
I am very new to Return Oriented Programming.

Running on 64-bit Linux. Trying to overwrite the return address to the function 'not_called'. What should the correct arguments be?

ridzuan@ubuntu:~/Desktop/mypintool/codes$ gdb -q rop
Reading symbols from rop...(no debugging symbols found)...done.
(gdb) disas vulnerable_function 
Dump of assembler code for function vulnerable_function:
   0x0000000000000744 <+0>: push   %rbp
   0x0000000000000745 <+1>: mov    %rsp,%rbp
   0x0000000000000748 <+4>: add    $0xffffffffffffff80,%rsp
   0x000000000000074c <+8>: mov    %rdi,-0x78(%rbp)
   0x0000000000000750 <+12>:    mov    -0x78(%rbp),%rdx
   0x0000000000000754 <+16>:    lea    -0x70(%rbp),%rax
   0x0000000000000758 <+20>:    mov    %rdx,%rsi
   0x000000000000075b <+23>:    mov    %rax,%rdi
   0x000000000000075e <+26>:    callq  0x5d0
   0x0000000000000763 <+31>:    nop
   0x0000000000000764 <+32>:    leaveq 
   0x0000000000000765 <+33>:    retq   
End of assembler dump.
(gdb) print not_called 
$1 = {<text variable, no debug info>} 0x720 <not_called>
(gdb) quit
ridzuan@ubuntu:~/Desktop/mypintool/codes$ ./rop "$(python -c 'print "A"*0x80 + "BBBBBBBB" + "\x07\x44"')"
Segmentation fault (core dumped)
user2833581
  • Copy/paste text (into a code block), not pictures of text. Hint: this is a PIE executable, the final address isn't determined until you actually run it. (And will vary between runs unless you run it with ASLR disabled, like GDB does.) – Peter Cordes Feb 15 '21 at 07:12
  • Yes, the ASLR is disabled – user2833581 Feb 15 '21 at 07:16
  • 1
    In case I wasn't clear, `0x0000000000000744` won't be the run-time address of your function. `starti` first to let the kernel create a process with the code mapped to the default address, instead of disassembling with an image base of `0` – Peter Cordes Feb 15 '21 at 07:23
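The comments turn on one point: `rop` is a PIE, so the `0x744` that gdb prints from the unloaded file is an offset into the image, not an address the process will ever execute. The following Python is an added example written for this page (it is not code from the question or from any of the commenters) that makes that distinction mechanical: it parses the ELF64 header to tell a fixed-address `ET_EXEC` binary from a position-independent `ET_DYN` one, and it maps an address observed in a running or crashed process back to the file offset that `disas` shows, given the load base that gdb's `info proc mappings` reports after `starti`. The ELF headers it runs on are constructed inline; the `0x555555554000` base in the usage block is an assumed value, not one taken from the question.

```python
import struct
import sys

# Minimal ELF64 header parser. Two questions matter for the discussion above:
# (1) does the loader pick the image base at exec time (ET_DYN / PIE), and
# (2) given that base, which file offset does a run-time address belong to?

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2          # fixed load address: file addresses are run-time addresses
ET_DYN = 3           # relocatable image: PIE executables and shared objects
EM_X86_64 = 62


def parse_elf_header(data: bytes) -> dict:
    """Parse the 64-byte ELF64 header; raise ValueError on anything else."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    # Fields after e_ident: e_type, e_machine, e_version, e_entry (offset 16).
    e_type, e_machine, _version, e_entry = struct.unpack_from("<HHIQ", data, 16)
    return {"e_type": e_type, "e_machine": e_machine, "e_entry": e_entry}


def is_pie(data: bytes) -> bool:
    """True when e_type is ET_DYN, i.e. addresses in the file are offsets.

    Caveat: shared libraries are ET_DYN too. Telling a PIE from a .so needs
    the program headers (a PT_INTERP entry), which this example does not parse.
    """
    return parse_elf_header(data)["e_type"] == ET_DYN


def static_offset(runtime_addr: int, load_base: int) -> int:
    """Map an address seen at run time (a crash PC from a core dump, a frame
    in a backtrace) back to the offset that objdump/gdb show for the file."""
    if runtime_addr < load_base:
        raise ValueError("address lies below the image base")
    return runtime_addr - load_base


def describe(data: bytes) -> str:
    """Human-readable summary of what the header implies for address lookup."""
    hdr = parse_elf_header(data)
    if hdr["e_type"] == ET_DYN:
        return ("ET_DYN: file addresses such as 0x%x are image offsets; "
                "add the run-time base reported by the loader" % hdr["e_entry"])
    if hdr["e_type"] == ET_EXEC:
        return "ET_EXEC: file addresses are the run-time addresses"
    return "e_type %d: neither an executable nor a PIE" % hdr["e_type"]


def make_header(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 header for x86-64 used as sample input."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b"\x00" * 7
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, EM_X86_64, 1, 0x5D0,
                               64, 0, 0, 64, 56, 0, 64, 0, 0)


# Constructed sample headers (no real binary is read unless a path is given).
SAMPLE_PIE = make_header(ET_DYN)
SAMPLE_EXEC = make_header(ET_EXEC)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(describe(fh.read(64)))
    else:
        print(describe(SAMPLE_PIE))
        print(describe(SAMPLE_EXEC))
        # Assumed base for illustration: with ASLR off, gdb's
        # `info proc mappings` reports where the image actually landed.
        base = 0x555555554000
        print("0x%x -> file offset 0x%x" % (base + 0x744,
                                            static_offset(base + 0x744, base)))
```

Run it without arguments to see the two constructed headers classified, or pass the path of a binary to classify its real header. In the debugging session above, the defensive use is the reverse of what the question asks: after `starti`, `info proc mappings` gives the base of the `rop` image, and `static_offset` turns any address from the segfault's backtrace into the `<+N>` offset visible in `disas vulnerable_function`.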

0 Answers