Overwriting the return address on the stack by overflowing a buffer lets us return to an address of our choosing, which ends in code execution.
Keep in mind that if NX is enabled we can't just jump directly to shellcode; the stack isn't executable, so we have to return into code that already exists.
    |                  |
    |                  |
    |      BUFFER      |   Oops, I overflowed it
    |__________________|
    |_______ebp________| ------|---> Junk buffer ends here
    |_______ret________| ------V---> We overwrite the ret address with the one we want to call
    |                  |
    |__________________|
Since we overwrite the return address with the address of system(), we can hand system() an argument and make it execute a command. system() is already executable code in libc, which is why this works even with NX enabled.
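As an added example (not code from the original post), here is a C model of the frame drawn above: a struct stands in for the buffer, the saved ebp and the return address, and the unchecked copy that lets input spill into ret sits next to a bounds-checked copy that refuses the same input. The struct layout, the filler input and the placeholder address values are all constructed for this example; the layout of a real frame is up to the compiler, and the struct only makes the overwrite observable without undefined behaviour.

```c
// Added example: a model of the stack frame from the diagram, with the
// unchecked copy (the bug) beside a bounds-checked copy (the fix).
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// Constructed stand-in for a 32-bit frame: the local buffer sits below the
// saved frame pointer and the return address, exactly as in the diagram.
struct frame {
    char     buffer[16];
    uint32_t saved_ebp;
    uint32_t ret;
};

#define ORIGINAL_RET 0x08048000u   /* placeholder "return to caller" value */
#define ORIGINAL_EBP 0xbffff000u   /* placeholder saved frame pointer      */

static void reset_frame(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->saved_ebp = ORIGINAL_EBP;
    f->ret = ORIGINAL_RET;
}

// Vulnerable pattern (strcpy/gets style): copies however much the caller
// supplies into the buffer. Input longer than sizeof(buffer) spills into
// saved_ebp and then into ret. The copy is clamped to the frame object so
// the model stays well-defined; the bug is the missing buffer-size check.
// Returns the value of ret after the copy.
uint32_t unchecked_copy(struct frame *f, const unsigned char *src, size_t len) {
    reset_frame(f);
    if (len > sizeof *f) {
        len = sizeof *f;
    }
    memcpy((unsigned char *)f, src, len);   /* BUG: no check against sizeof f->buffer */
    return f->ret;
}

// Hardened version: the copy is bounded by the destination size and
// over-long input is rejected rather than written past the end.
// Returns 0 on success, -1 when the input does not fit.
int checked_copy(struct frame *f, const unsigned char *src, size_t len) {
    reset_frame(f);
    if (len > sizeof f->buffer) {
        return -1;
    }
    memcpy(f->buffer, src, len);
    return 0;
}

// Distance from the start of the buffer to the return-address slot:
// the "junk buffer ends here" point in the diagram (buffer + saved ebp).
size_t bytes_to_ret(void) {
    return offsetof(struct frame, ret);
}

// Constructed input: 16 bytes of filler, 4 bytes over the saved ebp,
// then 4 bytes that land in the return-address slot.
static const unsigned char constructed_input[24] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'B','B','B','B',
    0x11,0x11,0x11,0x11
};

// Runs the unchecked copy on the constructed input and returns ret afterwards
// (0x11111111: the supplied bytes replaced the saved return address).
uint32_t demo_unchecked(void) {
    struct frame f;
    return unchecked_copy(&f, constructed_input, sizeof constructed_input);
}

// Runs the checked copy on the same input; returns 1 when the copy was
// refused and the return address is still ORIGINAL_RET.
int demo_checked(void) {
    struct frame f;
    int rc = checked_copy(&f, constructed_input, sizeof constructed_input);
    return rc == -1 && f.ret == ORIGINAL_RET;
}

int main(void) {
    printf("bytes from buffer to ret : %zu\n", bytes_to_ret());
    printf("ret after unchecked copy : 0x%08x\n", demo_unchecked());
    printf("checked copy kept ret    : %s\n", demo_checked() ? "yes" : "no");
    return 0;
}
```

The checked version rejects over-long input outright instead of silently truncating it, which is the behaviour you want from any fixed-size copy: once the length check is in place there is no path for the input to reach the saved ebp or the return-address slot, whether or not NX is enabled.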
Chain Chain Chain the ROP baby
Simple ROP logic, locally, is this:
1st –> Find the exact size of the buffer needed to fill buffer + ebp.
2nd –> To overwrite the ret address, find the address of system with "p system" in gdb.
3rd –> Search for "/bin/sh" in the program with "memsearch /bin/sh", in order to skip calculating the offset etc., because this way it is already calculated. Don't care about exit.
4th –> Construct your chain like this: "junk_buf + system_addr + exit_addr + /bin/sh". EXTERMINATE!!
Finding Addresses Locally
Start with this: gdb ./vuln
gdb gives you a great opportunity to do address calculations.