SROP | Signals, you say?

exploit
srop
linux

(exploit) #21

@sloth I did SROP on 64-bit and gave a 32-bit binary, so people can search more and learn more! :smiley:
@neolex Here you go, happy you liked the article! :smile:


#22

Hey, thanks @exploit!

I can’t find a way to set eax to the syscall number for sigreturn :confused:


(exploit) #23

@neolex

Questions: What's read()'s return value? What's the sigreturn syscall number on 32-bit?


#24

@exploit

[spoiler]Ok, so I have to read 0x77 characters to store 0x77 in eax and then call the syscall…

I have the frame syscall but it segfaults. Is it possible to make an execve directly from the frame, or do I have to use the mprotect technique?

I have:

- EAX = 0xb
- EBX = 0x804a01f ("/bin/sh")
- ECX = 0x804a01f ("/bin/sh")
- ESP = 0x804a01f ("/bin/sh")

but it segfaults on int 0x80…
Sorry :confused:
[/spoiler]


(exploit) #25

You didn't set the registers well, try more :smile:!


(Security Architect & Founder) #26

This topic was automatically closed after 43 hours. New replies are no longer allowed.