@sloth I did SROP on 64-bit and gave a 32-bit binary, so people can search more and learn more!
@neolex Here you go, happy you liked the article!
[spoiler]OK, so I have to read 0x77 characters to store 0x77 in eax and then call the syscall…
I have the frame syscall but it segfaults. Is it possible to make an execve directly from the frame, or do I have to use the mprotect technique?
I have eax = 0xb, EBX: 0x804a01f ("/bin/sh"), ECX: 0x804a01f ("/bin/sh") and ESP 0x804a01f ("/bin/sh"), but it segfaults on int 0x80…
Sorry
[/spoiler]
You didn’t set the registers well, try more!