(Pwn) Introduction to the installation and use of CTF tool ROPgadget

1. Introduction


With this tool you can search a binary for gadgets, which is the groundwork for building a ROP chain.


With NX protection enabled, the earlier approach of injecting code directly into the stack or heap no longer works, so attackers devised ways to bypass the protection. The main one today is ROP (Return Oriented Programming). Its core idea is to start from a stack buffer overflow and reuse gadgets that already exist in the program to change the values of certain registers or variables, and thereby control the program's execution flow. A gadget is an instruction sequence ending in ret; by chaining such sequences, the contents of chosen addresses can be modified, which makes controlling the execution flow possible.

We know that x86 passes arguments on the stack, whereas x64 passes them in registers in the order rdi, rsi, rdx, rcx, r8, r9 (the gadgets we need are the ones that load these six registers); if there are more than six parameters, the stack is used for the rest. This property of argument passing must be understood first.

In some challenges there is neither a ready-made system function nor a /bin/sh string, and no libc.so is provided to us, so what we have to do is find a way to leak a libc address and from it obtain the address of the system function and of the /bin/sh string.

We need the addresses of the gadgets that load rdi, rsi, rdx, rcx, r8, r9; the first one to find is the gadget for rdi.

This is the role of ROPgadget;

2. Installation of ROPgadget tool

# First install Capstone, a lightweight disassembly framework with multi-architecture support.
sudo apt-get install python-capstone
 
# Download ROPgadget, unpack it, and change into the extracted folder
python setup.py install

3. The use of tools

command: ROPgadget --binary <filename> --only "pop|ret" | grep rdi
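As an added example (not from the original post or the ROPgadget project), here is a minimal Python version of what that `--only "pop|ret" | grep rdi` pipeline does on x86-64: scan raw code bytes for `pop <reg>` followed by `ret`. The bytes, the base address and the function names are constructed for the illustration; the point worth seeing is that the scan is byte-wise, so a usable gadget can sit inside a longer instruction the compiler actually emitted, which is why NX alone does not defeat ROP.

```python
# Added illustration of ROPgadget's "pop|ret" search; not the tool's own code.
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]  # opcodes 0x58..0x5f
REGS64_EXT = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]  # 0x41 prefix + 0x58..0x5f
RET = 0xC3

def find_pop_ret_gadgets(code: bytes, base: int = 0):
    """Return [(address, "pop <reg> ; ret"), ...] for every single-pop gadget
    in `code`, assuming it is loaded at virtual address `base`.
    x86 has variable-length instructions, so every byte offset is a
    candidate start: no alignment to real instruction boundaries."""
    gadgets = []
    for i in range(len(code) - 1):
        b = code[i]
        if 0x58 <= b <= 0x5F and code[i + 1] == RET:
            gadgets.append((base + i, f"pop {REGS64[b - 0x58]} ; ret"))
        elif (b == 0x41 and i + 2 < len(code)
              and 0x58 <= code[i + 1] <= 0x5F and code[i + 2] == RET):
            gadgets.append((base + i, f"pop {REGS64_EXT[code[i + 1] - 0x58]} ; ret"))
    return gadgets

def grep(gadgets, needle: str):
    """Equivalent of piping the listing through `grep <needle>`."""
    return [g for g in gadgets if needle in g[1]]

# Constructed sample .text bytes (hypothetical, not taken from a real binary).
SAMPLE_TEXT = bytes([
    0x55,                    # push rbp
    0x48, 0x89, 0xE5,        # mov rbp, rsp
    0x48, 0x8B, 0x5F, 0xC3,  # mov rbx, [rdi-0x3d]  -> its tail "5f c3" is "pop rdi ; ret"
    0x5E, 0xC3,              # pop rsi ; ret
    0x41, 0x5C, 0xC3,        # pop r12 ; ret (the "5c c3" tail is also reported as pop rsp ; ret)
    0x5D, 0xC3,              # pop rbp ; ret
])
BASE = 0x401000  # assumed load address of the sample bytes

if __name__ == "__main__":
    # Same output shape as "ROPgadget --only 'pop|ret' | grep rdi".
    for addr, text in grep(find_pop_ret_gadgets(SAMPLE_TEXT, BASE), "rdi"):
        print(f"{addr:#018x} : {text}")
```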


Origin blog.csdn.net/weixin_45556441/article/details/114631043