ROP - Revision history

Inflatable Man: Fixes typo and adds comma

2021-06-10T16:30:11Z

Fixes typo and adds comma

Sjeezpwn at 15:59, 10 April 2015

2015-04-10T15:59:48Z

Sjeezpwn: explained it but need more examples

2015-04-10T15:33:23Z

explained it but need more examples

New page

ROP is a form of exploitation where you search for gadgets in memory (instructions bascially)
and use memory's own code instead of using your code. In evasi0n, this ROP gadget is used
STR R1, [R2];BX LR
So evasi0n looks for that in memory using memmem(), here's the function in planetbeing's
patchfinder.

int32_t find_str_r1_r2_bx_lr(uint32_t region, uint8_t* kdata, size_t ksize)
{
const uint8_t search[] = {0x11, 0x60, 0x70, 0x47};
void* ptr = memmem(kdata, ksize, search, sizeof(search)) + 1;
if(!ptr)
return 0;

return ((uintptr_t)ptr) - ((uintptr_t)kdata);
}
Once you've figured out all your ROP gadgets thta's your payload and that's how you will
exploit whatever vulnerability you found.

@@ Line 13: / Line 13: @@
        return ((uintptr_t)ptr) - ((uintptr_t)kdata);
+  }
-Once you've figured out all your ROP gadgets thta's your payload and that's how you will
+Once you've figured out all your ROP gadgets, that's your payload and that's how you will
 exploit whatever vulnerability you found.

@@ Line 11: / Line 11: @@
     if(!ptr)
         return 0;
+  }
 Once you've figured out all your ROP gadgets thta's your payload and that's how you will