Skip to content

Instantly share code, notes, and snippets.

@Cryptiiiic

Cryptiiiic/How to find OFFSET_ROP_ADD_X0_X0_0x10 for v0rtex.md

Last active December 9, 2017 18:07
Show Gist options
  • Save Cryptiiiic/d83937ff6239c867d0ec7bfe5cb40901 to your computer and use it in GitHub Desktop.
Save Cryptiiiic/d83937ff6239c867d0ec7bfe5cb40901 to your computer and use it in GitHub Desktop.
Download ZIP
Guide for finding the ROP Gadget for the v0rtex exploit.md
Raw
How to find OFFSET_ROP_ADD_X0_X0_0x10 for v0rtex.md
  1. Open the kernel in radare2 using r2 kernelcache.release.nxxx.dec. (Kernel has to be decompressed)
  2. Once the kernel is open in r2, we are going to search for assembly code with "/c add x0, x0, 0x10; ret" You should get an output like this:
  3. We are going to take the second address at the top(in this example it's 0xfffffff00651a178) and we are going to seek to it as well as subtracting 0x4. Here is the command: s 0xfffffff00651a178 - 0x4.
  4. We are going to print out the assembly code of 0xfffffff00651a174 using pd 2. The output should look similar to this:
  5. If your output looks similar to this, take the address of add x0, x0, 0x10 and that is the ROP Gadget offset.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment