@sloth I did SROP on 64-bit and gave a 32-bit binary, so people can search more and learn more!
@neolex Here you go, happy you liked the article!
1 Like
Hey, thanks @exploit!
I can’t find a way to set eax to the syscall number for sigreturn.
1 Like
Questions: What’s read()’s return value? What’s the sigreturn syscall number on 32-bit?
[spoiler]OK, so I have to read 0x77 characters to store 0x77 in eax and then call the syscall…
I have the frame syscall but it segfaults. Is it possible to do an execve directly from the frame, or do I have to use the mprotect technique?
I have eax = 0xb, EBX = 0x804a01f ("/bin/sh"), ECX = 0x804a01f ("/bin/sh") and ESP = 0x804a01f ("/bin/sh"), but it segfaults on int 0x80…
Sorry
[/spoiler]
You didn’t set the registers well, try more!
This topic was automatically closed after 43 hours. New replies are no longer allowed.