Gist by Cryptiiiic: d83937ff6239c867d0ec7bfe5cb40901
Guide for finding the ROP Gadget for the v0rtex exploit.md
  1. Open the decompressed kernel in radare2 with r2 kernelcache.release.nxxx.dec. The kernelcache must be decompressed first: the instruction bytes we are about to search for are not visible in the compressed image.
  2. Once the kernel is open in r2, search for the gadget's instruction sequence with /c add x0, x0, 0x10; ret. The search prints a list of matching addresses. (In newer radare2 releases the assembly-text search lives under /ad rather than /c.)
  3. Take the second address at the top of that list (0xfffffff00651a178 in the author's example) and seek to the address 4 bytes before it, i.e. one AArch64 instruction earlier: s 0xfffffff00651a178 - 0x4.
  4. Disassemble two instructions starting at 0xfffffff00651a174 with pd 2. The first line is the instruction immediately preceding the gadget and the second is the add x0, x0, 0x10 itself.
  5. If your output matches the author's reference output (an image that is not reproduced here), the address of the add x0, x0, 0x10 instruction is the ROP gadget offset v0rtex needs. Before using it, confirm that a ret directly follows the add and that the address lies in an executable section of the kernel (iS lists the sections in r2); on a decompressed kernelcache r2 reports unslid kernel virtual addresses, which is the form v0rtex's offsets take.
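The following is an added example, not part of the original gist and not v0rtex code: a small C scanner that does the same thing as the radare2 /c search above over a raw, decompressed AArch64 kernelcache, so the procedure can be checked (or scripted) without radare2. It looks for the two-word sequence add x0, x0, #0x10 (0x91004000) followed by ret (0xd65f03c0), reports each hit's file offset, translates it to a kernel virtual address, and shows the word 4 bytes before the hit, which is what the guide's s addr - 0x4 followed by pd 2 displays first. The kernel base KERNEL_BASE_VA, the flat file-offset-to-VA mapping, and the sample instruction bytes are assumptions made for the example; a real kernelcache is a Mach-O, so the offset should be mapped through the segment that contains it (r2 does this for you).

```c
/* Added example (not part of the original gist): scan an AArch64 image for the
 * "add x0, x0, #0x10 ; ret" gadget the guide locates with radare2.
 *
 * AArch64 instructions are fixed 4-byte, little-endian, 4-byte-aligned words, so
 * the gadget is two consecutive words:
 *   add x0, x0, #0x10  -> 0x91004000
 *   ret                -> 0xd65f03c0
 * KERNEL_BASE_VA is an assumption (a typical unslid arm64 kernelcache __TEXT base);
 * replace it with your own kernel's, and note that this example assumes a flat
 * file-offset-to-VA mapping, which a real Mach-O kernelcache only approximates.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INSN_ADD_X0_X0_0x10 0x91004000u
#define INSN_RET            0xd65f03c0u
#define KERNEL_BASE_VA      0xfffffff007004000ull   /* assumed base, see above */

/* Read a little-endian 32-bit instruction word at byte offset off. */
static uint32_t rd32(const uint8_t *buf, size_t off) {
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Scan buf for "add x0, x0, #0x10 ; ret". Returns the total number of hits and
 * stores the file offset of the add instruction for the first max_hits of them
 * in hits[]. Stepping by 4 keeps every match instruction-aligned. */
size_t find_add_x0_x0_0x10_ret(const uint8_t *buf, size_t len,
                               size_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t off = 0; off + 8 <= len; off += 4) {
        if (rd32(buf, off) == INSN_ADD_X0_X0_0x10 &&
            rd32(buf, off + 4) == INSN_RET) {
            if (n < max_hits) hits[n] = off;
            n++;
        }
    }
    return n;
}

/* File offset -> kernel virtual address under the flat-mapping assumption. */
uint64_t offset_to_va(uint64_t base_va, size_t off) { return base_va + off; }

/* Constructed sample "text section" (not real kernel bytes): two copies of the
 * gadget, each preceded by a different instruction, plus an add that is not
 * followed by ret and therefore must not match. */
static const uint32_t sample_insns[] = {
    0xd503201f, /* nop                                       */
    0xaa0003e1, /* mov x1, x0                                */
    0x91004000, /* add x0, x0, #0x10   <- hit 1, offset 0x08 */
    0xd65f03c0, /* ret                                       */
    0xa9bf7bfd, /* stp x29, x30, [sp, #-16]!                 */
    0xf9400000, /* ldr x0, [x0]                              */
    0x91004000, /* add x0, x0, #0x10   <- hit 2, offset 0x18 */
    0xd65f03c0, /* ret                                       */
    0x91004000, /* add x0, x0, #0x10, no ret after it        */
    0xd503201f, /* nop                                       */
};

/* Serialise the sample to little-endian bytes; returns the byte length. */
size_t sample_bytes(uint8_t *out) {
    size_t n = sizeof(sample_insns) / sizeof(sample_insns[0]);
    for (size_t i = 0; i < n; i++) {
        uint32_t w = sample_insns[i];
        out[4 * i]     = (uint8_t)(w & 0xff);
        out[4 * i + 1] = (uint8_t)((w >> 8) & 0xff);
        out[4 * i + 2] = (uint8_t)((w >> 16) & 0xff);
        out[4 * i + 3] = (uint8_t)((w >> 24) & 0xff);
    }
    return 4 * n;
}

/* Run the scan over the constructed sample. */
size_t find_in_sample(size_t *hits, size_t max_hits) {
    uint8_t buf[sizeof(sample_insns)];
    size_t len = sample_bytes(buf);
    return find_add_x0_x0_0x10_ret(buf, len, hits, max_hits);
}

/* The word 4 bytes before a hit: the first line of the guide's "pd 2" output. */
uint32_t sample_insn_before(size_t hit_off) {
    uint8_t buf[sizeof(sample_insns)];
    sample_bytes(buf);
    return hit_off >= 4 ? rd32(buf, hit_off - 4) : 0;
}

int main(void) {
    size_t hits[8];
    size_t n = find_in_sample(hits, 8);
    for (size_t i = 0; i < n && i < 8; i++) {
        printf("hit %zu: file offset 0x%zx -> VA 0x%llx, preceding word 0x%08x\n",
               i + 1, hits[i],
               (unsigned long long)offset_to_va(KERNEL_BASE_VA, hits[i]),
               sample_insn_before(hits[i]));
    }
    return 0;
}
```

To use it on a real image, replace the constructed sample with the bytes of the decompressed kernelcache, set KERNEL_BASE_VA from the kernel's __TEXT segment, and, as in step 5, check each candidate's preceding instruction and section before treating it as the gadget; byte search alone will also report matches that happen to fall in non-executable data.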