- Open the kernel in radare2 using `r2 kernelcache.release.nxxx.dec` (the kernel has to be decompressed).
- Once the kernel is open in r2, search for the assembly code with `/c add x0, x0, 0x10; ret`. The search prints the matching addresses.
- Take the second address at the top (in this example it's `0xfffffff00651a178`) and seek to it minus `0x4`. Here is the command: `s 0xfffffff00651a178 - 0x4`.
- Print out the assembly code at `0xfffffff00651a174` using `pd 2`. The output should show the `add` followed by the `ret`.
- If your output looks like that, take the address of `add x0, x0, 0x10`; that is the ROP gadget offset.
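The search and the `pd 2` check above are done interactively in radare2 against a real kernelcache. The following is an added example (not part of the original gist) that reproduces the same two steps in pure Python on a constructed byte blob: it encodes `add x0, x0, #0x10` (0x91004000) and `ret` (0xd65f03c0) as ARM64 words, scans a buffer for the pair, and decodes the two words at a hit the way `pd 2` would. The kernel base `0xfffffff006500000`, the file offset `0x1a174`, and the decoy instructions are all constructed so that the resulting virtual address matches the one quoted above; a real kernelcache has its own base and layout.

```python
import struct

# ARM64 encodings of the instructions the gadget is made of.
ADD_X0_X0_0x10 = 0x91004000   # add x0, x0, #0x10  (ADD immediate, 64-bit)
RET = 0xD65F03C0              # ret
NOP = 0xD503201F              # nop, used only as filler in the constructed sample

# Constructed values (assumptions for this example, not taken from any real kernel).
KERNEL_BASE = 0xFFFFFFF006500000
GADGET_FILE_OFFSET = 0x1A174


def encode_add_imm64(rd, rn, imm12, shift=False):
    """Encode 'add xRd, xRn, #imm12 {, lsl #12}' (ADD immediate, 64-bit)."""
    if not 0 <= imm12 < 0x1000:
        raise ValueError("imm12 must fit in 12 bits")
    return (0x91 << 24) | (int(shift) << 22) | (imm12 << 10) | (rn << 5) | rd


def _reg(n):
    # Register 31 means SP for ADD (immediate).
    return "sp" if n == 31 else f"x{n}"


def disasm_word(word):
    """Minimal decoder: only what is needed to read the gadget back, like 'pd 2'."""
    if word == RET:
        return "ret"
    if word == NOP:
        return "nop"
    if (word >> 23) == 0x122:  # top 9 bits of ADD (immediate), 64-bit
        imm = ((word >> 10) & 0xFFF) << (12 if (word >> 22) & 1 else 0)
        return f"add {_reg(word & 0x1F)}, {_reg((word >> 5) & 0x1F)}, #{imm:#x}"
    return f".word {word:#010x}"


def pd(buf, offset, count):
    """Return the disassembly of `count` instructions at `offset` (r2's 'pd N')."""
    words = struct.unpack_from(f"<{count}I", buf, offset)
    return [disasm_word(w) for w in words]


def find_gadget(buf, imm=0x10):
    """Return file offsets of every 'add x0, x0, #imm ; ret' pair (r2's '/c ...')."""
    target = encode_add_imm64(0, 0, imm)
    hits = []
    for off in range(0, len(buf) - 7, 4):  # instructions are 4-byte aligned
        first, second = struct.unpack_from("<II", buf, off)
        if first == target and second == RET:
            hits.append(off)
    return hits


def gadget_va(buf, base=KERNEL_BASE, imm=0x10):
    """Translate hits to virtual addresses, which is what the exploit wants."""
    return [base + off for off in find_gadget(buf, imm)]


def build_sample():
    """Constructed kernel-like blob: NOP filler, two decoys, and the real gadget."""
    words = [NOP] * (0x1A17C // 4)
    # Decoy 1: the add without a following ret must not match.
    words[0x100 // 4] = ADD_X0_X0_0x10
    # Decoy 2: same shape but a different immediate must not match for imm=0x10.
    words[0x200 // 4] = encode_add_imm64(0, 0, 0x20)
    words[0x204 // 4] = RET
    # The real gadget: add at 0x1a174, ret at 0x1a178 (the address the search shows).
    words[GADGET_FILE_OFFSET // 4] = ADD_X0_X0_0x10
    words[GADGET_FILE_OFFSET // 4 + 1] = RET
    return struct.pack(f"<{len(words)}I", *words)


SAMPLE = build_sample()

if __name__ == "__main__":
    for off in find_gadget(SAMPLE):
        print(f"gadget at file offset {off:#x}, va {KERNEL_BASE + off:#x}")
        for line in pd(SAMPLE, off, 2):
            print("   ", line)
```

Subtracting `0x4` from the address the search reports is just stepping back one instruction from the `ret` to the `add`; the scanner here returns the `add` offset directly, so no adjustment is needed. The `pd`-style check is what confirms the hit is a real two-instruction gadget rather than an `add` that happens to be followed by something else, which is why the decoys are included.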
Last active: December 9, 2017 18:07
Guide for finding the ROP Gadget for the v0rtex exploit.md