Using the primitive tool we made in v1.0, we crafted an exploit that calls the mprotect() system call, which can alter the permissions of a given range of addresses. We used this to make the writable .data section executable as well, allowing us to inject code of our choosing and execute it, thus defeating the W^X protection used in modern operating systems.
It is a 2-stage exploit.
- The first stage is the ROP payload, which chains gadgets to execute the mprotect system call, make the .data section executable, and inject traditional shellcode into the .data section.
- The second stage is running the traditional shellcode - the classic way to exploit a system!
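The state this exploit leaves behind is a mapping that is both writable and executable, which is exactly what W^X forbids and what a monitor can look for in /proc/&lt;pid&gt;/maps. The following is an added example (not part of the original write-up) that parses maps lines and counts W+X regions; the sample dump and its addresses are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if a /proc/<pid>/maps line describes a mapping that is both
   writable and executable, i.e. the W^X violation produced when mprotect()
   adds PROT_EXEC to a writable region such as .data. */
int is_wx_mapping(const char *line) {
    unsigned long start, end;
    char perms[5];                      /* e.g. "rwxp" */
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return 0;                       /* not a maps line, ignore */
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Count W+X mappings in a whole maps dump (newline-separated lines). */
int count_wx_mappings(const char *maps) {
    int count = 0;
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (is_wx_mapping(line)) count++;
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample: normal .text (r-x) and .data (rw-) mappings, plus one
   .data page whose permissions were flipped to rwx. Addresses are made up. */
static const char sample_maps[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /tmp/victim\n"
    "00601000-00602000 rw-p 00001000 08:01 1234 /tmp/victim\n"
    "00602000-00603000 rwxp 00002000 08:01 1234 /tmp/victim\n"
    "7ffff7dd0000-7ffff7df5000 r-xp 00000000 08:01 5678 /lib/ld.so\n";

int main(void) {
    /* On Linux, feed the contents of /proc/<pid>/maps here instead. */
    printf("W+X mappings found: %d\n", count_wx_mappings(sample_maps));
    return 0;
}
```

A region that is rwx in a process that normally has none is a strong signal worth alerting on, since legitimate JITs are the main benign source of such mappings.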