Would it be possible to build a ROP chain for MPy ESP32? #9473
Unanswered
RSC-Games asked this question in Hardware & Peripherals
Replies: 0 comments
I have done quite a bit of reading concerning console hacking and ROP. Recently, I also saw a research paper detailing how to detect ROP on the ESP32 with certain internal hardware. Also, MicroPython has a mem32 constant and uctypes that allow direct access to memory. If someone could potentially locate the stack via these libraries, locate gadgets, build a ROP chain, and inject the pointer onto the stack, it would be possible to gain arbitrary code execution.
NOTE: The above depends on direct REPL access or a pre-written script and an MPy build that does not restrict access to IRAM. In this case it would probably be easier to compile an MPy natmod and copy it onto the board filesystem, then run that.
I do not have a proof-of-concept, but I'm curious as to whether this is possible without REPL or creating a .py file (so a string or bytearray).