> Please note that after injecting the vulnerabilities, the programs execute
> the '*main*' function from the vulnerable program, not the entry function
> from the original program. However, the Gadgets from the original program
> are still usable. This approach allows us to evaluate the ROP construction
> capability of the original program's Gadget collection and use the injected
> vulnerabilities to validate the correctness of ROP exploitation.
Which means you do all your work before a program can protect itself using pledge() or unveil() or a whole bunch of other mechanisms. You are not just ignoring address space randomization, but also a bunch of other mechanisms.

    int main() {
        pledge("stdio", NULL);
        while (1) sleep(100);
    }

You would do an execve() inside this program image because you've never started running the program. But since the program never ran any of its own code, you haven't done it in the program, but only in your own code. And this work is done through offline calculation obviously, since the program's text segment is not readable (on most modern machines with PKU) due to the xonly work which makes the text segment not readable.

That is so synthetic, it is uninteresting. I too can become very rich quickly by assuming the banks have turned off all their protections.