Ret2csu

ret2csu (return to __libc_csu_init) is an advanced ROP technique used when you have limited gadgets available in a binary. It leverages the initialization functions in the .init section of ELF binaries to construct ROP chains.

How this technique works.

The technique exploits two useful functions in the __libc_csu_init section found in most linux binaries.

The functions contains a sequence of pop instructions that can set multiple registers.
It also contains useful mov instructions that can move values between registers

Typical gadgets found

class="highlight">

1
2
3
4
5
6
7
8
9
10
11
12
pop rbx
pop rbp
pop r12
pop r13
pop r14
pop r15
ret

 mov rdx, r15
mov rsi, r14
mov edi, r13d
call qword ptr [r12 + rbx*8]
Why use this technique?
This technique is useful when:
the binary is small with few gadgets
aslr is enabled (but you have a libc leak)
Example
Recently Updated
 Binary Exploitation Docker Environment
 Mem-Test writeup
  Buffer Overflow with Global Variable Control
 Databases for hackers
 Building a Comprehensive C2 Framework
Trending Tags
 c2 ctf lab red-team
© 2025 Nkateko Tibane. Some rights reserved.
Using the Chirpy theme for Jekyll.
Trending Tags
 c2 ctf lab red-team
 
 
A new version of content is available.