Return Oriented Programming - ROP
Return Oriented Programming (ROP) is a technique that allows an attacker to execute arbitrary code in a program by chaining together small fragments of code, known as "gadgets", that are already present in the program's memory.
ROP works by exploiting a vulnerability, such as a buffer overflow or a format string bug, that lets the attacker control the program's instruction pointer. With that control, the attacker redirects the instruction pointer to a gadget already present in the program's memory, then chains several gadgets together to execute arbitrary code.
One of the key features of ROP is that it does not require injecting any new code into the program's memory. This makes ROP attacks difficult to detect and prevent: since no new code is written, there is nothing new for a code-injection defense to identify and block.
List available gadgets
Several tools, such as ROPgadget and ropper, can list the gadgets available in a binary.
To have many gadgets available, the binary was compiled with the -static flag, so the C library's code is linked into the executable itself.
Chaining gadgets
When a function ends with a RET instruction, what actually happens is a POP EIP followed by a JMP EIP. The POP EIP takes the value on top of the stack and stores it in the EIP register. Since this value is controlled (through a buffer overflow or a format string exploit, for example), the JMP EIP is controlled as well.
The figure below shows the stack state after a buffer overflow, laid out to run the ROP chain:
When gadget 1 returns, the process performs a POP EIP, and because the next gadget's address sits at the top of the stack, execution continues with that gadget.
The example also shows a "gadget2 need" slot. This covers the case where gadget 2 executes a POP instruction, or any other instruction that consumes a specific value from the stack: that value must be placed right after gadget 2's address, before the address of gadget 3.
Generating ROP chain
If a syscall gadget is available, such as int 0x80, one syscall is especially useful: execve, which executes the program passed as its argument. execve can therefore be used to run /bin/sh.
To do this, a pointer to /bin/sh must be passed as the first parameter (EBX on x86), and the other parameters (ECX and EDX on x86) must be set to 0. This is necessary because both argv and envp must be NULL in order to pop a shell.
Several tools, such as ROPgadget and ropper, can generate a ROP chain that calls execve using the gadgets available in a binary.
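The following Python is an added teaching model, not code from the original page nor from ROPgadget or ropper. It simulates the POP EIP / JMP EIP mechanics described above over constructed gadget addresses, showing a chain that reaches the execve register state and a chain where a missing "gadget2 need" slot derails execution. The gadget addresses and the /bin/sh location are assumed placeholders.

```python
# Added teaching model of x86 ROP chaining: RET behaves as POP EIP followed by JMP EIP.
# Gadget addresses and the /bin/sh location are constructed placeholders, not from a real binary.
BINSH = 0x080C1000   # assumed address of a "/bin/sh" string inside the static binary
EXECVE_NR = 11       # execve syscall number on 32-bit x86 Linux
# Each gadget is a list of micro-ops; every gadget except the syscall one ends in "ret".
GADGETS = {
    0x08049101: ["pop ebx", "ret"],             # gadget 1: loads the first argument register
    0x08049202: ["pop ecx", "pop edx", "ret"],  # gadget 2: needs two stack slots ("gadget2 need")
    0x08049303: ["pop eax", "ret"],             # gadget 3: loads the syscall number
    0x08049404: ["int 0x80"],                   # syscall gadget: the chain ends here
}

def run_chain(stack):
    """Simulate the CPU from the moment the overflowed function executes RET.
    `stack` is the controlled region starting at the saved return address slot.
    Returns (registers, gadget addresses executed); raises ValueError when EIP
    lands on a value that is not a gadget, i.e. the chain is broken."""
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}
    eip, sp = stack[0], 1               # the vulnerable function's RET: POP EIP, then JMP EIP
    trace = []
    while True:
        gadget = GADGETS.get(eip)
        if gadget is None:
            raise ValueError(f"EIP={eip:#010x} is not a gadget; chain broke after {len(trace)} gadgets")
        trace.append(eip)
        for op in gadget:
            if op.startswith("pop "):
                regs[op[4:]], sp = stack[sp], sp + 1   # consumes a "need" slot from the stack
            elif op == "ret":
                eip, sp = stack[sp], sp + 1            # POP EIP; JMP EIP -> next gadget
            elif op == "int 0x80":
                return regs, trace

def is_execve_shell(regs):
    """True when the registers match execve("/bin/sh", NULL, NULL) as described above."""
    return (regs["eax"] == EXECVE_NR and regs["ebx"] == BINSH
            and regs["ecx"] == 0 and regs["edx"] == 0)

# Correct chain: each gadget's "need" slots are filled before the next gadget's address.
GOOD_CHAIN = [0x08049101, BINSH, 0x08049202, 0, 0, 0x08049303, EXECVE_NR, 0x08049404]
# Broken chain: one zero for gadget 2 is missing, so its RET pops a data value into EIP.
BROKEN_CHAIN = [0x08049101, BINSH, 0x08049202, 0, 0x08049303, EXECVE_NR, 0x08049404]
if __name__ == "__main__":
    regs, trace = run_chain(GOOD_CHAIN)
    print("good chain:", [hex(a) for a in trace], "-> execve state:", is_execve_shell(regs))
    try:
        run_chain(BROKEN_CHAIN)
    except ValueError as err:
        print("broken chain:", err)
```

Running it shows the good chain visiting all four gadgets and ending with the execve registers set, while the broken chain stops after gadget 2 because its RET pops the syscall number into EIP instead of gadget 3's address.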