A humble introduction to ROP chaining basics. The ppt deals with what is ROP. It builds the basics by introducing basics of buffer overflow and then talks about ROPs and why they are needed. It also has animated videos to help understand the layout of the stack clearly.

1. ROP Chaining

2. What is it?

3. • So that we can control the EIP via a series of
cleverly crafted RETs, that’s not in our control, on
the Stack and bypass ASLR, W^X etc. and finally
achieve attacker controlled code execution !
Why is it needed ?

5. Let us decode that ****
• EIP
• RETs
• Stack
• Code execution
• ASLR
• W^X

6. Basics
• Function call under the hood

7. Function call ()
• CALL = PUSH RET ADDRESS ON STACK
• { = SET UP THE STACK =
• MOVE ESP AHEAD
• PUSH EBP
• MOV ESP TO EBP

8. Function Return
• return/ } =
• 2) ret =
• return control back to the calling function = the return
address stored earlier on the stack = pop eip
• 1) leave =
• restore esp = mov ebp to esp
• restore ebp = pop ebp

9. TOS
CALL instruction
TOS
Return Address
{ = function set up
TOS
Old EBP xxxx
EBP
Old EBP
EBP
xxxx
Argument

10. Return Address
TOS
Old EBP xxxx
EBP
xxxx} = return = leave + ret
leave instruction =
1) esp = ebp
TOS
leave instruction = 2) pop ebp
TOS
ret instruction = pop esp
TOS
Return Address
EIP

11. Hence the idea
• Put things WE want on the stack so that it
eventually ends up in the EIP
• Vanilla Buffer Overflow works

12. Challenges
• Stack region should be executable (DEP/W^X)
• Address to put on stack (address of shell
code) should be known/predictable (ASLR)

13. ASLR
• What ?
• Why ?
• How ?

14. Sample
• Vulnerable to buffer overflow.
• add_bin() - adds “/bin” to a string
• add_sh() - adds “/sh” to the same string
• exec_string() - calls system(the_above_string)

15. Objective
• Get $
• Hint :
• How do we execute all 3 ()s in a sequence ?

16. Initial thoughts ?
• Address of each function is known ! Can’t we just
put them on the stack as we would for the first
function ?

17. YES, that’s the idea !
• But NO, not as directly ! WHY ?

19. What just happened ?
• We arranged the stack as we were planning to.

20. actual return address of
vulnerable_function
&add_bin()
actual return address of
add_bin()&pop;ret
argument for add_bin()
actual return address of
add_sh()
&add_sh()
&pop;pop;ret
arg1 for add_Sh()
arg2 for add_Sh()
&exec_string()
EIP
&add_bi
n()
&pop;retpopret

21. ROP-fu
• This is what is ROP chaining

22. GADGETS
• Find instructions of the format
….. RET
• This is what we call `GADGETS`
• There are automated tools to find these in
your binary

23. ACHIEVEMENT
• Use them to achieve what you want. This is one
way to bypass ASLR - actually better said as :
achieve what we want despite ASLR being
present !

24. Applications
Some rather fancy ones
• Exploits
• JailBreaks
• Rooting

25. QUESTIONS ??

26. Resources
• https://reverseengineering.stackexchange.com/questions/1992/what-is-plt-got
• https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf
• https://www.trust.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/LectureSlides/Chapter02%20-
%20RuntimeAttacks.pdf
• https://stackoverflow.com/questions/4292447/does-ret-instruction-cause-esp-register-added-by-4
• https://security.stackexchange.com/questions/37373/aslr-randomization-bss
• https://www.trustwave.com/Resources/SpiderLabs-Blog/Baby-s-first-NX-ASLR-bypass/
• https://www.rcesecurity.com/2011/12/stack-manipulation-using-pop-ret/
• https://dkalemis.wordpress.com/2010/10/27/the-need-for-a-pop-pop-ret-instruction-sequence/
• https://github.com/JonathanSalwan/ROPgadget
• https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-iii/
• https://stackoverflow.com/questions/41231637/how-does-a-function-call-work
• http://www.avrbeginners.net/new/wp-content/uploads/2011/08/avrbeginners_04_Jumps_Calls_and_the_Stack_1.0.1.pdf
• https://cs.nyu.edu/courses/fall04/V22.0201-003/ia32_chap_03.pdf
• https://stackoverflow.com/questions/16368769/return-to-call-after-jumps-in-assembly