A humble introduction to ROP chaining basics. The deck explains what ROP is: it builds up from the basics of buffer overflows, then covers ROP chains and why they are needed. It also has animated videos to help understand the layout of the stack clearly.
3. Why is it needed?
• So that we can control the EIP via a series of cleverly crafted RETs on the stack (RETs are normally not under our control), bypass ASLR, W^X etc., and finally achieve attacker-controlled code execution!
5. Let us decode that ****
• EIP
• RETs
• Stack
• Code execution
• ASLR
• W^X
7. Function call ()
• CALL = push the return address on the stack
• { = set up the stack frame = move ESP ahead:
  • push ebp
  • mov esp to ebp
8. Function Return
• return / } = leave + ret
• 1) leave =
  • restore esp = mov ebp to esp
  • restore ebp = pop ebp
• 2) ret =
  • return control back to the calling function = pop the return address stored earlier on the stack into EIP = pop eip
10. Return Address
} = return = leave + ret. Stack frame before returning (TOS = top of stack; EBP points at the saved Old EBP):
  TOS → ... locals ...
        Old EBP (xxxx)   ← EBP
        Return Address
leave instruction = 1) esp = ebp → TOS is now at Old EBP
leave instruction = 2) pop ebp → EBP is restored to xxxx, TOS is now at Return Address
ret instruction = pop eip → Return Address is loaded into EIP
11. Hence the idea
• Put things WE want on the stack so that it eventually ends up in the EIP
• Vanilla Buffer Overflow works
12. Challenges
• Stack region should be executable (DEP/W^X)
• Address to put on stack (address of shell code) should be known/predictable (ASLR)
14. Sample
• Vulnerable to buffer overflow.
• add_bin() - adds “/bin” to a string
• add_sh() - adds “/sh” to the same string
• exec_string() - calls system(the_above_string)
20. The chain on the stack (top of stack first, one slot per entry):
  slot 1: &add_bin() - overwrites the actual return address of vulnerable_function
  slot 2: &pop;ret - becomes the actual return address of add_bin()
  slot 3: argument for add_bin() - discarded by the pop of the gadget
  slot 4: &add_sh()
  slot 5: &pop;pop;ret - becomes the actual return address of add_sh()
  slot 6: arg1 for add_sh()
  slot 7: arg2 for add_sh()
  slot 8: &exec_string()
Animation: vulnerable_function's ret loads &add_bin() into EIP; add_bin() returns into pop;ret, which pops its argument off the stack and returns into &add_sh(); add_sh() returns into pop;pop;ret, which pops its two arguments and returns into &exec_string().
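As an added illustration of slide 20 (this is not code from the original deck), here is a symbolic model of how `ret`, the `pop;ret` gadgets and the three functions consume the slots above, and what goes wrong when the gadget that removes add_bin()'s argument is left out. Every slot content is a constructed label, not a real address, and the functions only record how they were called.

```python
# Constructed, symbolic model of the slide-20 chain: slots hold labels, not
# real addresses, and the three "functions" only record how they were called.
FUNCTIONS = {"&add_bin()": 1, "&add_sh()": 2, "&exec_string()": 0}  # arg counts
GADGETS = {"&pop;ret": 1, "&pop;pop;ret": 2}                         # slots discarded

# The chain exactly as laid out on slide 20, top of stack (lowest address) first.
SLIDE20_CHAIN = [
    "&add_bin()",            # overwrites the return address of vulnerable_function
    "&pop;ret",              # becomes the return address of add_bin()
    "argument for add_bin()",
    "&add_sh()",
    "&pop;pop;ret",          # becomes the return address of add_sh()
    "arg1 for add_sh()",
    "arg2 for add_sh()",
    "&exec_string()",
]

# Same chain with the pop;ret gadget left out: &add_sh() sits directly in
# add_bin()'s return-address slot, so add_bin()'s argument slot is where
# add_sh() will look for *its* return address.
NAIVE_CHAIN = [
    "&add_bin()",
    "&add_sh()",
    "argument for add_bin()",
    "arg1 for add_sh()",
    "arg2 for add_sh()",
    "&exec_string()",
]

def run_chain(stack):
    """Walk the chain from vulnerable_function's `ret` (= pop eip).

    Returns (calls, fault): the (function, args) calls made in order, and the
    data slot that got executed as if it were code (None if the chain ran clean).
    """
    esp, calls = 0, []
    while esp < len(stack):
        eip = stack[esp]            # ret: pop eip
        esp += 1
        if eip in FUNCTIONS:
            # cdecl view: [esp] is the return address, args sit at [esp+4], [esp+8], ...
            nargs = FUNCTIONS[eip]
            calls.append((eip, tuple(stack[esp + 1:esp + 1 + nargs])))
            # the function's own `leave; ret` pops stack[esp] on the next iteration
        elif eip in GADGETS:
            esp += GADGETS[eip]     # each pop discards one argument slot, then ret
        else:
            return calls, eip       # "returned" into data: the CPU would fault here
    return calls, None
```

Running `run_chain(SLIDE20_CHAIN)` yields the three calls with the right arguments and no fault; `run_chain(NAIVE_CHAIN)` stops after add_sh(), because add_sh() returns into the string meant for add_bin().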
22. GADGETS
• Find instructions of the format
….. RET
• This is what we call `GADGETS`
• There are automated tools to find these in your binary
23. ACHIEVEMENT
• Use them to achieve what you want. This is one way to bypass ASLR - actually better said as: achieve what we want despite ASLR being present!