Dobin 0x54_DefeatExploitMitigations_ROP.pdf

Card set details

Cards 11
Language English
Category Religion/Ethics
Level University
Created / Updated 24.06.2019 / 24.06.2019
Licensing Not specified
Web link
https://card2brain.ch/box/20190624_dobin_0x54defeatexploitmitigationsrop_pdf

What does ROP stand for?

Return Oriented Programming (ROP)

What are gadgets and how are they used?

What is ROP:

Smartly chain gadgets together to execute arbitrary code, using only instructions that already exist in the process.

Gadgets:

  • A short sequence of instructions, followed by a RET
  • The RET pops the next gadget's address off the stack, which is how the chain continues

How can you find gadgets?

How to find gadgets:

  • Search the code section for the byte 0xc3 (= ret)
  • From each ret, go backwards one byte at a time and try to decode from there up to the ret
  • For each starting byte:
    • Check if the bytes from there to the ret decode as valid 32-bit x86 instructions
    • If yes: record the gadget, and continue one byte further back
    • If no: continue one byte further back
  • Because x86 instructions are variable-length, a 0xc3 inside another instruction (e.g. in an immediate) is also a usable ret, and the bytes before it may decode differently than the compiler intended ("unintended" gadgets)
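The search described above, as an added example in C that is not part of the original slides. It implements exactly the backwards walk from every 0xc3, but only decodes a deliberately tiny x86-32 subset (push/pop r32, xchg eax, r32, mov r32, imm32, add r32, imm8, nop, leave, ret); the byte buffer SAMPLE_CODE is constructed for the demo and stands in for a real .text section. The mov eax, 0xc35e near the end shows the unintended-gadget case: the 0x5e 0xc3 inside its immediate decodes as pop esi ; ret.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_GADGETS 64
#define GADGET_TEXT 96

static char gadget_table[MAX_GADGETS][GADGET_TEXT];
static int  gadget_count;

static const char *REG32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Decode one instruction of a tiny x86-32 subset (assumption: only the opcodes a ROP
 * chain typically leans on). Writes its text to out and returns the length in bytes,
 * or 0 if the byte is not an instruction this decoder knows. */
static int decode_one(const uint8_t *p, size_t avail, char *out, size_t outsz)
{
    uint8_t op = p[0];
    if (op == 0xc3) { snprintf(out, outsz, "ret");   return 1; }
    if (op == 0x90) { snprintf(out, outsz, "nop");   return 1; }
    if (op == 0xc9) { snprintf(out, outsz, "leave"); return 1; }
    if (op >= 0x50 && op <= 0x57) { snprintf(out, outsz, "push %s", REG32[op - 0x50]); return 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(out, outsz, "pop %s",  REG32[op - 0x58]); return 1; }
    if (op >= 0x91 && op <= 0x97) { snprintf(out, outsz, "xchg eax, %s", REG32[op - 0x90]); return 1; }
    if (op >= 0xb8 && op <= 0xbf && avail >= 5) {            /* mov r32, imm32 */
        uint32_t imm = p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        snprintf(out, outsz, "mov %s, 0x%x", REG32[op - 0xb8], (unsigned)imm);
        return 5;
    }
    if (op == 0x83 && avail >= 3 && (p[1] & 0xf8) == 0xc0) { /* 83 /0 ib: add r32, imm8 (register form) */
        snprintf(out, outsz, "add %s, 0x%x", REG32[p[1] & 7], (unsigned)p[2]);
        return 3;
    }
    return 0;
}

/* Try to decode code[start..ret_off) as a clean run of instructions that lands exactly
 * on the ret. Returns 1 and fills text (e.g. "pop ebx ; pop ebp ; ret") on success. */
static int decode_gadget(const uint8_t *code, size_t start, size_t ret_off, char *text, size_t textsz)
{
    char ins[32];
    size_t off = start;
    text[0] = '\0';
    while (off < ret_off) {
        if (code[off] == 0xc3) return 0;      /* an earlier ret: that is a different gadget */
        int len = decode_one(code + off, ret_off - off, ins, sizeof ins);
        if (len == 0 || off + len > ret_off) return 0;
        strncat(text, ins, textsz - strlen(text) - 1);
        strncat(text, " ; ", textsz - strlen(text) - 1);
        off += len;
    }
    strncat(text, "ret", textsz - strlen(text) - 1);
    return 1;
}

/* Step 1: every 0xc3 is a candidate ret. Step 2: walk backwards up to max_back bytes
 * and keep every start that decodes cleanly. Returns the number of gadgets recorded. */
int find_gadgets(const uint8_t *code, size_t n, size_t max_back)
{
    char text[GADGET_TEXT];
    gadget_count = 0;
    for (size_t r = 0; r < n; r++) {
        if (code[r] != 0xc3) continue;
        for (size_t back = 1; back <= max_back && back <= r; back++) {
            if (decode_gadget(code, r - back, r, text, sizeof text) && gadget_count < MAX_GADGETS) {
                strncpy(gadget_table[gadget_count], text, GADGET_TEXT - 1);
                gadget_table[gadget_count][GADGET_TEXT - 1] = '\0';
                gadget_count++;
            }
        }
    }
    return gadget_count;
}

int has_gadget(const char *text)
{
    for (int i = 0; i < gadget_count; i++)
        if (strcmp(gadget_table[i], text) == 0) return 1;
    return 0;
}

/* Constructed stand-in for a code section (not taken from any real binary). */
const uint8_t SAMPLE_CODE[] = {
    0x55,                         /* push ebp */
    0x58, 0xc3,                   /* pop eax ; ret */
    0x0f, 0x1f,                   /* bytes the subset decoder does not know: blocks the walk */
    0x5b, 0x5d, 0xc3,             /* pop ebx ; pop ebp ; ret */
    0x94, 0xc3,                   /* xchg eax, esp ; ret   (a stack pivot gadget) */
    0x83, 0xc4, 0x10, 0xc3,       /* add esp, 0x10 ; ret */
    0x5c, 0xc3,                   /* pop esp ; ret */
    0xb8, 0x5e, 0xc3, 0x00, 0x00, /* mov eax, 0xc35e  -- hides an unintended pop esi ; ret */
    0xc3                          /* ret */
};

int main(void)
{
    int n = find_gadgets(SAMPLE_CODE, sizeof SAMPLE_CODE, 6);
    for (int i = 0; i < n; i++)
        printf("%s\n", gadget_table[i]);
    return 0;
}
```

A real gadget finder differs only in the decoder: swap decode_one for a full disassembler (ROPgadget and ropper do this with Capstone) and the search logic stays the same.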

What are the characteristics of a ROP chain?

  • Gadgets are chained through their RETs: each RET pops the address of the next gadget off the stack
  • Arbitrary code execution with no code uploaded (no executable memory needed, so it works under DEP/NX)
  • The "shellcode" consists of:
    • Addresses of gadgets
    • Arguments for gadgets (addresses, or immediates), which the gadgets pop off the stack
    • NOT: assembler instructions

What is stack pivoting?

What if the ESP (stack pointer) does not point to our ROP chain?

  • We can only execute one gadget (the one whose address overwrote the saved return address)
  • Use that one gadget to make the stack pointer point to the memory location of our chain

If a register points to our ROP chain:
xchg eax, esp ; ret // swap eax and esp: esp now holds the address of our ROP chain, and the ret starts it

If the chain is somewhere else on the stack:
add esp, 0x100 ; ret // move esp forward to where our ROP chain lies

Or, in general:
mov esp, 0x12345 ; ret // set esp to a known address (e.g. a non-randomized buffer)
pop esp ; ret // load esp from the next word on the stack, which we control
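The chain layout from the "characteristics" card and the pivot from this one, as an added example that is not part of the original slides. Rather than running real machine code (which would depend on the host's architecture and mitigations), it models a 32-bit process as a few registers plus a small memory window and gives the gadgets made-up addresses; all addresses, the chain buffer and the stack contents are constructed for the simulation. The interesting part is the data: the "shellcode" is nothing but gadget addresses and the arguments they pop, and the first gadget (xchg eax, esp ; ret) moves esp from the uncontrolled stack to the buffer eax points at. G_STOP stands in for the final libc call (e.g. mprotect()) that a real chain would end with.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Word-granular model of a 32-bit process. Assumption: all addresses below are
 * constructed for the simulation and stand in for real program/libc addresses. */
#define MEM_BASE  0x0804a000u
#define MEM_WORDS 64
typedef struct { uint32_t eax, ebx, esp, eip; uint32_t mem[MEM_WORDS]; int fault; } cpu_t;

/* "Addresses" of the gadgets we pretend to have found with a gadget finder. */
#define G_XCHG_EAX_ESP_RET 0x08048100u   /* xchg eax, esp ; ret   (the pivot) */
#define G_POP_EAX_RET      0x08048110u   /* pop eax ; ret */
#define G_POP_EBX_RET      0x08048120u   /* pop ebx ; ret */
#define G_ADD_ESP_8_RET    0x08048130u   /* add esp, 8 ; ret      (skips two words, like pop/pop/ret) */
#define G_STOP             0x08048140u   /* stands in for the final call that ends the chain */

static uint32_t *word(cpu_t *c, uint32_t addr)
{
    uint32_t idx = (addr - MEM_BASE) / 4;
    if (addr < MEM_BASE || idx >= MEM_WORDS || (addr & 3)) { c->fault = 1; return &c->mem[0]; }
    return &c->mem[idx];
}
static uint32_t pop32(cpu_t *c) { uint32_t v = *word(c, c->esp); c->esp += 4; return v; }
static void     ret(cpu_t *c)   { c->eip = pop32(c); }   /* every gadget ends with this */

/* Run gadgets until G_STOP. Returns how many ran (counting G_STOP), or -1 if eip
 * ever lands on something that is not a gadget or memory access faults. */
int run_chain(cpu_t *c, int max_steps)
{
    for (int steps = 1; steps <= max_steps; steps++) {
        switch (c->eip) {
        case G_XCHG_EAX_ESP_RET: { uint32_t t = c->eax; c->eax = c->esp; c->esp = t; ret(c); break; }
        case G_POP_EAX_RET:      c->eax = pop32(c); ret(c); break;
        case G_POP_EBX_RET:      c->ebx = pop32(c); ret(c); break;
        case G_ADD_ESP_8_RET:    c->esp += 8;       ret(c); break;
        case G_STOP:             return steps;
        default:                 return -1;
        }
        if (c->fault) return -1;
    }
    return -1;
}

#define CHAIN_ADDR (MEM_BASE)            /* heap buffer we filled; eax points here (assumption) */
#define STACK_ADDR (MEM_BASE + 40 * 4)   /* where the overflowed frame's saved eip was */

/* Lay out the "shellcode": gadget addresses and their arguments only, no instructions. */
void build_scenario(cpu_t *c)
{
    static const uint32_t chain[] = {
        G_POP_EAX_RET,   0x1000,                   /* eax = 0x1000 (an argument, e.g. a length) */
        G_ADD_ESP_8_RET, 0xcccccccc, 0xcccccccc,   /* two junk words skipped, never used */
        G_POP_EBX_RET,   0x7,                      /* ebx = 7 (e.g. PROT_READ|PROT_WRITE|PROT_EXEC) */
        G_STOP
    };
    memset(c, 0, sizeof *c);
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++)
        *word(c, CHAIN_ADDR + 4 * i) = chain[i];
    /* State right after the vulnerable function's own ret consumed our overwritten saved eip:
     * eip is the one gadget we control, esp points at uncontrolled stack data, eax at the chain. */
    c->eip = G_XCHG_EAX_ESP_RET;
    c->esp = STACK_ADDR + 4;
    c->eax = CHAIN_ADDR;
    *word(c, c->esp) = 0xdeadbeef;   /* whatever the caller left there; irrelevant once we pivot */
}

int main(void)
{
    cpu_t c;
    build_scenario(&c);
    int n = run_chain(&c, 16);
    printf("gadgets run: %d  eax=0x%x ebx=0x%x esp=0x%x\n", n, c.eax, c.ebx, c.esp);
    return 0;
}
```

Without the pivot the same setup dies after a single gadget: start it at G_POP_EAX_RET instead and the ret pops whatever is at STACK_ADDR + 8 into eip, which is not a gadget. That is the "can only execute one gadget" situation the card describes.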

Where can we take gadgets from?

  • The program code
    • Static location in memory (if not PIE)
    • Needs to be large enough to contain enough useful gadgets
  • Shared library code (libc etc.)
    • "Universal gadget library", because it is very big
    • Sadly, its base address is not guessable (randomized by ASLR even when the program itself is not PIE), so it must be leaked first

What does ROP shellcode usually consist of?

ROP shellcode usually consists of:

  • Libc calls
    • malloc() / mprotect() (e.g. to make memory holding real shellcode executable)
  • Preparations for those libc calls
    • set up registers and stack arguments
    • leak data to defeat ASLR
  • Skipping of gadget arguments on the stack (pop/pop/ret)
  • And even "plain ASM (assembler)" (e.g. jmp)

What is the problem with ROP?

  • ROP is very inefficient
  • Needs a lot of gadgets
  • Not suitable for implementing complete shellcode in it

Solution: multi-stage shellcode (use a small ROP chain only to make memory executable and jump to conventional shellcode)