Karten 11 Karten
Lernende 0 Lernende
Sprache English
Stufe Universität
Erstellt / Aktualisiert 24.06.2019 / 24.06.2019
Lizenzierung Keine Angabe
0 Exakte Antworten 11 Text Antworten 0 Multiple Choice Antworten
Fenster schliessen

What does ROP stand for?

Return Oriented Programming (ROP)

Fenster schliessen

What are gadgets and how are they used?

What is ROP

Smatly chain gadgets together to execute arbitrary code


  • Some sequence of code, followed by a RET
Fenster schliessen

How can you find gadgets?

How to find gadgets:

  • Search in code section for byte 0xc3 (=ret)
  • Go backwards, and decode each byte
  • For each byte:
    • Check if it is a valid x32 instruction
    • If yes: add gadget, and continue
    • In no: continue
Fenster schliessen

What are the characteristics of a ROP chain?

  • Call/ret's can be chained
  • Arbitraru code exectuion with no code uploaded
  • "Shellcode" consists of:
    • Adresses of gadgets
    • Arguments for gadgets (addresses, or immediates)
    • NOT: assembler instructions
Fenster schliessen

What is stack pivoting?

Whatn if the ESP (Stack Pointer) does not point to our rop chain?

  • Can only execute one gadget
  • Use it to let the stack point to another memory location

If a register points to our ropchain
xchg eax, esp // change the content of the esp to the value in the eax, which points to our rop chain


If its somewhere else on the stack:
add esp, 0x100 // increment the esp to point to our ropchain

Or, in general:
mov esp, 0x12345
pop esp

Fenster schliessen

Where can we take gadgets from?

  • The program code
    • Static location in memory (if not PIE)
    • Need to be of size to have enough gadgets
  • Shared library code (LIBC etc.)
    • "Universal gadget library", because its very big
    • Sadly, non-guessable base location (ASLR'd even without PIE)
Fenster schliessen

What does ROP shellcode usualy consist of?

ROP shellcode usually consists of:

  • Libc calls
    • malloc() / mprotect()
  • Prepartations of libc calls
    • set up registers
    • read data to defeat ASLR
  • Skipping of shellcode arguments (pop/pop/ret)
  • And even "plain ASM (Asembler)" (e.g. jmp)
Fenster schliessen

What is the problem with ROP?

  • ROP is very inefficient
  • Needs a lot of gadgets
  • Neo suitable to implement complete shellcode in it

Solution: Multi Stage Shellcode