Return Oriented Programming (ROP)
From NetSec
Return Oriented Programming (also known as ROP) is used in buffer overflow payloads to defeat DEP. It is very similar to writing a call stack by hand.
Theory
In linked binary executables (32-bit x86 in AT&T syntax, with arguments passed on the stack), the assembly sequence for calling a function is:

    push $arg2          # arguments are pushed right to left
    push $arg1
    call function       # pushes the return address, then jumps to function
Because the ret instruction behaves like pop %eip, a function can also be entered this way:

    push $arg2
    push $arg1
    push $return_address     # the callee expects its return address at the top of the stack on entry
    push pointer_to_function
    ret                      # pops pointer_to_function into %eip
When calling multiple functions, every callee still expects a return-address slot above its arguments, and func1's arguments have to be removed from the stack before control reaches pointer_to_func2. func1's return slot therefore holds the address of a short code sequence that pops two dwords and then executes ret (discard_two below is a placeholder for that address):

    push $func2arg2
    push $func2arg1
    push $func2_return       # placeholder: where func2 returns when it finishes
    push pointer_to_func2
    push $func1arg2
    push $func1arg1
    push discard_two         # func1 returns here; pop, pop, ret then lands on pointer_to_func2
    push pointer_to_func1
    ret                      # enters func1 with its arguments in place
When a stack buffer overflow overwrites the saved return address, the function's ret loads that dword (into %eip on 32-bit) or qword (into %rip on 64-bit) exactly as if it had been pushed there. Because the control transfer comes from ret, the overflow payload can be laid out like the stack built by hand above. Written in memory order, lowest address first, the payload looks like:

    [nops/padding up to the saved return address][pointer_to_func1][discard_two][func1arg1][func1arg2][pointer_to_func2][func2_return][func2arg1][func2arg2]

This is the 32-bit layout; 64-bit calling conventions pass the first arguments in registers, so the stack layout differs.
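The following is an added teaching model, not code from the NetSec article: it represents the 32-bit stack as a list of dwords (lowest address first) and traces what each callee observes as ret pops dwords into %eip, first for a layout that places each function pointer directly before its arguments and then for one with a return-address slot per callee. FUNC1, FUNC2, POP2_RET, 0xBAD and the argument values are constructed placeholders, not real addresses.

```python
# Added teaching model of 32-bit `ret` semantics; not code from the NetSec page.
# The stack is a list of dwords, lowest address first; esp is an index into it.
# `ret` pops stack[esp] into eip.  A cdecl callee expects its return address at
# [esp], arg1 at [esp+4] and arg2 at [esp+8] on entry.  All values below are
# constructed placeholders, not real addresses.
FUNC1, FUNC2 = 0xF1, 0xF2      # stand-ins for two function pointers
POP2_RET = 0xA0                # stand-in for a "pop; pop; ret" sequence
CRASH = "crash"


def trace(stack, max_steps=16):
    """Return what each callee observes as (func, return_slot, arg1, arg2).

    A callee's own `ret` pops its return slot, so the loop simply continues
    with esp still pointing at that slot.  POP2_RET discards two dwords before
    returning.  Any other value reached by `ret` is recorded as a crash.
    """
    esp, observed = 0, []
    for _ in range(max_steps):
        if esp >= len(stack):
            break
        eip = stack[esp]          # ret == pop %eip
        esp += 1
        if eip in (FUNC1, FUNC2):
            frame = stack[esp:esp + 3] + [None] * 3   # [return slot, arg1, arg2]
            observed.append((eip, frame[0], frame[1], frame[2]))
        elif eip == POP2_RET:
            esp += 2              # pop; pop; then the loop performs the ret
        else:
            observed.append((CRASH, eip))
            break
    return observed


def naive_layout():
    """Function pointer immediately followed by its arguments, no return slot."""
    return trace([FUNC1, 1, 2, FUNC2, 3, 4])


def chained_layout():
    """Each callee gets a return slot; func1's slot discards its two arguments."""
    return trace([FUNC1, POP2_RET, 1, 2, FUNC2, 0xBAD, 3, 4])


if __name__ == "__main__":
    for name, result in (("naive", naive_layout()), ("chained", chained_layout())):
        print(name, result)
```

In the naive layout func1 reads its first argument as the return address and func2's pointer as an argument, then "returns" into the value 1; in the chained layout both callees see their intended arguments.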