
Return Oriented Programming (ROP)

From NetSec

Return Oriented Programming (also known as ROP) is used in buffer overflow payloads to defeat DEP (a non-executable stack). Instead of injecting code, the attacker overwrites the stack with a sequence of addresses of code that is already executable: library functions and short instruction sequences that end in ret (called gadgets). Each ret then transfers control to the next address in the sequence. It is very similar to writing a call stack by hand.

Theory

On 32-bit x86 with the cdecl calling convention, the caller pushes the arguments right to left and then executes call, which pushes the return address and jumps to the function:

push $arg2
push $arg1
call function

On entry the callee therefore sees the return address at [%esp], arg1 at [%esp+4] and arg2 at [%esp+8].

Because the ret instruction behaves like pop %eip (it loads %eip from the top of the stack and adds 4 to %esp), it is also possible to enter a function this way. Note the extra slot: call would have pushed a return address, so a function entered with ret must find one on top of its arguments, otherwise it treats arg1 as its return address and arg2 as its first argument:

push $arg2
push $arg1
push return_address
push pointer_to_function
ret

When calling multiple functions, the return address of each function must remove that function's arguments from the stack before control reaches the next function. A gadget such as pop; pop; ret (two pops for two arguments, followed by ret) does exactly this, and it is these short sequences ending in ret that give the technique its name:

push $func2arg2
push $func2arg1
push pointer_to_pop_pop_ret
push pointer_to_func2
push $func1arg2
push $func1arg1
push pointer_to_pop_pop_ret
push pointer_to_func1
ret

The ret enters func1, which sees the gadget address as its return address and func1arg1 and func1arg2 as its arguments. When func1 returns, the gadget pops the two arguments and its ret enters func2, which finds its own gadget and arguments laid out the same way.

When a stack buffer overflow overwrites the saved return address, the vulnerable function's own ret loads that value into %eip (or %rip on x86-64): the saved return address is simply the next dword (or qword) to be popped. Because the stack grows toward lower addresses, a payload written into memory from low to high addresses is in the reverse order of the pushes above, and since no injected code is executed, the bytes before the return address are padding rather than NOPs:

 [padding up to the saved return address][pointer_to_func1][pointer_to_pop_pop_ret][func1arg1][func1arg2][pointer_to_func2][pointer_to_pop_pop_ret][func2arg1][func2arg2]

This layout assumes the 32-bit cdecl convention, where arguments are read from the stack. On x86-64 the first arguments are passed in registers (%rdi, %rsi, ...), so a chain there loads them with gadgets such as pop %rdi; ret placed before each function address rather than with values placed after it.
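As an added example (not part of the original article), the following C program models the 32-bit stack and replays two payloads through it the way ret, a cdecl callee and a pop; pop; ret gadget would consume them: the layout without a return-address slot, and the chained layout described above. The addresses ADDR_FUNC1, ADDR_FUNC2, ADDR_POP2_RET and ADDR_EXIT are hypothetical constants chosen for the illustration; no real machine code runs.

```c
/* Added example, not from the original article: a model of the x86-32 stack
 * that replays a payload the way ret, a cdecl callee and a pop;pop;ret gadget
 * would consume it. The addresses are hypothetical constants; no real code runs. */
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 32
#define RET_SLOT    16          /* index of the saved return address being overwritten */
#define PADDING     0x41414141  /* "AAAA" filler before the saved return address */

/* Hypothetical addresses standing in for two libc functions, a gadget and exit(). */
enum {
    ADDR_FUNC1    = 0x08048500,
    ADDR_FUNC2    = 0x08048600,
    ADDR_POP2_RET = 0x08048700, /* gadget: pop reg; pop reg; ret */
    ADDR_EXIT     = 0x08048800
};

struct machine {
    uint32_t stack[STACK_WORDS]; /* stack[i] models the dword at base + 4*i */
    int esp;                     /* index of the dword %esp points to */
    uint32_t eip;
};

/* What each modelled function was entered with, recorded for checking. */
struct call_record { uint32_t func, arg1, arg2; };

/* ret: load %eip from [esp], then esp += 4. */
static void do_ret(struct machine *m) {
    m->eip = m->stack[m->esp++];
}

/* A two-argument cdecl callee: on entry [esp] is the return address,
 * [esp+4] is arg1 and [esp+8] is arg2. The body does not matter here;
 * it records its arguments and returns through [esp]. */
static void model_callee(struct machine *m, struct call_record *rec) {
    rec->func = m->eip;
    rec->arg1 = m->stack[m->esp + 1];
    rec->arg2 = m->stack[m->esp + 2];
    do_ret(m);
}

/* Copy a payload (memory order, lowest address first) over the saved return
 * address and the dwords above it, then set esp as it is when the vulnerable
 * function is about to execute its own ret. */
static void load_payload(struct machine *m, const uint32_t *words, int n) {
    for (int i = 0; i < STACK_WORDS; i++) m->stack[i] = PADDING;
    for (int i = 0; i < n && RET_SLOT + i < STACK_WORDS; i++) m->stack[RET_SLOT + i] = words[i];
    m->esp = RET_SLOT;
    m->eip = 0;
}

/* Execute the chain. Returns the number of functions reached before ADDR_EXIT,
 * or -1 when control lands on something that is not code (a crash). */
static int run_chain(struct machine *m, struct call_record *recs, int max) {
    int n = 0;
    do_ret(m);                           /* the vulnerable function's ret fires */
    for (;;) {
        if (m->eip == ADDR_EXIT) return n;
        if (m->eip == ADDR_FUNC1 || m->eip == ADDR_FUNC2) {
            if (n == max) return n;
            model_callee(m, &recs[n++]);
        } else if (m->eip == ADDR_POP2_RET) {
            m->esp += 2;                 /* pop; pop: discard the two arguments */
            do_ret(m);                   /* ret: into the next function address */
        } else {
            return -1;                   /* returned into an argument value */
        }
    }
}

/* Layout without a return-address slot: func1 treats its own arg1 as the
 * address to return to, reads arg2 as its first argument, and the chain crashes. */
int naive_chain(struct call_record *recs, int max) {
    static const uint32_t payload[] = {
        ADDR_FUNC1, 0x1111, 0x2222, ADDR_FUNC2, 0x3333, 0x4444, ADDR_EXIT };
    struct machine m;
    load_payload(&m, payload, sizeof payload / sizeof payload[0]);
    return run_chain(&m, recs, max);
}

/* Chained layout: each function's return slot holds the pop;pop;ret gadget,
 * which removes that function's arguments and returns into the next function. */
int rop_chain(struct call_record *recs, int max) {
    static const uint32_t payload[] = {
        ADDR_FUNC1, ADDR_POP2_RET, 0x1111, 0x2222,
        ADDR_FUNC2, ADDR_POP2_RET, 0x3333, 0x4444,
        ADDR_EXIT };
    struct machine m;
    load_payload(&m, payload, sizeof payload / sizeof payload[0]);
    return run_chain(&m, recs, max);
}

int main(void) {
    struct call_record recs[4];
    int n = naive_chain(recs, 4);
    printf("naive layout: result %d, func1 entered with arg1=%#x arg2=%#x\n",
           n, recs[0].arg1, recs[0].arg2);
    n = rop_chain(recs, 4);
    printf("gadget chain: %d function(s) reached\n", n);
    for (int i = 0; i < n; i++)
        printf("  %#x(%#x, %#x)\n", recs[i].func, recs[i].arg1, recs[i].arg2);
    return 0;
}
```

In the naive layout func1 is entered with arg1 shifted by one slot and then returns into the value 0x1111, which is data, not code. In the chained layout both functions receive the intended arguments and control ends at ADDR_EXIT, which is the behaviour the payload layout above relies on.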