Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "Return Oriented Programming (ROP)"
From NetSec
| Line 1: | Line 1: | ||
| − | Return Oriented Programming (also known as ROP) is used in [[Buffer Overflows|buffer overflow]] [[Shellcode|payloads]] to defeat [[ | + | Return Oriented Programming (also known as ROP) is used in [[Buffer Overflows|buffer overflow]] [[Shellcode|payloads]] to defeat [[DEP]]. It is very similar to writing a call stack by hand. |
{{expand}} | {{expand}} | ||
| + | * '''Theory''' | ||
| + | In linked [[binary]] executables, [[Assembly Basics|assembly]] syntax for calling a function is: | ||
| + | {{code|text=<source lang="asm"> | ||
| + | push $arg2 | ||
| + | push $arg1 | ||
| + | call function | ||
| + | </source>}} | ||
| + | |||
| + | Because the '''ret''' instruction is similar to '''pop %eip''', it is also possible to call a function this way: | ||
| + | |||
| + | {{code|text=<source lang="asm"> | ||
| + | push $arg2 | ||
| + | push $arg1 | ||
| + | push pointer_to_function | ||
| + | ret | ||
| + | </source>}} | ||
| + | |||
| + | When calling multiple functions: | ||
| + | {{code|text=<source lang="asm"> | ||
| + | push $func2arg2 | ||
| + | push $func2arg1 | ||
| + | push pointer_to_func2 | ||
| + | push $func1arg2 | ||
| + | push $func1arg1 | ||
| + | push pointer_to_func1 | ||
| + | ret | ||
| + | </source>}} | ||
| + | |||
| + | When a [[Buffer Overflows|buffer overflow]] takes place, '''%eip''' or '''%rip''' is set to the last '''dword''' or '''qword''' pushed to the stack, respectively. This behavior originates from the return instruction (ret) and therefore one can craft their buffer overflow [[shellcode]] in a similar format to: | ||
| + | [nops][func2arg2][func2arg1][pointer_to_func2][func1arg2][func1arg1][pointer_to_func1] | ||
Revision as of 15:57, 2 May 2012
Return Oriented Programming (also known as ROP) is used in buffer overflow payloads to defeat DEP. It is very similar to writing a call stack by hand.
| This article contains too little information, it should be expanded or updated. |
|---|
Things you can do to help:
|
- Theory
In linked binary executables, assembly syntax for calling a function is:
push $arg2 push $arg1 call function |
Because the ret instruction is similar to pop %eip, it is also possible to call a function this way:
push $arg2 push $arg1 push pointer_to_function ret |
When calling multiple functions:
push $func2arg2 push $func2arg1 push pointer_to_func2 push $func1arg2 push $func1arg1 push pointer_to_func1 ret |
When a buffer overflow takes place, %eip or %rip is set to the last dword or qword pushed to the stack, respectively. This behavior originates from the return instruction (ret) and therefore one can craft their buffer overflow shellcode in a similar format to:
[nops][func2arg2][func2arg1][pointer_to_func2][func1arg2][func1arg1][pointer_to_func1]
