An exploitation technique typically employed when a stack-based buffer overflow vulnerability exists. It consists of identifying "gadgets": short sequences of CPU instructions already present in the program or its loaded libraries that end with a `ret` instruction. Because each `ret` pops the next address off the attacker-controlled stack, several gadgets can be "chained" together, and an attacker can achieve arbitrary code execution.
A few examples of this technique include:
- Write data to memory and execute '/bin/bash' with the `execve` syscall
- Call a libc function (ret2libc)
- Use a `call <reg>` or `jmp <reg>` instruction to pass execution to shellcode (ret2reg)
- Use a syscall to map writable memory, write the shellcode to that memory region, and then execute it
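To make the "chaining" mechanism concrete, here is an added illustration (not from the original page or any of the listed resources): a toy model of how the first example above, an `execve` chain, is consumed on x86-64. Each `ret` loads the next chain entry into the instruction pointer, and each `pop` takes its argument from the chain; the gadget addresses and the address of the '/bin/bash' string are constructed values, not real binary offsets.

```python
# Added illustration of ROP chain consumption; addresses are constructed for
# the example and are not real binary offsets.
from typing import Dict, List, Tuple

# Each gadget is a short list of "instructions" that ends in ret.
GADGETS: Dict[int, List[str]] = {
    0x401111: ["pop rdi", "ret"],
    0x401222: ["pop rsi", "ret"],
    0x401333: ["pop rdx", "ret"],
    0x401444: ["pop rax", "ret"],
    0x401555: ["syscall", "ret"],
}
BIN_BASH = 0x404000   # constructed: where the '/bin/bash' string would sit in .data
SYS_EXECVE = 59       # x86-64 Linux execve syscall number

def run_chain(chain: List[int]) -> Tuple[dict, List[Tuple[int, List[str]]]]:
    """Consume a chain the way ret does: each ret pops the next address from the stack."""
    stack = list(chain)   # stack[0] is the value at rsp, i.e. the overwritten return address
    regs = {"rdi": 0, "rsi": 0, "rdx": 0, "rax": 0}
    trace = []            # (gadget address, instructions) in the order they ran
    while stack:
        pc = stack.pop(0)             # ret: rip = [rsp]; rsp += 8
        insns = GADGETS.get(pc)
        if insns is None:
            raise ValueError(f"no gadget at {pc:#x}")
        trace.append((pc, insns))
        for insn in insns:
            if insn.startswith("pop "):
                regs[insn[4:]] = stack.pop(0)   # pop consumes the next chain value
            elif insn == "syscall" and regs["rax"] == SYS_EXECVE:
                return regs, trace              # execve would replace the process; stop here
            elif insn == "ret":
                break                           # next gadget address comes from the stack
    return regs, trace

def execve_chain() -> List[int]:
    """execve('/bin/bash', NULL, NULL) written as alternating gadget addresses and arguments."""
    return [
        0x401111, BIN_BASH,    # pop rdi ; ret   -> rdi = pathname
        0x401222, 0,           # pop rsi ; ret   -> rsi = argv (NULL)
        0x401333, 0,           # pop rdx ; ret   -> rdx = envp (NULL)
        0x401444, SYS_EXECVE,  # pop rax ; ret   -> rax = syscall number
        0x401555,              # syscall
    ]

if __name__ == "__main__":
    regs, trace = run_chain(execve_chain())
    for addr, insns in trace:
        print(f"{addr:#x}: {' ; '.join(insns)}")
    print(regs)
```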
Further reading and tools:
- "Introduction to return oriented programming (ROP)", Code Arcana
- "Return-Oriented Programming: Systems, Languages, and Applications", Ryan Roemer, Erik Buchanan, Hovav Shacham, Stefan Savage (Note: this is kind of difficult to read because of the screenshots, but is still worth understanding.)
- "Stack Overflow ASLR bypass using ret2reg", sickness
- "Exploit Writing Tutorial: ROP with Shellcode", Vincent Dary
- "Basic ROP Techniques and Tricks", Josiah Pierce
- "Binary exploitation: ret2libc + unknown libc", Hugo "flawwan"
- "Return Oriented Programming - Part2", Adwaith "adwait1-G" Gautham
- "64-bit Linux Return-Oriented Programming", Ben Lynn
- "Fancy ROP"
- "Exploit Development: Hands Up! Give Us The Stack! This Is a ROPpery!", Connor McGarr
- "ROPEmporium: Pivot 32-bit CTF Walkthrough With Radare2", janne808
- "Smashing the Stack Part 2 - Building the ROP Chain", Danny "malwaresec" Colmenares
  - https://malwaresec.github.io/Building-the-ROP-Chain/
  - https://github.com/MalwareSec/Building-the-ROP-Chain
- https://stackoverflow.com/a/56509454, Peter Cordes
- https://security.stackexchange.com/a/181246, Peter Cordes
- "one_gadget", david942j