Return Oriented Programming.

In the past CeSeNA security meetings we had focused on ROP (Return Oriented Programming) introduced by Shacham. ROP is a techniques by which W(+)X-style hardware protections (aka DEP) are evaded via carefully crafted stack frames that divert control flow into the middle of existing variable-lenght x86 instructions, creating a short new instruction streams that then return. ROP is Turing complete language and for such a reason is a powerful tool for every attacker.

This self-explanatory image has been taken from one of the most authoritative paper on such topic: “When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC “. I deeply suggest this reading to everybody interested on machine exploitation without injecting payloads to the machine, but using ROP technique. Once the %esp becomes the %eip the attacker could forge any instruction (Turing’s completeness) determining which instruction to fetch and to execute. Processor doesn’t automatically increment %esp but “ret” at the end of each instruction sequence (in a C lib, for instance) does.

For more information on this powerful exploiting technique read this, this (practical one), this and this (nice and small).