I’ve been talking and giving refs about Return Oriented Programming as one of the main techniques to build exploits in the current “net era” (here). Today I want only share some general principles that often people tend to confuse (writing me tons of FB messages 😛 ). Probably next days I’ll post something more on Gadgets exploiting.
Some general principles to keep in mind while thinking/using/writing about ROP.
- ROP exploiting techniques doesn’t bypass ASLR protection but contrary are really useful for bypassing DEP (NX bit).
- The ROP gadgets are little piece of code spread in executable memory found by misalign code segment.
- Since DEP (NX bit) does not allow you to execute code from stack, hijacking EIP to your gadgets means to execute Gadget’s code.
- There are many ways to use gadgets theoretically you might use gadgets to directly build on your memory a malware. ROP is Turing complete, but this takes so many time… Usually attackers use gadgets to disable DEP (NX bit) (like for example calling VirtualProtect() ) or to move the payload (typically a shellcode) into executable memory (like HEAP ).
- Every gadget must be driven from stack. So they need to return with a RETN.
- In order to move from Gadget to Gadget you have to use your ESP as your EIP. This is possible by using RETN. Here you have to remember that RETN = POP IP, which move ESP a word below (higher memory address space).
- By chaining two or more gadgets you are building a gadget’s chain which will dynamically (by meaning of directly into the memory) overwrite the right parameters the stack.
- You always need to overflow something (lets say a stack). You always need to point to your starting gadget’s chain, and you always need to put your favorite shallcode on memory.
- You might think to have two different chains of gadgets: (a) a preparatory chain which sets right values for the “execution functions” (for example VirtualProtect() ) and (b) gadgets that will effectively do what you want to do (again VirtualProtect example “(b)” ).
- Speaking about addresses, you always need to overwrite the first time EIP by overflowing, and you need to find the way to point to your ESP. You might do that by addressing directly to ESP (no ASLR) or using different techniques to JMP ESP (ASLR) like for example SEH or brute force (using NOPs).
- After the second chain of gadgets has been reached, the return address of the second gadget’s chain (VirtualProtect()) must be the starting address of your shellcode.
I hope to have given you (all of you interested on ROP) some quick answers to better understand how ROP works. In the practice you will find much more issues like “padding gadgets” (each gadget with more then one POP) little-endian convention, NULL bytes issues, chaining issues, addresses issues and so forth… As soon as I find much time I will post a simple example of ROP, hoping to further clarify Gadget’s exploiting process .