
I'm doing a basic exploitation test on a simple program with a few lines of code. I intend to exploit a buffer overflow vulnerability to perform a ROP attack. To gather the available gadgets I use the ROPgadget tool. I found a very useful gadget at an address, let's say addr; this address is the start of another legitimate instruction of the program.

Is it possible to use this gadget or not? If yes, how will the processor execute the gadget and not the legitimate instruction, knowing that they both start at the same address addr?

Ahmed

1 Answer


Short answer: yes.

Long answer:

Instructions on x86 processors vary in their length between 1 and many bytes. (This works because no instruction can be a prefix of another instruction. Much like phone numbers. See this guy for the theory behind it.)

The CPU sees everything as bytes and does not know what the compiler intended, so if you point the instruction pointer at some executable memory, the CPU does not care as long as it decodes to a valid instruction. It will then continue executing until it encounters any kind of error.

Example:

89 EB FE 40 C3

If you jump at the first byte you get:

89 EB FE 40 C3 : mov EAX, 0xC340FEEB

If you jump at the second byte, you get:

EB FE : jmp $, endless loop, will spin forever

If you jump at the third byte, you get:

FE 40 C3: INC BYTE [EAX-0x30]

If you jump at the fourth byte, you get:

40: INC EAX
C3: RET

Look, a ROP gadget! It increments EAX then returns.

Which is the "real" instruction the programmer intended? Who cares?

This whole concept is what makes ROP so easy on x86 processors. On e.g. MIPS, where you cannot jump into the middle of instructions, it's much harder to find good gadgets.

manduca
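The byte-offset decoding the answer walks through, as an added example that is not part of the original post: a toy decoder (assumed, covering only the six opcodes that occur in the answer's byte string, with no prefixes or SIB bytes) that decodes from every start offset and reports which offsets yield a sequence ending in `ret`, which is what a gadget finder does over a whole executable section.

```python
# Toy x86-32 decoder for the opcodes in the answer's byte string 89 EB FE 40 C3
# (added example, not from the original post; real tools use a full decoder).
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def _s8(b):
    """Interpret one byte as a signed 8-bit value (disp8 / rel8)."""
    return b - 256 if b >= 128 else b

def _modrm(code, i):
    """Decode a ModRM byte at code[i]: register form or [base+disp8] only."""
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    if mod == 3:
        return reg, REGS32[rm], i + 1
    if mod == 1 and rm != 4:  # rm == 4 would need a SIB byte; not handled here
        disp = _s8(code[i + 1])
        return reg, f"[{REGS32[rm]}{'-' if disp < 0 else '+'}{abs(disp):#x}]", i + 2
    raise ValueError("unsupported addressing form")

def decode_one(code, i):
    """Return (text, next_index) for the instruction starting at code[i]."""
    op = code[i]
    if 0x40 <= op <= 0x47:
        return f"inc {REGS32[op - 0x40]}", i + 1
    if op == 0xC3:
        return "ret", i + 1
    if op == 0xEB:  # jmp rel8: target is relative to the end of the instruction
        return f"jmp {i + 2 + _s8(code[i + 1]):#x}", i + 2
    if op == 0x89:  # mov r/m32, r32
        reg, dst, nxt = _modrm(code, i + 1)
        return f"mov {dst}, {REGS32[reg]}", nxt
    if op == 0xFE:  # inc/dec r/m8; the reg field selects 0 = inc, 1 = dec
        reg, dst, nxt = _modrm(code, i + 1)
        return f"{'inc' if reg == 0 else 'dec'} byte {dst}", nxt
    raise ValueError(f"opcode {op:#x} not in toy table")

def decode_from(code, start):
    """Decode linearly from `start` until a ret, a jmp, or undecodable bytes."""
    out, i = [], start
    while i < len(code):
        try:
            text, i = decode_one(code, i)
        except (ValueError, IndexError):
            break
        out.append(text)
        if text == "ret" or text.startswith("jmp"):
            break
    return out

def find_ret_gadgets(code):
    """Map each start offset to its instruction list when that list ends in ret."""
    return {s: seq for s in range(len(code))
            if (seq := decode_from(code, s)) and seq[-1] == "ret"}
```

Running `find_ret_gadgets(bytes.fromhex("89EBFE40C3"))` reports offsets 3 (`inc eax; ret`) and 4 (`ret`) as gadget starts, while offset 1 decodes to the self-jump and offsets 0 and 2 never reach a `ret`.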