
I'm researching various buffer overflow techniques. One I have encountered and am pretty interested in at the moment is Return Oriented Programming (ROP), and the use of small groups of instructions known as gadgets.

The question: There are certain gadgets that are popular and used extensively in many exploits, for example the POP/POP/RET sequence. Is there any research or proof that the occurrence of such a gadget or its equivalents is high enough that there will always be one in most binaries? I'm looking for a certain common library or popular compiling techniques that will produce this sequence.

EDIT: In short, will POP/POP/RET and its equivalents always be in a binary?

I'm asking in the x86 context, but if there is any other lead on other platforms, do share.

1 Answer


Creating a ROP chain is a difficult, creative, laborious yet exciting process. Generally speaking, when we are using ROP, we are trying to bypass DEP. After all, if we have control of EIP and can write to and execute the stack, why not just jump to our shellcode?

With that in mind, it is important to remember that entire payloads are not, generally, written as a ROP chain. Spawning a reverse shell entirely out of ROP gadgets, while certainly possible, is likely to test the sanity of any exploit writer.

The function of a ROP chain is merely to deactivate DEP. We use ROP to turn off DEP (by adding the execute permission to the memory page that holds the stack) and then simply jump to our traditional shellcode payload.

On Windows, this is usually a case of making a VirtualProtect() system call, loaded with the correct parameters to allow execution of the stack. It has been shown that kernel32.dll alone contains appropriate gadgets for making such a call in most cases. Tools for identifying potentially useful gadgets in program code can make this process much easier. See this page for a detailed example of the process.

So whether or not a specific sequence, such as POP POP RET, is present is not all that relevant. In any program that links major libraries (which they all do), there will be more than enough gadgets to build a simple DEP deactivating ROP chain. All it takes is a bit of lateral thinking - it's like trying to build a jigsaw puzzle when every piece comes from a different box.

lynks
  • Thanks for the link. If I understand correctly, then if POP/POP/RET is not present, I can just find something equivalent, e.g. 2 POP/RETs? The same thing if I want to pop 3 things, I just need to find a POP/POP/POP/RET or something that does the same thing? – Pham Trung Nghia Mar 01 '13 at 04:04
  • Exactly, you end up building weird collections of instructions. If you wanted `POP POP RET` but were willing to allow the `ebx` register to be overwritten, you might be ok with `POP LEA ebx [eax] POP RET` or similar. Finding the precise instruction string you are looking for is a bonus, but usually you end up with something weird that does *pretty much* the same job. – lynks Mar 01 '13 at 11:31
  • Wow, thanks lynks. I actually cleared up a few things reading your answer. I'm waiting a few more days before marking yours the correct one. Cheers! – Pham Trung Nghia Mar 05 '13 at 06:09
  • @PhamTrungNghia you're welcome, the link I posted is really good. I would suggest reading the whole thing (make a coffee), along with many other posts on that site. – lynks Mar 07 '13 at 18:05
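The point made in the answer and the comments, that the exact `POP POP RET` byte string matters less than the set of sequences with the same net stack effect, can be measured directly. The following is an added example, not code from the question, the answer or any linked page: a minimal scanner over raw 32-bit x86 code bytes that decodes a deliberately tiny instruction subset (`pop r32`, `add esp, imm8`, `ret`), tries every byte offset as a start (x86 has no instruction alignment, so sequences that begin mid-instruction count), and reports every gadget that removes exactly two dwords from the stack before returning. The sample bytes are constructed for the demonstration and are not taken from any real binary; the `Gadget` type and function names are this example's own.

```python
"""
Count POP/POP/RET gadgets and their stack-equivalent forms in raw 32-bit x86 code.

Added example for the "is POP/POP/RET always present?" thread. The decoder covers
only a tiny subset (pop r32, add esp/imm8, ret); any other byte terminates a
candidate sequence, which keeps the scan exact rather than exhaustive.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET = 0xC3


@dataclass(frozen=True)
class Gadget:
    offset: int       # byte offset where the decoded sequence starts
    text: str         # disassembly of the sequence, ending in ret
    esp_delta: int    # bytes popped off the stack before the final ret


def decode_one(code: bytes, i: int) -> Optional[Tuple[int, str, int]]:
    """Decode one instruction of the subset at code[i].

    Returns (length, text, esp_delta), or None when the byte is outside the subset.
    """
    b = code[i]
    if 0x58 <= b <= 0x5F and b != 0x5C:        # pop r32; pop esp (0x5C) replaces esp, so skip it
        return 1, f"pop {REGS[b - 0x58]}", 4
    if b == 0x83 and i + 2 < len(code) and code[i + 1] == 0xC4:   # 83 C4 ib = add esp, imm8
        imm = code[i + 2]
        imm = imm - 0x100 if imm >= 0x80 else imm                 # imm8 is sign-extended
        return 3, f"add esp, {imm}", imm
    if b == RET:
        return 1, "ret", 0
    return None


def find_gadgets(code: bytes, max_insns: int = 4) -> List[Gadget]:
    """Try every offset as a start and keep sequences of at most max_insns that reach a ret."""
    found: List[Gadget] = []
    for start in range(len(code)):
        i, delta, parts = start, 0, []
        for _ in range(max_insns):
            if i >= len(code):
                break
            decoded = decode_one(code, i)
            if decoded is None:
                break                                  # byte outside the subset: not a clean gadget
            length, text, esp = decoded
            parts.append(text)
            i += length
            if text == "ret":
                found.append(Gadget(start, " ; ".join(parts), delta))
                break
            delta += esp
    return found


def pop_pop_ret_equivalents(code: bytes) -> List[Gadget]:
    """Gadgets with the same stack effect as POP/POP/RET: two dwords consumed, then ret."""
    return [g for g in find_gadgets(code) if g.esp_delta == 8]


# Constructed sample code bytes (not taken from any real binary).
SAMPLE = bytes([
    0x5B, 0x5D, 0xC3,               # pop ebx ; pop ebp ; ret         (the classic sequence)
    0x83, 0xC4, 0x08, 0xC3,         # add esp, 8 ; ret                (same stack effect, no register clobber)
    0x58, 0xC3,                     # pop eax ; ret                   (only +4, not an equivalent)
    0x5E, 0x83, 0xC4, 0x04, 0xC3,   # pop esi ; add esp, 4 ; ret      (mixed form, still +8)
    0x90, 0x90,                     # nop ; nop                       (outside the subset)
])

if __name__ == "__main__":
    for g in pop_pop_ret_equivalents(SAMPLE):
        print(f"{g.offset:#06x}: {g.text}  (esp +{g.esp_delta})")
```

Run on the sample, the scan reports three POP/POP/RET-equivalent gadgets (offsets 0, 3 and 9) although only one of them is literally `pop ; pop ; ret`, which is the answer's argument in miniature: removing or avoiding one byte pattern at compile time does not remove the capability, so defences against this class of attack rest on mitigations such as ASLR and control-flow integrity rather than on any particular sequence being absent from the binary.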