Questions tagged [rop]

Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine's memory, called "gadgets". Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.

Source: Wikipedia

33 questions
5
votes
1 answer

How does GCC's -mmitigate-rop work?

GCC 6 has a flag, -mmitigate-rop, which compiles binaries in a way that reduces the number of gadgets exploitable by ROP. The GCC documentation explaining this feature is minimal: -mmitigate-rop Try to avoid generating code sequences that contain…
forest
4
votes
1 answer

Where in a binary can '/bin/sh' be written to get a shell?

I've come across some behaviour in a CTF challenge that seems very strange and I was wondering if someone could help me understand it. The CTF challenge was the can-you-gets-me challenge in PicoCTF2018. It was a ROP challenge (32-bit), and in my…
Zack
3
votes
1 answer

Return-oriented programming: Address of system() contains NULL byte

Disclaimer: I am asking this question solely for educational purposes. I am trying to chain some function calls using return-oriented programming, exploiting a vulnerable binary which uses strcpy(). One of these function calls should be a call to…
foobar
3
votes
1 answer

Why ret2libc is not working in the below code on x86_64?

I am trying to bypass DEP in x86_64 (64 bit - ASLR OFF). I have my own vulnerable code and I have also written an exploit code with a basic ROP to jump into system() with parameter "/bin/sh", but it is not working and I don't know why. Vulnerable C…
bsdboy
3
votes
2 answers

Stack location range on linux for user process

In Linux, with ASLR enabled, is there a range of addresses where user stack address lies? What about heap, instruction addresses(text section)? In general, is it possible to look at an address and tell if it is for data or for code? I am trying to…
2
votes
2 answers

ROP executes system("/bin/sh") but does not attach to it

Here is the code: import struct buf = "" buf += "A" * 552 buf += struct.pack('
Toma
2
votes
1 answer

segmentation fault at strcpy while performing a buffer overflow

I have this code that I need to use to perform a ret2libc #include #include int main(int argc, char *argv[]) { char buf[256]; printf("buff is at:%p\n",buf); printf("%s",argv[1]); strcpy(buf, argv[1]); …
Luigi
2
votes
1 answer

How to use "jmp" in ROP

I'm trying to put together a ROP chain. I'm looking for a gadget to do the following: mov rdi, rdx ; mov rbp, rsp ; ret; But instead, I have a gadget like this : mov rdi, rdx ; mov rbp, rsp ; jmp 0x8109b3f7 So, I thought maybe I can use this…
perplex
2
votes
2 answers

Cannot build a ROP chain

My ROP exploit crashes with segmentation fault for unknown reason. This is a vulnerable code (compiled via command gcc h2.c -no-pie -fno-stack-protector -m32 -o h2): #include #include #include char string[100]; void…
Asm .
1
vote
1 answer

Rop: Handling a `push` in the middle of a gadget

In rop, often a gadget has an undesired pop or push in the middle. For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well. What about a push: What do we do to our chain to handle it? It seems to me that…
SRobertJames
1
vote
2 answers

How do attackers determine ROP gadgets remotely?

Being gadgets change per each system and architecture (do they?), how would an attacker be able to determine the offsets of various Return Oriented Programming gadgets, would an attacker first need to determine: -The operating system? -The…
1
vote
1 answer

Understanding ret2libc return address location

I recently was studying x86 buffer overflows + ret2libc attacks from https://www.ret2rop.com/2018/08/return-to-libc.html and I noticed the order is as follows: bytes to fill buffer + address of system + return address for system/address of exit +…
asd_665
1
vote
1 answer

ROP gadget for setuid(zero) - writing argument zero into the stack

Having a program vulnerable to stack based buffer overflow with setuid bit set, and want to fill the buffer with ROP gadgets. If setuid(0) is needed to spawn a shell with root privilege, then '0' would be written in the stack, so setuid() can take…
Marco_81
1
vote
0 answers

Kernel ROP crashes running OS

I was experimenting to see if I can make a ROP chain within the kernel. In the kernel debugging mode, I can make the first jump to an arbitrary gadget address without any problem. But the problem occurs after that. If I want to continue the kernel…
perplex
1
vote
1 answer

Remote Buffer Overflow w/out Memory Leak

I'm working on an exploit development challenge right now in which I've been presented with a compiled binary and I have to exploit it on a remote server. No stack protections have been enabled and ASLR is disabled. I've written the exploit…
leaustinwile