Introduction ROP - 64bits

[Stack diagram: high addresses (0x7ffff...ff) at the top, low addresses (0x00000...00) at the bottom; push and pop operations are shown moving the stack pointer.]

Stack frame layout: Local Variable | RBP | Return Addr | ...

  • Overflow of "Local Variable" will overwrite
    • RBP
    • Return Addr
    • ...

Where to return?

  • Return gadget

    • Something to load the "rdi, rsi, rdx" registers.
      Ex.: pop rdi; ret;

      Note: parameters to a function in x64 are passed (in order) in:
       - rdi (first parameter)
       - rsi (second parameter)
       - rdx (third parameter)

    • Useful function at a fixed address

Challenges

  • Objectives
    • 1st
      • Return to the "secret" function
    • 2nd, 3rd and 4th (call me for the last one)
      • Call system("/bin/bash")
  • Download
    • http://bit.ly/1XFlP4b

By Olivier Arteau