All about ROP Chain

What is ROP?

  • Return Oriented Programming
  • Allows us to call other functions through buffer overflows

What is ROP Chain?

  • Bunching together multiple snippets of assembly code to perform desired behavior
  • Usually called chaining
  • Snippets often called gadgets, generally used for setting parameters to functions

Return to Libc

  • Extremely common ROP Chain
  • Takes advantage of GOT to call function from libc
  • ASLR does not randomize GOT entries (but PIE does). 

End Result: We can call functions to get a shell or read from memory/disk!

What to Look For? 

We'll be working with return-to-what from downunderctf - Download PWNTOOLS

Clear indication that ROP of some kind works

Further Analysis

We'll be working with return-to-what from downunderctf - Download PWNTOOLS

Exploit Concept

We'll be working with return-to-what from downunderctf - Download PWNTOOLS

  1. Overwrite up until RET 
  2. Leak the address of PUTS through the GOT Table
  3. Given the offset of system, calculate where system is in LIBC
  4. Find where bin/sh is in libc
  5. Construct ROP attack
    • Returning to System, with param "/bin/sh"
  6. Jump to vuln and execute buffer overflow with ROP attack.

Finally...Exploiting!

We'll be working with return-to-what from downunderctf - Download PWNTOOLS

  1. Overwrite up until RET 
  2. Leak the address of PUTS through the GOT Table
  3. Given the offset of system, calculate where system is in LIBC
  4. Find where bin/sh is in libc
  5. Construct ROP attack
    • Returning to System, with param "/bin/sh"
  6. Jump to vuln and execute buffer overflow with ROP attack.

Finally...Exploiting!

We'll be working with return-to-what from downunderctf - Download PWNTOOLS

pwn template --host=<enter address> --port=<port> return-to-what > return-to-what.py

ROP ROP ROPPITY

By Ragnar Security

ROP ROP ROPPITY

All about rop chain exploits.

  • 143