ROP (Return Oriented Programming)

Introduction

Some simple tips for using ROP for exploit development.

GDB

Search for the "/bin/sh" string in libc's memory, starting from the address of system. This assumes the binary is dynamically linked against libc, of course.

(gdb) print system
$2 = {<text variable, no debug info>} 0x7ffff7a91c70 <system>
(gdb) find 0x7ffff7a91c70, +999999999999, "/bin/sh"
0x7ffff7b9dc23
(gdb) x /s 0x7ffff7b9dc23
0x7ffff7b9dc23: "/bin/sh"
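
The same search done from inside a running process, as an added example that is not part of the original post: it resolves system with ctypes (gdb's print system), reads /proc/self/maps so the scan is bounded to libc's own readable mappings rather than a huge raw length, and scans all of libc rather than only upward from system. It assumes Linux with /proc mounted and a libc that exports system.

```python
import ctypes
import re

# dlopen(NULL): resolve `system` from whatever libc this Python process already links
LIBC = ctypes.CDLL(None)


def symbol_address(name):
    """Runtime address of an exported libc function, like gdb's `print system`."""
    return ctypes.cast(getattr(LIBC, name), ctypes.c_void_p).value


def libc_readable_ranges(anchor, maps_path="/proc/self/maps"):
    """(start, end) of every readable mapping backed by the file that contains `anchor`."""
    entries = []
    with open(maps_path) as fh:
        for line in fh:
            # address range, perms, offset, dev, inode, optional pathname
            m = re.match(r"([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$", line)
            if m:
                entries.append((int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    path = next(p for s, e, _perm, p in entries if s <= anchor < e)
    return [(s, e) for s, e, perm, p in entries if p == path and perm[0] == "r"]


def find_in_libc(needle=b"/bin/sh"):
    """Scan libc's readable pages for `needle`; return (address, offset_from_system) or None."""
    system_addr = symbol_address("system")
    for start, end in libc_readable_ranges(system_addr):
        blob = ctypes.string_at(start, end - start)  # copy the mapping out, like gdb's `find`
        idx = blob.find(needle)
        if idx >= 0:
            addr = start + idx
            return addr, addr - system_addr  # the offset is what survives ASLR between runs
    return None


def read_cstring(addr, limit=64):
    """Equivalent of gdb's `x /s addr`: bytes up to the first NUL."""
    return ctypes.string_at(addr, limit).split(b"\0", 1)[0]


if __name__ == "__main__":
    addr, off = find_in_libc()
    print(f"system  @ {symbol_address('system'):#x}")
    print(f"/bin/sh @ {addr:#x} (system {off:+#x}) -> {read_cstring(addr)!r}")
```

The offset printed next to the address is the libc-internal distance between system and the string, which stays constant across runs even though ASLR moves the base.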

Tutorials

My favorite ROP tutorial https://www.exploit-db.com/docs/28479.pdf

ROP example https://www.exploit-db.com/papers/13204/

ROP example http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html

ROP Utilities

ROP gadget finder http://shell-storm.org/project/ROPgadget/

ROPeMe, very simple setup – https://github.com/packz/ropeme

Demo

Visit one of my previous Protostar challenge write-ups, where I demonstrate the use of ropeme.

Thank you
