Return-Oriented Programming (ROP) is a technique used to control the instruction pointer (EIP) through a series of return addresses on the stack, allowing attackers to bypass security measures like ASLR and execute arbitrary code. The process involves carefully structuring function calls and utilizing 'gadgets'—short sequences of code ending in a return instruction—to achieve desired outcomes while navigating around executable space restrictions. This method is relevant in various applications such as exploits, jailbreaks, and rooting devices.

1. ROP Chaining

2. What is it?

3. • So that we can control the EIP via a series of
cleverly crafted RETs, that’s not in our control, on
the Stack and bypass ASLR, W^X etc. and finally
achieve attacker controlled code execution !
Why is it needed ?

5. Let us decode that ****
• EIP
• RETs
• Stack
• Code execution
• ASLR
• W^X

6. Basics
• Function call under the hood

7. Function call ()
• CALL = PUSH RET ADDRESS ON STACK
• { = SET UP THE STACK =
• MOVE ESP AHEAD
• PUSH EBP
• MOV ESP TO EBP

8. Function Return
• return/ } =
• 2) ret =
• return control back to the calling function = the return
address stored earlier on the stack = pop eip
• 1) leave =
• restore esp = mov ebp to esp
• restore ebp = pop ebp

9. TOS
CALL instruction
TOS
Return Address
{ = function set up
TOS
Old EBP xxxx
EBP
Old EBP
EBP
xxxx
Argument

10. Return Address
TOS
Old EBP xxxx
EBP
xxxx} = return = leave + ret
leave instruction =
1) esp = ebp
TOS
leave instruction = 2) pop ebp
TOS
ret instruction = pop esp
TOS
Return Address
EIP

11. Hence the idea
• Put things WE want on the stack so that it
eventually ends up in the EIP
• Vanilla Buffer Overflow works

12. Challenges
• Stack region should be executable (DEP/W^X)
• Address to put on stack (address of shell
code) should be known/predictable (ASLR)

13. ASLR
• What ?
• Why ?
• How ?

14. Sample
• Vulnerable to buffer overflow.
• add_bin() - adds “/bin” to a string
• add_sh() - adds “/sh” to the same string
• exec_string() - calls system(the_above_string)

15. Objective
• Get $
• Hint :
• How do we execute all 3 ()s in a sequence ?

16. Initial thoughts ?
• Address of each function is known ! Can’t we just
put them on the stack as we would for the first
function ?

17. YES, that’s the idea !
• But NO, not as directly ! WHY ?

19. What just happened ?
• We arranged the stack as we were planning to.

20. actual return address of
vulnerable_function
&add_bin()
actual return address of
add_bin()&pop;ret
argument for add_bin()
actual return address of
add_sh()
&add_sh()
&pop;pop;ret
arg1 for add_Sh()
arg2 for add_Sh()
&exec_string()
EIP
&add_bi
n()
&pop;retpopret

21. ROP-fu
• This is what is ROP chaining

22. GADGETS
• Find instructions of the format
….. RET
• This is what we call `GADGETS`
• There are automated tools to find these in
your binary

23. ACHIEVEMENT
• Use them to achieve what you want. This is one
way to bypass ASLR - actually better said as :
achieve what we want despite ASLR being
present !

24. Applications
Some rather fancy ones
• Exploits
• JailBreaks
• Rooting

25. QUESTIONS ??

26. Resources
• https://reverseengineering.stackexchange.com/questions/1992/what-is-plt-got
• https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf
• https://www.trust.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/LectureSlides/Chapter02%20-
%20RuntimeAttacks.pdf
• https://stackoverflow.com/questions/4292447/does-ret-instruction-cause-esp-register-added-by-4
• https://security.stackexchange.com/questions/37373/aslr-randomization-bss
• https://www.trustwave.com/Resources/SpiderLabs-Blog/Baby-s-first-NX-ASLR-bypass/
• https://www.rcesecurity.com/2011/12/stack-manipulation-using-pop-ret/
• https://dkalemis.wordpress.com/2010/10/27/the-need-for-a-pop-pop-ret-instruction-sequence/
• https://github.com/JonathanSalwan/ROPgadget
• https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-iii/
• https://stackoverflow.com/questions/41231637/how-does-a-function-call-work
• http://www.avrbeginners.net/new/wp-content/uploads/2011/08/avrbeginners_04_Jumps_Calls_and_the_Stack_1.0.1.pdf
• https://cs.nyu.edu/courses/fall04/V22.0201-003/ia32_chap_03.pdf
• https://stackoverflow.com/questions/16368769/return-to-call-after-jumps-in-assembly