What Is ROP?
First, let's describe a gadget. A gadget is a sequence of assembly code that ends with a jump instruction, for example pop rax; ret. Jump instructions include ret, jmp, call, etc. If you use the last jump instruction of each gadget to execute many gadgets one by one, that's return-oriented programming (ROP): gadget1 -(jump)> gadget2 -(jump)> gadget3 -(jump)> ...
Gadgets exist in large numbers in the vulnerable binary executable. You need to scan the binary executable, find its gadgets, exploit a vulnerability to execute some useful gadgets, and eventually finish your attack.
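To make the definition concrete, here is an added example (not code from the original page, and unrelated to the page's bug binary) of the kind of scan the paragraph describes. It walks a constructed byte buffer, treats every ret byte (0xC3) as the end of a gadget, and decodes backwards over a handful of single-byte x86-64 instructions. The byte buffer, the toy decoder and the function names are all assumptions made for this illustration; a real tool uses a full disassembler. The point it demonstrates is why gadgets are so plentiful: x86 instructions have variable length, so bytes that the compiler emitted as the immediate of a mov decode, from an unaligned offset, as pop rdx; pop rax; ret.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 4    /* how many instructions before the final ret we walk back over */
#define TEXT_LEN  80

typedef struct {
    size_t offset;        /* byte offset where the gadget starts */
    char   text[TEXT_LEN]; /* rendered gadget, e.g. "pop rdi; ret" */
} gadget_t;

/* Constructed sample of machine code (assumption for this example, not from any real binary):
 *   48 c7 c0 5a 58 c3 00   mov rax, 0x00c3585a   <- the immediate hides "pop rdx; pop rax; ret"
 *   5f c3                  pop rdi; ret
 *   c9 c3                  leave; ret
 *   31 c0                  xor eax, eax          <- multi-byte, ignored by the toy decoder */
const uint8_t SAMPLE[] = {0x48,0xC7,0xC0,0x5A,0x58,0xC3,0x00, 0x5F,0xC3, 0xC9,0xC3, 0x31,0xC0};
const size_t  SAMPLE_LEN = sizeof SAMPLE;

/* Toy decoder: recognises a few single-byte instructions (pop/push r64, nop, leave, ret).
 * Writes the mnemonic to out and returns 1, or returns 0 for any other byte. */
static int decode_single(uint8_t b, char *out, size_t n)
{
    static const char *regs[8] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi"};
    if (b == 0xC3) { snprintf(out, n, "ret");   return 1; }
    if (b == 0xC9) { snprintf(out, n, "leave"); return 1; }
    if (b == 0x90) { snprintf(out, n, "nop");   return 1; }
    if (b >= 0x58 && b <= 0x5F) { snprintf(out, n, "pop %s",  regs[b - 0x58]); return 1; }
    if (b >= 0x50 && b <= 0x57) { snprintf(out, n, "push %s", regs[b - 0x50]); return 1; }
    return 0;
}

/* For every ret byte, walk backwards over decodable instructions and stop at an
 * unknown byte, another ret, or MAX_CHAIN instructions. One gadget (the longest
 * chain) is reported per ret. Returns the number of gadgets written to out. */
int find_gadgets(const uint8_t *buf, size_t len, gadget_t *out, int max_out)
{
    int n = 0;
    char insn[16];
    for (size_t i = 0; i < len && n < max_out; i++) {
        if (buf[i] != 0xC3) continue;
        size_t start = i;
        while (start > 0 && i - start < MAX_CHAIN && buf[start - 1] != 0xC3
               && decode_single(buf[start - 1], insn, sizeof insn))
            start--;
        out[n].offset  = start;
        out[n].text[0] = '\0';
        for (size_t j = start; j <= i; j++) {           /* render "insn; insn; ret" */
            decode_single(buf[j], insn, sizeof insn);
            if (j > start) strncat(out[n].text, "; ", TEXT_LEN - strlen(out[n].text) - 1);
            strncat(out[n].text, insn, TEXT_LEN - strlen(out[n].text) - 1);
        }
        n++;
    }
    return n;
}

/* Small accessors over the scan of SAMPLE, so results can be checked by name. */
static gadget_t found[16];
static int      found_n = -1;
static void ensure_scanned(void) { if (found_n < 0) found_n = find_gadgets(SAMPLE, SAMPLE_LEN, found, 16); }
int         sample_gadget_count(void)        { ensure_scanned(); return found_n; }
const char *sample_gadget_text(int i)        { ensure_scanned(); return i < found_n ? found[i].text : ""; }
size_t      sample_gadget_offset(int i)      { ensure_scanned(); return i < found_n ? found[i].offset : (size_t)-1; }

int main(void)
{
    int n = sample_gadget_count();
    for (int i = 0; i < n; i++)
        printf("0x%04zx: %s\n", sample_gadget_offset(i), sample_gadget_text(i));
    return 0;
}
```

Running it lists three gadgets: the unintended one at offset 3 that sits inside the mov immediate, pop rdi; ret at offset 7, and leave; ret at offset 9. Because the scan starts from every 0xC3 byte rather than from instruction boundaries, it finds sequences the compiler never meant to emit, which is exactly why a vulnerable binary of any size supplies enough gadgets for a chain.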
Implement a Real ROP Attack
Environment
Download the necessary files from here. Bug is the vulnerable binary executable. exploit_gen.c generates a binary data file called "exploit". The data file is the input of bug. exploit_gen.c may not be able to exploit the bug on your machine. Follow the steps in the next section, do your experiments, and modify exploit_gen.c.