Return Oriented Programming


CSE 466 - Fall 2024

Picture yourself as a digital maestro, orchestrating a symphony of code in a vast digital realm. However, there’s a twist: you don’t get to pen down your own notes. Instead, you're given a legacy of existing code snippets, scattered across the system. This is the essence of Return Oriented Programming (ROP) exploits! Using nothing but the remnants of the system’s own code, you craft a cunning composition that dances to your own tune, bypassing modern security measures with elegance and stealth.

Each snippet is like a musical phrase, ending in a "return" instruction, whisking you off to the next snippet in your clandestine concerto. With each leap and bound, you weave a nefarious narrative, circumventing security checks and executing unauthorized actions, all while under the unsuspecting nose of the system’s defenses.

ROP is not just a hack; it’s a masterpiece of unauthorized orchestration, a ballet of borrowed instructions, choreographed with precision to achieve your clandestine objectives. With ROP, you step into a realm where every byte is a beat, and every return is a rhythm, embarking on an exhilarating journey of exploitation and discovery.


Lectures and Reading


Challenges

Overwrite a return address to trigger a win function!

Overwrite a return address to trigger a win function!

Use ROP to trigger a two-stage win function!

Use ROP to trigger a two-stage win function!

Use ROP to trigger a multi-stage win function!

Use ROP to trigger a multi-stage win function!

Leverage a stack leak while crafting a ROP chain to obtain the flag!

Leverage a stack leak while crafting a ROP chain to obtain the flag!

Craft a ROP chain to obtain the flag, now with no stack leak!

Craft a ROP chain to obtain the flag, now with no stack leak!

Craft a ROP chain to obtain the flag, now with no syscall gadget!

Craft a ROP chain to obtain the flag, now with no syscall gadget!

Utilize a libc leak to ROP with libc!

Utilize a libc leak to ROP with libc!

ROP with libc, no free leak this time!

ROP with libc, no free leak this time!

Perform a stack pivot to gain control flow!

Perform a stack pivot to gain control flow!

Perform a partial overwrite to call the win function.

Perform a partial overwrite to call the win function.

Apply stack pivoting to call the win function.

Apply stack pivoting to call the win function.

Creatively apply stack pivoting to call the win function.

Creatively apply stack pivoting to call the win function.

Perform ROP when the function has a canary!

Perform ROP when the function has a canary!

Perform ROP against a network forkserver!

Perform ROP against a network forkserver!

Perform ROP when the stack frame returns to libc!

Perform ROP when the stack frame returns to libc!


30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

Rank Hacker Badges Score