What you currently know

• Can recognize what is happening in a binary
• Can control RIP by overflowing a buffer if there is NO CANARY
• Can find a win function if it exists
• Can create a win function with shellcode (if NX disabled)

Of course we need more practice at these things, but it's a fine start.

My instinct is that we need to practice more shellcode and address leak parsing, but there is something else on the table that we need to practice in the PWN style first (if we're to be properly FIFO).

Calling conventions...

Calling Conventions and PWN

We learned calling conventions and that helped us understand WHERE to put a new address:

• call sym.coolfunc
• PUSH NEXT_ADDR to stack
• At the top of the cool func we PUSH OLDRBP
• At the end of the cool func we POP OLDRBP
• At the ret instruction we POP RIP

Here is that as a diagram:

This knowledge unlocked controlling RIP.

Now we will unlock something else, Defeating NX

Calling conventions will help us not need shellcode.

The trick is called ROP chaining

Return-Oriented Programming

Side Quest: ROP Emporium

Let's work through the problems at: https://ropemporium.com/

Soon you will want this:

ROPgadget --binary binaryhere

The output will look something like:

Here's the big idea of ROP chains:

• You know that if the RIP points at a ret the next address is in the stack
• So what if we don't jump into a function but we jump to a single instruction RIGHT BEFORE a ret
• Then in that case we will run 1 instruction and now jump to the NEXT ADDRESS in the stack...
• So we can chain a series of instructions together in the stack...
• Which let's us sort of make shellcode, one instruction at a time
• Without needing an executable stack.

Let's solve the first 2 ROP Emporium problems together.