What you currently know

• Can recognize what is happening in a binary
• Can control RIP by overflowing a buffer if there is NO CANARY
• Can find a win function if it exists
• Can create a win function with shellcode (if NX disabled)

Of course we need more practice at these things, but it's a fine start.

My instinct is that we need to practice more shellcode and address leak parsing, but there is something else on the table that we need to practice in the PWN style first (if we're to be properly FIFO).

ROP chains... AKA Calling Conventions gone wild

Calling Conventions and PWN

We learned calling conventions and that helped us understand WHERE to put a new address:

• call sym.coolfunc
• PUSH NEXT_ADDR to stack
• At the top of the cool func we PUSH OLDRBP
• At the end of the cool func we POP OLDRBP
• At the ret instruction we POP RIP

Here is that as a diagram:

This knowledge unlocked controlling RIP.

Now we will unlock something else, Defeating NX

Calling conventions will help us not need shellcode.

The trick is called ROP chaining

Return-Oriented Programming

General Guide

• Let's suppose you need to call win(0x69, 0x420) to get the flag
• ROPgadget --binary :binaryname:
• Look for pop rdi; ret; or pop rsi; ret; or anything that can help you alter rdi, rsi
• Collect the offsets of those "gadgets" into your solve script
• If PIE is on you'll need to find a leak for the segment with this binary
• If you have a leak, find the beginning of that segment (by identifying what your leak is and subtracting the LEAK's forever offset from the one-time leak)
• Add the beginning of the segment to your offset and p64 / p32 that address
• Why RDI/RSI? We need arguments for calling a subroutine (e.g. system)
• Payload: BUFFER + p64(poprdiGadget) + p64(0x69) + p64(poprsiGadget) + p64(0x420) + p64(win)