Cyber Training Guide
0x5: ROP

Last updated 1 year ago

Return Oriented Programming (ROP) is the construction of payloads that reuse code already present in the binary, together with control of the instruction pointer, to execute that code in an order the program never intended and achieve a desired result.

ROP is primarily a 64-bit technique. Performing a ROP exploit involves building a chain of gadgets, which are short snippets of instructions that already exist in the binary and end in a ret instruction. Because each gadget ends in ret, the CPU pops the next address off the stack when the gadget finishes, so a sequence of gadget addresses placed on the stack runs one after another, loading registers with the desired values, until the desired result is achieved.

Why is ROP not used on 32-bit?

The primary use of ROP is to load registers with the values that will be passed to functions. In 32-bit binaries, function parameters are passed on the stack, so careful placement of values on the stack is enough to pass parameters. In 64-bit binaries, parameters are passed in registers, so ROP gadgets are needed to load those registers with the desired values before the function is called.

ROP is a difficult technique to master, but a powerful one. It relies on a buffer overflow, because we need to be able to overwrite the return address, and it relies on suitable gadgets existing in the binary, which is not always the case. When both conditions are met, however, it is very effective.
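To make the gadget and register-loading ideas above concrete, here is an added toy example (not code from this guide or from ROP Emporium): it scans a constructed byte string for `pop <reg>; ret` gadgets, lays out a 64-bit chain that loads rdi and rsi before reaching a function, and simulates the CPU walking that chain. All bytes and addresses are constructed, and the target function WIN is a placeholder.

```python
import struct
# Constructed stand-in for a binary's .text section (not taken from any real binary):
# push rbp; mov rbp,rsp; pop rdi; ret; pop r14; ret; pop rsi; ret; nop; ret
TEXT = bytes.fromhex("554889e55fc3415ec35ec390c3")
BASE = 0x400000   # constructed load address of TEXT
WIN = 0x401136    # constructed address of the function the chain should reach
POP_REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]  # opcodes 0x58..0x5f
def find_pop_ret_gadgets(code: bytes, base: int) -> dict:
    """Find every 'pop <reg>; ret': a one-byte pop (0x58-0x5f), optionally behind the
    0x41 REX prefix selecting r8-r15, followed by ret (0xc3). Overlapping decodings
    (pop rsi vs pop r14) are both kept, as real gadget finders do."""
    gadgets = {}
    for i, b in enumerate(code):
        if b != 0xC3 or i == 0 or not 0x58 <= code[i - 1] <= 0x5F:
            continue
        gadgets.setdefault(f"pop {POP_REGS[code[i - 1] - 0x58]}; ret", base + i - 1)
        if i >= 2 and code[i - 2] == 0x41:
            gadgets.setdefault(f"pop r{8 + code[i - 1] - 0x58}; ret", base + i - 2)
    return gadgets

def build_chain(gadgets: dict, args: list, target: int) -> bytes:
    """Lay out the stack as a 64-bit chain needs it: for each argument register the
    'pop reg; ret' gadget address followed by the value it should receive, then the
    target function's address for the final ret to land on."""
    chain = b""
    for reg, value in args:
        chain += struct.pack("<QQ", gadgets[f"pop {reg}; ret"], value)
    return chain + struct.pack("<Q", target)

def run_chain(chain: bytes, gadgets: dict, target: int):
    """Model the CPU from the overwritten return address onward: each ret takes the
    next qword as rip, each pop gadget consumes the qword after it into a register."""
    reg_at = {addr: name.split()[1].rstrip(";") for name, addr in gadgets.items()}
    qwords = struct.unpack(f"<{len(chain) // 8}Q", chain)
    regs, rsp = {}, 0
    while True:
        rip, rsp = qwords[rsp], rsp + 1                  # ret: rip = [rsp]; rsp += 8
        if rip == target:
            return regs, rsp                             # function entered, args in registers
        regs[reg_at[rip]], rsp = qwords[rsp], rsp + 1    # pop reg: reg = [rsp]; rsp += 8

def demo():
    # Build a chain that reaches WIN with rdi=0x1337 and rsi=0xcafe, then simulate it.
    gadgets = find_pop_ret_gadgets(TEXT, BASE)
    chain = build_chain(gadgets, [("rdi", 0x1337), ("rsi", 0xCAFE)], WIN)
    regs, consumed = run_chain(chain, gadgets, WIN)
    return gadgets, chain, regs, consumed
if __name__ == "__main__":
    print(demo())
```

The simulated registers at the moment WIN is reached are exactly the first two System V argument registers, which is the 64-bit reason a chain of gadgets, rather than stack placement alone, is needed.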

The Challenges

All the challenges in this section are sourced from ROP Emporium. It is the best resource I know for learning ROP. The challenges I host are the 64-bit editions of these challenges.

There are 8 challenges on the site, but I only cover the first five. They are more than enough to understand ROP. Frankly, the last three are really hard! If you want to challenge yourself, they're a great place to test your skills.