Tuesday, August 30, 2011


Finding gadgets has for years been one of the big issues in writing ROP exploits. Most of the security community knew that it could be automated, but only a few started projects on gadget automation. One of the most relevant contributions to the "ROP community" has been made by vnSecurity with the ROPME tool. In the paper presented at Black Hat 2010 they show how the old advanced return-to-libc techniques can be extended to multistage techniques that bypass NX, ASLR and ASCII-Armor mapping, making ROP/return-to-libc exploitation on modern Linux x86 easy. In addition, by reusing not only code but also data from the binary itself, they can build any chained ret2libc or ROP calls to bypass ASLR protection.

As you can see from the picture, ROPME is organized as a Python shell (something like the Metasploit shell) with a few but relevant commands: "generate", "load", "search" and "shell". A particularly important feature is the "search" for ROP gadgets. "search pop ?" will search for ROP-usable pop instructions in the loaded binary. That's great, since you no longer need to search for gadgets manually with OllyDbg or IDA Pro; from now on it is an automatic process, which makes building ROP exploits easy and fast.
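To show what a search like "search pop ?" actually does under the hood, here is a small added example (my own code, not ROPME's): a minimal 32-bit x86 scanner that treats every 0xC3 byte as a candidate `ret` and walks backwards over single-byte `pop r32` opcodes, then matches a ROPME-style query against the results. The sample byte buffer and base address are constructed for the demo.

```python
# Added example, not ROPME's code: a minimal x86 (32-bit) "pop ... ; ret" gadget
# scanner, illustrating the kind of search behind ROPME's "search pop ?".
# Only single-byte opcodes are decoded:
#   0x58-0x5F  pop eax/ecx/edx/ebx/esp/ebp/esi/edi
#   0xC3       ret
# Real tools use a full disassembler; this is just enough to show the idea.

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample "code" (not from any real binary):
#   nop ; pop ebx ; pop esi ; pop edi ; ret ; xor eax,eax ; ret ; pop ebp ; ret
SAMPLE_CODE = bytes([0x90, 0x5B, 0x5E, 0x5F, 0xC3, 0x31, 0xC0, 0xC3, 0x5D, 0xC3])
SAMPLE_BASE = 0x08048000  # assumed load address for the demo

def find_pop_ret_gadgets(code, base=0, max_pops=4):
    """Return (address, mnemonics) for every 'pop r32 ; ... ; ret' sequence.
    x86 code is not aligned, so every 0xC3 byte is a candidate ret (some will
    be bytes inside longer instructions; a full disassembler would filter those).
    Every suffix is emitted, so 'pop edi ; ret' and 'pop esi ; pop edi ; ret'
    both appear as separate gadgets."""
    gadgets = []
    for ret_off, byte in enumerate(code):
        if byte != 0xC3:
            continue
        start = ret_off
        while start > 0 and ret_off - start < max_pops and 0x58 <= code[start - 1] <= 0x5F:
            start -= 1
        if start == ret_off:
            continue  # bare ret, no pops before it
        for s in range(start, ret_off):
            mnems = ["pop " + REGS[code[i] - 0x58] for i in range(s, ret_off)] + ["ret"]
            gadgets.append((base + s, " ; ".join(mnems)))
    return gadgets

def search(gadgets, pattern):
    """Match a ROPME-style query such as 'pop ?' or 'pop ebx ; ret' against the
    start of each gadget; '?' is a wildcard for the operand."""
    want = [p.strip().split() for p in pattern.split(";")]
    hits = []
    for addr, text in gadgets:
        have = [t.split() for t in text.split(" ; ")]
        if len(have) < len(want):
            continue
        if all(w[0] == h[0] and (len(w) < 2 or w[1] == "?" or w[1:] == h[1:])
               for w, h in zip(want, have)):
            hits.append((addr, text))
    return hits

if __name__ == "__main__":
    for addr, text in search(find_pop_ret_gadgets(SAMPLE_CODE, SAMPLE_BASE), "pop ?"):
        print(f"0x{addr:08x}: {text}")
```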

If you want to download ROPME's code, you can find it here. If you are interested in the slides, they are downloadable here, and if you want to know more about ROPME, take a look at the original paper here.

Enjoy ROPping !
