Lab 3: ROP Gadgets

In this lab you will figure out ways to analyze a binary and find ROP gadgets.

Getting Started

  1. Take a look at the ROPgadget tool. Figure out what it does.
  2. Download the binary for this week’s lab. You can also look at the source code.
    • The binary is compiled to run on a 32-bit, Ubuntu 16.04 machine. You can use the lab Linux server (given by the instructor in lab) in order to experiment with it. You should assume it will run on a computer with ASLR and the NX-bit enabled.
  3. Use ROPgadget on the binary.
  4. Also run objdump on the binary.

Analyzing the Output

  1. Using the output of ROPgadget, find at least two gadgets that you can also see in the disassembly output produced by objdump.
  2. Using the output of ROPgadget, find at least two gadgets that you can’t see in the objdump output. Why aren’t they there?
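The reason behind question 2 is that x86 instructions have variable length, so objdump decodes each instruction starting where the previous one ended, while ROPgadget tries every byte offset ending in a `ret`. The following toy script, added here as an illustration and not part of the lab or of ROPgadget, contrasts the two on a constructed five-byte sequence (not taken from lab03.c); it only understands a handful of opcodes, enough to show the effect.

```python
# Constructed x86-32 bytes (not from lab03.c). Decoded from offset 0 they are
# "mov eax, 0xc35f5e"; decoded from offset 1 they are "pop esi; pop edi; ret",
# a gadget that a linear sweep like objdump's never shows.
CODE = bytes.fromhex("b85e5fc300")

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_one(buf, off):
    """Decode one instruction from a tiny opcode subset.
    Returns (text, length) or None if the byte is not in the subset."""
    op = buf[off]
    if op == 0x90:
        return ("nop", 1)
    if op == 0xC3:
        return ("ret", 1)
    if op == 0xC9:
        return ("leave", 1)
    if 0x58 <= op <= 0x5F:                      # pop r32
        return (f"pop {REGS[op - 0x58]}", 1)
    if 0xB8 <= op <= 0xBF and off + 5 <= len(buf):   # mov r32, imm32
        imm = int.from_bytes(buf[off + 1:off + 5], "little")
        return (f"mov {REGS[op - 0xB8]}, {imm:#x}", 5)
    return None

def linear_disasm(buf):
    """objdump-style sweep: each instruction begins where the last one ended."""
    out, off = [], 0
    while off < len(buf):
        ins = decode_one(buf, off)
        if ins is None:                         # unknown byte: emit as data
            out.append((off, f"db {buf[off]:#04x}")); off += 1
            continue
        out.append((off, ins[0])); off += ins[1]
    return out

def find_gadgets(buf, max_back=8):
    """ROPgadget-style search: for every 0xC3 byte, try each start offset up to
    max_back bytes before it and keep the ones that decode cleanly onto the ret."""
    gadgets = {}
    for ret in (i for i, b in enumerate(buf) if b == 0xC3):
        for start in range(max(0, ret - max_back), ret + 1):
            ins, off = [], start
            while off < ret:
                d = decode_one(buf, off)
                if d is None:
                    break
                ins.append(d[0]); off += d[1]
            if off == ret:                      # landed exactly on the ret
                gadgets[start] = " ; ".join(ins + ["ret"])
    return gadgets

def missed_by_linear(buf):
    """Gadget start offsets that are not instruction boundaries in the sweep."""
    boundaries = {off for off, _ in linear_disasm(buf)}
    return set(find_gadgets(buf)) - boundaries

if __name__ == "__main__":
    print("objdump view:", linear_disasm(CODE))
    print("gadgets:", find_gadgets(CODE))
    print("hidden from objdump at offsets:", sorted(missed_by_linear(CODE)))
```

The sweep reports a single `mov` and no `ret` at all, yet three gadgets start inside that instruction's immediate; that overlap is exactly what the question asks you to explain.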

Compromising a binary

  1. Looking at the source code for lab03.c, determine the vulnerability.
  2. What sequence of function calls is needed in order for a shell to be spawned? What arguments do those function calls need?
  3. Design and test a ROP attack against this binary that causes it to spawn a shell.
    • Remember that because these functions require arguments, you will need to include gadgets to pop those arguments off of the stack. Check the notes on Return Chaining (under the ROP slides) if you aren’t sure what this means.
    • You can build and test your exploit piece by piece. Try to get one function call to work, test, then add another, etc.
    • Here is a very simple template for a Python file you can use to quickly develop your exploit.

Credits

The vulnerable code in this lab is derived from Introduction to return oriented programming (ROP) by Alex Reece. After you complete the lab on your own, feel free to check out his very nice tutorial at the link.