ROP still requires the ability to overwrite the stack, so it does not bypass Stack Smashing Protection. ROP also cannot bypass ASLR by itself, because the exploit needs the addresses of code in the target program's code section.
I will be using the following target program, executed with a Non-Executable Stack enabled, to demonstrate ROP.
Since the program stack is marked Non-Executable, I cannot store the exploit code on the stack; instead I will reuse the functions already defined in the program code.
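The three mitigations named above (stack protector, ASLR via position-independent code, and a non-executable stack) are all visible in the binary itself. The following Python script is an added example, not part of the original post or its target program: it reads the ELF64 header and program headers directly and reports whether the `PT_GNU_STACK` segment is marked executable, whether the file is `ET_DYN` (a PIE executable, so ASLR applies to its code), and, as a heuristic, whether the `__stack_chk_fail` symbol name appears in the file. The sample ELF images are constructed in the script so it runs offline; the `build_sample_elf` helper and all its values are assumptions for the demonstration.

```python
import struct
import sys

# ELF constants (from the ELF64 specification)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def build_sample_elf(e_type, stack_flags, with_canary_symbol):
    """Construct a minimal, non-runnable ELF64 little-endian image for testing.
    Constructed sample data: one ELF header plus two program headers."""
    phnum = 2
    # e_ident: magic, ELFCLASS64, little-endian, EV_CURRENT, padding
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine (62 = x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        e_type, 62, 1, 0x1000, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    # PT_LOAD: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0, 0, 0x1000, 0x1000, 0x1000)
    # PT_GNU_STACK: its p_flags decide whether the stack is mapped executable
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    tail = b"__stack_chk_fail\x00" if with_canary_symbol else b"\x00" * 17
    return ehdr + phdrs + tail


def check_mitigations(data):
    """Return a dict describing NX stack, PIE and stack-protector evidence in an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    nx_stack = None  # None: no PT_GNU_STACK header, so the kernel default applies
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx_stack = not bool(p_flags & PF_X)

    return {
        # An ET_DYN main executable is position independent, so ASLR randomizes its code addresses
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        # Heuristic: a canary-protected binary imports __stack_chk_fail from libc
        "stack_protector": b"__stack_chk_fail" in data,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        # Constructed hardened sample: PIE, non-executable stack, canary symbol present
        image = build_sample_elf(ET_DYN, PF_R | PF_W, True)
    for name, value in check_mitigations(image).items():
        print(f"{name:16s} {value}")
```

Run it against a real binary with `python3 check_mitigations.py ./target` (file name assumed). Note that `ET_DYN` is also the type of shared libraries, so the PIE result is only meaningful for a main executable, and the string scan is evidence rather than proof that every function is instrumented with a canary.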
The disassembled code for function1 and read_from_input is given below. At address 0x1171 there is a movq instruction that stores a constant value onto the stack.
In Return Oriented Programming, the injected code is constructed by chaining together pieces of the target program's own code. Such instruction sequences are called gadgets in ROP terminology; each gadget performs a specific task and ends with a c3 (ret) instruction, which gives the technique its name.
In the instruction sequence 5f c3, 5f pops a value from the stack into %rdi, and c3 (ret) pops the next value from the stack, treats it as a memory address and continues execution at that address. Let's look at a ROP exploit that executes this instruction sequence, or in ROP terminology, a single gadget.
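To make the stack consumption of `5f c3` concrete, here is an added example, not code from the original post: a two-opcode model of the x86-64 `pop %rdi` and `ret` instructions stepped over a constructed list of 64-bit stack words. It shows why a gadget that ends in `ret` reads its next instruction pointer from the stack, which is exactly why the ability to overwrite the stack remains a prerequisite. The opcode names, the stack values and the starting `rip` are constructed for the demonstration.

```python
# Constructed model of the only two opcodes the gadget 5f c3 uses.
POP_RDI = 0x5F  # pop %rdi: load the word at %rsp into %rdi, then %rsp += 8
RET = 0xC3      # ret: load the word at %rsp into %rip, then %rsp += 8
WORD = 8


def step_gadget(gadget_bytes, stack_words, rip):
    """Execute one gadget (a byte sequence ending in ret) over a list of
    64-bit stack words, where stack_words[0] is the word at %rsp.
    Returns the resulting register state and the number of stack bytes consumed."""
    regs = {"rip": rip, "rdi": None}
    rsp = 0  # index into stack_words; popping moves toward higher addresses
    for op in gadget_bytes:
        if op == POP_RDI:
            regs["rdi"] = stack_words[rsp]
            rsp += 1
        elif op == RET:
            # ret takes its target from the stack, so whoever controls these
            # words controls where execution continues
            regs["rip"] = stack_words[rsp]
            rsp += 1
            break
        else:
            raise ValueError(f"opcode {op:#04x} is not modelled here")
    else:
        raise ValueError("gadget did not end in ret")
    return regs, rsp * WORD


if __name__ == "__main__":
    # Constructed stack contents: an argument word followed by a return target
    stack = [0x4141414141414141, 0x0000000000001171]
    regs, consumed = step_gadget(b"\x5f\xc3", stack, rip=0x1000)
    print(f"rdi={regs['rdi']:#x} rip={regs['rip']:#x} stack bytes consumed={consumed}")
```

The model is deliberately limited to the two opcodes the post discusses; feeding it any other byte raises an error rather than guessing at semantics.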