ROP with a 2nd Stack, or This Exploit is a Recursive Fibonacci Sequence Generator
Date:
ropc is a compiler from Turing-complete ROPC-IR to x86_64 shellcode. ROPC-IR is an assembly-like source language of my own invention. The most distinguishing feature of my compiler is that the shellcode program has access to a 2nd stack, called the shellcode stack. Once you have a shellcode stack, much becomes possible, such as subroutine calls within the shellcode as well as library calls that don’t mangle the shellcode sitting on the target stack.
I presented my work at the BSides Las Vegas 2019 security conference. The following is the abstract for my talk:
While a Turing-complete set of ROP gadgets can easily be found in libc, many existing ROP compilers are not Turing-complete or do not include essential programming language constructs, such as subroutine calls.
ROPC is a proof-of-concept ROP compiler for the x86_64 architecture that achieves Turing-completeness by maintaining a second, shellcode-accessible stack, which most notably makes possible subroutine calls within the exploit itself. Turing-completeness allows shellcode to avoid suspicious behavior such as calling system(3) and to return control to the target process.
As input, ROPC accepts (i) source files written in so-called ROPC-IR, (ii) rules for translating ROPC-IR instructions to sequences of gadget addresses, and (iii) static configuration parameters about the victim process. As output, it produces a two-stage shellcode (a sequence of gadget return addresses) that can be injected onto the target process’ stack.
The distinguishing features of ROPC are its emulation of a second stack available to the ROP shellcode and its consequent support for nondestructive invocation of library and system calls (with variable parameters) as well as shellcode subroutine calls.
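The output described above is a sequence of gadget return addresses sitting on the target's stack, so from a defender's side the question is what such a stack looks like compared with a normal call chain. The following is an added example, not code from the post or from ROPC: a Python implementation of the classic "call-preceded" heuristic, which checks whether each code pointer found in a stack snapshot sits immediately after a CALL instruction (as a genuine return address would) or points into the middle of a function (as a gadget address does). The executable region, its bytes and both stack snapshots are constructed for the example; the CALL decoder covers only a simplified subset of x86_64 encodings (E8 rel32, FF /2 on a register with or without a REX.B prefix, and FF 15 disp32), which is an assumption of this example rather than a complete decoder. Because gadgets such as `pop rax; ret` consume operands from the stack, a chain interleaves pointers with data words, so the score is the density of gadget-like pointers in a sliding window rather than a run of strictly consecutive pointers.

```python
import struct

# Constructed, hypothetical executable region (not a real libc): base address and bytes.
CODE_BASE = 0x400000
CODE = bytearray(0x80)
CODE[0x10:0x15] = b"\xe8\x00\x00\x00\x00"      # call rel32        -> 0x400015 is call-preceded
CODE[0x15] = 0x90                              # nop: where a real call returns to
CODE[0x30:0x32] = b"\x58\xc3"                  # pop rax; ret      -> a gadget at 0x400030
CODE[0x40:0x42] = b"\xff\xd0"                  # call rax          -> 0x400042 is call-preceded
CODE[0x42] = 0x90
CODE[0x50:0x53] = b"\x41\xff\xd2"              # call r10 (REX.B)  -> 0x400053 is call-preceded
CODE[0x53] = 0x90
CODE[0x60:0x66] = b"\xff\x15\x00\x00\x00\x00"  # call [rip+disp32] -> 0x400066 is call-preceded
CODE[0x66] = 0x90

# Executable mappings as (base, bytes); a real checker would read these from /proc/<pid>/maps.
REGIONS = [(CODE_BASE, CODE)]


def in_code(addr, regions):
    """True if addr falls inside one of the executable regions."""
    return any(base <= addr < base + len(data) for base, data in regions)


def bytes_before(addr, n, regions):
    """The n bytes immediately preceding addr, or None if addr is not in a region or too close to its start."""
    for base, data in regions:
        if base <= addr < base + len(data):
            off = addr - base
            return bytes(data[off - n:off]) if off >= n else None
    return None


def is_call_preceded(addr, regions):
    """Simplified heuristic: does one of the supported CALL encodings end exactly at addr?
    A byte pattern that merely looks like a CALL can produce a false 'call-preceded' verdict."""
    b5 = bytes_before(addr, 5, regions)
    if b5 and b5[0] == 0xE8:                                   # E8 rel32
        return True
    b2 = bytes_before(addr, 2, regions)
    if b2 and b2[0] == 0xFF and 0xD0 <= b2[1] <= 0xD7:         # FF /2, call reg (rax..rdi)
        return True
    b3 = bytes_before(addr, 3, regions)
    if b3 and b3[0] == 0x41 and b3[1] == 0xFF and 0xD0 <= b3[2] <= 0xD7:  # REX.B call r8..r15
        return True
    b6 = bytes_before(addr, 6, regions)
    if b6 and b6[0] == 0xFF and b6[1] == 0x15:                 # FF 15 disp32, call [rip+disp32]
        return True
    return False


def scan_stack(stack, regions):
    """Classify each 8-byte word of a stack snapshot as 'data', 'call-preceded' or 'gadget-like'."""
    out = []
    for off in range(0, len(stack) - len(stack) % 8, 8):
        (val,) = struct.unpack_from("<Q", stack, off)
        if not in_code(val, regions):
            verdict = "data"
        elif is_call_preceded(val, regions):
            verdict = "call-preceded"
        else:
            verdict = "gadget-like"
        out.append((off, val, verdict))
    return out


def max_gadget_density(stack, regions, window=8):
    """Highest number of gadget-like pointers found in any window of `window` consecutive words."""
    flags = [1 if v == "gadget-like" else 0 for _, _, v in scan_stack(stack, regions)]
    return max((sum(flags[i:i + window]) for i in range(len(flags))), default=0)


def looks_like_rop_chain(stack, regions, threshold=3, window=8):
    """Flag a snapshot whose gadget-like pointer density reaches the threshold."""
    return max_gadget_density(stack, regions, window) >= threshold


# Constructed snapshots: an ordinary call chain (return addresses interleaved with locals)
# and a chain of `pop rax; ret` gadgets with the values they pop.
NORMAL_STACK = struct.pack("<8Q", 0x7FFD0000, 0x400015, 0x1234, 0x400042,
                           0x7FFD0010, 0x400053, 0x0, 0x400066)
ROP_STACK = struct.pack("<8Q", 0x400030, 0x41414141, 0x400030, 0x42424242,
                        0x400031, 0x400030, 0x43434343, 0x400031)

if __name__ == "__main__":
    for name, snap in (("normal", NORMAL_STACK), ("rop", ROP_STACK)):
        for off, val, verdict in scan_stack(snap, REGIONS):
            print(f"{name:6} +0x{off:02x}: 0x{val:016x} {verdict}")
        print(f"{name:6} density={max_gadget_density(snap, REGIONS)} "
              f"suspicious={looks_like_rop_chain(snap, REGIONS)}")
```

The check is deliberately conservative in what it treats as a CALL, so it errs toward "gadget-like"; in practice the density threshold and window are what keep false positives down on stacks that happen to hold stale code pointers, and a production checker would use a real disassembler and the process's actual mappings.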
Event Program / Slides / Video / Code