ROP Compiler Jeff Stewart , Veer

When developing exploits for modern x86 64-bit systems, attackers must handcraft exploits for each binary. This involves finding a vulnerability (such as a stack-based buffer overflow) and diverting control flow (overwrite return address). Modern exploits employ Return-Oriented Programming (ROP) to bypass widely deployed defenses such as WˆX. Building a ROP chain requires manual effort to find suitable gadgets out of the multitude of existing code snippets, and then chain those gadgets together in the correct order to call functions or execute injected code. x86 64-bit systems present some challenges that do not exist on other platforms. For example, the 64-bit calling convention primarily uses register arguments, as opposed to stack-pushed arguments on many 32-bit systems. This requires finding gadgets to set values in registers, instead of using an overflow to write to the stack. While many tools exist to help the various stages of exploit building, no public compiler is available to fully create these ROP chains. We present a simple ROP Compiler, developed to more easily generate ROP chains, given a binary and goal. We demonstrate our compiler on both a proof-of-concept simple binary, as well as a well-known utility, rsync. Our tool generates working ROP chains to inject and execute shellcode or call other functions.