Ret2ret

The main goal of this technique is to try to bypass ASLR by abusing an existing pointer in the stack.

Basically, stack overflows are usually caused by strings, and strings end with a null byte at the end in memory. This allows to try to reduce the place pointed by na existing pointer already existing n the stack. So if the stack contained 0xbfffffdd, this overflow could transform it into 0xbfffff00 (note the last zeroed byte).

If that address points to our shellcode in the stack, it's possible to make the flow reach that address by adding addresses to the ret instruction util this one is reached.

Therefore the attack would be like this:

• NOP sled

• Shellcode

• Overwrite the stack from the EIP with addresses to ret (RET sled)

• 0x00 added by the string modifying an address from the stack making it point to the NOP sled

Following this link you can see an example of a vulnerable binary and in this one the exploit.

Ret2pop

In case you can find a perfect pointer in the stack that you don't want to modify (in ret2ret we changes the final lowest byte to 0x00), you can perform the same ret2ret attack, but the length of the RET sled must be shorted by 1 (so the final 0x00 overwrites the data just before the perfect pointer), and the last address of the RET sled must point to pop <reg>; ret. This way, the data before the perfect pointer will be removed from the stack (this is the data affected by the 0x00) and the final ret will point to the perfect address in the stack without any change.

Following this link you can see an example of a vulnerable binary and in this one the exploit.

References

• https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md