Automatic construction of printable return-oriented programming payload

Abstract

Return-oriented programming is a kind of codereuse technique for attackers, which is very effective to bypass the DEP defense. However, the instruction snippet (we call it gadget) is often unprintable 1. This shortcoming can limit the ROP attack to be deployed to practice, since non-ASCII scanning can detect such ROP payload. In this paper, we present a novel method that only uses the printable gadgets, as such it can circumvent the non-ASCII detection. However, this method is non-trival because printable gadgets count for about 10 percents of all the gadgets we can find in existing code(e.g., library or program code). Additionally, not only the gadget address but also data should all be printable in our ROP payload. To construct the printable ROP payload, we propose reverse derivation method to transform original shellcode to printable ROP payload. The transformation is driven by state machines, which indicate the status of data flows. Experimental results show that our method can construct the printable ROP payload that has the same functionality as the real-world malicious shellcode, in addition, the construction process is totally automatic.