
Stack Overflow And Rop
Load when you are developing or debugging Linux stack-overflow exploits and need Blind ROP, ASLR/PIE bypass tricks, or JOP/COP chains beyond basic ROP.
Overview
Stack Overflow and ROP is an agent skill for the Ship phase (Security) that teaches Blind ROP, partial overwrite, ret2vdso, and JOP/COP code-reuse techniques for Linux stack-based exploit development.
Install
npx skills add https://github.com/yaklang/hack-skills --skill stack-overflow-and-rop
What is this skill?
- Six-phase BROP table: stack read → stop gadget → BROP gadget → PLT leak → binary dump → standard ROP
- Byte-by-byte stack offset and canary brute-force on fork-persisting services
- __libc_csu_init tail probing with six-pop-plus-ret pattern to find BROP gadgets
- PLT puts/write probing to leak .text, .got, and .dynamic for offline ROPgadget
- Companion depth on ret2vdso, partial overwrite for PIE, and JOP/COP when classic ROP fails
- Six-phase BROP attack methodology table
- Six-register pop tail pattern used to identify __libc_csu_init BROP gadgets
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You can crash a remote stack overflow but lack the binary or stable gadgets under full ASLR and PIE, so ad-hoc ROP chains keep failing.
Who is it for?
Authorized CTF players, indie security researchers, and solo builders fuzzing fork-based network services who need agent-guided Blind ROP and bypass patterns.
Skip if: Teams shipping product features without exploit authorization, or anyone seeking automated patch management instead of hands-on binary exploitation methodology.
When should I use this skill?
Load when you need Blind ROP methodology, ret2vdso for ASLR bypass, partial overwrite for PIE bypass, or alternative code-reuse paradigms (JOP/COP), with fundamental ROP from the companion SKILL.md already in context.
What do I get? / Deliverables
You execute the phased BROP workflow to leak and reconstruct the binary, then assemble ret2libc or alternative JOP/COP chains after loading the package’s fundamental ROP skill first.
- Phased BROP probe plan with stop and BROP gadget candidates
- Binary dump and leak strategy using puts or write PLT
- Final ROP, ret2libc, or JOP/COP chain outline
Journey fit
Exploit-chain methodology sits in Ship because it supports authorized security validation and hardening before production—not ideation, distribution, or day-two analytics. Security is the canonical subphase for vulnerability exploitation playbooks, ROP gadget hunting, and remote memory-leak strategies.
How it compares
Agent-side exploit methodology reference—not a SaaS SAST scanner, secure-coding linter, or passive MCP vulnerability feed.
Common Questions / FAQ
Who is stack-overflow-and-rop for?
It is for solo builders and security researchers doing authorized binary exploitation, CTF challenges, or pentests who already understand basic ROP and need advanced Blind ROP and bypass techniques.
When should I use stack-overflow-and-rop?
Use it in the Ship security phase when you need Blind ROP on a forking remote service, ret2vdso or partial overwrites against ASLR/PIE, or JOP/COP when return-oriented chains are impractical—always on targets you are allowed to test.
Is stack-overflow-and-rop safe to install?
It is educational offensive-security content; review the Security Audits panel on this Prism page and only run techniques against systems you own or have explicit permission to attack.
SKILL.md - Stack Overflow And Rop
# Advanced ROP Techniques — BROP, Partial Overwrite, JOP, COP

> **AI LOAD INSTRUCTION**: Load this when you need Blind ROP methodology, ret2vdso for ASLR bypass, partial overwrite for PIE bypass, or alternative code-reuse paradigms (JOP/COP). Assumes the main [SKILL.md](./SKILL.md) is already loaded for fundamental ROP, ret2csu, ret2dlresolve, and SROP.

---

## 1. BLIND ROP (BROP)

Exploit a remote stack overflow **without access to the binary**. Requires a service that forks (canary and ASLR layout persist across crashes).

### BROP Attack Phases

| Phase | Goal | Method |
|---|---|---|
| 1. Stack reading | Determine buffer offset + canary | Byte-by-byte brute-force (child process crash = wrong byte) |
| 2. Find stop gadget | Address that doesn't crash | Scan code section for `ret` into valid code (e.g., infinite loop, `sleep`) |
| 3. Find BROP gadget | `__libc_csu_init` gadget | Scan for 6-pop pattern: probe address, if crash after 6 pops+ret → BROP gadget |
| 4. Find puts/write PLT | Function to leak memory | Probe PLT entries: set RDI to known readable, call candidate, check for output |
| 5. Dump binary | Leak .text, .got, .dynamic | Use puts(addr) to read binary from memory page by page |
| 6. Standard ROP | Build exploit with leaked binary | ROPgadget on dumped binary, ret2libc |

### BROP Gadget Identification

The `__libc_csu_init` tail pops 6 registers then returns. Probe:

```
[overflow][canary][saved_rbp][candidate_addr][A][A][A][A][A][A][stop_gadget]
                                              rbx rbp r12 r13 r14 r15
```

If the process survives (reaches stop gadget) → candidate is a 6-pop gadget (high probability = BROP gadget).

### Trap Gadget vs Stop Gadget

- **Stop gadget**: address that causes the process to hang or respond predictably (not crash)
- **Trap gadget**: address that crashes (0x0, unmapped page) — used as a probe terminator

### PLT Identification

PLT entries are at fixed 16-byte intervals. Probe: set RDI to a known readable address, iterate PLT base + N*16, check if output appears on socket → found puts/write.

---

## 2. ret2vdso (32-bit ASLR Bypass)

The vDSO (virtual Dynamic Shared Object) is a kernel-mapped page containing optimized syscall stubs. On **32-bit Linux kernels < 3.18**, vDSO was mapped at a **fixed address** or with low entropy.

### Attack Method

1. Locate `sigreturn` gadget in vDSO (fixed or brute-forceable address)
2. Use SROP via vDSO's sigreturn to set all registers
3. Execute `execve("/bin/sh", 0, 0)` via syscall

| Kernel Version | vDSO ASLR | Entropy |
|---|---|---|
| < 2.6.18 (32-bit) | Fixed at 0xffffe000 | None |
| 2.6.18–3.17 (32-bit) | 1 page randomization | ~8 bits (256 positions) |
| ≥ 3.18 (32-bit) | Full ASLR | Same as mmap |
| 64-bit | Always randomized | Full ASLR |

**Modern relevance**: Limited to legacy 32-bit systems. On 64-bit, vDSO is fully randomized.

---

## 3. PARTIAL OVERWRITE (PIE Bypass)

When PIE is enabled, the code base is randomized but the **last 12 bits** (page offset) are always fixed. Overwriting only the lowest 1–2 bytes of a return address can redirect execution within the same page or to a nearby page.

### Technique

```
Original return address: 0x5555555551??
                         (last 12 bits = 0x1??, fixed)
Overwrite last 2 bytes:  0x555555551234 → redirect to offset 0x1234 in binary

If only last byte overwritten (no null terminator issue):
    Only 4 bits unknown (nibble brute-force = 16 attempts)
If last 2 bytes overwritten:
    Only 4 bits unknown (page alignment) = 16 attempts
```

### When to Use

| Scenario | Technique |
|---|---|
| PIE + no info leak | Partial overwrite low bytes of return address |
| PIE + one-byte overflow | Overwrite saved RBP low byte → misaligned frame → secondary leak |
| PIE + format string | Leak full PIE base first (preferred over partial overwrite) |

### Practical Notes

- Null bytes in addresses: 64-bit addresses typically contain `\x00` in upper bytes, making overflow-based overwrites write the null terminator na
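The BROP phases above only work because a forking service keeps serving while its children die one probe at a time, which is also what makes the activity loud on the defender's side. The following detector is an added example, not part of the skill or of the hack-skills project: it parses kernel segfault lines (constructed here in the form `journalctl -k -o short-iso` emits, with hypothetical host and service names) and alerts when one service image crashes many times across many distinct PIDs inside a short window. Gadget and PLT probing (phases 2–4) show up as segfaults whose faulting `ip` changes with every probe; the canary brute force in phase 1 ends in `__stack_chk_fail` → SIGABRT instead, so pair this with the service's own "stack smashing detected" stderr lines or core-dump counts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Kernel segfault report as journald prints it with ISO timestamps. The message body
# follows the x86 show_signal_msg() format; host/service names are constructed.
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+kernel:\s+(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]:\s+"
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)


def parse_segfault(line):
    """Return a dict for a kernel segfault line, or None for anything else."""
    m = SEGFAULT_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "ip": int(m["ip"], 16),
        "addr": int(m["addr"], 16),
    }


def detect_brop_probing(lines, window_s=60, min_crashes=20, min_pids=10):
    """Alert when one service image crashes >= min_crashes times from >= min_pids distinct
    PIDs within window_s seconds: many children dying while the listener stays up is the
    shape of blind gadget/PLT probing, not of a single buggy process crash-looping."""
    events = [e for e in map(parse_segfault, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_comm = defaultdict(list)
    for e in events:
        by_comm[e["comm"]].append(e)

    alerts = []
    for comm, evs in by_comm.items():
        window = deque()
        for e in evs:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_s:
                window.popleft()
            pids = {w["pid"] for w in window}
            if len(window) >= min_crashes and len(pids) >= min_pids:
                alerts.append({
                    "comm": comm,
                    "start": window[0]["ts"],
                    "crashes": len(window),
                    "distinct_pids": len(pids),
                    # many distinct faulting IPs = the probe address changes every attempt
                    "distinct_ips": len({w["ip"] for w in window}),
                })
                break  # one alert per service image; a SIEM rule would keep counting
    return alerts


def build_sample_log():
    """Constructed log: service 'netsvc' probed 40 times at 1 s intervals, plus noise."""
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ts, comm, pid, ip):
        return (f"{ts.isoformat()} srv1 kernel: {comm}[{pid}]: segfault at 0 ip "
                f"{ip:016x} sp 00007ffc3a1b2c40 error 14 in {comm}[400000+1000]")

    lines = [line(t0 - timedelta(hours=2), "netsvc", 1500, 0x400B10)]  # lone earlier crash
    lines += [line(t0 + timedelta(seconds=i), "netsvc", 2001 + i, 0x400A00 + 16 * i)
              for i in range(40)]                                    # one child per probe
    lines += [line(t0 + timedelta(minutes=5 * i), "editor", 3100 + i, 0x401000)
              for i in range(3)]                                     # benign sporadic crashes
    lines.append("2024-05-01T10:30:00+00:00 srv1 sshd[900]: Accepted publickey for ops")
    return lines


SAMPLE_LOG = build_sample_log()


def analyze_sample():
    return detect_brop_probing(SAMPLE_LOG)


if __name__ == "__main__":
    for a in analyze_sample():
        print(f"{a['comm']}: {a['crashes']} crashes from {a['distinct_pids']} PIDs "
              f"({a['distinct_ips']} distinct IPs) starting {a['start'].isoformat()}")
```

The thresholds are starting points; tune `min_crashes` to the service's normal crash rate and feed the detector a sliding view of the log rather than the whole history.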
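The ret2vdso table above lists how much the vDSO placement moves per kernel generation. The check below is an added example, not part of the skill or of the hack-skills project: it reads `/proc/<pid>/maps` text from several freshly executed processes, extracts the `[vdso]` base each time and reports how many bit positions were observed to vary, which is a lower bound on the entropy the table is talking about. The embedded maps samples are constructed (a fixed `0xffffe000` legacy layout and a randomized 32-bit layout); `sample_live()` collects real samples on a Linux host.

```python
import re
import subprocess

# One /proc/<pid>/maps line, e.g. "ffffe000-fffff000 r-xp 00000000 00:00 0   [vdso]"
VDSO_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\[vdso\]\s*$"
)


def vdso_base(maps_text):
    """Return the start address of the [vdso] mapping, or None if absent."""
    for line in maps_text.splitlines():
        m = VDSO_RE.match(line)
        if m:
            return int(m["start"], 16)
    return None


def assess_vdso_aslr(maps_samples):
    """Summarise vDSO placement across several process launches."""
    bases = [b for b in map(vdso_base, maps_samples) if b is not None]
    varying = 0
    for b in bases[1:]:
        varying |= b ^ bases[0]          # bit positions that differed from the first sample
    return {
        "samples": len(bases),
        "distinct_bases": len(set(bases)),
        "randomized": len(set(bases)) > 1,
        "varying_bits": bin(varying).count("1"),  # lower bound on observed entropy
    }


def sample_live(n=8):
    """Each exec of cat gets its own vDSO placement, so n runs give n samples (Linux only)."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True, check=True).stdout for _ in range(n)]


def maps_with_vdso(base):
    """Constructed two-line maps text with the vDSO at the given base."""
    return ("00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/cat\n"
            f"{base:08x}-{base + 0x1000:08x} r-xp 00000000 00:00 0 [vdso]\n")


# Constructed samples: the pre-2.6.18 fixed layout from the table, and a randomized 32-bit layout
LEGACY_FIXED_SAMPLES = [maps_with_vdso(0xFFFFE000)] * 4
RANDOMIZED_SAMPLES = [maps_with_vdso(b) for b in (0xB7F1A000, 0xB7F2C000, 0xB7FD4000, 0xB7F03000)]


if __name__ == "__main__":
    print("legacy fixed sample:", assess_vdso_aslr(LEGACY_FIXED_SAMPLES))
    print("randomized sample:  ", assess_vdso_aslr(RANDOMIZED_SAMPLES))
    try:
        print("this host:          ", assess_vdso_aslr(sample_live()))
    except (OSError, subprocess.CalledProcessError):
        print("this host: /proc maps not available")
```

A result of `randomized: False` on a 32-bit host is exactly the condition the ret2vdso section relies on; more samples raise `varying_bits` toward the true entropy but never above it.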
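Whether the partial-overwrite and ret2libc paths above are even on the table depends on which mitigations the binary was built with, so the first check on the defending side is to read them off the ELF headers. The script below is an added example, not part of the skill or of the hack-skills project: it parses the ELF64 header and program headers directly with `struct` (no pyelftools) and reports PIE (`e_type == ET_DYN`), NX stack (`PT_GNU_STACK` without `PF_X`) and partial RELRO (`PT_GNU_RELRO` present). It deliberately stops there: stack canaries need the symbol table and full RELRO needs `DT_BIND_NOW` from `.dynamic`, both omitted here. The `build_elf()` helper constructs header-only images for testing; they are not loadable binaries.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)[:2]
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def checksec(data):
    """Minimal hardening summary: PIE, non-executable stack, partial RELRO."""
    e_type, phdrs = parse_program_headers(data)
    by_type = dict(phdrs)
    # No PT_GNU_STACK at all: the loader falls back to an executable stack
    stack_flags = by_type.get(PT_GNU_STACK, PF_R | PF_W | PF_X)
    return {
        "pie": e_type == ET_DYN,            # ET_DYN executables are position independent
        "nx": not bool(stack_flags & PF_X),
        "relro": PT_GNU_RELRO in by_type,   # partial RELRO only; full needs DT_BIND_NOW
    }


def checksec_file(path):
    with open(path, "rb") as f:
        return checksec(f.read())


def build_elf(e_type, stack_flags=PF_R | PF_W, relro=True):
    """Construct a header-only ELF64 image (x86-64) for testing; stack_flags=None omits PT_GNU_STACK."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack(EHDR_FMT, e_type, 62, 1, 0x1000,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(checksec_file(sys.argv[1]))
    else:
        print("hardened sample:", checksec(build_elf(ET_DYN)))
        print("legacy sample:  ", checksec(build_elf(ET_EXEC, stack_flags=PF_R | PF_W | PF_X, relro=False)))
```

Run it as `python3 checksec_min.py /path/to/service` on the binary behind a forking service; `pie: False` is the case where the BROP binary dump above needs no partial-overwrite guesswork, and `nx: False` is the configuration no modern toolchain should still produce.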