Stack Basics: General

Must Know

• The stack grows towards lower addresses, and at the end there are typically two instructions:

  1
  leave
  2
  ret

  • leave is equivalent to the following, which sets up RBP to pop off RIP:

  1
  mov rsp, rbp
  2
  pop rbp

  • ret pops the RIP off and the CPU jumps to return to wherever it was, roughly:

  1
  pop rip

• Calling conventions for x86 (required for 32 bit ROP w/parameters):

  • Arguments are passed on the stack, pushed right to left (last argument pushed first)
  • Push arguments starting with the last argument to the first argument

  1
  push ARG_C
  2
  push ARG_B
  3
  push ARG_A
  4
  call function

• Calling conventions for x86_64 (required for 64 bit ROP w/parameters):

  • Arguments 1-6 are passed via registers RDI, RSI, RDX, RCX, R8, R9 respectively
  • Arguments 7 and above are pushed on to the stack.

Helpful Diagrams

Relative addressing within a function to RBP:

1
[RBP+8]   → return address
2
[RBP]     → saved old RBP
3
[RBP-8]   → first local variable
4
[RBP-16]  → second local variable
5
...

Sample stack frame in memory:

1
0x7fffffffe0c8 : return address
2
0x7fffffffe0c0 : saved RBP
3
0x7fffffffe0b8 : local variable a
4
0x7fffffffe0b0 : local variable b
5
0x7fffffffe0a8 : local variable c
6
0x7fffffffe0a0 : local variable d
7
0x7fffffffe098 : RSP (bottom of frame)

Stack Frame for a Sample ROP Chain:

Helpful Resources

• pwntools cheatsheet
• Exploit Dev roadmap
• VR in the Real World part 2 and part 3
• x86_64 syscalls