08 - Return Oriented Programming, the chosen one
Alexandre Moneger
* Introduction to ROP
* Finding gadgets
* Chaining gadgets
* Stack pivoting
1. Return Oriented Programming
The chosen one
Alex Moneger, Security Engineer
2. Introduction
* ROP = Return Oriented Programming
* Uses the “ret” instruction to drive the execution flow
* Allows to bypass ASLR and DEP
* Relies on the fact that the .text section is at a fixed address
* Used in all modern exploits
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
3. Refresher
* Ret2libc uses function addresses at known locations
* Never executes code on the stack
* Problem: ASLR randomizes the addresses
* Any other fixed address candidates?
4. General concepts
5. Non-randomized addresses
Check the randomization again:
cisco@kali:~/src/seccon/ch8$ ./aslr
Stack base address: 0xbfcb9a74
Heap base address: 0x8cbd008
Memcpy libc address: 0xb76ad9a0
Code section address: 0x804857e
Data section address: 0x80498d0
RO data section address: 0x8048670
cisco@kali:~/src/seccon/ch8$ ./aslr
Stack base address: 0xbfd14d04
Heap base address: 0x85d7008
Memcpy libc address: 0xb76ce9a0
Code section address: 0x804857e
Data section address: 0x80498d0
RO data section address: 0x8048670
With ASLR enabled, .text is not randomized
6. Impact
* .text section is not randomized
* .data section is not randomized
* PLT is a fixed offset from .text
* GOT is at a fixed address, because it is in the same segment as .text
* Can we re-use any of this?
7. .text
* What can we do in .text?
* .text is the code section, so it contains instructions
* How can we re-use those instructions?
* Remember the pop;pop;ret construct from ret2libc?
* We can re-use any instructions with a trailing “ret”
* This lets us keep control of the execution stack
8. BoF is control of eip, ROP is control of esp
9. Visual flow
* I want to add 2 values together
* Then put that value at a memory address
* i.e.: 4 (eax) + 3 (ebx) = 7 (eax), then 0x1234 (mem) = 7 (eax)
Chain on the stack, in execution order (from the diagram): &pop;pop;ret, 4, 3, &add reg reg; ret, &pop;ret, 0x1234, &mov mem reg; ret
Gadgets used (from the diagram): pop reg; pop reg; ret / add; ret / pop reg; ret / mov; ret
10. Steps
1. Know what you want to achieve (hardest)
2. Have a vague low-level idea of how to do it
3. Find gadgets
4. Find a way to stitch them together
5. Debug
6. Exploit
11. Finding instructions
* Find all “ret”s in a program (“\xc3”)
* Disassemble backwards (pick a reasonable amount of instructions)
* The resulting set of instructions is referred to as “gadgets”
* That gives you a set you can play with
12. Finding instructions
1. Use objdump: suboptimal, requires the ret instruction to be semantically correct
2. Search for the “\xc3” opcode manually and disassemble back from there: lots of manual work
3. Use a proper tool. We’ll use a tool, for once ;)
13. Ropeme
* Ropeme disassembles backwards a number of instructions
* Allows you to search for gadgets using wildcards:
cisco@kali:~/src/seccon/ch8$ ropshell.py
Simple ROP interactive shell: [generate, load, search] gadgets
ROPeMe> generate ch6 4
Generating gadgets for ch6 with backward depth=4
It may take few minutes depends on the depth and file size...
Processing code block 1/1
Generated 93 gadgets
Dumping asm gadgets to file: ch6.ggt ... OK
ROPeMe> search add eax %
Searching for ROP gadget: add eax % with constraints: []
0x80482fcL: add eax 0x3ee8 ; add [eax+0x5b] bl ; leave ;;
0x80485f8L: add eax 0x83038745 ; add al 0x6e ;;
ROPeMe> search pop % -leave
Searching for ROP gadget: pop % with constraints: ['-leave']
0x8048528L: pop ebp ;;
0x8048495L: pop ebx ; pop edi ; pop ebp ;;
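An added example (not ROPeMe's code) of the method slides 11 to 13 describe: scan for every 0xc3 byte, disassemble backwards to a given depth, and search the gadgets with a “%” wildcard. The decoder knows only a handful of single-byte opcodes, the code buffer and its 0x08048000 base are constructed, and the constructed mov immediate shows why slide 12 calls objdump suboptimal: a linear sweep never reports the ret hidden inside it.

```python
import re

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# The single-byte opcodes this toy decoder knows; a real tool uses a full disassembler.
ONE_BYTE = {0x90: "nop", 0xc3: "ret", 0xc9: "leave"}
for i, r in enumerate(REGS):
    ONE_BYTE[0x50 + i] = "push " + r
    ONE_BYTE[0x58 + i] = "pop " + r

def linear_disassembly(code, base):
    """What an objdump-style linear sweep sees: one instruction after another
    from the start, so a 0xc3 inside an immediate is never reported as ret."""
    out, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if 0xb8 <= op <= 0xbf and pos + 5 <= len(code):       # mov r32, imm32
            imm = int.from_bytes(code[pos + 1:pos + 5], "little")
            out.append((base + pos, "mov %s 0x%x" % (REGS[op - 0xb8], imm)))
            pos += 5
        else:
            out.append((base + pos, ONE_BYTE.get(op, "db 0x%02x" % op)))
            pos += 1
    return out

def find_gadgets(code, base, depth):
    """Slide 11's method: locate each 0xc3, walk backwards up to `depth`
    instructions, and record every suffix that still ends in ret."""
    gadgets = {}
    for off, byte in enumerate(code):
        if byte != 0xc3:
            continue
        insns = ["ret"]
        for back in range(1, depth + 1):
            pos = off - back
            # stop at the start of the buffer, at an unknown opcode, or at an earlier ret
            if pos < 0 or code[pos] not in ONE_BYTE or code[pos] == 0xc3:
                break
            insns.insert(0, ONE_BYTE[code[pos]])
            gadgets[base + pos] = " ; ".join(insns)
    return gadgets

def search(gadgets, pattern, exclude=()):
    """ROPeMe-style search: '%' is a wildcard; `exclude` drops gadgets containing a mnemonic."""
    rx = re.compile(".*".join(re.escape(p) for p in pattern.split("%")) + "$")
    return sorted((addr, g) for addr, g in gadgets.items()
                  if rx.match(g) and not any(x in g for x in exclude))

# Constructed sample: a mov whose immediate hides pop/pop/pop/ret, a nop, then pop ecx ; ret.
BASE = 0x08048000   # placeholder load address for the constructed buffer
SAMPLE_CODE = bytes([0xb8, 0x58, 0x5d, 0x5b, 0xc3,   # mov eax, 0xc35b5d58
                     0x90,                            # nop
                     0x59, 0xc3])                     # pop ecx ; ret

if __name__ == "__main__":
    for addr, insn in linear_disassembly(SAMPLE_CODE, BASE):
        print("0x%08x: %s" % (addr, insn))
    for addr, g in search(find_gadgets(SAMPLE_CODE, BASE, 4), "pop %"):
        print("0x%08x: %s ;;" % (addr, g))
```

The linear view prints a single ret (the intended one at 0x08048007), while the byte scan also yields pop eax ; pop ebp ; pop ebx ; ret at 0x08048001, which lives inside the mov immediate.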
14. Useful gadgets
* pop reg => put a value in reg
* add [reg1] reg2 => add reg2 to the memory at the address in reg1
* mov [reg1] reg2 => move reg2 into the memory at the address in reg1
* call reg => call the address in reg
* jmp reg => jump to the address in reg
15. Put gadgets together
* Create high level gadgets, by putting low level gadgets together:
# Write value in eax to memory
0x8048502L: pop ebx ; pop ebp ;;
0x80484feL: add [ebx+0x5d5b04c4] eax ;;
# Load memory value into eax
0x8048502L: pop ebx ; pop ebp ;;
0x804875eL: add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop ebp ;;
# Load eax with a value
0x804dad5L: mov eax edi ; pop ebx ; pop esi ; pop edi ; pop ebp ;;
* It’s up to you to find meaningful gadgets to use
* Use those high level gadgets to build payloads
16. ROP flow
17. Stages
* A ROP exploit generally has multiple stages
1. Stage 0: Stabilize exploit
  * Take control of eip
  * Copy payload into fake frame
  * Dereference GOT
2. Stack pivot from stage 0 to stage 1
18. Stage 1
3. Stage 1:
  * Change memory permissions (optional)
  * Execute payload
  * Cleanup (optional)
19. Getting function addresses
20. GOT dereferencing
* Remember the GOT?
* Grab an arbitrary address from it
* Add the libc offset between it and the function you want
* Call it
* Or write it to mem, and call it later
21. Example
Example: find execve based on strcpy (0xb7ed8b70)
* &strcpy GOT = 0x08049fec
* &execve – &strcpy = 0x27b10
# Get the GOT address of strcpy (0x08049fec) into ebx
0x8052b9dL: pop ebx ; lea eax [edx+eax*8] ;;
# Move the content of GOT entry (&strcpy) into edx
0x8052b98L: mov edx [ebx] ; pop ebx ; lea eax [edx+eax*8] ;;
# Move delta between functions 0x27b10 into ecx
0x8060883L: pop ecx ;;
# Add &strcpy with offset = &execve!
0x8061ddaL: add edx ecx;;
Resulting chain on the stack (from the diagram, lowest address first): 0x8052b9d, 0x08049fec, 0x8052b98, 0x41414141, 0x8060883, 0x27b10, 0x8061dda
22. Calling the function
* Calling the dereferenced function (value in edx):
# Call register
0x804c244L: call edx ; leave ;;
* Writing the dereferenced function somewhere (i.e.: 0x12345678):
# Move address value (0x12345678) into eax
0x8058ae0L: pop eax ; pop ebx ;;
# Move edx to that address
0x8056579L: mov [eax] edx ;;
23. Copying payload
24. Stage 0
* 2 options:
  * Build shellcode from pieces of memory
  * Do multiple GOT dereferencing
* Both end up the same: build a fake stack frame to transfer control to
25. Copying shellcode
* Find individual shellcode bytes in memory
* Use a copy function (i.e.: strcpy) to copy bytes from memory to the fake stack frame
* Ropc can give you the memory addresses of shellcode bytes
cisco@kali:~/src/seccon/ch8$ ropc -s "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80" -f ch8
0x00000000 -> "\x6a" (NOT FOUND)
0x080485b4 -> "\x0b"
0x080480f8 -> "\x58"
0x08048378 -> "\x99"
0x0804836a -> "\x52"
26. Building payload
* Identify the fake stack
* Find the addresses of the functions you’re interested in
* Copy function addresses to the fake stack
* Copy arguments to the fake stack
* Stack pivot to the new stack
27. Stack pivoting
28. Stack pivoting
* Build a fake stack in memory with your payload
* Move to it to start execution of the payload
* Called stack pivoting, because you lead the execution flow to your own stack
29. How to do it?
* You need a way to control the stack pointer
* Esp needs to be controlled, and redirected
* Useful gadgets:
# Eax contains the value of your new frame
0x8055c61L: xchg esp eax ;;
# leave = mov esp, ebp; pop ebp; Control ebp = control esp
0x8049844L: leave ;;
30. What it looks like
Diagram of the two stacks (only the labels survive extraction):
* Stage 0 “copying” stack, esp = 0x08048a00: the GOT-dereference chain (0x8052b9d, 0x08049fec, 0x8052b98, 0x41414141, 0x8060883, 0x27b10, 0x8061dda), followed by the “copy data” steps, then 0x12345678 – 0x4 and leave; ret
* Stage 1 “payload” stack, esp = 0x12345678
31. That’s it!
32. Exercise time!
* Find what protections are active on ch8
* No source, but I left symbols ;)
* Reverse it
* Find the vulnerability
* Exploit it
* You probably won’t finish this today, but keep chewing on it ;)