Download as PDF, PPTX
![Call a function
Observe normal function call
strcpy(Destination,Source);
.....
mov DWORD PTR [esp+0x4],0x804a020
mov DWORD PTR [esp],0x804a035
call 80482f0 <strcpy@plt>
.....
Source address: 0x804a020
Destination address: 0x804a035
……
ESP
system stack 18](https://image.slidesharecdn.com/rop-180717132559/75/ROP-18-2048.jpg)
![Call a function
Observe normal function call
strcpy(Destination,Source);
.....
mov DWORD PTR [esp+0x4],0x804a020
mov DWORD PTR [esp],0x804a035
call 80482f0 <strcpy@plt>
.....
Source address: 0x804a020
Destination address: 0x804a035
source address
……
ESP
system stack 19](https://image.slidesharecdn.com/rop-180717132559/75/ROP-19-2048.jpg)
![Call a function
Observe normal function call
strcpy(Destination,Source);
.....
mov DWORD PTR [esp+0x4],0x804a020
mov DWORD PTR [esp],0x804a035
call 80482f0 <strcpy@plt>
.....
Source address: 0x804a020
Destination address: 0x804a035
destination address
source address
……
ESP
system stack 20](https://image.slidesharecdn.com/rop-180717132559/75/ROP-20-2048.jpg)
![Call a function
Observe normal function call
strcpy(Destination,Source);
.....
mov DWORD PTR [esp+0x4],0x804a020
mov DWORD PTR [esp],0x804a035
call 80482f0 <strcpy@plt>
.....
Source address: 0x804a020
Destination address: 0x804a035
return address
destination address
source address
……
ESP
system stack 21](https://image.slidesharecdn.com/rop-180717132559/75/ROP-21-2048.jpg)
Uploaded byJian-Yu Li
ROP
This document discusses return oriented programming (ROP) as a technique for exploiting buffer overflows. It explains that on x86, the return address is stored on the stack, so by overflowing a buffer an attacker can control program flow. It then describes different ROP techniques like calling library functions or using "gadgets" that end in return to chain together snippets of code to achieve objectives like executing a shell.
![Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]](https://cdn.slidesharecdn.com/ss_thumbnails/ilfak-keynote-180312223906-thumbnail.jpg?width=640&height=640&fit=bounds)
![[FT-11][suhorng] “Poor Man's” Undergraduate Compilers](https://cdn.slidesharecdn.com/ss_thumbnails/poormansundergraduatecompilers-140421081114-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
ROP
- 1.
- 2. whoami 2 • briansp8210 • 交通大學資工系大二 •喜歡學習 pwn 題的相關技巧 XD
- 3. Review 3 When aprogram use some dangerous input method like gets() or scanf(“%s”, buf) …, buffer overflow may happen ! By x86 calling convention, return address is stored at EBP+4, padding proper length then we can control the program ! reference
- 4. After buffer overflow movesp, ebp pop ebp ret Function Epilogue : AAAA AAAA AAAA Target_Address …… EBP EBP+4 EBP-8 EBP+8 EBP-4 …… ESP 4 這份投影片裡用黃字標示的指令代表剛跑 完這條指令,準備去跑下一條了。
- 5. After buffer overflow movesp, ebp pop ebp ret Function Epilogue : AAAA AAAA AAAA Target_Address …… EBP EBP+4 EBP-8 EBP+8 EBP-4 …… ESP 5
- 6. After buffer overflow movesp, ebp pop ebp ret Function Epilogue : AAAA AAAA AAAA Target_Address …… 0x41414141 EBP …… ESP 6
- 7. After buffer overflow movesp, ebp pop ebp ret Function Epilogue : AAAA AAAA AAAA Target_Address …… 0x41414141 EBP …… Target_Address EIP ESP 7
- 8. What is thenext step ? ret2text Return to shellcode Return to libc ROP 8
- 9. What is thenext step ? ret2text Return to shellcode ret2libc ROP 9
- 10. ret2text When PIE(Position Independent Executable) is not enable, text segment will be fixed. Use desirable program code to do exploit ! 10
- 11.
- 12. What is thenext step ? ret2text Return to shellcode ret2libc ROP 12
- 13. Return to shellcode When NX(No-eXecute) is disabled, data section is executable. We can send shellcode to it and return to the buffer’s address to run our shellcode. We can both write and execute here ! 13
- 14.
- 15. Return to shellcode AAAA AAAA AAAA buf2 …… …… ESP …… …… 0x4141cd80 0x41414141 …… 0x2f68686a buf2 system stackdata buffer 15
- 16. Return to shellcode AAAA AAAA AAAA buf2 …… …… EIP …… …… 0x4141cd80 0x41414141 …… 0x2f68686a buf2 system stackdata buffer ESP Begin to run our shellcode !! 16
- 17. What is thenext step ? ret2text Return to shellcode ret2libc ROP 17
- 18. Call a function Observe normal function call strcpy(Destination,Source); ..... mov DWORD PTR [esp+0x4],0x804a020 mov DWORD PTR [esp],0x804a035 call 80482f0 <strcpy@plt> ..... Source address: 0x804a020 Destination address: 0x804a035 …… ESP system stack 18
- 19. Call a function Observe normal function call strcpy(Destination,Source); ..... mov DWORD PTR [esp+0x4],0x804a020 mov DWORD PTR [esp],0x804a035 call 80482f0 <strcpy@plt> ..... Source address: 0x804a020 Destination address: 0x804a035 source address …… ESP system stack 19
- 20. Call a function Observe normal function call strcpy(Destination,Source); ..... mov DWORD PTR [esp+0x4],0x804a020 mov DWORD PTR [esp],0x804a035 call 80482f0 <strcpy@plt> ..... Source address: 0x804a020 Destination address: 0x804a035 destination address source address …… ESP system stack 20
- 21. Call a function Observe normal function call strcpy(Destination,Source); ..... mov DWORD PTR [esp+0x4],0x804a020 mov DWORD PTR [esp],0x804a035 call 80482f0 <strcpy@plt> ..... Source address: 0x804a020 Destination address: 0x804a035 return address destination address source address …… ESP system stack 21
- 22. ret2libc When callinga function, there will be some needed information on stack. If we know a function’s address, we can fake a function call by return to the function with proper value on stack. function address return address argument1 argument2 …… The function you want to return to Where to go after this fake function call First argument for this function Second argument for this function 22
- 23. fake a functioncall Put needed value on stack when buffer overflow . After returning to the function, it can fetch right data from right position, just like a normal function call ! return address …… …… …… 23
- 24. system() return address after system()return address of “/bin/sh” …… AAAA fake a function call Put needed value on stack when buffer overflow . After returning to the function, it can fetch right data from right position, just like a normal function call ! buffer overflow !! 24
- 25. system() return address after system()return address of “/bin/sh” …… AAAA fake a function call Put needed value on stack when buffer overflow . After returning to the function, it can fetch right data from right position, just like a normal function call ! ESP …… leave ret …… 25
- 26. system() return address after system()return address of “/bin/sh” …… AAAA fake a function call Put needed value on stack when buffer overflow . After returning to the function, it can fetch right data from right position, just like a normal function call ! ESP …… leave ret …… 26
- 27.
- 28.
- 29. gets() pop_ebx_ret buf2 system() AAAA return address after system()return buf2 ret2libc ESP …… leave ret 29
- 30. gets() pop_ebx_ret buf2 system() AAAA return address after system()return buf2 ret2libc ESP …… leave ret 30 pop ebx ret
- 31. gets() pop_ebx_ret buf2 system() AAAA return address after system()return buf2 ret2libc ESP …… leave ret 31 pop ebx ret
- 32. gets() pop_ebx_ret buf2 system() AAAA return address after system()return buf2 ret2libc ESP …… leave ret 32 pop ebx ret
- 33. ASLR and libcaddress With ASLR, the base address of libc is randomized each time we execute a program . We can’t predict the function’s address we want to use and return to it, except those used by this program . 33
- 34. How to findfunctions’ offset The offset of a function in a libc will be fixed . Function’s address will be libc base + function’s offset . readelf or pwntools can help you find the offset ! 34 readelf –s file_name
- 35. How to findlibc’s base address For those dynamically linked program, when a function is called once, its address in libc will be written to its GOT entry . 35 file file_name objdump –d file_name <strcpy@got.plt> , this entry will store : next instruction in <strcpy@plt> if strcpy haven’t been called yet . strcpy()’s address in libc ! if strcpy have been called .
- 36. How to findlibc’s base address For those dynamically linked program, when a function is called once, its address in libc will be written to its GOT entry . 36 file file_name objdump –d file_name <strcpy@got.plt> , this entry will store : next instruction in <strcpy@plt> if strcpy haven’t been called yet . strcpy()’s address in libc ! if strcpy have been called .
- 37. How to findlibc’s base address We can use puts to leak a function’s address store in GOT entry . Subtract this function’s offset in libc from the leaked address, we can get libc’s base address ! Then we can know each function’s address : libc base + function’s offsets 37
- 38.
- 39. What is thenext step ? ret2text Return to shellcode ret2libc ROP 39
- 40. ROP Try touse gadgets, some machine instruction sequences which end with ret, to achieve our goal . For example, this is a gadget comes from <__libc_csu_init> 40
- 41.
- 42.
- 43.
- 44.
- 45.
- 46. ROP gadget1 gadget2 0xdeadbeef gadget3 AAAA …… ESP …… pop eax …… ret EIP Now eax == 0xdeadbeef 46
- 47.
- 48. Find available gadgets ROPgadget can help you find gadgets . Usage: ROPgadget --binary file_name ROPgadget --binary file_name --opcode opcode 48
- 49.
- 50. Reference ROP Mechanismspreventing buffer overflow pwntools packing and unpacking of strings ROPgadget Linux syscall reference 50
- 51. Practice train.cs.nctu.edu.tw ret2libc ROP secprog.cs.nctu.edu.tw 10/21 practice BOF1 10/21 practice BOF2 10/21 practice BOF3 11/4 practice BOF4 11/4 practice BOF6 51