SlideShare uma empresa Scribd logo

An introduction to ROP

Saumil Shah
Saumil Shah

Slides from my workshop at Hack.LU 2010 in Luxembourg. This workshop introduced the basic concepts of Return Oriented Programming with some hands-on exercises.

TecnologiaEducação
1 de 55
net-square Introduction to ROP a first look at return oriented programming Saumil Shah, Net-Square Hack.LU 2010 - Luxembourg
net-square Introduction • DEP • EIP control • Ret2LibC • Return Oriented Programming
net-square DEP • Hardware enforced (NX). • Data areas marked non-executable. – Stack marked non-executable. – Heap marked non-executable. • You can load your shellcode in the stack or the heap... • ...but you can't jump to it.
net-square EIP control • Stack - forbidden • Heap - forbidden • Binary - OK • DLLs - OK Program Image Heap Stack DLL DLL DLL
net-square Ret2LibC • Return to LibC. • Pioneered by Solar Designer in 1997. • EIP made to "return to a function". • Need control of the stack memory. – We usually have it.
net-square Ret2LibC - how does it work? • Create a fake frame on the stack. • After an overflowed function returns... • ...set the EIP return address to the new function. • Append the fake frame. • New function executes. – parameters consumed from the fake frame. • system("/bin/sh")
net-square Return Oriented Programming • Series of function returns. • Chained frames. • Transform EIP based primitives into stubs that can be "returned into". • ESP is the new EIP!
net-square Topics • Function calls and returns • Stack overflows revisited • Creating stack frames • Chaining frames • ESP control
net-square Calling a function • Add two ints x, y. • add(3,4) • What does the calling frame look like? void add(int x, int y) { int sum; sum = x + y; printf("%dn", sum); } int main() { add(3, 4); }
net-square Stack frame for add(3,4) frame for add() return address from add() 3 4 call add
net-square Return from add(3,4) • add() is about to return. • RET after epilogue of add(). • Where does ESP point to? – immediately before the RET • What does the stack look like?
net-square Before the RET return address from add() 3 4 ESP
net-square Another function • Stack overflow in func1. • Can we call add(5, 6) after returning from func1? void func1(char *s) { char buffer[128]; strcpy(buffer, s); } int main() { func1(argv[1]); }
net-square Stack frame for func1() buffer return address from func1 s
net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA
net-square Before the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA ESP
net-square After the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA EIP = 0x41414141 ESP
net-square Return to add() • Insert a fake frame in the buffer. • Make func1() return to: add(01010101, 02020202) • What does the stack frame look like?
net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202
net-square Before func1() returns buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP
net-square Return to add() buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP EIP = add()
net-square Return to add() • By carefully creating a frame... • ...we can make the program "return to our function". • We control the parameters. • We also control where to jump to after our function returns.
net-square victim2.c int main(int argc, char *argv[]) { add(3, 4); func1(argv[1]); } void func1(char *s) { char buffer[128]; strcpy(buffer, s); } void print_hello(void) { printf("Hello Worldn"); } void add(int x, int y) { int sum; sum = x + y; printf("%d + %d = %dn", x, y, sum); } stack overflow lurks here!
net-square victim2.c • Compile victim2.c • Run victim2 under a debugger • Study the stack frame before add(3, 4) gcc victim2.c -o victim2 gdb victim2
net-square gdb'ing add • Set a breakpoint before add(3, 4) 0x804836c <main>: push %ebp 0x804836d <main+1>: mov %esp,%ebp 0x804836f <main+3>: sub $0x8,%esp 0x8048372 <main+6>: and $0xfffffff0,%esp 0x8048375 <main+9>: mov $0x0,%eax 0x804837a <main+14>: sub %eax,%esp 0x804837c <main+16>: sub $0x8,%esp 0x804837f <main+19>: push $0x4 0x8048381 <main+21>: push $0x3 0x8048383 <main+23>: call 0x80483de <add> 0x8048388 <main+28>: add $0x10,%esp 0x804838b <main+31>: cmpl $0x1,0x8(%ebp)
net-square Stack frame before add(3, 4) • Dump the stack • Continue (gdb) x/64 $esp 0xbffff8ac: 0x08048388 0x00000003 0x00000004 0xbffff8c8 0xbffff8bc: 0x0804841c 0x40148f50 0x40012780 0xbffff8e8 0x08048388 3 4
net-square Overflowing func1() • Overflow func1 and... ...return to add(01010101, 02020202) • Create a fake frame. • Overwrite stack. • frame1.pl return from func1 param1 param2 return from add 0x080483de 0x01010101 0x02020202 0x42424242
net-square frame1.pl • Creates the overflow buffer as follows: • Set this in an environment variable EGG and run victim2 with $EGG: 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 distance to EIP address of add return from add param1 param2 export EGG=`./frame1.pl` gdb victim2 (gdb) run $EGG
net-square ESP • Where will ESP be after returning from add? • Verify 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 (gdb) x/64 $esp 0xbffff824: 0x01010101 0x02020202 0x08048400 0x40148f50 0xbffff834: 0x40012780 0xbffff858 0x4002e7f7 0x00000002 ESP
net-square Chaining functions • After add(01010101, 02020202), we want to run add(03030303, 04040404). • How should we set up the frames? • First, study the frame after add() returns.
net-square After add() returns AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 ESP EIP = 42424242
net-square Where does the new frame go? AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 address of add ?? 03030303 04040404
net-square Where does the new frame go? • We get only ONE chance at strcpy. • How do we preserve params 01010101 and 02020202? • We can only APPEND the second frame below our first frame. • We have to UNWIND the first frame before returning to the second frame. • Return to epilogue!
net-square Chaining the frames AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 add(01010101, 02020202) add(03030303, 04040404)
net-square Keeping ESP in control AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 Return from func1 Return to add() Return to POP/POP/RET POP POP ESP RET - Return to add() Finally EIP = 0x42424242
net-square frame2.pl • Creates the overflow buffer as follows: 080483deAAAAAA...140...AAAAAA 0804843d 01010101 02020202 distance to EIP address of add POP/POP /RET param1 param2 080483de 42424242 03030303 04040404 address of add return from add param1 param2 Use msfelfscan to find the address of POP/POP/RET from victim2 binary.
net-square frame2.pl • Set this in an environment variable EGG and run victim2 with $EGG: export EGG=`./frame2.pl` gdb victim2 (gdb) run $EGG Starting program: /home/user0/victim2 $EGG 3 + 4 = 7 1010101 + 2020202 = 3030303 3030303 + 4040404 = 7070707 Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? ()
net-square It's all about ESP! • ESP is the new EIP. • ROP involves keeping the ESP moving through the frames on the stack. • Frames can be chained by returning to epilogues of functions. – to appropriately unwind the parameters pushed on the stack. • We must never lose sight of RET.
net-square ROP frames - generic approach f1(A, B) f2(X) f1(C, D) f3(P, Q, R, S) f2(Y) : : & f1() & POP/POP/RET A B & f2() & POP/RET X & f3() & POPAD/RET P Q R & f1() & POP/POP/RET C D junk junk junk & f2() & POP/RET Y S
net-square Topics • Transforming classic EIP code to ROP • ROP vs. classic programming • Thinking in ROP terms • Assembling frames • Gadgets • Searching for gadgets • Generic techniques
net-square EIP vs. ESP Classic EIP code • N ops = N instructions. • EIP increments. • ESP fluctuates. • The CPU increments EIP automatically. ROP code • N ops = N frames. • ESP increments. • EIP fluctuates. • We have to control ESP through RET instructions.
net-square Transform EIP code to ROP • Load two registers • Call a function – with params 3,4 • How does this translate in ROP terms? mov eax, 14 mov ecx, 02500000 push 3 push 4 call 77fe3210
net-square Thinking in ROP terms ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 ESP Put 14 in the next stack word, and POP it into EAX. RET function body epilogue prologue vulnerable function EIP mov eax, 14 RET POP EAX POP EBX functionX 700344fe 700344fd 700344ff
net-square Thinking in ROP terms 700344fe AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14ESP RET function body epilogue prologue vulnerable function EIP Jump to address of "POP EAX; RET". Search function epilogues. RET POP EAX POP EBX functionX mov eax, 14
net-square Thinking in ROP terms 700344fe ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ESP RET function body epilogue prologue vulnerable function EIP Place 02500000 as the next stack word, to be loaded into ECX. RET POP EAX POP EBX functionX eax = 00000014 mov ecx, 02500000
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 RET function body epilogue prologue vulnerable function We now need an address of a "POP ECX; RET" sequence. RET POP EAX POP EBX functionX RET POP ECX functionY ESP EIP eax = 00000014 mov ecx, 02500000 6d894430 6d894431
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000ESP RET function body epilogue prologue vulnerable function 02500000 is popped into ECX. RET POP EAX POP EBX functionX EIP RET POP ECX functionY eax = 00000014 mov ecx, 02500000
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ??ESP RET function body epilogue prologue vulnerable function We now need to call a function at 77fe3210, with parameters 3, 4 RET POP EAX POP EBX functionX EIP RET POP ECX functionY push 3; push 4; call 77fe3210 eax = 00000014 ecx = 02500000
net-square Gadget Dictionary POP EAX; RET Load value into register value POP ECX; RET Read memory at address address ADD EAX,n; RET Add MOV EAX,[ECX]; RET POP EAX; RET Write value at address address POP ECX; RET value MOV [EAX],ECX; RET INC EAX; RET Increment address of function Call a function param cleanup param 1 param 2 RET NOP param N POP; POP ... RET ADD ESP,24; RET POPAD; RET POP EAX; RET Call a function pointer address CALL [EAX]; RET XCHG EAX,ESP; RET Stack flip ESP=EAX LEAVE; RET Stack flip ESP=EBP POP ESP; RET Stack flip ESP=addr address
net-square Instruction Opcodes Instruction Opcodes RET C3 RET n C2 16bits POP EAX 58 POP ECX 59 MOV EAX,[ECX] 8B 01 MOV [EAX],ECX 89 08 MOV [ECX],EAX 89 01 INC EAX 40 ADD EAX, n 83 C0 8bits
net-square Instruction Opcodes Instruction Opcodes POP EBX/EDX/ESI/EDI/EBP 5B/5A/5E/5F/5D POPAD 61 ADD ESP,24 83 C4 18 CALL [EAX] FF 10 XCHG EAX,ESP 94 LEAVE C9 (mov esp,ebp; pop ebp) POP ESP 5C
net-square Searching for Gadgets • Use msfpescan's regex search. • Example: MOV EAX,[ECX]; RET msfpescan -D -r 'x8Bx01xC3' <file> msfpescan -D -r 'x8Bx01xC2.x00' <file> msfpescan -D -r 'x8Bx01.xC3' <file> msfpescan -D -r 'x8Bx01..xC3' <file> • Sometimes you may need to improvise.
net-square Generic Techniques • Run arbitrary shellcode. • Difficult to transform entire shellcode to ROP frames. • Create a ROP loader: – Allocate RWX memory – Copy classic shellcode to this memory – Jump to shellcode • Load and run any shellcode.
net-square DEMO TIME! • Java JNLP docbase overflow • Exploiting IE8 using ROP
net-square KTHXBAI! saumil@net-square.com linked-in: saumilshah no LOLcats were harmed in preparation of these slides

Recomendados

Stack pivot
Stack pivotStack pivot
Stack pivotsounakano
 
x86とコンテキストスイッチ
x86とコンテキストスイッチx86とコンテキストスイッチ
x86とコンテキストスイッチMasami Ichikawa
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Portacle : Common Lispのオールインワン開発環境
Portacle : Common Lispのオールインワン開発環境Portacle : Common Lispのオールインワン開発環境
Portacle : Common Lispのオールインワン開発環境Satoshi imai
 
LLVM最適化のこつ
LLVM最適化のこつLLVM最適化のこつ
LLVM最適化のこつMITSUNARI Shigeo
 
静的型つき組版処理システムSATySFi @第61回プログラミング・シンポジウム
静的型つき組版処理システムSATySFi @第61回プログラミング・シンポジウム静的型つき組版処理システムSATySFi @第61回プログラミング・シンポジウム
静的型つき組版処理システムSATySFi @第61回プログラミング・シンポジウムT. Suwa
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
20分くらいでわかった気分になれるC++20コルーチン
20分くらいでわかった気分になれるC++20コルーチン20分くらいでわかった気分になれるC++20コルーチン
20分くらいでわかった気分になれるC++20コルーチンyohhoy
 

Recomendados

Stack pivot
Stack pivotStack pivot
Stack pivotsounakano
 
x86とコンテキストスイッチ
x86とコンテキストスイッチx86とコンテキストスイッチ
x86とコンテキストスイッチMasami Ichikawa
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Portacle : Common Lispのオールインワン開発環境
Portacle : Common Lispのオールインワン開発環境Portacle : Common Lispのオールインワン開発環境
Portacle : Common Lispのオールインワン開発環境Satoshi imai
 
LLVM最適化のこつ
LLVM最適化のこつLLVM最適化のこつ
LLVM最適化のこつMITSUNARI Shigeo
 
静的型つき組版処理システムSATySFi @第61回プログラミング・シンポジウム
静的型つき組版処理システムSATySFi @第61回プログラミング・シンポジウム静的型つき組版処理システムSATySFi @第61回プログラミング・シンポジウム
静的型つき組版処理システムSATySFi @第61回プログラミング・シンポジウムT. Suwa
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
20分くらいでわかった気分になれるC++20コルーチン
20分くらいでわかった気分になれるC++20コルーチン20分くらいでわかった気分になれるC++20コルーチン
20分くらいでわかった気分になれるC++20コルーチンyohhoy
 
ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
シェル芸初心者によるシェル芸入門
シェル芸初心者によるシェル芸入門シェル芸初心者によるシェル芸入門
シェル芸初心者によるシェル芸入門icchy
 
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.kiki utagawa
 
C++ Coroutines
C++ CoroutinesC++ Coroutines
C++ CoroutinesSumant Tambe
 
Javaバイトコード入門
Javaバイトコード入門Javaバイトコード入門
Javaバイトコード入門Kota Mizushima
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
ラズパイでデバイスドライバを作ってみた。
ラズパイでデバイスドライバを作ってみた。ラズパイでデバイスドライバを作ってみた。
ラズパイでデバイスドライバを作ってみた。Kazuki Onishi
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
VTI の中身
VTI の中身VTI の中身
VTI の中身Masakazu Asama
 
SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更T. Suwa
 
JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013Vladimir Ivanov
 
Binary indexed tree
Binary indexed treeBinary indexed tree
Binary indexed treeHCPC: 北海道大学競技プログラミングサークル
 
TMUX Rocks!
TMUX Rocks!TMUX Rocks!
TMUX Rocks!Kent Chen
 
Map
MapMap
Mapkikairoya
 
Gstreamer Basics
Gstreamer BasicsGstreamer Basics
Gstreamer BasicsSeiji Hiraki
 
katagaitai CTF勉強会 #3 crypto
katagaitai CTF勉強会 #3 cryptokatagaitai CTF勉強会 #3 crypto
katagaitai CTF勉強会 #3 cryptotrmr
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internalMotohiro KOSAKI
 
llvm入門
llvm入門llvm入門
llvm入門MITSUNARI Shigeo
 
Spi drivers
Spi driversSpi drivers
Spi driverspradeep_tewani
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 

Mais conteúdo relacionado

Mais procurados

ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談hackstuff
 
シェル芸初心者によるシェル芸入門
シェル芸初心者によるシェル芸入門シェル芸初心者によるシェル芸入門
シェル芸初心者によるシェル芸入門icchy
 
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.kiki utagawa
 
Javaバイトコード入門
Javaバイトコード入門Javaバイトコード入門
Javaバイトコード入門Kota Mizushima
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
ラズパイでデバイスドライバを作ってみた。
ラズパイでデバイスドライバを作ってみた。ラズパイでデバイスドライバを作ってみた。
ラズパイでデバイスドライバを作ってみた。Kazuki Onishi
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更T. Suwa
 
JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013Vladimir Ivanov
 
katagaitai CTF勉強会 #3 crypto
katagaitai CTF勉強会 #3 cryptokatagaitai CTF勉強会 #3 crypto
katagaitai CTF勉強会 #3 cryptotrmr
 

Mais procurados (20)

ROP 輕鬆談
ROP 輕鬆談ROP 輕鬆談
ROP 輕鬆談
 
シェル芸初心者によるシェル芸入門
シェル芸初心者によるシェル芸入門シェル芸初心者によるシェル芸入門
シェル芸初心者によるシェル芸入門
 
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
Pythonの処理系はどのように実装され,どのように動いているのか? 我々はその実態を調査すべくアマゾンへと飛んだ.
 
C++ Coroutines
C++ CoroutinesC++ Coroutines
C++ Coroutines
 
Javaバイトコード入門
Javaバイトコード入門Javaバイトコード入門
Javaバイトコード入門
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3
 
ラズパイでデバイスドライバを作ってみた。
ラズパイでデバイスドライバを作ってみた。ラズパイでデバイスドライバを作ってみた。
ラズパイでデバイスドライバを作ってみた。
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
VTI の中身
VTI の中身VTI の中身
VTI の中身
 
SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更SATySFi 最近の発展と目下実装中の変更
SATySFi 最近の発展と目下実装中の変更
 
JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013JVM JIT-compiler overview @ JavaOne Moscow 2013
JVM JIT-compiler overview @ JavaOne Moscow 2013
 
Binary indexed tree
Binary indexed treeBinary indexed tree
Binary indexed tree
 
TMUX Rocks!
TMUX Rocks!TMUX Rocks!
TMUX Rocks!
 
Map
MapMap
Map
 
Gstreamer Basics
Gstreamer BasicsGstreamer Basics
Gstreamer Basics
 
katagaitai CTF勉強会 #3 crypto
katagaitai CTF勉強会 #3 cryptokatagaitai CTF勉強会 #3 crypto
katagaitai CTF勉強会 #3 crypto
 
Glibc malloc internal
Glibc malloc internalGlibc malloc internal
Glibc malloc internal
 
llvm入門
llvm入門llvm入門
llvm入門
 
Spi drivers
Spi driversSpi drivers
Spi drivers
 

Semelhante a An introduction to ROP

Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkmarkdgray
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimonSisimon Soman
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great AgainSaumil Shah
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdfhasan58964
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 

Semelhante a An introduction to ROP (20)

Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdk
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
netLec2.pdf
netLec2.pdfnetLec2.pdf
netLec2.pdf
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimon
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great Again
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdf
 
test
testtest
test
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 

Mais de Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

Mais de Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Último

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Último (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

An introduction to ROP

  • 1. net-square Introduction to ROP a first look at return oriented programming Saumil Shah, Net-Square Hack.LU 2010 - Luxembourg
  • 2. net-square Introduction • DEP • EIP control • Ret2LibC • Return Oriented Programming
  • 3. net-square DEP • Hardware enforced (NX). • Data areas marked non-executable. – Stack marked non-executable. – Heap marked non-executable. • You can load your shellcode in the stack or the heap... • ...but you can't jump to it.
  • 4. net-square EIP control • Stack - forbidden • Heap - forbidden • Binary - OK • DLLs - OK Program Image Heap Stack DLL DLL DLL
  • 5. net-square Ret2LibC • Return to LibC. • Pioneered by Solar Designer in 1997. • EIP made to "return to a function". • Need control of the stack memory. – We usually have it.
  • 6. net-square Ret2LibC - how does it work? • Create a fake frame on the stack. • After an overflowed function returns... • ...set the EIP return address to the new function. • Append the fake frame. • New function executes. – parameters consumed from the fake frame. • system("/bin/sh")
  • 7. net-square Return Oriented Programming • Series of function returns. • Chained frames. • Transform EIP based primitives into stubs that can be "returned into". • ESP is the new EIP!
  • 8. net-square Topics • Function calls and returns • Stack overflows revisited • Creating stack frames • Chaining frames • ESP control
  • 9. net-square Calling a function • Add two ints x, y. • add(3,4) • What does the calling frame look like? void add(int x, int y) { int sum; sum = x + y; printf("%dn", sum); } int main() { add(3, 4); }
  • 10. net-square Stack frame for add(3,4) frame for add() return address from add() 3 4 call add
  • 11. net-square Return from add(3,4) • add() is about to return. • RET after epilogue of add(). • Where does ESP point to? – immediately before the RET • What does the stack look like?
  • 12. net-square Before the RET return address from add() 3 4 ESP
  • 13. net-square Another function • Stack overflow in func1. • Can we call add(5, 6) after returning from func1? void func1(char *s) { char buffer[128]; strcpy(buffer, s); } int main() { func1(argv[1]); }
  • 14. net-square Stack frame for func1() buffer return address from func1 s
  • 15. net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA
  • 16. net-square Before the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA ESP
  • 17. net-square After the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA EIP = 0x41414141 ESP
  • 18. net-square Return to add() • Insert a fake frame in the buffer. • Make func1() return to: add(01010101, 02020202) • What does the stack frame look like?
  • 19. net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202
  • 20. net-square Before func1() returns buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP
  • 21. net-square Return to add() buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP EIP = add()
  • 22. net-square Return to add() • By carefully creating a frame... • ...we can make the program "return to our function". • We control the parameters. • We also control where to jump to after our function returns.
  • 23. net-square victim2.c int main(int argc, char *argv[]) { add(3, 4); func1(argv[1]); } void func1(char *s) { char buffer[128]; strcpy(buffer, s); } void print_hello(void) { printf("Hello Worldn"); } void add(int x, int y) { int sum; sum = x + y; printf("%d + %d = %dn", x, y, sum); } stack overflow lurks here!
  • 24. net-square victim2.c • Compile victim2.c • Run victim2 under a debugger • Study the stack frame before add(3, 4) gcc victim2.c -o victim2 gdb victim2
  • 25. net-square gdb'ing add • Set a breakpoint before add(3, 4) 0x804836c <main>: push %ebp 0x804836d <main+1>: mov %esp,%ebp 0x804836f <main+3>: sub $0x8,%esp 0x8048372 <main+6>: and $0xfffffff0,%esp 0x8048375 <main+9>: mov $0x0,%eax 0x804837a <main+14>: sub %eax,%esp 0x804837c <main+16>: sub $0x8,%esp 0x804837f <main+19>: push $0x4 0x8048381 <main+21>: push $0x3 0x8048383 <main+23>: call 0x80483de <add> 0x8048388 <main+28>: add $0x10,%esp 0x804838b <main+31>: cmpl $0x1,0x8(%ebp)
  • 26. net-square Stack frame before add(3, 4) • Dump the stack • Continue (gdb) x/64 $esp 0xbffff8ac: 0x08048388 0x00000003 0x00000004 0xbffff8c8 0xbffff8bc: 0x0804841c 0x40148f50 0x40012780 0xbffff8e8 0x08048388 3 4
  • 27. net-square Overflowing func1() • Overflow func1 and... ...return to add(01010101, 02020202) • Create a fake frame. • Overwrite stack. • frame1.pl return from func1 param1 param2 return from add 0x080483de 0x01010101 0x02020202 0x42424242
  • 28. net-square frame1.pl • Creates the overflow buffer as follows: • Set this in an environment variable EGG and run victim2 with $EGG: 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 distance to EIP address of add return from add param1 param2 export EGG=`./frame1.pl` gdb victim2 (gdb) run $EGG
  • 29. net-square ESP • Where will ESP be after returning from add? • Verify 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 (gdb) x/64 $esp 0xbffff824: 0x01010101 0x02020202 0x08048400 0x40148f50 0xbffff834: 0x40012780 0xbffff858 0x4002e7f7 0x00000002 ESP
  • 30. net-square Chaining functions • After add(01010101, 02020202), we want to run add(03030303, 04040404). • How should we set up the frames? • First, study the frame after add() returns.
  • 32. net-square Where does the new frame go? AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 address of add ?? 03030303 04040404
  • 33. net-square Where does the new frame go? • We get only ONE chance at strcpy. • How do we preserve params 01010101 and 02020202? • We can only APPEND the second frame below our first frame. • We have to UNWIND the first frame before returning to the second frame. • Return to epilogue!
  • 34. net-square Chaining the frames AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 add(01010101, 02020202) add(03030303, 04040404)
  • 35. net-square Keeping ESP in control AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 Return from func1 Return to add() Return to POP/POP/RET POP POP ESP RET - Return to add() Finally EIP = 0x42424242
  • 36. net-square frame2.pl • Creates the overflow buffer as follows: 080483deAAAAAA...140...AAAAAA 0804843d 01010101 02020202 distance to EIP address of add POP/POP /RET param1 param2 080483de 42424242 03030303 04040404 address of add return from add param1 param2 Use msfelfscan to find the address of POP/POP/RET from victim2 binary.
  • 37. net-square frame2.pl • Set this in an environment variable EGG and run victim2 with $EGG: export EGG=`./frame2.pl` gdb victim2 (gdb) run $EGG Starting program: /home/user0/victim2 $EGG 3 + 4 = 7 1010101 + 2020202 = 3030303 3030303 + 4040404 = 7070707 Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? ()
  • 38. net-square It's all about ESP! • ESP is the new EIP. • ROP involves keeping the ESP moving through the frames on the stack. • Frames can be chained by returning to epilogues of functions. – to appropriately unwind the parameters pushed on the stack. • We must never lose sight of RET.
  • 39. net-square ROP frames - generic approach f1(A, B) f2(X) f1(C, D) f3(P, Q, R, S) f2(Y) : : & f1() & POP/POP/RET A B & f2() & POP/RET X & f3() & POPAD/RET P Q R & f1() & POP/POP/RET C D junk junk junk & f2() & POP/RET Y S
  • 40. net-square Topics • Transforming classic EIP code to ROP • ROP vs. classic programming • Thinking in ROP terms • Assembling frames • Gadgets • Searching for gadgets • Generic techniques
  • 41. net-square EIP vs. ESP Classic EIP code • N ops = N instructions. • EIP increments. • ESP fluctuates. • The CPU increments EIP automatically. ROP code • N ops = N frames. • ESP increments. • EIP fluctuates. • We have to control ESP through RET instructions.
  • 42. net-square Transform EIP code to ROP • Load two registers • Call a function – with params 3,4 • How does this translate in ROP terms? mov eax, 14 mov ecx, 02500000 push 3 push 4 call 77fe3210
  • 43. net-square Thinking in ROP terms ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 ESP Put 14 in the next stack word, and POP it into EAX. RET function body epilogue prologue vulnerable function EIP mov eax, 14 RET POP EAX POP EBX functionX 700344fe 700344fd 700344ff
  • 44. net-square Thinking in ROP terms 700344fe AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14ESP RET function body epilogue prologue vulnerable function EIP Jump to address of "POP EAX; RET". Search function epilogues. RET POP EAX POP EBX functionX mov eax, 14
  • 45. net-square Thinking in ROP terms 700344fe ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ESP RET function body epilogue prologue vulnerable function EIP Place 02500000 as the next stack word, to be loaded into ECX. RET POP EAX POP EBX functionX eax = 00000014 mov ecx, 02500000
  • 46. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 RET function body epilogue prologue vulnerable function We now need an address of a "POP ECX; RET" sequence. RET POP EAX POP EBX functionX RET POP ECX functionY ESP EIP eax = 00000014 mov ecx, 02500000 6d894430 6d894431
  • 47. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000ESP RET function body epilogue prologue vulnerable function 02500000 is popped into ECX. RET POP EAX POP EBX functionX EIP RET POP ECX functionY eax = 00000014 mov ecx, 02500000
  • 48. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ??ESP RET function body epilogue prologue vulnerable function We now need to call a function at 77fe3210, with parameters 3, 4 RET POP EAX POP EBX functionX EIP RET POP ECX functionY push 3; push 4; call 77fe3210 eax = 00000014 ecx = 02500000
  • 49. net-square Gadget Dictionary POP EAX; RET Load value into register value POP ECX; RET Read memory at address address ADD EAX,n; RET Add MOV EAX,[ECX]; RET POP EAX; RET Write value at address address POP ECX; RET value MOV [EAX],ECX; RET INC EAX; RET Increment address of function Call a function param cleanup param 1 param 2 RET NOP param N POP; POP ... RET ADD ESP,24; RET POPAD; RET POP EAX; RET Call a function pointer address CALL [EAX]; RET XCHG EAX,ESP; RET Stack flip ESP=EAX LEAVE; RET Stack flip ESP=EBP POP ESP; RET Stack flip ESP=addr address
  • 50. net-square Instruction Opcodes Instruction Opcodes RET C3 RET n C2 16bits POP EAX 58 POP ECX 59 MOV EAX,[ECX] 8B 01 MOV [EAX],ECX 89 08 MOV [ECX],EAX 89 01 INC EAX 40 ADD EAX, n 83 C0 8bits
  • 51. net-square Instruction Opcodes Instruction Opcodes POP EBX/EDX/ESI/EDI/EBP 5B/5A/5E/5F/5D POPAD 61 ADD ESP,24 83 C4 18 CALL [EAX] FF 10 XCHG EAX,ESP 94 LEAVE C9 (mov esp,ebp; pop ebp) POP ESP 5C
  • 52. net-square Searching for Gadgets • Use msfpescan's regex search. • Example: MOV EAX,[ECX]; RET msfpescan -D -r 'x8Bx01xC3' <file> msfpescan -D -r 'x8Bx01xC2.x00' <file> msfpescan -D -r 'x8Bx01.xC3' <file> msfpescan -D -r 'x8Bx01..xC3' <file> • Sometimes you may need to improvise.
  • 53. net-square Generic Techniques • Run arbitrary shellcode. • Difficult to transform entire shellcode to ROP frames. • Create a ROP loader: – Allocate RWX memory – Copy classic shellcode to this memory – Jump to shellcode • Load and run any shellcode.
  • 54. net-square DEMO TIME! • Java JNLP docbase overflow • Exploiting IE8 using ROP