SlideShare une entreprise Scribd logo

Return Oriented Programming

UTD Computer Security Group
UTD Computer Security Group

Introduction to return oriented programming. Explanation of how to use instruction sequences already existing in an executable's memory space to manipulate control flow without injecting external payload.

Technologie
1  sur  27
Télécharger pour lire hors ligne
Intro to Return Oriented Programming UTD CSG James McFadyen 03/02/2017 1
Outline • ret2libc • Return Chaining • ROP Basics • Gadgets • Example 03/02/2017 2
ret2libc • If we point EIP to a function in libc, such as system(), we can pass it our own arguments • EIP will point to address of system(), next 4 bytes return address, next 4 bytes will be arguments • Example: o Overwrite EIP with address of system. Call this offset “x” o At offset x+4, (right after EIP), we have a return address o At x+8, we have the arguments. “/bin/sh” would make great arguments.. o ./program $(python -c 'print "A" * 104 + address_of_system + return_address + payload ') o Above assumes ‘program’ to be vulnerable, and the necessary offset is 104 • system(“bin/sh”) would spawn a shell 03/02/2017 3
Return Chaining • This is very useful, can use it in conjunction with the ret2libc methodology to bypass more protection mechanisms, such as ASCII Armoring • If we try the ret2libc technique on a binary with ASCII Armor, we see that there are null bytes in the address. Ex: 0x00167100 • To evade this, we must repeatedly return into the PLT, in a “chain” of instructions 03/02/2017 4
Return Chaining • The PLT (Procedure Linkage Table) and the GOT (Global Offset Table) are two important sections • When a program calls a function, it calls a function “stub” in the PLT, which then jumps to an address listed in the GOT. • On first call to the GOT from PLT, the address for the wanted function will be resolved by dynamic linker and patched into the GOT. • Next time the PLT entry jumps to the GOT, it will jump to the actual address. 03/02/2017 5
Return Chaining • If we have a libc function that has null bytes, we can take advantage of the PLT and GOT to achieve the same goal as ret2libc • char *strcpy(char *dest, const char *src); • *dest will be address of GOT for a function • *src will be the bytes • We have to do this byte at a time… • How do we do this? 03/02/2017 6
Return Chaining • Repeatedly call strcpy, write a single byte into GOT for a function that gets called in the program o Example: replace printf() with system() • Since there are null bytes in system, we write one byte at a time of the 4 byte address , null bytes included • This changes printf() to system(), so when we call printf() in the program, it actually calls system (since system() probably won’t already exist in the binary) • So what does that look like? 03/02/2017 7
Return Chaining • Basic example: pseudo-payload to overwrite GOT of printf() with system(): o strcpy() + pop pop ret + printf@GOT[0] + 1st byte of system() address o strcpy() + pop pop ret + printf@GOT[1] + 2nd byte of system() address o strcpy() + pop pop ret + printf@GOT[2] + 3rd byte of system() address o strcpy() + pop pop ret + printf@GOT[3] + 4th byte of system() address • Once this is accomplished, carry out ret2libc like normal, but instead of executing system(), we point to printf(), since it is overwritten 03/02/2017 8
Return Chaining • pop pop ret is an important gadget (Explained later) • In an actual payload, it will be a memory address pointing to those instructions • The next 4 bytes after strcpy() are the return address • Since the return address has pop pop ret, it will execute those instructions, moving past the arguments to strcpy(): dst and src. 03/02/2017 9
ROP Basics • Return Oriented Programming • This is not an introduction to x86 assembly • Uses code that is already in the program’s address space • No injection of a payload necessary • Evades DEP / NX • Many techniques exist to bypass even more protection mechanisms • Based on return to library attacks, such as ret2libc 03/02/2017 10
ROP Basics • Evolution: o Ret2libc, “Borrowed Code Chunks”, ROP • Extends beyond scope of ret2lib techniques by allowing the use of “gadgets” • Allows loops and conditional branching • Take control of stack o Especially interested in $esp / $rsp • We will rely on the stack pointer rather than instruction pointer for ROP • Take sequences of instructions that already exist in the code to control the program 03/02/2017 11
ROP Basics • Usefool tools (Linux): o Scripting language of choice o gdb o objdump o readelf o ROPGadget http://shell-storm.org/project/ROPgadget/ o ROPEme 03/02/2017 12
ESP vs. EIP • EIP points to the current instruction to execute • Processor automatically increments EIP upon execution • ESP does not get incremented by the processor • “ret” increments ESP o Note: not limited to ret for stack traversal 03/02/2017 13
Gadgets • Different instruction sequences ending in “ret” • They perform specific tasks, such as moving the stack pointer or writing a value • Ex: pop eax; ret o Load address at stack pointer into eax • Ex: pop eax; pop ebx; ret o Load two consecutive words into eax and ebx. o Also good for “stepping over” instructions and incrementing the stack pointer • Need to understand assembly, these can get very complicated when dealing with logic and control flow 03/02/2017 14
Gadgets • We can use gadgets to pivot the stack into an area that we control • Ex: mov esp, ebx; ret • Strings of these gadgets form chains of instructions • Gadgets placed in specific orders can execute specific tasks • Only requirement is a sequence of useable bytes somewhere in executable memory region 03/02/2017 15
03/02/2017 (note red: executable, orange: writeable) 16
Gadgets • “readelf –s binary” – displays section headers for binary • Areas such as .bss are writeable - this allows us to throw payloads here, create custom stacks, etc… • .got is also an important place to write, since we can manipulate a program by changing the functions o Ex: replace a printf() with exec() in a binary that does not contain exec() 03/02/2017 17
Gadgets • Sample objdump output from a Linux binary 03/02/2017 18
Gadgets • Orange: memory location • Green: opcodes • Red: instructions • You can see the gadgets can be obtained from within the same binary • But do we really want to dig through objdump output? 03/02/2017 19
Gadgets • Example: Assume we control the stack, and we need to place a value from our stack into EBX.. • If we execute memory address 0x080483b2, it will pop our value from the stack pointer, store it in EBX, which increments the stack pointer, pop the next value into EBP, which increment thes stack pointer, and return, which increments the stack pointer. 03/02/2017 21
Gadgets • If you can solve a problem in assembly, all you need to do is find gadgets that will accomplish your goal • Looping, conditions, etc… 03/02/2017 22
Demo • Some ROP basics • Return Chaining • ROPGadget 03/02/2017 23
CTF Writeups • http://www.vnsecurity.net/2011/01/padocon-2011- ctf-karma-400-exploit-the-data-re-use-way / • http://leetmore.ctf.su/wp/defcon-ctf-quals-2011- pwnables-400 / • http://www.vnsecurity.net/2011/10/hack-lu-ctf-201 1-nebula-death-stick-services-writeup / • http://www.vnsecurity.net/2010/04/return-oriente d-programming-practice-exploiting-codegate-2010- challenge-5/ • http://auntitled.blogspot.com/2011/03/codegate-c tf-2011-vuln300-writeup.html 03/02/2017 24
Additional Resources • http://www.youtube.com/watch?v=rVhOnqlfIvQ • http://www.phrack.com/issues.html?issue=58&id =4 http://isisblogs.poly.edu/2011/10/21/geras-insec ure-programming-warming-up-stack-1-rop-nxaslr-by pass/ • http://falken.tuxfamily.org/?p=115 • http://cseweb.ucsd.edu/~hovav/papers/rbss11.ht ml • http://divine-protection.com/wordpress/?p=20 • http://www.corelan.be/index.php/2010/06/16/exploi t-writing-tutorial-part-10-chaining-dep-with-rop- the-rubikstm-cube/ 03/02/2017 25
References • A Gentle Introduction to Return-Oriented Programming by Tim Kornau - http://blog.zynamics.com/2010/03/12/a-gentle-int roduction-to-return-oriented-programming / • PLT and GOT – The key to code sharing and dynamic libraries - http:// www.technovelty.org/linux/pltgot.html • “Return-oriented Programming: Exploits Without Code Injection” Erik Buchanan, Ryan Roemer… http://cseweb.ucsd.edu/~hovav/talks/blackhat08. html 03/02/2017 26
References contd.. • “Payload Already Inside: Data Reuse for ROP Exploits” Blackhat 2010, longld @ vnsecurity.net - http:// media.blackhat.com/bh-us-10/whitepapers/Le/Blac kHat-USA-2010-Le-Paper-Payload-already-inside-d ata-reuse-for-ROP-exploits-wp.pdf • “Practical Return-Oriented Programming” Dino A. Dai Zovi - http://trailofbits.files.wordpress.com/2010/04/prac tical-rop.pdf 03/02/2017 27

Recommandé

Numba: Array-oriented Python Compiler for NumPy
Numba: Array-oriented Python Compiler for NumPyNumba: Array-oriented Python Compiler for NumPy
Numba: Array-oriented Python Compiler for NumPyTravis Oliphant
 
0.5mln packets per second with Erlang
0.5mln packets per second with Erlang0.5mln packets per second with Erlang
0.5mln packets per second with ErlangMaxim Kharchenko
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 4: Introduction to format string bugs
CNIT 127: Ch 4: Introduction to format string bugsCNIT 127: Ch 4: Introduction to format string bugs
CNIT 127: Ch 4: Introduction to format string bugsSam Bowne
 
CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsCNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsSam Bowne
 
BWB Meetup: Storm - distributed realtime computation system
BWB Meetup: Storm - distributed realtime computation systemBWB Meetup: Storm - distributed realtime computation system
BWB Meetup: Storm - distributed realtime computation systemAndrii Gakhov
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
Taming OpenBSD Network Stack Dragons by Martin Pieuchot
Taming OpenBSD Network Stack Dragons by Martin PieuchotTaming OpenBSD Network Stack Dragons by Martin Pieuchot
Taming OpenBSD Network Stack Dragons by Martin Pieuchoteurobsdcon
 

Recommandé

Numba: Array-oriented Python Compiler for NumPy
Numba: Array-oriented Python Compiler for NumPyNumba: Array-oriented Python Compiler for NumPy
Numba: Array-oriented Python Compiler for NumPyTravis Oliphant
 
0.5mln packets per second with Erlang
0.5mln packets per second with Erlang0.5mln packets per second with Erlang
0.5mln packets per second with ErlangMaxim Kharchenko
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 4: Introduction to format string bugs
CNIT 127: Ch 4: Introduction to format string bugsCNIT 127: Ch 4: Introduction to format string bugs
CNIT 127: Ch 4: Introduction to format string bugsSam Bowne
 
CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsCNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsSam Bowne
 
BWB Meetup: Storm - distributed realtime computation system
BWB Meetup: Storm - distributed realtime computation systemBWB Meetup: Storm - distributed realtime computation system
BWB Meetup: Storm - distributed realtime computation systemAndrii Gakhov
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginSam Bowne
 
Taming OpenBSD Network Stack Dragons by Martin Pieuchot
Taming OpenBSD Network Stack Dragons by Martin PieuchotTaming OpenBSD Network Stack Dragons by Martin Pieuchot
Taming OpenBSD Network Stack Dragons by Martin Pieuchoteurobsdcon
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
Summer_Work
Summer_WorkSummer_Work
Summer_WorkBrad Schwartz
 
Lecture 10
Lecture 10Lecture 10
Lecture 10Tanveer Malik
 
Parallel program design
Parallel program designParallel program design
Parallel program designZongYing Lyu
 
CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeSam Bowne
 
LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723Iftach Ian Amit
 
Short introduction to Storm
Short introduction to StormShort introduction to Storm
Short introduction to StormJimmyZoger
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)Sam Bowne
 
Numba: Flexible analytics written in Python with machine-code speeds and avo...
Numba: Flexible analytics written in Python with machine-code speeds and avo...Numba: Flexible analytics written in Python with machine-code speeds and avo...
Numba: Flexible analytics written in Python with machine-code speeds and avo...PyData
 
File Handling and Command Line Arguments in C
File Handling and Command Line Arguments in CFile Handling and Command Line Arguments in C
File Handling and Command Line Arguments in CMahendra Yadav
 
Twitter Stream Processing
Twitter Stream ProcessingTwitter Stream Processing
Twitter Stream ProcessingColin Surprenant
 
Rcpp
RcppRcpp
RcppAjay Ohri
 
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...Publicis Sapient Engineering
 
Os Reindersfinal
Os ReindersfinalOs Reindersfinal
Os Reindersfinaloscon2007
 
MPI Tutorial
MPI TutorialMPI Tutorial
MPI TutorialDhanashree Prasad
 
MODELS 2019: Querying and annotating model histories with time-aware patterns
MODELS 2019: Querying and annotating model histories with time-aware patternsMODELS 2019: Querying and annotating model histories with time-aware patterns
MODELS 2019: Querying and annotating model histories with time-aware patternsAntonio García-Domínguez
 
KafNafParserPy: a python library for parsing/creating KAF and NAF files
KafNafParserPy: a python library for parsing/creating KAF and NAF filesKafNafParserPy: a python library for parsing/creating KAF and NAF files
KafNafParserPy: a python library for parsing/creating KAF and NAF filesRubén Izquierdo Beviá
 
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen II
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen IIPorting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen II
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen IIGeorge Markomanolis
 
Buzzwords Numba Presentation
Buzzwords Numba PresentationBuzzwords Numba Presentation
Buzzwords Numba Presentationkammeyer
 
Seattle useR Group - R + Scala
Seattle useR Group - R + ScalaSeattle useR Group - R + Scala
Seattle useR Group - R + ScalaShouheng Yi
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash CourseUTD Computer Security Group
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 

Contenu connexe

Tendances

CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
Parallel program design
Parallel program designParallel program design
Parallel program designZongYing Lyu
 
CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeSam Bowne
 
LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723Iftach Ian Amit
 
Short introduction to Storm
Short introduction to StormShort introduction to Storm
Short introduction to StormJimmyZoger
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)Sam Bowne
 
Numba: Flexible analytics written in Python with machine-code speeds and avo...
Numba: Flexible analytics written in Python with machine-code speeds and avo...Numba: Flexible analytics written in Python with machine-code speeds and avo...
Numba: Flexible analytics written in Python with machine-code speeds and avo...PyData
 
File Handling and Command Line Arguments in C
File Handling and Command Line Arguments in CFile Handling and Command Line Arguments in C
File Handling and Command Line Arguments in CMahendra Yadav
 
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...Publicis Sapient Engineering
 
Os Reindersfinal
Os ReindersfinalOs Reindersfinal
Os Reindersfinaloscon2007
 
MODELS 2019: Querying and annotating model histories with time-aware patterns
MODELS 2019: Querying and annotating model histories with time-aware patternsMODELS 2019: Querying and annotating model histories with time-aware patterns
MODELS 2019: Querying and annotating model histories with time-aware patternsAntonio García-Domínguez
 
KafNafParserPy: a python library for parsing/creating KAF and NAF files
KafNafParserPy: a python library for parsing/creating KAF and NAF filesKafNafParserPy: a python library for parsing/creating KAF and NAF files
KafNafParserPy: a python library for parsing/creating KAF and NAF filesRubén Izquierdo Beviá
 
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen II
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen IIPorting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen II
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen IIGeorge Markomanolis
 
Buzzwords Numba Presentation
Buzzwords Numba PresentationBuzzwords Numba Presentation
Buzzwords Numba Presentationkammeyer
 
Seattle useR Group - R + Scala
Seattle useR Group - R + ScalaSeattle useR Group - R + Scala
Seattle useR Group - R + ScalaShouheng Yi
 

Tendances (20)

CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
Summer_Work
Summer_WorkSummer_Work
Summer_Work
 
Lecture 10
Lecture 10Lecture 10
Lecture 10
 
Parallel program design
Parallel program designParallel program design
Parallel program design
 
CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: Shellcode
 
LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723LD_PRELOAD Exploitation - DC9723
LD_PRELOAD Exploitation - DC9723
 
Short introduction to Storm
Short introduction to StormShort introduction to Storm
Short introduction to Storm
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
 
Numba: Flexible analytics written in Python with machine-code speeds and avo...
Numba: Flexible analytics written in Python with machine-code speeds and avo...Numba: Flexible analytics written in Python with machine-code speeds and avo...
Numba: Flexible analytics written in Python with machine-code speeds and avo...
 
File Handling and Command Line Arguments in C
File Handling and Command Line Arguments in CFile Handling and Command Line Arguments in C
File Handling and Command Line Arguments in C
 
Twitter Stream Processing
Twitter Stream ProcessingTwitter Stream Processing
Twitter Stream Processing
 
Rcpp
RcppRcpp
Rcpp
 
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...
Devoxx - France : Making Swift – 10 enseignements qu’on peut tirer des 31.463...
 
Os Reindersfinal
Os ReindersfinalOs Reindersfinal
Os Reindersfinal
 
MPI Tutorial
MPI TutorialMPI Tutorial
MPI Tutorial
 
MODELS 2019: Querying and annotating model histories with time-aware patterns
MODELS 2019: Querying and annotating model histories with time-aware patternsMODELS 2019: Querying and annotating model histories with time-aware patterns
MODELS 2019: Querying and annotating model histories with time-aware patterns
 
KafNafParserPy: a python library for parsing/creating KAF and NAF files
KafNafParserPy: a python library for parsing/creating KAF and NAF filesKafNafParserPy: a python library for parsing/creating KAF and NAF files
KafNafParserPy: a python library for parsing/creating KAF and NAF files
 
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen II
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen IIPorting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen II
Porting an MPI application to hybrid MPI+OpenMP with Reveal tool on Shaheen II
 
Buzzwords Numba Presentation
Buzzwords Numba PresentationBuzzwords Numba Presentation
Buzzwords Numba Presentation
 
Seattle useR Group - R + Scala
Seattle useR Group - R + ScalaSeattle useR Group - R + Scala
Seattle useR Group - R + Scala
 

Similaire à Return Oriented Programming

127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdfTesterteste3
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxSam Bowne
 
Pipiot - the double-architecture shellcode constructor
Pipiot - the double-architecture shellcode constructorPipiot - the double-architecture shellcode constructor
Pipiot - the double-architecture shellcode constructorMoshe Zioni
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1Payampardaz
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
C from hello world to 010101
C from hello world to 010101C from hello world to 010101
C from hello world to 010101Bellaj Badr
 
Learning C++ - Introduction to c++ programming 1
Learning C++ - Introduction to c++ programming 1Learning C++ - Introduction to c++ programming 1
Learning C++ - Introduction to c++ programming 1Ali Aminian
 
Intro To C++ - Class #17: Pointers!, Objects Talking To Each Other
Intro To C++ - Class #17: Pointers!, Objects Talking To Each OtherIntro To C++ - Class #17: Pointers!, Objects Talking To Each Other
Intro To C++ - Class #17: Pointers!, Objects Talking To Each OtherBlue Elephant Consulting
 
The reasons why 64-bit programs require more stack memory
The reasons why 64-bit programs require more stack memoryThe reasons why 64-bit programs require more stack memory
The reasons why 64-bit programs require more stack memoryPVS-Studio
 
lecture16-recap-questions-and-answers.pdf
lecture16-recap-questions-and-answers.pdflecture16-recap-questions-and-answers.pdf
lecture16-recap-questions-and-answers.pdfAyushKumar93531
 

Similaire à Return Oriented Programming (20)

Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
05_Return_to_Libc.pdf
05_Return_to_Libc.pdf05_Return_to_Libc.pdf
05_Return_to_Libc.pdf
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
CNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in LinuxCNIT 127: Ch 2: Stack Overflows in Linux
CNIT 127: Ch 2: Stack Overflows in Linux
 
Pipiot - the double-architecture shellcode constructor
Pipiot - the double-architecture shellcode constructorPipiot - the double-architecture shellcode constructor
Pipiot - the double-architecture shellcode constructor
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
test
testtest
test
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
C from hello world to 010101
C from hello world to 010101C from hello world to 010101
C from hello world to 010101
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
Unit iv(simple code generator)
Unit iv(simple code generator)Unit iv(simple code generator)
Unit iv(simple code generator)
 
Learning C++ - Introduction to c++ programming 1
Learning C++ - Introduction to c++ programming 1Learning C++ - Introduction to c++ programming 1
Learning C++ - Introduction to c++ programming 1
 
Introduction to OpenMP
Introduction to OpenMPIntroduction to OpenMP
Introduction to OpenMP
 
Design
DesignDesign
Design
 
Intro To C++ - Class #17: Pointers!, Objects Talking To Each Other
Intro To C++ - Class #17: Pointers!, Objects Talking To Each OtherIntro To C++ - Class #17: Pointers!, Objects Talking To Each Other
Intro To C++ - Class #17: Pointers!, Objects Talking To Each Other
 
The reasons why 64-bit programs require more stack memory
The reasons why 64-bit programs require more stack memoryThe reasons why 64-bit programs require more stack memory
The reasons why 64-bit programs require more stack memory
 
lecture16-recap-questions-and-answers.pdf
lecture16-recap-questions-and-answers.pdflecture16-recap-questions-and-answers.pdf
lecture16-recap-questions-and-answers.pdf
 

Plus de UTD Computer Security Group

UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 

Plus de UTD Computer Security Group (20)

Py jail talk
Py jail talkPy jail talk
Py jail talk
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
 
Cloud talk
Cloud talkCloud talk
Cloud talk
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Forensics audio and video
Forensics audio and videoForensics audio and video
Forensics audio and video
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network security
 
Intro to python
Intro to pythonIntro to python
Intro to python
 
Powershell crash course
Powershell crash coursePowershell crash course
Powershell crash course
 
Intro to cybersecurity
Intro to cybersecurityIntro to cybersecurity
Intro to cybersecurity
 
Intro to Bash
Intro to BashIntro to Bash
Intro to Bash
 
Web Exploitation
Web ExploitationWeb Exploitation
Web Exploitation
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network Exploitation
 
Penetration Testing: Celestial
Penetration Testing: CelestialPenetration Testing: Celestial
Penetration Testing: Celestial
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Cryptography Crash Course
Cryptography Crash CourseCryptography Crash Course
Cryptography Crash Course
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
 
Advanced Windows Exploitation
Advanced Windows ExploitationAdvanced Windows Exploitation
Advanced Windows Exploitation
 

Dernier

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Dernier (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Return Oriented Programming

  • 1. Intro to Return Oriented Programming UTD CSG James McFadyen 03/02/2017 1
  • 2. Outline • ret2libc • Return Chaining • ROP Basics • Gadgets • Example 03/02/2017 2
  • 3. ret2libc • If we point EIP to a function in libc, such as system(), we can pass it our own arguments • EIP will point to address of system(), next 4 bytes return address, next 4 bytes will be arguments • Example: o Overwrite EIP with address of system. Call this offset “x” o At offset x+4, (right after EIP), we have a return address o At x+8, we have the arguments. “/bin/sh” would make great arguments.. o ./program $(python -c 'print "A" * 104 + address_of_system + return_address + payload ') o Above assumes ‘program’ to be vulnerable, and the necessary offset is 104 • system(“bin/sh”) would spawn a shell 03/02/2017 3
  • 4. Return Chaining • This is very useful, can use it in conjunction with the ret2libc methodology to bypass more protection mechanisms, such as ASCII Armoring • If we try the ret2libc technique on a binary with ASCII Armor, we see that there are null bytes in the address. Ex: 0x00167100 • To evade this, we must repeatedly return into the PLT, in a “chain” of instructions 03/02/2017 4
  • 5. Return Chaining • The PLT (Procedure Linkage Table) and the GOT (Global Offset Table) are two important sections • When a program calls a function, it calls a function “stub” in the PLT, which then jumps to an address listed in the GOT. • On first call to the GOT from PLT, the address for the wanted function will be resolved by dynamic linker and patched into the GOT. • Next time the PLT entry jumps to the GOT, it will jump to the actual address. 03/02/2017 5
  • 6. Return Chaining • If we have a libc function that has null bytes, we can take advantage of the PLT and GOT to achieve the same goal as ret2libc • char *strcpy(char *dest, const char *src); • *dest will be address of GOT for a function • *src will be the bytes • We have to do this byte at a time… • How do we do this? 03/02/2017 6
  • 7. Return Chaining • Repeatedly call strcpy, write a single byte into GOT for a function that gets called in the program o Example: replace printf() with system() • Since there are null bytes in system, we write one byte at a time of the 4 byte address , null bytes included • This changes printf() to system(), so when we call printf() in the program, it actually calls system (since system() probably won’t already exist in the binary) • So what does that look like? 03/02/2017 7
  • 8. Return Chaining • Basic example: pseudo-payload to overwrite GOT of printf() with system(): o strcpy() + pop pop ret + printf@GOT[0] + 1st byte of system() address o strcpy() + pop pop ret + printf@GOT[1] + 2nd byte of system() address o strcpy() + pop pop ret + printf@GOT[2] + 3rd byte of system() address o strcpy() + pop pop ret + printf@GOT[3] + 4th byte of system() address • Once this is accomplished, carry out ret2libc like normal, but instead of executing system(), we point to printf(), since it is overwritten 03/02/2017 8
  • 9. Return Chaining • pop pop ret is an important gadget (Explained later) • In an actual payload, it will be a memory address pointing to those instructions • The next 4 bytes after strcpy() are the return address • Since the return address has pop pop ret, it will execute those instructions, moving past the arguments to strcpy(): dst and src. 03/02/2017 9
  • 10. ROP Basics • Return Oriented Programming • This is not an introduction to x86 assembly • Uses code that is already in the program’s address space • No injection of a payload necessary • Evades DEP / NX • Many techniques exist to bypass even more protection mechanisms • Based on return to library attacks, such as ret2libc 03/02/2017 10
  • 11. ROP Basics • Evolution: o Ret2libc, “Borrowed Code Chunks”, ROP • Extends beyond scope of ret2lib techniques by allowing the use of “gadgets” • Allows loops and conditional branching • Take control of stack o Especially interested in $esp / $rsp • We will rely on the stack pointer rather than instruction pointer for ROP • Take sequences of instructions that already exist in the code to control the program 03/02/2017 11
  • 12. ROP Basics • Usefool tools (Linux): o Scripting language of choice o gdb o objdump o readelf o ROPGadget http://shell-storm.org/project/ROPgadget/ o ROPEme 03/02/2017 12
  • 13. ESP vs. EIP • EIP points to the current instruction to execute • Processor automatically increments EIP upon execution • ESP does not get incremented by the processor • “ret” increments ESP o Note: not limited to ret for stack traversal 03/02/2017 13
  • 14. Gadgets • Different instruction sequences ending in “ret” • They perform specific tasks, such as moving the stack pointer or writing a value • Ex: pop eax; ret o Load address at stack pointer into eax • Ex: pop eax; pop ebx; ret o Load two consecutive words into eax and ebx. o Also good for “stepping over” instructions and incrementing the stack pointer • Need to understand assembly, these can get very complicated when dealing with logic and control flow 03/02/2017 14
  • 15. Gadgets • We can use gadgets to pivot the stack into an area that we control • Ex: mov esp, ebx; ret • Strings of these gadgets form chains of instructions • Gadgets placed in specific orders can execute specific tasks • Only requirement is a sequence of useable bytes somewhere in executable memory region 03/02/2017 15
  • 16. 03/02/2017 (note red: executable, orange: writeable) 16
  • 17. Gadgets • “readelf –s binary” – displays section headers for binary • Areas such as .bss are writeable - this allows us to throw payloads here, create custom stacks, etc… • .got is also an important place to write, since we can manipulate a program by changing the functions o Ex: replace a printf() with exec() in a binary that does not contain exec() 03/02/2017 17
  • 18. Gadgets • Sample objdump output from a Linux binary 03/02/2017 18
  • 19. Gadgets • Orange: memory location • Green: opcodes • Red: instructions • You can see the gadgets can be obtained from within the same binary • But do we really want to dig through objdump output? 03/02/2017 19
  • 20.
  • 21. Gadgets • Example: Assume we control the stack, and we need to place a value from our stack into EBX.. • If we execute memory address 0x080483b2, it will pop our value from the stack pointer, store it in EBX, which increments the stack pointer, pop the next value into EBP, which increment thes stack pointer, and return, which increments the stack pointer. 03/02/2017 21
  • 22. Gadgets • If you can solve a problem in assembly, all you need to do is find gadgets that will accomplish your goal • Looping, conditions, etc… 03/02/2017 22
  • 23. Demo • Some ROP basics • Return Chaining • ROPGadget 03/02/2017 23
  • 24. CTF Writeups • http://www.vnsecurity.net/2011/01/padocon-2011- ctf-karma-400-exploit-the-data-re-use-way / • http://leetmore.ctf.su/wp/defcon-ctf-quals-2011- pwnables-400 / • http://www.vnsecurity.net/2011/10/hack-lu-ctf-201 1-nebula-death-stick-services-writeup / • http://www.vnsecurity.net/2010/04/return-oriente d-programming-practice-exploiting-codegate-2010- challenge-5/ • http://auntitled.blogspot.com/2011/03/codegate-c tf-2011-vuln300-writeup.html 03/02/2017 24
  • 25. Additional Resources • http://www.youtube.com/watch?v=rVhOnqlfIvQ • http://www.phrack.com/issues.html?issue=58&id =4 http://isisblogs.poly.edu/2011/10/21/geras-insec ure-programming-warming-up-stack-1-rop-nxaslr-by pass/ • http://falken.tuxfamily.org/?p=115 • http://cseweb.ucsd.edu/~hovav/papers/rbss11.ht ml • http://divine-protection.com/wordpress/?p=20 • http://www.corelan.be/index.php/2010/06/16/exploi t-writing-tutorial-part-10-chaining-dep-with-rop- the-rubikstm-cube/ 03/02/2017 25
  • 26. References • A Gentle Introduction to Return-Oriented Programming by Tim Kornau - http://blog.zynamics.com/2010/03/12/a-gentle-int roduction-to-return-oriented-programming / • PLT and GOT – The key to code sharing and dynamic libraries - http:// www.technovelty.org/linux/pltgot.html • “Return-oriented Programming: Exploits Without Code Injection” Erik Buchanan, Ryan Roemer… http://cseweb.ucsd.edu/~hovav/talks/blackhat08. html 03/02/2017 26
  • 27. References contd.. • “Payload Already Inside: Data Reuse for ROP Exploits” Blackhat 2010, longld @ vnsecurity.net - http:// media.blackhat.com/bh-us-10/whitepapers/Le/Blac kHat-USA-2010-Le-Paper-Payload-already-inside-d ata-reuse-for-ROP-exploits-wp.pdf • “Practical Return-Oriented Programming” Dino A. Dai Zovi - http://trailofbits.files.wordpress.com/2010/04/prac tical-rop.pdf 03/02/2017 27