Dobin 0x54_DefeatExploitMitigations_ROP.pdf
Card set details

Cards | 11 |
---|---|
Language | English |
Category | Religion/Ethics |
Level | University |
Created / Updated | 24.06.2019 / 24.06.2019 |
Licensing | Not specified |
Weblink | https://card2brain.ch/box/20190624_dobin_0x54defeatexploitmitigationsrop_pdf |
What does ROP stand for?
Return Oriented Programming (ROP)
What are gadgets and how are they used?
ROP: smartly chain gadgets together to execute arbitrary code, without injecting any code of our own
Gadgets:
- Some short sequence of instructions that is already in the process, followed by a RET
- The RET pops the address of the next gadget from the stack, which is how the chain continues
How can you find gadgets?
How to find gadgets:
- Search the code section for the byte 0xc3 (= ret)
- Go backwards from each ret, and decode from each earlier byte offset
- For each offset:
  - Check if the bytes decode to valid x86 (32-bit) instructions that end exactly at the ret
  - If yes: add the gadget, and continue
  - If no: continue
- x86 instructions are not aligned, so a 0xc3 inside another instruction (e.g. in an immediate) also yields a usable "unintended" gadget
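As an added example (not part of the card deck or of Dobin's course material): a minimal gadget finder in C that implements the search described above on a constructed byte sequence. It decodes only a small subset of 32-bit x86 (single-byte push/pop/inc/dec/xchg/nop/leave, mov r32,imm32 and add/sub esp,imm8); a real tool uses a full disassembler. For every 0xc3 it tries each start offset up to 8 bytes back and keeps those whose instructions decode to exactly the ret. The sample bytes are constructed for the example and include a mov eax,imm32 whose immediate hides an unintended pop ebx; pop esi; ret.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BACK 8   /* how many bytes before a ret we consider as a gadget start */

struct gadget { size_t offset; char text[128]; };

static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Decode one instruction at code[pos] into buf; return its length, or 0 if the
 * byte is not in the small x86-32 subset this example understands. */
static size_t decode_one(const uint8_t *code, size_t len, size_t pos, char *buf, size_t bufsz)
{
    if (pos >= len) return 0;
    uint8_t op = code[pos];
    if (op == 0x90) { snprintf(buf, bufsz, "nop");   return 1; }
    if (op == 0xc9) { snprintf(buf, bufsz, "leave"); return 1; }
    if (op == 0xc3) { snprintf(buf, bufsz, "ret");   return 1; }
    if (op >= 0x40 && op <= 0x47) { snprintf(buf, bufsz, "inc %s",  reg32[op - 0x40]); return 1; }
    if (op >= 0x48 && op <= 0x4f) { snprintf(buf, bufsz, "dec %s",  reg32[op - 0x48]); return 1; }
    if (op >= 0x50 && op <= 0x57) { snprintf(buf, bufsz, "push %s", reg32[op - 0x50]); return 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(buf, bufsz, "pop %s",  reg32[op - 0x58]); return 1; }
    if (op >= 0x91 && op <= 0x97) { snprintf(buf, bufsz, "xchg eax, %s", reg32[op - 0x90]); return 1; }
    if (op >= 0xb8 && op <= 0xbf && pos + 5 <= len) {               /* mov r32, imm32 */
        uint32_t imm = (uint32_t)code[pos + 1] | (uint32_t)code[pos + 2] << 8 |
                       (uint32_t)code[pos + 3] << 16 | (uint32_t)code[pos + 4] << 24;
        snprintf(buf, bufsz, "mov %s, 0x%x", reg32[op - 0xb8], imm);
        return 5;
    }
    if (op == 0x83 && pos + 3 <= len && (code[pos + 1] == 0xc4 || code[pos + 1] == 0xec)) {
        snprintf(buf, bufsz, "%s esp, 0x%x", code[pos + 1] == 0xc4 ? "add" : "sub",
                 (unsigned)code[pos + 2]);                          /* add/sub esp, imm8 */
        return 3;
    }
    return 0;
}

/* Find every ret and every instruction sequence that decodes to exactly that ret.
 * x86 has no instruction alignment, so start offsets inside other instructions
 * are tried too: that is where the "unintended" gadgets come from. */
size_t find_gadgets(const uint8_t *code, size_t len, struct gadget *out, size_t max_out)
{
    size_t n = 0;
    for (size_t r = 0; r < len; r++) {
        if (code[r] != 0xc3) continue;
        if (n < max_out) { out[n].offset = r; snprintf(out[n].text, sizeof out[n].text, "ret"); n++; }
        for (size_t d = 1; d <= MAX_BACK && d <= r; d++) {
            size_t start = r - d, pos = start, tl = 0;
            char text[128] = "", insn[48];
            while (pos < r) {
                size_t il = decode_one(code, len, pos, insn, sizeof insn);
                if (il == 0 || code[pos] == 0xc3) break;   /* undecodable, or an earlier ret ends the path */
                if (tl < sizeof text) tl += (size_t)snprintf(text + tl, sizeof text - tl, "%s; ", insn);
                pos += il;
            }
            if (pos != r) continue;                             /* did not land exactly on the ret */
            if (n < max_out) { out[n].offset = start; snprintf(out[n].text, sizeof out[n].text, "%sret", text); n++; }
        }
    }
    return n;
}

/* Offset of the first gadget whose text matches `wanted`, or -1 if none. */
long gadget_offset(const uint8_t *code, size_t len, const char *wanted)
{
    struct gadget g[256];
    size_t n = find_gadgets(code, len, g, 256);
    for (size_t i = 0; i < n; i++)
        if (strcmp(g[i].text, wanted) == 0) return (long)g[i].offset;
    return -1;
}

/* Constructed sample "code section" (not taken from any real binary). */
const uint8_t sample_code[] = {
    0x55,                          /*  0: push ebp                                   */
    0x89, 0xe5,                    /*  1: mov ebp, esp (not decoded by our subset)   */
    0x83, 0xc4, 0x10,              /*  3: add esp, 0x10                              */
    0x5d,                          /*  6: pop ebp                                    */
    0xc3,                          /*  7: ret                                        */
    0xb8, 0x5b, 0x5e, 0xc3, 0x00,  /*  8: mov eax, 0xc35e5b; bytes 9..11 read as pop ebx; pop esi; ret */
    0x90,                          /* 13: nop                                        */
    0x5e, 0x5f,                    /* 14: pop esi; pop edi                           */
    0xc3,                          /* 16: ret                                        */
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    struct gadget g[64];
    size_t n = find_gadgets(sample_code, sample_code_len, g, 64);
    for (size_t i = 0; i < n; i++)
        printf("0x%04zx: %s\n", g[i].offset, g[i].text);
    return 0;
}
```

Running it lists eleven gadgets for the 17 sample bytes, among them the unintended `pop ebx; pop esi; ret` at offset 9, which the compiler never emitted as such.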
What are the characteristics of a ROP chain?
- Call/ret pairs can be chained: every gadget ends in a ret that fetches the next address from the stack
- Arbitrary code execution with no code uploaded (this is how NX/DEP is bypassed)
- The "shellcode" consists of:
  - Addresses of gadgets
  - Arguments for gadgets (addresses, or immediates)
  - NOT: machine instructions
What is stack pivoting?
What if ESP (the stack pointer) does not point to our ROP chain?
- We can only execute one gadget (the one whose address overwrote the return address)
- Use it to make ESP point to the memory location that holds our ROP chain (the pivot gadget still has to end in ret)
If a register points to our ROP chain:
xchg eax, esp // swap eax and esp: esp now holds the value from eax, which points to our ROP chain
If the chain is somewhere else on the stack:
add esp, 0x100 // move esp up to where our ROP chain starts
Or, in general:
mov esp, 0x12345 // chain at a known address
pop esp // load esp from the next word on the stack
Where can we take gadgets from?
- The program code
  - Static location in memory (if not PIE)
  - The binary needs to be big enough to contain enough gadgets
- Shared library code (libc etc.)
  - "Universal gadget library", because it is very big
  - Sadly, non-guessable base address (libraries are ASLR'd even when the binary is not PIE), so it has to be leaked first
What does ROP shellcode usually consist of?
ROP shellcode usually consists of:
- Libc calls
  - malloc() / mprotect() (to obtain writable and executable memory)
- Preparation of libc calls
  - set up registers / arguments on the stack
  - leak data (e.g. a libc address) to defeat ASLR
- Skipping of call arguments left on the stack (pop/pop/ret)
- And even "plain ASM (assembly)" gadgets (e.g. jmp)
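As an added example (not part of the card deck or of Dobin's material) serving the cards on the characteristics of a ROP chain, on stack pivoting and on what ROP shellcode consists of: a C program that lays out a 32-bit chain calling mprotect(buf, len, RWX) and then returning into stage-2 shellcode, and runs it through a tiny gadget-level emulator. Every address (the two gadgets in an assumed non-PIE binary, the libc mprotect() address that would have to be leaked under ASLR, the buffer and stack locations) is constructed for the example; nothing here touches a real process. The chain holds only addresses and immediates, the pop/pop/pop/ret gadget skips the three call arguments, and the second scenario shows an `xchg eax, esp; ret` pivot when only the saved EIP can be overwritten.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed addresses: a fake 8 KiB memory window holds both the attacker buffer
 * and the overflowed stack frame; gadgets live in an assumed non-PIE binary. */
#define MEM_BASE       0x0804a000u
#define MEM_SIZE       0x2000u
#define BUF_ADDR       MEM_BASE              /* attacker-controlled buffer */
#define STACK_ADDR     (MEM_BASE + 0x1800u)  /* slot of the overwritten saved EIP */
#define STAGE2_ADDR    (BUF_ADDR + 0x200u)   /* classic shellcode placed in the buffer */
#define G_POP3_RET     0x08048abcu           /* gadget: pop ebx; pop esi; pop edi; ret */
#define G_XCHG_EAX_ESP 0x08048defu           /* gadget: xchg eax, esp; ret */
#define LIBC_MPROTECT  0xb7f10000u           /* libc mprotect() (leaked under ASLR) */

static uint8_t mem[MEM_SIZE];

static int in_mem(uint32_t addr) { return addr >= MEM_BASE && addr + 4 <= MEM_BASE + MEM_SIZE; }

static void wr32(uint32_t addr, uint32_t v)            /* little-endian store, as on x86 */
{
    if (!in_mem(addr)) return;
    uint8_t *p = mem + (addr - MEM_BASE);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t rd32(uint32_t addr)
{
    if (!in_mem(addr)) return 0;                        /* a read outside the window "faults" to 0 */
    const uint8_t *p = mem + (addr - MEM_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The chain itself: addresses and immediates only, no instructions. */
uint32_t write_mprotect_chain(uint32_t at)
{
    wr32(at +  0, LIBC_MPROTECT);   /* the first ret lands in mprotect()                 */
    wr32(at +  4, G_POP3_RET);      /* mprotect's return address: skips the 3 args below */
    wr32(at +  8, BUF_ADDR);        /* arg 1: addr                                       */
    wr32(at + 12, MEM_SIZE);        /* arg 2: len                                        */
    wr32(at + 16, 7);               /* arg 3: PROT_READ|PROT_WRITE|PROT_EXEC              */
    wr32(at + 20, STAGE2_ADDR);     /* the pop3ret gadget's ret lands in the shellcode   */
    return at + 24;
}

struct cpu { uint32_t esp, eip, eax, ebx, esi, edi; };
struct result { int reached_stage2; uint32_t mprotect_addr, mprotect_len, mprotect_prot; };

static uint32_t pop32(struct cpu *c) { uint32_t v = rd32(c->esp); c->esp += 4; return v; }

/* Gadget-level emulator: each known address does its work, then its ret pops the next one. */
struct result run_chain(struct cpu c)
{
    struct result r = { 0, 0, 0, 0 };
    c.eip = pop32(&c);                        /* the vulnerable function returns into the overwritten EIP */
    for (int step = 0; step < 32; step++) {
        if (c.eip == G_POP3_RET) {
            c.ebx = pop32(&c); c.esi = pop32(&c); c.edi = pop32(&c);   /* eat three stack words */
            c.eip = pop32(&c);
        } else if (c.eip == G_XCHG_EAX_ESP) {
            uint32_t t = c.eax; c.eax = c.esp; c.esp = t;               /* stack pivot: ESP := EAX */
            c.eip = pop32(&c);
        } else if (c.eip == LIBC_MPROTECT) {
            r.mprotect_addr = rd32(c.esp + 4);    /* cdecl: arguments sit above the return address */
            r.mprotect_len  = rd32(c.esp + 8);
            r.mprotect_prot = rd32(c.esp + 12);
            c.eip = pop32(&c);                    /* mprotect "returns" into whatever is at [esp] */
        } else if (c.eip == STAGE2_ADDR) {
            r.reached_stage2 = 1;
            return r;
        } else {
            return r;                             /* anything else: the real process would crash here */
        }
    }
    return r;
}

/* Case 1: the overflow runs past the saved EIP, so the whole chain lies on the stack. */
struct result scenario_stack_chain(void)
{
    memset(mem, 0, sizeof mem);
    write_mprotect_chain(STACK_ADDR);
    struct cpu c = { STACK_ADDR, 0, 0, 0, 0, 0 };
    return run_chain(c);
}

/* Case 2: only the saved EIP (4 bytes) can be overwritten, but EAX points at our buffer:
 * the one gadget we get pivots ESP into the buffer, where the full chain lives. */
struct result scenario_pivot_chain(void)
{
    memset(mem, 0, sizeof mem);
    write_mprotect_chain(BUF_ADDR);
    wr32(STACK_ADDR, G_XCHG_EAX_ESP);
    struct cpu c = { STACK_ADDR, 0, BUF_ADDR, 0, 0, 0 };
    return run_chain(c);
}

int main(void)
{
    struct result a = scenario_stack_chain(), b = scenario_pivot_chain();
    printf("stack chain: mprotect(0x%x, 0x%x, %u) stage2=%d\n", a.mprotect_addr, a.mprotect_len, a.mprotect_prot, a.reached_stage2);
    printf("pivot chain: mprotect(0x%x, 0x%x, %u) stage2=%d\n", b.mprotect_addr, b.mprotect_len, b.mprotect_prot, b.reached_stage2);
    return 0;
}
```

Both scenarios end in the same place: mprotect() is called with the buffer's address, length and PROT 7, and the pop/pop/pop/ret gadget discards those three words so that its ret lands on the stage-2 shellcode. Replace the pop3ret word with anything else and mprotect returns into its own first argument, which the emulator reports as a crash; that is exactly the pop/pop/ret "argument skipping" the card above lists.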
What is the problem with ROP?
- ROP is very inefficient
  - Needs a lot of gadgets
  - Not suitable for implementing complete shellcode in it
Solution: Multi-stage shellcode: a small ROP chain makes memory executable (e.g. via mprotect()) or reads in a second stage, then jumps to classic shellcode