Download presentation
Presentation is loading. Please wait.
Published byEustacia Carson Modified over 8 years ago
1
ROP Exploit
2
ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each gadget returns to the next gadget until hacker program is eventually executed. Gadgets: a set of useful instructions terminated by a “return” instruction (ret binary instruction code is c3). Usually, they are not part of a function bodies, so they do not have a “leave” instruction.
3
Overview Idea: In our exploit, we intelligently modify the return address so that it executes our Gadgets. For our exploit to work, we need a vulnerable application and a set of gadgets.
4
Vulnerable Code
5
Our aim is to spawn a shell using EXECVE function.
6
Execve Function Syntax: execve(const char *path, char *const argv[], char *const envp[]) Functionality: The execve function executes the program pointed to by filename. Arguments: argv is an array of argument strings passed to the new program. envp is an array of strings, conventionally of the form key=value, which are passed as environment to the new program. %eax shall have: execve identifier0x0b (or 11) %ebx shall have: const char *pathA pointer to “/bin/sh” %ecx shall have: char *const argv[]A pointer to “/bin/sh” pointer array %edx shall have: char *const envp[]NULL
7
Execve Function When the %eax is configured as 11 in our ROP exploit it invokes the execve function since the system call number of the execve function is 11. The objective of our exploit is to invoke this execve function for /bin/sh. /bin/sh is passed as an argv argument to the main and its pointer is stored in %ebx register through the gadgets. Pointer to/bin/sh pointer array is stored in %ecx register through the gadgets. Remember, it does not have to be /bin/sh. It could be telnet 10.10.10.240 ! Since /bin/sh can run with no environment variables, NULL is stored in %edx register through the gadgets as well. A total of more than 400 gadgets!
8
Gadgets For the purpose of our project, we have utilized 9 gadgets. Gadgets are loaded with the vulnerable Code. Real hackers have gadget scanning tools to find and list useful gadgets as per their preference.
9
Gadget1 This particular gadget will Initialize %eax to 0.
10
Gadget2 This Gadget will initialize %eax to 1.
11
Gadget3 This Gadget will increment %eax by 1.
12
Gadget4 This Gadget will multiply %eax by 2.
13
Gadgets 5, 6 and 7 This Gadget will move %eax to %ebx, %ecx and %edx.
14
Gadget 8 This Gadget will add %eax to %edx and then move %edx to %eax.
15
Gadget9 This gadget will Interrupt for system call.
16
Exploit Compiling Options: gcc –o ROP ROP.c -mpreferred-stack-boundary=2 –fno-stack-protector –ggdb – std=c99 Exploit Input: ….$./ROP `cat payload1` `cat payload2` /bin/sh./ROP: vulnerable executable. payload1: input1 to the first string copy redirecting the pointer of input2 to return address location. payload2: gadget chain to spawn the shell (execve as /bin/sh) bin/sh/: passed to main as argv[3] since there is no boundary to argv entries!
17
Before first strcpy RETURN EBP POINTER FOR input2 input1 (16 BYTES) Our first string copy fills the input buffer with A’s and the pointer of the second input with our return address pointer.
18
After first strcpy RETURN EBP POINTER OF input2 CONTAINS RETURN ADDRESS POINTER input1 (16 BYTES) FILLED WITH A’s Our input = 16A’s + Return Address Pointer After first string copy our input buffer will be filled with A’s and the pointer now contains the return address pointer.
19
After Second strcpy.... GADGET 5 GADGET 4 GADGET 3 GADGET 2 GADGET 1 EBP POINTER (WILL BE FILLED BY RETURN ADDRESS POINTER) INPUT(16 BYTES) Our second string consists of gadget address chain. After second string copy all the gadgets will be placed on the stack starting from return address. When main completes its execution and performs ret, our gadget chain will be executed.
21
Screenshots of Demo
23
Pointer is filled with the return address
24
Gadgets
32
Demo Recording Time!
33
Exploit Evolution Firstly, we used the concept of ROP to perform exit(1) using our gadgets. Then, we used the concept of ROP to perform exit(5) using our gadgets. Next, we redesigned the exploit to spawn a hardcoded “/bin/sh” shell. Finally, we redesigned it to spark flexible system calls.
36
Things to Avoid Return address pointer or gadget address that have 0x00. Null byte will terminate strcpy function. Return address pointer or gadget addresses that have 0x20. Space will terminate an argv string.
37
Task Assignment Ali Qahtani Himanavanth Reddy Manobiram Vangeepuram Harshil Pandya Reading and Brainstorming ×××× Vulnerable Code Design ×× Gadget design×× Exploit Design×× Verification and Testing ×××× Exploit Evolution×× Slides and Demo Development ××× ×
38
Thank you !
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.