Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Si Chen (schen@wcupa.edu) Class15 CSC 495/583 Topics of Software Security Bypassing ASLR/NX with GOT Overwrite Dr. Si Chen (schen@wcupa.edu)

Published byPirkko Laakso Modified over 6 years ago

Similar presentations

Presentation on theme: "Dr. Si Chen (schen@wcupa.edu) Class15 CSC 495/583 Topics of Software Security Bypassing ASLR/NX with GOT Overwrite Dr. Si Chen (schen@wcupa.edu)"— Presentation transcript:

1 Dr. Si Chen (schen@wcupa.edu)
Class15 CSC 495/583 Topics of Software Security Bypassing ASLR/NX with GOT Overwrite Dr. Si Chen

2 Review

3 Bypassing ASLR/NX with Ret2PLT

4 How to bypass ASLR/NX? When ASLR has been enabled, we no longer can be sure where the libc will be mapped at. However, that begs the question: how does the binary know where the address of anything is now that they are randomized? The answer lies in something called the Global Offset Table (GOT) and the Procedure Linkage Table (PLT).

5 ASM CALL Call’s in ASM are ALWAYS to absolute address
How does it work with dynamic addresses for shared libraries? Solution: A “helper” at static location In Linux: the Global Offset Table (GOT) and the Procedure Linkage Table (PLT).(they work together in tandem)

6 Procedure Linkage Table (PLT)
How does it work? “call system” is actually call The PLT resolves at runtime The PLT stores in

7 Call System() Function in libc with PLT, GOT

8 Call System() Function in libc with PLT, GOT

9 Call System() Function in libc with PLT, GOT

10 Lazy Binding 1st time call System() After the 1st System() call
After the 1st System() call

11 Bypass ASLR/NX with Ret2plt Attack
Enable ASLR (Address space layout randomization) ret2plt.c

12 Bypass ASLR/NX with Ret2plt Attack
ret2plt.c PIE Position independent executable

13 Check PLT stub Address 0x For

14 Find Useable String as Parameter for System() function
The sheep are blue, but you see red

15 Pwn Script

16 bypassGOT.c

17 bypassGOT.c The program is vulnerable in two ways:
It provides an information leak opportunity when the now_playing.album pointer is overwritten and the album name is printed. It provides a write what where primitive when the now_playing.album pointer is overwritten and input is provided to the second prompt.

18 Struct.c

19 Struct.c

20 bypassGOT.c If we take a look at the source code again, the following function is called last: puts(now_playing.name); If we leak the address of puts in libc, we can calculate the address of the libc base and subsequently, the address of the system function. Also, once we have that, we can write the address of the system function into the entry so that when this final line executes, it will actually execute: system(now_playing.name); Which means that system will be called with a parameter that we control! At the moment, we do not have a target to leak and to overwrite. We must be careful to pick a suitable one because the information leak and arbitrary write has to be performed on the same address. Additionally, the write has to result in EIP control at some point of the program's execution since we do not have that yet.

21 Pwn Script

22 Event1.c Kaizen-86 Artificial Intelligence

23 Q & A

Download ppt "Dr. Si Chen (schen@wcupa.edu) Class15 CSC 495/583 Topics of Software Security Bypassing ASLR/NX with GOT Overwrite Dr. Si Chen (schen@wcupa.edu)"

Similar presentations

Programs in Memory Bryce Boe 2012/08/29 CS32, Summer 2012 B.

Programs in Memory Bryce Boe 2012/08/29 CS32, Summer 2012 B.
Part IV: Memory Management

Part IV: Memory Management
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Moving Target Defense in Cyber Security

Moving Target Defense in Cyber Security
Assembler/Linker/Loader Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc11-12.html Chapter 4.3 J. Levine: Linkers & Loaders

Assembler/Linker/Loader Mooly Sagiv html:// Chapter 4.3 J. Levine: Linkers & Loaders
Loaders and Linkers CS 230 이준원. 2 Overview assembler –generates an object code in a predefined format »COFF (common object file format) »ELF (executable.

Loaders and Linkers CS 230 이준원. 2 Overview assembler –generates an object code in a predefined format »COFF (common object file format) »ELF (executable.
Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.

Lecture 10: Linking and loading. Lecture 10 / Page 2AE4B33OSS 2011 Contents Linker vs. loader Linking the executable Libraries Loading executable ELF.
Linkers and Loaders 1 Linkers & Loaders – A Programmers Perspective.

Linkers and Loaders 1 Linkers & Loaders – A Programmers Perspective.
Linking and Loading Fred Prussack CS 518. L&L: Overview Wake-up Questions Terms and Definitions / General Information LoadingLinking –Static vs. Dynamic.

Linking and Loading Fred Prussack CS 518. L&L: Overview Wake-up Questions Terms and Definitions / General Information LoadingLinking –Static vs. Dynamic.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
(1) ICS 313: Programming Language Theory Chapter 10: Implementing Subprograms.

(1) ICS 313: Programming Language Theory Chapter 10: Implementing Subprograms.
CS 536 Spring 20011 Run-time organization Lecture 19.

CS 536 Spring Run-time organization Lecture 19.
Names and Scopes CS 351. Program Binding We should be familiar with this notion. A variable is bound to a method or current block e.g in C++: namespace.

Names and Scopes CS 351. Program Binding We should be familiar with this notion. A variable is bound to a method or current block e.g in C++: namespace.
Run time vs. Compile time

Run time vs. Compile time
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
Run-time Environment and Program Organization

Run-time Environment and Program Organization
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Similar presentations

Ads by Google