ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.

Presentation transcript:

1 ROP Exploit

2 ROP Return Oriented Programming (ROP) is an exploitation technique in which a buffer overflow is used to inject a chain of gadgets. Each gadget returns to the next gadget until the attacker's program is eventually executed. Gadgets: a set of useful instructions terminated by a "return" instruction (the ret instruction is opcode c3). Usually they are not part of function bodies, so they do not have a "leave" instruction.

3 Overview Idea: in our exploit, we deliberately modify the return address so that execution continues in our gadgets. For our exploit to work, we need a vulnerable application and a set of gadgets.

4 Vulnerable Code

5 Our aim is to spawn a shell using EXECVE function.

6 Execve Function
Syntax: execve(const char *path, char *const argv[], char *const envp[])
Functionality: the execve function executes the program pointed to by path.
Arguments: argv is an array of argument strings passed to the new program. envp is an array of strings, conventionally of the form key=value, which are passed as the environment to the new program.
Register setup for the system call:
%eax shall have: the execve system call identifier, 0x0b (or 11)
%ebx shall have: const char *path, a pointer to "/bin/sh"
%ecx shall have: char *const argv[], a pointer to the "/bin/sh" pointer array
%edx shall have: char *const envp[], NULL

7 Execve Function When %eax is set to 11 in our ROP exploit, the kernel invokes execve, since the system call number of execve is 11. The objective of our exploit is to invoke execve for /bin/sh. /bin/sh is passed as an argv argument to main, and its pointer is stored in %ebx through the gadgets. A pointer to the /bin/sh pointer array is stored in %ecx through the gadgets. Remember, it does not have to be /bin/sh. It could be telnet 10.10.10.240! Since /bin/sh can run with no environment variables, NULL is stored in %edx through the gadgets as well. A total of more than 400 gadgets!

8 Gadgets For the purpose of our project, we have used 9 gadgets. The gadgets are loaded together with the vulnerable code, since they are part of its binary. Real attackers use gadget-scanning tools to find and list useful gadgets according to their needs.

9 Gadget 1 This gadget initializes %eax to 0.

10 Gadget 2 This gadget initializes %eax to 1.

11 Gadget 3 This gadget increments %eax by 1.

12 Gadget 4 This gadget multiplies %eax by 2.

13 Gadgets 5, 6 and 7 These gadgets move %eax to %ebx, %ecx and %edx respectively.

14 Gadget 8 This gadget adds %eax to %edx and then moves %edx to %eax.

15 Gadget 9 This gadget raises the interrupt for the system call (int 0x80).
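A register-level model of gadgets 1 through 7 and of the execve register setup on slides 6 and 7, added here as an example and not code from the presentation: it derives the gadget 2/3/4 sequence (set to 1, double, increment) that builds a value in %eax by shift-and-add, then runs the whole chain on a fake register file. Gadgets 8 and 9 are left out, and PATH_PTR and ARGV_PTR are constructed placeholders for the stack pointers the slides do not print.

```c
/* Added model of gadgets 1-7 (slides 9-13) on a fake register file; gadget 9 (int 0x80) is not modelled. */
#include <stddef.h>
#include <stdint.h>
typedef struct { uint32_t eax, ebx, ecx, edx; } regs_t;
typedef void (*gadget_t)(regs_t *);

static void g1_zero_eax(regs_t *r)   { r->eax = 0; }       /* gadget 1 */
static void g2_one_eax(regs_t *r)    { r->eax = 1; }       /* gadget 2 */
static void g3_inc_eax(regs_t *r)    { r->eax += 1; }      /* gadget 3 */
static void g4_dbl_eax(regs_t *r)    { r->eax *= 2; }      /* gadget 4 */
static void g5_eax_to_ebx(regs_t *r) { r->ebx = r->eax; }  /* gadget 5 */
static void g6_eax_to_ecx(regs_t *r) { r->ecx = r->eax; }  /* gadget 6 */
static void g7_eax_to_edx(regs_t *r) { r->edx = r->eax; }  /* gadget 7 */

/* Shift-and-add: append the gadget 2/3/4 sequence that leaves `target` in eax (each bit
   below the top one costs a double, plus an increment if set). Returns the new chain
   length, or 0 if `cap` entries are not enough. */
static size_t plan_eax(uint32_t target, gadget_t *chain, size_t n, size_t cap) {
    if (target == 0) { if (n >= cap) return 0; chain[n++] = g1_zero_eax; return n; }
    int msb = 31;
    while (!((target >> msb) & 1)) msb--;
    if (n >= cap) return 0;
    chain[n++] = g2_one_eax;                              /* eax = 1, the top bit */
    for (int b = msb - 1; b >= 0; b--) {
        if (n + 2 > cap) return 0;
        chain[n++] = g4_dbl_eax;                          /* shift left by one */
        if ((target >> b) & 1) chain[n++] = g3_inc_eax;   /* bring in a set bit */
    }
    return n;
}

/* Run a chain in order, exactly as successive `ret`s would on the real stack. */
static regs_t run_chain(const gadget_t *chain, size_t n) {
    regs_t r = {0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) chain[i](&r);
    return r;
}

/* The register setup from slides 6-7. PATH_PTR and ARGV_PTR are constructed
   placeholders for the "/bin/sh" and argv[] pointers the slides do not print. */
#define PATH_PTR 0x1000u
#define ARGV_PTR 0x2000u
static regs_t execve_setup(void) {
    gadget_t chain[96];
    size_t n = plan_eax(0, chain, 0, 96);   chain[n++] = g7_eax_to_edx; /* envp = NULL */
    n = plan_eax(PATH_PTR, chain, n, 96);   chain[n++] = g5_eax_to_ebx; /* path        */
    n = plan_eax(ARGV_PTR, chain, n, 96);   chain[n++] = g6_eax_to_ecx; /* argv        */
    n = plan_eax(11, chain, n, 96);         /* eax = 11 last: gadget 9 would follow */
    return run_chain(chain, n);
}
```

Building 11 this way takes six gadgets (1, 2, 4, 5, 10, 11), which is why the chain on the page sets %eax last, after the other registers have been filled through it.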

16 Exploit
Compiling options: gcc -o ROP ROP.c -mpreferred-stack-boundary=2 -fno-stack-protector -ggdb -std=c99
Exploit input: $ ./ROP `cat payload1` `cat payload2` /bin/sh
./ROP: the vulnerable executable.
payload1: input1 for the first string copy, redirecting the pointer of input2 to the location of the return address.
payload2: the gadget chain that spawns the shell (execve of /bin/sh).
/bin/sh: passed to main as argv[3], since there is no boundary check on argv entries!

17 Before first strcpy
Stack layout (high to low address): RETURN | EBP | POINTER FOR input2 | input1 (16 BYTES)
Our first string copy fills the input buffer with A's and overwrites the pointer of the second input with our return address pointer.

18 After first strcpy
Stack layout (high to low address): RETURN | EBP | POINTER OF input2 (CONTAINS RETURN ADDRESS POINTER) | input1 (16 BYTES, FILLED WITH A's)
Our input = 16 A's + return address pointer.
After the first string copy, our input buffer is filled with A's and the pointer now contains the return address pointer.

19 After second strcpy
Stack layout (high to low address): ... | GADGET 5 | GADGET 4 | GADGET 3 | GADGET 2 | GADGET 1 | EBP | POINTER (WILL BE FILLED BY RETURN ADDRESS POINTER) | INPUT (16 BYTES)
Our second string consists of the gadget address chain.
After the second string copy, all the gadgets are placed on the stack starting from the return address.
When main completes its execution and performs ret, our gadget chain is executed.
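A hardened counterpart of the two-copy layout drawn on slides 17 to 19, written as an added example (the presentation's ROP.c is not shown on the page): the 16-byte input1 buffer and the pointer used as the destination of input2 keep the described layout, but every copy is length-checked, so input1 can no longer spill over the pointer and the second copy cannot be redirected at the return address. Function and field names are assumptions.

```c
/* Added example: bounded version of the two copies described on slides 17-19.
   In the original, input1 (16 bytes) sits next to the pointer used as the
   destination of the second copy; overflowing input1 rewrites that pointer. */
#include <stddef.h>
#include <string.h>

#define INPUT1_SIZE 16

struct frame {
    char input1[INPUT1_SIZE];
    char *input2_dst;   /* the field the original overflow overwrites */
};

/* Bounded copy: refuses anything that does not fit together with its
   terminator, so the write can never leave `dst`. Returns 0 or -1. */
static int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len >= dst_size) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Handle the two argv inputs the way the original main does, but safely.
   Returns 0 on success, 1 if input1 was rejected, 2 if input2 was rejected.
   input2_dst is set once and cannot be moved by either copy. */
static int handle_inputs(struct frame *f, char *second_buf, size_t second_size,
                         const char *input1, const char *input2) {
    f->input2_dst = second_buf;
    if (bounded_copy(f->input1, sizeof f->input1, input1) != 0) return 1;
    if (bounded_copy(f->input2_dst, second_size, input2) != 0) return 2;
    return 0;
}
```

Compiling with the stack protector left on, instead of the -fno-stack-protector option from slide 16, would additionally abort the process when a canary is clobbered; the length check removes the overflow itself.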


21 Screenshots of Demo


23 Pointer is filled with the return address

24 Gadgets


32 Demo Recording Time!

33 Exploit Evolution First, we used the concept of ROP to perform exit(1) with our gadgets. Then, we used it to perform exit(5) with our gadgets. Next, we redesigned the exploit to spawn a hardcoded "/bin/sh" shell. Finally, we redesigned it so that the system call it makes is flexible.


36 Things to Avoid Return address pointers or gadget addresses that contain the byte 0x00: a null byte terminates the strcpy. Return address pointers or gadget addresses that contain the byte 0x20: a space terminates an argv string.

37 Task Assignment
Team: Ali Qahtani, Himanavanth Reddy, Manobiram Vangeepuram, Harshil Pandya
Tasks (one × per assigned team member):
Reading and Brainstorming ××××
Vulnerable Code Design ××
Gadget Design ××
Exploit Design ××
Verification and Testing ××××
Exploit Evolution ××
Slides and Demo Development ××× ×

38 Thank you !
