See @beepboopdesign for graphics
Return Oriented Programming
Return Oriented Programming, (ROP) for short, is as described as by Wikipedia[1] as an "..exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.". The technique chains assembly opcodes, or commonly known as "ROP gadgets" within binaries and loaded libraries to perform this. To read more on the subject, check out the ROP FTW [2] paper on exploit-db.
Table Of Contents
- Techniques
- Resources
Sigreturn Oriented Programming
Within a SROP context, you'll be creating a fake sigcontext structure to pop various values into their registers and inherently perform an syscall. To do this, you'll need to to call rt_sigreturn
syscall and append your fake frame. There are two tools to create the frame , such as pwntools srop and Frame.py
Limitations : Resulting payload contains null bytes, inherently killing the chain prematuraly if functions like strcpy are used.
Requirements : A way to pop an syscall number into the EAX/RAX register (pop eax/rax & mov eax/rax; [register]) and be able to call int 0x80/syscall
.
Example : Challenge and Writeup
Got Entry Overwrite
A GOT (Global Offset Table) overwrite replaces the entry of a function with the address of another and calls it. In essence, an individual would overwrite the address of read
call in GOT, with the address of another pointer.
Limitations : If RELRO (Read-Only Relocations) is enabled, you will not be able to read into the memory region.
Requirements : Binary must be dynamically linked as it relies on the offset to functions in libc.
Example : Challenge and Writeup
Return-to-libc
A ret2libc/ret2mprotect/ret2plt etc chains pointers in loaded libc address range of a dynamic executable. A common method is to return to system
pointer, with address of a /bin/sh
string in memory.
Limitations : Only works in a dynamic executable.
Requirements : Executable must be dynamic!
Example : Challenge and Writeup <- Even includes a way to leak!
Reading/Writing Memory!
Abuses the ability to read / write into memory, perhaps a small string. Could be used in conjunction with ret2libc to call a different string such as ls -alt
or otherwise. A common section that tends to be unaffected is the BSS section which stores unitialized variables for various functions.
Limitations : Does not work if RELRO is enabled.
Requirements : Need one register to store region to write to, another to pop data, and another to write the data into the register with mov [writeto], [from]
Example : Challenge and Writeup
Return-to-dl_resolve
You'll be creating a fake structure within the heap region of the binary, and the loaded ld.so will resolve the location of the inserted symbol to the location within the libc.
Limitations : Cannot be completed if RELRO is enabled
Requirements : Binary must be dynamic.
Example : Challenge and Writeup. In this case, he actually uses a stack pivoting technique to give himself more space, in addition to Reading/Writing to write the command string.
Resources
Note: I'm trying my best, any rt's are appreciated. Helps with ...stuff. thanks!
Tag for later. Thanks for the post. Resteemed.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Thank you, I appreciate it =), hope you liked it.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit