Return Oriented Programming Techniques

in ctf •  6 years ago  (edited)

See @beepboopdesign for graphics

Return Oriented Programming

Return Oriented Programming (ROP for short) is described by Wikipedia[1] as an "exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing." The technique chains short instruction sequences, commonly known as "ROP gadgets", found within binaries and loaded libraries to achieve this. To read more on the subject, check out the ROP FTW [2] paper on exploit-db.

Sigreturn Oriented Programming

Within a SROP context, you'll be creating a fake sigcontext structure that loads chosen values into the registers and then performs a syscall. To do this, you'll need to call the rt_sigreturn syscall and append your fake frame. There are tools to create the frame, such as pwntools' SROP support and Frame.py.

Limitations : The resulting payload contains null bytes, which cut the chain off prematurely if functions like strcpy are used to copy it.

Requirements : A way to load the syscall number into the EAX/RAX register (e.g. pop eax/rax or mov eax/rax, [register]) and the ability to call int 0x80/syscall.

Example : Challenge and Writeup

GOT Entry Overwrite

A GOT (Global Offset Table) overwrite replaces a function's entry with the address of another function, so that the next call through that entry lands there. In essence, one would overwrite the GOT entry for read with the address of a different function.

Limitations : If RELRO (Read-Only Relocations) is enabled, the GOT is mapped read-only and you will not be able to write into that memory region.

Requirements : The binary must be dynamically linked, as the technique relies on the offsets to functions in libc.

Example : Challenge and Writeup

Return-to-libc

A ret2libc (or ret2mprotect, ret2plt, etc.) chain returns into pointers within the loaded libc address range of a dynamic executable. A common method is to return to the system pointer with the address of a /bin/sh string in memory as its argument.

Limitations : Only works on a dynamically linked executable.

Requirements : The executable must be dynamically linked!

Example : Challenge and Writeup <- Even includes a way to leak!

Reading/Writing Memory!

Abuses the ability to read from or write into memory, perhaps a small string. This can be used in conjunction with ret2libc to pass a different command string such as ls -alt. A section that tends to be unaffected is the BSS section, which stores uninitialized variables.

Limitations : Does not work if RELRO is enabled.

Requirements : One register to hold the address to write to, another to pop the data into, and a gadget that writes that data to the address, e.g. mov [writeto], from.

Example : Challenge and Writeup

Return-to-dl_resolve

You'll be creating a fake structure within the heap region of the binary, and the loaded ld.so will resolve the inserted symbol to its location within libc.

Limitations : Cannot be completed if RELRO is enabled.

Requirements : Binary must be dynamic.

Example : Challenge and Writeup. In this case, the author actually uses a stack pivoting technique to give himself more space, in addition to the Reading/Writing technique to write the command string.

Resources

Note: I'm trying my best, any rt's are appreciated. Helps with ...stuff. thanks!

Tag for later. Thanks for the post. Resteemed.

Thank you, I appreciate it =), hope you liked it.