Jump to content
Nytro

Payload already inside: Data reuse for rop exploits

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

PAYLOAD ALREADY INSIDE: DATA REUSE FOR ROP

EXPLOITS

Black Hat USA 2010 Whitepaper

longld at vnsecurity.net

Abstract

Return-oriented programming (ROP), based on return-to-libc and borrowed-code-chunks

ideas, is one of the buzzing advanced exploitation techniques these days to bypass NX.

There are several practical works using ROP techniques for exploitations on Windows,

iPhone OS to bypass DEP and code signing. On most of modern Linux distributions, ASCIIArmor

address mapping (which maps libc addresses starting with NULL byte) and Address

Space Layout Randomization (ASLR) are enable by default to protect against return-to-libc /

ROP attacks.

In this paper, we will show how we can extend old advanced return-to-libc techniques to

multistage techniques that can bypass NX, ASLR and ASCII-Armor mapping and make

ROP/return-to-libc exploitation on modern Linux x86 become easy. In addition, by reusing not

only codes but also data from the binary itself, we can build any chained ret2libc calls or ROP

calls to bypass ASLR protection.

Acknowledgements

The author would like to thank to Thanh Nguyen (rd), Duy-Dinh Le (ledduy) for reviewing this

paper. Special thanks to Thanh Nguyen for contributing valuable ideas and advices.

Keywords: return-oriented-programming, return-to-libc, aslr, nx, ascii-armor, buffer

overflow, exploitation

Table of Contents
1 Introduction........................................................................................................................3
2 Multistage return-oriented exploitation technique .............................................................4
2.1 The sample vulnerable program................................................................................4
2.2 A custom stack at fixed location.................................................................................4
2.3 Stage-0 payload loader..............................................................................................5
2.4 Resolving libc addresses............................................................................................8
2.5 Stage-1 payload........................................................................................................11
3 Practical ROP exploit.......................................................................................................12
3.1 A complete stage-0 loader........................................................................................12
3.2 Practical ROP gadgets catalog................................................................................14
4 Putting all together...........................................................................................................14
5 Countermeasures............................................................................................................18
6 Conclusions.....................................................................................................................19

Download:

http://www.handgrep.se/repository/ebooks/Security/ROP/BHUS10_Paper_Payload_already_inside_data_reuse_for_ROP_exploits.pdf

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...