Nytro Posted March 4, 2013 Report Share Posted March 4, 2013 PAYLOAD ALREADY INSIDE: DATA REUSE FOR ROPEXPLOITSBlack Hat USA 2010 Whitepaperlongld at vnsecurity.netAbstractReturn-oriented programming (ROP), based on return-to-libc and borrowed-code-chunksideas, is one of the buzzing advanced exploitation techniques these days to bypass NX.There are several practical works using ROP techniques for exploitations on Windows,iPhone OS to bypass DEP and code signing. On most of modern Linux distributions, ASCIIArmoraddress mapping (which maps libc addresses starting with NULL byte) and AddressSpace Layout Randomization (ASLR) are enable by default to protect against return-to-libc /ROP attacks.In this paper, we will show how we can extend old advanced return-to-libc techniques tomultistage techniques that can bypass NX, ASLR and ASCII-Armor mapping and makeROP/return-to-libc exploitation on modern Linux x86 become easy. In addition, by reusing notonly codes but also data from the binary itself, we can build any chained ret2libc calls or ROPcalls to bypass ASLR protection.AcknowledgementsThe author would like to thank to Thanh Nguyen (rd), Duy-Dinh Le (ledduy) for reviewing thispaper. Special thanks to Thanh Nguyen for contributing valuable ideas and advices.Keywords: return-oriented-programming, return-to-libc, aslr, nx, ascii-armor, bufferoverflow, exploitationTable of Contents1 Introduction........................................................................................................................32 Multistage return-oriented exploitation technique .............................................................42.1 The sample vulnerable program................................................................................42.2 A custom stack at fixed location.................................................................................42.3 Stage-0 payload loader..............................................................................................52.4 Resolving libc addresses............................................................................................82.5 Stage-1 payload........................................................................................................113 Practical ROP exploit.......................................................................................................123.1 A complete stage-0 loader........................................................................................123.2 Practical ROP gadgets catalog................................................................................144 Putting all together...........................................................................................................145 Countermeasures............................................................................................................186 Conclusions.....................................................................................................................19Download:http://www.handgrep.se/repository/ebooks/Security/ROP/BHUS10_Paper_Payload_already_inside_data_reuse_for_ROP_exploits.pdf Quote Link to comment Share on other sites More sharing options...
