03.ExploitDev_106.pdf (886 KB)
Exploit Development 106: Advanced Shellcode & ROP
Devin Cook, Ph.D. & Owen Redwood, Ph.D.
Offensive Computer Security 2.0
http://hackallthethings.com/
Outline
1. Gadget Hunting (New)
2. Advanced Shellcode (New)
3. Brief History of Exploitation (Old)
4. Demo of ROP tools (Old)
FINDING GADGETS
We have only briefly covered ROP so far.
The gadget sparsity problem: if you have enough gadgets, you have Turing-complete capabilities.
Let's cover how to find gadgets for both ROP and shellcode.
Tools:
- objdump (also supports PE binaries), readelf, grep, ...
- GEF or PEDA (for gdb)
- ROPgadget (by Jonathan Salwan, author of Programming from the Ground Up)
- mona.py (by the Corelan team)
- pwntools / pwnlib (Python libraries)
Types of Gadgets
Classical
- ROP, JOP, COP, etc. (need infoleaks)
SPECIAL
- Fixed VMAs
- Fixed JUMP SLOTS
- Fixed DMA regions
- Embedded (see my dissertation)
- Multilib
- These gadgets completely defeat PIE/ASLR and Partial+Full RELRO. With the right gadgets you can do anything :)
S-ROP
- Recent, limited POCs
- Relies on some SPECIAL gadgets :)
Non-NX-compliant binaries / libraries
- Imported all the time by Java + Flash
- Dropbox notoriously did this in the past; it was a great source of gadgets
Return Chaining Example
(Slide annotation, only partially recoverable from the extraction: we've previously covered ROP theory / gadgets; see the earlier lecture slides for a recap / intro.)
Function prologue at 0x780DFFFC:
    push ebp
    mov ebp, esp
    sub esp, 0x10
    ...
    mov eax, [ebp+8]
    ...
    leave
Stack layout (each frame: pop-pop-ret gadget address, then the next function address and its two arguments):
argument 2
--------------------
argument 1
--------------------
&(pop pop ret)
--------------------
&Function 2
--------------------
argument 2
--------------------
argument 1
--------------------
&(pop pop ret)
--------------------
...
...
(stack growth is downward, toward the top of this diagram)
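The two sections above (finding gadgets with tools such as ROPgadget, and the `pop pop ret` gadget used in the return-chaining stack layout) both come down to the same primitive: locating short instruction sequences that end in `ret`. The following is an added example written for this page, not code from the slides or from any of the tools listed; it scans a constructed 32-bit x86 byte buffer for `pop r32; ...; ret` sequences at every byte offset, so it also reports "unintended" gadgets that start in the middle of a longer instruction. The sample bytes, the base address 0x08048000 and the function names are assumptions made for the example.

```python
"""Toy x86 (32-bit) gadget finder for `pop r32 ... ; ret` sequences.

Added example for the slides above; it is not ROPgadget or mona.py, only a
minimal illustration of why those tools find gadgets at *every* byte offset.
"""

# Single-byte POP r32 opcodes (0x58-0x5f) and RET (0xc3).
POP_REGS = {
    0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
    0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi",
}
RET = 0xC3

# Constructed sample "code section" (hypothetical, not taken from the slides).
# The immediate of `mov eax, 0x90c35b58` (bytes b8 58 5b c3 90) hides an
# unintended gadget: starting one byte in, it decodes as pop eax; pop ebx; ret.
SAMPLE_CODE = bytes([
    0x55,                            # 0: push ebp
    0x89, 0xE5,                      # 1: mov ebp, esp
    0xB8, 0x58, 0x5B, 0xC3, 0x90,    # 3: mov eax, 0x90c35b58 (hides 58 5b c3 at offset 4)
    0x5F,                            # 8: pop edi   \
    0x5E,                            # 9: pop esi    | intended pop; pop; ret
    0xC3,                            # 10: ret      /
    0xC9,                            # 11: leave
    0xC3,                            # 12: ret  (preceded by leave, so no pop-pop-ret here)
])

ASSUMED_BASE = 0x08048000  # assumed load address of the sample section


def find_pop_ret_gadgets(code: bytes, base: int = 0, n_pops: int = 2,
                         skip_esp: bool = True):
    """Return [(address, (reg, ...)), ...] for every offset at which `n_pops`
    consecutive POP r32 opcodes are immediately followed by RET.

    Every byte offset is tried, not only instruction boundaries, which is how
    gadgets hidden inside immediates or other instructions are found.
    `skip_esp` drops gadgets containing `pop esp`, which pivot the stack and
    are normally not usable as plain register-loading gadgets.
    """
    found = []
    for off in range(len(code) - n_pops):
        window = code[off:off + n_pops + 1]
        if window[-1] != RET:
            continue
        regs = tuple(POP_REGS.get(b) for b in window[:-1])
        if None in regs:
            continue
        if skip_esp and "esp" in regs:
            continue
        found.append((base + off, regs))
    return found


def describe(gadgets):
    """Render gadgets as objdump-style one-liners, e.g.
    '0x08048004: pop eax; pop ebx; ret'."""
    return [
        "0x%08x: %s; ret" % (addr, "; ".join("pop " + r for r in regs))
        for addr, regs in gadgets
    ]


if __name__ == "__main__":
    for line in describe(find_pop_ret_gadgets(SAMPLE_CODE, ASSUMED_BASE, n_pops=2)):
        print(line)
```

Running the block prints two `pop; pop; ret` gadgets: the intended one at offset 8 and the unintended one at offset 4 inside the `mov eax` immediate. Real tools such as ROPgadget do the same walk with a full disassembler so that gadgets ending in `ret` with arbitrary instructions before them are recovered; the point that matters for the sparsity discussion above is that the gadget count of a section depends on every byte offset, not only on the compiler's intended instruction stream.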