Table Of Content

Payload Already Inside: Data re-use for ROP Exploits Long Le [email protected] Black Hat USA Briefing 2010 About Me ● VNSECURITY founding member ● Capture-The-Flag player ►CLGT Team BH USA 2010 Payload already inside: data reuse for ROP exploits 2 Motivation ● Buffer overflow exploit on modern Linux (x86) distribution is difficult ►Non Executable (NX/XD) ►Address Space Layout Randomization (ASLR) ►ASCII-Armor Address Space ● Return-Oriented-Programming (ROP) exploitation technique seems useless? ►No any practical work on Linux x86 BH USA 2010 Payload already inside: data reuse for ROP exploits 3 Our contributions ● A generic technique to exploit stack-based buffer overflow that bypasses NX, ASLR and ASCII-Armor protection ►Multistage ROP exploitation technique ● Make ROP exploits on Linux x86 become practical, easy ►Practical ROP gadgets catalog ►Automation tools BH USA 2010 Payload already inside: data reuse for ROP exploits 4 Benefits ● NX/ASLR/ASCII-Armor can be completely BYPASSED ● Ideas can be applied to OTHER SYSTEMS ►Windows ►Mac OS X BH USA 2010 Payload already inside: data reuse for ROP exploits 5 Scope of this talk ● Only Linux x86 ● We do not talk about: ►Compilation protections ♦ Stack Protector ►Mandatory Access Control ♦ SELinux ♦ AppArmor BH USA 2010 Payload already inside: data reuse for ROP exploits 6 Buffer overflow ● The vulnerable program ● Mitigation techniques ● Exploitation techniques BH USA 2010 Payload already inside: data reuse for ROP exploits 7 The vulnerable program #include <string.h> #include <stdio.h> int main (int argc, char **argv) { char buf[256]; int i; seteuid (getuid()); if (argc < 2) { Overflow! puts ("Need an argument\n"); exit (1); } // vulnerable code strcpy (buf, argv[1]); printf ("%s\nLen:%d\n", buf, (int)strlen(buf)); return (0); } BH USA 2010 Payload already inside: data reuse for ROP exploits 8 Overflow Stack growth AA...AA AAAA AAAA AAAA AAAA Saved EBP Saved EIP ● Attacker controlled ►Execution flow: EIP ►Stack: ESP BH USA 2010 Payload already inside: data reuse for ROP exploits 9 Mitigation techniques ● Non eXcutable ►Hardware NX/XD bit ►Emulation (PaX, ExecShield) ● Address Space Layout Randomization (ASLR) ►stack, heap, library are randomized ● ASCII-Armor Address Space ►Lib(c) addresses start with NULL byte BH USA 2010 Payload already inside: data reuse for ROP exploits 10

Description:
▻ASCII-Armor Address Space NX/ASLR/ASCII-Armor can be completely. BYPASSED. ○ Ideas can be .. Stage-1 payload strategy. Surgically
ebook img

Payload Already Inside: Data re-use for ROP Exploits PDF

44 Pages·2010·0.2 MB·English
by  Long Le
Save to my drive
Quick download
Download
Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Payload Already Inside: Data re-use for ROP Exploits

Payload Already Inside: Data re-use for ROP Exploits Long Le [email protected] Black Hat USA Briefing 2010 About Me ● VNSECURITY founding member ● Capture-The-Flag player ►CLGT Team BH USA 2010 Payload already inside: data reuse for ROP exploits 2 Motivation ● Buffer overflow exploit on modern Linux (x86) distribution is difficult ►Non Executable (NX/XD) ►Address Space Layout Randomization (ASLR) ►ASCII-Armor Address Space ● Return-Oriented-Programming (ROP) exploitation technique seems useless? ►No any practical work on Linux x86 BH USA 2010 Payload already inside: data reuse for ROP exploits 3 Our contributions ● A generic technique to exploit stack-based buffer overflow that bypasses NX, ASLR and ASCII-Armor protection ►Multistage ROP exploitation technique ● Make ROP exploits on Linux x86 become practical, easy ►Practical ROP gadgets catalog ►Automation tools BH USA 2010 Payload already inside: data reuse for ROP exploits 4 Benefits ● NX/ASLR/ASCII-Armor can be completely BYPASSED ● Ideas can be applied to OTHER SYSTEMS ►Windows ►Mac OS X BH USA 2010 Payload already inside: data reuse for ROP exploits 5 Scope of this talk ● Only Linux x86 ● We do not talk about: ►Compilation protections ♦ Stack Protector ►Mandatory Access Control ♦ SELinux ♦ AppArmor BH USA 2010 Payload already inside: data reuse for ROP exploits 6 Buffer overflow ● The vulnerable program ● Mitigation techniques ● Exploitation techniques BH USA 2010 Payload already inside: data reuse for ROP exploits 7 The vulnerable program #include <string.h> #include <stdio.h> int main (int argc, char **argv) { char buf[256]; int i; seteuid (getuid()); if (argc < 2) { Overflow! puts ("Need an argument\n"); exit (1); } // vulnerable code strcpy (buf, argv[1]); printf ("%s\nLen:%d\n", buf, (int)strlen(buf)); return (0); } BH USA 2010 Payload already inside: data reuse for ROP exploits 8 Overflow Stack growth AA...AA AAAA AAAA AAAA AAAA Saved EBP Saved EIP ● Attacker controlled ►Execution flow: EIP ►Stack: ESP BH USA 2010 Payload already inside: data reuse for ROP exploits 9 Mitigation techniques ● Non eXcutable ►Hardware NX/XD bit ►Emulation (PaX, ExecShield) ● Address Space Layout Randomization (ASLR) ►stack, heap, library are randomized ● ASCII-Armor Address Space ►Lib(c) addresses start with NULL byte BH USA 2010 Payload already inside: data reuse for ROP exploits 10

Description:
▻ASCII-Armor Address Space NX/ASLR/ASCII-Armor can be completely. BYPASSED. ○ Ideas can be .. Stage-1 payload strategy. Surgically
See more

The list of books you might like

Upgrade Premium
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.
DMCA & Copyright: Dear all, most of the website is community built, users are uploading hundred of books everyday, which makes really hard for us to identify copyrighted material, please contact us if you want any material removed.
Copyright @ PDFdrive.to, 2022 | We love our users