Return to libc attack

Contents

Slide 2

What is libc?

[Diagram: memory map of a running process, one mapped object per row]
  Prog.elf             55cdfefe3000
  libc.so              7f11866a7000
  ld-linux-x86-64.so   7f1186c82000

Slide 3

What is libc?

[Diagram: the sections inside each mapped object]
  Prog.elf at 55cdfefe3000: .text  .data  .bss  .plt
  libc.so  at 7f11866a7000: .text  .data  .bss  .plt

Slide 4

What is libc?

// libc.so
printf:
    …
    ret
puts:
    …
    ret
system:
    …
    ret

// Your program
main:
    call printf
    ret
plt:
    jmp printf

Slide 5

ret2libc

We know the version of libc.so
We know the address of libc.so
We know the address of any function in libc.so

Slide 6

ret2libc

// Deliberately vulnerable program from the slide: gets() has no bound,
// so input longer than 15 bytes runs past buf into the saved ebp and
// the return address that lie above it on the stack.
#include <stdio.h>

int main(void) {
    char buf[16];
    gets(buf);
    return 0;
}

[Stack diagram, highest address first]
  ret from main
  ebp before main
  char buf[16]
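The gets() read of slide 6 beside a bounded replacement, as an added example that is not code from the slides: read_line_bounded, read_lines_from_text and demo_line_len are names chosen here, BUF_SIZE mirrors the 16-byte buffer on the slide, and the input lines fed to the reader are constructed.

```c
#include <stdio.h>
#include <string.h>

/* fmemopen() is POSIX.1-2008; the prototype is repeated here so the example
 * also compiles when a strict -std=c99 hides it from <stdio.h>. */
FILE *fmemopen(void *buf, size_t size, const char *mode);

/* Added example, not code from the slides: the gets()-based main() of slide 6
 * beside a bounded replacement.  BUF_SIZE mirrors the 16-byte buffer on the
 * slide; the input lines used in demo_line_len() and main() are constructed. */
#define BUF_SIZE 16

/* Read one line into buf, storing at most size-1 bytes plus the terminator.
 * Unlike gets(), the bytes that do not fit are discarded instead of being
 * written over the saved ebp and return address that sit above buf.
 * Returns the number of bytes stored, or -1 on EOF/error. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* drop the newline, as gets() does */
    } else {
        /* The line did not fit: swallow its tail so the next call starts on
         * a fresh line instead of on the leftover of this one. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Feed constructed text through the bounded reader as if it were stdin.
 * Stores up to `lines` lines in out[] and returns how many were stored. */
int read_lines_from_text(const char *text, char out[][BUF_SIZE], int lines)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (in == NULL)
        return -1;

    int stored = 0;
    while (stored < lines && read_line_bounded(in, out[stored], BUF_SIZE) >= 0)
        stored++;
    fclose(in);
    return stored;
}

/* Length of line `which` (0-based) of `text` after bounded reading, or -1 if
 * there is no such line.  An overlong line reports 15, never more. */
int demo_line_len(const char *text, int which)
{
    char out[4][BUF_SIZE];
    if (which < 0 || which >= 4)
        return -1;
    int n = read_lines_from_text(text, out, which + 1);
    return n > which ? (int)strlen(out[which]) : -1;
}

int main(void)
{
    /* The overlong line of slide 13 (40 'A's), followed by a normal line.
     * With gets() the 'A's would run 24 bytes past buf; here 15 are kept. */
    const char *input = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
                        "\nnext line\n";
    char lines[2][BUF_SIZE];
    int n = read_lines_from_text(input, lines, 2);
    for (int i = 0; i < n; i++)
        printf("line %d: %zu bytes: \"%s\"\n", i, strlen(lines[i]), lines[i]);
    return 0;
}
```

The point of draining the rest of an overlong line is easy to miss: with plain fgets the leftover "A"s would be returned by the next read, so a program that reads twice would still see attacker-controlled data where it expected the next line, just not on the stack.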

Slides 7–15

ret2libc

These slides animate the stack frame of the main() above one instruction at a time. The listing is the same on every frame; lines 1–9 are main, lines 10–15 are the libc functions it can be made to return into:

.stack ; segment with stack

Main:
1.  push ebp
2.  mov ebp, esp
3.  sub esp, 16
4.  lea edx, buf
5.  push edx
6.  call gets
7.  add esp, 4
8.  leave
9.  ret
…………………………………….
10. system:
11. …
12. ret
13. printf:
14. …
15. ret

The stack diagram numbers the dword slots of the frame (the register notes on the slides refer to these slot numbers):

slot 9    : Ret from main (drawn as ?eip: the value pushed by the call to main)
slot 8    : old ebp, where ebp points after line 2 (ebp=8)
slots 4–7 : char buf[16], with edx pointing at slot 4 after line 4 (edx=4)
slot 3    : the pushed edx, value 4, i.e. the address of buf handed to gets (line 5)

Slides 7–12 build the frame in that order: return address, old ebp, ebp set to slot 8, 16 bytes reserved for buf, edx loaded with the address of buf, edx pushed as the argument of gets.

Slides 13–14: gets() reads an input longer than 16 bytes. buf (slots 4–7) fills with AAAA AAAA AAAA AAAA and the overflow continues upward: old ebp|AAAA, Ret from main|AAAA.

Slide 15: instead of AAAA, the bytes that land on slot 9 are the address of system in libc (the slide labels that slot "Ret from main|syscall"); ebp=AAAA. When main reaches ret (line 9) it continues at line 10.

Slide 16

system = ?

Slide 17

system = printf - CONST

(Within one libc build the distance between two functions is a constant, so knowing where printf is gives the address of system.)

Slide 18

system = libc.so:system

(Or simply resolve the system symbol of the mapped libc.so.)

Slides 19–21

ret2libc

Slide 19 repeats the frame of slide 15: slot 9 holds the address of system (Ret from main|syscall), ebp=AAAA, edx=4.

Slide 20 extends the stack diagram to slots 1–11 and highlights the step from line 9 (ret in main) to line 10 (system:).

Slide 21 fills the two slots above the return address, which is where system looks for its argument once main has returned into it:

slot 9  : Ret from main|syscall, the address of system (what ret pops)
slot 10 : Ret from syscall, the address system will return to when it finishes
slot 11 : Ref to “/bin/sh”, the pointer system reads as its argument

The listing (lines 9–15) is unchanged from the previous slides.

Slide 22

Where is /bin/sh?

Slide 23

Where is /bin/sh?

ropchain

Slide 24

What about randomization?

/proc/sys/kernel/randomize_va_space
0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries, stack, mmap(), VDSO and heap are randomized.
2 – Full randomization. In addition to the elements listed in the previous point, memory managed through brk() is also randomized.

Slide 25

Static compile

[Diagram: the dynamically linked layout of slide 2 again, for comparison]
  Prog.elf             55cdfefe3000
  libc.so              7f11866a7000
  ld-linux-x86-64.so   7f1186c82000

Slide 26

Static compile (-s)

[Diagram: before, three separate objects; after, one object that carries copies of the other two]
  Separate:  Prog.elf   libc.so   ld-linux-x86-64.so
  Static:    Prog.elf [ libc.so   ld-linux-x86-64.so ]

Slide 27

Static compile (-s)

Works on any Linux with any libc installed
The ELF contains the entire libraries
Very big binary
You can find many functions and gadgets - dangerous

Slide 28

GDB commands

gdb:
maint info sections – show sections
shell ps aux | grep test – show process pid
cat /proc/[PID]/maps – show sections of process
find [START ADDRESS], [END ADDRESS], "[STRING]"
shell:
ldd test
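A parser for the /proc/[PID]/maps format from the slide above, added here as an example and not part of the slides. It ties together slide 5 (knowing the address of libc.so), slides 17–18 (a function's address is that base plus a fixed offset) and slide 24 (randomize_va_space): map_base and libc_relocated are names chosen for this example, and the two snapshots RUN1 and RUN2 are constructed (RUN1 reuses the addresses from slide 2, RUN2 is invented to stand for a second run of the same binary).

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: a parser for the /proc/[PID]/maps lines
 * the GDB slide tells you to look at.  map_base() recovers the load base of a
 * mapped file (the "address of libc.so" of slide 5); libc_relocated() compares
 * two snapshots to show what randomize_va_space (slide 24) does.  RUN1 and
 * RUN2 are constructed snapshots: RUN1 reuses the addresses from slide 2, RUN2
 * is invented to stand for a second run of the same binary. */

static const char RUN1[] =
    "55cdfefe3000-55cdfefe4000 r--p 00000000 08:02 131 /home/user/Prog.elf\n"
    "55cdfefe4000-55cdfefe5000 r-xp 00001000 08:02 131 /home/user/Prog.elf\n"
    "7f11866a7000-7f11866cd000 r--p 00000000 08:02 777 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f11866cd000-7f1186862000 r-xp 00026000 08:02 777 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1186c82000-7f1186c84000 r--p 00000000 08:02 778 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\n"
    "7ffd1a2b3000-7ffd1a2d4000 rw-p 00000000 00:00 0 [stack]\n";

static const char RUN2[] =
    "5634a1c00000-5634a1c01000 r--p 00000000 08:02 131 /home/user/Prog.elf\n"
    "7f3c2a100000-7f3c2a126000 r--p 00000000 08:02 777 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3c2a126000-7f3c2a2bb000 r-xp 00026000 08:02 777 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffe0c7e1000-7ffe0c802000 rw-p 00000000 00:00 0 [stack]\n";

/* Return the load base of the first mapped file whose path contains `needle`:
 * the start of its mapping with file offset 0.  Returns 0 if none is found.
 * Each line is copied out before parsing so a path-less anonymous mapping
 * cannot make sscanf read on into the next line. */
unsigned long map_base(const char *maps, const char *needle)
{
    const char *line = maps;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char one[512];
        if (len >= sizeof one)
            len = sizeof one - 1;
        memcpy(one, line, len);
        one[len] = '\0';

        /* fields: start-end perms offset dev inode [path] */
        unsigned long start = 0, off = 0;
        char path[256] = "";
        int n = sscanf(one, "%lx-%*lx %*s %lx %*s %*s %255s", &start, &off, path);
        if (n == 3 && off == 0 && strstr(path, needle) != NULL)
            return start;

        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Compare the libc base in two snapshots of the same program.
 *  1: the base moved (shared libraries randomized: randomize_va_space 1 or 2)
 *  0: same base (randomize_va_space 0, or both snapshots of one process)
 * -1: libc is not mapped in one of them (a statically linked binary, slide 26) */
int libc_relocated(const char *maps_a, const char *maps_b)
{
    unsigned long a = map_base(maps_a, "libc.so");
    unsigned long b = map_base(maps_b, "libc.so");
    if (a == 0 || b == 0)
        return -1;
    return a != b;
}

int main(void)
{
    char self[1 << 16] = "";
    FILE *f = fopen("/proc/self/maps", "r");   /* the live equivalent of RUN1 */
    if (f != NULL) {
        size_t got = fread(self, 1, sizeof self - 1, f);
        self[got] = '\0';
        fclose(f);
    }
    printf("RUN1 libc base: %lx\n", map_base(RUN1, "libc.so"));
    printf("RUN2 libc base: %lx\n", map_base(RUN2, "libc.so"));
    printf("libc relocated between RUN1 and RUN2: %d\n", libc_relocated(RUN1, RUN2));
    printf("this process, libc base: %lx (0 = static binary or maps unreadable)\n",
           map_base(self, "libc"));
    return 0;
}
```

With randomize_va_space at 0 two snapshots of one binary report the same base and libc_relocated returns 0; at 1 or 2 the base moves between runs, which is the property slide 24 describes and the one a defender wants to confirm on a host. The file offset column is what makes the base reliable: only the first mapping of a library has offset 0, while its r-xp segment starts at a non-zero offset, so taking the start of just any libc line would give a wrong base.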
File name: Return-to-libc-attack.pptx