Similar presentations:
Return to libc attack
1. Атака возврата в библиотеку return to libc attack
2. What is libc ?
55cdfefe3000Prog.elf
7f11866a7000
libc.so
7f1186c82000
ld-linux-x86-64.so
3. What is libc ?
55cdfefe3000Prog.elf .text
Prog.elf .data
Prog.elf .bss
Prog.elf .plt
7f11866a7000
libc.so .text
libc.so .data
libc.so .bss
libc.so .plt
4. What is libc ?
// You programmain
call printf
ret
plt:
jmp printf
// libc.so
printf
…
ret
Puts
…
ret
System
…
ret
5. ret2libc
1. We know version of libc.so2. We know address of libc.so
3. We know any function address at libc.so
6. ret2libc
int main (){char buf [16];
gets(buf);
}
char buf[16]
ebp before main
ret from main
7.
ret2libcMain:
1. push ebp
eip
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
Ret from main
.stack ; segment with stack
8.
ret2libcMain:
1. push ebp
2. mov ebp, esp eip
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
old ebp
Ret from main
.stack ; segment with stack
9.
ret2libcMain:
1. push ebp
2. mov ebp, esp
3. sub esp, 16 eip
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=8
old ebp
Ret from main
.stack ; segment with stack
10.
ret2libcMain:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf eip
5. push edx
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=8
Char buf[16]
old ebp
Ret from main
.stack ; segment with stack
11.
ret2libcMain:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
eip
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=8
edx=4
Char buf[16]
old ebp
Ret from main
.stack ; segment with stack
12.
ret2libcMain:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
eip
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=8
edx=4
4
Char buf[16]
old ebp
Ret from main
.stack ; segment with stack
13.
ret2libcMain:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4 eip
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
4
AAAA
5
AAAA
6
AAAA
AAAA
7
8
old ebp|AAAA
9 Ret from main|AAAA
.stack ; segment with stack
ebp=8
edx=4
14.
ret2libcMain:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
eip
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
AAAA
5
AAAA
6
AAAA
AAAA
7
8
old ebp|AAAA
9 Ret from main|AAAA
.stack ; segment with stack
ebp=8
edx=4
15.
ret2libcMain:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
eip
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=AAAA
edx=4
Ret from main|syscall
.stack ; segment with stack
16.
system =?17.
system =printf-CONST18.
system =libc.so:system19.
ret2libcMain:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
eip
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=AAAA
edx=4
Ret from main|syscall
.stack ; segment with stack
20.
ret2libc9.
ret
…………………………………….
10. system :
eip
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
10
11
.stack ; segment with stack
ebp=AAAA
edx=4
21.
ret2libc9.
ret
…………………………………….
10. system:
eip
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
10
11
ebp=AAAA
edx=4
Ret from main|syscall
Ret from syscall
Ref to “/bin/sh”
.stack ; segment with stack
22. Where is /bin/sh ?
23. Where is /bin/sh ?
ropchain24. What about randomization
/proc/sys/kernel/randomize_va_space0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries,
stack, mmap(), VDSO and heap are randomized.
2 – Full randomization. In addition to elements listed
in the previous point, memory managed through
brk() is also randomized.
25. Static compile
55cdfefe3000Prog.elf
7f11866a7000
libc.so
7f1186c82000
ld-linux-x86-64.so
26. Static compile (-s)
Prog.elfProg.elf
libc.so
libc.so
ld-linux-x86-64.so
ld-linux-x86-64.so
27. Static compile (-s)
1.2.
3.
4.
Works in any linux with any libc installed
ELF contains entire libraries
Very big binary
You can find many functions an gadgets - dangerous
28. GDB commands
gdb:maint info sections – show sections
shell ps aux | grep test – show process pid
cat /proc/[PID]/maps – show sections of process
find [START ADDRESS], [END ADDRESS], “[STRING]”
shell:
ldd test
29. Now
#include <stdio.h>int main(){
char buf[16];
gets(buf);
puts(buf);
return 0;
}
EXPLOIT this