Атака возврата в библиотеку return to libc attack

4.04M

Category:

software

Return to libc attack

1. Атака возврата в библиотеку return to libc attack

2. What is libc ?

55cdfefe3000
Prog.elf
7f11866a7000
libc.so
7f1186c82000
ld-linux-x86-64.so

3. What is libc ?

55cdfefe3000
Prog.elf .text
Prog.elf .data
Prog.elf .bss
Prog.elf .plt
7f11866a7000
libc.so .text
libc.so .data
libc.so .bss
libc.so .plt

4. What is libc ?

// You program
main
call printf
ret
plt:
jmp printf
// libc.so
printf
…
ret
Puts
…
ret
System
…
ret

5. ret2libc

1. We know version of libc.so
2. We know address of libc.so
3. We know any function address at libc.so

6. ret2libc

int main (){
char buf [16];
gets(buf);
}
char buf[16]
ebp before main
ret from main

7.

ret2libc
Main:
1. push ebp
eip
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
Ret from main
.stack ; segment with stack

8.

ret2libc
Main:
1. push ebp
2. mov ebp, esp eip
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
old ebp
Ret from main
.stack ; segment with stack

9.

ret2libc
Main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16 eip
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=8
old ebp
Ret from main
.stack ; segment with stack

10.

ret2libc
Main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf eip
5. push edx
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=8
Char buf[16]
old ebp
Ret from main
.stack ; segment with stack

11.

ret2libc
Main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
eip
6. call gets
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=8
edx=4
Char buf[16]
old ebp
Ret from main
.stack ; segment with stack

12.

ret2libc
Main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
eip
7. add esp, 4
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=8
edx=4
4
Char buf[16]
old ebp
Ret from main
.stack ; segment with stack

13.

ret2libc
Main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4 eip
8. leave
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
4
AAAA
5
AAAA
6
AAAA
AAAA
7
8
old ebp|AAAA
9 Ret from main|AAAA
.stack ; segment with stack
ebp=8
edx=4

14.

ret2libc
Main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
eip
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
AAAA
5
AAAA
6
AAAA
AAAA
7
8
old ebp|AAAA
9 Ret from main|AAAA
.stack ; segment with stack
ebp=8
edx=4

15.

ret2libc
Main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
eip
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=AAAA
edx=4
Ret from main|syscall
.stack ; segment with stack

16.

system =?

17.

system =printf-CONST

18.

system =libc.so:system

19.

ret2libc
Main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
eip
9. Ret
…………………………………….
10. system :
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
ebp=AAAA
edx=4
Ret from main|syscall
.stack ; segment with stack

20.

ret2libc
9.
ret
…………………………………….
10. system :
eip
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
10
11
.stack ; segment with stack
ebp=AAAA
edx=4

21.

ret2libc
9.
ret
…………………………………….
10. system:
eip
11.
…
12
ret
13. Printf:
14.
…
15.
ret
1
2
3
4
5
6
7
8
9
10
11
ebp=AAAA
edx=4
Ret from main|syscall
Ret from syscall
Ref to “/bin/sh”
.stack ; segment with stack

22. Where is /bin/sh ?

23. Where is /bin/sh ?

ropchain

24. What about randomization

/proc/sys/kernel/randomize_va_space
0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries,
stack, mmap(), VDSO and heap are randomized.
2 – Full randomization. In addition to elements listed
in the previous point, memory managed through
brk() is also randomized.

25. Static compile

55cdfefe3000
Prog.elf
7f11866a7000
libc.so
7f1186c82000
ld-linux-x86-64.so

26. Static compile (-s)

Prog.elf
Prog.elf
libc.so
libc.so
ld-linux-x86-64.so
ld-linux-x86-64.so

27. Static compile (-s)

1.
2.
3.
4.
Works in any linux with any libc installed
ELF contains entire libraries
Very big binary
You can find many functions an gadgets - dangerous

28. GDB commands

gdb:
maint info sections – show sections
shell ps aux | grep test – show process pid
cat /proc/[PID]/maps – show sections of process
find [START ADDRESS], [END ADDRESS], “[STRING]”
shell:
ldd test

29. Now

#include <stdio.h>
int main(){
char buf[16];
gets(buf);
puts(buf);
return 0;
}
EXPLOIT this

English Русский Rules