Presentation on the topic: Return to libc attack

Contents

Return-to-library attack (return to libc attack)
What is libc?
ret2libc
system = ?
Where is /bin/sh?
What about randomization
Static compile
GDB commands
Now

#include <stdio.h>

int main()
{
    char buf[16];
    gets(buf);
    puts(buf);
    return 0;
}

EXPLOIT this

Presentation slides

Slide 2 What is libc?

Prog.elf              55cdfefe3000
libc.so               7f11866a7000
ld-linux-x86-64.so    7f1186c82000

Slide 3 What is libc?

55cdfefe3000
Prog.elf .text
Prog.elf .data
Prog.elf .bss
Prog.elf .plt

7f11866a7000
libc.so .text
libc.so .data
libc.so .bss
libc.so .plt


Slide 4 What is libc?

// libc.so
printf
    …
    ret
puts
    …
    ret
system
    …
    ret

// Your program
main
    call printf
    ret
plt:
    jmp printf


Slide 5 ret2libc

We know the version of libc.so
We know the address of libc.so
We know the address of any function in libc.so


Slide 6 ret2libc

#include <stdio.h>

int main()
{
    char buf[16];
    gets(buf);
}

ret from main
ebp before main
char buf[16]
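
A bounded replacement for the gets() call in the slide's program, as an added example that is not part of the original deck: gets() takes no length argument, so a line longer than buf overwrites the saved ebp and return address listed above. read_line and its return codes are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the slides): read one line into buf, which
 * holds cap bytes. Returns 0 if the whole line fit, 1 if it was cut to
 * cap - 1 characters, -1 on end of input. Never writes past buf[cap - 1]. */
int read_line(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* complete line, drop the newline */
        return 0;
    }

    /* No newline stored: discard the rest of the line so the excess is not
     * picked up by the next read, and report whether anything was dropped. */
    int c, dropped = 0;
    while ((c = fgetc(in)) != '\n' && c != EOF)
        dropped++;
    return dropped > 0;
}

int main(void)
{
    char buf[16];                       /* same size as on the slide */
    int rc = read_line(stdin, buf, sizeof buf);

    if (rc < 0)
        return 1;
    if (rc == 1)
        fputs("input too long, truncated\n", stderr);
    puts(buf);
    return 0;
}
```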


Slide 7 ret2libc

.stack ; segment with stack
Ret from main

?eip

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 8 ret2libc

.stack ; segment with stack
Ret from main
old ebp

?eip

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 9 ret2libc

.stack ; segment with stack
Ret from main
old ebp

?eip
ebp=8

1 2 3 4 5 6 7 8 9

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 10 ret2libc

.stack ; segment with stack
Ret from main
old ebp
char buf[16]

?eip
ebp=8

1 2 3 4 5 6 7 8 9

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 11 ret2libc

.stack ; segment with stack
Ret from main
old ebp
char buf[16]

?eip
ebp=8
edx=4

1 2 3 4 5 6 7 8 9

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 12 ret2libc

.stack ; segment with stack
Ret from main
old ebp
char buf[16]
4

?eip
ebp=8
edx=4

1 2 3 4 5 6 7 8 9

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 13 ret2libc

.stack ; segment with stack
Ret from main|AAAA
old ebp|AAAA
AAAA
AAAA
AAAA
AAAA
4

?eip
ebp=8
edx=4

1 2 3 4 5 6 7 8 9

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 14 ret2libc

.stack ; segment with stack
Ret from main|AAAA
old ebp|AAAA
AAAA
AAAA
AAAA
AAAA

?eip
ebp=8
edx=4

1 2 3 4 5 6 7 8 9

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 15 ret2libc

.stack ; segment with stack
Ret from main|syscall

?eip
ebp=AAAA
edx=4

1 2 3 4 5 6 7 8 9

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 16 system = ?

Slide 17 system = printf - CONST

Slide 18 system = libc.so:system

Slide 19 ret2libc

.stack ; segment with stack
Ret from main|syscall

?eip
ebp=AAAA
edx=4

1 2 3 4 5 6 7 8 9

main:
push ebp
mov ebp, esp
sub esp, 16
lea edx, buf
push edx
call gets
add esp, 4
leave
ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 20 ret2libc

.stack ; segment with stack

?eip
ebp=AAAA
edx=4

1 2 3 4 5 6 7 8 9 10 11

9. ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 21 ret2libc

.stack ; segment with stack
Ret from main|syscall
Ref to "/bin/sh"
Ret from syscall

?eip
ebp=AAAA
edx=4

1 2 3 4 5 6 7 8 9 10 11

9. ret
…
10. system:
11. …
12. ret
13. printf:
14. …
15. ret


Slide 22 Where is /bin/sh?

Slide 23 Where is /bin/sh?

ropchain

Slide 24 What about randomization

/proc/sys/kernel/randomize_va_space
0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries, stack, mmap(), VDSO and heap are randomized.
2 – Full randomization. In addition to elements listed in the previous point, memory managed through brk() is also randomized.
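
A check that randomization is actually in effect, as an added example that is not part of the original deck: it compares the base address of each mapped object across two /proc/[PID]/maps dumps of the same program. Run 1 reuses the addresses from the slides; every other value in the sample dumps, and the names map_base and fixed_bases, are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample dumps of /proc/[PID]/maps from two runs of one program.
 * Run 1 reuses the slides' base addresses; all other values are made up. */
static const char RUN1[] =
    "55cdfefe3000-55cdfefe4000 r-xp 00000000 08:01 1311 /home/user/Prog.elf\n"
    "7f11866a7000-7f118688e000 r-xp 00000000 08:01 2207 /lib/libc.so.6\n"
    "7f1186c82000-7f1186ca9000 r-xp 00000000 08:01 2203 /lib/ld-linux-x86-64.so.2\n";
static const char RUN2[] =
    "5581b2c4d000-5581b2c4e000 r-xp 00000000 08:01 1311 /home/user/Prog.elf\n"
    "7f3e90215000-7f3e903fc000 r-xp 00000000 08:01 2207 /lib/libc.so.6\n"
    "7f3e907f0000-7f3e90817000 r-xp 00000000 08:01 2203 /lib/ld-linux-x86-64.so.2\n";

/* Lowest start address of a mapping whose path contains `name`, 0 if absent. */
unsigned long map_base(const char *maps, const char *name)
{
    unsigned long best = 0;
    while (*maps) {
        char line[512], path[256] = "";
        unsigned long start;
        size_t len = strcspn(maps, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, maps);
        /* fields: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%*x %*s %*x %*s %*s %255s", &start, path) == 2
            && strstr(path, name) && (best == 0 || start < best))
            best = start;
        maps += len + (maps[len] == '\n');
    }
    return best;
}

/* How many of `names` sit at the same base in both dumps (0 = all moved). */
int fixed_bases(const char *a, const char *b, const char *const names[], int n)
{
    int fixed = 0;
    for (int i = 0; i < n; i++) {
        unsigned long x = map_base(a, names[i]);
        fixed += (x != 0 && x == map_base(b, names[i]));
    }
    return fixed;
}

int main(void)
{
    const char *const names[] = { "Prog.elf", "libc.so", "ld-linux" };
    printf("libc base in run 1: %lx\n", map_base(RUN1, "libc.so"));
    printf("objects at a fixed base: %d\n", fixed_bases(RUN1, RUN2, names, 3));
    return 0;
}
```

A non-zero count from two real dumps of the same binary points at randomize_va_space being 0 or at an object that is not loaded at a randomized address.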


Slide 25 Static compile

Prog.elf              55cdfefe3000
libc.so               7f11866a7000
ld-linux-x86-64.so    7f1186c82000

Slide 26 Static compile (-s)

Prog.elf
libc.so
ld-linux-x86-64.so

Prog.elf
libc.so
ld-linux-x86-64.so

Slide 27 Static compile (-s)

Works in any Linux with any libc installed
ELF contains entire libraries
Very big binary
You can find many functions and gadgets - dangerous

Slide 28 GDB commands

gdb:
maint info sections – show sections
shell ps aux | grep test – show process pid
cat /proc/[PID]/maps – show sections of process
find [START ADDRESS], [END ADDRESS], "[STRING]"

shell:
ldd test


  • File name: return-to-libc-attack.pptx