Payload already inside: data re-use for ROP exploits
- Type
- Paper
- Tags
- exploiting
- Authors
- Long Le
- Event
- Black Hat USA 2010
- Indexed on
- Mar 27, 2013
- URL
- https://media.blackhat.com/bh-us-10/whitepapers/Le/BlackHat-USA-2010-Le-Paper-Payload-already-inside-data-reuse-for-ROP-exploits-wp.pdf
- File name
- BlackHat-USA-2010-Le-Paper-Payload-already-inside-data-reuse-for-ROP-exploits-wp.pdf
- File size
- 208.7 KB
- MD5
- ff6f71f4fa604dffd5b539abf240f6d1
- SHA1
- 9aa92891cf60f4cba7f3a44f23b2387d631ce19f
Return-oriented programming (ROP) is one of the buzzing advanced exploitation techniques these days to bypass NX. There are several practical works using ROP techniques for exploitations on Windows, iPhoneOS to bypass DEP and code signing but no any practical ROP work for modern Linux distributions so far. Main issues for ROP exploitations on Linux x86 include ASCII-Armor address protection which maps libc address starting with NULL byte and Address Space Layout Randomization (ASLR). In this presentation we will show how we can extend an old return-into-libc technique to a stage-0 loader that can bypass ASCII-Armor protection and make ROP on Linux x86 become a reality. In addition, by reusing not only codes but also data from the binary itself, we can build any chained ret2libc calls or ROP calls to bypass ASLR protection. A new ROP tool to build and search for ROP instructions will be released in the presentation.
About us
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Statistics
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.
Contribute
To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.
