This workshop is an introduction to Return Oriented Programming. The workshop aims to be fitting for people with varying background, as it starts easy and with detailed explanation on hands-on exercises but increases difficulty over time. The workshop is a good fit for attendees who already know about buffer overflows but want to go further. For them it's a perfect next step which will take their exploiting skills to the next level!
The basic example of exploiting a buffer overflow is pushing shellcode on the stack and jumping to it. This is successful when there are no security mechanisms. But how can we get a shell if the stack is not executable? Return Oriented Programming (ROP) is a neat technique to defeat this protection.
In this workshop, we will step up the game by turning on the NX-bit and using ROP to exploit the buffer overflow anyway. The basic idea of ROP is to use code snippets that are already in the binary. This way, we can put the shellcode together like we would tinker a blackmailing letter from old newsletters, putting the fitting pieces one after another, until we get the payload we want.
We will work on Linux (x86), get to know the libc, and debug the process. By observing the stack and registers, we will see how choosing code snippets that end with a ‘return’ (ROP-gagdets) plays out.
The workshop contains 3 exercises of different stages.
The first stage is 32 Bit to get an easy start and to get to know the environment and commands. This exercise is done together, to get a quick and efficient example on how to interact with the tools. The second stage is 64 Bit, to stress the differences regarding e.g. calling conventions. This exercise will allow the attendees to explore the exploit on their own, with my assistance when needed.
The 3rd stage will be solving the challenge with ASLR turned on (without PIE). This will get us a longer ROP-Chain, we will have a look on other useful segments like the Global Offset Table and how to use this for exploitation. Also, the combination of using ROP on 64 Bit with ASLR turned on can score you some points in CTFs.
I will provide a VM with the binaries and my presentation on it. Using a common system is the easiest way to get the same offsets in our address calculation. I will also provide instructions to set up the VM in case the attendees want to set up their own VM.
Participants should bring:
A laptop with a hypervisor (e.g. VirtualBox, VMware) installed
Participants must know or have:
- Basic knowledge about buffer overflows
- Download the preconfigured workshop VM including the binaries (alternative: follow the instructions on github to setup your own workshop-VM)
Lisa Aichele ,
Lisa is a student in Automation and Mechatronics at the university Hochschule Furtwangen (HFU), Campus Tuttlingen. With her bachelor thesis she shifted torwards the security field by developing a clang-based fuzzing toolchain. She was both attendee and trainer at Blackhoodie events and likes CTF competitions.