This document discusses return-oriented programming (ROP) attacks and variants. It begins with an introduction to ROP attacks, explaining that they circumvent data execution prevention by chaining small snippets of executable code (called gadgets) that end in return instructions. It then covers different ROP attack techniques like using arithmetic, comparison, and loop gadgets to achieve Turing completeness. The document discusses challenges like handling null bytes and describes variants like jump-oriented programming (JOP) that uses indirect jumps. It also covers creating alphanumeric ROP shellcode by selecting printable addresses. In the end, it provides tips for effectively searching gadgets.
A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
Introduce Brainf*ck, another Turing complete programming language. Then, try to implement the following from scratch: Interpreter, Compiler [x86_64 and ARM], and JIT Compiler.
The document provides an introduction to Linux and device drivers. It discusses Linux directory structure, kernel components, kernel modules, character drivers, and registering drivers. Key topics include dynamically loading modules, major and minor numbers, private data, and communicating with hardware via I/O ports and memory mapping.
Making The Move To Java 17 (JConf 2022)Alex Motley
Are your applications still running on Java 8 or even older, unsupported versions? Or maybe you've already made the move to Java 11? Thinking about switching your application to run on Java 17 and not sure where to start? There is a lot to think about when it comes to planning a Java migration, but there are tools and strategies that can help! Come to this session to learn about the significant changes in Java that might impact your application. Topics include the removal of APIs (such as Java EE packages) and behavior changes resulting from moving an application running previous Java versions to Java 17. Learn about tools to use that help you identify potential issues within your application and how to resolve them! The discussion is informative to developers and system administrations who are interested in evaluating applications before they are migrated and while making the code changes.
The document discusses the growth and adoption of RISC-V, an open-source instruction set architecture (ISA). It notes several organizations that have adopted RISC-V, including the European Union for a supercomputer, Alibaba, Western Digital, and AWS. It also mentions companies like SiFive reaching 100 design wins and GreenWaves being named a cool vendor in AI semiconductors. The RISC-V Foundation is working to drive further adoption through activities like technical working groups, compliance testing, education, and events. Membership in the Foundation has grown significantly in recent years and now includes over 250 members in over 25 countries.
Getting started with setting up embedded platform requires audience to understand some of the key aspects of Linux. Starting with basics of Linux this presentation talks about basic commands, vi editor, shell scripting and advanced commands
This is continuation of the slide Advanced C part 1. In part 1 you learnt about fundamentals of C - How to build an algorithm, operators. In this module - Advanced C part 2 you will be learning about functions, pointers and standard Input Output functions. This slide will help you to move a further ahead in Advanced C and gain deeper knowledge on it.
Systemd is a system and service manager that replaces sysvinit. It manages services, devices, mounts and other system components. It relies on control groups (cgroups) to isolate and manage processes and resources for each service. Services are configured through declarative unit files instead of shell scripts. Systemd provides features like socket activation, timers, and integrates with journald for logging.
This document provides an overview of Linux command line essentials including shell script basics, variables, operators, loops, and functions. It covers topics such as the difference between CLI and GUI interfaces, what a kernel and shell are, defining variables and variable types, arithmetic, relational, boolean, and file test operators, while, for, and until loops, and creating reusable functions. The document is from edureka.co and serves as an introduction to common Linux shell scripting concepts.
This document provides an overview of a presentation on Laravel Octane given by Albert Chen. The presentation covered: the lifecycle of PHP and Laravel applications; an introduction to Laravel Octane and how it makes applications more friendly for long-lived processes; reminders for developing long-lived PHP applications; Laravel's service container and how containers work in Octane; how Octane supports concurrent tasks using Swoole; additional Octane features like tickers, caching, and process communication; blocking I/O in PHP and how coroutines work in Swoole; whether Octane supports coroutines; and a benchmark comparing Octane to PHP-FPM with Nginx. The document concludes with an
Prerequisite knowledge for shared memory concurrencyViller Hsiao
The document provides an overview of prerequisite knowledge for shared memory concurrency, including memory hierarchy, data consistency across memory levels, issues with simple spinlock implementations, and atomic instructions supported by CPUs like ARM and RISC-V. It discusses examples of implementing spinlocks using ARMv8 atomic instructions like ldrex/strex. It also covers memory ordering, memory barrier instructions, cache coherence protocols, and memory consistency models for architectures like ARMv8 and RISC-V.
This document discusses SWUpdate, an open source software updater for embedded Linux systems. It provides concise summaries of SWUpdate's key features and architecture in 3 sentences or less:
SWUpdate allows for safe, atomic over-the-air software updates of embedded Linux devices, supporting updates to the bootloader, kernel, filesystem and more through features like signed images, rollback, and a modular architecture using handlers and scripts. It has a client-server model that supports both push and pull updates and integrates with build systems like Yocto and deployment platforms like hawkBit. SWUpdate's small footprint and power-off safety make it suitable for remotely updating a wide range of embedded Linux devices in the field.
LCU13: An Introduction to ARM Trusted FirmwareLinaro
Resource: LCU13
Name: An Introduction to ARM Trusted Firmware
Date: 28-10-2013
Speaker: Andrew Thoelke
Video: http://www.youtube.com/watch?v=q32BEMMxmfw
Vert.x is a toolkit for building reactive microservices applications on the JVM. It uses the reactor pattern with a single-threaded event loop to avoid the C10K problem. Verticles are lightweight concurrent units that communicate asynchronously via an event bus. This allows building scalable and reactive microservices. Vert.x supports websockets, clustering, reactive programming with RxJava, and can be deployed to production environments like AWS. It also integrates with Spring for dependency injection and configuration.
Yocto - Embedded Linux Distribution MakerSherif Mousa
Yocto is an Embedded Linux distribution maker.
This presentation is a quick start guide for Yocto buildsystem to get familiar with the tool and how to start building your own custom Linux system for a specific hardware target.
This document discusses second-level caching in Java Persistence API (JPA). It begins with an introduction to the speaker's background and experience. The presentation agenda is then outlined, covering why caching is important, the differences between first-level and second-level caches in JPA, JPA configuration parameters and API for caching, and specifics of Hibernate and EclipseLink second-level caching implementations. Examples are provided that demonstrate performance improvements when utilizing caching strategies like fetching relationships, projections, and aggregation queries.
This document provides an overview of Linux networking concepts relevant for interviews, including TCP/IP and socket programming. It begins with definitions of LAN, MAN, and WAN networks. It then covers the OSI and TCP/IP models, differences between hub/switch/router, TCP/IP addressing concepts like MAC addresses, IP addresses, ports, and IPv4 vs IPv6. Next it explains TCP/IP protocols like SNMP, ICMP, ARP/RARP, DNS, and DHCP. Finally it discusses socket programming concepts like sockets, client-server programming, and synchronous I/O using select().
The document discusses the stack and buffer overflows. It provides an overview of registers, the stack, calling conventions, and buffer overflows. It explains how buffer overflows can corrupt local variables or overwrite the return pointer. The document shows how to craft payloads to exploit buffer overflows by overwriting values on the stack, such as changing a variable or calling a function directly.
This document discusses buffer overflow attacks. It begins with an overview of the topics that will be covered, including vulnerabilities, exploits, and buffer overflows. It then provides definitions for key terms and describes different types of memory corruption vulnerabilities. The bulk of the document focuses on stack-based buffer overflows, explaining how they work by overwriting the return address on the stack to point to injected shellcode. It includes diagrams of stack layout and function prologue and epilogue. The document concludes with a demonstration of a buffer overflow and discusses some mitigations like stack cookies and ASLR.
The document provides information on advanced assembly language procedures. It discusses the PROC, ADDR, INVOKE and PROTO directives which are used to declare and call procedures. The PROC directive declares a procedure with optional parameters, while INVOKE simplifies procedure calls by passing parameters in a single statement. PROTO creates a procedure prototype. ADDR returns the address of a variable. Stack frames and how parameters and local variables are accessed on the stack are explained. Recursive procedures and how they use stack frames are covered, with examples to calculate a sum and factorial recursively. Finally, the document discusses creating multimodule programs by dividing code across multiple source files that are assembled and linked together.
The document provides information about a reversing and malware analysis training program. It begins with a disclaimer stating that the views expressed are solely of the trainer and not the company. It then acknowledges those who supported the training program. It states that the presentation is part of a reversing and malware analysis training program currently only offered locally for free. It introduces the two trainers and provides their backgrounds and contact information. It outlines topics that will be covered including x86 assembly, instructions, stack operations, and calling conventions. It notes that a demonstration will be included.
Here are the key differences between CALL and INVOKE in x86 assembly:
- CALL is used to call a procedure without passing any parameters, while INVOKE allows passing parameters to procedures.
- When using CALL, any parameters need to be passed via registers or stack before the CALL. INVOKE handles pushing parameters onto the stack.
- A procedure called with CALL must pop its own parameters from the stack after the call, while a procedure called with INVOKE has the parameters automatically popped from the stack.
- INVOKE provides a simpler, higher-level way of calling procedures that mimics function calls in high-level languages by automatically handling parameter passing via the stack. CALL requires manually handling the
This document discusses procedures in assembly language. It covers defining procedures, calling procedures using the CALL and RET instructions, passing parameters to procedures, and managing the runtime stack. Procedures use stack frames to access parameters passed on the stack and allocate space for local variables. Examples are provided of procedures that pass arguments by value and by reference.
This document discusses procedures in assembly language. It covers defining procedures, documenting procedures, using the CALL and RET instructions to call and return from procedures, and examples of procedures including a SumOf procedure and nested procedure calls. Local variables within procedures are also mentioned.
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
This document provides an introduction to software exploitation on Linux 32-bit systems. It covers common exploitation techniques like buffer overflows, format strings, and ret2libc attacks. It discusses the Linux memory layout and stack structure. It explains buffer overflows on the stack and heap, and how to leverage them to alter control flow and execute arbitrary code. It also covers the format string vulnerability and how to leak information or write to arbitrary memory locations. Tools mentioned include GDB, exploit-exercises, and Python. Overall it serves as a crash course on the basic techniques and concepts for Linux exploitation.
Introduction to debugging linux applicationscommiebstrd
The document provides an overview of ELF (Executable and Linkable Format) files, assembly language, CPU registers, memory addressing, basic assembly instructions, and debugging tools like GDB. It describes the sections and structure of ELF files, number bases, memory layout, common instructions, and how to use GDB commands to debug programs.
1. For each instruction, give the 80x86 opcode and total number of b.docxblondellchancy
1. For each instruction, give the 80x86 opcode and total number of bytes of object code, including prefix bytes. Assume you are in 64-bit mode and that
word0p, dbl0p
, and
quad0p
reference a
word, doub
leword and
quadword
in data, respectively.
Add ax, word0p
Sub dbl0p, ebx
Sub rax, 10
Add quad0p, 1000
Inc r10b
Dec word0p
Neg rdx
Inc QWORD PTR [rdx]
2. Please provide code converting a Fahrenheit to a Celsius using the registers edx and eax?
3. Please write the commands (declarations) to setup a 2-byte and 4-byte GPS location.
4. Is the following code valid? Why or why not:
mov eax, [ebx-ecx] ;
mov [eax+esi+edi], ebx ;
cmp eax, edx ;
xor ecx, ecx ;
inc eax ;
5. What does the following code do?
Push ebp ;
Mov ebp, esp ;
Push ebx ;
6. Please provide code for the following scenario:
Create a while loop that that checks for 4 iteractions
Create jumps and labels for each case
Provide an exitcode along with possible return codes.
.
This document provides an overview of basic concepts in operating systems, including subroutine linkage, thread linkage, input/output, and dynamic storage allocation. It discusses subroutine linkage on Intel x86 and SPARC architectures, including how stack frames are used. It also covers the implementation of threads using control blocks and stacks for each thread context. Finally, it discusses input/output architectures and system calls.
This chapter discusses stack overflows in Linux. It explains buffers, the stack, functions and how the stack is used. It shows how a stack buffer overflow can be exploited by overwriting the return address on the stack to redirect program flow. The document demonstrates this by having a program read user input into a buffer without bounds checking, allowing input longer than the buffer to overwrite the return address and cause a crash. gdb is used to debug the program and examine the stack.
The document summarizes the general purpose registers on the x86 architecture. It describes the common uses of registers like EAX, EBX, ECX, EDX, ESI, EDI, and EBP. It also covers special purpose registers like EIP and flags. Additionally, it provides an overview of the stack and how it is used to store function parameters, local variables, and return addresses. Finally, it discusses some simple instructions for math, logic, jumping, strings, and manipulating the stack.
The document discusses stack buffer overflows in Linux. It explains how functions use the stack, with arguments and return addresses pushed onto the stack. A stack buffer overflow occurs when a program writes past the end of a fixed-length buffer on the stack. This can overwrite the return address, allowing arbitrary code execution. The document demonstrates this by having a program read user input into a buffer without bounds checking. Entering more data than the buffer size crashes the program by overwriting the return address. This vulnerability can be exploited to gain control of a program's execution flow.
The document discusses various arithmetic instructions in assembly language including INC, DEC, ADD, SUB, MUL, DIV.
It explains the syntax and usage of each instruction, showing how they can increment, decrement, add, subtract, multiply or divide operands in registers or memory. Examples are given to illustrate how to perform basic arithmetic operations like addition and multiplication of numbers entered by the user.
This document provides an introduction to basic assembly concepts for reverse engineering including the stack, registers, calling conventions, common operations, and recognizing common constructs like function prologues and epilogues, loops, and switch statements. It explains the stack and how it is used to pass arguments and hold local variables. It also outlines some key registers and their uses as well as basic operations like mov, add, cmp, and jcc.
The document provides an introduction to computer organization and assembly language. It discusses that processor understands only machine language instructions as strings of 1s and 0s. Assembly language represents instructions in a more understandable symbolic code for a specific processor family. Assembly language is converted into executable machine code by an assembler utility. Understanding assembly language provides knowledge of how programs interface with the operating system, processor and BIOS, and how instructions access and process data.
Arun Mane is the founder and director of AmynaSec Labs. He is a security speaker and trainer who has presented at many conferences including Defcon, Blackhat, Nullcon, and HITB. His areas of expertise include security testing of IoT devices, connected vehicles, medical devices, and industrial control systems. Some common issues he finds include devices being publicly accessible, having backdoors, hardcoded credentials, and crypto or web application management problems. His testing methodology involves assessing web and mobile applications, embedded device communications, hardware testing through reverse engineering, and analyzing communication protocols and stored data.
This document outlines an agenda for a presentation on open-source intelligence (OSINT) gathering techniques. The agenda includes an introduction to OSINT, different types of intelligence gathering, a scenario example, OSINT gathering tactics and tools like Shodan, TheHarvester and Google dorks, applications of OSINT, a demonstration, references for OSINT, and a conclusion. Key OSINT tools that will be demonstrated include Twitter, Shodan, TheHarvester and Google dorks for gathering information from public online sources.
This document provides an overview of server-side request forgery (SSRF) vulnerabilities, including what SSRF is, its impact, common attacks, bypassing filters, and mitigations. SSRF allows an attacker to induce the application to make requests to internal or external servers from the server side, bypassing access controls. This can enable attacks on the server itself or other backend systems and escalate privileges. The document discusses techniques for exploiting trust relationships and bypassing blacklists/whitelists to perform SSRF attacks. It also covers blind SSRF and ways to detect them using out-of-band techniques. Mitigations include avoiding user input that can trigger server requests, sanitizing input, whitelist
Nmap is a network scanning tool that can perform port scanning, operating system detection, and version detection among other features. It works by sending TCP and UDP packets to a target machine and examining the response, comparing it to its database to determine open ports and operating system. There are different scanning techniques that can be used like TCP SYN scanning, UDP scanning, and OS detection. Nmap also includes a scripting engine that allows users to write scripts to automate networking tasks. The presentation concludes with demonstrating Nmap's features through some examples.
The document provides an introduction and overview of the Metasploit Framework. It defines key terms like vulnerability, exploit, and payload. It outlines the scenario of testing a subnet to find vulnerabilities. It describes the main features of msfconsole like searching for modules, using specific modules, and configuring options. It promotes understanding and proper use, emphasizing that Metasploit alone does not make someone a hacker.
1) The document provides guidance on testing APIs for security weaknesses, including enumerating the attack surface, common tools to use, what to test for (e.g. authentication, authorization, injections), and demo apps to practice on.
2) It recommends testing authentication and authorization mechanisms like tokens, injections attacks on state-changing requests, and how data is consumed client-side.
3) The document also discusses testing for denial of service conditions, data smuggling through middleware, API rate limiting, and cross-origin requests.
TLS 1.3 is an update to the Transport Layer Security protocol that improves security and privacy. It removes vulnerable optional parts of TLS 1.2 and only supports strong ciphers to implement perfect forward secrecy. The handshake process is also significantly shortened. TLS 1.3 provides security benefits by removing outdated ciphers and privacy benefits by enabling perfect forward secrecy by default, ensuring only endpoints can decrypt traffic even if server keys are compromised in the future.
This document provides an introduction to hacking mainframes in 2020. It begins with an overview of mainframe systems and terminology. It then discusses reconnaissance methods like port scanning and credential theft to gain initial access. Next, it covers conducting internal reconnaissance to escalate privileges by exploiting surrogate users, APF authorized libraries, and UNIX privilege escalation techniques. The document aims to provide enough context for curiosity about hacking mainframe systems.
The document discusses CRLF injection and SSRF vulnerabilities. CRLF injection occurs when user input is directly parsed into response headers without sanitization, allowing special characters to be injected. SSRF is when a server is induced to make HTTP requests to domains of an attacker's choosing, potentially escalating access. Mitigations include sanitizing user input, implementing whitelists for allowed domains/protocols, and input validation.
The document provides an overview of Active Directory, including its components and how it is used to centrally manage users, computers, and other objects within a network. It discusses key Active Directory concepts such as forests, domains, organizational units, users, computers, and domain trusts. It also provides step-by-step instructions for setting up an Active Directory lab environment for red teaming purposes and integrating a client machine into the domain.
A security engineer discusses how logs and passive reconnaissance can reveal sensitive information like AWS credentials. The engineer searched for open Jenkins and SonarQube instances which led to discovering Slack channels containing AWS access keys. Key lessons are to know your boundaries, automate mundane tasks, don't presume systems mask secrets, and persistence is important in security work.
Shodan is a search engine that indexes internet-connected devices and provides information about devices, banners, and metadata. It works by generating random IP addresses and port scans to retrieve banner information from devices. This information is then stored in a searchable database. Users can search Shodan's database using filters like country, city, IP address, operating system, and ports. Shodan can be accessed through its website or command line interface. While useful for security research, Shodan also raises privacy and security concerns by revealing information about unprotected devices.
This document outlines an agenda for discussing cloud security. It begins with an introduction to cloud computing and deployment models. It then discusses challenges of cloud computing and why cloud security is important. Specific threats like data breaches and account hijacking are listed. The document reviews the shared responsibility model and scope of security in public clouds. It describes cloud security penetration testing methods like static and dynamic application testing. Finally, it provides prerequisites and methods for conducting cloud penetration testing, including reconnaissance, threat modeling, and following standard testing methodologies.
This document discusses several techniques for maintaining persistence on Windows systems, including modifying accessibility features, injecting into image file execution options, using AppInit DLLs, application shimming, BITS jobs, registry run keys, and Windows Management Instrumentation event subscriptions. It provides details on how each technique works, common implementations, required privileges, relevant data sources, and example event log entries.
Frida is a dynamic instrumentation toolkit that allows injecting JavaScript into applications. Objection is a runtime mobile exploration toolkit powered by Frida that helps assess the security of mobile apps. It supports iOS and Android. Objection allows exploring apps by listing classes, methods, and injecting scripts to enable dynamic analysis like dumping keychain entries.
Osquery is an open source tool that allows users to perform SQL queries on their system to retrieve information. It supports various platforms and makes it easy to get details about the system. Osquery consists of Osqueryi, Osqueryd, and Osqueryctl components. Basic queries can be run in user context mode to view system information, configuration, and tables. Osqueryd runs in daemon mode and can be configured using packs and decorators to monitor specific events and files. Osqueryctl is used to control the Osquery daemon process.
This document discusses DevSecOps, beginning with an introduction from Tibin Lukose. It then covers some challenges in DevSecOps such as developers lacking security skills, cultural challenges, and difficulties balancing speed, coverage and accuracy in testing. The document proposes a model DevSecOps company, Infosys, and provides a demo and contact information for any further questions.
This document provides an introduction to XML and related technologies like libxml2, XSLT, XPath, and XML attacks. It discusses the basics of XML including elements, tags, attributes, and validation. It also describes common XML libraries and tools like libxml2, xmllint, and xsltproc. Finally, it provides an overview of different types of XML attacks like XML injection, XPath injection, XXE, and XSLT injection.
This document contains the agenda for a presentation on Linux for hackers. The agenda includes discussing the Linux file system, managing virtual machines smartly, command line tools like alias, tee, pipe, grep, cut, uniq, and xargs, Bash scripting, logging, and proxy chaining. It also mentions demonstrating several commands and tools. The presentation aims to be an interactive session where the presenter will answer any questions from attendees.
This document provides an overview of Android penetration testing. It discusses requirements and tools for static and dynamic analysis, including Apptitude, Genymotion, and ADB. It covers analyzing the Android manifest and classes.dex files. It also describes vulnerabilities in WebViews, such as loading cleartext content and improper SSL handling. Best practices for coding securely on Android are also presented.
Float Operations in Odoo 17 - Odoo 17 SlidesCeline George
This slide will shows the Float Operations in Odoo 17.
Decimal accuracy is a measurement tool of Odoo to let the end-user specify the floating position of different categories like unit of measure, price. This feature helps the user to decide how many values to be displayed as decimals in each category.
What is the Difference Between Lot & Serial Number in Odoo 17Celine George
In Odoo, both lots and serial numbers are used for tracking inventory, Now we can take look into about the difference between the lot number and serial number through this slide.
Bipolar Junction Transistors and operation .pptxnitugatkal
A transistor is a type of semiconductor device that can be used to conduct and insulate electric current or voltage. A transistor basically acts as a switch and an amplifier.
How to install python packages from PycharmCeline George
In this slide, let's discuss how to install Python packages from PyCharm. In case we do any customization in our Odoo environment, sometimes it will be necessary to install some additional Python packages. Let’s check how we can do this from PyCharm.
Plato and Aristotle's Views on Poetry by V.Jesinthal Maryjessintv
PPT on Plato and Aristotle's Views on Poetry prepared by Mrs.V.Jesinthal Mary, Dept of English and Foreign Languages(EFL),SRMIST Science and Humanities ,Ramapuram,Chennai-600089
Stéphan Vincent-Lancrin, Deputy Head of IMEP division and Senior Analyst - P...EduSkills OECD
Stéphan Vincent-Lancrin, Deputy Head of IMEP division and Senior Analyst - Presentation at the OECD Webinar Battling AI bias in the classroom on 25 July 2024
How to Manage Advanced Pricelist in Odoo 17Celine George
Maintaining relationships with customers is important for a business. Customizing prices will help to maintain the relationships with customers. Odoo provides a pricing strategy called pricelists. We can set appropriate prices for the clients. And advanced price rules will help to set prices based on different conditions. This slide will show how to manage advanced pricelists in odoo 17.
How to Integrate Facebook in Odoo 17 - Odoo 17 SlidesCeline George
Integrating Facebook with other platforms, such as business software like Odoo, serves several purposes and can offer numerous benefits depending on the specific goals of your business.
Email Marketing in Odoo 17 - Odoo 17 SlidesCeline George
Email marketing is used to send advertisements or commercial messages to specific groups of people by using email. Email Marketing also helps to track the campaign’s overall effectiveness. This slide will show the features of odoo 17 email marketing.
How to Configure Field Cleaning Rules in Odoo 17Celine George
In this slide let’s discuss how to configure field cleaning rules in odoo 17. Field Cleaning is used to format the data that we use inside Odoo. Odoo 17's Data Cleaning module offers Field Cleaning Rules to improve data consistency and quality within specific fields of our Odoo records. By using the field cleaning, we can correct the typos, correct the spaces between them and also formats can be corrected.
What is the Use of API.onchange in Odoo 17Celine George
The @api.onchange decorator in Odoo is indeed used to trigger a method when a field's value changes. It's commonly used for validating data or triggering actions based on the change of a specific field. When the field value changes, the function decorated with @api.onchange will be called automatically.
3. ROP Attacks
• Introduced by hovad shacham
• Circumvents DEP (data execution prevention)
• Turing Complete`ness
• More useful than ret-2-lib ( branching)
• Applicable to various architectures
4. ROP Attacks
• Gadgets are the building blocks
• Gadgets end with RET instruction
• Example gadgets
• Mov eax, ebx
• Ret
• Pop eax
• Ret
5. ROP attacks
x86 stack layout
. Registers ebp and esp point to base and top of the
stack respective
. EBP used to access local and passed paramters
eg . [ebp + 8] first parameter (EBP + 4) for ret
address
. ESP used are a pointer for popping values out from
stack
6. ROP attacks
• RET x86 instruction
• Pops a value from the stack into EIP
• Used to return control from a function
• RET can have a argument eg RET 8
• RET 8 == EIP = stack[top], add ESP , 8
7. X86 stack layout
calling conventions
__stdcall ( varadic arguments)
Int __stdcall function(int a, int b) // < paramerts
{
int b,c; // local c variables
return 0;
}
function(10, 20); // function call __stdcall
X86 disassembly
push 20 // arguments pushed from right to left
push 10
call function
function:
push ebp // Stack epilouge
mov ebp, esp
sub esp, 8 //8 bytes for two variabeles
….
….
add esp, 8
pop ebp
ret 8 // ret 8 stack clearance by callie
8. X86 stack layout
calling conventions
__cdecl( const no of args)
Int __cdelc function(int a, int b) // < paramerts
{
int b,c; // local c variables
return 0;
}
function(10, 20); // function call __cdecl
X86 disassembly
push 20 // arguments pushed from right to left
push 10
call function
add esp, 8 // stack clearance
function:
push ebp // Stack epilouge
mov ebp, esp
sub esp, 8 //8 bytes for two variabeles
….
….
add esp, 8
pop ebp
ret // ret no stack clearence
9. Basic stack overflow
• A local stack variable gets overflowed
• CALL instruction pushes the EIP to the stack
• Find a trampoline eg jmp esp to change the
value to eip to attacker controlled buffer
• demo
10. What about NX bit ?
• DEP restricts the execution of segments
marked as r/w
• We can re-use code from the address space of
executable
• Useful code chunks called as ROP gadgets
• Multiple gadgets can be chained together and
even API calls
11. ROP Basics(load and store gadgets)
• storing and loading values from and into
memory
• Primitive example pop eax; ret / pop ebx ret/ pop r32, ret
• To memory store pop eax, pop edx, ret / mov [eax], edx; ret
12. Wait a sec!
» Handling NULL bytes
• Some parameters contain NULL
• Even some addresses contain zero values
• Cannot inject NULL or zero values
• Bug prone functions eg strcpy stop copying
when they encounter a NULL byte (00 hex)
13. Handling NULL bytes
• Let x = value containing a ( many) NULL byte
• Let y = mask = 0xffffffff
• Mathematical axiom
• A xor B = z (say)
• Now z xor B = A
• We can 0x00000000 xor 0xffffffff = z (say)
• Xor it back to get the original value
• We have xor esi, ebx ; ret!
14. ROP basics(arithmetic )
• Msvcrt32.dll 0x77c4d6f add ebx, esi; stc; ret
• Kernel32.dll 0x7c902af5 sub eax,ecx; ret
• We have same for mul and div !
• Try in immunity search: add r32, r32;any;ret;
• You will find huge no. of gadgets
15. ROP basics(LOOPS)
• UNCONDITIONAL LOOPS or INFINITE LOOPS
• Pop back the value in ESP, pop esp;ret
7C80BCA8 5C POP ESP //kernel32.dll
7C80BCA9 C3 RETN
16. ROP basics(conditional jumps )
• The tricky part
• We need to modify ESP , based on certain
comparisons
. comparisons include greater than , less than ,
equal to;
X <y
X >y
X == some_val
.
17. Comparing with zero
• Divert flow through adding a certain value to esp
• Store two values on the stack , value_to_be_checked and esp_delta (the value to
be added to esp)
• Load the val in a general purpose register say eax
• X86 instruction NEG computes the two's complement and updates CF
. if val == 0 the CF = 0; else CF = 1
• ADC x86 instruction add the source and dest with carry flag(ADC – add
with carry flag)
• Make a general purpose reg and zero by xor r32,r32; then apply adc
r32,32
18. Comparing with zero(contd..)
• We have a REG (say eax) containing a single 1 bit or all 0 bits
• Apply NEG instruction on that REG to obtain the two's complement
• 2's comp will transform it into all zero's or all ones
• Perform bit-wise AND with ESP_DELTA
. according we will get ESP_DELTA as zero or its original value
• ADD esp, ESP_DALTA to divert the control flow
• DEMO
19. Checking for == (equality)
• Two values val1, val2 to be checked for equality
• Load two values using load and store gadgets as shown earlier
• Perform x86 SUB val1, val2,store back the result
• If both the values are same result will be zero,
. Check the result to zero as show in the previous slide
• ADD esp, ESP_DALTA to divert the control flow
• DEMO
20. Checking for <, > (less or greater)
• Two values val1, val2 to be checked for equality
• Load two values using load and store gadgets as shown earlier
• Perform x86 SUB val1, val2, SUB intruction sets the CF if dest > source
• Save CF using xor r32, r32;ret; adc r32,r32 ret; as shown in ealier slide
. CF will be 1 if dest > source else 0
• DEMO
22. JUMP oriented Programming
Attacks
• ROP used gadgets ending with RET x86 instruction
• JOP uses statements ending with Indirect Jump call
• Instead of stack uses a dispatcher table to jump to different locations
• Thwarts certain Anti-ROP defences
24. JUMP oriented Programming
Attacks
• Dispatcher gadget increments a REG by certain value to make it point to next loc to
jump on
• Add ebx, 4 ; JMP [ebx]
• Here , EBX points to the Dispatcher table
• Same gadgets as in ROP attacks
25. JOP(attack Model)
• Cannot work on stack buffer overflow , because control flow diverts through a ret
Instruction
• Will be detected by anti-ROP defenses if(stack overflow is used)
• Attack vectors include
• 1: pointer overwrite
• 2: Arbitrary DWORD overwrite
• 3: C++ vtable overwrite
27. Alphanumeric ROP Shellcode
• Traditional Shellcode can be made alphanumeric by choosing only certain
instruction
Example . pop ecx has an
opcode 0x59 which is the ASCII code of the character Y)
• Similar technique used in ROP shellcode
. Selecting a printable address rather than a printable opcode(in trad.
shellcodes)
28. Alphanumeric ROP Shellcode
Basic Technique by adding two printable addresses. The range of ASCII printable
characters is between 0x21 and 0x7e
Example . A non-printable gadget in kernel32.dll at 0x77D4B8C2 {pop ebx;ret} can be
represented by adding two printable addresses
0X225D414B(printable) + 0x55777777(printable) = 0x77D4B8C2(no-printable)
• Combined together can be used to transform a printable code into non-
printable
• Similar technique used in ROP shellcode
. Selecting a printable address rather than a printable opcode(in trad.
shellcodes)
29. Alphanumeric ROP
Shellcode(gadgets)
• Gadgets used for decoding addresses should be printable(bytes should be
in range of 0x21 - 0x7e
• We also need a memory region which has a printable address to store the
decoded gadgets addresses marked as r/w
. From reg to mem we have urlmon.dll
0x772C2E5E MOV DWORD PTR DS:[ECX],EAX
. ESP related CRYPTUI.dll 0x775513E30 XCHG EAX,ESP
. MSCTF.DLL 0x74722973 POP EAX
. Mshtml.dll 0x7D504962 ADD EAX,ECX
. msimtf.dll MEM to reg 0x74714263 MOV EAX,DWORD PTR DS:[ECX]
. All of the dll's loaded by internet explorer
31. Effectively searching gadgets
• Immunity debugger search for all sequences in all modules
• ANY for any no of op codes and any reg
• Match Different registers eg POP RA, RB ; RA and RB will be different
• Best Practice search in reverse order