Exploiting Return Oriented Programming (ROP) tutorial - Binary Exploitation PWN101

Video description for Exploiting Return Oriented Programming (ROP) tutorial - Binary Exploitation PWN101

ROP tutorial step by step, explained in detail. We will understand how Return Oriented Programming works and how to use this exploitation technique to abuse (exploit) vulnerable binaries. We will understand the theory behind the technique and later put it into practice by exploiting an actual challenge from ROPEmporium. In order to understand ROP, the most important thing is to understand what the RET instruction does (what its effects are) when it gets executed. Knowing how the ESP/RSP and EIP/RIP registers are affected by it is fundamental. We can achieve the desired behavior by chaining together ROP gadgets (creating a ROP chain), abusing a buffer overflow and hijacking the execution flow.

Some quick notes after uploading the video:
- I forgot to include a good ROP reference from Exploit DB (Saif El-Sherei): https://www.exploit-db.com/docs/engli...
- A ROP gadget is any instruction sequence that ends with an instruction that modifies the RIP register, typically a RET (but it could be any other instruction, like JMP). In the video, in order to keep things simple, I mentioned only the RET case.
- Yes, around 14:45 I mispronounce the word "contriving" :(
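To make the RET semantics from the description above (and the gadget note) concrete, here is an added example that is not from the video or from ROPEmporium: a tiny emulator of RSP/RIP/RDI that walks a constructed x64 chain of one `pop rdi ; ret` gadget ending at a `system()` target. Every address is a hypothetical placeholder, and the only gadget the emulator knows is the `pop rdi ; ret` one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, illustrative addresses (hypothetical; not from any real binary). */
#define POP_RDI_RET_GADGET 0x401203ULL  /* gadget: pop rdi ; ret */
#define SYSTEM_PLT         0x401040ULL  /* where the chain finally lands */
#define CMD_STRING         0x404060ULL  /* address of the string to load into rdi */

/* The registers the description talks about. rsp is a byte offset into the
   emulated stack array; slot 0 is the saved return address the overflow overwrote. */
typedef struct { uint64_t rsp, rip, rdi; } cpu_t;

/* RET semantics: rip = [rsp]; rsp += 8. Returns 0 if rsp is outside the stack. */
static int do_ret(cpu_t *c, const uint64_t *stack, size_t nslots) {
    if (c->rsp / 8 >= nslots) return 0;
    c->rip = stack[c->rsp / 8];
    c->rsp += 8;
    return 1;
}

/* Walks the chain starting at the hijacked epilogue RET. Each gadget is
   emulated by its effect on the registers; the walk stops when rip reaches
   an address that is not a known gadget. Returns the number of gadgets
   executed, or -1 if rsp ran past the end of the emulated stack. */
static int run_chain(cpu_t *c, const uint64_t *stack, size_t nslots) {
    int gadgets = 0;
    if (!do_ret(c, stack, nslots)) return -1;       /* the legit epilogue's RET */
    while (c->rip == POP_RDI_RET_GADGET) {
        if (c->rsp / 8 >= nslots) return -1;
        c->rdi = stack[c->rsp / 8];                  /* pop rdi */
        c->rsp += 8;
        gadgets++;
        if (!do_ret(c, stack, nslots)) return -1;    /* the gadget's own RET */
    }
    return gadgets;
}

int main(void) {
    /* Constructed stack contents after the overflow: saved-return slot first. */
    uint64_t stack[] = { POP_RDI_RET_GADGET, CMD_STRING, SYSTEM_PLT };
    cpu_t cpu = { .rsp = 0, .rip = 0, .rdi = 0 };
    int n = run_chain(&cpu, stack, sizeof stack / sizeof stack[0]);
    printf("gadgets=%d rip=0x%llx rdi=0x%llx rsp=%llu\n", n,
           (unsigned long long)cpu.rip, (unsigned long long)cpu.rdi,
           (unsigned long long)cpu.rsp);
    return 0;
}
```

Each RET advances RSP by 8 and loads RIP from the slot it skipped over, which is why the chain is laid out as gadget, argument, target.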

References to learn more about ROP:
- ROP Emporium: https://ropemporium.com/
- FuzzySecurity: https://www.fuzzysecurity.com/tutoria...
- Code Arcana: https://codearcana.com/posts/2013/05/...
- CTF101: https://ctf101.org/binary-exploitatio...
- Rapid7: https://www.rapid7.com/resources/rop-...
- Wikipedia: https://en.wikipedia.org/wiki/Return-...
- Information Security Lab: cs6265/2019/tut/tut06-01-rop.html
- Ired.team: https://www.ired.team/offensive-secur...

Tools to find gadgets within a binary:
- ROPgadget: https://github.com/JonathanSalwan/ROP...
- Ropper: https://github.com/JonathanSalwan/ROP...
- Pwntools' ROP: https://github.com/Gallopsled/pwntool...
- Radare2: https://radareorg.github.io/blog/post...

00:00 - Intro
00:47 - More references to learn ROP
01:29 - What is ROP?
02:55 - What are ROP gadgets and chains?
04:19 - The RET instruction
06:06 - Drawing the RET instruction (legit epilogue)
07:53 - Drawing the attack
12:43 - Checking binary protections
13:43 - Executing the binary
13:56 - Crashing the binary
14:15 - Reversing the binary
14:50 - Spotting the vulnerability
15:30 - Reversing the binary
16:00 - Spotting a call to system()
16:36 - Starting to write the exploit
17:22 - Reversing the binary
17:37 - Calling convention of x64
18:24 - Checking strings
18:33 - Spotting the command to pass to system()
19:10 - Tools to find ROP gadgets
20:07 - Finding ROP gadgets in the binary
21:20 - Writing the exploit
22:38 - Drawing the exploit
25:00 - Executing the exploit
25:17 - Exploitation successful
26:00 - Outro[*]

Exploit code, not people.
Twitter: @Razvieu
*Outro track: Etsu - Selcouth
GG
