Return Oriented Exploitation (ROP)

Return Oriented Exploitation (ROP)

For all those who registered to AWE in BlackHat Vegas 2010 – we have special surprise for you… We’ve updated our “Bypassing NX” module with the buzzing ROP exploitation method. We took the PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit and ported it to a Windows 2008 Server environment, with DEP on AlwaysOn mode. The general idea is to use carefully calculated jumps to function tails present in executable memory in order to align the stack for a WriteProcessMemory call. This call will copy our shellcode to an executable place in memory, and then  jump to it. You can check out the exploit here.

We started working on the Pr0T3cT10n POC  – trying to see if we could get a shell on Win2k8….So we fired ID, crashed Apache and started inspecting the crash, analyzing loaded DLLs to see if any of them were ASLR disabled.


Our objective was to exploit the vulnerability with DEP AlwaysOn. We found some DLLs with noASLR – and we thought we could try to use the ROP technique to control execution flow. We coded a quick ID pycommand to find a suitable ROP gadgets set within usable DLLs.

We analyzed the script result and started to build the whole picture in our mind in order to disable DEP through ROP… we decided to go for WriteProcessMemory method. The dance begins…and after we have gained an absolute shellcode address in memory we prepared the arguments for WriteProcessMemory on the stack again using some ROP-fu:

WriteProcessMemory does its job in an awesome way and we return to our shellcode gracefully  – getting our  shell on Win2k8:

And pop ret goes the weasel!

Previous Post
QuickZip Stack BOF : A box of chocolates – part 2
Next Post
Evocam Remote Buffer Overflow on OSX

Related Posts

Menu
X Close

 

Certified Pentesting
Professional

OSCP
course starting at
$800 USD

Take Penetration Testing with Kali Linux to gain invaluable penetration testing skills and earn your OSCP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCP

Certified Pentesting
Expert

OSCE
course starting at
$1200 USD

Take Cracking the Perimeter to take your penetration testing skills to expert levels and earn your OSCE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCE

 

Certified Pentesting
Web Expert

OSWE
course starting at
$1400 USD

Take Advanced Web Attacks and Exploitation, to deep dive into web apps to earn your OSWE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWE

Certified Pentesting
Wireless Professional

OSWP
course starting at
$450 USD

Take Offensive Security Wireless Attacks to acquire knowledge about Wi-Fi attacks and earn your OSWP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWP

Certified Exploitation
Expert

OSEE
course starting at
See
Live Schedule

Take Advanced Windows Exploitation to develop exploits for Windows systems and earn your OSEE.

  • Live training course
  • Includes certification exam fee
  • Maximum instructor interaction
  • Highly challenging
  • Become an OSEE