Blog
Apr 12, 2010
Return Oriented Exploitation (ROP)
For all those who registered to AWE in BlackHat Vegas 2010 – we have special surprise for you… We’ve updated our “Bypassing NX” module with the buzzing ROP exploitation method.
3 min read
Author: Matteo Memelli
For all those who registered to AWE in BlackHat Vegas 2010 – we have special surprise for you… We’ve updated our “Bypassing NX” module with the buzzing ROP exploitation method. We took the PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit and ported it to a Windows 2008 Server environment, with DEP on AlwaysOn mode. The general idea is to use carefully calculated jumps to function tails present in executable memory in order to align the stack for a WriteProcessMemory call. This call will copy our shellcode to an executable place in memory, and then jump to it. You can check out the exploit here.
We started working on the Pr0T3cT10n POC – trying to see if we could get a shell on Win2k8….So we fired ID, crashed Apache and started inspecting the crash, analyzing loaded DLLs to see if any of them were ASLR disabled.
Our objective was to exploit the vulnerability with DEP AlwaysOn. We found some DLLs with noASLR – and we thought we could try to use the ROP technique to control execution flow. We coded a quick ID pycommand to find a suitable ROP gadgets set within usable DLLs.
We analyzed the script result and started to build the whole picture in our mind in order to disable DEP through ROP… we decided to go for WriteProcessMemory method. The dance begins…and after we have gained an absolute shellcode address in memory we prepared the arguments for WriteProcessMemory on the stack again using some ROP-fu:
WriteProcessMemory does its job in an awesome way and we return to our shellcode gracefully – getting our shell on Win2k8:
And pop ret goes the weasel!
Cybersecurity leader resources
Sign up for the Secure Leader and get the latest info on industry trends, resources and best practices for security leaders every other week
Latest from OffSec
Enterprise Security
The Role of Leadership in Cultivating a Resilient Cybersecurity Team
Learn about the role that leadership plays in cultivating a resilient cybersecurity team.
Sep 13, 2024
5 min read
Community Spotlight
Navigating the Leap: My Journey from Software Engineering to Offensive Security
A software engineer’s journey into offensive security, sharing insights and tips for transitioning careers and thriving in the infosec field.
Sep 13, 2024
17 min read
OffSec News
Become a Certified Threat Hunter with OffSec’s New Foundational Threat Hunting Course (TH-200)
Everything you need to know about OffSec’s new course and certification – TH:200 – Foundational Threat Hunting.
Sep 9, 2024
4 min read