[若渴計畫]64-bit linux return-oriented programming


Upload: aj0612

Post on 20-May-2015


DESCRIPTION

Following http://crypto.stanford.edu/~blynn/rop/ I studied 64-bit Linux Return-Oriented Programming; along the way I picked up some Linux command usage and some knowledge of the stack, and I am sharing it with everyone.

TRANSCRIPT

1. 64-bit Linux Return-Oriented Programming. AJ, 2014.4.10

2. Register Use in the Stack Frame for Intel x86
   ESP - Stack Pointer: points to the top of the stack.
   EBP - Base Pointer: points to the base of the current stack frame.
   EIP - Instruction Pointer: call and jump instructions change EIP.
   x86_64: register, 16 bytes.

3. Calling a __cdecl Function
   Push the parameters of the function, then call the function (the call pushes EIP).
   In the called function, save and update the ebp:
       push ebp
       mov ebp,esp   // ebp now marks the new stack frame

15. The gadget
   Goal: system("/bin/sh") to get a shell through the system call, so rdi must hold the address of "/bin/sh".
   Assembly code   Machine code
   pop %rdi        0x5f
   ret             0xc3

16-18. ROP stack layout (three slides stepping ESP and PC through the chain)
   char name[64] holds "/bin/sh\0"; saved EBP; saved EIP overwritten with the gadget address; then the address of name; then the address of system.
   gadget: pop %rdi; ret

19. ROP shell

20. Gadgets from libc.so: ESP points at the gadget addresses; the gadget addresses are placed in the buffer (data section).

21. libc.so gadget
   Why libc.so? On Linux, our C main() function is executed by the cooperative work of GCC, libc and Linux's binary loader (http://linuxgazette.net/84/hawk.html).
   Finding the gadget (byte 0x5f immediately followed by 0xc3):
       gadget=0x$(xxd -c1 -p /lib/x86_64-linux-gnu/libc.so.6 | grep -n -B1 c3 | grep 5f -m1 | awk '{printf "%x\n",$1-1}')
   Note on the compiler and the gadgets.

22. libc's system() function
   Look up the address of the symbol named exactly "system" in libc's dynamic symbol table:
       system=0x$(nm -D /lib/x86_64-linux-gnu/libc.so.6 | grep '\<system\>' | cut -f1 -d' ')

23. Linux Commands
   nm - list symbols from object files
   cut - remove or "cut out" sections of each line of a file or files
   xxd - make a hexdump or do the reverse
   sed - stream editor for filtering and transforming text
   objdump - display information from object files

24. Reference
   http://crypto.stanford.edu/~blynn/rop/
   http://en.wikipedia.org/wiki/X86_calling_conventions
   http://www.unixwiz.net/techtips/win32-callconv-asm.html