How To Bypass NX Protected Stack With ROP

What Is a Buffer Overflow?
A buffer is a block of memory that stores sequential data.

A buffer overflow happens when a program, usually through an incorrectly used function (strcpy, strcmp, etc.),
writes more data into a variable than its storage capacity; the result is a crash.
Once the capacity is exceeded, the flow of the program can be redirected to code that is not part of its normal flow, i.e. shellcode.

Good, but what's a "Stack"?
RAM is addressed from a low address up to a high address.
When a new thread is created, the operating system sets up regions called stacks, which hold function parameters,
local variables and the address where execution should continue after a function ends.
Two stacks are created for each thread. The stack is the region where a program's variables temporarily live in memory.
Dynamic variables, function calls (jmp, call, etc.) and return values are stored there.
The stack works with LIFO (last-in-first-out) logic.
The EBP and ESP registers point to the same location when the stack is newly created. As elements are pushed onto the stack,
EBP stays constant while the value of ESP is gradually decreased.


Purposes of stack use

- Providing memory space for a function's local variables.

Although we are debugging at the machine-code level,
the processor and the operating system actually provide us with an abstraction layer.
Let me try to explain: unless the compiler has been told otherwise (on x86 architectures),
applications usually start at hex 400000 (0x400000).
Since it is not possible for all applications to be physically located at the same address,
the addresses we see are virtual addresses. Physically, the operating system and the processor
place them on different pages of memory.

- Holding the address of the instruction to return to when the called function exits.

Each time a function is called, the call instruction implicitly writes to the stack
the address of the instruction that follows the call.
When the called function returns, the ret instruction loads that saved address into the EIP register.
If we can manipulate the place on the stack where the saved EIP is hiding, that is where the program will flow:
we can direct it to any area we want, and so we are able to run our shellcode.

- Storing the stack base address of the calling function.

- Storing the parameters to be passed to the called function.

Up to here is the classic stack-based buffer overflow.

To prevent programs from running code in the heap or on the stack, as classic buffer overflow attacks do,
something called NX came along. Of course, different vendors give it different names:
Intel calls it Execute Disable (XD), ARM calls it Execute Never (XN),
and Microsoft named it Data Execution Prevention (DEP).

Briefly, NX marks regions of our program such as the stack or the heap as non-executable.
In other words, it prevents us from running shellcode directly on the stack the way the classic stack-based buffer overflow does.
There are two techniques to circumvent this protection: ret2libc (return-to-libc) and ROP (return-oriented programming).
Today I'll tell you about the ROP technique.
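A quick way to verify whether a binary was actually built with an NX stack is to read its PT_GNU_STACK program header, which is where the loader gets the stack permissions from. The Python below is an added example (not code from the original post): it parses the ELF headers directly, and the minimal ELF64 images it builds for self-testing are constructed here, not taken from any real binary.

```python
import struct
from typing import Optional

PT_GNU_STACK = 0x6474E551          # program header type carrying the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment permission bits

def stack_is_executable(elf: bytes) -> bool:
    """True when the image's stack would be mapped executable (NX off).
    Inspects the PT_GNU_STACK program header; if it is absent, the x86 Linux
    loader historically falls back to an executable stack."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags follows p_type directly in ELF64 but sits after the size fields in ELF32
        (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK header: legacy default is an executable stack

def build_test_elf64(stack_flags: Optional[int]) -> bytes:
    """Construct a minimal (non-runnable) ELF64 image whose only program header
    is PT_GNU_STACK with the given flags; None omits the header entirely."""
    phdr = b"" if stack_flags is None else struct.pack(
        "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8     # ELF64, little endian
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, len(phdr) // 56, 64, 0, 0)
    return header + phdr

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # usage: python nx_check.py /path/to/binary
        with open(sys.argv[1], "rb") as f:
            print("NX off" if stack_is_executable(f.read()) else "NX on")
    else:                      # no argument: exercise the parser on constructed images
        print(stack_is_executable(build_test_elf64(PF_R | PF_W)))         # False: NX on
        print(stack_is_executable(build_test_elf64(PF_R | PF_W | PF_X)))  # True: NX off
```

The same header is what `readelf -lW` prints as the GNU_STACK line, so this is a good cross-check when a toolchain flag (for example `-z execstack` left in a build) silently turns NX off.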

So why ROP?

The first reason is Address Space Layout Randomization (ASLR):

it is a protection method that randomizes stack and library addresses in virtual memory.
Basically it makes the addresses of libraries (libc) random, so that we don't know the memory addresses of libc functions.
ASLR defeats ret2libc and forces us to constantly leak addresses in order to calculate them.
Another reason is that in some cases programmers restrict the use of libc;
then one of the best techniques we can use is ROP.
(In fact, ASLR can in a way be overcome with brute force, but I don't think that is a very good solution.)

What's ROP?

As the name implies, it means return-oriented programming, and
it is a modern technique used to bypass guards like NX.
The main building block of the ROP technique is the gadget: a small sequence of instructions. By chaining these little gadgets together, the goal is achieved.

The reasoning, actually: we put into the saved EIP slot the address of an instruction sequence inside the program that runs a command and then returns,
and the address it returns to after that command should be our SHELL address.

PRACTICE AREA: https://old.liveoverflow.com/binary_hacking/protostar/stack0.html