return to libc & intro to ROP (week 3) Flashcards

1
Q

what is the returning to libc method of exploiting buffer overflow?

A

it’s an attack method used when the stack is non-executable; it is very similar to a standard buffer overflow (BO) in that the return address is overwritten to point at a new location that we control.

however, since no executable code is allowed on the stack, we can’t just drop in shellcode.

so, we return into libc and use a function the library already provides. we can thus bypass the non-executable stack protection.

2
Q

What is ROP?

A

ROP is a powerful technique used to counter common exploit prevention strategies. ROP is useful for circumventing Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). When using ROP, an attacker uses her control over the stack right before the return from a function to direct code execution to some other location in the program. Except on very hardened binaries, attackers can easily find a portion of code that is located at a fixed address (circumventing ASLR) and which is executable (circumventing DEP). It is relatively straightforward to chain several such pieces to achieve (almost) arbitrary code execution.

3
Q

Why is ROP fairly straightforward even without contrived binaries that contain the pieces we need for our exploit?

A

the trick is to realize that programs that use functions from a shared library, like printf from libc, link the entire library into their address space at run time.

this means that even if the program never calls system, the code for system is mapped and reachable at runtime.

we can see this using gdb.
