Generating ROP payloads from numbers

Presented at DEF CON 22 (2014), Aug. 10, 2014, 2 p.m. (60 minutes).

Is it possible to generate a ROP payload whilst using as few gadgets from the target binary as possible? Is it also possible to build any shellcode in memory regardless of the opcodes in the target binary? An approach to this is to build the ROP payload by summing selected pieces of memory together and copying them to a stack in the process address space. A method and tool will be presented, which allows to stitch together selected numbers found in memory into a payload and execute it. Return Oriented Programming is at the core of modern exploitation technics, but the automation of the payload generation can be time consuming. The intent was to write a tool which is able to generate a generic enough ROP payload that it worked in most situations. I will present a new method to generate ROP payloads which relies on very few gadgets within the target binary (sometimes none), nor will rely on string copying particular bytes to build the in memory payload.


Presenters:

  • Alexandre Moneger - Cisco Systems
    Alex Moneger Alex Moneger works as a security engineer for Cisco Systems in the Cloud Web Security unit. The fun part of his working hours are spent trying to find efficient ways of detecting anomalous behaviours in http streams, thinking of ways to improve the efficacy of the web scanning process and dealing with whatever http and tls corner cases are thrown at him. His personal security interests are geared towards low level security, such as fuzzing, exploit writing and network security.

Links:

Similar Presentations: