"CTF" Reverse basis 2

Source: Internet
Author: User

    • The basic principle of RET2LIBC

RET2LIBC is a way to bypass DEP, as the name suggests is to use the system already exists in the system functions to construct the attack on DEP, there are about three ideas, through the zwsetinformationprocess function to close DEP, The Shellcode memory is set as executable through the VirtualProtect function, and space with execute permission is opened through the VirtualAlloc function.

    • The rationale used by format string

The format string is used essentially to achieve a memory arbitrary write purpose, take advantage of the variable number of printf function parameters addressing the vulnerability, and the conversion indicator%n.

    • Basic principles of ROP

As a simple example, the structure gadget process of ROP is described, and the stack space is formally represented as follows:

Gadget Construction Process Description:

Suppose an attacker intends to write the V1 value to the memory space pointed to by V2, i.e. memory[v2] = V1; The attacker controls the stack space and can construct the stack space layout; The attacker uses an indirect approach to find the equivalent instruction implementation by looking for the gadget command;

Gadget Execution Process Description:

1) Initially, the top pointer of the stack is ESP, which points to v1,eip=a1. 2) Pop operation, esp value plus 4,pop equivalent to memory transfer instruction. 3) After the pop and MOV instructions are executed, the CPU will continue to execute in a downward order. 4) RET equivalent to pop+jmp, so RET operation, ESP value will also add 4.

ROP using gadget graphic schematic (excerpt from a foreign ppt):

"CTF" Reverse basis 2

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.