- The basic principle of RET2LIBC
RET2LIBC is a technique for bypassing DEP. As the name suggests, it reuses functions that already exist in the system (in the loaded libraries) to build an attack that defeats DEP. There are roughly three approaches: turn DEP off for the process via the ZwSetInformationProcess function, mark the memory holding the shellcode as executable via the VirtualProtect function, or allocate a new region with execute permission via the VirtualAlloc function.
- The basic principle of format string exploitation
A format string vulnerability is essentially used to achieve an arbitrary memory write. It exploits the way the variable-argument printf family locates its parameters (each conversion consumes the next argument slot on the stack, regardless of how many arguments were actually passed), combined with the %n conversion specifier, which writes the number of characters output so far to the address taken from that slot.
As a simple example, the gadget construction process of ROP is described below; the stack layout is represented formally as follows:
Gadget Construction Process Description:
Suppose an attacker intends to write the value V1 to the memory location pointed to by V2, i.e. memory[V2] = V1. The attacker controls the stack and can therefore construct its layout. Instead of injecting code, the attacker finds an equivalent instruction sequence indirectly, by searching the existing code for suitable gadgets (short instruction sequences ending in RET).
Gadget Execution Process Description:
1) Initially, the stack pointer ESP points to V1, and EIP = a1 (the address of the first gadget).
2) The POP instruction executes and ESP increases by 4; POP is equivalent to a memory-to-register move from [ESP] followed by that increment.
3) After the POP and MOV instructions have executed, the CPU continues executing sequentially to the next instruction in the gadget.
4) RET is equivalent to POP + JMP (it pops the next address from the stack into EIP), so on each RET the ESP value also increases by 4.
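The four steps above, as an added example that is not part of the original notes: a small model of the 32-bit stack machine (POP as load-from-[ESP] plus ESP += 4, RET as POP EIP) that runs a constructed chain achieving memory[V2] = V1. The gadget addresses A1..A3, the values V1 and V2, and the stack base are constructed for illustration.

```python
# Added example, not from the original notes: a tiny model of the 32-bit stack
# machine described above (pop = load from [esp] then esp += 4; ret = pop eip).
# It runs a constructed chain that achieves memory[V2] = V1 with three gadgets:
#   A1: pop eax ; ret      A2: pop ebx ; ret      A3: mov [ebx], eax ; ret
# All addresses and values below are constructed for illustration.
A1, A2, A3 = 0x08048A10, 0x08048A20, 0x08048A30
V1, V2 = 0x41414141, 0x0804B000          # value to write, destination address
CHAIN_END = 0x0BADF00D                   # not a gadget: execution stops here

GADGETS = {
    A1: [("pop", "eax"), ("ret",)],
    A2: [("pop", "ebx"), ("ret",)],
    A3: [("mov_mem", "ebx", "eax"), ("ret",)],
}

def build_stack(base=0xBFFFF000):
    """Attacker-controlled stack: ESP starts at base (pointing to V1), EIP = A1."""
    words = [V1, A2, V2, A3, CHAIN_END]
    return {base + 4 * i: w for i, w in enumerate(words)}, base

def run_chain(stack, esp, eip, gadgets=GADGETS):
    """Execute gadgets from eip until a return address that is not a gadget."""
    regs, mem, trace = {"eax": 0, "ebx": 0}, {}, []
    while eip in gadgets:
        for ins in gadgets[eip]:
            if ins[0] == "pop":                 # mov reg, [esp] ; add esp, 4
                regs[ins[1]] = stack[esp]
                esp += 4
                trace.append(f"pop {ins[1]} <- {regs[ins[1]]:#x}; esp={esp:#x}")
            elif ins[0] == "mov_mem":           # mov [dst_reg], src_reg
                mem[regs[ins[1]]] = regs[ins[2]]
                trace.append(f"mov [{regs[ins[1]]:#x}], {regs[ins[2]]:#x}")
            elif ins[0] == "ret":               # pop eip ; jmp eip
                eip = stack[esp]
                esp += 4
                trace.append(f"ret -> eip={eip:#x}; esp={esp:#x}")
    return {"mem": mem, "regs": regs, "esp": esp, "eip": eip, "trace": trace}

if __name__ == "__main__":
    stack, esp0 = build_stack()
    result = run_chain(stack, esp0, A1)
    print("\n".join(result["trace"]))
    print(f"memory[{V2:#x}] = {result['mem'][V2]:#x}")   # memory[0x804b000] = 0x41414141
```

The trace shows ESP advancing by 4 on every POP and every RET, which is why each gadget consumes exactly the stack words laid out for it.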
Schematic of ROP using gadgets (excerpted from a foreign ppt):
"CTF" Reverse Basics 2