the address of the next instruction (0x080b85b4). Therefore, in order to obtain the target address of the call instruction (0x08068508), our attack needs two instructions, i.e., a memory read instruction (at an address of our choosing) to read the offset, and an add instruction to add the offset to the address of the next instruction (static).
Finding jump target address in PLT. Every entry in PLT has 3 instructions that correspond to 16 bytes; see Figure 4. What we are interested in is the jump target of the first instruction, assuming that the program has been executing for a while and lazy linking has already filled in the GOT entry whose address appears in the first instruction. To find the jump target (0x08d06b90), we need another add instruction to compute the address of the jump target operand (offset of 2 bytes, at 0806850a) and another memory read instruction to read the jump target address.
08068508 <geteuid@plt>:
 8068508:  ff 25 90 6b 0d 08   jmp    *0x80d6b90
 806850e:  68 20 17 00 00      push   $0x1720
 8068513:  e9 a0 d1 ff ff      jmp    80656e0 <_init+0x30>
Fig. 4. Entry in PLT
Finding the address of the libc function in GOT. This step is simple, as the jump target found in PLT contains exactly the address of the libc function; see Figure 5. Therefore, we need only a memory read instruction here.
080d6b90 <_GLOBAL_OFFSET_TABLE_+2972>: e0 8a 09 00
Fig. 5. Entry in GOT
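The call -> PLT -> GOT chain walked in the three steps above, decoded from the bytes of Figures 4 and 5 as an added example (not the paper's code). The rel32 bytes of the caller's call instruction are not on the page; they are derived here from the two addresses the text gives (an assumption). The same decoding is what an analyst uses to audit a running process's GOT: a slot that still points back at its PLT push stub has not been bound yet, anything else should lie inside the mapped libc.

```python
import struct

# Constructed inputs from the figures and text: the PLT entry of Fig. 4, the GOT
# slot of Fig. 5 and the address of the instruction after the caller's call
# (0x080b85b4). The call's rel32 bytes are not on the page; they are derived
# here from those two addresses (assumption, -0x500ac).
PLT_ENTRY_BYTES = bytes.fromhex("ff25906b0d08" "6820170000" "e9a0d1ffff")
GOT_SLOT_BYTES = bytes.fromhex("e08a0900")
CALL_NEXT_IP = 0x080B85B4
CALL_REL32_BYTES = bytes.fromhex("54fffaff")

def call_target(next_ip, rel32_bytes):
    """E8 rel32: target = address of the next instruction + signed displacement."""
    (rel,) = struct.unpack("<i", rel32_bytes)
    return (next_ip + rel) & 0xFFFFFFFF

def plt_got_slot(entry_addr, entry_bytes):
    """First PLT instruction is FF 25 disp32 (jmp *disp32): the absolute GOT
    slot address is the 4-byte operand stored at offset 2 of the entry."""
    if entry_bytes[:2] != b"\xff\x25":
        raise ValueError("PLT entry does not start with jmp *disp32")
    (slot,) = struct.unpack("<I", entry_bytes[2:6])
    return slot, entry_addr + 2

def got_slot_value(slot_bytes):
    """A GOT slot holds one little-endian 32-bit pointer."""
    return struct.unpack("<I", slot_bytes)[0]

def is_lazily_unresolved(entry_addr, slot_value):
    """Before lazy binding runs, the slot points back at the entry's push (entry + 6),
    so a slot holding that value has not been resolved to libc yet."""
    return slot_value == entry_addr + 6

def resolve_chain(next_ip, rel32_bytes, entry_bytes, slot_bytes):
    """Follow call -> PLT -> GOT and report every intermediate address."""
    plt_entry = call_target(next_ip, rel32_bytes)
    slot_addr, operand_addr = plt_got_slot(plt_entry, entry_bytes)
    value = got_slot_value(slot_bytes)
    return {"plt_entry": plt_entry, "got_operand_at": operand_addr,
            "got_slot": slot_addr, "libc_function": value,
            "resolved": not is_lazily_unresolved(plt_entry, value)}

if __name__ == "__main__":
    chain = resolve_chain(CALL_NEXT_IP, CALL_REL32_BYTES, PLT_ENTRY_BYTES, GOT_SLOT_BYTES)
    for name, value in chain.items():
        print(f"{name:15} {hex(value) if type(value) is int else value}")
```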
Making a system call. Once the address of the libc function (geteuid) is found, we can make a system call by transferring control to an instruction inside the libc function. Figure 6 shows the instructions inside geteuid, in which the fourth instruction, call %gs:0x10, is the new system call instruction in Linux. We first initialize four register values (eax, ebx, ecx, edx) and then transfer control to this instruction. So our attack in this step simply needs register initialization instructions.
4.2 Finding Gadgets to Realize the Instructions Needed
In this subsection, we outline how the instructions needed in our attack are realized by return-oriented programming [14]. The idea of return-oriented programming is to use gadgets (short code sequences ended by ret, or by jmp <reg> [6]).