Question
Return-Oriented Programming (ROP). Return-oriented programming uses sequences of instructions that are already part of the executable program. These are called gadgets; each gadget ends with the single-byte instruction ret (binary code 0xc3). The exploit input consists of (i) enough padding to reach the return address from the vulnerable function (can be anything), followed by (ii) a sequence of addresses of gadget code in the program. Each gadget executes a few instructions that do something useful (e.g., move a particular value into a particular register), then “return” to the address on the top of the stack, which starts the next gadget.

ROP is important to know about because attackers can use it when countermeasures like non-executable stack make code injection infeasible. In this problem, you will search for gadgets in programs on your VM.

(Nota bene: ROP is a technique for exploiting an existing vulnerability—i.e., buffer overflow—in a program; it does not create any vulnerabilities. So before even beginning to craft an attack consisting of a sequence of gadgets, an attacker must find a vulnerable executable file. In that sense, this exercise is unrealistic, because as far as we know the programs in which you will look for gadgets do not have vulnerabilities.)

The directory /usr/bin contains common commands, i.e., programs that you run from the shell (command line). Examples include mv (rename a file), cp (copy a file), more (print out a text file, pausing after each page of output), wc (print the number of lines, words, and characters in a file), od (“octal dump”—print the bytes of a file interpreted as characters or other types), gcc (the GNU C compiler), and bash (Bourne-again shell, the default shell in Linux). Each of these (along with many others) is an ELF-format executable (binary) file, containing binary x86-64 machine instructions.

For example, the table says that movq %rdx, %rax is the 3-byte hexadecimal sequence 48 89 d0, and popq %rsi is the single (hex) byte 5e. If these byte sequences are followed by the byte c3 (ret), they can be used as gadgets.

You can find gadgets in a binary file using the od command with the argument -tx1. This prints out every byte of the file in hex, with 16 bytes per line. You can pipe the output into grep to search for the specific patterns you need. (grep is an extremely useful tool that searches for patterns in files. Do man grep on your VM to learn more.) For example, if you want to look for a gadget in the code for bash that would copy 8 bytes from %rsi to %rax, you would search for the pattern 48 89 f0 c3:
od -tx1 /usr/bin/bash | grep "48 89 f0 c3"
Note the quotes; they are necessary. Also, the -tx1 argument tells od to print each byte’s value in hex. This will print lines of output from od that contain the pattern you are looking for (16 bytes/line); the number at the beginning of each line is its offset from the beginning of the file (in octal, i.e., base 8).
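The od/grep recipe above has two practical wrinkles that matter when you report decimal offsets: od prints the offset of the start of each 16-byte line in octal (so the byte's decimal offset is that value converted from base 8 plus its column in the line), and grep only sees one line at a time, so a gadget whose bytes straddle a 16-byte line boundary is silently missed. The Python script below is an added example written for this page (it is not part of the assignment or of any tool it names); it scans a byte buffer directly for a gadget's byte pattern, emulates the od -tx1 | grep approach with the octal-to-decimal conversion, and shows where the two disagree. The sample "binary" is constructed inline, with gadget bytes planted at known positions, so it runs offline; pass a real file path on the command line to scan an ELF from /usr/bin instead.

```python
"""Count and locate ROP gadget byte patterns, comparing a direct byte scan
with an emulation of `od -tx1 file | grep "<hex>"`.  Added example, not
part of the assignment text."""
import sys

# Gadget encodings taken from the assignment's table (x86-64, AT&T syntax).
MOVQ_RSI_RAX_RET = bytes.fromhex("4889f0c3")   # movq %rsi,%rax ; ret
POPQ_RDI_RET     = bytes.fromhex("5fc3")        # popq %rdi ; ret
POPQ_RBP_RET     = bytes.fromhex("5dc3")        # popq %rbp ; ret


def build_sample() -> bytes:
    """Constructed stand-in for a binary: NOP filler with gadgets planted
    at known offsets.  One movq gadget is placed at offset 30 so that its
    four bytes (30..33) straddle the 16-byte od line boundary at 32."""
    buf = bytearray(b"\x90" * 64)
    buf[10:14] = MOVQ_RSI_RAX_RET   # fully inside od line 0 (offsets 0..15)
    buf[30:34] = MOVQ_RSI_RAX_RET   # straddles od lines 1 and 2
    buf[40:42] = POPQ_RDI_RET
    buf[50:52] = POPQ_RBP_RET
    return bytes(buf)


def find_gadget_offsets(data: bytes, pattern: bytes) -> list:
    """Every decimal offset at which `pattern` occurs in `data`.  Searches the
    raw bytes, so line boundaries are irrelevant and overlaps are kept."""
    offsets, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def od_tx1_lines(data: bytes) -> list:
    """Render `data` the way `od -tx1` prints it: a 7-digit octal line
    offset followed by up to 16 space-separated hex bytes (emulation;
    the real od also collapses repeated lines with '*', which is ignored here)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        lines.append(f"{off:07o} " + " ".join(f"{b:02x}" for b in chunk))
    lines.append(f"{len(data):07o}")          # od's trailing total-length line
    return lines


def grep_od_lines(lines: list, pattern_hex: str) -> list:
    """Emulate `grep "<hex bytes>"` over od output and convert each hit to a
    decimal file offset: int(line_offset, 8) + column of the match."""
    pat = pattern_hex.split()
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue                           # trailing length-only line
        line_off = int(fields[0], 8)           # od offsets are octal
        row = fields[1:]
        for col in range(len(row) - len(pat) + 1):
            if row[col:col + len(pat)] == pat:
                hits.append(line_off + col)
    return hits


def compare(data: bytes, pattern: bytes) -> dict:
    """Direct scan vs. od/grep emulation for one gadget pattern."""
    direct = find_gadget_offsets(data, pattern)
    via_grep = grep_od_lines(od_tx1_lines(data), pattern.hex(" "))
    return {"direct": direct, "od_grep": via_grep,
            "missed_by_grep": sorted(set(direct) - set(via_grep))}


if __name__ == "__main__":
    # With no argument, use the constructed sample; otherwise scan a real file.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, pat in [("movq %rsi,%rax; ret", MOVQ_RSI_RAX_RET),
                      ("popq %rdi; ret", POPQ_RDI_RET),
                      ("popq %rbp; ret", POPQ_RBP_RET)]:
        print(name, compare(data, pat))
```

On the constructed sample the direct scan reports the movq gadget at decimal offsets 10 and 30, while the od/grep emulation reports only 10, because the occurrence at 30 spans two od lines. The same limitation applies to the real pipeline, so a count obtained with grep is a lower bound; searching the raw bytes (or using a tool that disassembles the executable sections) gives the exact count.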
a. How many occurrences of the gadget movq %rsi, %rax; ret do you find in the bash program? What are their offsets (if any) from the beginning of the file? (Answers in decimal please.) Same question for the more program.
b. How many occurrences of a gadget that pops the top of the stack into %rdi can you find in the program /usr/bin/wc? Give (decimal) offsets, if any. Same question for more?
c. How many occurrences of a gadget that pops into %rbp can you find in /usr/bin/cp?

Problem 2. Gadgets that pop values from the stack into a register are especially useful, as the value to be loaded in the register can be put on the stack as part of the exploit, providing control over what gets loaded into the register. Suppose there is a gadget popq %rdi; ret at address 0x0000555555555473. Your goal is to place the value 0xfeedface00000000 in register %rdi and then transfer control to a function called foo, which is at address 0x000055555557960e. The return address from the vulnerable function (i.e., the function whose buffer you will overflow with your exploit) starts exactly 48 bytes from the start of the buffer where your exploit goes. Give your exploit string in the form of input to hex2raw. (Hint: The information you need is all here; you just have to figure out in what order things should be in the exploit string. It will probably help to draw a picture.)
Expert Solution
Step 1: Outline of the given question
a. In question a, you're asked to search for a particular gadget in the `bash` and `more` programs and determine how many times it appears and its offsets from the start of each file.
b. In question b, you need to find gadgets in the `/usr/bin/wc` and `more` programs that pop values into `%rdi`, count their occurrences, and provide offsets if found.
c. In question c, you are asked to find gadgets in the `/usr/bin/cp` program that pop values into `%rbp` and count how many times they occur.