Presentation Title Payload Already Inside: Data Re-Use for ROP Exploits
Presentation Abstract

Return-oriented programming (ROP) is one of the buzzing advanced exploitation techniques these days to bypass NX. There are several practical works using ROP techniques for exploitations on Windows, iPhoneOS to bypass DEP and code signing but no any practical ROP work for modern Linux distributions so far. Main issues for ROP exploitations on Linux x86 include ASCII-Armor address protection which maps libc address starting with NULL byte and Address Space Layout Randomization (ASLR).

In this presentation we will show how we can extend an old return-into-libc technique to a stage-0 loader that can bypass ASCII-Armor protection and make ROP on Linux x86 become a reality. In addition, by reusing not only codes but also data from the binary itself, we can build any chained ret2libc calls or ROP calls to bypass ASLR protection.

About Long Le

Long Le, CISA, is a security manager at one of the largest software outsourcing companies in Vietnam. He has been actively involved in computer security for more than 10 years since he and his friends founded the pioneer Vietnamese security research group VNSECURITY (http://vnsecurity.net). Described as neither a researcher nor a hacker, he loves playing wargames and Capture-The-Flag with the CLGT team in his spare time. In 2007 he was an organizing and technical committee member of VNSECON -the first international security conference in VN.

About Thanh Nguyen (Red Dragon)

Thanh Nguyen is a member of Security Center of Excellence at Intel Corporation where he focuses on (in)security analysis and hacking of various Intel next generation technologies/components in firmware, chipset and processor. Thanh has 15 years of hacking experience in a wide range of technologies from high scalability web architecture to low level OS development, chipset and uArch. His current interests are finding bug on PC/mobile phone platform, high scalability architecture, rootkit, reverse engineering and hacking proprietary algorithms/protocols. Thanh is a founder of VNSECURITY and member of The Hacker’s Choice (thc.org) security research groups.