CET - Intel Control-flow Enforcement Technology
Source: Imre kasutab arvutit
Introduction
TODO
How it works
TODO
Usage - Ubuntu
TODO
Vulnerability example
Program illustrating the vulnerability: rop_lab.c. It overwrites the saved return address of vulnerable_function so that the function "returns" into malicious_gadget instead of main. This is the simplest form of the return-address hijack (a single return-to-function rather than a chain of gadgets) that CET's shadow stack is designed to detect: the address popped by `ret` no longer matches the copy the CPU pushed at the `call`.
$ cat rop_lab.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// This is our "gadget". The program never calls this function honestly!
// Reaching it means the saved return address was overwritten.
void malicious_gadget() {
    printf("\n⚡ [ATTACK SUCCESS] Control flow hijacked! Malicious code executing.\n");
    exit(0);
}

void vulnerable_function(char *str) {
    char buffer[16];
    // VULNERABILITY: strcpy does not check bounds.
    // It will overwrite the buffer, the saved frame pointer and the return address!
    strcpy(buffer, str);
    printf("[CPU] Function executing normally inside buffer layout.\n");
}

int main() {
    // We are crafting the malicious payload manually.
    // 16 bytes to fill the buffer + 8 bytes to smash the saved frame pointer
    // + 8 bytes containing the exact memory address of malicious_gadget().
    // The offsets assume the frame layout gcc produces at -O0 without a stack
    // canary; build with -fno-stack-protector, otherwise the canary check
    // aborts the program before the corrupted return address is ever used.
    char payload[32];

    // Fill the padding area with 'A's (0x41)
    memset(payload, 'A', 24);

    // Get the exact memory address of our target gadget
    unsigned long target = (unsigned long)malicious_gadget;

    // Append the target address onto the end of our overflow payload.
    // There is no explicit NUL terminator: strcpy stops at the first zero
    // byte, and the upper bytes of a user-space address are zero, so the copy
    // ends inside the address itself rather than running off the array.
    memcpy(payload + 24, &target, 8);

    printf("[Lab] Target Gadget Address is at: %p\n", (void*)target);
    printf("[Lab] Launching attack payload against vulnerable function...\n");
    vulnerable_function(payload);

    // With a CET shadow stack active, the `ret` in vulnerable_function would
    // compare the overwritten address with the shadow-stack copy and fault
    // instead of reaching malicious_gadget.
    printf("[CPU] Returned safely to main. (This should not happen if hacked!)\n");
    return 0;
}
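Whether CET actually intervenes in the run above depends on two things: the CPU must advertise CET, and the kernel must have enabled a shadow stack for this particular process. The checker below is an added example, not code from the original page. It assumes Linux 6.6 or newer on x86-64, where the kernel exposes the per-process state in the `x86_Thread_features` field of /proc/self/status, and it uses the compiler-provided <cpuid.h> helper for the CPUID bits; on other platforms it simply reports no support. The /proc lines used in the tests are constructed.

```c
// Added example (not part of the original page): report whether this CPU
// advertises CET and whether the kernel has turned on the user shadow stack
// for the running process. Assumes Linux >= 6.6 on x86-64 for the
// /proc/self/status field; elsewhere the functions return "no support".
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CET_SS  (1u << 0)   /* shadow stack:              CPUID.(7,0):ECX[7]  */
#define CET_IBT (1u << 1)   /* indirect branch tracking:  CPUID.(7,0):EDX[20] */

/* Hardware capability: CET bits from CPUID leaf 7, subleaf 0,
   mapped onto CET_SS / CET_IBT. Returns 0 on non-x86 builds. */
unsigned cpuid_cet_flags(void) {
    unsigned flags = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) {
        if (ecx & (1u << 7))  flags |= CET_SS;
        if (edx & (1u << 20)) flags |= CET_IBT;
    }
#endif
    return flags;
}

/* Parse one line of /proc/<pid>/status. For the line
   "x86_Thread_features:\tshstk wrss" return CET_SS when "shstk" is listed,
   0 when the field is present but empty, and -1 if this is some other field. */
int parse_thread_features(const char *line) {
    const char *key = "x86_Thread_features:";
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0) return -1;

    char buf[128];                        /* private copy: strtok modifies it */
    strncpy(buf, line + klen, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    int flags = 0;
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        if (strcmp(tok, "shstk") == 0) flags |= CET_SS;
    }
    return flags;
}

/* Per-process state: scan /proc/self/status for the field above.
   Returns -1 when the kernel does not expose it (no user shadow-stack support). */
int process_shstk_flags(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        int r = parse_thread_features(line);
        if (r >= 0) { result = r; break; }
    }
    fclose(f);
    return result;
}

int main(void) {
    unsigned hw = cpuid_cet_flags();
    printf("CPU advertises: CET_SS=%s CET_IBT=%s\n",
           (hw & CET_SS) ? "yes" : "no", (hw & CET_IBT) ? "yes" : "no");

    int proc = process_shstk_flags();
    if (proc < 0)
        puts("Kernel: no x86_Thread_features field (user shadow stack unsupported)");
    else
        printf("This process: shadow stack %s\n", (proc & CET_SS) ? "ENABLED" : "disabled");
    return 0;
}
```

If the CPU reports CET_SS but the process shows the shadow stack disabled, the usual reasons are that the binary was not built with `-fcf-protection=full` (which records the SHSTK property in the `.note.gnu.property` section; `readelf -n` lists it as "x86 feature: IBT, SHSTK") or that the C library did not enable the feature at startup. With the shadow stack active, the hijacked `ret` in rop_lab is reported as a SIGSEGV with si_code SEGV_CPERR (a control-protection fault) instead of printing "ATTACK SUCCESS".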
Useful additional materials
- TODO