• Save
Dive into ROP - a quick introduction to Return Oriented Programming
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Dive into ROP - a quick introduction to Return Oriented Programming

on

  • 14,006 views

A tutorial created to introduce you to the core concepts of Return Oriented Programming (ROP). ROP is an essential technique in defeating exploit mitigation protection such as DEP, found in modern ...

A tutorial created to introduce you to the core concepts of Return Oriented Programming (ROP). ROP is an essential technique in defeating exploit mitigation protection such as DEP, found in modern operating systems.

Statistics

Views

Total Views
14,006
Views on SlideShare
9,021
Embed Views
4,985

Actions

Likes
19
Downloads
0
Comments
1

13 Embeds 4,985

http://blog.exploitlab.net 4848
http://blog.naver.com 36
http://www.mybestcv2.co.il 34
http://hienact.wordpress.com 32
https://twitter.com 15
http://www.feedspot.com 8
https://hienact.wordpress.com 4
http://reader.aol.com 3
http://webcache.googleusercontent.com 1
http://www.tubebox.us 1
http://www.slideee.com 1
http://www.inoreader.com 1
http://2851662314069024595_89f081bf9b540d0f27204aa821c8c10338e06f51.blogspot.com 1
More...

Accessibility

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Dive into ROP - a quick introduction to Return Oriented Programming Presentation Transcript

  • 1. net-square © Saumil ShahDive into ROPReturn Oriented ProgrammingIntroduction and Core ConceptsSAUMIL SHAHwww.net-square.com
  • 2. net-square © Saumil ShahIntroductionThis tutorial shall introduce youto Return Oriented Programmingcommonly known as "ROP".We will cover the core conceptsbehind ROP and a small exampledemonstrating them.
  • 3. net-square © Saumil Shah# who am iSaumil ShahCEO Net-square.• Hacker, Speaker, Trainer,Author.• M.S. Computer SciencePurdue University.• @therealsaumil• LinkedIn: saumilshah
  • 4. net-square © Saumil ShahBackground• Here are some good refresher tutorialsbefore you dive into ROP:• Operating Systems – A Primer– understand how processes run,• How Functions Work– stack, frames, calls, returns, etc.,• Introduction to Debuggers– to try the discussed code example yourself.
  • 5. net-square © Saumil ShahBackground• And you need to know how stackoverflows work.
  • 6. net-square © Saumil ShahAgendaExploit Mitigation via DEPExecutable vs. Non-executableregionsRet2LibCReturn Oriented Programming
  • 7. net-square © Saumil ShahDEP: Data Execution Prevention• Execute Code, not Data.• Data areas marked non-executable.– Stack marked non-executable.– Heap marked non-executable.• Hardware enforced (NX).• You can load your shellcode in the stackor the heap...• ...but you cant jump to it.
  • 8. net-square © Saumil ShahExploitation – the good old way• Memory corruption exploits work in twostages:• Stage 1 – leverage memory corruption tocontrol process execution.• Stage 2 – direct process execution toinjected shellcode.
  • 9. net-square © Saumil ShahExploitation – the good old wayEIP CONTROLMemoryCorruptionJump toShellcodePre EIP Post EIP
  • 10. net-square © Saumil ShahExample: Stack OverflowSet EIP to landin shellcode inthe stackOverwriteReturn Addressin frameExecuteshellcode fromstackPre EIP Post EIP• Exceed bounds of local variable.• Overwrite saved return address inthe frame.• Control EIP when vulnerablefunction returns.• Shellcode is injected on the stackas part of the payload.• EIP can be set directly to a stackaddress, or...• ...perform a "jump throughregister" technique.
  • 11. net-square © Saumil ShahStack Overflow with DEPSet EIP to landin shellcode inthe stackOverwriteReturn Addressin frameExecuteshellcode fromstackPre EIP Post EIP• Entire stack region is marked as"non-executable".• EIP can land in the stack...• ...but no execution.• CPU will refuse to fetch-and-execute.
  • 12. net-square © Saumil ShahEIP control• EIP movementrestricted.– Cant jump to Heap.– Cant jump to Stack.• Can only land inexecutable regions.Program ImageHeapStackDLLDLLDLL
  • 13. net-square © Saumil ShahThe Solution?• We borrow bits and pieces of code...• ...that already exists in executableregions of the process!• We then create a SEQUENCE of operationsto be carried out.
  • 14. net-square © Saumil ShahOrchestrating Code Execution• Assume a series of cards where each cardindicates an operation to be performed.• The code for that operation is present inthe executable regions of the processmemory.– binary or shared library.• A card shall contain the address of thecode it wants to execute.
  • 15. net-square © Saumil ShahOrchestrating Code Execution• If we can create a chain of cards, eachcorresponding to a basic operation...• ...we can perform complex operations.• Example: Assume a complex operationbroken down into a sequence of basicoperations A, D, C, B, D, E.
  • 16. net-square © Saumil Shahbinobj1 (read,exec)binobj3 (read,exec)binobj2 (read,exec)AEHDFBCGExecute A, take next cardExecute D, take next cardExecute C, take next cardExecute B, take next cardExecute D, take next cardExecute E, take next card
  • 17. net-square © Saumil ShahOrchestrating Code Execution• Complex code can therefore betransformed into a sequence of primitiveoperations...• ...which are already present in theprocess executable regions.• These operations are called GADGETS.
  • 18. net-square © Saumil ShahROP – The Origins• The first idea of executing EXISTING codewas discussed in 1997.• Solar Designers Ret2LibC technique.• Devised to defeat non executable stack.
  • 19. net-square © Saumil ShahRet2LibC• Make EIP "return to an existing function"after a stack overflow.• If we cant execute shellcode...• ...we will "return" to system("/bin/sh")
  • 20. net-square © Saumil ShahRet2LibC - how does it work?• Create a fake frame on the stack.• After an overflowed function returns...• ...set the EIP return address to the newfunction.• Append the fake frame.• New function executes.– parameters consumed from the fake frame.• system("/bin/sh")
  • 21. net-square © Saumil ShahRet2LibC – how does it work?• The following function is vulnerable to astack overflow:void func1(char *s){char buffer[80];strcpy(buffer, s);::}
  • 22. net-square © Saumil ShahStack frame for func1()bufferreturn addresss• If s points to a string greater than 80characters, it will result in a stackoverflow.• The return address will be overwrittenwith an attacker controlled value.• When func1() returns, EIP can be set toan arbitrary address, resulting inprocess execution hijacking.
  • 23. net-square © Saumil ShahJump to shellcode - regular wayAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddr of shellcode on stackshellcode• Traditional way of implementing a"Post-EIP" jump to shellcode.• Other technique involve a "trampolinejump" or "Jump Through Register".• Either way, EIP lands in stack memory,occupied by shellcode.
  • 24. net-square © Saumil ShahJump to shellcode – with DEPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddr of shellcode on stackshellcode• The traditional way does NOT work ifstack is marked as non-executable.• EIP cannot be made to land in stackmemory.• EIP MUST stay within the binary orshared libraries (valid executablememory regions)
  • 25. net-square © Saumil ShahAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of system() in libcreturn from system()The Ret2LibC way• func1() is made to "return" tosystem() by overwriting its returnaddress with the address ofsystem() in libc.• A fake calling frame for system()is appended after the returnaddress for func1()• Return address for system() andparameter (pointer to "/bin/sh")are provided in the fake callingframe.address of string "/bin/sh""/bin/sh0"
  • 26. net-square © Saumil ShahAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of system() in libcreturn from system()The Ret2LibC wayaddress of string "/bin/sh""/bin/sh0"libcsystem()RET• Before func1() returns, ESP pointsto the overwritten returnaddress...• ...which now contains address ofsystem() in libc.ESP
  • 27. net-square © Saumil ShahAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of system() in libcreturn from system()The Ret2LibC wayaddress of string "/bin/sh""/bin/sh0"libcsystem()RET• After func1() returns, the savedreturn address is popped off thestack and EIP returns to system().ESP
  • 28. net-square © Saumil ShahAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of system() in libcreturn from system()The Ret2LibC wayaddress of string "/bin/sh""/bin/sh0"libcsystem()RET• system() will execute "/bin/sh"passed to it as a parameter.• When system() returns, EIP can bemade to return to an attackercontrolled address.ESPEIP
  • 29. net-square © Saumil ShahRet2LibC - Conclusions• It is possible to invoke an arbitraryfunction simply by placing a fake frame instack memory.• It is also possible to retain EIP controlafter the arbitrary function returns.• Ret2LibC is the basis for Return OrientedProgramming.
  • 30. net-square © Saumil ShahReturn Oriented Programming• Series of returns to functions.• Chained frames.• Transform EIP based primitives into stubs(gadgets) that can be "returned into".• We govern arbitrary code execution bycontrolling frames on the stack.• ESP is the new EIP!
  • 31. net-square © Saumil ShahIntroduction to ReturnOriented ProgrammingBasic Concepts
  • 32. net-square © Saumil ShahConcepts• Functions revisited• Function calls and returns• Stack overflows revisited• Creating stack frames• Chaining frames• ESP control
  • 33. net-square © Saumil ShahFunctions Revisited• How is a function called?• What does the stack frame look like?
  • 34. net-square © Saumil ShahCalling a function• Add two ints x, y.• add(3,4)• What does the callingframe look like?void add(int x, int y){int sum;sum = x + y;printf("%dn", sum);}int main(){add(3, 4);}
  • 35. net-square © Saumil ShahStack frame for add(3,4)frame for add()return address from add()34call add
  • 36. net-square © Saumil ShahReturn from add(3,4)• add() is about to return.• RET after epilogue of add().• Where does ESP point to?– immediately before the RET• What does the stack look like?
  • 37. net-square © Saumil ShahBefore the RETreturn address from add()34ESP
  • 38. net-square © Saumil ShahAnother function• Stack overflow infunc1.• Can we call add(5, 6)after returning fromfunc1?void func1(char *s){char buffer[128];strcpy(buffer, s);}int main(){func1(argv[1]);}
  • 39. net-square © Saumil ShahStack frame for func1()bufferreturn address from func1s
  • 40. net-square © Saumil Shahstrcpy(buffer, s)bufferreturn address from func1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  • 41. net-square © Saumil ShahBefore the RETbufferreturn address from func1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAESP
  • 42. net-square © Saumil ShahAfter the RETbufferreturn address from func1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEIP = 0x41414141ESP
  • 43. net-square © Saumil ShahReturn to add()• Insert a fake frame in the buffer.• Make func1() return to:add(01010101, 02020202)• What does the stack frame look like?
  • 44. net-square © Saumil Shahstrcpy(buffer, s)bufferreturn address from func1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of add()return from add()0101010102020202
  • 45. net-square © Saumil ShahBefore func1() returnsbufferreturn address from func1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of add()return from add()0101010102020202ESP
  • 46. net-square © Saumil ShahReturn to add()bufferreturn address from func1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of add()return from add()0101010102020202ESPEIP = add()
  • 47. net-square © Saumil ShahReturn to add()• By carefully creating a frame...• ...we can make the program "return toour function".• We control the parameters.• We also control where to jump to afterour function returns.
  • 48. net-square © Saumil Shahrop_victim.cint main(int argc, char *argv[]){add(3, 4);func1(argv[1]);}void func1(char *s){char buffer[128];strcpy(buffer, s);}void print_hello(void){printf("Hello Worldn");}void add(int x, int y){int sum;sum = x + y;printf("%d + %d = %dn", x, y, sum);}stack overflow lurks here!
  • 49. net-square © Saumil ShahBuilding rop_victim• Create a file called "rop_victim.c" withthe contents as shown in the previousslide.• Compile "rop_victim.c" as follows• And run it normally:$ gcc rop_victim.c –o rop_victim$ ./rop_victim HELLOWORLD
  • 50. net-square © Saumil ShahMaking func1() return to add()• We shall exploit the stack overflow infunc1() and make it return to add().• For this, we must inspect the callingframe for add()...• ...and eventually place a fake frame foradd() on the stack when overflowingfunc1().
  • 51. net-square © Saumil ShahInspecting add()s calling frame• Open "rop_victim" in gdb, and set abreakpoint just before the call to add() inmain().• We want to inspect the stack memorybefore call add()...• ...and immediately after call add() aswell.$ gdb rop_victim
  • 52. net-square © Saumil Shahgdbing add• Set a breakpoint before call add()(gdb) disassemble main0x08048454 <+0>: push %ebp0x08048455 <+1>: mov %esp,%ebp0x08048457 <+3>: and $0xfffffff0,%esp0x0804845a <+6>: sub $0x10,%esp0x0804845d <+9>: movl $0x4,0x4(%esp)0x08048465 <+17>: movl $0x3,(%esp)0x0804846c <+24>: call 0x80484bd <add>0x08048471 <+29>: cmpl $0x1,0x8(%ebp)0x08048475 <+33>: jle 0x8048487 <main+51>0x08048477 <+35>: mov 0xc(%ebp),%eax(gdb) break *0x0804846c
  • 53. net-square © Saumil ShahBefore add• Run rop_victim and single step into add()• We are inside add() now.• Look at the stack frame.(gdb) run HELLOWORLDStarting program: /home/krafty/rop_intro/rop_victim HELLOWORLDBreakpoint 1, 0x0804846c in main ()(gdb) stepi0x080484bd in add ()(gdb) where#0 0x080484bd in add ()#1 0x08048471 in main ()
  • 54. net-square © Saumil ShahStack frame before add(3, 4)• Dump the stack:(gdb) x/10x $esp0xbffff41c: 0x08048471 0x00000003 0x00000004 0x0804851b0xbffff42c: 0x00292ff4 0x08048510 0x00000000 0xbffff4b80x0804847134return addressfrom add()param1param2
  • 55. net-square © Saumil ShahOverflowing func1()• Overflow func1 and......return to add(01010101, 02020202)• Create a fake frame.• Overwrite stack memory.return from func1param1param2return from add0x080484bd0x010101010x020202020x42424242
  • 56. net-square © Saumil ShahCreating a fake frame• Create the buffer overflow payload asfollows:• Write a program to create such a bufferand use it as an input to rop_victim.c080484bdAAAAAA.........AAAAAA 42424242 01010101 02020202distanceto EIPaddressof addreturnfrom addparam1 param2
  • 57. net-square © Saumil ShahESP• Where will ESP be after returning fromadd?• Verify080484bdAAAAAA...140...AAAAAA 42424242 01010101 02020202(gdb) x/64x $esp0xbffff2e4: 0x01010101 0x02020202 0x00292f00 0x080485100xbffff2f4: 0x00000000 0xbffff378 0x00153bd6 0x00000002ESP
  • 58. net-square © Saumil ShahChaining functions• After add(01010101, 02020202), we wantto run add(03030303, 04040404).• How should we set up the frames?• First, study the frame after add() returns.
  • 59. net-square © Saumil ShahAfter add() returnsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of add424242420101010102020202ESPEIP = 42424242
  • 60. net-square © Saumil ShahWhere does the new frame go?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of add424242420101010102020202address of add??0303030304040404
  • 61. net-square © Saumil ShahWhere does the new frame go?• We get only ONE chance at strcpy.• How do we preserver params 01010101and 02020202?• We can only APPEND the second framebelow our first frame.• We have to unwind the first frame beforereturning to the second frame.• Answer: Return to Epilogue!
  • 62. net-square © Saumil ShahChaining the framesAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of addaddress of POP/POP/RET0101010102020202address of add424242420303030304040404add(01010101, 02020202)add(03030303, 04040404)
  • 63. net-square © Saumil ShahKeeping ESP in controlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of addaddress of POP/POP/RET0101010102020202address of add424242420303030304040404ESPReturn from func1
  • 64. net-square © Saumil ShahKeeping ESP in controlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of addaddress of POP/POP/RET0101010102020202address of add424242420303030304040404ESPReturn from func1Return to add()
  • 65. net-square © Saumil ShahKeeping ESP in controlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of addaddress of POP/POP/RET0101010102020202address of add424242420303030304040404ESPReturn from func1Return to add()Return to POP/POP/RET
  • 66. net-square © Saumil ShahKeeping ESP in controlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of addaddress of POP/POP/RET0101010102020202address of add424242420303030304040404ESPReturn from func1Return to add()Return to POP/POP/RETPOPPOP
  • 67. net-square © Saumil ShahKeeping ESP in controlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of addaddress of POP/POP/RET0101010102020202address of add424242420303030304040404Return from func1Return to add()Return to POP/POP/RETPOPPOPESPRET - Return to add()
  • 68. net-square © Saumil ShahKeeping ESP in controlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaddress of addaddress of POP/POP/RET0101010102020202address of add424242420303030304040404Return from func1Return to add()Return to POP/POP/RETPOPPOPESPRET - Return to add()Finally EIP = 0x42424242
  • 69. net-square © Saumil ShahChained Frames• Create another buffer overflow payload:080484bdAAAAAA...140...AAAAAA 08048422 01010101 02020202distanceto EIPaddressof addPOP/POP/RETparam1 param2080484bd 42424242 03030303 04040404addressof addreturnfrom addparam1 param2 Use msfelfscan tofind the address ofPOP/POP/RET fromrop_victim binary.
  • 70. net-square © Saumil ShahIts all about ESP!• ESP is the new EIP.• ROP involves keeping the ESP movingthrough the frames on the stack.• Frames can be chained by returning toepilogues of functions.– to appropriately unwind the parameterspushed on the stack.• We must never lose sight of RET
  • 71. net-square © Saumil ShahCode Execution – The ROP Way• Piece together snippets of code• Gadgets – primitive operations, to besearched for within the process binary orshared libraries.• Every gadget must end with a RET.• We find gadgets in function epilogues.
  • 72. net-square © Saumil Shahbinobj1binobj3binobj2AEDf1()f6()f4()f2()f3()BCf7()f5()f8()RETRETRETRETRETRETRETRETExecute A, take next cardExecute D, take next cardExecute C, take next cardExecute B, take next cardExecute D, take next cardExecute E, take next card
  • 73. net-square © Saumil ShahTo Conclude• ROP requires a different way of thinkingabout code execution.• Code is not executed as a series ofopcodes and operands.• Instead, code is executed via a series ofchained frames on the stack.• Rather, a series of chained GADGETS onthe stack.
  • 74. net-square © Saumil ShahTo Conclude• The objective of this tutorial was tointroduce you to the concept of "ReturnOriented Programming".• Theres a lot more to be talked aboutwhen it comes to ROP.• Exploits on modern operating systemswhich implement DEP necessarily requireROP to execute shellcode.
  • 75. net-square © Saumil ShahTo Conclude• ROP requires a lot of hands-on practice.• There are sophisticated tools availablefor assembling your own ROP chains.– skyrack– RoPeMe– ropshell.com, etc.
  • 76. net-square © Saumil ShahAll-New! EXPLOITLAB 2013saumil@net-square.com@therealsaumil | blog.exploitlab.net