08 - Return Oriented Programming, the chosen one

* Introduction to ROP
* Finding gadgets
* Chaining gadgets
* Stack pivoting

Related Books

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

08 - Return Oriented Programming, the chosen one

1. Return Oriented Programming
   The chosen one
   Alex Moneger, Security Engineer

2. Introduction
   * ROP = Return Oriented Programming
   * Uses the “ret” instruction to drive the execution flow
   * Allows bypassing ASLR and DEP
   * Relies on the fact that the .text section is at a fixed address
   * Used in all modern exploits
   © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

3. Refresher
   * Ret2libc uses function addresses at known locations
   * Never executes code on the stack
   * Problem: ASLR randomizes the addresses
   * Any other fixed address candidates?

4. General concepts

5. Non-randomized addresses
   * Check the randomization again:

   cisco@kali:~/src/seccon/ch8$ ./aslr
   Stack base address: 0xbfcb9a74
   Heap base address: 0x8cbd008
   Memcpy libc address: 0xb76ad9a0
   Code section address: 0x804857e
   Data section address: 0x80498d0
   RO data section address: 0x8048670
   cisco@kali:~/src/seccon/ch8$ ./aslr
   Stack base address: 0xbfd14d04
   Heap base address: 0x85d7008
   Memcpy libc address: 0xb76ce9a0
   Code section address: 0x804857e
   Data section address: 0x80498d0
   RO data section address: 0x8048670

   * With ASLR enabled, .text is not randomized

6. Impact
   * .text section is not randomized
   * .data section is not randomized
   * PLT is a fixed offset from .text
   * GOT is at a fixed address, because it is in the same segment as .text
   * Can we re-use any of this?

7. .text
   * What can we do in .text?
   * .text is the code section, so it contains instructions
   * How can we re-use those instructions?
   * Remember the pop;pop;ret construct from ret2libc?
   * We can re-use any instructions with a trailing “ret”
   * This lets us keep control of the execution stack

8. BoF is control of eip, ROP is control of esp

9. Visual flow
   * I want to add 2 values together
   * Then put that value at a memory address
   * i.e: 4 (eax) + 3 (ebx) = 7 (eax)
   * 0x1234 (mem) = 7 (eax)

   Chain on the stack (lowest address first)   Gadget that runs
     &pop;pop;ret                                pop reg ; pop reg ; ret
     4
     3
     &add reg reg; ret                           add ; ret
     &pop;ret                                    pop reg ; ret
     0x1234
     &mov mem reg ; ret                          mov ; ret

10. Steps
   1. Know what you want to achieve (hardest)
   2. Have a vague low-level idea of how to do it
   3. Find gadgets
   4. Find a way to stitch them together
   5. Debug
   6. Exploit

11. Finding instructions
   * Find all “ret”s in a program (opcode “\xc3”)
   * Disassemble backwards (pick a reasonable amount of instructions)
   * Set of instructions
   * Referred to as “gadgets”
   * That gives you a set you can play with

12. Finding instructions
   1. Use objdump
      * Suboptimal, requires the ret instruction to be semantically correct
   2. Search for the “\xc3” opcode manually and disassemble back from there
      * A lot of manual work
   3. Use a proper tool
      * We’ll use a tool, for once ;)

13. Ropeme
   * Ropeme disassembles backwards a number of instructions
   * Allows you to search for gadgets using wildcards:

   cisco@kali:~/src/seccon/ch8$ ropshell.py
   Simple ROP interactive shell: [generate, load, search] gadgets
   ROPeMe> generate ch6 4
   Generating gadgets for ch6 with backward depth=4
   It may take few minutes depends on the depth and file size...
   Processing code block 1/1
   Generated 93 gadgets
   Dumping asm gadgets to file: ch6.ggt ... OK
   ROPeMe> search add eax %
   Searching for ROP gadget: add eax % with constraints: []
   0x80482fcL: add eax 0x3ee8 ; add [eax+0x5b] bl ; leave ;;
   0x80485f8L: add eax 0x83038745 ; add al 0x6e ;;
   ROPeMe> search pop % -leave
   Searching for ROP gadget: pop % with constraints: ['-leave']
   0x8048528L: pop ebp ;;
   0x8048495L: pop ebx ; pop edi ; pop ebp ;;
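The procedure of slides 11 to 13 (find every 0xc3, disassemble backwards from it, then query the result with wildcards) as an added Python example. It is not part of the deck and not ropeme's code: it decodes only a handful of x86-32 one- and two-byte instructions, just enough to show why different start offsets in front of the same ret give different gadgets, and it runs over a constructed byte string rather than ch6 or ch8. The same census is what you run on your own builds to see how many usable gadgets a binary still exposes.

```python
import re

# Added example (not from the deck, not ropeme): a minimal gadget finder over a
# byte buffer. It knows a few x86-32 opcodes, finds every 0xc3 (ret), and tries
# every start offset up to `depth` instructions before it, keeping the decodings
# that land exactly on the ret without crossing another ret.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
TWO_BYTE = {0x01: "add", 0x29: "sub", 0x31: "xor", 0x89: "mov"}   # op r/m32, r32


def decode(buf, i):
    """Decode one instruction at buf[i]; return (text, length) or None if unknown."""
    b = buf[i]
    if b == 0xc3:
        return "ret", 1
    if b == 0xc9:
        return "leave", 1
    if b == 0x90:
        return "nop", 1
    if 0x50 <= b <= 0x57:
        return f"push {REGS[b - 0x50]}", 1
    if 0x58 <= b <= 0x5f:
        return f"pop {REGS[b - 0x58]}", 1
    if 0x91 <= b <= 0x97:                      # 0x94 is the "xchg esp eax" of slide 29
        return f"xchg {REGS[b - 0x90]} eax", 1
    if b in TWO_BYTE and i + 1 < len(buf) and buf[i + 1] >> 6 == 3:   # register form only
        modrm = buf[i + 1]
        return f"{TWO_BYTE[b]} {REGS[modrm & 7]} {REGS[(modrm >> 3) & 7]}", 2
    return None


def find_gadgets(buf, base, depth):
    """Return {address: 'ins ; ins ; ret'} for every gadget of at most `depth`
    instructions before the ret, found by disassembling backwards from each 0xc3."""
    gadgets = {}
    for ret_off in (i for i, b in enumerate(buf) if b == 0xc3):
        for start in range(max(0, ret_off - 2 * depth), ret_off):   # longest opcode here is 2 bytes
            pos, ins = start, []
            while pos < ret_off and len(ins) < depth:
                d = decode(buf, pos)
                if d is None or d[0] == "ret":    # undecodable byte, or an earlier ret in the way
                    break
                ins.append(d[0])
                pos += d[1]
            if pos == ret_off and ins:            # decoding must land exactly on our ret
                gadgets[base + start] = " ; ".join(ins + ["ret"])
    return gadgets


def search(gadgets, pattern, exclude=()):
    """ropeme-style query: '%' is a wildcard, `exclude` drops gadgets containing a word."""
    rx = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("%")))
    return sorted(a for a, g in gadgets.items()
                  if rx.match(g) and not any(x in g for x in exclude))


# Constructed code bytes (not from any real binary); BASE is a typical non-PIE load address.
BASE = 0x08048000
CODE = bytes([
    0x55,        # push ebp
    0x89, 0xe5,  # mov ebp esp
    0x58,        # pop eax
    0x5b,        # pop ebx
    0xc3,        # ret
    0x01, 0xca,  # add edx ecx
    0xc3,        # ret
    0x94,        # xchg esp eax
    0xc3,        # ret
    0xc9,        # leave
    0xc3,        # ret
    0x5d,        # pop ebp
    0xc9,        # leave
    0xc3,        # ret
])

if __name__ == "__main__":
    found = find_gadgets(CODE, BASE, depth=3)
    for addr in sorted(found):
        print(f"{addr:#x}: {found[addr]}")
    print("pop % -leave ->", [hex(a) for a in search(found, "pop %", exclude=("leave",))])
```

Note how the second gadget of the constructed buffer (`add edx ecx ; ret`) is only found when decoding starts on the 0x01 byte: starting one byte later hits 0xca, which this decoder does not know, so nothing is reported from there. With a full decoder that byte would decode to something else, which is exactly why backwards disassembly has to try every start offset.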
14. Useful gadgets
   * pop reg => put a value in reg
   * add [reg1] reg2 => add reg2 to the memory address in reg1
   * mov [reg1] reg2 => mov reg2 into the memory address in reg1
   * call reg => call the address in reg
   * jmp reg => jump to the address in reg

15. Put gadgets together
   * Create high level gadgets, by putting low level gadgets together:

   # Write value in eax to memory
   0x8048502L: pop ebx ; pop ebp ;;
   0x80484feL: add [ebx+0x5d5b04c4] eax ;;
   # Load memory value into eax
   0x8048502L: pop ebx ; pop ebp ;;
   0x804875eL: add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop ebp ;;
   # Load eax with a value
   0x804dad5L: mov eax edi ; pop ebx ; pop esi ; pop edi ; pop ebp ;;

   * It’s up to you to find meaningful gadgets to use
   * Use those high level gadgets to build payloads

16. ROP flow

17. Stages
   * A ROP exploit generally has multiple stages
   1. Stage 0:
      * Stabilize exploit
      * Take control of eip
      * Copy payload into fake frame
      * Dereference GOT
   2. Stack pivot from stage 0 to stage 1

18. Stage 1
   3. Stage 1:
      * Change memory permissions (optional)
      * Execute payload
      * Cleanup (optional)

19. Getting function addresses

20. GOT dereferencing
   * Remember the GOT?
   * Grab an arbitrary address from it
   * Add the libc offset of the function you want
   * Call it
   * Or write it to mem, and call it later

21. Example
   * Find execve based on strcpy (0xb7ed8b70)
   * &strcpy GOT = 0x08049fec
   * &execve – &strcpy = 0x27b10

   # Get the GOT address of strcpy (0x08049fec) into ebx
   0x8052b9dL: pop ebx ; lea eax [edx+eax*8] ;;
   # Move the content of GOT entry (&strcpy) into edx
   0x8052b98L: mov edx [ebx] ; pop ebx ; lea eax [edx+eax*8] ;;
   # Move delta between functions 0x27b10 into ecx
   0x8060883L: pop ecx ;;
   # Add &strcpy with offset = &execve!
   0x8061ddaL: add edx ecx ;;

   Stack layout (top = highest address; the bottom word is the first one executed):
     0x8061dda
     0x27b10
     0x8060883
     0x41414141
     0x8052b98
     0x08049fec
     0x8052b9d

22. Calling the function
   * Calling the dereferenced function (value in edx)

   # Call register
   0x804c244L: call edx ; leave ;;

   * Writing the dereferenced function somewhere (i.e.: 0x12345678)

   # Move address value (0x12345678) into eax
   0x8058ae0L: pop eax ; pop ebx ;;
   # Move edx to that address
   0x8056579L: mov [eax] edx ;;

23. Copying payload

24. Stage 0
   * 2 options:
      * Build shellcode from pieces of memory
      * Do multiple GOT dereferencing
   * Both end up the same:
      * Build fake stack frame to transfer control to

25. Copying shellcode
   * Find individual shellcode bytes in memory
   * Use a copy function (i.e: strcpy) to copy bytes from memory to the fake stack frame
   * Ropc can give you the memory addresses of shellcode bytes

   cisco@kali:~/src/seccon/ch8$ ropc -s "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80" -f ch8
   0x00000000 -> "\x6a" (NOT FOUND)
   0x080485b4 -> "\x0b"
   0x080480f8 -> "\x58"
   0x08048378 -> "\x99"
   0x0804836a -> "\x52"

26. Building payload
   * Identify fake stack
   * Find the addresses of the functions you’re interested in
   * Copy function addresses to fake stack
   * Copy arguments to fake stack
   * Stack pivot to new stack

27. Stack pivoting

28. Stack pivoting
   * Build a fake stack in memory with your payload
   * Move to it to start execution of payload
   * Called stack pivoting, because you lead the execution flow to your own stack

29. How to do it?
   * You need a way to control the stack pointer
   * Esp needs to be controlled, and redirected
   * Useful gadgets:

   # eax contains the value of your new frame
   0x8055c61L: xchg esp eax ;;
   # leave = mov esp, ebp; pop ebp; Control ebp = control esp
   0x8049844L: leave ;;

30. What it looks like

   Stage 0 “copying” stack (esp = 0x08048a00)   Stage 1 “payload” stack (esp = 0x12345678)
     Copy data                                    0x8061dda
     Copy data                                    0x27b10
     Copy data                                    0x8060883
     Copy data                                    0x41414141
     Copy data                                    0x8052b98
     0x12345678 – 0x4                             0x08049fec
     Leave; ret                                   0x8052b9d
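To make slide 8 (“ROP is control of esp”) concrete, here is an added Python emulator that steps through the slides' own chain: the GOT dereference of slide 21, the write-to-memory gadgets of slide 22, and the pop ebp / leave pivot of slides 29 and 30. It is not the deck's code and involves no real binary: the gadgets are interpreted from their ropeme text. The gadget addresses, the strcpy GOT entry, the delta and the stack words are the slides' values; the stage-0 stack address, the scratch address and the STOP sentinel are constructed for the example.

```python
import re

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MASK = 0xffffffff

# Gadgets exactly as the slides print them (ropeme syntax: ';;' marks the ret).
GADGETS = {
    0x8052b9d: "pop ebx ; lea eax [edx+eax*8] ;;",
    0x8052b98: "mov edx [ebx] ; pop ebx ; lea eax [edx+eax*8] ;;",
    0x8060883: "pop ecx ;;",
    0x8061dda: "add edx ecx ;;",
    0x8048528: "pop ebp ;;",
    0x8049844: "leave ;;",
    0x8058ae0: "pop eax ; pop ebx ;;",
    0x8056579: "mov [eax] edx ;;",
}
STRCPY_GOT, STRCPY, DELTA = 0x08049fec, 0xb7ed8b70, 0x27b10   # slide 21
STAGE1_STACK = 0x12345678        # the slides' fake stack
STAGE0_STACK = 0xbfff0000        # constructed: where the overflowed frame is
SCRATCH = 0x0804a100             # constructed: where stage 1 stores the result
STOP = 0xcafebabe                # constructed sentinel: not a gadget, so run() halts


def parse_gadget(text):
    """'pop ebx ; lea eax [edx+eax*8] ;;' -> ['pop ebx', 'lea eax [edx+eax*8]', 'ret']"""
    ins = [s.strip() for s in text.rstrip(" ;").split(";") if s.strip()]
    return ins + ["ret"]


class CPU:
    def __init__(self, gadgets, memory, esp):
        self.gadgets = gadgets
        self.mem = dict(memory)              # sparse 32-bit words; unset addresses read as 0
        self.regs = {r: 0 for r in REGS}
        self.regs["esp"] = esp
        self.trace = []                      # gadget addresses in execution order

    def pop(self):
        v = self.mem.get(self.regs["esp"], 0)
        self.regs["esp"] = (self.regs["esp"] + 4) & MASK
        return v

    def ea(self, expr):
        """Effective address of '[base]', '[base+0x10]', '[base-0x10]' or '[base+index*scale]'."""
        m = re.fullmatch(r"\[(\w+)(?:\+(\w+)\*(\d))?(?:([+-])(0x[0-9a-f]+))?\]", expr)
        if not m:
            raise ValueError(f"unsupported memory operand {expr}")
        base, index, scale, sign, disp = m.groups()
        addr = self.regs[base] + (self.regs[index] * int(scale) if index else 0)
        if disp:
            addr += int(disp, 16) * (-1 if sign == "-" else 1)
        return addr & MASK

    def value(self, operand):
        if operand in self.regs:
            return self.regs[operand]
        if operand.startswith("["):
            return self.mem.get(self.ea(operand), 0)
        return int(operand, 16)

    def write(self, dst, val):
        if dst in self.regs:
            self.regs[dst] = val & MASK
        else:
            self.mem[self.ea(dst)] = val & MASK

    def execute(self, ins):
        """Run one instruction; a ret returns the address it popped, everything else None."""
        op, *args = ins.split(" ")
        if op == "ret":
            return self.pop()
        if op == "leave":                    # mov esp, ebp ; pop ebp (slide 29)
            self.regs["esp"] = self.regs["ebp"]
            self.regs["ebp"] = self.pop()
        elif op == "pop":
            self.regs[args[0]] = self.pop()
        elif op == "lea":
            self.regs[args[0]] = self.ea(args[1])
        elif op == "xchg":
            self.regs[args[0]], self.regs[args[1]] = self.regs[args[1]], self.regs[args[0]]
        elif op in ("mov", "add"):
            self.write(args[0], self.value(args[1]) + (self.value(args[0]) if op == "add" else 0))
        else:
            raise ValueError(f"unsupported instruction {ins}")
        return None

    def run(self, max_gadgets=64):
        """Pop the first chain word (the overwritten return address) and keep going until a
        ret pops an address that is not a gadget. Nothing but what esp reads next steers this."""
        eip = self.pop()
        while eip in self.gadgets and max_gadgets:
            self.trace.append(eip)
            for ins in parse_gadget(self.gadgets[eip]):
                nxt = self.execute(ins)
            eip, max_gadgets = nxt, max_gadgets - 1
        return eip


def run_demo():
    """Stage 0 (slide 21 chain, then pop ebp / leave pivot) followed by stage 1 (slide 22 write)."""
    mem = {STRCPY_GOT: STRCPY}                     # the only libc value the chain needs: read from the GOT
    stage0 = [0x8052b9d, STRCPY_GOT, 0x8052b98, 0x41414141, 0x8060883, DELTA, 0x8061dda,
              0x8048528, STAGE1_STACK - 4, 0x8049844]   # ebp = fake stack - 4, then leave ;; (slide 30)
    stage1 = [0x8058ae0, SCRATCH, 0x41414141, 0x8056579, STOP]
    for base, words in ((STAGE0_STACK, stage0), (STAGE1_STACK, stage1)):
        for i, w in enumerate(words):
            mem[base + 4 * i] = w
    cpu = CPU(GADGETS, mem, STAGE0_STACK)
    return cpu, cpu.run()


if __name__ == "__main__":
    cpu, halted = run_demo()
    print(f"edx = {cpu.regs['edx']:#x}, word at {SCRATCH:#x} = {cpu.mem[SCRATCH]:#x}, "
          f"esp = {cpu.regs['esp']:#x}, halted at {halted:#x}")
```

Two things the trace makes visible. The 0x41414141 word is never an address: it is consumed by the second `pop ebx` inside the slide-21 gadget, which is why it sits between two gadget addresses. And the chain reaches libc only through the value stored at 0x08049fec; every address it needs up front belongs to the non-PIE executable, which is the fixed-address dependency slide 2 names. Building the executable as PIE removes those fixed addresses.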
31. That’s it!

32. Exercise time!
   * Find what protections are active on ch8
   * No source, but I left symbols ;)
   * Reverse it
   * Find the vulnerability
   * Exploit it
   * You probably won’t finish this today, but keep chewing on it ;)
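The first step of the exercise (find what protections are active) and the claim of slide 6 that .text, .data, PLT and GOT sit at fixed addresses both come down to fields in the ELF headers. This is an added Python example, not the deck's code and not a substitute for checksec: it reads e_type (ET_DYN means a PIE, so ASLR can move the whole image; ET_EXEC means the fixed addresses of slide 5), the PT_GNU_STACK flags (NX) and whether a PT_GNU_RELRO segment is present, and exercises itself on constructed header-only ELF images. Full versus partial RELRO (DT_BIND_NOW in .dynamic) and stack canaries are not checked.

```python
import struct
import sys

# Added example (not the deck's code): a header-only ELF mitigation check.
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474e551, 0x6474e552
PF_X, PF_W, PF_R = 1, 2, 4


def check_mitigations(data):
    """Report PIE / NX / RELRO-segment status from the ELF and program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = 32 if data[4] == 1 else 64
    end = "<" if data[5] == 1 else ">"
    if bits == 32:   # Elf32_Ehdr fields from e_type to e_phnum
        e_type, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
        ph_fmt, flags_idx = end + "IIIIIIII", 6       # Elf32_Phdr: p_flags is the 7th field
    else:            # Elf64_Ehdr: e_entry/e_phoff/e_shoff are 8 bytes wide
        e_type, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1       # Elf64_Phdr: p_flags follows p_type
    stack_flags, relro = None, False
    for n in range(phnum):
        fields = struct.unpack_from(ph_fmt, data, phoff + n * phentsize)
        if fields[0] == PT_GNU_STACK:
            stack_flags = fields[flags_idx]
        elif fields[0] == PT_GNU_RELRO:
            relro = True
    return {
        "bits": bits,
        "pie": e_type == ET_DYN,      # ET_EXEC: .text, .data, PLT and GOT are at fixed addresses
        # A missing PT_GNU_STACK is treated as an executable stack (the conservative reading).
        "nx": stack_flags is not None and not stack_flags & PF_X,
        "relro": relro,               # segment present; partial vs full needs DT_BIND_NOW
    }


def make_elf(bits, e_type, stack_flags, relro):
    """Constructed minimal ELF image (headers only, no code) for exercising the checker."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0x8048000), (PT_GNU_STACK, stack_flags, 0)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0x8049f00))
    if bits == 32:
        ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)      # ELFCLASS32, little endian, EV_CURRENT
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x804857e, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, va, va, 0x1000, 0x1000, fl, 0x1000) for t, fl, va in phdrs)
    else:
        ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)      # ELFCLASS64
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x401000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, fl, 0, va, va, 0x1000, 0x1000, 0x1000) for t, fl, va in phdrs)
    return ehdr + body


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # e.g. python3 elfcheck.py ./ch8
        with open(sys.argv[1], "rb") as f:
            print(check_mitigations(f.read()))
    else:                                     # no file given: show the constructed non-PIE case
        print(check_mitigations(make_elf(32, ET_EXEC, PF_R | PF_W, False)))
```

Run against a real binary it prints the three flags; a result of `pie: False` is the property the whole deck relies on, and `nx: True` is what makes the ret2libc refresher of slide 3 and ROP necessary in the first place.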
