Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Linux Binary Exploitation - Return-oritend Programing

975 views

Published on

Linux Binary Exploitation - Return-oritend Programing

Published in: Technology
  • Hello! Get Your Professional Job-Winning Resume Here - Check our website! https://vk.cc/818RFv
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Linux Binary Exploitation - Return-oritend Programing

  1. 1. Linux Binary Exploitation Return-oriented Programing angelboy@chroot.org
  2. 2. Outline • ROP • Using ROP bypass ASLR • Stack migration
  3. 3. Outline • ROP • Using ROP bypass ASLR • Stack migration
  4. 4. ROP • 透過 ret 去執⾏行行其他包含 ret 的程式碼片段 • 這些片段⼜又稱為 gadget
  5. 5. ROP • Why do we need ROP ? • Bypass DEP • Static linking can do more thing
  6. 6. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2
  7. 7. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2
  8. 8. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2
  9. 9. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2
  10. 10. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2 exit
  11. 11. ROP • ROP chain • 由眾多的 ROP gadget 組成 • 藉由不同的 register 及記憶體操作,呼叫 system call 達成任意代碼執⾏行行 • 基本上就是利利⽤用 ROP gadget 來來串串出我們之前寫的 shellcode 的效果
  12. 12. ROP • Gadget • read/write register/memory • pop rax;pop rcx ; ret • mov [rax],rcx ; ret • system call • syscall • change rsp • pop rsp ; ret • leave ; ret
  13. 13. ROP • Write to Register • pop reg ; ret • mov reg, reg ; ret • …
  14. 14. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsp pop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0 0 retoverflow rax rbx
  15. 15. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsp pop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0 0 retoverflow rax rbx
  16. 16. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsppop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0xdead 0 retoverflow rax rbx
  17. 17. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsp pop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0xdead 0 retoverflow rax rbx
  18. 18. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsp pop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0xdead 0xbeef retoverflow rax rbx
  19. 19. ROP • Write to Memory • mov [reg],reg • mov [reg+xx], reg • …
  20. 20. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0 0 rax rbx 0x602080 0 0x602080 retoverflow
  21. 21. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0 0 rax rbx 0x602080 0 0x602080 retoverflow
  22. 22. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0x602080 0 rax rbx 0x602080 0 0x602080 retoverflow
  23. 23. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0x602080 0xdeadbeef rax rbx 0x602080 0 0x602080 retoverflow
  24. 24. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0x602080 0xdeadbeef rax rbx 0x602080 0 0x602080 retoverflow
  25. 25. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0x602080 0xdeadbeef rax rbx 0x602080 0xdeadbeef 0x602080 retoverflow
  26. 26. ROP • execve(“/bin/sh”,NULL,NULL) • write to memory • 將 “/bin/sh” 寫入已知位置記憶體中 • 可分多次將所需字串串寫入記憶體中 /bin/das 0x602080 0x602088 hx00x00x00…
  27. 27. ROP • execve(“/bin/sh”,NULL,NULL) • write to register • rax = 0x3b , rdi = address of “/bin/sh” • rsi = 0 , rdx = 0 • syscall
  28. 28. ROP • find gadget • https://github.com/JonathanSalwan/ROPgadget
  29. 29. ROP • find gadget • ROPgadget - - binary binary • ROPgadget - - ropchain - - binary binary • 在 Static linking 通常可以組成功 execve 的 rop chain 但通常都很長, 需要⾃自⼰己找更更短的 gadget 來來改短⼀一點
  30. 30. Outline • ROP • Using ROP bypass ASLR • Stack migration
  31. 31. Using ROP bypass ASLR • 假設 dynamic 編譯的程式中有 Buffer Overflow 的漏洞洞且在沒 PIE 情況下 ( 先不考慮 StackGuard 的情況) • How to bypass ASLR and DEP ? • Use .plt section to leak some information • ret2plt • 通常⼀一般的程式中都會有 put 、 send 、write 等 output function !31
  32. 32. Using ROP bypass ASLR ret code stack high low rsp !32 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… 0 rdi 0 rsi 0 rdx
  33. 33. Using ROP bypass ASLR ret pop rdi
 ret code stack high low rsp !33 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… 0 rdi 0 rsi 0 rdx
  34. 34. Using ROP bypass ASLR ret pop rdi
 ret code stack high low rsp !34 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
  35. 35. Using ROP bypass ASLR ret pop rdi
 ret put@plt code stack high low rsp !35 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
  36. 36. Using ROP bypass ASLR ret pop rdi
 ret jmp *(put@GOT) code stack high low rsp !36 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
  37. 37. Using ROP bypass ASLR ret pop rdi
 ret jmp put(put@GOT) code stack high low rsp !37 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
  38. 38. Using ROP bypass ASLR ret pop rdi
 ret jmp put(put@GOT) code stack high low rsp !38 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx Information leak
  39. 39. Using ROP bypass ASLR ret pop rdi
 ret jmp put(put@GOT) ret code stack high low rsp !39 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
  40. 40. Using ROP bypass ASLR ret pop rdi
 ret jmp put(put@GOT) ret pop rdi ret code stack high low rsp !40 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
  41. 41. Using ROP bypass ASLR ret pop rdi
 ret jmp put(put@GOT) ret pop rdi ret code stack high low rsp !41 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… 0 rdi 0 rsi 0 rdx
  42. 42. Using ROP bypass ASLR ret pop rdi
 ret jmp put(put@GOT) ret pop rdi ret pop rsi ret code stack high low rsp !42 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… 0 rdi 0 rsi 0 rdx
  43. 43. Using ROP bypass ASLR ret pop rdi
 ret jmp put(put@GOT) ret pop rdi ret pop rsi ret code stack high low rsp !43 puts@GOT 0 rdi puts@GOT rsi 0 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8
  44. 44. Using ROP bypass ASLR ret pop rdx ret code stack high low rsp !44 puts@GOT 0 rdi puts@GOT rsi 0 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8
  45. 45. Using ROP bypass ASLR ret pop rdx ret code stack high low rsp !45 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8
  46. 46. Using ROP bypass ASLR ret pop rdx ret jmp read@plt code stack high low rsp !46 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8
  47. 47. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) code stack high low !47 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
  48. 48. rsp Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) code stack high low rsp !48 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 GOT Hijacking puts -> system
  49. 49. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret code stack high low !49 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
  50. 50. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret code stack high low !50 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
  51. 51. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret code stack high low !51 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
  52. 52. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret jmp puts@plt code stack high low !52 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
  53. 53. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret jmp *(puts@GOT) code stack high low !53 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
  54. 54. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret jmp system(“/bin/sh”) code stack high low !54 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
  55. 55. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret jmp system(“/bin/sh”) code stack high low !55 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp GET SHELL
  56. 56. Using ROP bypass ASLR !56 • Bypass PIE • 必須比平常多 leak ⼀一個 code 段的位置,藉由這個值算出 code base 進 ⽽而推出所有 GOT 等資訊 • 有了了 code base 之後其他就跟沒有 PIE 的情況下⼀一樣
  57. 57. Using ROP bypass ASLR !57 • Bypass StackGuard • canary 只有在 function return 時做檢查 • 只檢查 canary 值時否⼀一樣 • 所以可以先想辦法 leak 出 canary 的值,塞⼀一模⼀一樣的內容就可 bypass,或是想辦法不要改到 canary 也可以
  58. 58. Using ROP bypass ASLR !58 • Weakness in fork • canary and memory mappings are same as parent.
  59. 59. Outline • ROP • Using ROP bypass ASLR • Stack migration
  60. 60. Stack Migration • 將 ROP Chain 寫在已知固定位置上 • 再利利⽤用 leave 搬移 Stack 位置到已知位置 • 可無限接 ROP Chain • 必須注意到 Migration 之後 stack 要留留⼤大⼀一點,有些 function 可能會需要很 ⼤大的 stack frame ,太⼩小可能會存取到唯獨區域,導致 Segmentation Fault !60
  61. 61. Stack Migration !61 return address rbp rbp/rsp push rbp mov rbp,rsp … leave ret high low
  62. 62. Stack Migration !62 buf1 rbp push rbp mov rbp,rsp … leave ret aaaa aaaa rsp gets() buf1 high low buf1 leave_ret pop rdi
  63. 63. Stack Migration !63 buf1 push rbp mov rbp,rsp … leave ret aaaa aaaa rsp gets() buf1 buf1 leave_ret leave = mov rsp,rbp ; pop rbp rbp pop rdi high low
  64. 64. Stack Migration !64 buf1 rbp/rsp push rbp mov rbp,rsp … leave ret aaaa aaaa gets() buf1 buf1 leave_ret leave = mov rsp,rbp ; pop rbp pop rdi high low
  65. 65. Stack Migration !65 buf1 rsp push rbp mov rbp,rsp … leave ret aaaa aaaa gets() buf1 buf1 leave_ret rbp pop rdi high low
  66. 66. Stack Migration !66 buf1 rsp push rbp mov rbp,rsp … leave ret pop rdi
 ret aaaa aaaa gets() buf1 buf1 leave_ret pop rdi rdi 0 high low rbp
  67. 67. Stack Migration !67 buf1 rsppush rbp mov rbp,rsp … leave ret pop rdi
 ret aaaa aaaa gets() buf1 buf1 leave_ret pop rdi rdi buf1 high low rbp
  68. 68. Stack Migration !68 buf1 rsp push rbp mov rbp,rsp … leave ret pop rdi
 ret gets(buf1) aaaa aaaa gets() buf1 buf1 leave_ret pop rdi rdi buf1 high low rbp
  69. 69. Stack Migration !69 buf1 rsp push rbp mov rbp,rsp … leave ret pop rdi
 ret gets(buf1) ret aaaa aaaa gets() buf1 buf1 leave_ret rbp pop rdi rdi buf1 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret
  70. 70. Stack Migration !70 buf1 rsp leave
 ret aaaa aaaa gets() buf1 buf1 leave_ret pop rdi rdi buf1 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret leave = mov rsp,rbp ; pop rbp rbp
  71. 71. Stack Migration !71 leave
 ret buf1 rdi buf1 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
  72. 72. Stack Migration !72 pop rdi
 ret buf1 rdi buf1 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
  73. 73. Stack Migration !73 pop rdi
 ret buf1 rdi puts@GOT buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp buf2 rsp
  74. 74. Stack Migration !74 pop rdi
 ret puts(puts@GOT) ret buf1 rdi puts@GOT buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2 Information leakage
  75. 75. Stack Migration !75 pop rdi
 ret puts(puts@GOT) ret buf1 rdi puts@GOT buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
  76. 76. Stack Migration !76 pop rdi
 ret buf1 rdi puts@GOT buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
  77. 77. Stack Migration !77 pop rdi
 ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
  78. 78. Stack Migration !78 pop rdi
 ret gets(buf2) ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_retrsp rbp buf2
  79. 79. Stack Migration !79 pop rdi
 ret gets(buf2) ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_retrsp rbp buf2 buf1 pop rdi &/bin/sh /bin/sh system
  80. 80. Stack Migration !80 pop rdi
 ret gets(buf2) ret leave ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_retrsp rbp buf2 buf1 pop rdi &/bin/sh /bin/sh system leave = mov rsp,rbp ; pop rbp
  81. 81. Stack Migration !81 pop rdi
 ret gets(buf2) ret leave ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp rsp buf2 buf1 pop rdi &/bin/sh /bin/sh system
  82. 82. Stack Migration !82 pop rdi
 ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp rsp buf2 buf1 pop rdi &/bin/sh /bin/sh system
  83. 83. Stack Migration !83 pop rdi
 ret buf1 rdi &/bin/sh buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp rsp buf2 buf1 pop rdi &/bin/sh /bin/sh system
  84. 84. Stack Migration !84 pop rdi ret system(“/bin/sh”) buf1 rdi &/bin/sh buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp rsp buf2 buf1 pop rdi &/bin/sh /bin/sh system GET SHELL
  85. 85. Stack Migration • 若若能妥善利利⽤用,在沒有 libc 的情況下,有機會將整個 libc 給 dump 出來來, 更更有機會直接找出 system 的位置 • 無限 ROP ,幾乎可以做出所有事情,但唯⼀一要注意的是 buf ⼤大⼩小要控制 好,盡量量選 bss 後半段位置,否則可能因為 stack 不夠⼤大⽽而 segfault !85
  86. 86. Stack Migration • Other migration gadget • add rsp,0xNN ; ret • sub rsp,0xNN ; ret • ret 0xNN • xchg rsp,exx ; ret • partial overwrite rbp !86
  87. 87. Stack Migration !87 ret add rsp,0x30 ret you can’t control gadget rsp rop chain high low
  88. 88. Stack Migration !88 ret add rsp,0x30 ret you can’t control gadget rop chain high low rsp
  89. 89. Stack Migration !89 ret add rsp,0x30 ret you can’t control gadget rop chain high low rsp
  90. 90. Reference • http://www.slideshare.net/hackstuff/rop-40525248 !90
  91. 91. Q & A

×