An Intro on Data-oriented Attacks

Aj MaChInE
Aj MaChInE
An Intro on Data-oriented Attacks @ 若渴 2020.1.19 <ajblane0612@gmail.com> AjMaChInE
Reference ● [0] 2019, Exploitation Techniques and Defenses for Data- Oriented Attacks ● [1] 2018, Block Oriented Programming - Automating Data-Only Attacks ● [2] 2016, Data-Oriented Programming - On the Expressiveness of Non-Control Data Attacks ● [3] BOPC, https://github.com/HexHive/BOPC
DOA Overview [0][1][2]
The ProFTPd DOP Attack [0]
Array mons starts at 0x80cf6e0 send(fd, &mons, size) .bss section * main_server * mons * resp_buf * ssl_ctx
Action: Get main_server 2. read operator & 1. copy operator : AWP(&mons, ARP(&main_server), size) → AWP(0x80cf6e0, 0x871ae3c, size) structure* main_server at 0x80d6314 send(fd,&mons, size) .bss section * main_server * mons * resp_buf * ssl_ctx
Action: Get main_server->ServerName main_server->ServerName = main_server + offset = 0x871ae3c + 0x10 = 0x871ae4c offset we known & .bss section * main_server * mons * resp_buf * ssl_ctx
3. copy operator: AWP(main_server->ServerName, &ssl_ctx, size) → AWP(0x871ae4c, 0x80de0c8, size) Action: Get ssl_ctx - 1 step .bss section * main_server * mons * resp_buf * ssl_ctx
4. dereference operator: resp_buf = *(main_server->ServerName) resp_buf = *(0x80de0c8) resp_buf = 0x874d7b8 = ssl_ctx copy operator: AWP(main_server->ServerName, ssl_ctx, size) Action: Get ssl_ctx - 2 step .bss section * main_server * mons * resp_buf * ssl_ctx
cert = main_server->ServerName + offset cert = 0x874d7b8 + offset cert = 0x874d868 Action: Get cert and Derference 7 times (D1-D7) .bss section * main_server * mons * resp_buf * ssl_ctx
5. read operator: AWP(&mons, ARP(main_server->ServerName), size) Action: Get PK after dereferencing 7 times (D1-D7) .bss section * main_server * mons * resp_buf * ssl_ctx
BOPC – Block-oriented Programming Compiler [2][3] ● AWP (hard requirement) ● Python 2 ● Angr
The basic block "abstractions" [3] ● absblk.py ● Transition form a basic block to abstraction.(regwr, splmemwr,..)
CFG -> For basic blocks -> abstractions [3]
Angr ● Block-oriented symbolic execution ● status.history.actions – action.type == 'reg' and action.action == 'write' – action.type == 'mem' and action.action == 'read – action.type == 'exit' and action.exit_type == 'conditional' ● blk.vex.jumpkind == "Ijk_Sys_syscall" – BYPASS_UNSUPPORTED_SYSCALL ● state.se.constraints (AST) – <Bool packet_0_stdin_6_480[471:464] != 13> ● state.posix.dumps(0) ● Initial .bss/ .data section ● project.inspect.make_breakpoint('mem_read', ...)
On the Fly to Resolve the Constraints [2]
Constraint Issues [2]
simulate.py [3]
1 of 18

An Intro on Data-oriented Attacks

Download to read offline
Education

DOA是一個令人驚豔的技術,因此在若渴分享。

Aj MaChInE
Aj MaChInE

Recommended

(No)SQL Timing Attacks for Data Retrieval(No)SQL Timing Attacks for Data Retrieval
(No)SQL Timing Attacks for Data RetrievalPositive Hack Days
1.1K views22 slides
opentsdb in a real enviromentopentsdb in a real enviroment
opentsdb in a real enviromentChen Robert
11.6K views8 slides
Distributed Data Processing Workshop - SBUDistributed Data Processing Workshop - SBU
Distributed Data Processing Workshop - SBUAmir Sedighi
9.2K views23 slides
Create a RESTful API with NodeJS, Express and MongoDBCreate a RESTful API with NodeJS, Express and MongoDB
Create a RESTful API with NodeJS, Express and MongoDBHengki Sihombing
961 views12 slides
Elasticsearch 1.x Cluster Installation (VirtualBox)Elasticsearch 1.x Cluster Installation (VirtualBox)
Elasticsearch 1.x Cluster Installation (VirtualBox)Amir Sedighi
9.8K views29 slides
Fluent plugin-dstatFluent plugin-dstat
Fluent plugin-dstatshunsuke Mikami
1.6K views7 slides

More Related Content

What's hot

Gnocchi v3 brownbagGnocchi v3 brownbag
Gnocchi v3 brownbagGordon Chung
593 views45 slides
Mysql参数-GDBMysql参数-GDB
Mysql参数-GDBzhaolinjnu
898 views12 slides

What's hot(20)

New kid on the block node.jsNew kid on the block node.js
New kid on the block node.js
Joel Divekar2.4K views
1404 app dev series - session 8 - monitoring & performance tuning1404 app dev series - session 8 - monitoring & performance tuning
1404 app dev series - session 8 - monitoring & performance tuning
MongoDB847 views
To Hire, or to train, that is the question (Percona Live 2014)To Hire, or to train, that is the question (Percona Live 2014)
To Hire, or to train, that is the question (Percona Live 2014)
Geoffrey Anderson1.3K views
Gnocchi v3 brownbagGnocchi v3 brownbag
Gnocchi v3 brownbag
Gordon Chung593 views
Mysql参数-GDBMysql参数-GDB
Mysql参数-GDB
zhaolinjnu898 views
Gnocchi Profiling v2Gnocchi Profiling v2
Gnocchi Profiling v2
Gordon Chung638 views
Gnocchi v4 (preview)Gnocchi v4 (preview)
Gnocchi v4 (preview)
Gordon Chung657 views
Multi-core Node.pdfMulti-core Node.pdf
Multi-core Node.pdf
Ahmed Hassan71 views
Social Analytics with MongoDBSocial Analytics with MongoDB
Social Analytics with MongoDB
Patrick Stokes5.5K views
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9218 views
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Tipo virus espia con esto aprenderan a espiar a personas etc jeropas de mrd :v
Arian Gutierrez173 views
Postgres connections at scalePostgres connections at scale
Postgres connections at scale
Mydbops442 views
Performance evaluation of apache tajoPerformance evaluation of apache tajo
Performance evaluation of apache tajo
Jihoon Son2K views
Introduce leo-redundant-managerIntroduce leo-redundant-manager
Introduce leo-redundant-manager
Paras Patel611 views
MongoDB Drivers And High Availability: Deep DiveMongoDB Drivers And High Availability: Deep Dive
MongoDB Drivers And High Availability: Deep Dive
emptysquare684 views
Introduction to MongoDB with PHPIntroduction to MongoDB with PHP
Introduction to MongoDB with PHP
fwso10.3K views
MongoDb scalability and high availability with Replica-SetMongoDb scalability and high availability with Replica-Set
MongoDb scalability and high availability with Replica-Set
Vivek Parihar4.1K views
Nsq.io on Node.js and ShellNsq.io on Node.js and Shell
Nsq.io on Node.js and Shell
Luis Faustino2.4K views
Troubleshooting CassandraTroubleshooting Cassandra
Troubleshooting Cassandra
Jeremy Hanna1.5K views
Using MMS to Build New EnvironmentsUsing MMS to Build New Environments
Using MMS to Build New Environments
MongoDB6.5K views

Similar to An Intro on Data-oriented Attacks

introtomongodbintrotomongodb
introtomongodbsaikiran
228 views52 slides

Similar to An Intro on Data-oriented Attacks(20)

introtomongodbintrotomongodb
introtomongodb
saikiran228 views
Let the Tiger Roar! - MongoDB 3.0 + WiredTigerLet the Tiger Roar! - MongoDB 3.0 + WiredTiger
Let the Tiger Roar! - MongoDB 3.0 + WiredTiger
Jon Rangel4.3K views
Ajax Performance Tuning and Best PracticesAjax Performance Tuning and Best Practices
Ajax Performance Tuning and Best Practices
Doris Chen3.6K views
Building Your First App with Shawn Mcarthy Building Your First App with Shawn Mcarthy
Building Your First App with Shawn Mcarthy
MongoDB1K views
Large Scale Log collection using LogStash & mongoDB Large Scale Log collection using LogStash & mongoDB
Large Scale Log collection using LogStash & mongoDB
Gaurav Bhardwaj4.9K views
Exploiting GPU's for Columnar DataFrrames by Kiran LonikarExploiting GPU's for Columnar DataFrrames by Kiran Lonikar
Exploiting GPU's for Columnar DataFrrames by Kiran Lonikar
Spark Summit3.7K views
Lessons Learned: Running InfluxDB Cloud and Other Cloud Services at Scale | T...Lessons Learned: Running InfluxDB Cloud and Other Cloud Services at Scale | T...
Lessons Learned: Running InfluxDB Cloud and Other Cloud Services at Scale | T...
InfluxData380 views
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
2022 COSCUP - Let's speed up your PostgreSQL services!.pptx
José Lin153 views
Bio bigdata Bio bigdata
Bio bigdata
Mk Kim3.8K views
FOSDEM 2015: gdb tips and tricks for MySQL DBAsFOSDEM 2015: gdb tips and tricks for MySQL DBAs
FOSDEM 2015: gdb tips and tricks for MySQL DBAs
Valerii Kravchuk2.4K views
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
Sqreen950 views
오픈 소스 프로그래밍 - NoSQL with Python오픈 소스 프로그래밍 - NoSQL with Python
오픈 소스 프로그래밍 - NoSQL with Python
Ian Choi105 views
Lessons Learned Running InfluxDB Cloud and Other Cloud Services at Scale by T...Lessons Learned Running InfluxDB Cloud and Other Cloud Services at Scale by T...
Lessons Learned Running InfluxDB Cloud and Other Cloud Services at Scale by T...
InfluxData630 views
Fullstack LX - Improving your application performanceFullstack LX - Improving your application performance
Fullstack LX - Improving your application performance
Nuno Caneco1.4K views
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
Roland Bouman519 views
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
Roland Bouman600 views
Webinar slides: How to Secure MongoDB with ClusterControlWebinar slides: How to Secure MongoDB with ClusterControl
Webinar slides: How to Secure MongoDB with ClusterControl
Severalnines459 views
Boost Development With Java EE7 On EAP7 (Demitris Andreadis)Boost Development With Java EE7 On EAP7 (Demitris Andreadis)
Boost Development With Java EE7 On EAP7 (Demitris Andreadis)
Red Hat Developers1.9K views
PostgreSQL 9.5 - Major FeaturesPostgreSQL 9.5 - Major Features
PostgreSQL 9.5 - Major Features
InMobi Technology1.5K views
Performance Tuning Cheat Sheet for MongoDBPerformance Tuning Cheat Sheet for MongoDB
Performance Tuning Cheat Sheet for MongoDB
Severalnines1.4K views

More from Aj MaChInE

A study on NetSpectreA study on NetSpectre
A study on NetSpectreAj MaChInE
211 views27 slides

More from Aj MaChInE(19)

A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
Aj MaChInE493 views
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
Aj MaChInE211 views
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
Aj MaChInE1.2K views
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
Aj MaChInE345 views
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
Aj MaChInE795 views
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
Aj MaChInE281 views
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE858 views
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE981 views
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
Aj MaChInE718 views
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
Aj MaChInE430 views
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE434 views
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
Aj MaChInE4K views
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
Aj MaChInE1.3K views
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
Aj MaChInE1.2K views
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
Aj MaChInE2.6K views
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
Aj MaChInE1.3K views
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
Aj MaChInE4.8K views
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
Aj MaChInE2.2K views
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
Aj MaChInE2.6K views

Recently uploaded

Sociology KS5Sociology KS5
Sociology KS5WestHatch
50 views23 slides
Psychology KS5Psychology KS5
Psychology KS5WestHatch
53 views5 slides

Recently uploaded(20)

OEB 2023 Co-learning To Speed Up AI Implementation in Courses.pptxOEB 2023 Co-learning To Speed Up AI Implementation in Courses.pptx
OEB 2023 Co-learning To Speed Up AI Implementation in Courses.pptx
Inge de Waard148 views
Class 10 English lesson plansClass 10 English lesson plans
Class 10 English lesson plans
Tariq KHAN172 views
ICS3211_lecture 08_2023.pdfICS3211_lecture 08_2023.pdf
ICS3211_lecture 08_2023.pdf
Vanessa Camilleri68 views
Sociology KS5Sociology KS5
Sociology KS5
WestHatch50 views
Psychology KS5Psychology KS5
Psychology KS5
WestHatch53 views
Compare the flora and fauna of Kerala and Chhattisgarh ( Charttabulation) Compare the flora and fauna of Kerala and Chhattisgarh ( Charttabulation)
Compare the flora and fauna of Kerala and Chhattisgarh ( Charttabulation)
AnshulDewangan395 views
Gopal Chakraborty Memorial Quiz 2.0 Prelims.pptxGopal Chakraborty Memorial Quiz 2.0 Prelims.pptx
Gopal Chakraborty Memorial Quiz 2.0 Prelims.pptx
Debapriya Chakraborty221 views
Streaming Quiz 2023.pdfStreaming Quiz 2023.pdf
Streaming Quiz 2023.pdf
Quiz Club NITW87 views
2022 CAPE Merit List 2023 2022 CAPE Merit List 2023
2022 CAPE Merit List 2023
Caribbean Examinations Council3K views
Women from Hackney’s History: Stoke Newington by Sue DoeWomen from Hackney’s History: Stoke Newington by Sue Doe
Women from Hackney’s History: Stoke Newington by Sue Doe
History of Stoke Newington103 views
Chemistry of sex hormones.pptxChemistry of sex hormones.pptx
Chemistry of sex hormones.pptx
RAJ K. MAURYA97 views
Industry4wrd.pptxIndustry4wrd.pptx
Industry4wrd.pptx
BC Chew153 views
NS3 Unit 2 Life processes of animals.pptxNS3 Unit 2 Life processes of animals.pptx
NS3 Unit 2 Life processes of animals.pptx
manuelaromero201389 views
Structure and Functions of Cell.pdfStructure and Functions of Cell.pdf
Structure and Functions of Cell.pdf
Nithya Murugan142 views
Classification of crude drugs.pptxClassification of crude drugs.pptx
Classification of crude drugs.pptx
GayatriPatra1449 views
AI Tools for Business and StartupsAI Tools for Business and Startups
AI Tools for Business and Startups
Svetlin Nakov57 views
STERILITY TEST.pptxSTERILITY TEST.pptx
STERILITY TEST.pptx
Anupkumar Sharma102 views
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptx
Jisc49 views
STYP infopack.pdfSTYP infopack.pdf
STYP infopack.pdf
Fundacja Rozwoju Społeczeństwa Przedsiębiorczego143 views
Narration lesson plan.docxNarration lesson plan.docx
Narration lesson plan.docx
Tariq KHAN90 views

An Intro on Data-oriented Attacks

  • 1. An Intro on Data-oriented Attacks @ 若渴 2020.1.19 <ajblane0612@gmail.com> AjMaChInE
  • 2. Reference ● [0] 2019, Exploitation Techniques and Defenses for Data- Oriented Attacks ● [1] 2018, Block Oriented Programming - Automating Data-Only Attacks ● [2] 2016, Data-Oriented Programming - On the Expressiveness of Non-Control Data Attacks ● [3] BOPC, https://github.com/HexHive/BOPC
  • 4. The ProFTPd DOP Attack [0]
  • 5. Array mons starts at 0x80cf6e0 send(fd, &mons, size) .bss section * main_server * mons * resp_buf * ssl_ctx
  • 6. Action: Get main_server 2. read operator & 1. copy operator : AWP(&mons, ARP(&main_server), size) → AWP(0x80cf6e0, 0x871ae3c, size) structure* main_server at 0x80d6314 send(fd,&mons, size) .bss section * main_server * mons * resp_buf * ssl_ctx
  • 7. Action: Get main_server->ServerName main_server->ServerName = main_server + offset = 0x871ae3c + 0x10 = 0x871ae4c offset we known & .bss section * main_server * mons * resp_buf * ssl_ctx
  • 8. 3. copy operator: AWP(main_server->ServerName, &ssl_ctx, size) → AWP(0x871ae4c, 0x80de0c8, size) Action: Get ssl_ctx - 1 step .bss section * main_server * mons * resp_buf * ssl_ctx
  • 9. 4. dereference operator: resp_buf = *(main_server->ServerName) resp_buf = *(0x80de0c8) resp_buf = 0x874d7b8 = ssl_ctx copy operator: AWP(main_server->ServerName, ssl_ctx, size) Action: Get ssl_ctx - 2 step .bss section * main_server * mons * resp_buf * ssl_ctx
  • 10. cert = main_server->ServerName + offset cert = 0x874d7b8 + offset cert = 0x874d868 Action: Get cert and Derference 7 times (D1-D7) .bss section * main_server * mons * resp_buf * ssl_ctx
  • 11. 5. read operator: AWP(&mons, ARP(main_server->ServerName), size) Action: Get PK after dereferencing 7 times (D1-D7) .bss section * main_server * mons * resp_buf * ssl_ctx
  • 12. BOPC – Block-oriented Programming Compiler [2][3] ● AWP (hard requirement) ● Python 2 ● Angr
  • 13. The basic block "abstractions" [3] ● absblk.py ● Transition form a basic block to abstraction.(regwr, splmemwr,..)
  • 14. CFG -> For basic blocks -> abstractions [3]
  • 15. Angr ● Block-oriented symbolic execution ● status.history.actions – action.type == 'reg' and action.action == 'write' – action.type == 'mem' and action.action == 'read – action.type == 'exit' and action.exit_type == 'conditional' ● blk.vex.jumpkind == "Ijk_Sys_syscall" – BYPASS_UNSUPPORTED_SYSCALL ● state.se.constraints (AST) – <Bool packet_0_stdin_6_480[471:464] != 13> ● state.posix.dumps(0) ● Initial .bss/ .data section ● project.inspect.make_breakpoint('mem_read', ...)
  • 16. On the Fly to Resolve the Constraints [2]