Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

4,041 views

Published on

Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/

http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf

  • Be the first to comment

Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains

  1. 1. Exploit Research DEP Bypass with ROP Chains OPEN SECURITY WWW.OPENSECURITY.IN AJIN ABRAHAM @AJINABRAHAM
  2. 2. Data Execution Prevention [DEP]  Hardware Data Execution Prevention utilizes the NX ("No eXecute page protection“ of AMD) or XD (“eXecute Disable“ of Intel) bit on DEP compatible CPU‟s, and will mark certain parts of the memory as non executable.  Normally the part in memory containing data (heap, stack and memory pool) are marked as non executable.  So arbitrary code injection on these areas won‟t get executed.  Different DEP options in Windows OS OptIn : Only a limited set of Windows system modules/binaries are protected by DEP. OptOut : All programs, processes, services on the Windows system are protected, except for processes in the exception list AlwaysOn : All programs, processes, services, etc on the Windows system are protected. No exceptions AlwaysOff : DEP is turned off. @ajinabraham
  3. 3. How Will We Execute the Shellcode When DEP Is Enabled?  We will craft a Windows API call that will disable DEP for a specific memory region that we can control.  We have to use the instructions in the executable region of the process and chain them in a particular order to call the Windows API to disable DEP.  So once DEP is disabled, we can execute the shellcode in the memory region that we control.  For that purpose we use ROP Chains. @ajinabraham
  4. 4. Bypassing DEP with ROP Chains  A ROP Chain is a chain of instruction that contains a sequence of gadgets.  A *Gadget is a group of instructions in the ROP Chain that ends with a RET instruction.  A ROP NOP is a pointer to a RET.  With ROP Chains, we will jump from one part of the chain to another part without executing a single instructions in the DEP protected region.  In Effect what we are doing is, we use ROP Chains to setup the stack with parameter for the Windows API call and finally call the API to disable DEP. * Gadget actually refers to higher-level macros/code snippets as per Hovav Shacham. @ajinabraham
  5. 5. Exploitation when DEP is Enabled Exploitation in 2 Stages 1st Stage Disable DEP. 2nd Stage Jump to Shellcode and Execute it. @ajinabraham
  6. 6. Windows APIs for disabling DEP API / OS XP SP2 XP SP3 Vista SP0 Vista SP1 Windows 7 Windows 8 Windows 2003 SP1 Windows 2008 VirtualAlloc yes yes yes yes yes yes yes yes HeapCreate yes yes yes yes yes yes yes yes no (1) yes no (1) yes no (2) no(2) no (1) yes NtSetInformationProcess yes yes yes no (2) no (2) no(2) yes no (2) VirtualProtect yes yes yes yes yes yes yes yes WriteProcessMemory yes yes yes yes yes yes yes yes SetProcessDEPPolicy (1) Doesn‟t exist. (2) Will fail because of default DEP Policy settings. Source: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ @ajinabraham
  7. 7. Universal APIs for disabling DEP  Available across all Windows Builds till date. VirtualAlloc() VirtualProtect() @ajinabraham
  8. 8. Invoking a Function Stack Layout void add(int a, int b) { int x=25; char y=„a‟; printf(“Sum is %dn”,a+b); } ESP EBP - x add(2,3); } a Local Variables 25 EBP EBP int main() { Low Memory EBP + x RETN 2 3 High Memory Parameters
  9. 9. VirtualAlloc() VirtualAlloc() is a Windows API present in kernel32.dll used to disable DEP.  it will allocate new memory. One of the parameters to this function specifies the execution/access level of the newly allocated memory, so the goal is to set that value to EXECUTE_READWRITE.  VirtualAlloc() Win API Call Structure  LPVOID WINAPI VirtualAlloc ( _In_opt_ LPVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect => A pointer to VirtualAlloc() => => => => Return Address (Redirect Execution to ESP) dwSize (0x1) flAllocationType (0x1000) ) flProtect (0x40) ); @ajinabraham
  10. 10. Stack Should Contain Return Address Return Address pointing to another ROP chain that will copy the shellcode to the newly allocated memory and jump to it. lpAddress Starting address of the region where we want to allocate the memory. You can provide a hardcoded value. dwSize Size of the region in bytes. We use rop chains to create and write this value to the stack. flAllocationType Set to 0×1000 (MEM_COMMIT). We use rop chains to create and write this value to the stack. flProtect Set to 0×40 (EXECUTE_READWRITE). We use rop chains to create and write this value to the stack. @ajinabraham
  11. 11. VirtualProtect()  VirtualProtect() is another Windows API present in kernel32.dll used to disable DEP.  The VirtualProtect function changes the access protection of memory in the calling process.  VirtualProtect() Win API Call Structure BOOL WINAPI VirtualProtect => A pointer to VirtualProtect() _In_ LPVOID lpAddress, => Return Address (Redirect Execution to ESP) _In_ SIZE_T dwSize, => dwSize (0x201) _In_ DWORD flNewProtect, => flNewProtect (0x40) _Out_ PDWORD lpflOldProtect => A writable pointer ( ); @ajinabraham
  12. 12. Stack Should Contain Return Address Return Address pointing to the shellcode on the stack. This value is dynamically created using ROP chains. lpAddress Pointer to the base address of the region of pages whose access protection attributes need to be changed. i.e. this will be the base address of the shellcode. It is a dynamically created value. dwSize Size of the region in bytes. It is a dynamically created value using ROP chains. flNewProtect lpflOldProtect Set to 0×00000040 : PAGE_EXECUTE_READWRITE. This parameter specifies the new protection flag. It is also dynamically created. Pointer to variable that will receive the old protection flag. It is a writable static address. @ajinabraham
  13. 13. Ways to write a ROP Chain Basically three ways.  1. We can load all the API parameters into the various registers and use a PUSHAD instruction to push them to the stack in the proper order.(Easiest)  2. we can directly write the parameters to the stack in the proper order and then return to them (this will be more difficult).  3. Create entire payload using ROP Chain (requires some ninja skills). @ajinabraham
  14. 14. Let‟s Exploit Something  We will use the VirtualAlloc() API call to disable DEP.  Our Strategy  Use ROP chains to put the parameters for VirtualAlloc() in the stack.  Call the function VirtualAlloc() which will disable DEP.  Jump to shellcode and execute it. To achieve this we can put the required values in register and then use a pushad instruction to put these values into the stack at once. @ajinabraham
  15. 15. Exploit Code Structure ESP EIP JUNK RET ROP Chain NOPS Exploit Shellcode @ajinabraham
  16. 16. Thank You  References  https://www.corelan.be/index.php/2010/06/16/exploit-writingtutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/  http://www.fuzzysecurity.com/tutorials/expDev/7.html @ajinabraham

×