Bypassing DEP using ROP
•Download as PPTX, PDF•
0 likes•658 views
Demonstration of how to bypass Data Execution Prevention mitigation on Windows using techniques like Return Oriented Programming
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Bypassing DEP using ROP
Similar to Bypassing DEP using ROP (20)
More from Japneet Singh
Recently uploaded
Recently uploaded (20)
Bypassing DEP using ROP
- 1. Bypassing DEP using ROP By Japneet Singh
- 2. Agenda • Buffer overflow exploits • Data execution prevention (DEP) • Key idea behind bypassing DEP • ROP • Demo
- 3. Buffer overflow exploits • 2 stages • Memory corruption to inject shellcode • Redirect process execution to injected shellcode
- 4. Vulnerable code int main(int argc, char *argv[]) { … char buffer[2048]{}; HANDLE h = ::CreateFileA(argv[1], …); … DWORD bytesRead = 0; if (!::ReadFile(h, buffer, 2048, &bytesRead, …)) { … ProcessInput(buffer, bytesRead); … } void ProcessInput(char *str, int size) { char inputCopy[MAX_PATH]{}; memcpy(inputCopy, str, size); printf(inputCopy); }
- 5. Stack based buffer overflow Stack frame of main() Parameters to ProcessInput() Return address to main() Stack frame of ProcessInput() On entering ProcessInput Stack frame of main() Overwritten area Overwritten area Address of Shellcode Shellcode Shellcode NOPs On memcpy FFFF F200 FFFF F200 Stack frame of main() Overwritten area Overwritten area Address of Shellcode Shellcode Shellcode NOPs F200 FFFF On return from ProcessInput
- 6. Buffer overflow mitigations • To make buffer overflows harder, make either of the two stages harder to implement • Windows Vista introduced few mechanisms to make buffer overflows harder: • ASLR – Pseudo-randomize the addresses where binaries load, and where stacks/heaps get laid out. • DEP – Mark memory areas as executable or non-executable. Any attempt to execute code from an area marked as non-executable would lead to access violation.
- 7. If DEP is enabled Stack frame of main() Parameters to ProcessInput() Return address to main() Stack frame of ProcessInput() On entering ProcessInput Stack frame of main() Overwritten area Overwritten area Address of Shellcode Shellcode Shellcode NOPs On memcpy FFFF F200 FFFF F200 Stack frame of main() Overwritten area Overwritten area Address of Shellcode Shellcode Shellcode NOPs F200 FFFF On return from ProcessInput
- 8. Key idea behind bypassing DEP • Find and execute relevant instructions from existing code which is already marked executable.
- 9. Return oriented programming (ROP) • Figure out what instructions are needed to be executed • Find out a small groups of required instructions in the existing code, such that each small group is followed by return. Such small groups of instructions ending with return are called Rop Gadgets. • Setup the stack so that each each Rop Gadget’s return leads exactly to execution of next Gadget.
- 10. How ROP works ... … Return from Function 1 Function 1 parameters Function 1 address Gadget 2 address Gadget 1 address … Stack Code in loaded Exe/Dll(s) **** **** **** push esp ret **** **** **** mov esp, ebp pop ebp ret FFFF F200 **** **** **** **** ret
- 11. One more concept • Modifying a page protection using VirtualProtect • Can make memory pages executable VirtualProtect(address, size, PAGE_EXECUTE_READWRITE, &oldProtection)
- 12. Using ROP to bypass DEP Stack frame of main() Shellcode Address of VirtualProtect Address of shellcode Parameters to VirtualProtect Stack frame to be used by VirtualProtect F200 FFFF On return from ProcessInput Code in loaded Exe/Dll(s) **** **** **** **** ret VirtualProtect in Kernel32.dll
- 13. Demo • Making stack executable via VirtualProtect call using simple ROP
- 14. Current scenario • Many Advanced exploit detection engines introduced mitigations for ROP • Windows 10 introduced Control flow guard to mitigate ROP • ROP is almost dead, and not seen in the wild! • But, there are other ROP-less techniques