5. Stack based buffer overflow
Stack frame of main()
Parameters to ProcessInput()
Return address to main()
Stack frame of ProcessInput()
On entering ProcessInput
Stack frame of main()
Overwritten area
Overwritten area
Address of Shellcode
Shellcode
Shellcode
NOPs
On memcpy
FFFF
F200
FFFF
F200
Stack frame of main()
Overwritten area
Overwritten area
Address of Shellcode
Shellcode
Shellcode
NOPs
F200
FFFF
On return from ProcessInput
6. Buffer overflow mitigations
• To make buffer overflows harder, make either of the two stages
harder to implement
• Windows Vista introduced few mechanisms to make buffer overflows
harder:
• ASLR – Pseudo-randomize the addresses where binaries load, and where
stacks/heaps get laid out.
• DEP – Mark memory areas as executable or non-executable. Any attempt to
execute code from an area marked as non-executable would lead to access
violation.
7. If DEP is enabled
Stack frame of main()
Parameters to ProcessInput()
Return address to main()
Stack frame of ProcessInput()
On entering ProcessInput
Stack frame of main()
Overwritten area
Overwritten area
Address of Shellcode
Shellcode
Shellcode
NOPs
On memcpy
FFFF
F200
FFFF
F200
Stack frame of main()
Overwritten area
Overwritten area
Address of Shellcode
Shellcode
Shellcode
NOPs
F200
FFFF
On return from ProcessInput
8. Key idea behind bypassing DEP
• Find and execute relevant instructions from existing code which is
already marked executable.
9. Return oriented programming (ROP)
• Figure out what instructions are needed to be executed
• Find out a small groups of required instructions in the existing code,
such that each small group is followed by return. Such small groups of
instructions ending with return are called Rop Gadgets.
• Setup the stack so that each each Rop Gadget’s return leads exactly to
execution of next Gadget.
10. How ROP works
...
…
Return from Function 1
Function 1 parameters
Function 1 address
Gadget 2 address
Gadget 1 address
…
Stack Code in loaded Exe/Dll(s)
****
****
****
push esp
ret
****
****
****
mov esp, ebp
pop ebp
ret
FFFF
F200
****
****
****
****
ret
11. One more concept
• Modifying a page protection using VirtualProtect
• Can make memory pages executable
VirtualProtect(address, size, PAGE_EXECUTE_READWRITE, &oldProtection)
12. Using ROP to bypass DEP
Stack frame of main()
Shellcode
Address of VirtualProtect
Address of shellcode
Parameters to VirtualProtect
Stack frame to be used by
VirtualProtect
F200
FFFF
On return from ProcessInput Code in loaded Exe/Dll(s)
****
****
****
****
ret
VirtualProtect in
Kernel32.dll
14. Current scenario
• Many Advanced exploit detection engines introduced mitigations for
ROP
• Windows 10 introduced Control flow guard to mitigate ROP
• ROP is almost dead, and not seen in the wild!
• But, there are other ROP-less techniques