Return Oriented Programming (ROP) Based Exploits - Part I

13,168 views

Published on

Return Oriented Programming (ROP) Based Exploits - Part I by Anish & Team @ null B'lore Meet in September, 2010

Published in: Technology
2 Comments
5 Likes
Statistics
Notes
  • Dear NJU, may I ask question that why x80 is needed to add back to EAX? Reference to the return pointer or...?
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Dear NJU, may I ask question that why x80 is needed to add back to EAX? Reference to the return pointer or...?
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
13,168
On SlideShare
0
From Embeds
0
Number of Embeds
103
Actions
Shares
0
Downloads
190
Comments
2
Likes
5
Embeds 0
No embeds

No notes for slide

Return Oriented Programming (ROP) Based Exploits - Part I

  1. 1.
  2. 2. Return Oriented Programming (ROP) Based Exploits - Part I<br />
  3. 3. Exploit - ex·ploit<br />to use selfishly for one's own ends<br />
  4. 4. Exploit Discovery<br />Big space in computer security <br />Exploits are discovered by Security Researchers and Hackers alike<br />Zero day attacks are a result of newly created exploits or un-patched vulnerabilities<br />
  5. 5. Exploit Mitigation<br />Windows XP Sp2 was the first widespread OS to incorporate exploit mitigation<br />Protected stack metadata (Visual studio compiler/ GS flag)<br />Protected heap metadata (RtlHeap Safe Unlinking)<br />SafeSEH (Compile time execution handler registration)<br />Software, Hardware enforced Data Execution Prevention (DEP)<br />Windows Vista implements Address Space Layout Randomization (ASLR)<br />
  6. 6. Break the mitigation<br />BlackHat Presentations<br />Security Forums<br />Blogs<br />
  7. 7. Whose responsibility is it to mitigate ?<br />Heap Protection<br />SEH Chain validation<br />DEP<br />ASLR<br />Stack Cookies<br />Safe SEH<br />
  8. 8. DEP - Data Execution Prevention<br />When an attempt is made to execute code from a DEP protected data page,an access violation (STATUS_ACCESS_VIOLATION (0xc0000005)) will occur. <br />In most cases, this will result in process termination (unhandled exception).<br />
  9. 9. DEP - Data Execution Prevention<br />Without DEP On<br />With DEP On<br />
  10. 10. Problem<br />With DEP on, code from the stack won’t work<br />
  11. 11. Work-Around<br />We need to build a chain of instructions. We need to jump from one part of the chain to the other part of the chain without ever executing a single bit from our DEP protected region. <br />Or, to use a better term, we need to return from one instruction to the address of the next instruction<br />Each instruction (series of instructions) in our chain will be called a "gadget". <br />Each gadget will return to the next gadget ( = to the address of the next gadget, placed on the stack), or will call the next address directly.<br />We will need to use existing instructions (instructions in executable areas within the process)<br />and put them in such an order (and "chain" them together) so they would produce what we <br />need and put data in registers and/or on the stack<br />
  12. 12. Letter<br />The chocolate bombs you sent, bombs they are in size . Received them, yesterday. <br />Planted the rose plant, bomb was delicious … had to mention again. Set to go for shopping, 5 p.m. tomorrow. <br />The chocolate bombs you sent, bombs they are in size . Received them, yesterday. <br />Planted the rose plant, bomb was delicious … had to mention again. Set to go for shopping, 5 p.m. tomorrow. <br />ThebombsReceivedyesterday PlantedbombSet5 p.m. tomorrow<br />
  13. 13. Don’t sleep yet<br />
  14. 14. Gadget<br />We need to take a value from the stack, put it in EAX, and increase it with 0×80<br />
  15. 15. Gadget<br />We need to take a value from the stack, put it in EAX, and increase it with 0×80<br />-- - - - - - - - -- -- - - - - --- - - -- <br />-- - - - - - - - -- -- - - - - --- - - -- <br />-- - - - - - - - -- -- - - - - --- - - -- <br />WindowsFunction_1()<br />ADD EBX, 30<br />TEST AL, AL<br />POP EAX<br />RET<br />POP EAX<br />RET<br />ADD EAX, 80<br />POP EBX<br />RET<br />-- - - - - - - - -- -- - - - - --- - - -- <br />-- - - - - - - - -- -- - - - - --- - - -- <br />-- - - - - - - - -- -- - - - - --- - - -- <br />WindowsFunction_2()<br />INC EAX<br />ADD EAX, 80<br />POP EBX<br />RET<br />-- - - - - - - - -- -- - - - - --- - - -- <br />-- - - - - - - - -- -- - - - - --- - - -- <br />-- - - - - - - - -- -- - - - - --- - - -- <br />
  16. 16. Gadget<br />   Stack address Stack value <br />ESP points here -> 0010F730 10026D56 (pointer to POP EAX + RET)   <br /> 0010F734 50505050 (this will be popped into EAX)   <br /> 0010F738 1002DC24 (pointer to ADD EAX,80  + POP EBX + RET)   <br /> 0010F73C DEADBEEF (this will be popped into EBX, padding)<br />
  17. 17. Windows Function Calls to bypass DEP<br />VirtualAlloc(MEM_COMMIT + PAGE_READWRITE_EXECUTE) + copy memory. <br />This will allow you to create a new executable memory region, copy your shellcode to it, and execute it<br />HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory. <br />SetProcessDEPPolicy()<br />NtSetInformationProcess()<br />VirtualProtect(PAGE_READ_WRITE_EXECUTE). <br />This function will change the access protection level of a given memory page, allowing you to mark the location where your shellcode resides as executable.<br />WriteProcessMemory()<br />
  18. 18. Windows Function Calls to bypass DEP<br />Each one of those functions requires the stack or registers to be set up in a specific way.<br />when an API is called, it will assume that the parameters to the function are placed at the top of the stack (= at ESP)<br />
  19. 19. How to chain<br />Demo <br />
  20. 20. Finding ROP gadgets<br />There are 2 approaches to finding gadgets that will help you building the ROP chain :<br /> You can specifically search for instructions and see if they are followed by a RET.  <br /> The instructions between the one you are looking for, and the RET instruction (which will <br /> end the gadget) should not break the gadget. <br /> You can look for all RET instructions and then walk back, see if the previous instructions <br /> include the instruction you are looking for. <br />pvefindaddr<br />
  21. 21. First part of the Exploit<br />Testing ROP with a Windows API<br />VirtualProtect()<br />Demo <br />
  22. 22. Now you can sleep  <br />
  23. 23. Thank You<br />
  24. 24. Images<br />http://s280.photobucket.com/albums/kk176/sabbath_X/?action=view&current=Pumpkin_ Grin_lll_by_midnightINK.jpg&newest=1<br />http://www.indiamike.com/india/attachments/7595d1210760693-what-the-strange-questions-for-india-experts-chilli-and-lemon.jpg<br />http://www.animevice.com/profile/kao/all-images/84-142612/albert_wesker___reside nt_evil_by_megakay/83-203102/<br />http://la-vie-bohem.deviantart.com/art/Yawn-115528201?q=boost%3Apopular+yawn+baby&qo=32<br />http://SillyScreamingQueen.deviantart.com/art/Sleepy-54882830?q=boost%3Apopular+sleepy&qo=6<br />

×