Advance ROP Attacks

Advance ROP Attacks

Rashid Bhatt

@raashidbhatt

Agenda
• Introduction to ROP Attacks

• ROP Attack Variants

• Alphanumeric ROP exploits

• Searching gadgets

• Questions?

ROP Attacks
• Introduced by hovad shacham
• Circumvents DEP (data execution prevention)
• Turing Complete`ness
• More useful than ret-2-lib ( branching)
• Applicable to various architectures

ROP Attacks
• Gadgets are the building blocks
• Gadgets end with RET instruction
• Example gadgets
• Mov eax, ebx
• Ret
• Pop eax
• Ret

ROP attacks
x86 stack layout
. Registers ebp and esp point to base and top of the
stack respective
. EBP used to access local and passed paramters
eg . [ebp + 8] first parameter (EBP + 4) for ret
address
. ESP used are a pointer for popping values out from
stack

ROP attacks
• RET x86 instruction
• Pops a value from the stack into EIP

• Used to return control from a function

• RET can have a argument eg RET 8

• RET 8 == EIP = stack[top], add ESP , 8

X86 stack layout
calling conventions
__stdcall ( varadic arguments)
Int __stdcall function(int a, int b) // < paramerts
{
int b,c; // local c variables
return 0;
}
function(10, 20); // function call __stdcall

X86 disassembly

push 20 // arguments pushed from right to left
push 10
call function
function:
push ebp // Stack epilouge
mov ebp, esp
sub esp, 8 //8 bytes for two variabeles
….
….
add esp, 8
pop ebp
ret 8 // ret 8 stack clearance by callie

X86 stack layout
calling conventions
__cdecl( const no of args)
Int __cdelc function(int a, int b) // < paramerts
{
int b,c; // local c variables
return 0;
}
function(10, 20); // function call __cdecl

X86 disassembly

push 20 // arguments pushed from right to left
push 10
call function
add esp, 8 // stack clearance
function:
push ebp // Stack epilouge
mov ebp, esp
sub esp, 8 //8 bytes for two variabeles
….
….
add esp, 8
pop ebp
ret // ret no stack clearence

Basic stack overflow
• A local stack variable gets overflowed

• CALL instruction pushes the EIP to the stack

• Find a trampoline eg jmp esp to change the
value to eip to attacker controlled buffer

• demo

What about NX bit ?
• DEP restricts the execution of segments
marked as r/w
• We can re-use code from the address space of
executable
• Useful code chunks called as ROP gadgets
• Multiple gadgets can be chained together and
even API calls

ROP Basics(load and store gadgets)
• storing and loading values from and into
memory

• Primitive example pop eax; ret / pop ebx ret/ pop r32, ret

• To memory store pop eax, pop edx, ret / mov [eax], edx; ret

Wait a sec!
» Handling NULL bytes

• Some parameters contain NULL
• Even some addresses contain zero values
• Cannot inject NULL or zero values
• Bug prone functions eg strcpy stop copying
when they encounter a NULL byte (00 hex)

Handling NULL bytes
• Let x = value containing a ( many) NULL byte
• Let y = mask = 0xffffffff
• Mathematical axiom
• A xor B = z (say)
• Now z xor B = A
• We can 0x00000000 xor 0xffffffff = z (say)
• Xor it back to get the original value
• We have xor esi, ebx ; ret!

ROP basics(arithmetic )
• Msvcrt32.dll 0x77c4d6f add ebx, esi; stc; ret

• Kernel32.dll 0x7c902af5 sub eax,ecx; ret

• We have same for mul and div !

• Try in immunity search: add r32, r32;any;ret;

• You will find huge no. of gadgets

ROP basics(LOOPS)
• UNCONDITIONAL LOOPS or INFINITE LOOPS
• Pop back the value in ESP, pop esp;ret
7C80BCA8 5C POP ESP //kernel32.dll
7C80BCA9 C3 RETN

ROP basics(conditional jumps )
• The tricky part
• We need to modify ESP , based on certain
comparisons
. comparisons include greater than , less than ,
equal to;
X <y
X >y
X == some_val
.

Comparing with zero
• Divert flow through adding a certain value to esp

• Store two values on the stack , value_to_be_checked and esp_delta (the value to
be added to esp)

• Load the val in a general purpose register say eax
• X86 instruction NEG computes the two's complement and updates CF

. if val == 0 the CF = 0; else CF = 1
• ADC x86 instruction add the source and dest with carry flag(ADC – add
with carry flag)
• Make a general purpose reg and zero by xor r32,r32; then apply adc
r32,32

Comparing with zero(contd..)
• We have a REG (say eax) containing a single 1 bit or all 0 bits

• Apply NEG instruction on that REG to obtain the two's complement

• 2's comp will transform it into all zero's or all ones
• Perform bit-wise AND with ESP_DELTA

. according we will get ESP_DELTA as zero or its original value

• ADD esp, ESP_DALTA to divert the control flow

• DEMO

Checking for == (equality)
• Two values val1, val2 to be checked for equality

• Load two values using load and store gadgets as shown earlier

• Perform x86 SUB val1, val2,store back the result
• If both the values are same result will be zero,

. Check the result to zero as show in the previous slide
• ADD esp, ESP_DALTA to divert the control flow

• DEMO

Checking for <, > (less or greater)
• Two values val1, val2 to be checked for equality

• Load two values using load and store gadgets as shown earlier

• Perform x86 SUB val1, val2, SUB intruction sets the CF if dest > source
• Save CF using xor r32, r32;ret; adc r32,r32 ret; as shown in ealier slide

. CF will be 1 if dest > source else 0
• DEMO

JUMP oriented Programming
Attacks

• ROP used gadgets ending with RET x86 instruction

• JOP uses statements ending with Indirect Jump call

• Instead of stack uses a dispatcher table to jump to different locations

• Thwarts certain Anti-ROP defences

JOP attacks (Dispatch table and
Dispatcher gadget)

JUMP oriented Programming
Attacks

• Dispatcher gadget increments a REG by certain value to make it point to next loc to
jump on

• Add ebx, 4 ; JMP [ebx]

• Here , EBX points to the Dispatcher table

• Same gadgets as in ROP attacks

JOP(attack Model)

• Cannot work on stack buffer overflow , because control flow diverts through a ret
Instruction
• Will be detected by anti-ROP defenses if(stack overflow is used)

• Attack vectors include

• 1: pointer overwrite
• 2: Arbitrary DWORD overwrite
• 3: C++ vtable overwrite

Alphanumeric ROP Shellcode
• Traditional Shellcode can be made alphanumeric by choosing only certain
instruction

Example . pop ecx has an
opcode 0x59 which is the ASCII code of the character Y)

• Similar technique used in ROP shellcode

. Selecting a printable address rather than a printable opcode(in trad.
shellcodes)

Basic Technique by adding two printable addresses. The range of ASCII printable
characters is between 0x21 and 0x7e

Example . A non-printable gadget in kernel32.dll at 0x77D4B8C2 {pop ebx;ret} can be
represented by adding two printable addresses

0X225D414B(printable) + 0x55777777(printable) = 0x77D4B8C2(no-printable)

• Combined together can be used to transform a printable code into non-
printable
• Similar technique used in ROP shellcode

. Selecting a printable address rather than a printable opcode(in trad.
shellcodes)

Alphanumeric ROP
Shellcode(gadgets)
• Gadgets used for decoding addresses should be printable(bytes should be
in range of 0x21 - 0x7e
• We also need a memory region which has a printable address to store the
decoded gadgets addresses marked as r/w

. From reg to mem we have urlmon.dll
0x772C2E5E MOV DWORD PTR DS:[ECX],EAX
. ESP related CRYPTUI.dll 0x775513E30 XCHG EAX,ESP
. MSCTF.DLL 0x74722973 POP EAX
. Mshtml.dll 0x7D504962 ADD EAX,ECX
. msimtf.dll MEM to reg 0x74714263 MOV EAX,DWORD PTR DS:[ECX]
. All of the dll's loaded by internet explorer


Alphanumeric ROP Messagebeep Shellcode >>

s)rt:i=3PI'w""w"bIP}PI'www""bIP}PI'w"P`
w^.,wxxxxs)rt"P`w0>Qu

DEMO

Effectively searching gadgets

• Immunity debugger search for all sequences in all modules

• ANY for any no of op codes and any reg

• Match Different registers eg POP RA, RB ; RA and RB will be different

• Best Practice search in reverse order

Advance ROP Attacks

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Advance ROP Attacks

Similar to Advance ROP Attacks (20)

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Recently uploaded

Recently uploaded (20)

Advance ROP Attacks