This document discusses data-oriented attacks and provides an example of a data-only attack on the ProFTPd server. It introduces the concepts of data-oriented programming (DOP) and block-oriented programming (BOP). It also describes the BOPC framework, which uses symbolic execution and abstract representations of basic blocks to automate data-only attacks by modeling data flows between program blocks.

1. An Intro on Data-oriented Attacks @ 若渴
2020.1.19
<ajblane0612@gmail.com>
AjMaChInE

2. Reference
● [0] 2019, Exploitation Techniques and Defenses for Data-
Oriented Attacks
● [1] 2018, Block Oriented Programming - Automating
Data-Only Attacks
● [2] 2016, Data-Oriented Programming - On the
Expressiveness of Non-Control Data Attacks
● [3] BOPC, https://github.com/HexHive/BOPC

3. DOA Overview [0][1][2]

4. The ProFTPd DOP Attack [0]

5. Array mons starts at 0x80cf6e0
send(fd, &mons, size)
.bss section
* main_server
* mons
* resp_buf
* ssl_ctx

6. Action: Get main_server
2. read operator & 1. copy operator :
AWP(&mons, ARP(&main_server), size)
→ AWP(0x80cf6e0, 0x871ae3c, size)
structure* main_server at 0x80d6314
send(fd,&mons, size)
.bss section
* main_server
* mons
* resp_buf
* ssl_ctx

7. Action: Get main_server->ServerName
main_server->ServerName
= main_server + offset
= 0x871ae3c + 0x10
= 0x871ae4c
offset we known
&
.bss section
* main_server
* mons
* resp_buf
* ssl_ctx

8. 3. copy operator:
AWP(main_server->ServerName, &ssl_ctx, size)
→ AWP(0x871ae4c, 0x80de0c8, size)
Action: Get ssl_ctx - 1 step .bss section
* main_server
* mons
* resp_buf
* ssl_ctx

9. 4. dereference operator:
resp_buf = *(main_server->ServerName)
resp_buf = *(0x80de0c8)
resp_buf = 0x874d7b8 = ssl_ctx
copy operator:
AWP(main_server->ServerName, ssl_ctx, size)
Action: Get ssl_ctx - 2 step .bss section
* main_server
* mons
* resp_buf
* ssl_ctx

10. cert = main_server->ServerName + offset
cert = 0x874d7b8 + offset
cert = 0x874d868
Action: Get cert and Derference 7 times (D1-D7) .bss section
* main_server
* mons
* resp_buf
* ssl_ctx

11. 5. read operator:
AWP(&mons, ARP(main_server->ServerName), size)
Action: Get PK after dereferencing 7 times (D1-D7) .bss section
* main_server
* mons
* resp_buf
* ssl_ctx

12. BOPC – Block-oriented Programming
Compiler [2][3]
● AWP (hard requirement)
● Python 2
● Angr

13. The basic block "abstractions" [3]
● absblk.py
● Transition form a basic block to abstraction.(regwr,
splmemwr,..)

14. CFG -> For basic blocks -> abstractions [3]

15. Angr
● Block-oriented symbolic execution
● status.history.actions
– action.type == 'reg' and action.action == 'write'
– action.type == 'mem' and action.action == 'read
– action.type == 'exit' and action.exit_type == 'conditional'
● blk.vex.jumpkind == "Ijk_Sys_syscall"
– BYPASS_UNSUPPORTED_SYSCALL
● state.se.constraints (AST)
– <Bool packet_0_stdin_6_480[471:464] != 13>
● state.posix.dumps(0)
● Initial .bss/ .data section
● project.inspect.make_breakpoint('mem_read', ...)

16. On the Fly to Resolve the Constraints [2]

17. Constraint Issues [2]

18. simulate.py [3]