Download as PDF, PPTX
![@bellis1000
Vulnerability
512 byte copy into
object’s name[] char
array
BSidesMCR 2018](https://image.slidesharecdn.com/bsidestalkbillyellis-180816165818/85/Introduction-to-Return-Oriented-Exploitation-on-ARM64-Billy-Ellis-86-320.jpg)
![@bellis1000
Vulnerability
name[] array is
only 64 bytes long
512 byte copy into
object’s name[] char
array
BSidesMCR 2018](https://image.slidesharecdn.com/bsidestalkbillyellis-180816165818/85/Introduction-to-Return-Oriented-Exploitation-on-ARM64-Billy-Ellis-87-320.jpg)
![@bellis1000
Vulnerability
Will overflow causing
function pointer to be
overwritten!
512 byte copy into
object’s name[] char
array
BSidesMCR 2018](https://image.slidesharecdn.com/bsidestalkbillyellis-180816165818/85/Introduction-to-Return-Oriented-Exploitation-on-ARM64-Billy-Ellis-88-320.jpg)
![@bellis1000
Payload structure
char name[64];
BSidesMCR 2018](https://image.slidesharecdn.com/bsidestalkbillyellis-180816165818/85/Introduction-to-Return-Oriented-Exploitation-on-ARM64-Billy-Ellis-118-320.jpg)
More Related Content
Similar to Introduction to Return-Oriented Exploitation on ARM64 - Billy Ellis
![[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...](https://cdn.slidesharecdn.com/ss_thumbnails/d1t2s05u25yuumatakienkentarovar5-230102092618-bbf74898-thumbnail.jpg?width=640&height=640&fit=bounds)
Introduction to Return-Oriented Exploitation on ARM64 - Billy Ellis
- 1. An Introduction to Return-Oriented Exploitationon ARM64 by Billy Ellis BSidesMCR 2018@bellis1000
- 2. whoami •Billy Ellis •17 yearold from UK •App development & programming for 5 years •Interested in security & exploitation for 2 years @bellis1000 BSidesMCR 2018
- 3. • Created various‘exploit exercise’ binaries for ARM/ARM64 • Author of ‘Beginner’s Guide to Exploitation on ARM’ • Run a YouTube channel teaching various exploit development & iOS jailbreaking videos My work @bellis1000 BSidesMCR 2018
- 4. • Introduce ‘return-oriented’exploitation techniques (for those who are unfamiliar) • Cover fundamentals of ARM/ARM64 • Demo a ROP exploit on ARM64 Focus of my talk @bellis1000 BSidesMCR 2018
- 5. Why target ARM? @bellis1000BSidesMCR 2018
- 6. • Almost allsmartphones & tablets run on ARM-based chips • Some laptops now also use ARM • Embedded systems / co-processors (TouchBar) too Why target ARM? @bellis1000 BSidesMCR 2018
- 7. • Mobile deviceshave become much more popular in the last decade • Makes ARM a worth while target for attackers Why target ARM? @bellis1000 BSidesMCR 2018
- 8.
- 9. • 32-bit RISCarchitecture • Instructions of fixed size (32 bits) • 16-bit mode known as ‘thumb’ • 16 registers ARMv7 @bellis1000 BSidesMCR 2018
- 10. • R0 -R12 (general purpose) • R13 (stack pointer) • R14 (link register) • R15 (program counter) ARMv7 Registers @bellis1000 BSidesMCR 2018
- 11. • aka ARM64 •64-bit ARM architecture • Supports AArch32 for backwards compatibility • Supports exception levels (EL3 - EL0) ARMv8 @bellis1000 BSidesMCR 2018
- 12. • 30 generalpurpose registers (X0 - X29) • W0 - W29 (32-bit context) • Link Register X30 • Stack Pointer X31 • Program Counter (not directly modifiable) ARMv8 Registers @bellis1000 BSidesMCR 2018
- 13.
- 14.
- 15.
- 16.
- 17.
- 18. Differences @bellis1000 ARMv7 ARMv8 Adds specified registers’ values totop of stack BSidesMCR 2018
- 19.
- 20. Differences @bellis1000 ARMv7 ARMv8 Store register pair atlocation specified BSidesMCR 2018
- 21.
- 22. Differences @bellis1000 ARMv7 ARMv8 Remove top items fromstack and place into specified registers BSidesMCR 2018
- 23. Differences @bellis1000 ARMv7 ARMv8 Load register pair from memorylocation specified BSidesMCR 2018
- 24.
- 25.
- 26. What is ROP? @bellis1000BSidesMCR 2018
- 27. • Return OrientedProgramming • Modern exploit technique • Code re-use attack • Originally used as alternative to shellcode What is ROP? @bellis1000 BSidesMCR 2018
- 28. • Old fashionedmethod of writing a payload • Involves writing byte-representation of instructions to memory • Jump to that memory to execute the payload What is shellcode? @bellis1000 BSidesMCR 2018
- 29.
- 30. Example @bellis1000 • NX /DEP prevent stack data being executed • Not possible on modern systems BSidesMCR 2018
- 31. ROP provides a workaround! @bellis1000BSidesMCR 2018
- 32. • Uses legitimateinstructions out of context • Chains together several ‘gadgets’ to achieve desired outcome • NX / DEP no longer matters How does it work? @bellis1000 BSidesMCR 2018
- 33. • Short sequencesof instructions ending with a ‘RET’ • The ‘RET’ is required in order to chain gadgets • Gadgets are found within __TEXT segment • Usually found at the end of a function Gadgets @bellis1000 BSidesMCR 2018
- 34.
- 35.
- 36.
- 37.
- 38. Example gadget @bellis1000 Memory location (topof stack) Load Pair of registers X29 & X30 (X30 is Link Register) BSidesMCR 2018
- 39. Example gadget @bellis1000 Return -branch to X30 BSidesMCR 2018
- 40. Gadget chaining @bellis1000 • Gadgetscan be chained using their ‘RET’ instructions • Place gadget addresses in order on stack • Each ‘RET’ will jump to the next address on the stack BSidesMCR 2018
- 41.
- 42. Example @bellis1000 Fill stack withjunk up until return address BSidesMCR 2018
- 43. Example @bellis1000 Overwrite return address withfirst gadget address BSidesMCR 2018
- 44.
- 45. Example @bellis1000 Gadgets are executed oneafter the other BSidesMCR 2018
- 46. Example @bellis1000 The ‘RET’ jumpsto the next gadget BSidesMCR 2018
- 47. Finding gadgets @bellis1000 • Searchbinary for ‘RET’ instructions • Search backwards from the ‘RET’ to find useful instructions • Many great tools do this automatically for multiple architectures BSidesMCR 2018
- 48. ARM Gadget Finders @bellis1000 •https://github.com/JonathanSalwan/ROPgadget • https://github.com/sashs/Ropper • http://ropshell.com BSidesMCR 2018
- 49. Complex ROP Chains @bellis1000 •Many exploits require huge gadget chains • Sometimes involving hundreds of gadgets for complex tasks • e.g. kernel patching BSidesMCR 2018
- 50. What’s the problem? @bellis1000BSidesMCR 2018
- 51. What’s the problem? @bellis1000 •All vulnerabilities are different • Some may limit the amount of gadgets that can be executed • Some may only allow a single gadget worth of arbitrary code execution • e.g. non-stack-based function pointer overwrite BSidesMCR 2018
- 52. Solution: Stack Pivot @bellis1000BSidesMCR 2018
- 53. What is StackPivoting? @bellis1000 • Creating a fake stack • Control SP value to point to new location • Populate this memory with ROP chain • Redirect code execution to first gadget in the chain BSidesMCR 2018
- 54. The Stack @bellis1000 • Theoreticallyit is a stack of items BSidesMCR 2018
- 55. The Stack @bellis1000 • Theoreticallyit is a stack of items • PUSH to add item BSidesMCR 2018
- 56. The Stack @bellis1000 • Theoreticallyit is a stack of items • PUSH to add item • POP to remove item BSidesMCR 2018
- 57. In reality… @bellis1000 • It’sjust an abstraction • The stack does not exist as we imagine it • It is just an area of memory like any other BSidesMCR 2018
- 58.
- 59. In reality… @bellis1000 Stack Pointerpoints to top of stack BSidesMCR 2018
- 60.
- 61.
- 62. In reality… @bellis1000 “POP {R1}” Stackis one item shorter BSidesMCR 2018
- 63. In reality… @bellis1000 “POP {R1}” Thismemory does not need to be cleared BSidesMCR 2018
- 64.
- 65.
- 66. In reality… @bellis1000 “PUSH {R2}” Newitem is added to top of stack BSidesMCR 2018
- 67.
- 68.
- 69. Stack Pivot @bellis1000 Attacker controlled memorypopulated with gadget addresses BSidesMCR 2018
- 70.
- 71. Stack Pivot @bellis1000 Modify SPregister to point to start of ROP stack BSidesMCR 2018
- 72. Stack Pivot @bellis1000 Program nowtreats this as the stack BSidesMCR 2018
- 73. How do wecontrol Stack Pointer? @bellis1000 BSidesMCR 2018
- 74. How do wecontrol SP? @bellis1000 • Use a pivot gadget • Overwrite SP value BSidesMCR 2018
- 75. Stack Pivot Gadget @bellis1000BSidesMCR 2018
- 76. Stack Pivot Gadget @bellis1000 OverwriteSP with value of X5 BSidesMCR 2018
- 77. Stack Pivot Gadget @bellis1000 LoadX30 and Return BSidesMCR 2018
- 78.
- 79. Target Overview @bellis1000 Target Name: Architecture: Description: bsides_demo ARMv7/ARMv8 Smallbinary vulnerable to a heap buffer overflow allowing a function pointer to be overwritten. BSidesMCR 2018
- 80. Aim @bellis1000 • Call secret()function • Pass correct code as first parameter BSidesMCR 2018
- 81.
- 82.
- 83.
- 84.
- 85.
- 86. @bellis1000 Vulnerability 512 byte copyinto object’s name[] char array BSidesMCR 2018
- 87. @bellis1000 Vulnerability name[] array is only64 bytes long 512 byte copy into object’s name[] char array BSidesMCR 2018
- 88. @bellis1000 Vulnerability Will overflow causing functionpointer to be overwritten! 512 byte copy into object’s name[] char array BSidesMCR 2018
- 89. @bellis1000 Vulnerability Conveniently placed call tofunction pointer ;) BSidesMCR 2018
- 90. @bellis1000 Vulnerability Offset 0x40 (64)bytes from ‘name’ buffer BSidesMCR 2018
- 91.
- 92.
- 93. @bellis1000 secret() Compared against W0 (firstarg) BSidesMCR 2018
- 94.
- 95.
- 96.
- 97.
- 98.
- 99.
- 100. @bellis1000 Too easy! • Thepoint is to show a ROP example • This is not a real-life exploit • We’ll assume we must call secret() from its entry point BSidesMCR 2018
- 101. @bellis1000 Exploit plan • Gaincode execution • Set up X0/W0 with secret code • Jump to secret() BSidesMCR 2018
- 102. What do weknow? @bellis1000 • We can control R15/PC by overwriting pointer • We can execute a single gadget • We need a stack pivot! BSidesMCR 2018
- 103. Stack Pivot Criteria @bellis1000 •Must be a single gadget • Must point SP to start of our heap buffer BSidesMCR 2018
- 104.
- 105. Look familiar? @bellis1000 Overwrites SP withvalue of X5 BSidesMCR 2018
- 106. Look familiar? @bellis1000 main() setsup X5 to point to heap object BSidesMCR 2018
- 107. @bellis1000 Checklist • Find stackpivot • Load X0/W0 with code • Call secret() BSidesMCR 2018
- 108.
- 109. Two gadgets @bellis1000 Load X3and X4 with controlled values BSidesMCR 2018
- 110.
- 111. Two gadgets @bellis1000 Move valueof X4 into X0 BSidesMCR 2018
- 112.
- 113. @bellis1000 Checklist • Find stackpivot • Load X0/W0 with code • Call secret() BSidesMCR 2018
- 114. @bellis1000 Checklist • Find stackpivot • Load X0/W0 with code • Call secret() BSidesMCR 2018
- 115. Building the exploit! @bellis1000BSidesMCR 2018
- 116.
- 117. @bellis1000 Payload structure This datais written to the object’s heap chunk BSidesMCR 2018
- 118.
- 119. @bellis1000 Payload structure Function pointerthat gets overwritten BSidesMCR 2018
- 120. @bellis1000 Payload structure Points tostack pivot gadget BSidesMCR 2018
- 121. @bellis1000 Payload structure Junk bytes loadedinto X29 BSidesMCR 2018
- 122. @bellis1000 Payload structure Points tosecond gadget BSidesMCR 2018
- 123. @bellis1000 Payload structure Junk bytes loadedinto X3 BSidesMCR 2018
- 124. @bellis1000 Payload structure secret() code loadedinto X4 BSidesMCR 2018
- 125. @bellis1000 Payload structure Junk bytes loadedinto X29 BSidesMCR 2018
- 126. @bellis1000 Payload structure Points tothird gadget BSidesMCR 2018
- 127. @bellis1000 Payload structure Junk bytes loadedinto X29 BSidesMCR 2018
- 128. @bellis1000 Payload structure Points to secret()function BSidesMCR 2018
- 129.
- 130.
- 131.
- 132. @bellis1000 Some useful links •https://azeria-labs.com • http://liveoverflow.com • https://quequero.org/2014/04/introduction-to-arm-architecture/ • https://github.com/Billy-Ellis/Exploit-Challenges • https://zygosec.com BSidesMCR 2018
- 133.