SlideShare ist ein Scribd-Unternehmen logo

Bypassing ASLR Exploiting CVE 2015-7545

Als PPTX, PDF herunterladen
Kernel TLV
Kernel TLV

Nadav Markus goes over the path from a simple crash POC provided by Google Project Zero (for CVE-2015-7547), to a fully weaponized exploit. He explores how an attacker can utilize the behavior of the Linux kernel in order to bypass ASLR, allowing an attacker to remotely execute code on vulnerable targets.

Software
1 von 47
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1
Introduction • Vulnerability in glibc • Discovered by Google, patched at 16-feb-2016 • Released crash-poc • This presentation is about exploitation strategy 3
getaddrinfo() • A function used to resolve a hostname to IP-address(es) • OUT-addressinfo* is later used for connect() or bind() • Performs DNS queries • Stack-overflow vulnerability was found, handling DNS-replies 4 “Given node and service, which identify an Internet host and a service, getaddrinfo() returns one or more addrinfo structures, each of which contains an Internet address that can be specified in a call to bind(2) or connect(2).”
getaddrinfo() • struct addrinfo -> ai_family • AF_INET, AF_INET6, AF_UNSPEC • AF_UNSPEC indicates any address family is valid, IPv4 or IPv6 • IPv4=A, IPv6=AAAA • This is the common usecase 5 int getaddrinfo(const char *node, const char *service, const struct addrinfo *hints, struct addrinfo **res);
The Bug 6 Victim Attacker dns-query A & AAAA over UDP calls glibc’s getaddrinfo() alloca(2048) _nss_dns_gethostbyname4_r(..) { … host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048);
The Bug 7 Victim Attacker dns-reply FLAGS=TRUNCATED, ‘xAA’*2500 _alloca() buffer isn’t sufficient malloc(MAXPACKET) instead (MAXPACKET=0x10000) “…If the answer section of the response is truncated and if the requester supports TCP, it SHOULD try the query again using TCP.” (RFC-DNS)
The Bug 8 Victim Attacker dns-query A & AAAA over TCP
The Bug 9 Victim Attacker reuses the ‘malloced’ buffer ‘A’ valid dns-reply
The Bug 10 Victim Attacker ‘AAAA’ malformed dns-reply Mismatch between the stack and the heap buffer! If ‘AAAA’ dns-response’s size is greater than 2048, we smash the stack! ‘A’ valid dns-reply
Reply Arbitrary DNS • Assume attacker can answer arbitrary DNS requests • Acquiring the domain • Local Arp Poisoning • Any other way .. 11
DEP & ASLR • Unable to exploit reliably without bypassing DEP & ASLR • We can set RIP to anywhere, but where to? • How to ROP? Overflow . . . RET ; pop, jmp original buffer retaddress
ASLR Bypass Techniques • Non PIE executables • Read memory vulnerability • Spray (without DEP) • Can’t get reliable address at 64 bit.. • How about guessing? 13
fork() • Standard way of creating processes in UNIX • Child process inherits: • Memory Layout (includes loaded modules ) • Registers state • Stack 14 pid = fork(); if (0 < pid) { /* Parent code goes here... */ } else if (0 == pid) { /* Child code goes here... */ } …
fork – the kernel view 15 /* * Ok, this is the main fork-routine. * * It copies the process, and if successful kick-starts * it and waits for it to finish using the VM if required. */ long do_fork(unsigned long clone_flags, unsigned long stack_start, unsigned long stack_size, int __user *parent_tidptr, int __user *child_tidptr) … p = copy_process(clone_flags, stack_start, stack_size, child_tidptr, NULL, trace); /kernel/fork.c
fork – the kernel view 16 /* * This creates a new process as a copy of the old one, * but does not actually start it yet. * * It copies the registers, and all the appropriate * parts of the process environment (as per the clone * flags). The actual kick-off is left to the caller. */ static struct task_struct *copy_process(unsigned long clone_flags, unsigned long stack_start, unsigned long stack_size, int __user *child_tidptr, struct pid *pid, int trace) … retval = copy_mm(clone_flags, p); /kerne/fork.c
fork – the kernel view 17 /* * Allocate a new mm structure and copy contents from the * mm structure of the passed in task structure. */ struct mm_struct *dup_mm(struct task_struct *tsk) { ... memcpy(mm, oldmm, sizeof(*mm)); ...
exec vs fork • exec allows us to change the current executing image in a process • There are different handlers for different file formats – the kernel chooses the correct one from the binfmt handlers: 18 static int exec_binprm(struct linux_binprm *bprm) { ... ret = search_binary_handler(bprm);
exec vs fork 19 • /fs/binfmt_elf.c contains the logic for executing ELF files • Core function that set ups exec for ELF – load_elf_binary • Specifically, we are interested in how randomization is implemented, and what get randomized • Key functions in randomization: • randomize_stack_top – top of the stack • arch_randomize_brk – heap • mmap (not in this specific file, but used for each loaded shared object), and elf_map (which invokes the same functionality, but for the main executable in case of PIE from the kernel) • We will see later how some of these randomization features affect our exploit..
Attacker 10.1.1.137 Victim Trigger fork() 20
Attacker 10.1.1.137 Victimfork() child-process (PID=3312): 21
Attacker 10.1.1.137 Victimfork() child-process (PID=3312): 1212100C CALL getaddrinfo 12121012 test eax, eax … dns-queries 22
Attacker 10.1.1.137 Victimfork() child-process (PID=3312): 1212100C CALL getaddrinfo OVERFLOW RIP=0x01010101 INVALID-OPCODE CRASH! 12121012 test eax, eax … malicious dns-replies host @ 10.1.1.137 23
Attacker 10.1.1.137 Victim Trigger fork() 24
Attacker 10.1.1.137 Victimfork() child-process (PID=3313): 1212100C CALL getaddrinfo 12121012 test eax, eax … dns-queries 25
Attacker 10.1.1.137 Victimfork() child-process (PID=3313): 1212100C CALL getaddrinfo OVERFLOW RIP=0x12121012 12121012 test eax, eax … malicious dns-replies host @ 10.1.1.137 26
Attacker 10.1.1.137 Victimfork() child-process (PID=3313): 1212100C CALL getaddrinfo OVERFLOW RIP=0x12121012 12121012 test eax, eax … connect() TCP syn 10.1.1.137 0x12121012 is the correct address! 27
Exploit Strategy • We can enumerate all possible addresses • ~2 ^ 64 • Not feasible 28
Byte by Byte Approach • Instead of overwriting RIP entirely, we can overwrite just a portion of it • Remaining bytes are of the original address 29 CALL getaddrinfo() Original RIP = 0x12121012 DNS request-response (malformed) AAAAA..AAA../x00 Attacker Overwritten RIP = 0x12121000 12 10 12 12 00 00 00 00 00 10 12 12 00 00 00 00 Original RIP Overwritten RIP LSB MSB
Byte by Byte Approach 8 * 256  30 Return Address Sent Buffer Response? 0x0000000012121000 AAA...0x00 NO 0x0000000012121001 AAA...0x01 NO 0x00000000121210…. … NO 0x0000000012121012 AAA...0x12 YES 0x0000000012120012 AAA…0x12 0x00 NO 0x0000000012120112 AAA…0x12 0x01 NO 0x000000001212….12 … NO 0x0000000012121012 AAA…0x12 0x10 YES …. …
Finding Potentially Exploitable Applications • fork() && getaddrinfo() • Using the correct flow • Indication of crash • http://codesearch.debian.net • Indexes source code of ~18,000 packages • ~1,300 potential exploitable apps 31
Finding Potentially Exploitable Applications … 914 xtrace 915 openbgpd 916 balsa 917 tinyproxy 918 powerman 919 mahimahi 920 pcs 921 eric 922 ruby-pg 923 nut 924 gnulib … 32
child process – fork() tinyproxy 33 Tinyproxy CONNECT www.somewhere.com user dns-query A & AAAA somewhere.com DNS server HTTP request (tcp-syn 80) www.somewhere.com 1. CONNECT is used to trigger fork() remotely 2. http-request is used as an indication of success
Game Over? 34
Is RIP Really Controlled? • So let’s enumerate getaddrinfo’s return address • But we crash  • Local-variables are overridden • Some are pointers .. • So let’s leak them  35 … Stack buffer … … … Local variable Local variable Local variable Local variable … Frame pointer Return address
Segfault (1st) • RBX originally points the stack • We can leak this address too! • Address pointed by RBX only has to be writeable • Flow is not effected 36
Leak RBX (arbitrary stack address) (/proc/PID/maps) limit base length 0x7ffd07882000 0x7ffd078a3000 0x21000 0x0 [stack] 0x7ffd079f0000 0x7ffd079f2000 0x2000 0x0 [vvar] • We cannot leak lower 12 bits, since anything will do  • Stack size is greater than 0x1000 37 AA A2 88 07 FD 7F 00 00 Stack 0x7ffd078a3000 0x7ffd07882000
Segfault (2nd) • RDI is controlled (hostbuffer.buf) • R14 is the original alloca() buffer • free(RDI) if not equal • Abort crash • We don’t get to overwrite RIP .. • How to predict R14 value? 38 ... host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048); ... /* might malloc host_buffer.buf */ if (host_buffer.buf != orig_host_buffer) free (host_buffer.buf); ... return status;
Stack is Identical for Different fork()s 39 tinyproxy daemon orig_host_buffer = alloca(2048); orig_host_buffer @ 0x7ffd078a3080 child orig_host_buffer = alloca(2048); orig_host_buffer @ 0x7ffd078a3080 child orig_host_buffer = alloca(2048); orig_host_buffer @ 0x7ffd078a3080 child … … … fork() fork() fork()
Precise Pointers 40 • Stack is identical in different forks • host_buffer.buf PTR is the same in all executions • Use constant offset from stack base! ... host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048); ... /* might malloc host_buffer.buf */ if (host_buffer.buf != orig_host_buffer) free (host_buffer.buf); ... return status;
Leak Stack Base • Use 1th crash (mov [rbx], sil) • Use leaked arbitrary stack address as a starting point • Add 0x1000 offset at a time 41 rbx Sent Buffer Response? 0x00007fffed000000 AAA...0x00 0x00 0x00 0xed 0xff 0x7f YES 0x00007fffed001000 AAA...0x00 0x10 0x00 0xed 0xff 0x7f YES 0x00007fffed002000 AAA...0x00 0x20 0x00 0xed 0xff 0x7f YES 0x00007fffed003000 AAA...0x00 0x30 0x00 0xed 0xff 0x7f YES 0x00007fffed004000 AAA...0x00 0x40 0x00 0xed 0xff 0x7f YES 0x00007fffed005000 AAA...0x00 0x50 0x00 0xed 0xff 0x7f YES 0x00007fffed006000 AAA...0x00 0x60 0x00 0xed 0xff 0x7f YES 0x00007fffed007000 AAA...0x00 0x70 0x00 0xed 0xff 0x7f YES 0x00007fffed008000 AAA...0x00 0x80 0x00 0xed 0xff 0x7f NO
Game Over? 42 0xaa0000 Stack base … … 0xa9fc00 (-0x400) orig_host_buffer … … … … … … 0xa9f500 (-0xb00) Local variable 0xa9f4f8 (-0xb08) Local variable … 0xa9f400 (-0xc00) Frame pointer 0xa9f3f8 (-0xc08) Return address Leaked => 0x400 is constant offset =>
Offset from Stack-Base is Constant? 43 /arch/x86/kernel/process.c unsigned long arch_align_stack(unsigned long sp) { if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) sp -= get_random_int() % 8192; return sp & ~0xf; }
Leak libc base (for fun & gadgets) 44 • Gain control over RIP (leak all local variables in the way … ) • Leak getaddrinfo()’s return address • Get libc’s base address • Constant offset from ret address! • ROP (ret2libc) glibc module (+0xaabbcc ) return address => ( 0 ) glibc start =>
libc Version? • Different offset for different versions • We don’t know what the version is • So we just enumerate  45 glibc module (+0xaabbcc ) return address => ( 0 ) glibc start => glibc module(+0x998877) return address => ( 0 ) glibc start => ... … …
Complete Exploitation Flow • Leak arbitrary stack pointer ( 1st segfault => rbx) • Leak stack base • Leak random stack offset (for precise stack variables) • Leak getaddrinfo()’s return address • Enumerate ret2libc offsets, until successfully exploited 46
Demo 47
Questions? 48

Empfohlen

VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and DriversKernel TLV
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel TLV
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 

Empfohlen

VLANs in the Linux Kernel
VLANs in the Linux KernelVLANs in the Linux Kernel
VLANs in the Linux KernelKernel TLV
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and DriversKernel TLV
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptablesKernel TLV
 
Fun with Network Interfaces
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
 
Kernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel Proc Connector and Containers
Kernel Proc Connector and ContainersKernel TLV
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Linux Network Stack
Linux Network StackLinux Network Stack
Linux Network StackAdrien Mahieux
 
Building Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCBuilding Network Functions with eBPF & BCC
Building Network Functions with eBPF & BCCKernel TLV
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing LandscapeKernel TLV
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet FiltersKernel TLV
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaXKernel TLV
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In DepthKernel TLV
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] IO Visor Project
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDPlcplcp1
 
Embedded linux network device driver development
Embedded linux network device driver developmentEmbedded linux network device driver development
Embedded linux network device driver developmentAmr Ali (ISTQB CTAL Full, CSM, ITIL Foundation)
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernellcplcp1
 
Staging driver sins
Staging driver sinsStaging driver sins
Staging driver sinsStephen Hemminger
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkmarkdgray
 
The Silence of the Canaries
The Silence of the CanariesThe Silence of the Canaries
The Silence of the CanariesKernel TLV
 
Linux Ethernet device driver
Linux Ethernet device driverLinux Ethernet device driver
Linux Ethernet device driver艾鍗科技
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interfaceDenys Haryachyy
 
Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelVitaly Nikolenko
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROPJapneet Singh
 

Weitere ähnliche Inhalte

Was ist angesagt?

Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing LandscapeKernel TLV
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet FiltersKernel TLV
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaXKernel TLV
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecturehugo lu
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] IO Visor Project
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDPlcplcp1
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernellcplcp1
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux FirewallMarian Marinov
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkmarkdgray
 
The Silence of the Canaries
The Silence of the CanariesThe Silence of the Canaries
The Silence of the CanariesKernel TLV
 
Linux Ethernet device driver
Linux Ethernet device driverLinux Ethernet device driver
Linux Ethernet device driver艾鍗科技
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 

Was ist angesagt? (20)

Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing Landscape
 
Berkeley Packet Filters
Berkeley Packet FiltersBerkeley Packet Filters
Berkeley Packet Filters
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaX
 
The linux networking architecture
The linux networking architectureThe linux networking architecture
The linux networking architecture
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
 
CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016] CETH for XDP [Linux Meetup Santa Clara | July 2016]
CETH for XDP [Linux Meetup Santa Clara | July 2016]
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDP
 
Embedded linux network device driver development
Embedded linux network device driver developmentEmbedded linux network device driver development
Embedded linux network device driver development
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
 
Staging driver sins
Staging driver sinsStaging driver sins
Staging driver sins
 
nftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewallnftables - the evolution of Linux Firewall
nftables - the evolution of Linux Firewall
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdk
 
The Silence of the Canaries
The Silence of the CanariesThe Silence of the Canaries
The Silence of the Canaries
 
Linux Ethernet device driver
Linux Ethernet device driverLinux Ethernet device driver
Linux Ethernet device driver
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
 
DPDK KNI interface
DPDK KNI interfaceDPDK KNI interface
DPDK KNI interface
 

Ähnlich wie Bypassing ASLR Exploiting CVE 2015-7545

Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelVitaly Nikolenko
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROPJapneet Singh
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits BVBA (freelancer)
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROPSaumil Shah
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary ExploitationFlorian Müller
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoJava Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoValeriia Maliarenko
 
dokumen.tips_linux-networking-commands.ppt
dokumen.tips_linux-networking-commands.pptdokumen.tips_linux-networking-commands.ppt
dokumen.tips_linux-networking-commands.pptThorOdinson55
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
 
Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )Tim Bunce
 

Ähnlich wie Bypassing ASLR Exploiting CVE 2015-7545 (20)

Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernel
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
 
test
testtest
test
 
Return Oriented Programming
Return Oriented ProgrammingReturn Oriented Programming
Return Oriented Programming
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
netLec2.pdf
netLec2.pdfnetLec2.pdf
netLec2.pdf
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW Security
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
An introduction to ROP
An introduction to ROPAn introduction to ROP
An introduction to ROP
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation
 
Java Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey KovalenkoJava Jit. Compilation and optimization by Andrey Kovalenko
Java Jit. Compilation and optimization by Andrey Kovalenko
 
dokumen.tips_linux-networking-commands.ppt
dokumen.tips_linux-networking-commands.pptdokumen.tips_linux-networking-commands.ppt
dokumen.tips_linux-networking-commands.ppt
 
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이
 
Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )
 

Mehr von Kernel TLV

SGX Trusted Execution Environment
SGX Trusted Execution EnvironmentSGX Trusted Execution Environment
SGX Trusted Execution EnvironmentKernel TLV
 
Present Absence of Linux Filesystem Security
Present Absence of Linux Filesystem SecurityPresent Absence of Linux Filesystem Security
Present Absence of Linux Filesystem SecurityKernel TLV
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to BottomKernel TLV
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsKernel TLV
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Kernel TLV
 
File Systems: Why, How and Where
File Systems: Why, How and WhereFile Systems: Why, How and Where
File Systems: Why, How and WhereKernel TLV
 
KernelTLV Speaker Guidelines
KernelTLV Speaker GuidelinesKernelTLV Speaker Guidelines
KernelTLV Speaker GuidelinesKernel TLV
 
Userfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future DevelopmentUserfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future DevelopmentKernel TLV
 
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesKernel TLV
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival GuideKernel TLV
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingKernel TLV
 
WiFi and the Beast
WiFi and the BeastWiFi and the Beast
WiFi and the BeastKernel TLV
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDKKernel TLV
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackKernel TLV
 
Linux Interrupts
Linux InterruptsLinux Interrupts
Linux InterruptsKernel TLV
 
Userfaultfd and Post-Copy Migration
Userfaultfd and Post-Copy MigrationUserfaultfd and Post-Copy Migration
Userfaultfd and Post-Copy MigrationKernel TLV
 
Switchdev - No More SDK
Switchdev - No More SDKSwitchdev - No More SDK
Switchdev - No More SDKKernel TLV
 
Windows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersWindows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersKernel TLV
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security OverviewKernel TLV
 

Mehr von Kernel TLV (20)

SGX Trusted Execution Environment
SGX Trusted Execution EnvironmentSGX Trusted Execution Environment
SGX Trusted Execution Environment
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSE
 
Present Absence of Linux Filesystem Security
Present Absence of Linux Filesystem SecurityPresent Absence of Linux Filesystem Security
Present Absence of Linux Filesystem Security
 
OpenWrt From Top to Bottom
OpenWrt From Top to BottomOpenWrt From Top to Bottom
OpenWrt From Top to Bottom
 
Make Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance ToolsMake Your Containers Faster: Linux Container Performance Tools
Make Your Containers Faster: Linux Container Performance Tools
 
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
 
File Systems: Why, How and Where
File Systems: Why, How and WhereFile Systems: Why, How and Where
File Systems: Why, How and Where
 
KernelTLV Speaker Guidelines
KernelTLV Speaker GuidelinesKernelTLV Speaker Guidelines
KernelTLV Speaker Guidelines
 
Userfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future DevelopmentUserfaultfd: Current Features, Limitations and Future Development
Userfaultfd: Current Features, Limitations and Future Development
 
Linux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use CasesLinux Kernel Cryptographic API and Use Cases
Linux Kernel Cryptographic API and Use Cases
 
DMA Survival Guide
DMA Survival GuideDMA Survival Guide
DMA Survival Guide
 
FD.IO Vector Packet Processing
FD.IO Vector Packet ProcessingFD.IO Vector Packet Processing
FD.IO Vector Packet Processing
 
WiFi and the Beast
WiFi and the BeastWiFi and the Beast
WiFi and the Beast
 
Introduction to DPDK
Introduction to DPDKIntroduction to DPDK
Introduction to DPDK
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
 
Linux Interrupts
Linux InterruptsLinux Interrupts
Linux Interrupts
 
Userfaultfd and Post-Copy Migration
Userfaultfd and Post-Copy MigrationUserfaultfd and Post-Copy Migration
Userfaultfd and Post-Copy Migration
 
Switchdev - No More SDK
Switchdev - No More SDKSwitchdev - No More SDK
Switchdev - No More SDK
 
Windows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel DevelopersWindows Internals for Linux Kernel Developers
Windows Internals for Linux Kernel Developers
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security Overview
 

Kürzlich hochgeladen

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 

Kürzlich hochgeladen (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 

Bypassing ASLR Exploiting CVE 2015-7545

  • 1. Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1
  • 2. Introduction • Vulnerability in glibc • Discovered by Google, patched at 16-feb-2016 • Released crash-poc • This presentation is about exploitation strategy 3
  • 3. getaddrinfo() • A function used to resolve a hostname to IP-address(es) • OUT-addressinfo* is later used for connect() or bind() • Performs DNS queries • Stack-overflow vulnerability was found, handling DNS-replies 4 “Given node and service, which identify an Internet host and a service, getaddrinfo() returns one or more addrinfo structures, each of which contains an Internet address that can be specified in a call to bind(2) or connect(2).”
  • 4. getaddrinfo() • struct addrinfo -> ai_family • AF_INET, AF_INET6, AF_UNSPEC • AF_UNSPEC indicates any address family is valid, IPv4 or IPv6 • IPv4=A, IPv6=AAAA • This is the common usecase 5 int getaddrinfo(const char *node, const char *service, const struct addrinfo *hints, struct addrinfo **res);
  • 5. The Bug 6 Victim Attacker dns-query A & AAAA over UDP calls glibc’s getaddrinfo() alloca(2048) _nss_dns_gethostbyname4_r(..) { … host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048);
  • 6. The Bug 7 Victim Attacker dns-reply FLAGS=TRUNCATED, ‘xAA’*2500 _alloca() buffer isn’t sufficient malloc(MAXPACKET) instead (MAXPACKET=0x10000) “…If the answer section of the response is truncated and if the requester supports TCP, it SHOULD try the query again using TCP.” (RFC-DNS)
  • 8. The Bug 9 Victim Attacker reuses the ‘malloced’ buffer ‘A’ valid dns-reply
  • 9. The Bug 10 Victim Attacker ‘AAAA’ malformed dns-reply Mismatch between the stack and the heap buffer! If ‘AAAA’ dns-response’s size is greater than 2048, we smash the stack! ‘A’ valid dns-reply
  • 10. Reply Arbitrary DNS • Assume attacker can answer arbitrary DNS requests • Acquiring the domain • Local Arp Poisoning • Any other way .. 11
  • 11. DEP & ASLR • Unable to exploit reliably without bypassing DEP & ASLR • We can set RIP to anywhere, but where to? • How to ROP? Overflow . . . RET ; pop, jmp original buffer retaddress
  • 12. ASLR Bypass Techniques • Non PIE executables • Read memory vulnerability • Spray (without DEP) • Can’t get reliable address at 64 bit.. • How about guessing? 13
  • 13. fork() • Standard way of creating processes in UNIX • Child process inherits: • Memory Layout (includes loaded modules ) • Registers state • Stack 14 pid = fork(); if (0 < pid) { /* Parent code goes here... */ } else if (0 == pid) { /* Child code goes here... */ } …
  • 14. fork – the kernel view 15 /* * Ok, this is the main fork-routine. * * It copies the process, and if successful kick-starts * it and waits for it to finish using the VM if required. */ long do_fork(unsigned long clone_flags, unsigned long stack_start, unsigned long stack_size, int __user *parent_tidptr, int __user *child_tidptr) … p = copy_process(clone_flags, stack_start, stack_size, child_tidptr, NULL, trace); /kernel/fork.c
  • 15. fork – the kernel view 16 /* * This creates a new process as a copy of the old one, * but does not actually start it yet. * * It copies the registers, and all the appropriate * parts of the process environment (as per the clone * flags). The actual kick-off is left to the caller. */ static struct task_struct *copy_process(unsigned long clone_flags, unsigned long stack_start, unsigned long stack_size, int __user *child_tidptr, struct pid *pid, int trace) … retval = copy_mm(clone_flags, p); /kerne/fork.c
  • 16. fork – the kernel view 17 /* * Allocate a new mm structure and copy contents from the * mm structure of the passed in task structure. */ struct mm_struct *dup_mm(struct task_struct *tsk) { ... memcpy(mm, oldmm, sizeof(*mm)); ...
  • 17. exec vs fork • exec allows us to change the current executing image in a process • There are different handlers for different file formats – the kernel chooses the correct one from the binfmt handlers: 18 static int exec_binprm(struct linux_binprm *bprm) { ... ret = search_binary_handler(bprm);
  • 18. exec vs fork 19 • /fs/binfmt_elf.c contains the logic for executing ELF files • Core function that set ups exec for ELF – load_elf_binary • Specifically, we are interested in how randomization is implemented, and what get randomized • Key functions in randomization: • randomize_stack_top – top of the stack • arch_randomize_brk – heap • mmap (not in this specific file, but used for each loaded shared object), and elf_map (which invokes the same functionality, but for the main executable in case of PIE from the kernel) • We will see later how some of these randomization features affect our exploit..
  • 21. Attacker 10.1.1.137 Victimfork() child-process (PID=3312): 1212100C CALL getaddrinfo 12121012 test eax, eax … dns-queries 22
  • 22. Attacker 10.1.1.137 Victimfork() child-process (PID=3312): 1212100C CALL getaddrinfo OVERFLOW RIP=0x01010101 INVALID-OPCODE CRASH! 12121012 test eax, eax … malicious dns-replies host @ 10.1.1.137 23
  • 24. Attacker 10.1.1.137 Victimfork() child-process (PID=3313): 1212100C CALL getaddrinfo 12121012 test eax, eax … dns-queries 25
  • 25. Attacker 10.1.1.137 Victimfork() child-process (PID=3313): 1212100C CALL getaddrinfo OVERFLOW RIP=0x12121012 12121012 test eax, eax … malicious dns-replies host @ 10.1.1.137 26
  • 26. Attacker 10.1.1.137 Victimfork() child-process (PID=3313): 1212100C CALL getaddrinfo OVERFLOW RIP=0x12121012 12121012 test eax, eax … connect() TCP syn 10.1.1.137 0x12121012 is the correct address! 27
  • 27. Exploit Strategy • We can enumerate all possible addresses • ~2 ^ 64 • Not feasible 28
  • 28. Byte by Byte Approach • Instead of overwriting RIP entirely, we can overwrite just a portion of it • Remaining bytes are of the original address 29 CALL getaddrinfo() Original RIP = 0x12121012 DNS request-response (malformed) AAAAA..AAA../x00 Attacker Overwritten RIP = 0x12121000 12 10 12 12 00 00 00 00 00 10 12 12 00 00 00 00 Original RIP Overwritten RIP LSB MSB
  • 29. Byte by Byte Approach 8 * 256  30 Return Address Sent Buffer Response? 0x0000000012121000 AAA...0x00 NO 0x0000000012121001 AAA...0x01 NO 0x00000000121210…. … NO 0x0000000012121012 AAA...0x12 YES 0x0000000012120012 AAA…0x12 0x00 NO 0x0000000012120112 AAA…0x12 0x01 NO 0x000000001212….12 … NO 0x0000000012121012 AAA…0x12 0x10 YES …. …
  • 30. Finding Potentially Exploitable Applications • fork() && getaddrinfo() • Using the correct flow • Indication of crash • http://codesearch.debian.net • Indexes source code of ~18,000 packages • ~1,300 potential exploitable apps 31
  • 31. Finding Potentially Exploitable Applications … 914 xtrace 915 openbgpd 916 balsa 917 tinyproxy 918 powerman 919 mahimahi 920 pcs 921 eric 922 ruby-pg 923 nut 924 gnulib … 32
  • 32. child process – fork() tinyproxy 33 Tinyproxy CONNECT www.somewhere.com user dns-query A & AAAA somewhere.com DNS server HTTP request (tcp-syn 80) www.somewhere.com 1. CONNECT is used to trigger fork() remotely 2. http-request is used as an indication of success
  • 34. Is RIP Really Controlled? • So let’s enumerate getaddrinfo’s return address • But we crash  • Local-variables are overridden • Some are pointers .. • So let’s leak them  35 … Stack buffer … … … Local variable Local variable Local variable Local variable … Frame pointer Return address
  • 35. Segfault (1st) • RBX originally points the stack • We can leak this address too! • Address pointed by RBX only has to be writeable • Flow is not effected 36
  • 36. Leak RBX (arbitrary stack address) (/proc/PID/maps) limit base length 0x7ffd07882000 0x7ffd078a3000 0x21000 0x0 [stack] 0x7ffd079f0000 0x7ffd079f2000 0x2000 0x0 [vvar] • We cannot leak lower 12 bits, since anything will do  • Stack size is greater than 0x1000 37 AA A2 88 07 FD 7F 00 00 Stack 0x7ffd078a3000 0x7ffd07882000
  • 37. Segfault (2nd) • RDI is controlled (hostbuffer.buf) • R14 is the original alloca() buffer • free(RDI) if not equal • Abort crash • We don’t get to overwrite RIP .. • How to predict R14 value? 38 ... host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048); ... /* might malloc host_buffer.buf */ if (host_buffer.buf != orig_host_buffer) free (host_buffer.buf); ... return status;
  • 38. Stack is Identical for Different fork()s 39 tinyproxy daemon orig_host_buffer = alloca(2048); orig_host_buffer @ 0x7ffd078a3080 child orig_host_buffer = alloca(2048); orig_host_buffer @ 0x7ffd078a3080 child orig_host_buffer = alloca(2048); orig_host_buffer @ 0x7ffd078a3080 child … … … fork() fork() fork()
  • 39. Precise Pointers 40 • Stack is identical in different forks • host_buffer.buf PTR is the same in all executions • Use constant offset from stack base! ... host_buffer.buf = orig_host_buffer = (querybuf *) alloca (2048); ... /* might malloc host_buffer.buf */ if (host_buffer.buf != orig_host_buffer) free (host_buffer.buf); ... return status;
  • 40. Leak Stack Base • Use 1th crash (mov [rbx], sil) • Use leaked arbitrary stack address as a starting point • Add 0x1000 offset at a time 41 rbx Sent Buffer Response? 0x00007fffed000000 AAA...0x00 0x00 0x00 0xed 0xff 0x7f YES 0x00007fffed001000 AAA...0x00 0x10 0x00 0xed 0xff 0x7f YES 0x00007fffed002000 AAA...0x00 0x20 0x00 0xed 0xff 0x7f YES 0x00007fffed003000 AAA...0x00 0x30 0x00 0xed 0xff 0x7f YES 0x00007fffed004000 AAA...0x00 0x40 0x00 0xed 0xff 0x7f YES 0x00007fffed005000 AAA...0x00 0x50 0x00 0xed 0xff 0x7f YES 0x00007fffed006000 AAA...0x00 0x60 0x00 0xed 0xff 0x7f YES 0x00007fffed007000 AAA...0x00 0x70 0x00 0xed 0xff 0x7f YES 0x00007fffed008000 AAA...0x00 0x80 0x00 0xed 0xff 0x7f NO
  • 41. Game Over? 42 0xaa0000 Stack base … … 0xa9fc00 (-0x400) orig_host_buffer … … … … … … 0xa9f500 (-0xb00) Local variable 0xa9f4f8 (-0xb08) Local variable … 0xa9f400 (-0xc00) Frame pointer 0xa9f3f8 (-0xc08) Return address Leaked => 0x400 is constant offset =>
  • 42. Offset from Stack-Base is Constant? 43 /arch/x86/kernel/process.c unsigned long arch_align_stack(unsigned long sp) { if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) sp -= get_random_int() % 8192; return sp & ~0xf; }
  • 43. Leak libc base (for fun & gadgets) 44 • Gain control over RIP (leak all local variables in the way … ) • Leak getaddrinfo()’s return address • Get libc’s base address • Constant offset from ret address! • ROP (ret2libc) glibc module (+0xaabbcc ) return address => ( 0 ) glibc start =>
  • 44. libc Version? • Different offset for different versions • We don’t know what the version is • So we just enumerate  45 glibc module (+0xaabbcc ) return address => ( 0 ) glibc start => glibc module(+0x998877) return address => ( 0 ) glibc start => ... … …
  • 45. Complete Exploitation Flow • Leak arbitrary stack pointer ( 1st segfault => rbx) • Leak stack base • Leak random stack offset (for precise stack variables) • Leak getaddrinfo()’s return address • Enumerate ret2libc offsets, until successfully exploited 46