a single gadget weird machine
play

a single gadget weird machine Framing Signals a return to portable - PowerPoint PPT Presentation

Dec 28, 2022 •750 likes •1.65k views

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos stack buffer overflow stack return addr buffer sp 1 stack buffer overflow stack return addr buffer sp 1 stack buffer overflow

  1. a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos

  2. stack buffer overflow stack return addr buffer sp 1

  3. stack buffer overflow stack return addr buffer sp 1

  4. stack buffer overflow stack return addr buffer sp 1

  5. stack buffer overflow stack sp return addr buffer 1

  6. stack buffer overflow stack sp return addr buffer 1

  7. stack buffer overflow stack sp return addr buffer 1

  8. stack sp return addr buffer 2

  9. stack sp return addr buffer code 2

  10. return oriented programming / ret2libc stack return addr buffer code 2

  11. return addr return addr return addr buffer code 2

  12. Return Oriented Programming - dependent on available gadgets - chains may differ greatly between different binaries - non-trivial to program - ASLR makes it harder to guess gadgets without an info-leak 3

  13. Sigreturn Oriented Programming - minimal number of gadgets - constructing shellcode by chaining system calls - easy to change functionality of shellcode - gadgets are always present 4

  14. unix signals stack sp 5

  15. unix signals stack sp 5

  16. unix signals stack ucontext sp 5

  17. unix signals stack ucontext siginfo sp 5

  18. unix signals stack ucontext siginfo sp sigreturn 5

  19. unix signals stack good: kernel agnostic about signal handlers ucontext siginfo sp sigreturn 5

  20. unix signals stack bad: kernel agnostic about signal handlers ucontext (we can fake 'em) siginfo sp sigreturn 5

  21. two gadgets - call to sigreturn - syscall & return 6

  22. forged signal frame sigreturn 7

  23. program counter forged signal frame sigreturn 7

  24. program counter stack pointer forged signal frame sigreturn 7

  25. program counter stack pointer RAX ... RDI RSI RDX R10 R8 R9 ... sigreturn 7

  26. program counter stack pointer syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 7

  27. syscall & return stack pointer syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 7

  28. syscall & return next sigframe syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 7

  29. next syscall(...) 8

  30. socket() bind() listen() accept() execve() 9

  31. parent clone(...) 10

  32. parent clone(...) child 10

  33. clone() (wait) 11

  34. usage scenarios - stealthy backdoor - code signing circumvention - generic shellcode for exploitation 12

  35. usage scenarios stealthy backdoor - - code signing circumvention - generic shellcode for exploitation 12

  36. stealthy backdoor basic idea: - use the inotify API to wait for a file to be read - when this file is read: open a listen socket to spawn a shell - terminate the listening socket quickly if nobody connects 13

  37. backdoor close() inotify_init() inotify_add_watch() read() clone() 14

  38. backdoor close() alarm() listen() inotify_init() close() accept() inotify_add_watch() close() dup2() read() socket() alarm() clone() setsockopt() execve() bind() 14

  39. usage scenarios - stealthy backdoor - code signing circumvention - generic shellcode for exploitation 15

  40. code signing circumvention - serialize system calls over a socket - write into our own signal frames useful to bypass code-signing restrictions 16

  41. system call proxy read() read() read() read() 17

  42. system call proxy read() read() syscall nr arg1 ???() arg2 ... read() read() 18

  43. and... It's turing complete 19

  44. usage scenarios - stealthy backdoor - code signing circumvention - generic shellcode for exploitation 20

  45. SROP exploit on x86-64 we have: - a stack buffer overflow - not a single gadget from the binary assumption: - we can guess/leak the location of a writable address (any address!) - we have some control over RAX (function's return value) 21

  46. two gadgets - call to sigreturn - syscall & return 22

  47. two gadgets - call to sigreturn: RAX = 15 + syscall - syscall & return 22

  48. one gadget - RAX = 15 - syscall & return 22

  49. [vsyscall] 23

  50. [vsyscall] ffffffffff600000 48 c7 c0 60 00 00 00 0f 05 c3 cc cc cc cc cc cc gettimeofday() fffffffffff60010 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600400 48 c7 c0 c9 00 00 00 0f 05 c3 cc cc cc cc cc cc time() ffffffffff600410 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600800 48 c7 c0 35 01 00 00 0f 05 c3 cc cc cc cc cc cc getcpu() ffffffffff600810 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff601000 24

  51. [vsyscall] ffffffffff600000 48 c7 c0 60 00 00 00 0f 05 c3 cc cc cc cc cc cc gettimeofday() fffffffffff60010 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600400 48 c7 c0 c9 00 00 00 0f 05 c3 cc cc cc cc cc cc time() ffffffffff600410 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600800 48 c7 c0 35 01 00 00 0f 05 c3 cc cc cc cc cc cc getcpu() ffffffffff600810 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff601000 24

  52. [vsyscall] ffffffffff600000 48 c7 c0 60 00 00 00 0f 05 c3 cc cc cc cc cc cc gettimeofday() fffffffffff60010 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600400 48 c7 c0 c9 00 00 00 0f 05 c3 cc cc cc cc cc cc time() ffffffffff600410 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600800 48 c7 c0 35 01 00 00 0f 05 c3 cc cc cc cc cc cc getcpu() ffffffffff600810 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff601000 0f05 syscall c3 return 24

  53. syscall(arg1, arg2, arg3, ...) = result 24

  54. execve("/bin/sh", ["/bin/sh", "-c", "...", NULL], NULL) 24

  55. execve("/bin/sh", ["/bin/sh", "-c", "...", NULL], NULL) 24

  56. syscall(arg1, arg2, arg3, ...) = result 24

  57. read(fd, addr, ...) = result 24

  58. read(fd, stack_addr, ...) = result 24

  59. read(fd, stack_addr, 306) = 306 24

  60. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs 24

  61. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return 24

  62. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = ... 24

  63. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 24

  64. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return 24

  65. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = ... 24

  66. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = 15 24

  67. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = 15 RAX == 15 == __NR_rt_sigreturn top of stack points to syscall & return 24

  68. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = 15 RAX == 15 == __NR_rt_sigreturn top of stack points to syscall & return mprotect(stack_addr, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC) 24

  69. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = 15 RAX == 15 == __NR_rt_sigreturn top of stack points to syscall & return mprotect(stack_addr, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC) top of stack points to our code 24

  70. CVE-2012-5976 (asterisk) 25

  71. On some systems SROP gadgets are randomised, on others, they are not Operating system Gadget Memory map Linux i386 sigreturn [vdso] Linux < 3.11 ARM sigreturn [vectors] 0x ffff 0000 Linux < 3.3 x86-64 syscall & return [vsyscall] 0x ffffffffff 600000 Linux ≥ 3.3 x86-64 syscall & return Libc Linux x86-64 sigreturn Libc FreeBSD 9.2 x86-64 sigreturn 0x7 ffffffff 000 Mac OSX x86-64 sigreturn Libc iOS ARM sigreturn Libsystem iOS ARM syscall & return Libsystem 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos memory corruption, the problem that just won't go away 25+ years after the morris worm and

879 views • 62 slides
Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB Linux USB Terminology Brief history of USB gadget subsystem Other filesystem-based gadget interfaces Using USB gadget configfs

439 views • 21 slides
Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of

Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of

DM204 , 2010 SCHEDULING, TIMETABLING AND ROUTING Lecture 18 Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Single Machine

439 views • 43 slides
Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as:

Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as:

Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as: All instructions take the same time (CPI = 1), but some instructions are shorter than others: ADD uses Instruction Memory, Register File, ALU,

95 views • 5 slides
Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020 https://tinyurl.com/fosdem-gadget Hi, Im Alban Alban Crequy CTO, Kinvolk Github: alban Twitter: albcr Email: alban@kinvolk.io Kinvolk Driving

426 views • 30 slides
Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows Christopher Olston and Benjamin Reed Yahoo! Research Web Scale problems Lots of servers, users, and data Fun to have power at your fingertip

505 views • 33 slides
Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules

Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules

Dispatching Rules Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules Lecture 10 Single Machine Models 2. Single Machine Models Marco Chiarandini 2 Dispatching Rules Dispatching Rules Outline

417 views • 7 slides
Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting) Dr Mark Ellio+ Reader in Public Law, University of Cambridge Fellow &amp; Director of

426 views • 14 slides
Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of

Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of

Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of single queue systems includes an ATM machine ATM machine. A single line of people waiting to get money forms in front of the machine. in front of

401 views • 21 slides
Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine

Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine

Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine Scheduling to Minimize w j C j Given: n jobs j = 1 , . . . , n , processing times p j &gt; 0, weights w j &gt; 0 Task: schedule jobs on a single

393 views • 20 slides
ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics

1.28k views • 45 slides
Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int.

622 views • 39 slides
Some Weird Things Poll #1: Who in here has taken a MOOC? Going On Poll #2: Are you happy or

Some Weird Things Poll #1: Who in here has taken a MOOC? Going On Poll #2: Are you happy or

2/9/2019 Talk Outline Fostering Self-Directed Learning in MOOCs: 1. MOOC Weird Stuff One Modest Little Study to 2. MOOC Systematic Literature Review Help Save the Planet 3. MOOC ID Considerations and Challenges 4. MOOC ID for Self-directed

386 views • 16 slides
T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr. Yuan, Co-Director of MIST Daniel Gibney CpE research center at UCF. Leaphar Castro EE Motivation With the ever expanding use of IoT sensor

740 views • 46 slides
On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H

On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H

On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H ohn Technische Universit at Berlin Tobias Jacobs NEC Laboratories Europe 18th Combinatorial Optimization Workshop Aussois 2014 Generalized

1.06k views • 89 slides
From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning

From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning

From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning with Maggy Moritz Meister, @morimeister Software Engineer, Logical Clocks Jim Dowling, @jim_dowling Associate Professor, KTH Royal Institute of

505 views • 33 slides
O NGOING ISSUES FOR 2018 1. Juvenile Expungement-Chief Newton 2. Cannabis Legalization (SB?)-

O NGOING ISSUES FOR 2018 1. Juvenile Expungement-Chief Newton 2. Cannabis Legalization (SB?)-

L EGISLATIVE C OMMITTEE S TRATEGY M EETING March 9, 2018 B ILL R EVIEWS -N EED TO G ET C OMPLETED Read Entire Bill Summary of Bill Add to the Abstract Position Reasoning E XECUTIVE D IRECTOR S R EPORT Executive Director Ed

739 views • 14 slides
Staff Brief 9 August Welcome all Todays presentation covers: Corporate objectives System

Staff Brief 9 August Welcome all Todays presentation covers: Corporate objectives System

Staff Brief 9 August Welcome all Todays presentation covers: Corporate objectives System delivery plan and financial recovery Executive team restructure and next steps Housekeeping Corporate objectives 1. Secure financial recovery,

607 views • 9 slides
Mental Health Information and Strategy Session 16th July 10-11.30am Virtual Meeting Via Zoom

Mental Health Information and Strategy Session 16th July 10-11.30am Virtual Meeting Via Zoom

Mental Health Information and Strategy Session 16th July 10-11.30am Virtual Meeting Via Zoom AGENDA 10.00 Welcome 10.10 Forum Central Updates - Team Updates - Communities of Interest/ongoing key priorities within FC - Emerging MH Data

471 views • 15 slides
All in the Exponential Family: Bregman Duality in Thermodynamic Variational Inference Rob

All in the Exponential Family: Bregman Duality in Thermodynamic Variational Inference Rob

All in the Exponential Family: Bregman Duality in Thermodynamic Variational Inference Rob Brekelmans Vaden Masrani Frank Wood Greg Ver Steeg Aram Galstyan 1 &lt;latexit

638 views • 31 slides
+ BAY AREA NETWORK for POSITIVE HEALTH Engaging the Invisible: Locating and Linking the

+ BAY AREA NETWORK for POSITIVE HEALTH Engaging the Invisible: Locating and Linking the

+ BAY AREA NETWORK for POSITIVE HEALTH Engaging the Invisible: Locating and Linking the Long-Term, Out-of-Care PLWH in the Bay Area + Background 650,000 PLWH are not receiving HIV care in the United States HIV treatment is critical to

309 views • 6 slides
Petr koda Astronomical Institute, Czech Academy of Sciences Ondejov Jakub Koza, Andrej

Petr koda Astronomical Institute, Czech Academy of Sciences Ondejov Jakub Koza, Andrej

Facilitating Knowledge Discovery in Large Archives of Astronomical Spectra using Distributed Cloud-based Engine Petr koda Astronomical Institute, Czech Academy of Sciences Ondejov Jakub Koza, Andrej Palika, Ji Ndvornk and

457 views • 14 slides
Ideal extension of semigroups and their applications Hamidreza Rahimi rahimi@iauctb.ac.ir

Ideal extension of semigroups and their applications Hamidreza Rahimi rahimi@iauctb.ac.ir

5 th BLAST 2013 August 5-9, 2013 , Orange, California, USA Ideal extension of semigroups and their applications Hamidreza Rahimi rahimi@iauctb.ac.ir Department of Mathematics, Islamic Azad University, Central Tehran Branch , Tehran, Iran

869 views • 66 slides
Transformation in the making Mike Webb Vice President of Technology Services, E-Comm Rachel Holmes

Transformation in the making Mike Webb Vice President of Technology Services, E-Comm Rachel Holmes

Transformation in the making Mike Webb Vice President of Technology Services, E-Comm Rachel Holmes Executive Lead, Strategic Public Safety Initiatives, Ministry of Public Safety and Solicitor General The What The biggest change to 9-1-1 since

594 views • 21 slides

More recommend