Payload Already Inside: Data re-use for ROP Exploits
Long Le (longld at vnsecurity.net), Thanh Nguyen (rd at vnsecurity.net), HITB2010KUL / DEEPSEC 2010


  1. Payload Already Inside: Data re-use for ROP Exploits
  Long Le (longld at vnsecurity.net), Thanh Nguyen (rd at vnsecurity.net)
  HITB2010KUL / DEEPSEC 2010

  2. Agenda
  ● Introduction
  ● Recap on stack overflow & mitigations
  ● Multistage ROP technique
    ► Stage-0 (stage-1 loader)
    ► Stage-1 (actual payload)
      ♦ Payload strategy
      ♦ Resolve run-time libc addresses
  ● Putting it all together, ROPEME!
    ► Practical ROP payloads
      ♦ A complete stage-0 loader
      ♦ Practical ROP gadgets catalog
      ♦ ROP automation
    ► ROPEME Tool & DEMO
  ● Countermeasures
  ● Summary

  3. Why this talk?
  ● Buffer overflow exploitation on a modern OS is difficult because of
    ► Non-Executable memory (NX/XD)
    ► Address Space Layout Randomization (ASLR)
    ► ASCII-Armor Address Mapping
    ► Stack Protector / ProPolice
  ● High-entropy ASLR and ASCII-Armor Address Mapping make Return-to-Libc / Return-Oriented-Programming (ROP) exploitation techniques difficult

  4. What will be presented?
  ● A practical and reliable combination technique to bypass NX, stack/mmap/shared-lib ASLR and ASCII-Armor protections on x86 OSes when exploiting memory/stack corruption vulnerabilities
    ► Multistage ROP exploitation technique
  ● ROPEME tool
    ► Practical ROP gadgets catalog
    ► Automation

  5. What not?
  ● Not a return-oriented programming talk
  ● We also do not talk about
    ► ASLR implementation flaws / information leaks
    ► Compilation protections
      ♦ Stack Protector / ProPolice
      ♦ FORTIFY_SOURCE
    ► Mandatory Access Control
      ♦ SELinux
      ♦ AppArmor
      ♦ RBAC/Grsecurity

  6. Agenda (same outline as slide 2; next section: Recap on stack overflow & mitigations)

  7. Sample vulnerable program

      #include <string.h>
      #include <stdio.h>
      #include <stdlib.h>   /* exit() */
      #include <unistd.h>   /* seteuid(), getuid() */

      int main(int argc, char **argv)
      {
          char buf[256];
          int i;

          seteuid(getuid());
          if (argc < 2) {
              puts("Need an argument\n");
              exit(1);
          }
          // vulnerable code: classic buffer overflow, argv[1] is copied with no bounds check
          strcpy(buf, argv[1]);
          printf("%s\nLen:%d\n", buf, (int)strlen(buf));
          return (0);
      }
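For contrast, here is a hardened counterpart of the slide's program. This is an added example, not code from the presentation: it keeps the same command-line interface (the seteuid call is left out for brevity) and replaces the unchecked strcpy with a copy that refuses input that does not fit, instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* Copy src into dst (capacity dstlen) only if it fits together with its NUL.
 * Returns 0 on success, -1 if src is too long. Rejecting over-long input
 * rather than truncating keeps the printed "Len:" honest and avoids the
 * classic strncpy pitfall of leaving the buffer unterminated. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    while (n < dstlen && src[n] != '\0')   /* never scan past dstlen bytes */
        n++;
    if (n >= dstlen) {                      /* no room left for the NUL */
        if (dstlen > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                /* copies the terminating NUL too */
    return 0;
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];

    if (argc < 2) {
        puts("Need an argument");
        return 1;
    }
    if (copy_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "Argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    printf("%s\nLen:%d\n", buf, (int)strlen(buf));
    return 0;
}
```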

  8. Stack overflow
  Stack layout after the overflow (buffer filled with A's, saved EBP and saved EIP overwritten; stack grows downward):
      AA...AA
      AAAA
      AAAA
      AAAA
      AAAA
      Saved EBP
      Saved EIP
  ● Attacker controlled
    ► Execution flow: EIP
    ► Stack: ESP

  9. Mitigation techniques
  ● Non-eXecutable memory (PaX, ExecShield, ...)
    ► Hardware NX/XD bit
    ► Emulation
  ● Address Space Layout Randomization (ASLR)
    ► stack, heap, mmap, shared lib
    ► application base (requires userland compiler support for PIE)
  ● ASCII-Armor mapping
    ► Relocate all shared libraries to the ASCII-Armor area (0-16MB). Lib addresses start with a NULL byte
  ● Compilation protections
    ► Stack Canary / Protector
    ► FORTIFY_SOURCE

  10. NX / ASLR / ASCII-Armor

      $ cat /proc/self/maps
      00a97000-00c1d000 r-xp 00000000 fd:00 91231      /lib/libc-2.12.so
      00c1d000-00c1f000 r--p 00185000 fd:00 91231      /lib/libc-2.12.so
      00c1f000-00c20000 rw-p 00187000 fd:00 91231      /lib/libc-2.12.so
      00c20000-00c23000 rw-p 00000000 00:00 0
      08048000-08053000 r-xp 00000000 fd:00 21853      /bin/cat
      08053000-08054000 rw-p 0000a000 fd:00 21853      /bin/cat
      09fb2000-09fd3000 rw-p 00000000 00:00 0          [heap]
      b777a000-b777b000 rw-p 00000000 00:00 0
      b778a000-b778b000 rw-p 00000000 00:00 0
      bfd07000-bfd1c000 rw-p 00000000 00:00 0          [stack]

  Slide annotations: libc is mapped at 0x00a97000, inside the ASCII-Armor area (leading NULL byte); /bin/cat sits at the fixed 0x08048000 base (no PIE); code pages are r-x and data pages rw- (NX); heap, mmap and stack addresses are randomized (ASLR).
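The three properties the slide annotates can be checked mechanically. The following C program is an added example, not part of the presentation: it parses lines in /proc/<pid>/maps format (the slide's output plus one constructed rwxp line) and counts writable+executable mappings, library text inside and outside the ASCII-Armor area, and executables at the fixed i386 base; the 16 MB limit and the 0x08048000 base are assumptions stated in the code.

```c
#include <stdio.h>
#include <string.h>
/* Lines in /proc/<pid>/maps format: the slide's output plus one constructed
 * rwxp line (not from the slide) to show what an NX violation looks like. */
static const char *SAMPLE_MAPS[] = {
    "00a97000-00c1d000 r-xp 00000000 fd:00 91231 /lib/libc-2.12.so",
    "00c1f000-00c20000 rw-p 00187000 fd:00 91231 /lib/libc-2.12.so",
    "08048000-08053000 r-xp 00000000 fd:00 21853 /bin/cat",
    "09fb2000-09fd3000 rw-p 00000000 00:00 0 [heap]",
    "b777a000-b777b000 rwxp 00000000 00:00 0",
    "bfd07000-bfd1c000 rw-p 00000000 00:00 0 [stack]",
};
#define SAMPLE_COUNT (sizeof SAMPLE_MAPS / sizeof SAMPLE_MAPS[0])
#define ASCII_ARMOR_LIMIT 0x01000000UL /* 16 MB: address has a leading 0x00 byte */
#define CLASSIC_I386_BASE 0x08048000UL /* usual non-PIE i386 base (assumption) */
struct maps_report {
    int wx_mappings;        /* writable AND executable: NX not in force there */
    int armored_lib_text;   /* executable library mappings inside ASCII-Armor */
    int unarmored_lib_text; /* executable library mappings above 16 MB */
    int fixed_base_exec;    /* executable text at the classic fixed base (no PIE) */
};

/* Walk the lines, classify each mapping, and count what a defender cares about. */
struct maps_report audit_maps(const char **lines, size_t count)
{
    struct maps_report r = {0, 0, 0, 0};
    for (size_t i = 0; i < count; i++) {
        unsigned long start, end;
        char perms[5], path[256] = "";  /* path stays empty for anonymous maps */
        if (sscanf(lines[i], "%lx-%lx %4s %*x %*s %*s %255s",
                   &start, &end, perms, path) < 3)
            continue;                   /* not a maps line; skip it */
        int w = perms[1] == 'w', x = perms[2] == 'x';
        if (w && x)
            r.wx_mappings++;
        if (x && strstr(path, ".so") != NULL) {
            if (start < ASCII_ARMOR_LIMIT) r.armored_lib_text++;
            else r.unarmored_lib_text++;
        }
        if (x && start == CLASSIC_I386_BASE)
            r.fixed_base_exec++;
    }
    return r;
}

int main(void)
{
    struct maps_report r = audit_maps(SAMPLE_MAPS, SAMPLE_COUNT);
    printf("rwx=%d armored_libs=%d unarmored_libs=%d fixed_base=%d\n",
           r.wx_mappings, r.armored_lib_text, r.unarmored_lib_text, r.fixed_base_exec);
    return 0;
}
```

On a live system, feed it the lines of /proc/<pid>/maps instead of SAMPLE_MAPS; a non-zero rwx count or a non-zero fixed-base count is the condition the slide's later stages rely on.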

  11. Linux ASLR

      Region           Randomness               Circumvention
      shared library   12 bits * / 17 bits **   Feasible
      mmap             12 bits * / 17 bits **   Feasible
      heap             13 bits * / 23 bits **   Feasible
      stack            19 bits * / 23 bits **   Depends ***

  *   paxtest on Fedora 13 (ExecShield)
  **  paxtest on Gentoo with hardened kernel source 2.6.32 (PaX/Grsecurity)
  *** Bypassing ASLR depends on the vulns, the ASLR implementation and environmental factors

  12. Recap - Basic code injection
  ● Traditional in the 1990s
    ► Everything is statically mapped
    ► Can perform arbitrary computation
  ● Does not work with NX
  ● Difficult with ASLR

  13. Recap - Return-to-libc
  ● Bypasses NX
  ● Difficult with ASLR/ASCII-Armor
    ► Libc function addresses
    ► Location of arguments on the stack
    ► NULL byte
    ► Hard to make chained ret-to-libc calls

  14. Recap – Return-Oriented Programming I
  ● Based on ret-to-libc and “borrowed code chunks” ideas
  ● Gadgets: sequences of instructions ending with RET *
    ► pop edi; ret: load a value into a register
    ► pop ebx; pop ebp; ret: lift ESP up 8 bytes
    ► add [eax], ebx; ret: add a register's value to the memory location
  * It is possible to do ROP without returns, e.g. with jmp *reg

  15. Recap – Return-Oriented Programming II
  ● With enough gadgets, ROP payloads can perform arbitrary computation (Turing-complete)
  ● Problems
    ► Small number of gadgets in the vulnerable binary
    ► Libs have more gadgets, but ASLR/ASCII-Armor makes using them difficult, as with the return-to-libc technique

  16. Exploitability vs. Mitigation Techniques

      Mitigation                                              Exploitability
      NX                                                      Easy
      ASLR                                                    Easy
      Stack Canary / SSP                                      Depends*
      NX + ASLR w/o PIE + ASCII-Armor                         Depends*
      NX + ASLR with PIE + Stack Canary + ASCII-Armor         Hard*

  * depends on the vulns, context and environmental factors

  17. Agenda (same outline as slide 2; next section: Multistage ROP technique)

  18. Multistage payload
  The basic idea is to build
    ► A generic Stage-0 payload which bypasses stack/mmap/shared-lib ASLR, NX and ASCII-Armor protections using a small number of ROP gadgets found inside the executable itself (available in most binaries compiled with GCC), and which loads a more complex Stage-1 payload
    ► A Stage-1 payload, which can be a full ROP shellcode, chained libc calls or normal shellcode

  19. Stage-0: Build stack at a fixed location I
  ● Build a custom stack at a known location
    ► Full control of the stack, no need to worry about randomized stack addresses
    ► Easy control of function arguments
    ► Control of stack frames

  20. Stage-0: Build stack at a fixed location II
  (figure-only slide)

  21. Stage-0: Build stack at a fixed location III
  ● Location for the new stack?
    ► Data section of the binary
      ♦ Writable
      ♦ Address is known in advance

  22. Stage-0: Build stack at a fixed location IV
  Section headers of the sample binary:

      [Nr] Name              Type      Addr     Off    Size   ES Flg Lk Inf Al
      [ 0]                   NULL      00000000 000000 000000 00      0   0  0
      [ 1] .interp           PROGBITS  08048134 000134 000013 00   A  0   0  1
      [ 2] .note.ABI-tag     NOTE      08048148 000148 000020 00   A  0   0  4
      [ 3] .note.gnu.build-i NOTE      08048168 000168 000024 00   A  0   0  4
      [ 4] .gnu.hash         GNU_HASH  0804818c 00018c 000020 04   A  5   0  4
      [ 5] .dynsym           DYNSYM    080481ac 0001ac 0000b0 10   A  6   1  4
      [ 6] .dynstr           STRTAB    0804825c 00025c 000073 00   A  0   0  1
      [ 7] .gnu.version      VERSYM    080482d0 0002d0 000016 02   A  5   0  2
      [ 8] .gnu.version_r    VERNEED   080482e8 0002e8 000020 00   A  6   1  4
      [ 9] .rel.dyn          REL       08048308 000308 000008 08   A  5   0  4
      [10] .rel.plt          REL       08048310 000310 000048 08   A  5  12  4
      [11] .init             PROGBITS  08048358 000358 000030 00  AX  0   0  4
      [12] .plt              PROGBITS  08048388 000388 0000a0 04  AX  0   0  4
      [13] .text             PROGBITS  08048430 000430 0001dc 00  AX  0   0 16
      [14] .fini             PROGBITS  0804860c 00060c 00001c 00  AX  0   0  4
      [15] .rodata           PROGBITS  08048628 000628 000028 00   A  0   0  4
      [16] .eh_frame_hdr     PROGBITS  08048650 000650 000024 00   A  0   0  4
      [17] .eh_frame         PROGBITS  08048674 000674 00007c 00   A  0   0  4
      [18] .ctors            PROGBITS  080496f0 0006f0 000008 00  WA  0   0  4
      [19] .dtors            PROGBITS  080496f8 0006f8 000008 00  WA  0   0  4
      [20] .jcr              PROGBITS  08049700 000700 000004 00  WA  0   0  4
      [21] .dynamic          DYNAMIC   08049704 000704 0000c8 08  WA  6   0  4
      [22] .got              PROGBITS  080497cc 0007cc 000004 04  WA  0   0  4
      [23] .got.plt          PROGBITS  080497d0 0007d0 000030 04  WA  0   0  4
      [24] .data             PROGBITS  08049800 000800 000004 00  WA  0   0  4
      [25] .bss              NOBITS    08049804 000804 000008 00  WA  0   0  4

  The slide highlights 0x08049804 (.bss: writable, fixed address) as the location for the new stack.

  23. Stage-0: Transfer stage-1 to the new stack
  ● Use memory copy gadgets / functions to transfer the stage-1 payload to the new stack
    ► load reg; store [mem_addr], reg
    ► return to strcpy() / sprintf()
      • Return to PLT (Procedure Linkage Table)
      • Resolve the runtime libc address
        – GOT overwriting / GOT dereferencing
  ● No NULL byte in the stage-0 payload
  ● Transfer the payload byte by byte
  ● Where is my payload?
    ► Re-use data inside the binary
