
Payload Already Inside: Data re-use for ROP - PowerPoint PPT Presentation



  1. Payload Already Inside: Data re-use for ROP Exploits
     Long Le, longld@vnsecurity.net
     BLACKHAT USA 2010

  2. Who am I?
     ● VNSECURITY founding member
     ● Capture-The-Flag player
       ► CLGT Team
     B.A.D.

  3. Why this talk?
     ● Buffer overflow exploitation on a modern Linux (x86) distribution is difficult
       ► Non-Executable memory (NX/XD)
       ► Address Space Layout Randomization (ASLR)
       ► ASCII-Armor Address Mapping
     High-entropy ASLR together with ASCII-Armor Address Mapping makes Return-to-Libc and Return-Oriented-Programming (ROP) exploitation techniques very difficult.

  4. What will be presented?
     ● A practical and reliable technique to bypass NX, ASLR and ASCII-Armor protections when exploiting memory/stack corruption vulnerabilities
       ► Multistage ROP exploitation technique
     ● Focus on the latest Linux x86
     ● Our ROPEME tool
       ► Practical ROP gadgets catalog
       ► Automation scripts

  5. What not?
     ● Not a return-oriented programming 101 talk
     ● We do not talk about
       ► ASLR implementation flaws / information leaks
       ► Compilation protections
         ♦ Stack Protector / ProPolice
       ► Mandatory Access Control
         ♦ SELinux
         ♦ AppArmor
         ♦ RBAC/Grsecurity

  6. Agenda
     ● Introduction
     ● Recap on stack overflow & mitigations
     ● Multistage ROP technique
       ► Stage-0 (payload loader)
       ► Stage-1 (actual payload)
         ♦ Payload strategy
         ♦ Resolve run-time libc addresses
     ● Putting it all together, ROPEME!
       ► Practical ROP payloads
         ♦ A complete stage-0 loader
         ♦ Practical ROP gadgets catalog
         ♦ ROP automation
       ► ROPEME Tool & DEMO
     ● Countermeasures
     ● Summary

  7. Sample vulnerable program

     ```c
     #include <stdio.h>
     #include <stdlib.h>   /* exit() */
     #include <string.h>
     #include <unistd.h>   /* seteuid(), getuid() */

     int main(int argc, char **argv)
     {
         char buf[256];
         int i;

         seteuid(getuid());
         if (argc < 2) {
             puts("Need an argument\n");
             exit(1);
         }
         // vulnerable code: unbounded copy of argv[1] into a 256-byte stack buffer (Overflow!)
         strcpy(buf, argv[1]);
         printf("%s\nLen:%d\n", buf, (int)strlen(buf));
         return (0);
     }
     ```

  8. Stack overflow
     Stack layout (stack growth downward; the overflow writes upward through the frame):
       buf:        AA...AA AAAA AAAA AAAA AAAA
       Saved EBP   (overwritten)
       Saved EIP   (overwritten)
     ● Attacker controlled
       ► Execution flow: EIP
       ► Stack: ESP

  9. Mitigation techniques
     ● Non-eXecutable memory (PaX, ExecShield, ...)
       ► Hardware NX/XD bit
       ► Emulation
     ● Address Space Layout Randomization (ASLR)
       ► stack, heap, mmap, shared libraries
       ► application base (requires userland compiler support for PIE)
     ● ASCII-Armor mapping
       ► Relocate all shared libraries to the ASCII-Armor area (0-16MB); library addresses then start with a NULL byte
     ● Compilation protections
       ► Stack Canary / Protector

  10. NX / ASLR / ASCII-Armor

      ```text
      $ cat /proc/self/maps
      00a97000-00c1d000 r-xp 00000000 fd:00 91231      /lib/libc-2.12.so
      00c1d000-00c1f000 r--p 00185000 fd:00 91231      /lib/libc-2.12.so
      00c1f000-00c20000 rw-p 00187000 fd:00 91231      /lib/libc-2.12.so
      00c20000-00c23000 rw-p 00000000 00:00 0
      08048000-08053000 r-xp 00000000 fd:00 21853      /bin/cat
      08053000-08054000 rw-p 0000a000 fd:00 21853      /bin/cat
      09fb2000-09fd3000 rw-p 00000000 00:00 0          [heap]
      b777a000-b777b000 rw-p 00000000 00:00 0
      b778a000-b778b000 rw-p 00000000 00:00 0
      bfd07000-bfd1c000 rw-p 00000000 00:00 0          [stack]
      ```

      Callouts on the slide: libc is mapped in the ASCII-Armor area (below 16MB, so its addresses start with a NULL byte); /bin/cat is loaded at the fixed address 0x08048000 (no PIE); code is r-xp and data rw-p (NX); heap, mmap and stack addresses are randomized (ASLR).
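The slide reads these properties off the listing by eye. The Python script below, an added example that is not part of the talk or of the ROPEME tool, automates the same audit over a process map: it parses `/proc/<pid>/maps` lines, flags any mapping that is both writable and executable (which would defeat NX), checks whether every shared library lies entirely below the 16 MB ASCII-Armor boundary, whether the main executable sits at the classic non-PIE base 0x08048000, and whether the stack is executable. The sample input is the slide's own listing embedded inline; the constant names `ASCII_ARMOR_LIMIT` and `CLASSIC_EXEC_BASE` and the function names are this example's own choices.

```python
import re
import sys
from typing import Dict, List, NamedTuple

# 16 MiB boundary of the ASCII-Armor area: every address below it has 0x00 as
# its most significant byte (name chosen for this example).
ASCII_ARMOR_LIMIT = 0x01000000
# Fixed load address of a classic (non-PIE) i386 ELF executable.
CLASSIC_EXEC_BASE = 0x08048000

# The /proc/self/maps listing from the slide above, embedded as sample input.
SAMPLE_MAPS = """\
00a97000-00c1d000 r-xp 00000000 fd:00 91231      /lib/libc-2.12.so
00c1d000-00c1f000 r--p 00185000 fd:00 91231      /lib/libc-2.12.so
00c1f000-00c20000 rw-p 00187000 fd:00 91231      /lib/libc-2.12.so
00c20000-00c23000 rw-p 00000000 00:00 0
08048000-08053000 r-xp 00000000 fd:00 21853      /bin/cat
08053000-08054000 rw-p 0000a000 fd:00 21853      /bin/cat
09fb2000-09fd3000 rw-p 00000000 00:00 0          [heap]
b777a000-b777b000 rw-p 00000000 00:00 0
b778a000-b778b000 rw-p 00000000 00:00 0
bfd07000-bfd1c000 rw-p 00000000 00:00 0          [stack]
"""


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str   # e.g. "r-xp"
    path: str    # file path, "[heap]"/"[stack]", or "" for anonymous memory


# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    maps: List[Mapping] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(4).strip()))
    return maps


def audit(maps: List[Mapping]) -> Dict[str, object]:
    """Summarise how NX, ASLR/PIE and ASCII-Armor show up in a process map."""
    libs = [m for m in maps if ".so" in m.path]
    # The main executable: first file-backed mapping that is not a shared object.
    exe = [m for m in maps if m.path and not m.path.startswith("[") and ".so" not in m.path]
    stack = [m for m in maps if m.path == "[stack]"]
    return {
        # W+X memory defeats NX outright; a clean process has none.
        "wx_mappings": [m.path or "<anon>" for m in maps
                        if "w" in m.perms and "x" in m.perms],
        # Every shared library mapped entirely below 16 MiB => ASCII-Armor in effect.
        "all_libs_ascii_armored": bool(libs) and all(m.end <= ASCII_ARMOR_LIMIT for m in libs),
        # A PIE executable is relocated away from 0x08048000 by ASLR.
        "executable_is_pie": bool(exe) and exe[0].start != CLASSIC_EXEC_BASE,
        "stack_executable": any("x" in m.perms for m in stack),
    }


if __name__ == "__main__":
    # With a pid argument, audit a live process; otherwise use the embedded sample.
    text = open(f"/proc/{sys.argv[1]}/maps").read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for key, value in audit(parse_maps(text)).items():
        print(f"{key}: {value}")
```

Run without arguments it reports on the slide's listing (no W+X mappings, libraries ASCII-armored, executable not PIE, stack not executable); `python3 maps_audit.py <pid>` applies the same checks to a running process on a Linux host.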

  11. Linux ASLR

      | Region | Randomness | Circumvention |
      |---|---|---|
      | shared library | 12 bits* / 17 bits** | Feasible*** |
      | mmap | 12 bits* / 17 bits** | Feasible*** |
      | heap | 13 bits* / 23 bits** | Feasible* |
      | stack | 19 bits* / 23 bits** | Hard |

      \* paxtest on Fedora 13 (ExecShield)
      \*\* paxtest on Gentoo with hardened kernel source 2.6.32 (PaX/Grsecurity)
      \*\*\* Bypassing ASLR depends on the vulns, the ASLR implementation and environmental factors. 17 bits might still be within brute-force range.

  12. Recap - Basic code injection
      Stack layout (stack growth): padding | &shellcode (overwrites Saved EIP) | NOP ... NOP | shellcode
      ● Traditional in the 1990s
        ► Everything is static
        ► Can perform arbitrary computation
      ● Does not work with NX
      ● Difficult with ASLR

  13. Recap - Return-to-libc
      Stack layout (stack growth): padding | &system() (overwrites Saved EIP) | &next_func() | &binsh | ... | "/bin/sh"
      ● Bypasses NX
      ● Difficult with ASLR/ASCII-Armor
        ► Libc functions' addresses
        ► Location of arguments on the stack
        ► NULL byte → hard to make chained ret-to-libc calls

  14. Recap – Return-Oriented Programming I
      ● Based on ret-to-libc and "borrowed code chunks"
      ● Gadgets: sequences of instructions ending with RET, for example
        ► pop ebx; ret : load a value into the register
        ► pop edi; pop ebp; ret : lift ESP up 8 bytes
        ► add [eax], ebx; ret : add the register's value to the memory location

  15. Recap – Return-Oriented Programming II
      Example ROP chain on the stack (lowest address first, i.e. in execution order; the right-hand side is the gadget at that address):
        0x22d4c   → pop eax; ret
        0xb
        0x16be3   → pop ebx; ret
        &binsh
        0x2a4eb   → pop ecx; pop edx; ret
        0x0
        0x0
        0x80497ec
        0x9ad25   → call gs:[0x10]; ret
        ...
        "/bin/sh"
      ● With enough gadgets, ROP payloads can perform arbitrary computation (Turing-complete)
      ● Problems
        ► Small number of gadgets in the vulnerable binary
        ► Libraries have more gadgets, but ASLR/ASCII-Armor makes using them difficult, as with the return-to-libc technique

  16. Exploitability vs. Mitigation Techniques

      | Mitigation | Exploitability |
      |---|---|
      | NX | Easy |
      | ASLR | Feasible |
      | NX + ASCII-Armor | Feasible* |
      | NX + ASLR | Depends* |
      | NX + ASLR + ASCII-Armor | Hard* (our target: make this become easy) |
      | NX + ASLR + ASCII-Armor + Stack Canary + PIE | Hard++* |

      \* depends on the vulns, context and environmental factors

  17. Agenda (same as slide 6)

  18. Stage-0: Make a fixed stack I
      ● Why a fixed stack?
        ► Bypass ASLR (randomized stack)
        ► Control a function's arguments
        ► Control stack frames
      ● Where is my fixed stack?
        ► Data section of the binary
          ♦ Writable
          ♦ Fixed location
          ♦ Address is known in advance

  19. Stage-0: Make a fixed stack II
      Fixed stack laid out in the data section (lowest address first; labels as on the slide):
        0x8049810: pop ebp; ret
        0x8049820            (next stack frame)
        leave; ret
        &system()
        pop-ret
        0x8049838            (system()'s argument)
        "/bin/sh"

  20. Stage-0: Make a fixed stack III

      ```text
      [Nr] Name              Type      Addr     Off    Size   ES Flg Lk Inf Al
      [ 0]                   NULL      00000000 000000 000000 00      0   0  0
      [ 1] .interp           PROGBITS  08048134 000134 000013 00   A  0   0  1
      [ 2] .note.ABI-tag     NOTE      08048148 000148 000020 00   A  0   0  4
      [ 3] .note.gnu.build-i NOTE      08048168 000168 000024 00   A  0   0  4
      [ 4] .gnu.hash         GNU_HASH  0804818c 00018c 000020 04   A  5   0  4
      [ 5] .dynsym           DYNSYM    080481ac 0001ac 0000b0 10   A  6   1  4
      [ 6] .dynstr           STRTAB    0804825c 00025c 000073 00   A  0   0  1
      [ 7] .gnu.version      VERSYM    080482d0 0002d0 000016 02   A  5   0  2
      [ 8] .gnu.version_r    VERNEED   080482e8 0002e8 000020 00   A  6   1  4
      [ 9] .rel.dyn          REL       08048308 000308 000008 08   A  5   0  4
      [10] .rel.plt          REL       08048310 000310 000048 08   A  5  12  4
      [11] .init             PROGBITS  08048358 000358 000030 00  AX  0   0  4
      [12] .plt              PROGBITS  08048388 000388 0000a0 04  AX  0   0  4
      [13] .text             PROGBITS  08048430 000430 0001dc 00  AX  0   0 16
      [14] .fini             PROGBITS  0804860c 00060c 00001c 00  AX  0   0  4
      [15] .rodata           PROGBITS  08048628 000628 000028 00   A  0   0  4
      [16] .eh_frame_hdr     PROGBITS  08048650 000650 000024 00   A  0   0  4
      [17] .eh_frame         PROGBITS  08048674 000674 00007c 00   A  0   0  4
      [18] .ctors            PROGBITS  080496f0 0006f0 000008 00  WA  0   0  4
      [19] .dtors            PROGBITS  080496f8 0006f8 000008 00  WA  0   0  4
      [20] .jcr              PROGBITS  08049700 000700 000004 00  WA  0   0  4
      [21] .dynamic          DYNAMIC   08049704 000704 0000c8 08  WA  6   0  4
      [22] .got              PROGBITS  080497cc 0007cc 000004 04  WA  0   0  4
      [23] .got.plt          PROGBITS  080497d0 0007d0 000030 04  WA  0   0  4
      [24] .data             PROGBITS  08049800 000800 000004 00  WA  0   0  4
      [25] .bss              NOBITS    08049804 000804 000008 00  WA  0   0  4
      ```

      Callout on the slide: 0x08049804, the address of the writable .bss section, fixed because the binary is not PIE.
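Slides 18 to 20 depend on the binary being non-PIE, so that its writable .data/.bss live at an address known before the exploit runs. The Python checker below, an added example that is neither from the talk nor from ROPEME, reads the ELF32 header and program headers of an image and reports what a defender would verify on a deployed binary: whether it is PIE (`ET_DYN`), whether a `PT_GNU_STACK` header marks the stack non-executable, whether a `PT_GNU_RELRO` segment is present, and, for a fixed-address executable, which writable `PT_LOAD` segments sit at known addresses. Instead of reading a file it builds two header-only images inline (constructed for this example; the segment addresses of the unhardened one mirror the section table above); `build_elf32` and `check_elf32` are this example's own names.

```python
import struct
from typing import Dict, List, Tuple

# ELF constants (values as defined in the ELF specification / <elf.h>).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian, 52 bytes
PHDR_FMT = "<IIIIIIII"           # Elf32_Phdr, 32 bytes
EHDR_SIZE, PHDR_SIZE = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
IDENT32 = b"\x7fELF\x01\x01\x01" + b"\x00" * 9   # ELFCLASS32, 2's complement LSB, EV_CURRENT


def build_elf32(e_type: int, phdrs: List[Tuple[int, int, int, int]]) -> bytes:
    """Construct a header-only ELF32 image (no real code) for the checker.

    phdrs entries are (p_type, p_vaddr, p_memsz, p_flags); e_machine is EM_386 (3).
    """
    ehdr = struct.pack(EHDR_FMT, IDENT32, e_type, 3, 1, 0, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, 0, va, va, sz, sz, fl, 0x1000)
                    for t, va, sz, fl in phdrs)
    return ehdr + body


def check_elf32(data: bytes) -> Dict[str, object]:
    """Report PIE / NX-stack / RELRO status and fixed-address writable segments."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not a 32-bit ELF image")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    gnu_stack_flags = None
    relro = False
    fixed_writable: List[Tuple[int, int]] = []
    for i in range(e_phnum):
        p_type, _, p_vaddr, _, _, p_memsz, p_flags, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_LOAD and (p_flags & PF_W) and e_type == ET_EXEC:
            # In a non-PIE executable this segment lands at the same address on
            # every run: exactly the "fixed stack" location the talk relies on.
            fixed_writable.append((p_vaddr, p_memsz))
    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK header at all is treated as unprotected: on i386 the
        # loader has historically fallen back to an executable stack in that case.
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        "relro": relro,
        "fixed_writable_segments": fixed_writable,
    }


# Constructed sample: a non-PIE executable whose writable segment covers .ctors
# through .bss at the addresses of the section table above (0x080496f0-0x0804980c).
UNHARDENED = build_elf32(ET_EXEC, [
    (PT_LOAD, 0x08048000, 0x654, PF_R | PF_X),
    (PT_LOAD, 0x080496F0, 0x11C, PF_R | PF_W),
    (PT_GNU_STACK, 0, 0, PF_R | PF_W),
])
# Constructed sample: the same layout built as PIE, with a RELRO segment.
HARDENED = build_elf32(ET_DYN, [
    (PT_LOAD, 0x0, 0x654, PF_R | PF_X),
    (PT_LOAD, 0x16F0, 0x11C, PF_R | PF_W),
    (PT_GNU_STACK, 0, 0, PF_R | PF_W),
    (PT_GNU_RELRO, 0x16F0, 0xE0, PF_R),
])

if __name__ == "__main__":
    import sys
    # With a path argument, check a real 32-bit ELF file; otherwise the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else UNHARDENED
    for key, value in check_elf32(data).items():
        print(f"{key}: {value}")
```

For the unhardened sample the report lists the writable segment at 0x080496f0 as fixed; the PIE sample reports no fixed writable segments, which is the property that removes the known-address precondition of stage-0. A binary that lacks `PT_GNU_STACK` entirely is reported as not NX-protected rather than silently passed.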
