The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Size: px

Start display at page:

Download "The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler"

Homer Shelton
6 years ago
Views:

1 The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

2 return-oriented programming Hovav Shacham presented by: Fabian Fäßler

3 ROP Hovav Shacham presented by: Fabian Fäßler

4 What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 4

5 Overview Buffer Overflow + Shellcode DEP / W X return2libc return-oriented programming additional information 5

6 Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 6 source: exploit-exercises.com

7 Buffer Overflow + Shellcode --> 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> eax 0xbffffc60 ecx 0xbbb5764b edx 0x ebx 0xb7fd7ff4 esp 0xbffffc50 ebp 0xbffffca8 esi 0x edi 0x eip 0x080483d4 <main+16> 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff1040 0x c 7 source: exploit-exercises.com

8 Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret eax ecx edx ebx esp ebp esi edi eip 0xbffffc60 0xbbb5764b 0x xb7fd7ff4 0xbffffc4c 0xbffffca8 0x x xb7ef3e40 <_IO_gets+0> 0x080483d9 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff source: exploit-exercises.com

9 Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret eax ecx edx ebx esp ebp esi edi eip 0xbffffc60 0xbffffc60 0xb7fd9334 0xb7fd7ff4 0xbffffc4c 0xbffffca8 0x x xb7ef3f2d <_IO_gets+237> 0x080483d9 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff source: exploit-exercises.com

10 Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret eax ecx edx ebx esp ebp esi edi eip ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xbffffc60 0xbffffc60 0xb7fd9334 0xb7fd7ff4 0xbffffc4c 0xbffffca8 0x x xb7ef3f2d <_IO_gets+237> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret? 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff source: exploit-exercises.com

11 Buffer Overflow + Shellcode 0x31c x2f2f7368 0x682f6269 0x6e89e350 0xbffffc30 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff

12 Buffer Overflow + Shellcode Shellcode Restrictions: Attacker has to write it somewhere Write destination has to be executable 0x31c x2f2f7368 0x682f6269 0x6e89e350 0xbffffc30 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff

13 DEP / W X Shellcode Restrictions: Attacker has to write it somewhere Write destination has to be executable! Countermeasures: Data Execution Prevention Write XOR Execute - memory protection policy 13

14 ret2libc? 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff

15 ret2libc (gdb) x system 0xb7ecffb0 < libc_system>: 0x890cec83 (gdb) disassemble system Dump of assembler code for function libc_system: 0xb7ecffb0 < libc_system+0>: sub esp,0xc 0xb7ecffb3 < libc_system+3>: mov DWORD PTR [esp+0x4],esi 0xb7ecffb7 < libc_system+7>: mov esi,dword PTR [esp+0x10] system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff

16 ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fc1 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff

17 ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff

18 ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff

19 ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret! Gadget 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x c 0xbffffc78 0x080482c4 0xb7ff

20 ret2libc - recap Oldschool shellcode requires write AND execute rights ret2libc can be used to call critical functions such as system, execve, etc. You can load parameters and chain functions! 20

21 ret2libc - recap Oldschool shellcode requires write AND execute rights ret2libc can be used to call critical functions such as system, execve, etc. You can load parameters and chain functions! Evolution of ret2libc is ROP 21

22 ROP - step 1/2 1. Find gadgets asm 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret 0x51 0x59 0x58 0xc3 22

23 ROP - step 1/2 1. Find gadgets asm 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret 0x51 0x59 0x58 0xc3 0xb7f0bc0d <stpcpy+61>: 0xb7f0bc0e <stpcpy+62>: 0xb7f0bc0f <stpcpy+63>: 0xb7f0bc10 <stpcpy+64>: inc eax inc eax inc eax ret 0xb7f29fc7 <dirfd+7>: 0xb7f29fc9 <dirfd+9>: mov eax,dword PTR [eax] ret 23

24 ROP - step 1/2 1. Find gadgets - advanced 24

25 ROP - step 1/2 1. Find gadgets - advanced 25

26 ROP - step 1/2 1. Find gadgets - advanced b2 : ror byte ptr [edi], -0x7c b5 : ret 26

27 ROP - step 1/2 1. Find gadgets - advanced b2 : ror byte ptr [edi], -0x7c b5 : ret algorithm: search for 0xc3 (ret), and look backwards if there are valid instructions. 27

28 ROP - step 1/2 1. Find gadgets - advanced $ python ROPgadget.py --binary ~/libc.so.6 0x00138c14 : xor al, -0x20 ; add byte ptr [eax], al ; sbb ah, cl ; cli ; call edi 0x00128f04 : xor al, -0x58 ; add byte ptr [eax], al ; cld ; ret -0xa 0x0012ab71 : sub esi, edi ; jmp esp 0x : sub esi, esi ; call dword ptr [eax] 0x : sub esp, 0x10 ; call 0x16ad8 0x0003d595 : rol byte ptr [ecx], -0x7d ; ret 0x390c 0x a : rep push eax ; jnp 0x1287a8 ; add byte ptr [esp + edi*8 + 0xfffffff3], bl ; call dword ptr [eax] 0x00072d09 : or dword ptr [ebx + 0x960ff07d], ecx ; ret 0x5589 0x000a4079 : movzx eax, al ; sub eax, 1 ; pop ebp ; ret 0x00097c4a : mov eax, 0x39 ; int 0x80 0x0011b958 : jo 0x11b901 ; hlt ; call ebx 0x c : jge 0x6557f ; mov esp, ebp ; pop ebp ; ret 0x : add eax, dword ptr [eax] ; add byte ptr [ebx + 0xfffe548d], cl ; jmp dword ptr [ebx]... 28

29 geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] 29

30 geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] ARM has 32bit and 16bit wide instructions. Forcing THUMB mode could be used as well. 30

31 geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] ARM has 32bit and 16bit wide instructions. Forcing THUMB mode could be used as well.! MIPS enforces 32bit instructions and alignment.! 31

32 ROP - step 2/2 2. The weird machine - building an instruction set. 32

33 ROP - step 2/2 2. The weird machine - building an instruction set. 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret load values into registers 0xb7f0bc0d <stpcpy+61>: 0xb7f0bc0e <stpcpy+62>: 0xb7f0bc0f <stpcpy+63>: 0xb7f0bc10 <stpcpy+64>: inc eax inc eax inc eax ret increment registers 0xb7f29fc7 <dirfd+7>: 0xb7f29fc9 <dirfd+9>: mov eax,dword PTR [eax] ret load from an address 33

34 ROP - step 2/2 2. The weird machine - building an instruction set. add: 34

35 ROP - step 2/2 2. The weird machine - building an instruction set. add: 35

36 ROP - step 2/2 2. The weird machine - building an instruction set. add: 36

37 ROP - step 2/2 2. The weird machine - building an instruction set. Loading Constant Loading from Memory Storing to Memory Add XOR And/Or/Not Shift and Rotate Unconditional Jumps Conditional Jumps System Calls Function Calls (ret2libc) 37 Write any code you like <3

38 a weird machine is born source: The science 38 of Insecurity (29c3) - Sassman, Patterson, Bratus

39 What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 39

40 What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 40

41 What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 41

42 Discussion What is the obvious mitigation for this? 42

43 The ASLR Lie source:

44 The ASLR Lie source:

45 The ASLR Lie source:

46 Discussion What do you think about, ROP, geometry, ASLR, W X 46

47 References The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) - [0] direct quote page 4 - Figure 5 - Figure 7 exploit-exercises.com The science of Insecurity - Sassman, Patterson, Bratus 47

Return-orientated Programming

Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming