Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Size: px

Start display at page:

Download "Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University"

Dale Nigel Burke
6 years ago
Views:

1 Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University

2 Hacking 101 Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh

3 Crash or no Crash? Enough to build exploit GET /blabla HTTP/1.0 HTTP/ Not Found GET /AAAAAAAAAAAAAAAA connection closed

4 Don t even need to know what application is running! Exploit scenarios: 1. Open source 2. Open binary 3. Closed-binary (and source)????

5 Attack effectiveness Works on 64-bit Linux with ASLR, NX and canaries Server Requests Time (mins) nginx 2,401 1 MySQL 3, Toy proprietary service (unknown binary and source) 1,950 5

6 Attack requirements 1. Stack vulnerability, and knowledge of how to trigger it. 2. Server process that respawns after crash E.g., nginx, MySQL, Apache, OpenSSH, Samba.

7 Background Outline Stack Vulnerabilities No-eXecute memory (NX) Return-Oriented Programming (ROP) Address Space Layout Randomization (ASLR)

8 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address 0x urn; } handle_client() buf[1024]

9 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x AAAAAAAAA AAAAAAAAA handle_client() AAAAAAAAA AAAAAAAAA

10 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x AAAAAAAAA AAAAAAAAA?? AAAAAAAAA AAAAAAAAA

11 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA

12 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x x

13 Exploit protections void process_packet(int s) { char buf[1024]; 1. Make stack non-executable int len; (NX) read(s, &len, sizeof(len)); read(s, 2. buf, Randomize len); memory addresses (ASLR) Stack: urn address 0x } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x

14 Non-eXecutable (NX) memory stack Read stack Write Read heap Execute heap Write.text Read.text Read (code) Execute (code) Execute

15 Non-eXecutable (NX) memory stack Read stack Write Read heap Execute heap Write.text Read.text Read (code) Execute (code) Execute

16 Return-Oriented Programming (ROP).text: Stack: code fragment 0x dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0);...

17 Return-Oriented Programming (ROP).text: Stack: code dup2(sock, 0); 0x fragment urn; 0x dup2(sock, 1); 0x x urn; execve( /bin/sh, 0, 0); urn; 0x x ROP gadget

18 Address Space Layout Randomization (ASLR).text: 0x code fragment dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x x x800000

19 Address Space Layout Randomization (ASLR).text: 0x ?? code fragment dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x ?? 0x ?? 0x ??

20 Exploit requirements today 1. Break ASLR. 2. Copy of binary (find ROP gadgets / break NX). Is it even possible to hack unknown applications?

21 Blind Return-Oriented Programming (BROP) 1. Break ASLR. 2. Leak binary: Remotely find enough gadgets to call write(). write() binary from memory to network to disassemble and find more gadgets to finish off exploit.

22 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address buf[1024] 0x401183

23 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x401183

24 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)

25 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)

26 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)

27 How to find gadgets?.text: 0x code fragment 0x x x x x401130?????????? Stack: urn address 0x buf[1024]

28 How to find gadgets?.text: 0x code 0x x x x x fragment crash???????? Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA

29 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash?????? Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA

30 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash no crash???? Connection hangs Stack: urn address 0x AAAAAAAAA AAAAAAAAA

31 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash no crash crash crash Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA

32 Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn

33 Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn

34 Finding useful gadgets 0x Stack: Crash!! dup2(sock, 0); urn; other urn address 0x x buf[1024] sleep(10); urn;

35 Finding useful gadgets 0x Stack: dup2(sock, 0); urn; 0x x sleep(10); urn; No crash urn address 0x buf[1024]

36 How to find gadgets?.text: 0x code fragment 0x x x x x crash crash stop gadget crash crash Stack: other urn address 0x buf[1024]

37 How to find gadgets?.text: 0x code fragment Connection hangs 0x x x x x gadget! crash stop gadget crash crash Stack: 0x urn address 0x AAAAAAAAA AAAAAAAAA

38 How to find gadgets?.text: 0x code fragment Connection closes 0x x x x x gadget! crash stop gadget crash crash Stack: 0x urn address 0x AAAAAAAAA AAAAAAAAA

39 What are we looking for? write(int sock, void *buf, int len)

40 What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write

41 What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write AAAAA buf[1024] 0x addr sock rdi 0x buf rsi 0x len rdx 0x700000

42 Pieces of the puzzle stop gadget [call sleep] pop rsi pop rdi pop rdx call write

43 Pieces of the puzzle stop gadget [call sleep] pop rsi pop rdi call strcmp call write

44 Pieces of the puzzle stop gadget pop rsi [call sleep] call strcmp pop rdi call write

45 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop rsi pop r15 pop rdi pop r12 pop r13 pop r14 pop r15 stop gadget [call sleep] call strcmp call write

46 Pieces of the puzzle The BROP gadget pop rbx pop rsi pop r15 pop rdi pop rbp pop r12 pop r13 pop r14 pop r15 PLT stop gadget [call sleep] call strcmp call write

47 Finding the BROP gadget Stack: Connection hangs stop gadget urn address 0x buf[1024]

48 Finding the BROP gadget Stack: stop gadget crash gadget Connection closes urn address 0x buf[1024]

49 Finding the BROP gadget Stack: stop gadget crash gadget pop rbx Connection hangs urn address 0x buf[1024]

50 Stack: Finding the BROP gadget stop gadget crash gadget crash gadget pop rbx pop rbp Connection hangs urn address 0x buf[1024]

51 Stack: Finding the BROP gadget stop gadget crash gadget crash gadget crash gadget crash gadget crash gadget crash gadget urn address 0x pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 BROP gadget Connection hangs buf[1024]

52 Attack so far Can control first two arguments to calls (using BROP gadget). Need to control third argument (using call strcmp). Need to find call write Procedure Linking Table (PLT)

53 Procedure Linking Table (PLT) Origin: 0x PLT.text

54 Procedure Linking Table (PLT) Origin: 0x [GOT dereference].text call write.text... call write... call strcmp PLT PLT jmp [sleep] push 0 jmp dlresolve jmp [write] push 1 jmp dlresolve jmp [strcmp] push 2 jmp dlresolve libc sleep() {... } write() {... } strcmp() {... }

55 Finding the PLT Toward beginning of.text Each entry is 0x10 bytes apart, 0x10 aligned Most don t crash: syscalls - urn EFAULT on bad args. Can check if entry + 6 succeeds too (dlresolve slow path)

56 Fingerprinting strcmp arg1 arg2 result readable 0x0 crash 0x0 readable crash readable readable nocrash Use urn address (.text) as readable Can now control three arguments: strcmp sets RDX to length of string

57 Finding write strcmp(origin, origin) // sets RDX / write length to 7 - ELF header. set rdi to socket number, rsi to origin/addr try calling candidate PLT function. check if data received on socket. chain writes with different FD numbers to find socket. Use multiple connections.

58 Launching a shell 1. dump binary to network - not blind anymore! 2. dump symbol table to find PLT calls. 3. redirect stdin/out to socket: dup2(fd, 0); close(0); fcntl(sock, F_DUPFD, 0); 4. read() /bin/sh from socket to writable writable can be environ (from symbol table) 5. execve( /bin/sh, 0, 0)

59 Braille Fully automated: from crash to shell. 2,000 lines of Ruby. Needs function that will trigger overflow: nginx: 68 lines. mysql: 121 lines. proprietary service: 35 lines. try_exp(data) true crash false no crash

60 Attack complexity dump bin 222 find write 101 find strcmp 61 stack reading 846 find BROP gadget 469 find PLT 702 # of requests for nginx

61 BROP conclusions It s scary what a motivated attacker can do: e.g., hack unknown binaries. Hackers can get past point solutions - need principled solutions: OS: rerandomize ASLR & canaries per-fork Compiler: Encrypt or MAC pointers? Application: Dune (privilege separation)?

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases