Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

Published byNyla Pawl Modified over 9 years ago

Similar presentations

Presentation on theme: "David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz."— Presentation transcript:

1 David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz

2 Control Flow Hijack: Always control + computation computation + control shellcode (aka payload)padding&buf 2 Return-oriented programming (ROP): shellcode without code injection

3 Motivation: Return-to-libc Attack Overwrite return address with address of libc function setup fake return address and argument(s) ret will “call” libc function No injected code! 3 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp ptr to “/bin/sh” &system ret transfers control to system, which finds arguments on stack

4 Attack Surface: Linux 2/1/20124 Randomized Stack Heap Unrandomized Program Image Libc

5 Attack Surface: Windows 2/1/20125 Randomized Stack Heap Unrandomized Program Image Libc

6 How do we exploit DEP-defended systems where the text section isn’t randomized? 6

7 7 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp ptr to “/bin/sh” &system What if we don’t know the absolute address to “/bin/sh”? (objdump gives addresses, but we don’t know ASLR constants) Find an instruction sequence, aka gadget, to calculate the address at exploit time.

8 8 … argv argc return addr caller’s ebp buf “/bin/sh” argv[1] buf gadgets to compute ptr to “/bin/sh” &system Idea! Get a copy of ESP to calculate address of “/bin/sh” on randomized stack. This overcomes ASLR because ASLR only protects against knowing absolute addresses. Computed “/bin/sh” Writes

9 Return Oriented Programming Techniques 1.Return chaining 2.Semantic equivalence 3.ROP on Windows 9

10 Return Chaining Suppose we want to call 2 functions in our exploit: foo(arg1, arg2) bar(arg3, arg4) Stack unwinds up First function returns into code to advance stack pointer – e.g., pop; pop; ret 10 arg4 arg3 &(pop-pop-ret) bar arg2 arg1 &(pop-pop-ret) foo Overwritten ret addr What does this do?

11 Return Chaining When foo is executing, &pop-pop-ret is at the saved EIP slot. When foo returns, it executes pop-pop-ret to clear up arg1 (pop), arg2 (pop), and transfer control to bar (ret) 11 arg4 arg3 &(pop-pop-ret) bar arg2 arg1 &(pop-pop-ret) foo

12 There are many semantically equivalent ways to achieve the same net shellcode effect 12

13 ... v2v2 v1v1 a 1 : mov eax, [esp] a 2 : mov ebx, [esp+8] a 3 : mov [ebx], eax Implementation 1 Equivalence 13 Desired Logic Stack Mem[v2] = v1 esp

14 Gadgets 14 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 Suppose a 5 and a 3 on stack esp eax ebx eip v1v1 a1a1

15 Gadgets 15 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a1a1 a3a3

16 Gadgets 16 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a3a3 v2v2

17 Gadgets 17 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a4a4 a5a5 v2v2

18 Gadgets 18 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a5a5 v2v2 Gadget 1Gadget 2

19 Equivalence 19 Desired Logic a3a3 v2v2 a2a2 v1v1 Stack Mem[v2] = v1 a 1 : mov eax, [esp] a 2 : mov ebx, [esp+8] a 3 : mov [ebx], eax Implementation 1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Implementation 2 semantically equivalent esp “Gadgets”

20 Gadgets A gadget is a set of instructions for carrying out a semantic action – mov, add, etc. Gadgets typically have a number of instructions – One instruction = native instruction set – More instructions = synthesize <- ROP Gadgets in ROP generally (but not always) end in return 20

21 ROP Programming 1.Disassemble code 2.Identify useful code sequences as gadgets 3.Assemble gadgets into desired shellcode 21

22 22 Image by Dino Dai Zovi

23 ROP Overview Idea: We forge shell code out of existing application logic gadgets Requirements: vulnerability + gadgets + some unrandomized code (we need to know the addresses of gadgets) 23

24 Return-Oriented Programming (ROP) Find needed instruction gadgets at addresses a 1, a 2, and a 3 in existing code Overwrite stack to execute a 1, a 2, and then a 3 24 Desired Shellcode Mem[v2] = v1 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp

25 Return-Oriented Programming (ROP) 25 Desired Shellcode Mem[v2] = v1 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp a3a3 v2v2 a2a2 v1v1 a1a1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Desired store executed!

26 Quiz void foo(char *input){ char buf[512];... strcpy (buf, input); return; } a 1 : add eax, 0x80; pop %ebp; ret a 2 : pop %eax; ret 26 Draw a stack diagram and ROP exploit to pop a value 0xBBBBBBBB into eax and add 0x80. Known Gadgets ret instr

27 Quiz void foo(char *input){ char buf[512];... strcpy (buf, input); return; } a 1 : add eax, 0x80; pop %ebp; ret a 2 : pop %eax; ret 27 a1a1 0xBBBBBBBB a2a2 saved ret saved ebp buf AAAAA... a 2 0xBBBBBBBB a 1 Overwrite buf gadget 1 + data gadget 2

28 ROPing Windows LPVOID WINAPI VirtualProtect( LPVOID lpAddress, // dynamically determined base addr to pages to change SIZE_T dwSize, // size of the region in bytes DWORD DWORD flNewProtect, // 0x40 = EXECUTE_READWRITE DWORD flProtect // A ptr to a variable for prev. arg ); 28 VirtualProtect() can un-DEP a memory region

29 VirtualProtect Diagram 29 flProtect (a ptr to mem) flNewProtect (static) dwSize (dynamic) lpAddress (dynamic) addr of your shellcode to unprotect &VirtualProtect Craft lpAddress Craft dwSize LPVOID WINAPI VirtualProtect( LPVOID lpAddress, SIZE_T dwSize, DWORD DWORD flNewProtect, DWORD flProtect );

30 ROPing Windows: An Example Exploit (pre-Win 8) 30 Shellcode Padding/NOPS 7. Change value of ESP back to where pointer to VirtualProtect is, then ret 6. Gadget to overwrite placeholder for Param 4 5. Gadget to overwrite placeholder for Param 3 with value 4. Gadget to overwrite placeholder for Param 2 with value 3. Gadget to overwrite placeholder for Param 1 with value (Pointer to shellcode = saved ESP + offset) lpAddress placeholder: base addr to pages to change dwSize placeholder: size of the region in bytes flNewProtect placeholder: EXECUTE_READWRITE flProtect : A ptr to a variable for prev. arg Pointer to VirtualProtect (static) and space for params: 2. gadgets to get stack pointer and save it to a register (push %esp; pop %eax; ret) & jump below the parameters (add esp, offset; ret) From https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ Gadgets to run shellcode (not shown) esp 1. Stack Pivot

31 Stack Pivots Pointing esp to controlled data Fact: Functions often access arguments with respect to esp Defn: A stack pivot redirects esp at attacker- controlled data Example: Attacker controls heap data pointed to be ESI. One stack pivot may be: xchg esi, esp; ret Now esp points to the attacker-controlled data. 31

32 Other References Thorough introduction: https://www.corelan.be/index.php/2010/06 /16/exploit-writing-tutorial-part-10- chaining-dep-with-rop-the-rubikstm-cube/ Adopting to Win8: http://vulnfactory.org/blog/2011/09/21/def eating-windows-8-rop-mitigation/ 32

33 Disassembling Code 33

34 Recall: Execution Model 34 Process Memory Stack Heap Processor Fetch, decode, execute read and write Code EIP

35 Disassembly user@box:~/l2$ objdump -d./file... 00000000 : 0:55 push %ebp 1:89 e5 mov %esp,%ebp 3:83 ec 10 sub $0x10,%esp 6:8b 45 0c mov 0xc(%ebp),%eax 9:03 45 08 add 0x8(%ebp),%eax c:03 45 10 add 0x10(%ebp),%eax f:89 45 fc mov %eax,0xfffffffc(%ebp) 12:8b 45 fc mov 0xfffffffc(%ebp),%eax 15:83 e0 01 and $0x1,%eax 18:84 c0 test %al,%al 1a:74 03 je 1f 1c:ff 45 fc incl 0xfffffffc(%ebp) 1f:8b 45 fc mov 0xfffffffc(%ebp),%eax 22:c9 leave 23:c3 ret Address Executable instructions Disassemble

36 Linear-Sweep Disassembly 36 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions Algorithm: 1.Decode Instruction 2.Advance EIP by len push ebp

37 Linear-Sweep Disassembly 37 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions push ebp... push ebp mov %esp, %ebp

38 Linear-Sweep Disassembly 38 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions push ebp mov %esp, %ebp Algorithm: 1.Decode Instruction 2.Advance EIP by len Note we don’t follow jumps: we just increment by instruction length

39 Disassemble from any address 39 0x550x890xe50x830xec0x10...0xc9 push ebp Normal Execution mov %esp, %ebp Disassembler EIP It’s perfectly valid to start disassembling from any address. All byte sequences will have a unique disassembly

40 Recursive Descent Follow jumps and returns instead of linear sweep Undecidable: indirect jumps – Where does jmp *eax go? 40

41 ROP Programming 1.Disassemble code 2.Identify useful code sequences ending in ret as gadgets 3.Assemble gadgets into desired shellcode 41 Disassemble all sequences ending in ret

42 ROP: Shacham et al. 1.Disassemble code 2.Identify useful code sequences as gadgets ending in ret 3.Assemble gadgets into desired shellcode 42 Automatic Manual Then Q came along and automated

43 43 Questions?

Download ppt "David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz."

Similar presentations

Calling sequence ESP.

Calling sequence ESP.
Control Flow Hijack Defenses Canaries, DEP, and ASLR

Control Flow Hijack Defenses Canaries, DEP, and ASLR
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin

Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.

Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.
C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.

C Programming and Assembly Language Janakiraman V – NITK Surathkal 2 nd August 2014.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Unleashing Mayhem on Binary Code

Unleashing Mayhem on Binary Code
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E

Similar presentations

Ads by Google