View
5.505
Download
1
Embed Size (px)
DESCRIPTION
null Pune August - 2012 Meet
Citation preview
Advance ROP Attacks
Rashid Bhatt
@raashidbhatt
Agenda• Introduction to ROP Attacks
• ROP Attack Variants
• Alphanumeric ROP exploits
• Searching gadgets
• Questions?
ROP Attacks
• Introduced by hovad shacham • Circumvents DEP (data execution prevention)• Turing Complete`ness• More useful than ret-2-lib ( branching)• Applicable to various architectures
ROP Attacks
• Gadgets are the building blocks• Gadgets end with RET instruction• Example gadgets
• Mov eax, ebx• Ret• Pop eax• Ret
ROP attacks
x86 stack layout. Registers ebp and esp point to base and top of the
stack respective. EBP used to access local and passed paramterseg . [ebp + 8] first parameter (EBP + 4) for ret address. ESP used are a pointer for popping values out from
stack
ROP attacks
• RET x86 instruction• Pops a value from the stack into EIP
• Used to return control from a function
• RET can have a argument eg RET 8
• RET 8 == EIP = stack[top], add ESP , 8
X86 stack layoutcalling conventions
__stdcall ( varadic arguments) Int __stdcall function(int a, int b) // < paramerts
{int b,c; // local c variablesreturn 0;
}function(10, 20); // function call __stdcall
X86 disassembly
push 20 // arguments pushed from right to leftpush 10call function
function:push ebp // Stack epilouge mov ebp, espsub esp, 8 //8 bytes for two variabeles…. ….add esp, 8pop ebpret 8 // ret 8 stack clearance by callie
X86 stack layoutcalling conventions
__cdecl( const no of args) Int __cdelc function(int a, int b) // < paramerts
{int b,c; // local c variablesreturn 0;
}function(10, 20); // function call __cdecl
X86 disassembly
push 20 // arguments pushed from right to leftpush 10call function add esp, 8 // stack clearance
function:push ebp // Stack epilouge mov ebp, espsub esp, 8 //8 bytes for two variabeles…. ….add esp, 8pop ebpret // ret no stack clearence
Basic stack overflow
• A local stack variable gets overflowed
• CALL instruction pushes the EIP to the stack
• Find a trampoline eg jmp esp to change the value to eip to attacker controlled buffer
• demo
What about NX bit ?
• DEP restricts the execution of segments marked as r/w
• We can re-use code from the address space of executable
• Useful code chunks called as ROP gadgets• Multiple gadgets can be chained together and
even API calls
ROP Basics(load and store gadgets)
• storing and loading values from and into memory
• Primitive example pop eax; ret / pop ebx ret/ pop r32, ret
• To memory store pop eax, pop edx, ret / mov [eax], edx; ret
Wait a sec! » Handling NULL bytes
• Some parameters contain NULL • Even some addresses contain zero values• Cannot inject NULL or zero values • Bug prone functions eg strcpy stop copying
when they encounter a NULL byte (00 hex)
Handling NULL bytes
• Let x = value containing a ( many) NULL byte• Let y = mask = 0xffffffff• Mathematical axiom • A xor B = z (say)• Now z xor B = A• We can 0x00000000 xor 0xffffffff = z (say)• Xor it back to get the original value • We have xor esi, ebx ; ret!
ROP basics(arithmetic )
• Msvcrt32.dll 0x77c4d6f add ebx, esi; stc; ret
• Kernel32.dll 0x7c902af5 sub eax,ecx; ret
• We have same for mul and div !
• Try in immunity search: add r32, r32;any;ret;
• You will find huge no. of gadgets
ROP basics(conditional jumps )
• The tricky part• We need to modify ESP , based on certain
comparisons. comparisons include greater than , less than ,
equal to;X <yX >yX == some_val
.
Comparing with zero• Divert flow through adding a certain value to esp
• Store two values on the stack , value_to_be_checked and esp_delta (the value to be added to esp)
• Load the val in a general purpose register say eax• X86 instruction NEG computes the two's complement and updates CF
. if val == 0 the CF = 0; else CF = 1
• ADC x86 instruction add the source and dest with carry flag(ADC – add with carry flag)
• Make a general purpose reg and zero by xor r32,r32; then apply adc r32,32
Comparing with zero(contd..)• We have a REG (say eax) containing a single 1 bit or all 0 bits
• Apply NEG instruction on that REG to obtain the two's complement
• 2's comp will transform it into all zero's or all ones • Perform bit-wise AND with ESP_DELTA
. according we will get ESP_DELTA as zero or its original value
• ADD esp, ESP_DALTA to divert the control flow
• DEMO
Checking for == (equality)• Two values val1, val2 to be checked for equality
• Load two values using load and store gadgets as shown earlier
• Perform x86 SUB val1, val2,store back the result • If both the values are same result will be zero,
. Check the result to zero as show in the previous slide
• ADD esp, ESP_DALTA to divert the control flow
• DEMO
Checking for <, > (less or greater)• Two values val1, val2 to be checked for equality
• Load two values using load and store gadgets as shown earlier
• Perform x86 SUB val1, val2, SUB intruction sets the CF if dest > source • Save CF using xor r32, r32;ret; adc r32,r32 ret; as shown in ealier slide
. CF will be 1 if dest > source else 0
• DEMO
ROP Attack Variants
JUMP oriented Programming Attacks
• ROP used gadgets ending with RET x86 instruction
• JOP uses statements ending with Indirect Jump call
• Instead of stack uses a dispatcher table to jump to different locations
• Thwarts certain Anti-ROP defences
JOP attacks (Dispatch table and Dispatcher gadget)
JOP(attack Model)
• Cannot work on stack buffer overflow , because control flow diverts through a ret Instruction
• Will be detected by anti-ROP defenses if(stack overflow is used)
• Attack vectors include
• 1: pointer overwrite
• 2: Arbitrary DWORD overwrite
• 3: C++ vtable overwrite
Alphanumeric ROP Shell-code
Alphanumeric ROP Shellcode• Traditional Shellcode can be made alphanumeric by choosing only certain
instruction
Example . pop ecx has anopcode 0x59 which is the ASCII code of the character Y)
• Similar technique used in ROP shellcode
. Selecting a printable address rather than a printable opcode(in trad. shellcodes)
Alphanumeric ROP ShellcodeBasic Technique by adding two printable addresses. The range of ASCII printable
characters is between 0x21 and 0x7e
Example . A non-printable gadget in kernel32.dll at 0x77D4B8C2 {pop ebx;ret} can be represented by adding two printable addresses
0X225D414B(printable) + 0x55777777(printable) = 0x77D4B8C2(no-printable)
• Combined together can be used to transform a printable code into non-printable
• Similar technique used in ROP shellcode
. Selecting a printable address rather than a printable opcode(in trad. shellcodes)
Alphanumeric ROP Shellcode(gadgets)
• Gadgets used for decoding addresses should be printable(bytes should be in range of 0x21 - 0x7e
• We also need a memory region which has a printable address to store the decoded gadgets addresses marked as r/w
. From reg to mem we have urlmon.dll
0x772C2E5E MOV DWORD PTR DS:[ECX],EAX
. ESP related CRYPTUI.dll 0x775513E30 XCHG EAX,ESP
. MSCTF.DLL 0x74722973 POP EAX
. Mshtml.dll 0x7D504962 ADD EAX,ECX
. msimtf.dll MEM to reg 0x74714263 MOV EAX,DWORD PTR DS:[ECX]
. All of the dll's loaded by internet explorer
Alphanumeric ROP Shellcode
Alphanumeric ROP Messagebeep Shellcode >>
s)rt:i=3PI'w""w"bIP}PI'www""bIP}PI'w"P`w^.,wxxxxs)rt"P`w0>Qu
DEMO
Questions ?