ROP-theHardestThingYoullDoAllWeek
Download
Report
Transcript ROP-theHardestThingYoullDoAllWeek
Agenda
Exploit basics
A defense basic
ROP
Review
Exploit basics
There are lots of ways to think about exploits.
I (like most) like to break them down into 3
sections:
– Vulnerability
Exists
– Vector
Used, delivered (points control to the payload)
– Payload
Delivered, does something
Ex
p
loi
tf
or
2
Vulnerability 1
Exploit for 1
Program
Vulnerability 2
ShellCodes
Injectable DLL
Reverse Bash
Reverse UDP
Vulnerabilities are bugs
Who creates the vulnerability?
What “uses” the vulnerability?
To do what?
Vectors
So, in the traditional view, we overwrote some
program and into memory.
In that overwrite, we have to write values that
get the machine to do something.
Depending on the machine, we overwrite
structures it needs to do stuff.
At the highest level, we poison tables needed for
operation. We poison them to divert operation
*into* our paylod.
Oldest Schools
Payload
The part that does something.
The vector diverts execution to the
payload.
Machine language code.
Normally we use the term “arbitrary code”
to describe a working paylaod.
Step 1
Step 2
Step 3
Payload
Step 4
Oldest Schooly
In a traditional stack overflow, we overwrite an address
on the stack that the Operating System needs to
navigate.
So the program was taking in data, and storing it in a
buffer.
It takes in to much input and allows that input to
overwrite a memory address needed for the OS.
The OS isn’t smart, it will blindly follow the instructions.
Oldest Schools
Defensive Measures
Operating system writers took on the challenge
of stopping the vectors. Followed by CPU
manufacturers.
Mitigation can solve lots of vulnerabilities…
NX, DX, DEP, non executable stack
W OR X
Oldest Schools
But first, whats a dll (or .so)?
MSVCRT.DLL
Some executable
Fprintf()
Fputs()
672 – fprintf
{ code }
674 – fputs
{code}
ws2_32.dll
connect()
4 – connect
{code}
Ret2Libc
Some Array
EBP RET
Some Array
SomeRet
System()
addy 4 /bin/sh
EBP
address
system()
Enter the ROP
From an academic paper by Hovav Shacham
“The Geometry of Innocent Flesh on the Bone”
And a lesser known paper by Sebastian
Krahmer “x86-64 buffer overflow exploits and
borrowed code chunks exploitation technique”
Extra credit mention to Dino Dai Zovi and
Vincenzo Iozzo.
Lots of people have contributed since then (I am
not one of them) ( I didn’t even come up with
the ransom note thing, I just thought it was too
useful not to be re-used)
So, what do I need to run a
program?
Instructions…
What makes up other programs?
– Instructions?
Do I need my own instructions?
Can I use your instructions?
What are “gadgets” ?
Gadgets
Pop eax
pop ebx
ret
mov
ret
edi, [eax]
Sub [ebx], edi
ret
Gadgets
pop edi
Pop eax
Pop ebx
ret
pop edi
ret
pop eax
ret
Pop edi
Pop eax
Ret
Pop ebx
Ret
pop ebx
ret
C3-PO
At least on x86….
C3
85 f2 7E 9c 3a 77
Null bytes… xor %eax, %eax
So… how does it move?
So, our shellcode is NOT the assembly
commands.
What does our shellcode consist of?
ESP gets incremented…
NP Complete
There is always a polynomial-time
algorithm for transforming an instance of
any NP-complete problem into an instance
of any other NP-complete problem. So if
you could solve one you could solve any
other by transforming it to the solved one.
But what is this bound by?
So, non executable stacks
Whose code is running on the stack?
We could mention some functions, like VirtualProtect() here…
Windows vista and 7 permanent DEP….
Code signing?
Where is the code coming from?
ASLR?
How many gadgets in a library?
What if a library or driver is left out of
ASLR?
Address independent gadgets?
What could we do to stop this?
Can you make it easier?
So some really smart guys (Shacham, Dai Zovi,
Sotirov) came up with the idea of making a
macro tool.
Rather than figure out the ROP gadgets, the
programmer writes in terms of macros and
intermediate code turns them into gadgets.
(BISC)
Shacham has a compiler back end…
I think the Canvas guys have a tool…
Msfpescan can be used to find gadgets.
Expect more of this.
**note: BISC is not public
Quick review
Exploit basics
– Overwriting memory structures the OS relies on…
– To poison a structure to steer it to our payload
A defensive mitigation
– W OR X
ROP
– Assembly instructions ending in a ret type instruction
called a gadget
– Gadgets chained together to do… well… anything
bounded by size.
Doggie Bags…
Notice that these major contributors are
not your kid/criminal/virusWriter. These
are legitimate computer science guys…
what does that mean?
There is a back-and-forth between
attackers and designers.
Is ROP hard or easy? Will it get harder or
easier?