Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ROP Primer

Bas
February 28, 2015

ROP Primer

A small presentation intended as an introduction to 32-bit return-oriented-program on Linux, with emphasis on CTF.

Bas

February 28, 2015
Tweet

Other Decks in Programming

Transcript

  1. CONTENTS > THE NEED FOR ROP > ROP VS RET2LIBC

    > STRATEGIES > EXAMPLE: SHELLCODEME // CTF-TEAM.VULNHUB.COM
  2. WHAT IS THIS ABOUT? > FOCUS ON BUFFER OVERFLOWS NOT

    ABOUT ALL KINDS OF VULNERABILITIES NOR AN INTRO INTO x86 ASSEMBLY RETURN-ORIENTED-PROGRAMMING IN CAPTURE THE FLAG CHALLENGES // CTF-TEAM.VULNHUB.COM
  3. CODE EXECUTION OVERFLOW A BUFFER ON THE STACK TO OVERWRITE

    SRA, WE MUST LET'S FOCUS ON BUFFER OVERFLOWS, THEY'RE EASIER TO EXPLAIN :)
  4. EXPLOIT MITIGATION SHELLCODE ON STACK SINCE NX/DEP: STACK = NON-EXECUTABLE

    BINARY WILL SEGFAULT AS SOON AS IT STARTS TO EXECUTE CODE FROM NON-EXECUTABLE MEMORY
  5. WHAT IS ROP? > RETURN-ORIENTED-PROGRAMMING > RE-USE PIECES OF PROGRAM'S

    CODE SECTION >> CODE SECTION == EXECUTABLE // CTF-TEAM.VULNHUB.COM
  6. ROP VS RET2LIBC > BOTH ROP AND RET2LIBC USE THE

    STACK TO CONTROL EXECUTION > TO EXECUTE CODE, WE'LL FAKE STACK FRAMES > FOR RET2LIBC, WE FAKE ONLY ONE STACK FRAME > ROP CAN USE THE SAME STACK FRAME LAYOUT TO FAKE CALLS!
  7. LET'S LOOK AT RET2LIBC ASSUME LIBC ADDRESS IS STATIC (NO

    ASLR) OVERFLOW A FUNCTION POINTER OR SAVED RETURN ADDRESS WITH SYSTEM() SPAWN A SHELL CAT FLAG cat flag 2>&1 /bin/sh
  8. GDB-PEDA IS OUR FRIEND BUT HOW? gdb ./vuln core START

    GDB USEFUL GDB-PEDA CMD: CHECKSEC WE HAVE OVERWRITTEN EIP WITH 'HHHH'
  9. THE STACK BEFORE THE CALL 100 CALL: SUB ESP, 4

    MOV [ESP], EIP 112 108 104 ESP < SOME VALUE < ARG1 < ARG2 < SOME VALUE
  10. THE STACK AFTER THE CALL 100 CALL: SUB ESP, 4

    MOV [ESP], EIP 112 108 104 ESP < RETURN ADDR < ARG1 < ARG2 < SOME VALUE
  11. THE STACK AFTER READ() 100 132 116 BUF < HHHH

    ESP 128 < AAAABBBB.... < EEEEFFFF....
  12. THE STACK BEFORE RET 100 132 116 BUF < HHHH

    ESP 128 < AAAABBBB.... < EEEEFFFF.... RET: MOV EIP, [ESP] ADD ESP, 4
  13. THE STACK AFTER RET 100 132 116 BUF < EIP

    = HHHH! ESP 128 < AAAABBBB.... < EEEEFFFF.... RET: MOV EIP, [ESP] ADD ESP, 4
  14. EXECUTE OUR CODE BUT WE CAN RETURN-TO-LIBC echo 0 >

    /proc/sys/kernel/randomize_va_space DISABLE ASLR: STACK IS NOT EXECUTABLE
  15. GRAB ADDR OF SYSTEM() > WE'RE GOING TO FAKE A

    CALL TO SYSTEM() > A ROP CHAIN LOOKS BASICALLY THE SAME HOW WOULD THE STACK LOOK?
  16. THE STACK AFTER NORMAL CALL 100 112 108 104 ESP

    < RETURN ADDR < ARG1 < ARG2 STACK LAYOUT AT TOP OF FUNCTION
  17. RET2SYSTEM:THE STACK BEFORE RET 100 112 108 104 ESP <

    FAKE RETURN ADDR < ARG1 < SYSTEM() RET WILL TAKE VALUE FOR EIP OFF TOP OF STACK “/bin/sh” RET
  18. 100 112 108 104 ESP < FAKE RETURN ADDR <

    ARG1 < SYSTEM() IDENTICAL STACK LAYOUT AFTER 'NORMAL' CALL! “/bin/sh” RET2SYSTEM:THE STACK AFTER RET RET
  19. STRATEGY > STORE ARGUMENT FOR SYSTEM() ON STACK > OVERWRITE

    SAVED RETURN ADDRESS > SETUP CORRECT STACK LAYOUT TO FAKE A CALL REMEMBER: ASLR IS OFF, STACK ADDR IS FIXED
  20. #FAIL! DEBUG TIME USE THE COREDUMP, LUKE MAKE BINARY CRASH

    BEFORE SYSTEM() IS CALLED BY REPLACING THE ADDRESS WITH 'BBBB'
  21. IT'S ALIVE! IMPORTANT: KEEP SHELL ALIVE WITH CAT (python exploit.py;

    cat) | ./vuln FAKE RETURN ADDR! BINARY STILL CRASHES:
  22. ROP CHAINS CAN LOOK VERY SIMILAR TO THE STACK LAYOUT

    WE USED FOR RET2LIBC ROP > ^ RET2LIBC
  23. RECYCLE CODE IN EXECUTABLE SECTIONS FUNCTIONS IN GLOBAL OFFSET TABLE

    CODE IN LIBRARIES (E.G. SYSTEM()) GADGETS IN BINARY ASLR MIGHT BE A PROBLEM WE CAN RECYCLE ALL SORT OF CODE
  24. ROP GADGETS: PUTTING THE R IN ROP ROP USES THE

    STACK EXTENSIVELY TO ACHIEVE > CONTROL OVER EIP VIA STATEMENTS > CONTROL OVER STACK RET CODE EXECUTION
  25. A BINARY HAS MANY RETURN OPCODES > RETS ARE PRECEDED

    BY OTHER INSTRUCTIONS > GIVEN ENOUGH GADGETS, WE CAN DO ANYTHING... > PREFERABLY SOMETHING LIKE THIS cat flag # ;)
  26. EXAMPLE GADGET FROM RANDOM BINARY > RETURN TO THIS GADGET

    TO SET SEVERAL REGISTERS > RET @ END MAKES SURE WE DON'T LOSE CONTROL > CORRESPONDING PYTHON CODE:
  27. BUT THIS GADGET CONTAINS MORE GADGETS > WHAT IF WE

    RETURN TO 0x40196, IN THE MIDDLE OF THE STATEMENT? > WE END UP WITH A NEW GADGET: POP R12 RECYCLING! =)
  28. LOCATING GADGETS SEVERAL TOOLS EXIST ROPSHELL.COM GDB-PEDA MY OWN ROPGADGET.PY

    git clone https://github.com/longld/peda.git ~/peda echo "source ~/peda/peda.py" >> ~/.gdbinit
  29. MANY STRATEGIES EXIST RE-USE OPEN/READ/WRITE TO GRAB THE FLAG MAKE

    MEMORY WRITEABLE & EXECUTABLE TWO EXAMPLES:
  30. ROP EXAMPLE - SHELLCODEME # disassemble binary $ objdump -d

    -M intel ./shellcodeme > shellcodeme.out FIRST, DISASSEMBLE BINARY LAUNCH GDB & OVERFLOW THAT BUF!
  31. TRICKY STACK LAYOUT RESTORE THE STACK SO THAT ESP POINTS

    TO INPUT INSPECT REGISTERS! EBP POINTS TO INPUT+16
  32. MAKE ESP POINT TO INPUT USE THE LEAVE OPCODE LEAVE:

    MOV ESP, EBP; POP EBP I USUALLY AVOID GADGETS WITH LEAVE, BECAUSE IT MESSES UP ESP AND CAUSES LOSS OF CONTROL OVER EIP
  33. TAKE A STEP BACK HOW ARE WE GOING TO EXPLOIT

    THIS WITH ROP? THE BINARY ALREADY HAS TWO USEFUL FUNCTIONS: MPROTECT & READ
  34. HIGH-LEVEL EXPLOIT OVERVIEW WE'LL BUILD A ROP CHAIN TO 'CALL'

    MPROTECT TO MAKE A SECTION OF MEMORY RWX THEN, 'CALL' READ TO READ STANDARD SHELLCODE FROM STDIN FINALLY, WE'LL RETURN TO OUR NEWLY READ SHELLCODE & SPAWN A SHELL MPROTECT READ
  35. RUN IT LIVE IN GDB STORE OUTPUT OF ROP1.PY IN

    FILE $ python rop1.py > in RUN GDB-PEDA $ gdb ./shellcodeme START PROGRAM AND USE INPUT FROM FILE gdb-peda$ r <in
  36. WHAT ABOUT THE NEXT STEP? STACK LOOKS LIKE THIS: SOLUTION:

    POP POP POP RET > EACH POP WILL ADD 4 TO ESP > FINAL RET WILL PICK UP THE ADDRESS OF THE NEXT GADGET FROM THE STACK
  37. UPDATE THE POC & RUN IT $ python rop1.py >

    in $ gdb ./shellcodeme gdb-peda$ r <in BOOM
  38. THANKS TEAM MEMBERS: NULLMODE, SUPERKOJIMAN, SWAPPAGE, BITVIJAYS, ET0X, HISTORYPEATS SHOUT-OUTS

    TO G0TMI1K, LEONJZA, RASTA_MOUSE & HIGHJACK FOR GOING THROUGH THIS PDF & GIVING FEEDBACK! IMAGES USED: ROPE: HiveHarbingerCOM // LINK SHELL: Chris 73 // LINK RECYCLING SIGN: JoseDLF // LINK