Advanced exploitation on Linux: ROP and infoleaks

Advanced exploitation on Linux: ROP and infoleaks

workshop given during hack.lu 2016 conference
exercices can be found on https://github.com/0xmilkmix/training/tree/master/hacklu

D09f0bb8d2175fd4884f630cc66e49d5?s=128

Julien Bachmann

October 18, 2016
Tweet

Transcript

  1. Software exploitation : ROP Julien Bachmann @milkmix_

  2. intro | me • Julien Bachmann / @milkmix_ • Cyber

    Security Researcher, Kudelski Security • Guest lecturer in Swiss universities on topics of software exploitation, incident response and malware reverse engineering • Previously • Pentester, incident responder
  3. software exploitation | rop • Recaps • Intro to ROP

    • Bypassing ASLR
  4. pwn | recaps • Buffer overflow basics • out-of-bound writes

    • rewrite saved instructions pointer • redirect process control flow • execute shellcode
  5. pwn | recaps • Sample program

  6. pwn | recaps • Testing • $ ./bof_01 foobar ?

    • $ ./bof_01 AAAAAAAAAAAAAAA ? • $ ./bof_01 `python -c ‘print “A”` ?
  7. pwn | recaps • Stack state at the beginning of

    vulnerable() ... &input %eip %ebp buffer ... %ebp
  8. pwn | recaps • Stack state after call to strcpy()

    ... &input %eip %ebp AAAA AAAA AAAA %ebp ...
  9. pwn | recaps • If input is more than 128

    bytes ... AAAA AAAA AAAA AAAA AAAA AAAA %ebp ... return address argument
  10. pwn | recaps • Calling convention on Linux 32 bit

    • previous example was using stdcall convention • arguments pushed in reverse order on the stack • callee clean the stack at the end • spot it: ret imm16
  11. pwn | recaps • Calling convention on Linux 32 bit

    • libc uses cdecl convention • arguments pushed in reverse order on the stack • caller clean the stack at the end • spot it: ret
  12. pwn | tips • Buffer size calculation • In this

    example: get it by reversing the function • Toolbox • MSF pattern_{create, offset}.rb (or bundled in the following) • PEDA / GEF
  13. pwn | tips • Note for 64 bit exploitation •

    Linux addressing is on 48 bits not 64 bits • Meaning maximum canonical address is 0x00007FFFFFFFFFFF • Meaning that you will not get `RIP=0x4141414141414141` but a CPU exception • Break on ret from vulnerable function and check pattern value pointed by RSP
  14. pwn | tips • In order to start learning exploitation

    concepts disable the protections at first • Compilation • remove stack canaries • -fno-stack-protector • OS • disable ASLR system wide for first exercises • # echo 0 > /proc/sys/kernel/randomize_va_space
  15. pwn | tips • To get a coredump once the

    process crash • # echo "core" > /proc/sys/kernel/core_pattern • $ ulimit -c unlimited
  16. pwn | tips • Check that your shellcode is working

  17. rop | intro • First example only works with all

    protections disabled • less likely to happen nowadays on modern systems • maybe if you are lucky or exploiting an embedded system • Protections on multiple layers • compilation • os • Only targeting execution prevention in this workshop
  18. rop | intro • What do you need to be

    able to execute your shellcode ?
  19. rop | nx • Execution rights ! • memory pages

    have access rights • defined in the Page Table Entries • check Intel Developer Manuals
  20. rop | nx • History • first implementations in August

    2004 were software only • ExecShield • W^X • PAX • introduced by Intel in Pentium 4 series • NX bit
  21. rop | nx • Concept • memory pages should either

    contain data or code • rare cases where both can mix • ex: JIT compilers • still, stack and heap can be marked as non-executable most of the time
  22. rop | nx • Bypass • we cannot add data

    in the process and then execute it • so let’s use what is already present ! • ret2libc • rop
  23. rop | nx | ret2libc • ret2libc • context :

    stack is non-executable • libc code is obviously executable • instead of having a shellcode using syscalls, directly call libc functions
  24. rop | nx | ret2libc • Concept • forge a

    stack as the standard execution would • stdcall convention • rewrite execution pointer with function address
  25. rop | nx | ret2libc • Examples • execute command

    line using system • execute process using exec*
  26. rop | nx | ret2libc • ret2libc!system @“/bin/sh” @system AAAA

    AAAA AAAA AAAA AAAA ... %ebp return address argument &input align
  27. rop | for real • ret2libc next level • calling

    a function is fun • but can’t we also directly use instructions or call multiples ? • Return Oriented Programming (ROP)
  28. rop | famous quote • Dino Dai Zovi • “preventing

    the introduction of malicious code is not enough to prevent the execution of malicious computations”
  29. rop | go go gadgeto • Concept • chain the

    execution of simple instructions already in the memory to execute code • simple instructions are called gadgets and are ended by RET • pop eax ; ret • mov [ebx], ecx ; ret
  30. rop | architecture specificities • Beware • specificity of CISC

    architecture (used by Intel processors) • a list of opcodes doesn’t have only one representation • possible to process them at various offsets • concept not applicable on RISC architectures (ARM, MIPS, …) • aligned on 2 bytes for Thumb mode and 4 bytes for standard
  31. rop | cisc B8 89 41 08 C3 mov eax,

    0xc3084189 mov dword ptr [ecx+8], ecx ret
  32. rop | cisc • Validation with Capstone

  33. rop | example • usage examples • write 4 (controlled)

    bytes at a controlled address • call function • chain functions calls
  34. rop | example pop eax ret pop ecx ret mov

    [ecx], eax ret + + = write 4 bytes
  35. rop | chain • In practice • find the gadgets

    you need • forge a stack containing their addresses : ROP chain • redirect execution flow to your ROP chain
  36. rop | find them all • Finding gadgets • Write

    your own tools • elfesteem / pefile / capstone • idapython • Existing tools • ropeme, ropper, ropgagdet, rp++, …
  37. rop | example • Taking our previous example mov dword

    ptr [ecx], eax 0x08049668 0xffffdee8
  38. rop | example • Taking our previous example • gadget1

    : pop eax ; ret • gadget2 : pop ecx ; ret • gadget3 : mov dword ptr [ecx], eax ; ret @gadget 1 AAAA AAAA AAAA ... %ebp return address 0xffffdee8 @gadget 2 0x08049668 @gadget 3 …
  39. top | example • When vulnerable function returns • eax

    = ?? • ecx = ?? @gadget 1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget 2 0x08049668 @gadget 3 … eip .section .text ... mov eax, 42 ret
  40. rop | example • After ret instruction • eax =

    ?? • ecx = ?? @gadget 1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget 2 0x08049668 @gadget 3 … eip .section .text ... pop eax ret
  41. rop | example • After pop instruction • eax =

    0xffffdee8 • ecx = ?? @gadget 1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget 2 0x08049668 @gadget 3 … eip .section .text ... pop eax ret
  42. rop | example • After ret instruction • eax =

    0xffffdee8 • ecx = ?? @gadget 1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget 2 0x08049668 @gadget 3 … eip .section .text ... pop ecx ret
  43. rop | example • After pop instruction • eax =

    0xffffdee8 • ecx = 0x08049668 @gadget 1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget 2 0x08049668 @gadget 3 … eip .section .text ... pop ecx ret
  44. rop | example • After ret instruction • eax =

    0xffffdee8 • ecx = 0x08049668 @gadget 1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget 2 0x08049668 @gadget 3 … eip .section .text ... mov dword ptr [ecx], eax ret
  45. rop | more gadgets • What are useful gadgets ?

    • redirect execution to register • stack-pivot • set registers values • read at a memory address • write-what-where • init syscall number • syscall
  46. rop | pivots • Stack pivoting • we only spoke

    about stack based buffer overflow • as such your controlled data is in the stack • other types of exploits might not be as convenient • ex: heap overflow
  47. rop | pivots • Stack pivoting • ROP chain should

    be in the stack • need to change stack pointer register to point to user controlled data • beware: this zone might not be big enough for next calls to push • __kernel_vsyscall crashes usually
  48. rop | pivots • Examples • mov esp, eax ;

    ret • xchg esp, eax ; ret • add esp, #value ; ret
  49. rop | practice • Demonstration • lets use variation of

    previous sample • tp_simple • goal : exit with chosen value • take your VM and follow along • https://github.com/0xmilkmix/training/tree/master/hacklu
  50. • Step 1 : find the overflow rop | practice

  51. • Step 2 : find the offset rop | practice

  52. • Step 3 : define payload • exit(0x42424242) rop |

    practice
  53. • Step 4 : write functionality in assembly language .section

    .text mov eax, 1 mov ebx, 0x42424242 int 0x80 rop | practice
  54. • Step 5 : requirements • syscall • eax =

    0x1 • ebx = 0x42424242 rop | practice
  55. • Step 6 : define needed instructions • int 0x80

    • xor eax, eax • inc eax • pop ebx rop | practice
  56. • Step 7 : locate gadgets • int 0x80 rop

    | practice
  57. • Step 8 : write exploit • Open your shell

    ! rop | practice
  58. • Useful when debugging • break at the end of

    the vulnerable function • use si (step into) to go through every instruction • use context to see stack and registers • run vulnerable program through strace to get error messages rop | practice
  59. • You got it, ROP is about using the code

    that’s already present • Now what about the data ? • open(“./super_special_flag”) • address space might not contain super_special_flag rop | bringing data in
  60. • First idea : use space that is already here

    and writable rop | bringing data in
  61. • Specific sections • .bss or .data • Check that

    you have enough place for your data • Note: if you want to call functions such as mprotect remember alignment on page boundary rop | bringing data in
  62. • Steps 1. use pop gadgets to set registers to

    destination and data 2. use mov gadget to write data 3. go back to step 1 rop | bringing data in
  63. rop | bringing data in

  64. • Write chain for the following call • write(1, “hack.lu”,

    7) • on tp_rop • store hack.lu in .data • using only gadgets and not ret2libc technic • https://github.com/0xmilkmix/training/tree/master/hacklu rop | practice
  65. rop | chaining calls • Sometimes you don’t want to

    pop a shell • Maybe you just want to call unlock_door on connected lock • Read content of a file • Bypass seccomp restrictions preventing exec* • Or simply stay out of the radars during an attack/defence CTF
  66. rop | chaining calls • Calling multiple functions • remember

    that they are multiple calling conventions • on 32 bit Linux, libc is mostly using cdecl • which means that the caller has to clean the stack
  67. • Calling multiple functions • like we saw in ret2libc

    part • read • system @read AAAA AAAA AAAA ... %ebp return address 0x1 @buffer 1024 @buffer read args system args @system rop | chaining calls
  68. • End of read @read AAAA AAAA AAAA ... %esp

    0x1 @rbuffer 1024 @ebuffer .section .text read: ... ret eip @system rop | chaining calls
  69. • Problem • we don’t have the correct arguments •

    what would help ? • hint: think gadgets… rop | chaining calls
  70. • Yes, something to clean the 3 entries we have

    in the stack ! • add esp, 0xc ; ret • pop reg1 ; pop reg2 ; pop reg3 ; ret rop | chaining calls
  71. • Calling multiple functions • using a pop3ret • read

    • system @read AAAA … ... %ebp return address 0x1 @buffer 1024 @system @buffer read args system args @pop3ret align rop | chaining calls
  72. • End of read @read AAAA … ... %esp 0x1

    @buffer 1024 @system read args system args @pop3ret .section .text read: ... ret eip @buffer align rop | chaining calls
  73. • Execution of pop3ret @read AAAA … ... %esp 0x1

    @buffer 1024 @system system args @pop3ret .section .text …: pop eax pop ebx pop ecx ret eip @buffer align rop | chaining calls
  74. • Execution of pop3ret @read AAAA … ... %esp 0x1

    @buffer 1024 @system system args @pop3ret .section .text …: pop eax pop ebx pop ecx ret eip @buffer align rop | chaining calls
  75. • Execution of pop3ret @read AAAA … ... %esp 0x1

    @buffer 1024 @system system args @pop3ret .section .text …: pop eax pop ebx pop ecx ret eip @buffer align rop | chaining calls
  76. • Execution of pop3ret @read AAAA … ... %esp 0x1

    @buffer 1024 @system system args @pop3ret .section .text …: pop eax pop ebx pop ecx ret eip @buffer align rop | chaining calls
  77. • Useful chains • protect / read / shellcode •

    dup2 / system • … rop | chaining calls
  78. • When calling syscalls directly • no need to pop

    arguments afterwards since they are passed in registers • Same apply on 64 bit as ABI uses registers to pass parameters also for functions calls • rdi, rsi, rdx, r10, r9, r8 rop | syscalls and 64 bit
  79. • Detection • ROP can be prevented by ASLR as

    we will see in a moment • detection techniques are based on CFI violations • Control Flow Integrity rop | prevention
  80. rop | prevention • CFI concepts • uses various heuristics

    to detect rop chains • high ratio of ret instructions per instructions blocks • shadow stack that validate that ret is returning to instruction following the right call instruction
  81. rop | prevention • CFI limitations • implementing a shadow

    stack degrade performance by at least 30% • as such most implementations are coarse grained • leaving holes that can be exploited • fine grained implementations in some academic r&d projects
  82. aslr | intro • What do you need if you

    want to call a function ?
  83. • Function address ! • before, code and sections were

    loaded at the same address every time • cat /proc/self/maps aslr | intro
  84. • Concept • Address Space Layout Randomisation • prevent attacker

    from using known addresses • ex: return to libc aslr | intro
  85. aslr | without

  86. aslr | with

  87. • Changes • stack address • heap address • libraries

    addresses • main binary address aslr | what is modified
  88. • Wait, what ? • concept seems ineffective if binary

    loading address does not change • still possible to extract gadgets from it • well, some gadgets but not a panacea… • what went wrong? aslr | strange…
  89. • Requirements • not all binaries (including libraries) are affected

    by ASLR • need to be compiled as Position Independant {Executable, Code} • -pie -fPIE • -fPIC aslr | requirements
  90. • ASLR compatible • list binary headers using readelf •

    EXEC : not compatible • DYN : compatible • when in peda use checksec command aslr | checks
  91. aslr | checks

  92. • Other subtleties • three configurations for ASLR • /proc/sys/kernel/randomize_va_space

    • 0 : disabled aslr | configuration
  93. • Other subtleties • 1 : Conservative randomization • stack,

    heap, libraries, pie, vdso, mmap() • 2 : full randomization • 1 + memory managed by brk aslr | configuration
  94. • Methods • brute-force • memory disclosure • binary or

    any loaded library not compiled with support for PIE aslr | bypass
  95. • When lazy or no other possibilities • set the

    libc base address to common base • brute-force the remaining 16 bit • only effective on 32 bit systems or if rebasing is built-into the binary • 64 bit Linux has 28 bit of entropy aslr | brute force
  96. • When the binary is not compiled as position independent

    • as said, limited number of gadgets in it • libraries loading address are randomized • but… not the content of the library aslr | disclosure
  97. system: … … printf: … strcpy: … @??? libc 0xfffc3240

    aslr | disclosure
  98. • Ok, but how to I find it my function

    ? • generate pattern that appears only once in the library • not present in other ones obviously • need a second vulnerability in the code • memory disclosure aslr | disclosure
  99. • Usage • extract information using the disclosure • match

    it against known value • calculate offset to interesting functions you want to call • or process structure like the GOT aslr | disclosure
  100. • Variant • highly dependant on the vulnerability you are

    exploiting • if able to read /proc/self/maps, extract addresses aslr | disclosure
  101. • When the main binary is not compiled as position

    independent • all text section is loaded at fixed address • this also includes the GOT address aslr | non-pie
  102. • GOT • Global Offset Table • used as a

    mapper to call functions for which loading address is unknown • pretty useful since PIC is mandatory on modern Linux distributions aslr | non-pie
  103. • GOT • for each offset there is the address

    of the corresponding function • filed by the loader when executing the binary • unless lazy binding is used, in this case only once function already called aslr | non-pie
  104. • GOT • table is specific for each binary •

    but : entries can be retrieved using objdump or radare2 • objdump -D ./binary | grep \@plt\>: aslr | dump got
  105. aslr | dump got

  106. aslr | dump got

  107. • Idea • base address of the GOT is known

    or has been leaked • read at selected offset to retrieve current address of a function • open the libc binary and retrieve offset from this function • also extract offsets from the desired functions aslr | calculate
  108. • Details • leaked_address = <value> • libc_base = leaked_address

    - offset_leaked_from_base • needed_address = libc_base + offset_needed_from_base aslr | calculate
  109. • Wait, how do I read the value ? •

    as said only a limited number of gadgets in the main binary • still possible to find memory read ones aslr | got gadgets
  110. • Example of such gadgets • mov eax, [ebx] ;

    ret • add eax, [ecx + 0x8042de4c] ; ret • … don’t forget to adjust value in ecx aslr | got gadgets
  111. • exploit tp_rop_msg • leak useful addresses • gain code

    execution • stored shellcode in .data • change page right • execute shellcode • https://github.com/0xmilkmix/training/tree/master/hacklu aslr | practice
  112. conclusion | outro • Other techniques exists • JOP :

    Jump Oriented Programming • SROP : Signal Return Oriented Programming