Software exploitation : ROP

Slide 1

Slide 1 text

Software exploitation : ROP Julien Bachmann .text .global _start _start: push $5 pop %eax cltd pushl %edx push $0x79 push $0x656b2f2e movl %esp,%ebx pushl %ex pushl %ebx pushl %edx int $0x80 mov $100,%dl sub %edx,%esp mov %esp,%ecx xchg %eax,%ebx push %edx push %ecx push %ebx xorl %eax,%eax pushl %eax push $3 pop %eax int $0x80 movb $0xff,0x4(%esp) movl %eax,0xc(%esp)

Slide 2

Slide 2 text

introduction About Objectives

Slide 3

Slide 3 text

intro | me Julien Bachmann / @milkmix_ Currently Cyber Security Architect, Kudelski Security Guest lecturer at HEIG-VD & Uni-Biel on software exploitation techniques Guest lecturer at UNIMAIL on malware and incident response Past 6 years : SCRT & ilion Security Penetration tester Incident responder

Slide 4

Slide 4 text

intro | about Pre-requisites Knowledges on operating systems internals C and x86 assembly Previous course on software exploitation basics Environment Linux with 32bits binaries No Windows, iOS or Android exploitation today :( Examples https://github.com/milkmix-/training/tree/master/rop

Slide 5

Slide 5 text

intro | objectives Attack Understanding ﬂaws impacting software Exploitation of those Defence Solutions to prevent trivial exploitation

Slide 6

Slide 6 text

exploitation techniques Recaps Detailled exploitation Protections and bypass techniques

Slide 7

Slide 7 text

pwn | recaps Buffer overﬂow basics out-of-bound writes rewrite saved instructions pointer redirect process control ﬂow execute shellcode

Slide 8

Slide 8 text

pwn | recaps Sample program

Slide 9

Slide 9 text

pwn | recaps Testing $ ./bof_01 foobar ? $ ./bof_01 AAAAAAAAAAAAAAA ? $ ./bof_01 `python -c ‘print “A”` ?

Slide 10

Slide 10 text

pwn | recaps Stack state at the beginning of vulnerable() ... &input %eip %ebp buffer ...

Slide 11

Slide 11 text

pwn | recaps Stack state after call to strcpy() ... &input %eip %ebp AAAA AAAA AAAA %ebp ...

Slide 12

Slide 12 text

pwn | recaps If input is more than 128 bytes ... AAAA AAAA AAAA AAAA AAAA AAAA %ebp ... return address argument

Slide 13

Slide 13 text

pwn | recaps Calling convention previous example was using stdcall convention arguments pushed in reverse order on the stack callee clean the stack at the end spot it: ret imm16

Slide 14

Slide 14 text

pwn | recaps Calling convention libc uses cdelc convention arguments pushed in reverse order on the stack caller clean the stack at the end spot it: ret

Slide 15

Slide 15 text

pwn | tips Buffer size calculation In this example: get it by reversing the function IDA Pro tips Toolbox MSF pattern_{create, offset}.rb PEDA

Slide 16

Slide 16 text

pwn | tips In order to learn exploitation concepts disable the protections Compilation -fno-stack-protector -z execstack OS echo 0 > /proc/sys/kernel/randomize_va_space

Slide 17

Slide 17 text

pwn | tips To get a coredump once the process crash echo "core" > /proc/sys/kernel/core_pattern ulimit -c unlimited

Slide 18

Slide 18 text

pwn | tips Check that your shellcode is working

Slide 19

Slide 19 text

pwn | details In the previous example shellcode address more or less known possible to use nop-sled to secure the exploitation

Slide 20

Slide 20 text

pwn | details Shellcode position in local exploitation environment variable command line

Slide 21

Slide 21 text

pwn | details 0xBFFFFFFF 0x00000000 argv[0] “/bin/sh” env[1] “PATH=...” env[0] “USER=...” argv[1] “--version” argv[0] “/bin/sh” 0x00000000 *envp *envp 0x00000000 *argp *argp local var **envp **argp argc @ret ebp ... $ /bin/sh --version

Slide 22

Slide 22 text

pwn | details What if the address could not be calculated? ex: user controlled input stored on the heap Check for references at the moment you take control registers stack

Slide 23

Slide 23 text

pwn | details RET 2 reg return to register ﬁnd instruction redirecting control ﬂow to stored value jmp eax call ecx

Slide 24

Slide 24 text

pwn | details POP 2 RET context: address to user-controlled buffer is stored in the stack ﬁnd pop instruction(s) followed by a ret instruction pop useless values ret

Slide 25

Slide 25 text

pwn | details value @pop/ ret %ebp buffer ... ebp return address argument &input After the overﬂow

Slide 26

Slide 26 text

pwn | details At the end of the function value @pop/ ret eip &input

Slide 27

Slide 27 text

pwn | details POP value @pop/ ret eip &input eip .section .text ... pop eax ret

Slide 28

Slide 28 text

pwn | details RET value @pop/ ret eip &input eip .section .text ... pop eax ret

Slide 29

Slide 29 text

protections | intro First example only works with all protections disabled less likely to happen nowadays maybe if you are lucky or exploiting an old system, … Protections on multiple layers compilation os

Slide 30

Slide 30 text

protections | intro What was the root cause of this vulnerability?

Slide 31

Slide 31 text

protections | unsafe ops Unsafe memory copy operation ! leading to out-of-bound memory accesses strcpy, strcat, memcpy, gets, scanf, sprintf, realpath, …

Slide 32

Slide 32 text

protections | unsafe ops Microsoft Safe String API generate compiler warnings while using those functions GCC #pragma GCC poison allows to generate error when identiﬁer found in code https://github.com/leafsr/gcc-poison

Slide 33

Slide 33 text

protections | unsafe ops GCC FORTIFY_SOURCE if that macro is enabled it checks for basic vulnerabilities compile time : static array copied using libc functions execution time : ___strcpy_chk -D_FORTIFY_SOURCE=1 -O2

Slide 34

Slide 34 text

protections | unsafe ops

Slide 35

Slide 35 text

protections | unsafe ops

Slide 36

Slide 36 text

protections | unsafe ops Warning beware of home made memory operation functions my_memcopy using a loop …

Slide 37

Slide 37 text

protections | intro What do you need to be able to modify the control ﬂow in this example ?

Slide 38

Slide 38 text

protections | canary Smash the stack ! need to be able to overwrite saved EIP other possibilities, but that will be for another course

Slide 39

Slide 39 text

protections | canary Detect overﬂows use canaries, like in the mines pro-police in GCC -fstack-protector[strong/-all]

Slide 40

Slide 40 text

protections | canary Before Pro-Police ... &input %eip %ebp buffer ...

Slide 41

Slide 41 text

protections | canary With Pro-Police ... &input %eip %ebp buffer ... canary

Slide 42

Slide 42 text

protections | canary Canary generate random value at process start value written in the stack before local variables (simplest use-case) compiler inserts check before ret instruction

Slide 43

Slide 43 text

protections | canary

Slide 44

Slide 44 text

protections | canary | bypass How to bypass this ? 1. on Unix requires to know the value 2. could try a brute-force if entropy is too small 3. use a memory leak vulnerability to retrieve the value

Slide 45

Slide 45 text

protections | intro What do you need to be able to execute your shellcode ?

Slide 46

Slide 46 text

protections | nx Execution rights ! memory pages have access rights deﬁned in the Page Table Entries check Intel Developer Manuals

Slide 47

Slide 47 text

protections | nx History ﬁrst implementations in August 2004 were software only ExecShield W^X PAX introduced by Intel in Pentium 4 serie NX bit

Slide 48

Slide 48 text

protections | nx Concept memory pages should either contain data or code rare cases where both can mix ex: JIT compilers still, stack and heap can be marked as non-executable most of the time

Slide 49

Slide 49 text

protections | nx Bypass we cannot add data in the process and then execute it so let’s use what is already present ! ret2libc rop

Slide 50

Slide 50 text

protections | nx | ret2libc ret2libc context : stack is non-executable libc code is obviously executable instead of having a shellcode using syscalls, directly call libc functions

Slide 51

Slide 51 text

protections | nx | ret2libc Concept forge a stack as the standard execution would stdcall convention rewrite execution pointer with function address

Slide 52

Slide 52 text

protections | nx | ret2libc Examples execute command line using system execute process using exec*

Slide 53

Slide 53 text

protections | nx | ret2libc ret2libc!system @“/bin/sh” @system AAAA AAAA AAAA AAAA AAAA ... %ebp return address argument &input align

Slide 54

Slide 54 text

protections | nx | rop ret2libc next level calling a function is fun but can’t we also directly use instructions or call multiples ? Return Oriented Programming (ROP)

Slide 55

Slide 55 text

protections | nx | rop Dino Dai Zovi “preventing the introduction of malicious code is not enough to prevent the execution of malicious computations”

Slide 56

Slide 56 text

protections | nx | rop Concept chain the execution of simple instructions already in the memory to execute code simple instructions are called gadgets and are ended by RET pop eax ; ret mov [ebx], ecx ; ret

Slide 57

Slide 57 text

protections | nx | rop Beware speciﬁcity of CISC architecture (used by Intel processors) a list of opcodes doesn’t have only one representation possible to process them at various offsets concept not applicable on RISC architectures (ARM, MIPS, …)

Slide 58

Slide 58 text

protections | nx | rop B8 89 41 08 C3 mov eax, 0xc3084189 mov dword ptr [ecx+8], ecx ret

Slide 59

Slide 59 text

protections | nx | rop usage examples write 4 (controlled) bytes at a controlled address call function chain functions calls

Slide 60

Slide 60 text

protections | nx | rop pop eax ret pop ecx ret mov [ecx], eax ret + + = write 4 bytes

Slide 61

Slide 61 text

protections | nx | rop In practice ﬁnd the gadgets you need forge a stack containing their addresses : ROP chain redirect execution ﬂow to your ROP chain

Slide 62

Slide 62 text

protections | nx | rop Finding gadgets Write your own tools elfesteem / peﬁle / capstone idapython Existing tools ropeme, ropgagdet, rp++

Slide 63

Slide 63 text

Taking our previous example protections | nx | rop mov dword ptr [ecx], eax 0x08049668 0xffffdee8

Slide 64

Slide 64 text

protections | nx | rop Taking our previous example gadget1 : pop eax ; ret gadget2 : pop ecx ; ret gadget3 : mov dword ptr [ecx], eax ; ret @gadget1 AAAA AAAA AAAA ... %ebp return address 0xffffdee8 @gadget2 0x08049668 @gadget3 …

Slide 65

Slide 65 text

protections | nx | rop When vulnerable function returns eax = ?? ecx = ?? @gadget1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget2 0x08049668 @gadget3 … eip .section .text ... mov eax, 42 ret

Slide 66

Slide 66 text

protections | nx | rop After ret instruction eax = ?? ecx = ?? @gadget1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget2 0x08049668 @gadget3 … eip .section .text ... pop eax ret

Slide 67

Slide 67 text

protections | nx | rop After pop instruction eax = 0xffffdee8 ecx = ?? @gadget1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget2 0x08049668 @gadget3 … eip .section .text ... pop eax ret

Slide 68

Slide 68 text

protections | nx | rop After ret instruction eax = 0xffffdee8 ecx = ?? @gadget1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget2 0x08049668 @gadget3 … eip .section .text ... pop ecx ret

Slide 69

Slide 69 text

protections | nx | rop After pop instruction eax = 0xffffdee8 ecx = 0x08049668 @gadget1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget2 0x08049668 @gadget3 … eip .section .text ... pop ecx ret

Slide 70

Slide 70 text

protections | nx | rop After ret instruction eax = 0xffffdee8 ecx = 0x08049668 @gadget1 AAAA AAAA AAAA ... esp 0xffffdee8 @gadget2 0x08049668 @gadget3 … eip .section .text ... mov dword ptr [ecx], eax ret

Slide 71

Slide 71 text

protections | nx | rop What are useful gadgets ? redirect execution to register stack-pivot set registers values read at a memory address write-what-where init syscall number syscall

Slide 72

Slide 72 text

protections | nx | rop Stack pivoting we only spoke about stack based buffer overﬂow as such your controlled data is in the stack other types of exploits might not be as convenient ex: heap overﬂow

Slide 73

Slide 73 text

protections | nx | rop Stack pivoting ROP chain should be in the stack need to change esp value to point to user controlled data

Slide 74

Slide 74 text

protections | nx | rop Examples mov esp, eax ; ret xchg esp, eax ; ret add esp, #value ; ret

Slide 75

Slide 75 text

protections | nx | rop Demonstration lets use variation of previous sample bof_01_static goal : exit with chosen value take your VM and follow along

Slide 76

Slide 76 text

protections | nx | rop Step 1 : ﬁnd the overﬂow

Slide 77

Slide 77 text

protections | nx | rop Step 2 : ﬁnd the offset

Slide 78

Slide 78 text

protections | nx | rop Step 3 : deﬁne payload exit(0x42424242)

Slide 79

Slide 79 text

protections | nx | rop Step 4 : write functionality in assembly language .section .text mov eax, 1 mov ebx, 0x42424242 int 0x80

Slide 80

Slide 80 text

protections | nx | rop Step 5 : requirements syscall eax = 0x1 ebx = 0x42424242

Slide 81

Slide 81 text

protections | nx | rop Step 6 : deﬁne needed instructions int 0x80 xor eax, eax inc eax pop ebx

Slide 82

Slide 82 text

protections | nx | rop Step 7 : locate gadgets int 0x80

Slide 83

Slide 83 text

protections | nx | rop Step 8 : write exploit

Slide 84

Slide 84 text

protections | nx | rop Useful when debugging break at the end of the vulnerable function set gadget address to 0x41414141 and check the stack layout use si (step into) to go through every instruction

Slide 85

Slide 85 text

protections | nx | rop Calling multiple functions remember that they are multiple calling conventions libc is mostly using cdecl which means that the caller has to clean the stack

Slide 86

Slide 86 text

protections | nx | rop Calling multiple functions like we saw in ret2libc part read system @read AAAA AAAA AAAA ... %ebp return address 0x1 @buffer 1024 @buffer read args system args @system

Slide 87

Slide 87 text

protections | nx | rop End of read @read AAAA AAAA AAAA ... %esp 0x1 @buffer 1024 @buffer .section .text read: ... ret eip @system

Slide 88

Slide 88 text

protections | nx | rop Problem we don’t have the correct arguments what would help ? hint: think gadgets…

Slide 89

Slide 89 text

protections | nx | rop Yes, something to clean the 3 entries we have in the stack ! add esp, 0xc ; ret pop reg1 ; pop reg2 ; pop reg3 ; ret

Slide 90

Slide 90 text

protections | nx | rop Calling multiple functions using a pop3ret read system @read AAAA … ... %ebp return address 0x1 @buffer 1024 @system @buffer read args system args @pop3ret align

Slide 91

Slide 91 text

protections | nx | rop End of read @read AAAA … ... %esp 0x1 @buffer 1024 @system read args system args @pop3ret .section .text read: ... ret eip @buffer align

Slide 92

Slide 92 text

protections | nx | rop Execution of pop3ret @read AAAA … ... %esp 0x1 @buffer 1024 @system system args @pop3ret .section .text …: pop eax pop ebx pop ecx ret eip @buffer align

Slide 93

Slide 93 text

protections | nx | rop Execution of pop3ret @read AAAA … ... %esp 0x1 @buffer 1024 @system system args @pop3ret .section .text …: pop eax pop ebx pop ecx ret eip @buffer align

Slide 94

Slide 94 text

protections | nx | rop Execution of pop3ret @read AAAA … ... %esp 0x1 @buffer 1024 @system system args @pop3ret .section .text …: pop eax pop ebx pop ecx ret eip @buffer align

Slide 95

Slide 95 text

protections | nx | rop Execution of pop3ret @read AAAA … ... %esp 0x1 @buffer 1024 @system system args @pop3ret .section .text …: pop eax pop ebx pop ecx ret eip @buffer align

Slide 96

Slide 96 text

protections | nx | rop Detection ROP can be prevented by ASLR as we will see in a moment detection techniques are based on CFI violations Control Flow Integrity

Slide 97

Slide 97 text

protections | nx | rop CFI concepts uses various heuristics to detect rop chains high ratio of ret instructions per instructions blocks shadow stack that validate that ret is returning to instruction following the right call instruction

Slide 98

Slide 98 text

protections | nx | rop CFI limitations implementing a shadow stack degrade performance by at least 30% as such most implementations are coarse grained leaving holes that can be exploited ﬁne grained implementations in some academic r&d projects

Slide 99

Slide 99 text

protections | intro What do you need if you want to call a function ?

Slide 100

Slide 100 text

protections | aslr Function address ! before, code and sections were loaded at the same address every time cat /proc/self/maps

Slide 101

Slide 101 text

protections | aslr Concept Address Space Layout Randomisation prevent attacker from using known addresses ex: return to libc

Slide 102

Slide 102 text

protections | aslr | without

Slide 103

Slide 103 text

protections | aslr | with

Slide 104

Slide 104 text

protections | aslr Changes stack address heap address libraries addresses main binary address

Slide 105

Slide 105 text

protections | aslr Wait, what ? concept seems ineffective if binary loading address does not change still possible to extract gadgets from it well, some gadgets but not a panacea… what went wrong?

Slide 106

Slide 106 text

protections | aslr Requirements not all binaries (including libraries) are affected by ASLR need to be compiled as Position Independant {Executable, Code} -pie -fPIE -fPIC

Slide 107

Slide 107 text

protections | aslr ASLR compatible list binary headers using readelf EXEC : not compatible DYN : compatible when in peda use checksec command

Slide 108

Slide 108 text

protections | aslr

Slide 109

Slide 109 text

protections | aslr Other subtleties three conﬁgurations for ASLR /proc/sys/kernel/randomize_va_space 0 : disabled

Slide 110

Slide 110 text

protections | aslr Other subtleties 1 : Conservative randomization stack, heap, libraries, pie, vdso, mmap() 2 : full randomization 1 + memory managed by brk

Slide 111

Slide 111 text

protections | aslr Bypass brute-force memory disclosure missing PIE

Slide 112

Slide 112 text

protections | aslr | brute-force When lazy or no other possibilities set the libc base address to common base brute-force the remaining 16 bits only effective on 32 bits systems or if rebasing is built-into the binary 64bits Linux has 28 bits of entropy

Slide 113

Slide 113 text

protections | aslr | disclosure When the binary is not compiled as position independent as said, limited number of gadgets in it libraries loading address are randomized but… not the content of the library

Slide 114

Slide 114 text

protections | aslr | disclosure system: … … printf: … strcpy: … @??? libc 0xfffc3240

Slide 115

Slide 115 text

protections | aslr | disclosure Ok, but how to I ﬁnd it my function ? generate pattern that appears only once in the library not present in other ones obviously need a second vulnerability in the code memory disclosure

Slide 116

Slide 116 text

protections | aslr | disclosure Usage extract information using the disclosure match it against known value calculate offset to interesting functions you want to call

Slide 117

Slide 117 text

protections | aslr | disclosure Variant highly dependant on the vulnerability you are exploiting if able to read /proc/self/maps, extract addresses

Slide 118

Slide 118 text

protections | aslr | npie When the main binary is not compiled as position independent all text section is loaded at ﬁxed address this also includes the GOT address

Slide 119

Slide 119 text

protections | aslr | npie GOT Global Offset Table used as a mapper to call functions for which loading address is unknown pretty useful since PIC is mandatory on modern Linux distro

Slide 120

Slide 120 text

protections | aslr | npie GOT for each offset there is the address of the corresponding function ﬁled by the loader when executing the binary unless lazy binding is used, in this case only once function already called

Slide 121

Slide 121 text

protections | aslr | npie GOT table is speciﬁc for each binary but : entries can be retrieved using objdump or radare2 objdump -D ./binary | grep \@plt\>:

Slide 122

Slide 122 text

protections | aslr | npie

Slide 123

Slide 123 text

protections | aslr | npie

Slide 124

Slide 124 text

protections | aslr | npie Idea base address of the GOT is known in this case read at selected offset to retrieve current address of a function open the libc binary and retrieve offset from this function also extract offsets from the desired functions

Slide 125

Slide 125 text

protections | aslr | npie Details leaked_address = libc_base = leaked_address - offset_leaked_from_base needed_address = libc_base + offset_needed_from_base

Slide 126

Slide 126 text

protections | aslr | npie Wait, how do I read the value ? as said only a limited number of gadgets in the main binary still possible to ﬁnd memory read ones

Slide 127

Slide 127 text

protections | aslr | npie Example of such gadgets mov eax, [ebx] ; ret add eax, [ecx + 0x8042de4c] ; ret … don’t forget to adjust value in ecx

Slide 128

Slide 128 text

protections | aslr | npie If we have enough time demo on bof_04 demo using PlaidCTF ropasaurusrex

Slide 129

Slide 129 text

protections | intro What do you need if you want to modify data in memory ?

Slide 130

Slide 130 text

protections | ro Rights to write at that location ! prevent modiﬁcations of the GOT and the like used when vulnerability allows to write anywhere in the memory

Slide 131

Slide 131 text

protections | ro Concept RELRO RELocation Read Only

Slide 132

Slide 132 text

protections | ro Partial RELRO -z relro reorder sections to prevent overwrite through overﬂow GOT still writable

Slide 133

Slide 133 text

protections | ro Full RELRO -z relro -z now like the previous one one loader’s job is done GOT/PLT are changed to read-only

Slide 134

Slide 134 text

conclusion What next ? labs this afternoon, yeah! after that play with the concepts by yourself create/join CTF team read books or conferences papers do not hesitate to ask for help

Slide 135

Slide 135 text

conclusion | books Modern operating systems {Linux, Windows, OSX, Android} Internals The Shellcoder’s handbook The art of software security assessment Fuzzing : brute force vulnerability discovery Practical reverse engineering

Slide 136

Slide 136 text

conclusion | con Insomni’hack AppSec Forum / Cyber Security Conference Area41 Inﬁltrate Defcon BlackHat SSTiC NoSuchCon Usenix

Slide 137

Slide 137 text

conclusion | wargames www.w3challs.com www.intruded.net www.exploit-exercices.com www.overthewire.org smashthestack.org

Slide 138

Slide 138 text

conclusion | ctf Check on ctftime.org Insomni’hack CSAW : dedicated to students Nuit du Hack Hack.lu CodeGate RuCTFe …