ROP Primer - Speaker Deck

Slide 1

Slide 1 text

BY @BARREBAS ROP PRIMER // CTF-TEAM.VULNHUB.COM

Slide 2

Slide 2 text

CONTENTS > THE NEED FOR ROP > ROP VS RET2LIBC > STRATEGIES > EXAMPLE: SHELLCODEME // CTF-TEAM.VULNHUB.COM

Slide 3

Slide 3 text

WHAT IS THIS ABOUT? > FOCUS ON BUFFER OVERFLOWS NOT ABOUT ALL KINDS OF VULNERABILITIES NOR AN INTRO INTO x86 ASSEMBLY RETURN-ORIENTED-PROGRAMMING IN CAPTURE THE FLAG CHALLENGES // CTF-TEAM.VULNHUB.COM

Slide 4

Slide 4 text

THE NEED FOR ROP CODE EXECUTION TO EXPLOIT, WE NEED > CONTROL OVER EIP

Slide 5

Slide 5 text

CODE EXECUTION OVERWRITE SAVED RETURN ADDRESS TO CONTROL EIP, WE CAN OVERWRITE GLOBAL OFFSET POINTER OR

Slide 6

Slide 6 text

CODE EXECUTION OVERFLOW A BUFFER ON THE STACK TO OVERWRITE SRA, WE MUST LET'S FOCUS ON BUFFER OVERFLOWS, THEY'RE EASIER TO EXPLAIN :)

Slide 7

Slide 7 text

EXECUTE SHELLCODE ON THE STACK HAVE TO STORE SHELLCODE SOME WRITABLE DATA SECTION OR

Slide 8

Slide 8 text

EXPLOIT MITIGATION SHELLCODE ON STACK SINCE NX/DEP: STACK = NON-EXECUTABLE BINARY WILL SEGFAULT AS SOON AS IT STARTS TO EXECUTE CODE FROM NON-EXECUTABLE MEMORY

Slide 9

Slide 9 text

WHAT IS ROP? > RETURN-ORIENTED-PROGRAMMING > RE-USE PIECES OF PROGRAM'S CODE SECTION >> CODE SECTION == EXECUTABLE // CTF-TEAM.VULNHUB.COM

Slide 10

Slide 10 text

ROP VS RET2LIBC > BOTH ROP AND RET2LIBC USE THE STACK TO CONTROL EXECUTION > TO EXECUTE CODE, WE'LL FAKE STACK FRAMES > FOR RET2LIBC, WE FAKE ONLY ONE STACK FRAME > ROP CAN USE THE SAME STACK FRAME LAYOUT TO FAKE CALLS!

Slide 11

Slide 11 text

LET'S LOOK AT RET2LIBC ASSUME LIBC ADDRESS IS STATIC (NO ASLR) OVERFLOW A FUNCTION POINTER OR SAVED RETURN ADDRESS WITH SYSTEM() SPAWN A SHELL CAT FLAG cat flag 2>&1 /bin/sh

Slide 12

Slide 12 text

INTERMEZZO: BUFFER OVERFLOWS & RET2LIBC OBVIOUS VULNERABILITY

Slide 13

Slide 13 text

EXAMPLE ENABLE COREDUMPS ulimit -c unlimited CRASH THE BINARY & GENERATE CORE

Slide 14

Slide 14 text

GDB-PEDA IS OUR FRIEND BUT HOW? gdb ./vuln core START GDB USEFUL GDB-PEDA CMD: CHECKSEC WE HAVE OVERWRITTEN EIP WITH 'HHHH'

Slide 15

Slide 15 text

ANATOMY OF A BUFFER OVERFLOW objdump -d -M intel ./rop_example CALL: SUB ESP, 4 MOV [ESP], EIP

Slide 16

Slide 16 text

THE STACK BEFORE THE CALL 100 CALL: SUB ESP, 4 MOV [ESP], EIP 112 108 104 ESP < SOME VALUE < ARG1 < ARG2 < SOME VALUE

Slide 17

Slide 17 text

THE STACK AFTER THE CALL 100 CALL: SUB ESP, 4 MOV [ESP], EIP 112 108 104 ESP < RETURN ADDR < ARG1 < ARG2 < SOME VALUE

Slide 18

Slide 18 text

MAIN() IS EXECUTED LEA: LOAD EFFECTIVE ADDRESS OF BUF BUF IS ON THE STACK!

Slide 19

Slide 19 text

THE STACK BEFORE READ() 100 132 116 BUF < RETURN ADDR ESP 128

Slide 20

Slide 20 text

THE STACK AFTER READ() 100 132 116 BUF < HHHH ESP 128 < AAAABBBB.... < EEEEFFFF....

Slide 21

Slide 21 text

MAIN() WANTS TO RETURN BUT WE HAVE OVERWRITTEN THE SAVED RETURN ADDRESS!

Slide 22

Slide 22 text

THE STACK BEFORE RET 100 132 116 BUF < HHHH ESP 128 < AAAABBBB.... < EEEEFFFF.... RET: MOV EIP, [ESP] ADD ESP, 4

Slide 23

Slide 23 text

THE STACK AFTER RET 100 132 116 BUF < EIP = HHHH! ESP 128 < AAAABBBB.... < EEEEFFFF.... RET: MOV EIP, [ESP] ADD ESP, 4

Slide 24

Slide 24 text

EXECUTE OUR CODE BUT WE CAN RETURN-TO-LIBC echo 0 > /proc/sys/kernel/randomize_va_space DISABLE ASLR: STACK IS NOT EXECUTABLE

Slide 25

Slide 25 text

GRAB ADDR OF SYSTEM() > WE'RE GOING TO FAKE A CALL TO SYSTEM() > A ROP CHAIN LOOKS BASICALLY THE SAME HOW WOULD THE STACK LOOK?

Slide 26

Slide 26 text

THE STACK AFTER NORMAL CALL 100 112 108 104 ESP < RETURN ADDR < ARG1 < ARG2 STACK LAYOUT AT TOP OF FUNCTION

Slide 27

Slide 27 text

RET2SYSTEM:THE STACK BEFORE RET 100 112 108 104 ESP < FAKE RETURN ADDR < ARG1 < SYSTEM() RET WILL TAKE VALUE FOR EIP OFF TOP OF STACK “/bin/sh” RET

Slide 28

Slide 28 text

100 112 108 104 ESP < FAKE RETURN ADDR < ARG1 < SYSTEM() IDENTICAL STACK LAYOUT AFTER 'NORMAL' CALL! “/bin/sh” RET2SYSTEM:THE STACK AFTER RET RET

Slide 29

Slide 29 text

STRATEGY > STORE ARGUMENT FOR SYSTEM() ON STACK > OVERWRITE SAVED RETURN ADDRESS > SETUP CORRECT STACK LAYOUT TO FAKE A CALL REMEMBER: ASLR IS OFF, STACK ADDR IS FIXED

Slide 30

Slide 30 text

EXPLOIT

Slide 31

Slide 31 text

#FAIL! DEBUG TIME USE THE COREDUMP, LUKE MAKE BINARY CRASH BEFORE SYSTEM() IS CALLED BY REPLACING THE ADDRESS WITH 'BBBB'

Slide 32

Slide 32 text

GDB'S STACK IS DIFFERENT LOCATION OF STACK IS DIFFERENT! UPDATE EXPLOIT WITH NEW POINTER

Slide 33

Slide 33 text

IT'S ALIVE! IMPORTANT: KEEP SHELL ALIVE WITH CAT (python exploit.py; cat) | ./vuln FAKE RETURN ADDR! BINARY STILL CRASHES:

Slide 34

Slide 34 text

ROP CHAINS CAN LOOK VERY SIMILAR TO THE STACK LAYOUT WE USED FOR RET2LIBC ROP > ^ RET2LIBC

Slide 35

Slide 35 text

RECYCLE CODE IN EXECUTABLE SECTIONS FUNCTIONS IN GLOBAL OFFSET TABLE CODE IN LIBRARIES (E.G. SYSTEM()) GADGETS IN BINARY ASLR MIGHT BE A PROBLEM WE CAN RECYCLE ALL SORT OF CODE

Slide 36

Slide 36 text

ROP GADGETS: PUTTING THE R IN ROP ROP USES THE STACK EXTENSIVELY TO ACHIEVE > CONTROL OVER EIP VIA STATEMENTS > CONTROL OVER STACK RET CODE EXECUTION

Slide 37

Slide 37 text

A BINARY HAS MANY RETURN OPCODES > RETS ARE PRECEDED BY OTHER INSTRUCTIONS > GIVEN ENOUGH GADGETS, WE CAN DO ANYTHING... > PREFERABLY SOMETHING LIKE THIS cat flag # ;)

Slide 38

Slide 38 text

EXAMPLE GADGET FROM RANDOM BINARY > RETURN TO THIS GADGET TO SET SEVERAL REGISTERS > RET @ END MAKES SURE WE DON'T LOSE CONTROL > CORRESPONDING PYTHON CODE:

Slide 39

Slide 39 text

BUT THIS GADGET CONTAINS MORE GADGETS > WHAT IF WE RETURN TO 0x40196, IN THE MIDDLE OF THE STATEMENT? > WE END UP WITH A NEW GADGET: POP R12 RECYCLING! =)

Slide 40

Slide 40 text

LOCATING GADGETS SEVERAL TOOLS EXIST ROPSHELL.COM GDB-PEDA MY OWN ROPGADGET.PY git clone https://github.com/longld/peda.git ~/peda echo "source ~/peda/peda.py" >> ~/.gdbinit

Slide 41

Slide 41 text

MANY STRATEGIES EXIST RE-USE OPEN/READ/WRITE TO GRAB THE FLAG MAKE MEMORY WRITEABLE & EXECUTABLE TWO EXAMPLES:

Slide 42

Slide 42 text

ROP EXAMPLE - SHELLCODEME WHAT ARE WE UP AGAINST? OBVIOUS VULNERABILITY =)

Slide 43

Slide 43 text

ROP EXAMPLE - SHELLCODEME # disassemble binary $ objdump -d -M intel ./shellcodeme > shellcodeme.out FIRST, DISASSEMBLE BINARY LAUNCH GDB & OVERFLOW THAT BUF!

Slide 44

Slide 44 text

TRICKY STACK LAYOUT RESTORE THE STACK SO THAT ESP POINTS TO INPUT INSPECT REGISTERS! EBP POINTS TO INPUT+16

Slide 45

Slide 45 text

MAKE ESP POINT TO INPUT USE THE LEAVE OPCODE LEAVE: MOV ESP, EBP; POP EBP I USUALLY AVOID GADGETS WITH LEAVE, BECAUSE IT MESSES UP ESP AND CAUSES LOSS OF CONTROL OVER EIP

Slide 46

Slide 46 text

FIRST ROP GADGET BOOM

Slide 47

Slide 47 text

TAKE A STEP BACK HOW ARE WE GOING TO EXPLOIT THIS WITH ROP? THE BINARY ALREADY HAS TWO USEFUL FUNCTIONS: MPROTECT & READ

Slide 48

Slide 48 text

MPROTECT CHANGES MEMORY PROTECTION FLAGS LET'S USE MPROTECT TO MAKE A SECTION OF MEMORY EXECUTABLE

Slide 49

Slide 49 text

HIGH-LEVEL EXPLOIT OVERVIEW WE'LL BUILD A ROP CHAIN TO 'CALL' MPROTECT TO MAKE A SECTION OF MEMORY RWX THEN, 'CALL' READ TO READ STANDARD SHELLCODE FROM STDIN FINALLY, WE'LL RETURN TO OUR NEWLY READ SHELLCODE & SPAWN A SHELL MPROTECT READ

Slide 50

Slide 50 text

LET'S START WITH MPROTECT THE ADDRESS OF MPROTECT WAS TAKEN FROM THE DISASSEMBLY OUTPUT

Slide 51

Slide 51 text

RUN IT LIVE IN GDB STORE OUTPUT OF ROP1.PY IN FILE $ python rop1.py > in RUN GDB-PEDA $ gdb ./shellcodeme START PROGRAM AND USE INPUT FROM FILE gdb-peda$ r

Slide 52

Slide 52 text

SUCCESS! EIP='FAKE' VMMAP > ^ 0x20000000 = RWX!

Slide 53

Slide 53 text

WHAT ABOUT THE NEXT STEP? STACK LOOKS LIKE THIS: SOLUTION: POP POP POP RET > EACH POP WILL ADD 4 TO ESP > FINAL RET WILL PICK UP THE ADDRESS OF THE NEXT GADGET FROM THE STACK

Slide 54

Slide 54 text

USING GDB-PEDA TO LOCATE PPPR gdb-peda$ ropgadget GDB LOCATED SEVERAL GADGETS WE'LL USE 0x804855D

Slide 55

Slide 55 text

UPDATE THE POC & RUN IT $ python rop1.py > in $ gdb ./shellcodeme gdb-peda$ r

Slide 56

Slide 56 text

ADD IN READ() SUPPLY “SHELLCODE” CONSISTING OF INT 3 INT 3

Slide 57

Slide 57 text

MOMENT OF TRUTH & RUN THE EXPLOIT: GRAB SOME SHELLCODE TO SPAWN A SHELL

Slide 58

Slide 58 text

MOMENT OF TRUTH & RUN THE EXPLOIT: GRAB SOME SHELLCODE TO SPAWN A SHELL

Slide 59

Slide 59 text

SHELL HAS LANDED!

Slide 60

Slide 60 text

THANKS TEAM MEMBERS: NULLMODE, SUPERKOJIMAN, SWAPPAGE, BITVIJAYS, ET0X, HISTORYPEATS SHOUT-OUTS TO G0TMI1K, LEONJZA, RASTA_MOUSE & HIGHJACK FOR GOING THROUGH THIS PDF & GIVING FEEDBACK! IMAGES USED: ROPE: HiveHarbingerCOM // LINK SHELL: Chris 73 // LINK RECYCLING SIGN: JoseDLF // LINK

Slide 61

Slide 61 text

ROP PRIMER // CTF-TEAM.VULNHUB.COM BY @BARREBAS // BARREBAS.GITHUB.IO