Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Example ROP in MIPS

Chen
November 04, 2023
Technology
0
30

Example ROP in MIPS

Chen

November 04, 2023
Tweet

More Decks by Chen

See All by Chen
defense
tiffany_04192
0
69
Dijkstra’s Algorithm
tiffany_04192
0
97
Floyd-Warshall
tiffany_04192
0
77
Topological sort DFS
tiffany_04192
0
79
BFS
tiffany_04192
0
86
DFS
tiffany_04192
0
88
Cache behavior
tiffany_04192
0
74
Cache miss paper
tiffany_04192
0
96
Greedy
tiffany_04192
0
88

Other Decks in Technology

See All in Technology
Azure犬駆動開発の記録/GlobalAzureFukuoka2024_20240420
nina01
1
230
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
870
JSON攻略法.pdf
miyakemito
8
5.1k
プラットフォームってつくることより計測することが重要なんじゃないかという話 / Platform Engineering Meetup #8
taishin
1
380
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
6
860
今日からできる!簡単 .NET 高速化 Tips -2024 edition-
xin9le
6
2.5k
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
130
LLM開発・活用の舞台裏@2024.04.25
yushin_n
3
940
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
180
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
7
560
開発パフォーマンスを最大化するための開発体制
ham0215
2
470

Featured

See All Featured
Visualization
eitanlees
136
14k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
How to train your dragon (web standard)
notwaldorf
73
5.2k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.5k
Thoughts on Productivity
jonyablonski
58
3.8k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
Code Review Best Practice
trishagee
55
15k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k

Transcript

  1. 34 Example ROP in MIPS (1) ͻ EŽǁůĞƚ͛ƐĚŽŝƚǀŝĂZKW͘^ƚĞƉƐ͗ 1. ^ĞƚΨĂϬƚŽƚŚĞĂĚĚƌĞƐƐŽĨƚŚĞƐƚƌŝŶŐͬ͞ďŝŶͬsh͟

    2. Set $v0 to the syscall number for 'exec' 3. Ask the OS to do the syscall PS1=bash$ SHELL=/bin/bash LSCOLOR=... ... lw $a0, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 8 jr $ra ... 0x3506 0x3500 0x1200 ... lw $a0, 8($sp) lw $a1, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 12 jr $ra ... 0x1800 0x1804 ... syscall ... 0x4880 0x0000 0x0000 0x0000 0x0000 0x9800 ... # (Read a string from the user into a buffer) ... lw $ra, 0($sp) addi $sp, $sp, 4 jr $ra ... Stack (junk) (junk) (junk) (junk) 0x1200 0x1804 0x3506 0x4880 55 Vulnerable IXQFWLRQ¶Vra $sp $pc Buffer overflow occurs buffer ;&ƵŶĐƚŝŽŶ͛ƐĐĂůůĞƌͿ

  2. 35 $ra Example ROP in MIPS (2) ͻ EŽǁůĞƚ͛ƐĚŽŝƚǀŝĂZKW͘^ƚĞƉƐ͗ 1.

    ^ĞƚΨĂϬƚŽƚŚĞĂĚĚƌĞƐƐŽĨƚŚĞƐƚƌŝŶŐͬ͞ďŝŶͬsh͟ 2. Set $v0 to the syscall number for 'exec' 3. Ask the OS to do the syscall PS1=bash$ SHELL=/bin/bash LSCOLOR=... ... lw $a0, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 8 jr $ra ... 0x3506 0x3500 0x1200 ... lw $a0, 8($sp) lw $a1, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 12 jr $ra ... 0x1800 0x1804 ... syscall ... 0x4880 0x0000 0x0000 0x0000 0x0000 0x9800 ... # (Read a string from the user into a buffer) ... lw $ra, 0($sp) addi $sp, $sp, 4 jr $ra ... Stack (junk) (junk) (junk) (junk) 0x1200 0x1804 0x3506 0x4880 55 Vulnerable IXQFWLRQ¶Vra $sp $pc $ra controlled by attacker now buffer ;&ƵŶĐƚŝŽŶ͛ƐĐĂůůĞƌͿ

  3. 36 $ra $pc 0x1200 Example ROP in MIPS (3) ͻ

    EŽǁůĞƚ͛ƐĚŽŝƚǀŝĂZKW͘^ƚĞƉƐ͗ 1. ^ĞƚΨĂϬƚŽƚŚĞĂĚĚƌĞƐƐŽĨƚŚĞƐƚƌŝŶŐͬ͞ďŝŶͬsh͟ 2. Set $v0 to the syscall number for 'exec' 3. Ask the OS to do the syscall PS1=bash$ SHELL=/bin/bash LSCOLOR=... ... lw $a0, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 8 jr $ra ... 0x3506 0x3500 ... lw $a0, 8($sp) lw $a1, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 12 jr $ra ... 0x1800 0x1804 ... syscall ... 0x4880 0x0000 0x0000 0x0000 0x0000 0x9800 ... # (Read a string from the user into a buffer) ... lw $ra, 0($sp) addi $sp, $sp, 4 jr $ra ... Stack (junk) (junk) (junk) (junk) 0x1200 0x1804 0x3506 0x4880 55 Vulnerable IXQFWLRQ¶Vra $sp We go where attacker says buffer ;&ƵŶĐƚŝŽŶ͛ƐĐĂůůĞƌͿ

  4. 37 $ra Example ROP in MIPS (4) ͻ EŽǁůĞƚ͛ƐĚŽŝƚǀŝĂZKW͘^ƚĞƉƐ͗ 1.

    ^ĞƚΨĂϬƚŽƚŚĞĂĚĚƌĞƐƐŽĨƚŚĞƐƚƌŝŶŐͬ͞ďŝŶͬsh͟ 2. Set $v0 to the syscall number for 'exec' 3. Ask the OS to do the syscall PS1=bash$ SHELL=/bin/bash LSCOLOR=... ... lw $a0, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 8 jr $ra ... 0x3506 0x3500 0x1200 ... lw $a0, 8($sp) lw $a1, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 12 jr $ra ... 0x1800 0x1804 ... syscall ... 0x4880 0x0000 0x0000 0x0000 0x0000 0x9800 ... # (Read a string from the user into a buffer) ... lw $ra, 0($sp) addi $sp, $sp, 4 jr $ra ... Stack (junk) (junk) (junk) (junk) 0x1200 0x1804 0x3506 0x4880 55 Vulnerable IXQFWLRQ¶Vra $sp We change $a0 and $ra buffer ;&ƵŶĐƚŝŽŶ͛ƐĐĂůůĞƌͿ $pc Regs $a0 = 0x3506

  5. 38 $ra $pc Example ROP in MIPS (5) ͻ EŽǁůĞƚ͛ƐĚŽŝƚǀŝĂZKW͘^ƚĞƉƐ͗

    1. ^ĞƚΨĂϬƚŽƚŚĞĂĚĚƌĞƐƐŽĨƚŚĞƐƚƌŝŶŐͬ͞ďŝŶͬsh͟ 2. Set $v0 to the syscall number for 'exec' 3. Ask the OS to do the syscall PS1=bash$ SHELL=/bin/bash LSCOLOR=... ... lw $a0, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 8 jr $ra ... 0x3506 0x3500 0x1200 ... lw $a0, 8($sp) lw $a1, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 12 jr $ra ... 0x1800 0x1804 ... syscall ... 0x4880 0x0000 0x0000 0x0000 0x0000 0x9800 ... # (Read a string from the user into a buffer) ... lw $ra, 0($sp) addi $sp, $sp, 4 jr $ra ... Stack (junk) (junk) (junk) (junk) 0x1200 0x1804 0x3506 0x4880 55 Vulnerable IXQFWLRQ¶Vra $sp Now we execute another gadget buffer ;&ƵŶĐƚŝŽŶ͛ƐĐĂůůĞƌͿ Regs $a0 = 0x3506

  6. 39 $ra Example ROP in MIPS (6) ͻ EŽǁůĞƚ͛ƐĚŽŝƚǀŝĂZKW͘^ƚĞƉƐ͗ 1.

    ^ĞƚΨĂϬƚŽƚŚĞĂĚĚƌĞƐƐŽĨƚŚĞƐƚƌŝŶŐͬ͞ďŝŶͬsh͟ 2. Set $v0 to the syscall number for 'exec' 3. Ask the OS to do the syscall PS1=bash$ SHELL=/bin/bash LSCOLOR=... ... lw $a0, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 8 jr $ra ... 0x3506 0x3500 0x1200 ... lw $a0, 8($sp) lw $a1, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 12 jr $ra ... 0x1800 0x1804 ... syscall ... 0x4880 0x0000 0x0000 0x0000 0x0000 0x9800 ... # (Read a string from the user into a buffer) ... lw $ra, 0($sp) addi $sp, $sp, 4 jr $ra ... Stack (junk) (junk) (junk) (junk) 0x1200 0x1804 0x3506 0x4880 55 Vulnerable IXQFWLRQ¶Vra $sp It sets $a1 and $ra buffer ;&ƵŶĐƚŝŽŶ͛ƐĐĂůůĞƌͿ $pc Regs $a0 = 0x3506 $a1 = 55

  7. 40 $ra $pc Example ROP in MIPS (7) ͻ EŽǁůĞƚ͛ƐĚŽŝƚǀŝĂZKW͘^ƚĞƉƐ͗

    1. ^ĞƚΨĂϬƚŽƚŚĞĂĚĚƌĞƐƐŽĨƚŚĞƐƚƌŝŶŐͬ͞ďŝŶͬsh͟ 2. Set $v0 to the syscall number for 'exec' 3. Ask the OS to do the syscall PS1=bash$ SHELL=/bin/bash LSCOLOR=... ... lw $a0, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 8 jr $ra ... 0x3506 0x3500 0x1200 ... lw $a0, 8($sp) lw $a1, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 12 jr $ra ... 0x1800 0x1804 ... syscall ... 0x4880 0x0000 0x0000 0x0000 0x0000 0x9800 ... # (Read a string from the user into a buffer) ... lw $ra, 0($sp) addi $sp, $sp, 4 jr $ra ... Stack (junk) (junk) (junk) (junk) 0x1200 0x1804 0x3506 0x4880 55 Vulnerable IXQFWLRQ¶Vra $sp We execute the final gadget buffer ;&ƵŶĐƚŝŽŶ͛ƐĐĂůůĞƌͿ Regs $a0 = 0x3506 $a1 = 55

  8. 41 $ra $pc Example ROP in MIPS (8) ͻ EŽǁůĞƚ͛ƐĚŽŝƚǀŝĂZKW͘^ƚĞƉƐ͗

    1. ^ĞƚΨĂϬƚŽƚŚĞĂĚĚƌĞƐƐŽĨƚŚĞƐƚƌŝŶŐͬ͞ďŝŶͬsh͟ 2. Set $v0 to the syscall number for 'exec' 3. Ask the OS to do the syscall PS1=bash$ SHELL=/bin/bash LSCOLOR=... ... lw $a0, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 8 jr $ra ... 0x3506 0x3500 0x1200 ... lw $a0, 8($sp) lw $a1, 4($sp) lw $ra, 0($sp) addi $sp, $sp, 12 jr $ra ... 0x1800 0x1804 ... syscall ... 0x4880 0x0000 0x0000 0x0000 0x0000 0x9800 ... # (Read a string from the user into a buffer) ... lw $ra, 0($sp) addi $sp, $sp, 4 jr $ra ... Stack (junk) (junk) (junk) (junk) 0x1200 0x1804 0x3506 0x4880 55 Vulnerable IXQFWLRQ¶Vra $sp Boom: shell buffer ;&ƵŶĐƚŝŽŶ͛ƐĐĂůůĞƌͿ Regs $a0 = 0x3506 $a1 = 55