Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at...
Introduction to Information Security
ROP – Recitation 5
nirkrako at post.tau.ac.il
itamarg at post.tau.ac.il
Return Oriented Programming
• Return oriented programming is a different way to control the flow of execution (EIP) in a program.
• Motivation:
  • Write XOR Execute: because of overflows, the first prevention technique is to make:
    o Executable memory segments read-only
    o Writeable memory segments non-executable
• Most slides in this presentation were taken as is from:
  • Return-oriented Programming: Exploitation without Code Injection
  • By Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham from the University of California, San Diego
  • http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf
Getting started
• Need control of memory around %esp
• Rewrite stack:
  o Buffer overflow on stack
  o Format string vuln to rewrite stack contents
• Move stack:
  o Overwrite saved frame pointer on stack; on leave/ret, move %esp to area under attacker control
  o Overflow function pointer to a register spring for %esp:
    o set or modify %esp from an attacker-controlled register
    o then return
Schematic: return to libc
• Control hijacking without executing code
Avishai Wool, lecture 1 - 4
[Figure: stack layout (args, ret-addr, sfp, local buf) next to libc.so (exec(), printf(), “/bin/sh”)]
Return to libc
• Stack progress trace
Returning to Code Chunks (aka Gadgets)
• Instead of working with small “opcodes” and %eip, we now use larger chunks of code and %esp.
• All the “larger chunks” do multiple register manipulations, and we must consider the effect of all of them.
• Not everything we want is possible directly, so we have to be creative and work around the problem.
• All chunks end with 0xc3 (RET).
• We are effectively using a new ‘language’ to code.
Chunk guidelines
• All chunks end with 0xc3.
• Chunks should be as minimal as possible, containing the minimum amount of data.
• Chunks are better if they appear in more “stable” and common libraries such as libc (and can then be reused for different binaries).
• Chunks cannot contain junk.
  o If the CPU cannot interpret the junk in the chunk, it will stop the program with an illegal instruction exception.
ROP – Machine level
• Stack pointer (%esp) determines which instruction sequence to fetch & execute
  o Processor doesn’t automatically increment %esp; but the “ret” at the end of each instruction sequence does
No-op equivalent
• No-op instruction does nothing but advance %eip
  o Return-oriented equivalent:
    o point to return instruction
    o advances %esp
    o Useful in nop sled
Loading Immediates
• Instructions can encode constants
• Return-oriented equivalent:
  o Store on the stack;
  o Pop into register to use
Control flow
• Ordinary programming:
  o (Conditionally) set %eip to new value
• Return-oriented equivalent:
  o (Conditionally) set %esp to new value
Multiple instruction sequence
• Sometimes more than one instruction sequence is needed
  o to encode a logical unit
• Example: load from memory into register:
  o Load address of source word into %eax
  o Load memory at (%eax) into %ebx
Conditional Jump #0
• A negative result turns the carry flag on.
• The carry flag can be used in conjunction with ADC.
Conditional Jump #1
• ADDR TO: XOR EAX, EAX ; RET
• ADDR TO: POP ECX ; RET
• DWORD 0
• ADDR TO: ADC CL, AL ; RET
• ADDR TO: ROL ECX, 1 ; RET
• ADDR TO: ROL ECX, 1 ; RET
• ADDR TO: XCHG EAX, ECX ; RET
• ADDR TO: ADD ESP, EAX ; RET
• ADDR TO: POP ESP ; RET # Go somewhere else.
• ADDR TO: EXIT
Gadget summary
• We can write complex shellcode by returning to relevant gadgets.
• All gadgets end with ret (0xc3).
• Gadgets cannot contain junk (everything must be interpretable).
• “JMP” is analogous to finding code that modifies ESP.
• We don’t have to maintain the original alignment of code (on x86).
• Example:
  o MOV EAX, 0x5DC3
  o This is interpreted into: B8 5D C3
  o However,
  o POP EBP
  o RETN
  o This is interpreted into: 5D C3
• Using rop_ptrace.py we debug the executable and are able to locate relevant gadgets.
• To have everything flow correctly, make sure we are aware of where ESP and EIP point at all times.
Infosec ROP Tools
• ./rop_ptrace.py
• ./memmap.py
• ./disas_at_va.py
./rop_ptrace.py
• ./rop_ptrace.py
  o Usage: ./rop_ptrace.py [filename] [depth] “OPCODE”
• rop_ptrace.py helps you by loading the binary into memory, which causes all linked shared objects (SOs) to be loaded. The list of libraries can also be shown with the shell command ‘ldd filename’.
• After loading the binary and waiting for the SOs to load, it searches for code chunks ending with RET and then looks back up to [depth] bytes.
• rop_ptrace.py then decodes and disassembles the chunk.
• rop_ptrace.py uses distorm3 to disassemble and the python-ptrace library to debug the executable.
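As an added example (not the recitation's rop_ptrace.py, and not the UCSD authors' code), the following scans a constructed code image the way the slide describes (locate 0xc3, look back up to [depth] bytes, counting unaligned entry offsets as in the Gadget summary) and then turns the same view around for detection: stack words that point at such a window without sitting right after a CALL are flagged as gadget-shaped. The heuristic, the byte values and the stack contents are all hypothetical; no disassembler is used.

```python
# Added example, not the recitation's rop_ptrace.py: find RET-terminated byte
# windows the way the slides describe (locate 0xc3, look back `depth` bytes)
# and reuse that view to flag stack words shaped like gadget addresses.
# Hypothetical byte-level heuristic; no disassembler (distorm3) is used.

RET = 0xC3          # x86 near return
CALL_REL32 = 0xE8   # 5-byte CALL rel32; a real return address follows one

def ret_windows(code: bytes, depth: int):
    """Yield (start, end) offsets of every window that ends in RET and is at
    most `depth` bytes long. x86 has no instruction alignment, so every
    start offset is a candidate gadget entry, not only aligned ones."""
    for end, b in enumerate(code):
        if b == RET:
            for start in range(max(0, end - depth + 1), end + 1):
                yield start, end + 1

def call_preceded(code: bytes, off: int) -> bool:
    """True if the five bytes before `off` look like CALL rel32, i.e. `off`
    is a plausible return site. Byte-level check; may misfire on data."""
    return off >= 5 and code[off - 5] == CALL_REL32

def suspicious_returns(stack, text_base: int, code: bytes, depth: int = 8):
    """Return (index, address) pairs for stack words that point into the
    code image at an offset that hits RET within `depth` bytes but is not
    call-preceded: the shape a gadget address has and a return address lacks."""
    entries = {start for start, _ in ret_windows(code, depth)}
    hits = []
    for i, word in enumerate(stack):
        off = word - text_base
        if 0 <= off < len(code) and off in entries and not call_preceded(code, off):
            hits.append((i, word))
    return hits

# Constructed code image (not from any real binary):
#   0: 55 89 e5         push ebp; mov ebp, esp
#   3: e8 00 00 00 00   call +0   (offset 8 is a legitimate return site)
#   8: c9 c3            leave; ret
#  10: b8 5d c3 00 00   mov eax, 0xc35d; read from offset 11 it is pop ebp; ret
#  15: 58 c3            pop eax; ret
CODE = bytes.fromhex("5589e5e800000000c9c3b85dc3000058c3")
TEXT_BASE = 0x08048000

# Constructed stack: one honest return address, then two gadget-shaped words
STACK = [TEXT_BASE + 8, TEXT_BASE + 11, 0x41414141, TEXT_BASE + 15]
```

Run `suspicious_returns(STACK, TEXT_BASE, CODE)`: the word after the CALL is accepted, while the unaligned `pop ebp; ret` inside the MOV and the `pop eax; ret` are reported.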
./rop_ptrace.py cont.
• [rop_ptrace.py example]
./memmap.py
• Usage: ./memmap.py [filename]
  o Prints the libraries, the memory they are mapped to, and their permissions.
• Usage: ./memmap.py [filename] [string]
  o Attempts to locate the string within the mapped memory sections.
• memmap.py uses python-ptrace
./memmap.py cont.
• [memmap.py example]
./disas_at_va.py cont.
• disas_at_va.py [filename] [va] [length]
  o Disassembles [length] bytes at virtual address [va] after loading the binary [filename] into memory.
• Uses python-ptrace and distorm3.