Lec07: Return-oriented programming
![Page 1: Lec07: Return-oriented programming](https://reader036.fdocuments.us/reader036/viewer/2022081418/62a016e6c3fb5c61d74909b5/html5/thumbnails/1.jpg)
Taesoo Kim

Scoreboard

Administrivia
• Please submit both ‘working exploit’ and write-up on time!
• Due: Lab04 is due on Oct 11
• Due: Lab05 is out and it's due on Oct 18 (two weeks)!
• NSA Codebreaker Challenge → Due: Nov 29

Best Write-ups for Lab04
• xor: gkamuzora3, burak
• stackshield: gkamuzora3, nhicks6
• weak-random: palai, stong
• gs-random: stong, riya
• terminator: seulbae, stong
• assassination: jwalsh45, nhicks6
• mini-heartbleed: stong, riya
• pltgot: nhicks6, stong
• ssp: palai, nhicks6
• fd: palai, fsang

Discussion: Lab04
• What’s the most “annoying” bug or challenge?
• What’s the most “interesting” bug or challenge?
• So, should we use canary or not?
• So, which one would you like to use?

Take-outs from Stack Canary?
• Stack Canary indirectly protects the “integrity” of RA, funcptr, etc.
  • (e.g., exploitation mitigation → NX, canary)
• We had better prevent buffer overflows in the first place
  • (e.g., code analysis, better APIs)

Subtle Design Choices for the Stack Canary
• Where to put it? (e.g., right above ra? fp? local vars?)
• Which value should I use? (e.g., secret? random? per exec? per func?)
• How to check its integrity? (e.g., xor? cmp?)
• What to do after you find it corrupted? (e.g., crash? report?)

Subtle Design Choices for the Stack Canary
• Where to put it? (e.g., right above ra? fp? local vars?)
  • gs-random, terminator
• Which value should I use? (e.g., secret? random? per exec? per func?)
  • xor, weak-random, gs-random, terminator
• How to check its integrity? (e.g., xor? cmp?)
  • xor
• What to do after you find it corrupted? (e.g., crash? report?)
  • ssp, stackshield
• Fundamental limitations → stackshield, assassination, gs-random

Discussion: xor
• How does the xor canary work?
• What happens if RA is overwritten (or leaked)?
  • RA ^ canary
  • What happens if RA is overwritten?
  • What if we make it random?

Discussion: xor

```asm
@prologue
    pop  %eax
    xor  $0x63736265,%eax
    push %eax
```

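The two discussion questions above (what an overwrite does to an xor-encoded return address, and what a leak of the encoded slot gives away) can be worked through in a small model. This is an added example, not code from the lecture or the lab: the frame is an ordinary struct, the "overflow" is an assignment, the mask is the constant from the slide's prologue, and the addresses and the per-exec "random" mask are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mask used by the slide's prologue: pop %eax; xor $0x63736265,%eax; push %eax */
#define XOR_MASK 0x63736265u

/* A saved return address and the address of some other function:
   constructed sample values, not taken from any real binary. */
#define LEGIT_RA   0x08048500u
#define OTHER_ADDR 0x0804a010u

struct frame {
    char buf[16];        /* a local buffer that sits below the return address */
    uint32_t saved_ra;   /* holds RA ^ mask while the function is running */
};

/* Prologue: store RA ^ mask instead of RA (the xor $mask,%eax step). */
static uint32_t prologue(uint32_t ra, uint32_t mask) { return ra ^ mask; }

/* Epilogue: xor the slot back before `ret`. Whatever sits in the slot is
   decoded unconditionally: the scheme hides the address but never checks it. */
static uint32_t epilogue(uint32_t slot, uint32_t mask) { return slot ^ mask; }

/* Run one call in the model. `written` is the value an overflow leaves in the
   return-address slot between prologue and epilogue (pass the untouched encoded
   value to model a clean run). Returns the address `ret` would transfer to. */
uint32_t simulate_call(uint32_t ra, uint32_t mask, uint32_t written) {
    struct frame f;
    f.saved_ra = prologue(ra, mask);
    f.saved_ra = written;           /* effect of the overflow, done as an assignment */
    return epilogue(f.saved_ra, mask);
}

/* The clean case: nothing touches the slot, so `ret` goes back to `ra`. */
uint32_t clean_return(uint32_t ra, uint32_t mask) {
    return simulate_call(ra, mask, prologue(ra, mask));
}

/* An overwrite that assumes the mask is `assumed_mask` while the process really
   uses `actual_mask`. It lands on `target` exactly when the assumption is right,
   which is why a constant mask (visible in the binary) adds nothing, and a
   per-exec random mask holds only as long as it stays secret. */
bool overwrite_lands_on_target(uint32_t target, uint32_t assumed_mask, uint32_t actual_mask) {
    return simulate_call(LEGIT_RA, actual_mask, target ^ assumed_mask) == target;
}

/* The "leaked" case from the slide: one encoded slot plus knowledge of the
   address it held is enough to recover the mask, since (RA ^ m) ^ RA == m. */
uint32_t mask_from_leak(uint32_t leaked_slot, uint32_t known_ra) {
    return leaked_slot ^ known_ra;
}

int main(void) {
    uint32_t random_mask = 0x9e3779b9u;  /* stands in for a per-exec random mask (constructed) */
    printf("clean return:                      0x%08x\n", clean_return(LEGIT_RA, XOR_MASK));
    printf("raw overwrite, constant mask:      0x%08x (garbled)\n",
           simulate_call(LEGIT_RA, XOR_MASK, OTHER_ADDR));
    printf("pre-masked overwrite, const mask:  %s\n",
           overwrite_lands_on_target(OTHER_ADDR, XOR_MASK, XOR_MASK) ? "lands" : "misses");
    printf("pre-masked overwrite, random mask: %s\n",
           overwrite_lands_on_target(OTHER_ADDR, XOR_MASK, random_mask) ? "lands" : "misses");
    printf("mask recovered from a leaked slot: 0x%08x\n",
           mask_from_leak(LEGIT_RA ^ random_mask, LEGIT_RA));
    return 0;
}
```

The model makes the two answers concrete: a raw overwrite under a constant mask only garbles the destination, a constant mask is undone by anyone who can read it from the binary, and a random mask is exactly as strong as its secrecy, because the epilogue decodes the slot without ever checking it.
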
Discussion: stackshield (safestack)
• How does stackshield work? (can you overwrite ra/fp?)
• Compared to xor, what’s better?
• Then, could you control its control flow?

Discussion: weak-random
• How is weak-random implemented?
• How did you exploit it?
• What if we use a perfect random value (e.g., /dev/random)?

Discussion: gs-random
• Near perfect (Microsoft CL):
  • strong randomness: /dev/random
  • protect fp/ra

Discussion: gs-random

```c
void echo(char *msg) {
    char buf[80];
    strcpy(buf, msg);
    capitalize(buf);
    strcpy(msg, buf);
    ...
}
```

Discussion: gs-random (arbitrary overwrite)

Discussion: gs-random

Discussion: terminator
• Why is the terminator canary special?
  • 0x0d000aff: NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff)

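Why those four bytes matter can be shown with a simulated frame. This is an added example, not code from the lecture or the lab: the frame is a flat byte array holding a 16-byte buffer, the 4-byte canary and a 4-byte saved return address (layout, return address and the "plain" canary 0x41424344 are constructed; 0x0d000aff is the slide's value), and the copy routine reproduces strcpy semantics without ever writing outside the array. Little-endian byte order is assumed, so 0x0d000aff sits in memory as ff 0a 00 0d.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame layout (constructed): 16-byte buffer, 4-byte canary,
   4-byte saved return address, as one flat little-endian byte array. */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RA_OFF     (BUF_SIZE + 4)
#define FRAME_SIZE (RA_OFF + 4)

#define TERMINATOR_CANARY 0x0d000affu  /* in memory: ff 0a 00 0d (slide's value) */
#define PLAIN_CANARY      0x41424344u  /* "DCBA" in memory: no terminator byte (constructed) */
#define SAVED_RA          0x08048500u  /* constructed */

struct outcome {
    bool canary_intact;  /* would the epilogue check pass? */
    bool ra_changed;     /* did the copy reach the saved return address? */
};

static void store_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t load_le32(const uint8_t *p) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* strcpy semantics: copy bytes up to and including the first NUL, with no
   length bound. The only limit is the end of the simulated frame, so the
   simulation itself never writes out of bounds. */
static void sim_strcpy(uint8_t *frame, const char *src) {
    for (size_t i = 0; i < FRAME_SIZE; i++) {
        frame[i] = (uint8_t)src[i];
        if (src[i] == '\0') break;
    }
}

/* Build a frame with the given canary, run a strcpy-style copy of `src` into
   its buffer, and report what the epilogue would see. */
struct outcome copy_into_frame(uint32_t canary, const char *src) {
    uint8_t frame[FRAME_SIZE] = {0};
    store_le32(frame + CANARY_OFF, canary);
    store_le32(frame + RA_OFF, SAVED_RA);
    sim_strcpy(frame, src);
    struct outcome o;
    o.canary_intact = load_le32(frame + CANARY_OFF) == canary;
    o.ra_changed    = load_le32(frame + RA_OFF) != SAVED_RA;
    return o;
}

/* Index (memory order, 0..3) of the first canary byte equal to `stop`, or 4 if
   none. A copy routine that terminates on `stop` (strcpy on 0x00, gets on 0x0a,
   and so on) cannot write anything past that byte, so the saved RA above it is
   out of reach for that routine. */
int first_stop_byte(uint32_t canary, uint8_t stop) {
    uint8_t b[4];
    store_le32(b, canary);
    for (int i = 0; i < 4; i++) if (b[i] == stop) return i;
    return 4;
}

int main(void) {
    /* Constructed inputs: 16 bytes fill the buffer, the rest runs into the canary.
       Like any strcpy source, a C string ends at its first NUL, so everything
       after the \x00 in `replay` is never copied. */
    const char *replay = "AAAAAAAAAAAAAAAA\xff\x0a\x00\x0d\x10\xa0\x04\x08";
    const char *plain  = "AAAAAAAAAAAAAAAADCBA\x10\xa0\x04\x08";
    struct outcome t = copy_into_frame(TERMINATOR_CANARY, replay);
    struct outcome p = copy_into_frame(PLAIN_CANARY, plain);
    struct outcome s = copy_into_frame(TERMINATOR_CANARY, "AAAAAAAAAAAAAAAAB");
    printf("terminator, byte-for-byte replay: intact=%d ra_changed=%d\n", t.canary_intact, t.ra_changed);
    printf("plain canary, same idea:          intact=%d ra_changed=%d\n", p.canary_intact, p.ra_changed);
    printf("terminator, one byte too many:    intact=%d ra_changed=%d\n", s.canary_intact, s.ra_changed);
    printf("first NUL byte of 0x%08x is at index %d\n", TERMINATOR_CANARY,
           first_stop_byte(TERMINATOR_CANARY, 0x00));
    return 0;
}
```

With the terminator value, a strcpy-style copy can reproduce at most the first two canary bytes before its own NUL lands on the third, so the canary survives only when the saved return address is left alone; a canary made of ordinary printable bytes gives the copy nothing to stop on. The `first_stop_byte` helper generalises the slide's list: each of 0x00, 0x0a, 0x0d and 0xff occupies one of the four byte positions, so each string routine in that family is stopped somewhere inside the canary.
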
Discussion: terminator
• What’s the vulnerability?

Discussion: terminator (off-by-one)

Discussion: terminator
• How to prevent this vulnerability?

Discussion: assassination
• Near perfect (GCC)
  • random canary
  • protect fp, ra
• What’s the bug?
• How to prevent?

Discussion: mini-heartbleed

Discussion: ssp
• What happens if you cause a crash?

Discussion: pltgot
• What was the vulnerability?
• Where to overwrite?
• How to prevent?

Discussion: fd
• Overwriting ‘struct FILE’

```c
@libio.h
struct _IO_FILE {
    int _flags;
    ...
    struct _IO_wide_data {
        ...
        const struct _IO_jump_t *_wide_vtable;
    }
}
```

Discussion: fd
• Why is a vtable needed?

Discussion: fd
• _IO_wfile_jumps (default)
• _IO_wfile_jumps_mmap
• ...

fclose(fp)?
  - _IO_file_close(): close()
  - _IO_file_close_mmap(): munmap() & close()

Discussion: fd
• How to prevent this vulnerability?

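One answer to the prevention question is the vtable validation glibc added to stdio (from 2.24): every legitimate `_IO_jump_t` table is placed in one dedicated section, and before any call through `fp->vtable` the pointer is checked to fall inside that section, otherwise the process aborts. The model below is an added example, not glibc's code or the lab's: the structs are cut down to one slot, the "section" is a plain array, and a refused dispatch returns -1 instead of aborting. The table names in the comments refer to the slide's `_IO_wfile_jumps`, `_IO_wfile_jumps_mmap`, `_IO_file_close()` and `_IO_file_close_mmap()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct sim_file;

/* Stands in for struct _IO_jump_t: one entry is enough for the demonstration. */
struct sim_jump_t {
    int (*close)(struct sim_file *fp);
};

/* Stands in for struct _IO_FILE: only the fields the model needs. */
struct sim_file {
    int fd;
    const struct sim_jump_t *vtable;
};

static int sim_file_close(struct sim_file *fp)      { fp->fd = -1; return 0; } /* _IO_file_close(): close() */
static int sim_file_close_mmap(struct sim_file *fp) { fp->fd = -1; return 0; } /* _IO_file_close_mmap(): munmap() & close() */

/* Every legitimate vtable lives in this one array, the way glibc groups its
   tables into a dedicated section (__libc_IO_vtables) so that a range check
   can tell them apart from anything else in memory. */
static const struct sim_jump_t io_vtables[] = {
    { sim_file_close },       /* default table, _IO_wfile_jumps in the slide's terms */
    { sim_file_close_mmap },  /* mmap-backed table, _IO_wfile_jumps_mmap */
};
#define N_VTABLES (sizeof io_vtables / sizeof io_vtables[0])

/* The check performed before dispatching through fp->vtable, modelled here:
   the pointer must fall inside the vtable section. Arithmetic is done on
   uintptr_t so that a pointer from anywhere can be compared to the section;
   a pointer below the section wraps to a huge offset and is rejected too. */
bool vtable_is_valid(const struct sim_jump_t *vt) {
    uintptr_t start = (uintptr_t)io_vtables;
    uintptr_t len   = (uintptr_t)(io_vtables + N_VTABLES) - start;
    uintptr_t off   = (uintptr_t)vt - start;
    return off < len;
}

/* fclose(fp) as the slide describes it: dispatch via the vtable, but only after
   validating the pointer. A table outside the section is refused (-1) and fp is
   left untouched; real glibc aborts the process at this point. */
int sim_fclose(struct sim_file *fp) {
    if (!vtable_is_valid(fp->vtable))
        return -1;
    return fp->vtable->close(fp);
}

int main(void) {
    struct sim_file good = { 3, &io_vtables[0] };
    int rc = sim_fclose(&good);
    printf("default vtable: fclose -> %d, fd now %d\n", rc, good.fd);

    /* A table that looks plausible but lives outside the section, which is what
       an overwritten _wide_vtable pointer would point at. */
    struct sim_jump_t forged = { sim_file_close };
    struct sim_file bad = { 4, &forged };
    rc = sim_fclose(&bad);
    printf("forged vtable:  fclose -> %d, fd now %d\n", rc, bad.fd);
    return 0;
}
```

The check does not care what the forged table contains, only where it is: a corrupted `_wide_vtable` pointer has to land inside the section of real tables to pass, which takes away the freedom that an arbitrary overwrite of the FILE struct used to give.
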
Today’s Tutorial
• In-class tutorial:
  • Ret-to-libc
  • Code pointer leakage / gadget finding
  • First ROP!

Reminder: crackme0x00

```c
void start() {
    printf("IOLI Crackme Level 0x00\n");
    printf("Password:");

    char buf[32];
    memset(buf, 0, sizeof(buf));
    read(0, buf, 256);

    if (!strcmp(buf, "250382"))
        printf("Password OK :)\n");
    else
        printf("Invalid Password!\n");
}
```

Reminder: crackme0x00

```
$ checksec ./target
[*] '/home/lab/tut-rop/target'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
```

Reminder: crackme0x00

```c
int main(int argc, char *argv[]) {
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IONBF, 0);

    void *self = dlopen(NULL, RTLD_NOW);
    printf("stack   : %p\n", &argc);
    printf("system(): %p\n", dlsym(self, "system"));
    printf("printf(): %p\n", dlsym(self, "printf"));

    start();

    return 0;
}
```

Ret-to-libc: printf

```
[buf  ]
[.....]
[ra   ] -> printf
[dummy]
[arg1 ] -> "Password OK :)"
```

Ret-to-libc: system

```
[buf  ]
[.....]
[ra   ] -> system
[dummy]
[arg1 ] -> "/bin/sh"
```

Chaining Two Function Calls

```c
printf("Password OK:)")
system("/bin/sh")
```

Chaining Two Function Calls

```
[buf     ]
[.....   ]
[old-ra  ] -> 1) printf
[ra      ] -------------------> 2) system
[old-arg1] -> 1) "Password OK :)"
[arg1    ] -> "/bin/sh"
```

Chaining N Function Calls

```
[buf     ]
[.....   ]
[old-ra  ] -> 1) printf
[ra      ] -------------------> pop/ret gadget
[old-arg1] -> 1) "Password OK :)"
[ra      ] -> 2) system
[ra      ] -------------------> pop/ret gadget
[arg1    ] -> "/bin/sh"
[ra      ] ...
```

Tutorial Goal: Chaining Three Calls

```c
open("/proc/flag", O_RDONLY)
read(3, tmp, 1024)
write(1, tmp, 1024)
```

In-class Tutorial
• Step 1: Ret-to-libc
• Step 2: Understanding module base
• Step 3: First ROP

```
$ ssh [email protected] -p 9006
Password: lab06
$ cd tut-rop
$ cat README
```