![ROP
• Gadget
• read/write register/memory
• pop rax;pop rcx ; ret
• mov [rax],rcx ; ret
• system call
• syscall
• change rsp
• pop rsp ; ret
• leave ; ret](https://image.slidesharecdn.com/rop-180421171602/85/Linux-Binary-Exploitation-Return-oritend-Programing-12-320.jpg)
![ROP
• Write to Memory
• mov [reg],reg
• mov [reg+xx], reg
• …](https://image.slidesharecdn.com/rop-180421171602/85/Linux-Binary-Exploitation-Return-oritend-Programing-19-320.jpg)
![ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0 0
rax rbx
0x602080
0
0x602080
retoverflow](https://image.slidesharecdn.com/rop-180421171602/85/Linux-Binary-Exploitation-Return-oritend-Programing-20-320.jpg)
![ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0 0
rax rbx
0x602080
0
0x602080
retoverflow](https://image.slidesharecdn.com/rop-180421171602/85/Linux-Binary-Exploitation-Return-oritend-Programing-21-320.jpg)
![ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0x602080 0
rax rbx
0x602080
0
0x602080
retoverflow](https://image.slidesharecdn.com/rop-180421171602/85/Linux-Binary-Exploitation-Return-oritend-Programing-22-320.jpg)
![ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0x602080 0xdeadbeef
rax rbx
0x602080
0
0x602080
retoverflow](https://image.slidesharecdn.com/rop-180421171602/85/Linux-Binary-Exploitation-Return-oritend-Programing-23-320.jpg)
![ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0x602080 0xdeadbeef
rax rbx
0x602080
0
0x602080
retoverflow](https://image.slidesharecdn.com/rop-180421171602/85/Linux-Binary-Exploitation-Return-oritend-Programing-24-320.jpg)
![ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0x602080 0xdeadbeef
rax rbx
0x602080
0xdeadbeef
0x602080
retoverflow](https://image.slidesharecdn.com/rop-180421171602/85/Linux-Binary-Exploitation-Return-oritend-Programing-25-320.jpg)
Linux Binary Exploitation - Return-oritend Programing
- 1. Linux Binary Exploitation Return-oriented Programing [email protected]
- 2. Outline • ROP • Using ROP bypass ASLR • Stack migration
- 3. Outline • ROP • Using ROP bypass ASLR • Stack migration
- 4. ROP • 透過 ret 去執⾏行行其他包含 ret 的程式碼片段 • 這些片段⼜又稱為 gadget
- 5. ROP • Why do we need ROP ? • Bypass DEP • Static linking can do more thing
- 6. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2
- 7. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2
- 8. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2
- 9. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2
- 10. ROP • ROP chain • 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制,我們可以藉由 ret = pop rip 指令,持續的控制 rip gadget2 1 gadget1 high low rsp retoverflow pop rax ret syscall gadget1 gadget2 exit
- 11. ROP • ROP chain • 由眾多的 ROP gadget 組成 • 藉由不同的 register 及記憶體操作,呼叫 system call 達成任意代碼執⾏行行 • 基本上就是利利⽤用 ROP gadget 來來串串出我們之前寫的 shellcode 的效果
- 12. ROP • Gadget • read/write register/memory • pop rax;pop rcx ; ret • mov [rax],rcx ; ret • system call • syscall • change rsp • pop rsp ; ret • leave ; ret
- 13. ROP • Write to Register • pop reg ; ret • mov reg, reg ; ret • …
- 14. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsp pop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0 0 retoverflow rax rbx
- 15. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsp pop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0 0 retoverflow rax rbx
- 16. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsppop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0xdead 0 retoverflow rax rbx
- 17. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsp pop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0xdead 0 retoverflow rax rbx
- 18. ROP • Write to Register • let rax = 0xdead rbx = 0xbeef 0x401041 0xdead 0x4010fb high low rsp pop rax ret 0x401041 0xbeef pop rbx ret 0x4010fb 0xdead 0xbeef retoverflow rax rbx
- 19. ROP • Write to Memory • mov [reg],reg • mov [reg+xx], reg • …
- 20. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0 0 rax rbx 0x602080 0 0x602080 retoverflow
- 21. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0 0 rax rbx 0x602080 0 0x602080 retoverflow
- 22. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0x602080 0 rax rbx 0x602080 0 0x602080 retoverflow
- 23. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0x602080 0xdeadbeef rax rbx 0x602080 0 0x602080 retoverflow
- 24. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0x602080 0xdeadbeef rax rbx 0x602080 0 0x602080 retoverflow
- 25. ROP • Write to Memory • let *0x602080 = 0xdeadbeef 0x40108a 0xdeadbeef 0x4010d1 high low rsp pop rax pop rbx ret 0x40108a 0xbeef mov [rax],rbx ret 0x4010d1 0x602080 0xdeadbeef rax rbx 0x602080 0xdeadbeef 0x602080 retoverflow
- 26. ROP • execve(“/bin/sh”,NULL,NULL) • write to memory • 將 “/bin/sh” 寫入已知位置記憶體中 • 可分多次將所需字串串寫入記憶體中 /bin/das 0x602080 0x602088 hx00x00x00…
- 27. ROP • execve(“/bin/sh”,NULL,NULL) • write to register • rax = 0x3b , rdi = address of “/bin/sh” • rsi = 0 , rdx = 0 • syscall
- 28. ROP • find gadget • https://github.com/JonathanSalwan/ROPgadget
- 29. ROP • find gadget • ROPgadget - - binary binary • ROPgadget - - ropchain - - binary binary • 在 Static linking 通常可以組成功 execve 的 rop chain 但通常都很長, 需要⾃自⼰己找更更短的 gadget 來來改短⼀一點
- 30. Outline • ROP • Using ROP bypass ASLR • Stack migration
- 31. Using ROP bypass ASLR • 假設 dynamic 編譯的程式中有 Buffer Overflow 的漏洞洞且在沒 PIE 情況下 ( 先不考慮 StackGuard 的情況) • How to bypass ASLR and DEP ? • Use .plt section to leak some information • ret2plt • 通常⼀一般的程式中都會有 put 、 send 、write 等 output function !31
- 32. Using ROP bypass ASLR ret code stack high low rsp !32 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… 0 rdi 0 rsi 0 rdx
- 33. Using ROP bypass ASLR ret pop rdi ret code stack high low rsp !33 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… 0 rdi 0 rsi 0 rdx
- 34. Using ROP bypass ASLR ret pop rdi ret code stack high low rsp !34 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
- 35. Using ROP bypass ASLR ret pop rdi ret put@plt code stack high low rsp !35 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
- 36. Using ROP bypass ASLR ret pop rdi ret jmp *(put@GOT) code stack high low rsp !36 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
- 37. Using ROP bypass ASLR ret pop rdi ret jmp put(put@GOT) code stack high low rsp !37 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
- 38. Using ROP bypass ASLR ret pop rdi ret jmp put(put@GOT) code stack high low rsp !38 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx Information leak
- 39. Using ROP bypass ASLR ret pop rdi ret jmp put(put@GOT) ret code stack high low rsp !39 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
- 40. Using ROP bypass ASLR ret pop rdi ret jmp put(put@GOT) ret pop rdi ret code stack high low rsp !40 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… put@GOT rdi 0 rsi 0 rdx
- 41. Using ROP bypass ASLR ret pop rdi ret jmp put(put@GOT) ret pop rdi ret code stack high low rsp !41 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… 0 rdi 0 rsi 0 rdx
- 42. Using ROP bypass ASLR ret pop rdi ret jmp put(put@GOT) ret pop rdi ret pop rsi ret code stack high low rsp !42 put@plt pop rdi put@GOT pop rdi 0 pop rsi puts@GOT …… 0 rdi 0 rsi 0 rdx
- 43. Using ROP bypass ASLR ret pop rdi ret jmp put(put@GOT) ret pop rdi ret pop rsi ret code stack high low rsp !43 puts@GOT 0 rdi puts@GOT rsi 0 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8
- 44. Using ROP bypass ASLR ret pop rdx ret code stack high low rsp !44 puts@GOT 0 rdi puts@GOT rsi 0 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8
- 45. Using ROP bypass ASLR ret pop rdx ret code stack high low rsp !45 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8
- 46. Using ROP bypass ASLR ret pop rdx ret jmp read@plt code stack high low rsp !46 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8
- 47. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) code stack high low !47 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
- 48. rsp Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) code stack high low rsp !48 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 GOT Hijacking puts -> system
- 49. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret code stack high low !49 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
- 50. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret code stack high low !50 puts@GOT 0 rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
- 51. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret code stack high low !51 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
- 52. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret jmp puts@plt code stack high low !52 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
- 53. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret jmp *(puts@GOT) code stack high low !53 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
- 54. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret jmp system(“/bin/sh”) code stack high low !54 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp
- 55. Using ROP bypass ASLR ret pop rdx ret jmp read(0,put@GOT,8) ret pop rdi ret jmp system(“/bin/sh”) code stack high low !55 puts@GOT &/bin/sh rdi puts@GOT rsi 8 rdx pop rdx read@plt pop rdi Address of /bin/sh puts@plt 0x8 rsp GET SHELL
- 56. Using ROP bypass ASLR !56 • Bypass PIE • 必須比平常多 leak ⼀一個 code 段的位置,藉由這個值算出 code base 進 ⽽而推出所有 GOT 等資訊 • 有了了 code base 之後其他就跟沒有 PIE 的情況下⼀一樣
- 57. Using ROP bypass ASLR !57 • Bypass StackGuard • canary 只有在 function return 時做檢查 • 只檢查 canary 值時否⼀一樣 • 所以可以先想辦法 leak 出 canary 的值,塞⼀一模⼀一樣的內容就可 bypass,或是想辦法不要改到 canary 也可以
- 58. Using ROP bypass ASLR !58 • Weakness in fork • canary and memory mappings are same as parent.
- 59. Outline • ROP • Using ROP bypass ASLR • Stack migration
- 60. Stack Migration • 將 ROP Chain 寫在已知固定位置上 • 再利利⽤用 leave 搬移 Stack 位置到已知位置 • 可無限接 ROP Chain • 必須注意到 Migration 之後 stack 要留留⼤大⼀一點,有些 function 可能會需要很 ⼤大的 stack frame ,太⼩小可能會存取到唯獨區域,導致 Segmentation Fault !60
- 61. Stack Migration !61 return address rbp rbp/rsp push rbp mov rbp,rsp … leave ret high low
- 62. Stack Migration !62 buf1 rbp push rbp mov rbp,rsp … leave ret aaaa aaaa rsp gets() buf1 high low buf1 leave_ret pop rdi
- 63. Stack Migration !63 buf1 push rbp mov rbp,rsp … leave ret aaaa aaaa rsp gets() buf1 buf1 leave_ret leave = mov rsp,rbp ; pop rbp rbp pop rdi high low
- 64. Stack Migration !64 buf1 rbp/rsp push rbp mov rbp,rsp … leave ret aaaa aaaa gets() buf1 buf1 leave_ret leave = mov rsp,rbp ; pop rbp pop rdi high low
- 65. Stack Migration !65 buf1 rsp push rbp mov rbp,rsp … leave ret aaaa aaaa gets() buf1 buf1 leave_ret rbp pop rdi high low
- 66. Stack Migration !66 buf1 rsp push rbp mov rbp,rsp … leave ret pop rdi ret aaaa aaaa gets() buf1 buf1 leave_ret pop rdi rdi 0 high low rbp
- 67. Stack Migration !67 buf1 rsppush rbp mov rbp,rsp … leave ret pop rdi ret aaaa aaaa gets() buf1 buf1 leave_ret pop rdi rdi buf1 high low rbp
- 68. Stack Migration !68 buf1 rsp push rbp mov rbp,rsp … leave ret pop rdi ret gets(buf1) aaaa aaaa gets() buf1 buf1 leave_ret pop rdi rdi buf1 high low rbp
- 69. Stack Migration !69 buf1 rsp push rbp mov rbp,rsp … leave ret pop rdi ret gets(buf1) ret aaaa aaaa gets() buf1 buf1 leave_ret rbp pop rdi rdi buf1 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret
- 70. Stack Migration !70 buf1 rsp leave ret aaaa aaaa gets() buf1 buf1 leave_ret pop rdi rdi buf1 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret leave = mov rsp,rbp ; pop rbp rbp
- 71. Stack Migration !71 leave ret buf1 rdi buf1 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
- 72. Stack Migration !72 pop rdi ret buf1 rdi buf1 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
- 73. Stack Migration !73 pop rdi ret buf1 rdi puts@GOT buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp buf2 rsp
- 74. Stack Migration !74 pop rdi ret puts(puts@GOT) ret buf1 rdi puts@GOT buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2 Information leakage
- 75. Stack Migration !75 pop rdi ret puts(puts@GOT) ret buf1 rdi puts@GOT buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
- 76. Stack Migration !76 pop rdi ret buf1 rdi puts@GOT buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
- 77. Stack Migration !77 pop rdi ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rsp rbp buf2
- 78. Stack Migration !78 pop rdi ret gets(buf2) ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_retrsp rbp buf2
- 79. Stack Migration !79 pop rdi ret gets(buf2) ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_retrsp rbp buf2 buf1 pop rdi &/bin/sh /bin/sh system
- 80. Stack Migration !80 pop rdi ret gets(buf2) ret leave ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_retrsp rbp buf2 buf1 pop rdi &/bin/sh /bin/sh system leave = mov rsp,rbp ; pop rbp
- 81. Stack Migration !81 pop rdi ret gets(buf2) ret leave ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp rsp buf2 buf1 pop rdi &/bin/sh /bin/sh system
- 82. Stack Migration !82 pop rdi ret buf1 rdi buf2 buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp rsp buf2 buf1 pop rdi &/bin/sh /bin/sh system
- 83. Stack Migration !83 pop rdi ret buf1 rdi &/bin/sh buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp rsp buf2 buf1 pop rdi &/bin/sh /bin/sh system
- 84. Stack Migration !84 pop rdi ret system(“/bin/sh”) buf1 rdi &/bin/sh buf2 pop rdi puts@GOT puts() pop rdi buf2 gets() high low leave_ret rbp rsp buf2 buf1 pop rdi &/bin/sh /bin/sh system GET SHELL
- 85. Stack Migration • 若若能妥善利利⽤用,在沒有 libc 的情況下,有機會將整個 libc 給 dump 出來來, 更更有機會直接找出 system 的位置 • 無限 ROP ,幾乎可以做出所有事情,但唯⼀一要注意的是 buf ⼤大⼩小要控制 好,盡量量選 bss 後半段位置,否則可能因為 stack 不夠⼤大⽽而 segfault !85
- 86. Stack Migration • Other migration gadget • add rsp,0xNN ; ret • sub rsp,0xNN ; ret • ret 0xNN • xchg rsp,exx ; ret • partial overwrite rbp !86
- 87. Stack Migration !87 ret add rsp,0x30 ret you can’t control gadget rsp rop chain high low
- 88. Stack Migration !88 ret add rsp,0x30 ret you can’t control gadget rop chain high low rsp
- 89. Stack Migration !89 ret add rsp,0x30 ret you can’t control gadget rop chain high low rsp
- 91. Q & A