SlideShare une entreprise Scribd logo

Modern Exploit Techniques: Return Oriented Programming

A
Alexandre Moneger

Buffer overflow exploitation without operating system protections is a well understood subject. But how does one achieve the same results with all protections enabled (N/X, ASLR, …). Hint: re-use what the vulnerable binary offers you.

Ingénierie
1  sur  15
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 “Mind the Gap” Security Briefings + Training May 6th-8th, 2014 Alex Moneger, Security Engineer ROP ‘n’ ROLL, a peak into modern exploits May 2014
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 1. Why BoF exploitation doesn’t work anymore 2. OS defenses 3. Return Oriented Programming concepts 4. Attack flow 5. Mitigations
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 • Short buffer, long string • Overflow into the stack management zones • Take control of execution flow • Return into buffer and execute shellcode NOP sled Shellcode SC Add ress
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 • Reliably know the buffer’s address • Be able to execute code in a data section • Needs to overwrite return address
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 • ASLR => buffer address is non-predictable • NX => Can’t execute shellcode on the stack • Other compiler level protections I wont mention • Attacker objective => Bypass ASLR and NX: Find a spot which uses predictable addresses (bypass ASLR) Build in memory payload (bypass NX) • Hard but hard enough?
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 • Stands for Return Oriented Programming • Uses your code to get execution • Control stack pointer register instead of instruction pointer • Only way to exploit a modern OS • Used in recent exploits since a few years • No good mitigation
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 • ASLR does not randomize .text section • .text section holds the code of the binary • Use the target to execute code for us • Find asm instructions (gadgets) from target to build payload • Use multiple “stages”
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 • Looking for gadgets we can re-use • These come from the target binary itself • Examples: # Load a value in register 0x8048502L: pop ebx ; pop ebp ; ret; # Move a value from register and put it in memory 0x80484feL: add [ebx+0x5d5b04c4] eax ; ret; # Call function in 0x804c244L: call edx ; leave ; ret;
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 • Needs gadgets at predictable locations • Uses the binary itself to execute code • At first ROP does not execute anything, your code does • Turn off/change OS protections • Then execute payload
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 • Control the stack/heap (as usual) • Locate a fake stack location • Use the gadgets previously found to build our payload on the fake stack • Transfer control to the fake stack • Execute payload
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Attacker controlled memory Fake Stack Code section
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 • Position independent code (GCC => -pie -fpie): Randomizes code section (full ASLR) More expensive at runtime (all addresses are relative) • No other “real world” mitigations
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 • Modern attacks can bypass OS protections • A security bug in your code can be exploited • Catch and fix security bugs early • Again: OS protections are not a silver bullet, but they make life harder for the attacker • Make them work!
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 Thank you.

Recommandé

Down by the Docker
Down by the DockerDown by the Docker
Down by the DockerNotSoSecure Global Services
 
Custom Rules & Broken Tools
Custom Rules & Broken ToolsCustom Rules & Broken Tools
Custom Rules & Broken ToolsNotSoSecure Global Services
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for PentestersNotSoSecure Global Services
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Install dev stack
Install dev stackInstall dev stack
Install dev stackBasim Aly (JNCIP-SP, JNCIP-ENT)
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpnantitree
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 

Recommandé

Down by the Docker
Down by the DockerDown by the Docker
Down by the DockerNotSoSecure Global Services
 
Custom Rules & Broken Tools
Custom Rules & Broken ToolsCustom Rules & Broken Tools
Custom Rules & Broken ToolsNotSoSecure Global Services
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for PentestersNotSoSecure Global Services
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Install dev stack
Install dev stackInstall dev stack
Install dev stackBasim Aly (JNCIP-SP, JNCIP-ENT)
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpnantitree
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Cloud Native Day Tel Aviv
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network AnalysisJoel W. King
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 SecuritySkeeve Stevens
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Presentation hybrid cloud
Presentation hybrid cloudPresentation hybrid cloud
Presentation hybrid cloudKaran Chhabra
 
Being Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterBeing Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterOPNFV
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundaryPatrick Fussell
 
Container Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyContainer Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyFaheem Memon
 
BEST REST in OpenStack
BEST REST in OpenStackBEST REST in OpenStack
BEST REST in OpenStackVikram G Hosakote
 
Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HashiCorp User Group
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpadantitree
 
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月VirtualTech Japan Inc.
 
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...OPNFV
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Cloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationCloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationVikram G Hosakote
 
Moving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecMoving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecOpenStack
 
OpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsOpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsKota Tsuyuzaki
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security MmanagementSuresh Thivanka Rupasinghe
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 

Contenu connexe

Tendances

Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Cloud Native Day Tel Aviv
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network AnalysisJoel W. King
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Presentation hybrid cloud
Presentation hybrid cloudPresentation hybrid cloud
Presentation hybrid cloudKaran Chhabra
 
Being Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterBeing Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterOPNFV
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundaryPatrick Fussell
 
Container Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyContainer Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyFaheem Memon
 
Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpadantitree
 
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月VirtualTech Japan Inc.
 
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...OPNFV
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Cloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationCloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationVikram G Hosakote
 
Moving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecMoving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecOpenStack
 
OpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsOpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsKota Tsuyuzaki
 

Tendances (20)

Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secrets
 
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network Analysis
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Presentation hybrid cloud
Presentation hybrid cloudPresentation hybrid cloud
Presentation hybrid cloud
 
Being Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterBeing Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from Master
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundary
 
Container Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyContainer Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with Trivy
 
BEST REST in OpenStack
BEST REST in OpenStackBEST REST in OpenStack
BEST REST in OpenStack
 
Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vault
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpad
 
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
 
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Cloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationCloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test Automation
 
Moving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecMoving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTec
 
OpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsOpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorlets
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security Mmanagement
 

Similaire à Modern Exploit Techniques: Return Oriented Programming

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Considerations for Operating An OpenStack Cloud
Considerations for Operating An OpenStack CloudConsiderations for Operating An OpenStack Cloud
Considerations for Operating An OpenStack CloudMark Voelker
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Anne Nicolas
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldKernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldAnne Nicolas
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
Mysql performance tuning
Mysql performance tuningMysql performance tuning
Mysql performance tuningPhilip Zhong
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011Scott Carlson
 
Considerations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudConsiderations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudAll Things Open
 

Similaire à Modern Exploit Techniques: Return Oriented Programming (20)

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Considerations for Operating An OpenStack Cloud
Considerations for Operating An OpenStack CloudConsiderations for Operating An OpenStack Cloud
Considerations for Operating An OpenStack Cloud
 
Directors scrum review
Directors scrum reviewDirectors scrum review
Directors scrum review
 
OpenDataPlane Project
OpenDataPlane ProjectOpenDataPlane Project
OpenDataPlane Project
 
MySQL NoSQL APIs
MySQL NoSQL APIsMySQL NoSQL APIs
MySQL NoSQL APIs
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldKernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
 
Managers monthly review
Managers monthly reviewManagers monthly review
Managers monthly review
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
Mysql performance tuning
Mysql performance tuningMysql performance tuning
Mysql performance tuning
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
 
Considerations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudConsiderations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack Cloud
 

Plus de Alexandre Moneger

Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceAlexandre Moneger
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacksAlexandre Moneger
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old daysAlexandre Moneger
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 

Plus de Alexandre Moneger (9)

Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacks
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friend
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 

Dernier

Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Sumanth A
 
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Erbil Polytechnic University
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...Erbil Polytechnic University
 
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTFUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTSneha Padhiar
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsResearcher Researcher
 
Ch10-Global Supply Chain - Cadena de Suministro.pdf
Ch10-Global Supply Chain - Cadena de Suministro.pdfCh10-Global Supply Chain - Cadena de Suministro.pdf
Ch10-Global Supply Chain - Cadena de Suministro.pdfChristianCDAM
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Coursebim.edu.pl
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmDeepika Walanjkar
 
Engineering Drawing section of solid
Engineering Drawing section of solidEngineering Drawing section of solid
Engineering Drawing section of solidnamansinghjarodiya
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfDrew Moseley
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Romil Mishra
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxRomil Mishra
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHSneha Padhiar
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewsandhya757531
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionSneha Padhiar
 
Research Methodology for Engineering pdf
Research Methodology for Engineering pdfResearch Methodology for Engineering pdf
Research Methodology for Engineering pdfCaalaaAbdulkerim
 
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfComprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfalene1
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfisabel213075
 
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.elesangwon
 

Dernier (20)

Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
 
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
Comparative study of High-rise Building Using ETABS,SAP200 and SAFE., SAFE an...
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...
 
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTFUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
FUNCTIONAL AND NON FUNCTIONAL REQUIREMENT
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending Actuators
 
Ch10-Global Supply Chain - Cadena de Suministro.pdf
Ch10-Global Supply Chain - Cadena de Suministro.pdfCh10-Global Supply Chain - Cadena de Suministro.pdf
Ch10-Global Supply Chain - Cadena de Suministro.pdf
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Course
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
 
Engineering Drawing section of solid
Engineering Drawing section of solidEngineering Drawing section of solid
Engineering Drawing section of solid
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptx
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overview
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based question
 
Research Methodology for Engineering pdf
Research Methodology for Engineering pdfResearch Methodology for Engineering pdf
Research Methodology for Engineering pdf
 
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfComprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdf
 
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.
 

Modern Exploit Techniques: Return Oriented Programming

  • 1. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 “Mind the Gap” Security Briefings + Training May 6th-8th, 2014 Alex Moneger, Security Engineer ROP ‘n’ ROLL, a peak into modern exploits May 2014
  • 2. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 1. Why BoF exploitation doesn’t work anymore 2. OS defenses 3. Return Oriented Programming concepts 4. Attack flow 5. Mitigations
  • 3. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
  • 4. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 • Short buffer, long string • Overflow into the stack management zones • Take control of execution flow • Return into buffer and execute shellcode NOP sled Shellcode SC Add ress
  • 5. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 • Reliably know the buffer’s address • Be able to execute code in a data section • Needs to overwrite return address
  • 6. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 • ASLR => buffer address is non-predictable • NX => Can’t execute shellcode on the stack • Other compiler level protections I wont mention • Attacker objective => Bypass ASLR and NX: Find a spot which uses predictable addresses (bypass ASLR) Build in memory payload (bypass NX) • Hard but hard enough?
  • 7. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 • Stands for Return Oriented Programming • Uses your code to get execution • Control stack pointer register instead of instruction pointer • Only way to exploit a modern OS • Used in recent exploits since a few years • No good mitigation
  • 8. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 • ASLR does not randomize .text section • .text section holds the code of the binary • Use the target to execute code for us • Find asm instructions (gadgets) from target to build payload • Use multiple “stages”
  • 9. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 • Looking for gadgets we can re-use • These come from the target binary itself • Examples: # Load a value in register 0x8048502L: pop ebx ; pop ebp ; ret; # Move a value from register and put it in memory 0x80484feL: add [ebx+0x5d5b04c4] eax ; ret; # Call function in 0x804c244L: call edx ; leave ; ret;
  • 10. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 • Needs gadgets at predictable locations • Uses the binary itself to execute code • At first ROP does not execute anything, your code does • Turn off/change OS protections • Then execute payload
  • 11. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 • Control the stack/heap (as usual) • Locate a fake stack location • Use the gadgets previously found to build our payload on the fake stack • Transfer control to the fake stack • Execute payload
  • 12. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Attacker controlled memory Fake Stack Code section
  • 13. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 • Position independent code (GCC => -pie -fpie): Randomizes code section (full ASLR) More expensive at runtime (all addresses are relative) • No other “real world” mitigations
  • 14. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 • Modern attacks can bypass OS protections • A security bug in your code can be exploited • Catch and fix security bugs early • Again: OS protections are not a silver bullet, but they make life harder for the attacker • Make them work!
  • 15. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 Thank you.