Linux Binary Exploitation - Return-oritend Programing

1. Linux Binary Exploitation
Return-oriented Programing
angelboy@chroot.org

2. Outline
• ROP
• Using ROP bypass ASLR
• Stack migration

3. Outline
• ROP
• Using ROP bypass ASLR
• Stack migration

4. ROP
• 透過 ret 去執⾏行行其他包含 ret 的程式碼片段
• 這些片段⼜又稱為 gadget

5. ROP
• Why do we need ROP ?
• Bypass DEP
• Static linking can do more thing

6. ROP
• ROP chain
• 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制，我們可以藉由
ret = pop rip 指令，持續的控制 rip
gadget2
1
gadget1
high
low
rsp
retoverflow
pop rax
ret
syscall
gadget1
gadget2

7. ROP
• ROP chain
• 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制，我們可以藉由
ret = pop rip 指令，持續的控制 rip
gadget2
1
gadget1
high
low
rsp
retoverflow
pop rax
ret
syscall
gadget1
gadget2

8. ROP
• ROP chain
• 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制，我們可以藉由
ret = pop rip 指令，持續的控制 rip
gadget2
1
gadget1
high
low
rsp
retoverflow
pop rax
ret
syscall
gadget1
gadget2

9. ROP
• ROP chain
• 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制，我們可以藉由
ret = pop rip 指令，持續的控制 rip
gadget2
1
gadget1
high
low
rsp
retoverflow
pop rax
ret
syscall
gadget1
gadget2

10. ROP
• ROP chain
• 在夠長的 buffer overflow 後 stack 內容幾乎都由我們控制，我們可以藉由
ret = pop rip 指令，持續的控制 rip
gadget2
1
gadget1
high
low
rsp
retoverflow
pop rax
ret
syscall
gadget1
gadget2
exit

11. ROP
• ROP chain
• 由眾多的 ROP gadget 組成
• 藉由不同的 register 及記憶體操作，呼叫 system call 達成任意代碼執⾏行行
• 基本上就是利利⽤用 ROP gadget 來來串串出我們之前寫的 shellcode 的效果

12. ROP
• Gadget
• read/write register/memory
• pop rax;pop rcx ; ret
• mov [rax],rcx ; ret
• system call
• syscall
• change rsp
• pop rsp ; ret
• leave ; ret

13. ROP
• Write to Register
• pop reg ; ret
• mov reg, reg ; ret
• …

14. ROP
• Write to Register
• let rax = 0xdead rbx = 0xbeef
0x401041
0xdead
0x4010fb
high
low
rsp
pop rax
ret
0x401041
0xbeef
pop rbx
ret
0x4010fb
0 0
retoverflow
rax rbx

15. ROP
• Write to Register
• let rax = 0xdead rbx = 0xbeef
0x401041
0xdead
0x4010fb
high
low
rsp
pop rax
ret
0x401041
0xbeef
pop rbx
ret
0x4010fb
0 0
retoverflow
rax rbx

16. ROP
• Write to Register
• let rax = 0xdead rbx = 0xbeef
0x401041
0xdead
0x4010fb
high
low
rsppop rax
ret
0x401041
0xbeef
pop rbx
ret
0x4010fb
0xdead 0
retoverflow
rax rbx

17. ROP
• Write to Register
• let rax = 0xdead rbx = 0xbeef
0x401041
0xdead
0x4010fb
high
low
rsp
pop rax
ret
0x401041
0xbeef
pop rbx
ret
0x4010fb
0xdead 0
retoverflow
rax rbx

18. ROP
• Write to Register
• let rax = 0xdead rbx = 0xbeef
0x401041
0xdead
0x4010fb
high
low
rsp
pop rax
ret
0x401041
0xbeef
pop rbx
ret
0x4010fb
0xdead 0xbeef
retoverflow
rax rbx

19. ROP
• Write to Memory
• mov [reg],reg
• mov [reg+xx], reg
• …

20. ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0 0
rax rbx
0x602080
0
0x602080
retoverflow

21. ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0 0
rax rbx
0x602080
0
0x602080
retoverflow

22. ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0x602080 0
rax rbx
0x602080
0
0x602080
retoverflow

23. ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0x602080 0xdeadbeef
rax rbx
0x602080
0
0x602080
retoverflow

24. ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0x602080 0xdeadbeef
rax rbx
0x602080
0
0x602080
retoverflow

25. ROP
• Write to Memory
• let *0x602080 = 0xdeadbeef
0x40108a
0xdeadbeef
0x4010d1
high
low
rsp
pop rax
pop rbx
ret
0x40108a
0xbeef
mov [rax],rbx
ret
0x4010d1
0x602080 0xdeadbeef
rax rbx
0x602080
0xdeadbeef
0x602080
retoverflow

26. ROP
• execve(“/bin/sh”,NULL,NULL)
• write to memory
• 將 “/bin/sh” 寫入已知位置記憶體中
• 可分多次將所需字串串寫入記憶體中
/bin/das
0x602080 0x602088
hx00x00x00…

27. ROP
• execve(“/bin/sh”,NULL,NULL)
• write to register
• rax = 0x3b , rdi = address of “/bin/sh”
• rsi = 0 , rdx = 0
• syscall

28. ROP
• find gadget
• https://github.com/JonathanSalwan/ROPgadget

29. ROP
• find gadget
• ROPgadget - - binary binary
• ROPgadget - - ropchain - - binary binary
• 在 Static linking 通常可以組成功 execve 的 rop chain 但通常都很長，
需要⾃自⼰己找更更短的 gadget 來來改短⼀一點

30. Outline
• ROP
• Using ROP bypass ASLR
• Stack migration

31. Using ROP bypass ASLR
• 假設 dynamic 編譯的程式中有 Buffer Overflow 的漏洞洞且在沒 PIE 情況下 (
先不考慮 StackGuard 的情況）
• How to bypass ASLR and DEP ?
• Use .plt section to leak some information
• ret2plt
• 通常⼀一般的程式中都會有 put 、 send 、write 等 output function
!31

32. Using ROP bypass ASLR
ret
code stack
high
low
rsp
!32
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
0
rdi
0
rsi
0
rdx

33. Using ROP bypass ASLR
ret
pop rdi
ret
code stack
high
low
rsp
!33
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
0
rdi
0
rsi
0
rdx

34. Using ROP bypass ASLR
ret
pop rdi
ret
code stack
high
low
rsp
!34
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
put@GOT
rdi
0
rsi
0
rdx

35. Using ROP bypass ASLR
ret
pop rdi
ret
put@plt
code stack
high
low
rsp
!35
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
put@GOT
rdi
0
rsi
0
rdx

36. Using ROP bypass ASLR
ret
pop rdi
ret
jmp *(put@GOT)
code stack
high
low
rsp
!36
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
put@GOT
rdi
0
rsi
0
rdx

37. Using ROP bypass ASLR
ret
pop rdi
ret
jmp put(put@GOT)
code stack
high
low
rsp
!37
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
put@GOT
rdi
0
rsi
0
rdx

38. Using ROP bypass ASLR
ret
pop rdi
ret
jmp put(put@GOT)
code stack
high
low
rsp
!38
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
put@GOT
rdi
0
rsi
0
rdx
Information leak

39. Using ROP bypass ASLR
ret
pop rdi
ret
jmp put(put@GOT)
ret
code stack
high
low
rsp
!39
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
put@GOT
rdi
0
rsi
0
rdx

40. Using ROP bypass ASLR
ret
pop rdi
ret
jmp put(put@GOT)
ret
pop rdi
ret
code stack
high
low
rsp
!40
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
put@GOT
rdi
0
rsi
0
rdx

41. Using ROP bypass ASLR
ret
pop rdi
ret
jmp put(put@GOT)
ret
pop rdi
ret
code stack
high
low
rsp
!41
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
0
rdi
0
rsi
0
rdx

42. Using ROP bypass ASLR
ret
pop rdi
ret
jmp put(put@GOT)
ret
pop rdi
ret
pop rsi
ret
code stack
high
low
rsp
!42
put@plt
pop rdi
put@GOT
pop rdi
0
pop rsi
puts@GOT
……
0
rdi
0
rsi
0
rdx

43. Using ROP bypass ASLR
ret
pop rdi
ret
jmp put(put@GOT)
ret
pop rdi
ret
pop rsi
ret
code stack
high
low
rsp
!43
puts@GOT
0
rdi
puts@GOT
rsi
0
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8

44. Using ROP bypass ASLR
ret
pop rdx
ret
code stack
high
low
rsp
!44
puts@GOT
0
rdi
puts@GOT
rsi
0
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8

45. Using ROP bypass ASLR
ret
pop rdx
ret
code stack
high
low
rsp
!45
puts@GOT
0
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8

46. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read@plt
code stack
high
low
rsp
!46
puts@GOT
0
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8

47. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
code stack
high
low
!47
puts@GOT
0
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
rsp

48. rsp
Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
code stack
high
low
rsp
!48
puts@GOT
0
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
GOT Hijacking
puts -> system

49. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
ret
code stack
high
low
!49
puts@GOT
0
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
rsp

50. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
ret
pop rdi
ret
code stack
high
low
!50
puts@GOT
0
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
rsp

51. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
ret
pop rdi
ret
code stack
high
low
!51
puts@GOT
&/bin/sh
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
rsp

52. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
ret
pop rdi
ret
jmp puts@plt
code stack
high
low
!52
puts@GOT
&/bin/sh
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
rsp

53. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
ret
pop rdi
ret
jmp *(puts@GOT)
code stack
high
low
!53
puts@GOT
&/bin/sh
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
rsp

54. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
ret
pop rdi
ret
jmp system(“/bin/sh”)
code stack
high
low
!54
puts@GOT
&/bin/sh
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
rsp

55. Using ROP bypass ASLR
ret
pop rdx
ret
jmp read(0,put@GOT,8)
ret
pop rdi
ret
jmp system(“/bin/sh”)
code stack
high
low
!55
puts@GOT
&/bin/sh
rdi
puts@GOT
rsi
8
rdx
pop rdx
read@plt
pop rdi
Address of /bin/sh
puts@plt
0x8
rsp
GET SHELL

56. Using ROP bypass ASLR
!56
• Bypass PIE
• 必須比平常多 leak ⼀一個 code 段的位置，藉由這個值算出 code base 進
⽽而推出所有 GOT 等資訊
• 有了了 code base 之後其他就跟沒有 PIE 的情況下⼀一樣

57. Using ROP bypass ASLR
!57
• Bypass StackGuard
• canary 只有在 function return 時做檢查
• 只檢查 canary 值時否⼀一樣
• 所以可以先想辦法 leak 出 canary 的值，塞⼀一模⼀一樣的內容就可
bypass，或是想辦法不要改到 canary 也可以

58. Using ROP bypass ASLR
!58
• Weakness in fork
• canary and memory mappings are same as parent.

59. Outline
• ROP
• Using ROP bypass ASLR
• Stack migration

60. Stack Migration
• 將 ROP Chain 寫在已知固定位置上
• 再利利⽤用 leave 搬移 Stack 位置到已知位置
• 可無限接 ROP Chain
• 必須注意到 Migration 之後 stack 要留留⼤大⼀一點，有些 function 可能會需要很
⼤大的 stack frame ，太⼩小可能會存取到唯獨區域，導致 Segmentation Fault
!60

61. Stack Migration
!61
return address
rbp
rbp/rsp
push rbp
mov rbp,rsp
…
leave
ret
high
low

62. Stack Migration
!62
buf1
rbp
push rbp
mov rbp,rsp
…
leave
ret
aaaa
aaaa
rsp
gets()
buf1 high
low
buf1
leave_ret
pop rdi

63. Stack Migration
!63
buf1
push rbp
mov rbp,rsp
…
leave
ret
aaaa
aaaa
rsp
gets()
buf1
buf1
leave_ret
leave = mov rsp,rbp ; pop rbp
rbp
pop rdi
high
low

64. Stack Migration
!64
buf1
rbp/rsp
push rbp
mov rbp,rsp
…
leave
ret
aaaa
aaaa
gets()
buf1
buf1
leave_ret
leave = mov rsp,rbp ; pop rbp
pop rdi
high
low

65. Stack Migration
!65
buf1
rsp
push rbp
mov rbp,rsp
…
leave
ret
aaaa
aaaa
gets()
buf1
buf1
leave_ret
rbp
pop rdi
high
low

66. Stack Migration
!66
buf1
rsp
push rbp
mov rbp,rsp
…
leave
ret
pop rdi
ret
aaaa
aaaa
gets()
buf1
buf1
leave_ret
pop rdi
rdi
0
high
low
rbp

67. Stack Migration
!67
buf1
rsppush rbp
mov rbp,rsp
…
leave
ret
pop rdi
ret
aaaa
aaaa
gets()
buf1
buf1
leave_ret
pop rdi
rdi
buf1
high
low
rbp

68. Stack Migration
!68
buf1
rsp
push rbp
mov rbp,rsp
…
leave
ret
pop rdi
ret
gets(buf1) aaaa
aaaa
gets()
buf1
buf1
leave_ret
pop rdi
rdi
buf1
high
low
rbp

69. Stack Migration
!69
buf1
rsp
push rbp
mov rbp,rsp
…
leave
ret
pop rdi
ret
gets(buf1)
ret
aaaa
aaaa
gets()
buf1
buf1
leave_ret
rbp
pop rdi
rdi
buf1
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret

70. Stack Migration
!70
buf1
rsp
leave
ret
aaaa
aaaa
gets()
buf1
buf1
leave_ret
pop rdi
rdi
buf1
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
leave = mov rsp,rbp ; pop rbp
rbp

71. Stack Migration
!71
leave
ret
buf1
rdi
buf1
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rsp
rbp
buf2

72. Stack Migration
!72
pop rdi
ret
buf1
rdi
buf1
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rsp
rbp
buf2

73. Stack Migration
!73
pop rdi
ret
buf1
rdi
puts@GOT
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rbp
buf2
rsp

74. Stack Migration
!74
pop rdi
ret
puts(puts@GOT)
ret
buf1
rdi
puts@GOT
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rsp
rbp
buf2
Information leakage

75. Stack Migration
!75
pop rdi
ret
puts(puts@GOT)
ret
buf1
rdi
puts@GOT
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rsp
rbp
buf2

76. Stack Migration
!76
pop rdi
ret
buf1
rdi
puts@GOT
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rsp
rbp
buf2

77. Stack Migration
!77
pop rdi
ret
buf1
rdi
buf2
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rsp
rbp
buf2

78. Stack Migration
!78
pop rdi
ret
gets(buf2)
ret
buf1
rdi
buf2
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_retrsp
rbp
buf2

79. Stack Migration
!79
pop rdi
ret
gets(buf2)
ret
buf1
rdi
buf2
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_retrsp
rbp
buf2
buf1
pop rdi
&/bin/sh
/bin/sh
system

80. Stack Migration
!80
pop rdi
ret
gets(buf2)
ret
leave
ret
buf1
rdi
buf2
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_retrsp
rbp
buf2
buf1
pop rdi
&/bin/sh
/bin/sh
system
leave = mov rsp,rbp ; pop rbp

81. Stack Migration
!81
pop rdi
ret
gets(buf2)
ret
leave
ret
buf1
rdi
buf2
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rbp
rsp
buf2
buf1
pop rdi
&/bin/sh
/bin/sh
system

82. Stack Migration
!82
pop rdi
ret
buf1
rdi
buf2
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rbp
rsp
buf2
buf1
pop rdi
&/bin/sh
/bin/sh
system

83. Stack Migration
!83
pop rdi
ret
buf1
rdi
&/bin/sh
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rbp
rsp
buf2
buf1
pop rdi
&/bin/sh
/bin/sh
system

84. Stack Migration
!84
pop rdi
ret
system(“/bin/sh”)
buf1
rdi
&/bin/sh
buf2
pop rdi
puts@GOT
puts()
pop rdi
buf2
gets()
high
low
leave_ret
rbp
rsp
buf2
buf1
pop rdi
&/bin/sh
/bin/sh
system
GET SHELL

85. Stack Migration
• 若若能妥善利利⽤用，在沒有 libc 的情況下，有機會將整個 libc 給 dump 出來來，
更更有機會直接找出 system 的位置
• 無限 ROP ，幾乎可以做出所有事情，但唯⼀一要注意的是 buf ⼤大⼩小要控制
好，盡量量選 bss 後半段位置，否則可能因為 stack 不夠⼤大⽽而 segfault
!85

86. Stack Migration
• Other migration gadget
• add rsp,0xNN ; ret
• sub rsp,0xNN ; ret
• ret 0xNN
• xchg rsp,exx ; ret
• partial overwrite rbp
!86

87. Stack Migration
!87
ret
add rsp,0x30
ret
you
can’t
control
gadget
rsp
rop chain
high
low

88. Stack Migration
!88
ret
add rsp,0x30
ret
you
can’t
control
gadget
rop chain
high
low
rsp

89. Stack Migration
!89
ret
add rsp,0x30
ret
you
can’t
control
gadget
rop chain
high
low
rsp

90. Reference
• http://www.slideshare.net/hackstuff/rop-40525248
!90

91. Q & A