Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (11)
Semelhante a Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
Semelhante a Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux (20)
Último
Último (20)
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
- 1. SELF INTRODUCTION & THE STORY THAT I TRIED TO MAKE SAYONARA ROP CHAIN IN LINUX 2016/04/27 Lightning Talks inaz2
- 2. ABOUT ME • inaz2 • http://twitter.com/inaz2 • Security engineer & Python programmer • AVTOKYO 2014 & 2015 speaker • Weblog: Momoiro Technology • http://inaz2.hatenablog.com/ • Written in Japanese but Google Translate will help us 2
- 3. LOW LAYER AND ME • Got in touch at Plaid CTF 2013 (year of ropasaurusrex) • Tried to understand exploitation for 3 years • “ROP Illmatic: Exploring Universal ROP on glibc x86-64” (AVTOKYO 2014) • Introduced Return-to-dl-resolve technique • Introduced JIT-ROP techniques in Linux • Wrote “roputils” library for writing stable exploit codes • “Abusing Interrupts for Reliable Windows Kernel Exploitation” (AVTOKYO 2015) • Verified IDT overwrite techniques still work in 32 bit Windows 3
- 4. 4
- 5. LOW LAYER AND ME • Got in touch at Plaid CTF 2013 (year of ropasaurusrex) • Tried to understand exploitation for 3 years • “ROP Illmatic: Exploring Universal ROP on glibc x86-64” (AVTOKYO 2014) • Introduced Return-to-dl-resolve technique • Introduced JIT-ROP techniques in Linux • Wrote “roputils” library for writing stable exploit codes • “Abusing Interrupts for Reliable Windows Kernel Exploitation” (AVTOKYO 2015) • Verified IDT overwrite techniques still work in 32 bit Windows 5
- 6. 6
- 7. LOW LAYER AND ME • Got in touch at Plaid CTF 2013 (year of ropasaurusrex) • Tried to understand exploitation for 3 years • “ROP Illmatic: Exploring Universal ROP on glibc x86-64” (AVTOKYO 2014) • Introduced Return-to-dl-resolve technique • Introduced JIT-ROP techniques in Linux • Wrote “roputils” library for writing stable exploit codes • “Abusing Interrupts for Reliable Windows Kernel Exploitation” (AVTOKYO 2015) • Verified IDT overwrite techniques still work in 32 bit Windows 7
- 8. 8
- 9. SAYONARA ROP CHAIN • https://www.corelan.be/index.php/2011/07/03/universal- depaslr-bypass-with-msvcr71-dll-and-mona-py/ • Universal ASLR & NX/DEP bypass in Windows x86 • Use gadgets in non-ASLR DLLs • Metasploit also generates its variant by generate_rop_payload() 9
- 10. 10
- 11. TRYING TO MAKE LINUX VERSION • Return-to-dl-resolve technique works in x86 Linux (w/o PIE) 1. Send crafted symbol structure to fixed address (bss section etc.) 2. Call it by dl-resolve@plt with adjusted arguments • We don’t have to do stack pivot 11
- 12. 12
- 13. BUT IT WON’T WORKS ON X64 • On x64 Linux, code section and data section are not adjacent • Code at 0x400000, data at 0x600000 • Symbol version check is enabled by default • Fail to find VERSYM and raise SEGV • We need to read the pointer link_map@got and overwrite [link_map+0x1c8] to 0 13
- 14. 14
- 15. RECAP • I tried to make universal ROP chain for Linux • For x86, succeeded by return-to-dl-resolve technique • But for x64, we have to traverse link_map and patch • Heavy task for ROP… Game Over \(^o^)/ 15
- 16. REFERENCE • Advanced return-into-lib(c) exploits (PaX case study) (Phrack 58) • http://phrack.org/issues/58/4.html • Return to Dynamic Linker (Codegate 2014 Junior) • http://www.codegate.org/content/board/post_list.php?bid=48&q=Retu rn+to+Dynamic+Linker • How the ELF Ruined Christmas (USENIX Security 2015) • https://www.usenix.org/conference/usenixsecurity15/technical- sessions/presentation/di-frederico 16