Modern Binary Exploitation CSCI 4968 - Spring 2015 - Markus Gaasedelen
Source: security.cs.rpi.edu/courses/binexp-spring2015/lectures/11/07_lecture.pdf
DEP & ROP
MBE - 03/10/15
Modern Binary Exploitation, CSCI 4968 - Spring 2015
Markus Gaasedelen
Lecture Overview
1. Introducing DEP
2. The History of DEP
3. Bypassing DEP with ROP
4. Stack Pivoting
Class up until Now
• Reverse Engineering
• Basic memory corruption
• Shellcoding
• Format strings
• Classical exploitation, few protections, pretty eZ
• Time to add some ‘modern’ to the binary exploitation madness
Modern Exploit Mitigations
• There's a number of modern exploit mitigations that we’ve generally been turning off for the labs and exercises
  • DEP
  • ASLR
  • Stack Canaries
  • … ?
• Today we turn one back on for the remainder of the course
  • no more silly -z execstack in our gcc commands
Course Terminology
• Data Execution Prevention
  • An exploit mitigation technique used to ensure that only code segments are ever marked as executable
  • Meant to mitigate code injection / shellcode payloads
  • Also known as DEP, NX, XN, XD, W^X
Runtime Process Without DEP
(figure: runtime memory layout from 0x00000000, start of memory, to 0xFFFFFFFF, end of memory; reused from RPISEC - 10/17/2014 Intro to Binary Exploitation)
• Stack: RWX (Read, Write, Execute)
• Libraries (libc): like an ELF, multiple segments: R-X, R--, ...
• Heap: RWX (Read, Write, Execute)
• ELF Executable
  • .text segment: R-X (Read, Execute)
  • .rodata segment: R-- (Read)
Runtime Process With DEP
(same layout; the writable regions no longer carry the execute bit)
• Stack: RW- (Read, Write)
• Libraries (libc): like an ELF, multiple segments: R-X, R--, ...
• Heap: RW- (Read, Write)
• ELF Executable
  • .text segment: R-X (Read, Execute)
  • .rodata segment: R-- (Read)
DEP Basics
• No segment of memory should ever be Writable and Executable at the same time, ‘W^X’
• Common data segments
  • Stack, Heap
  • .bss
  • .ro
  • .data
• Common code segments
  • .text
  • .plt
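As an added example (not from the lecture), a small Python audit of the permission bits the memory-map figure draws: it parses /proc/<pid>/maps-style lines and reports every mapping that is writable and executable at once, i.e. a W^X violation such as the RWX stack that `-z execstack` produces. The maps text below is constructed for the example; `audit_self()` reads the real /proc/self/maps when run on Linux.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of /proc/<pid>/maps output (not captured from a real process).
# It mimics a 32-bit binary built with `-z execstack`: heap and stack are rwx.
MAPS_NO_DEP = """\
08048000-08049000 r-xp 00000000 08:01 1234 /home/user/lab
08049000-0804a000 r--p 00001000 08:01 1234 /home/user/lab
0804a000-0804b000 rw-p 00002000 08:01 1234 /home/user/lab
0804b000-0806c000 rwxp 00000000 00:00 0 [heap]
b7e10000-b7fb0000 r-xp 00000000 08:01 5678 /lib/libc.so.6
b7fb0000-b7fb2000 r--p 0019f000 08:01 5678 /lib/libc.so.6
b7fb2000-b7fb3000 rw-p 001a1000 08:01 5678 /lib/libc.so.6
bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]
"""

# The same process under DEP: the writable regions lose the execute bit.
MAPS_DEP = MAPS_NO_DEP.replace("rwxp", "rw-p")

# start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_maps(text: str) -> List[Dict]:
    """Turn maps lines into dicts; lines that do not parse are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "path": m.group("path") or "[anon]",
        })
    return regions


def wx_violations(text: str) -> List[str]:
    """Names of mappings that are both writable and executable (W^X broken)."""
    return [r["path"] for r in parse_maps(text)
            if "w" in r["perms"] and "x" in r["perms"]]


def audit_self() -> Optional[List[str]]:
    """Audit the running interpreter itself (Linux only); None elsewhere."""
    try:
        with open("/proc/self/maps") as f:
            return wx_violations(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("without DEP:", wx_violations(MAPS_NO_DEP))   # ['[heap]', '[stack]']
    print("with DEP:   ", wx_violations(MAPS_DEP))      # []
    print("this process:", audit_self())
```

The same check is what a hardening review does by hand: any `rwx` line in a process's maps is a region where injected bytes could be run, and on a DEP-enabled system the only expected executable mappings are the code segments of the binary and its libraries.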
DEP in Action
• Data should never be executable, only code
• What happens if we stack smash, inject shellcode, and try to jump onto the stack?
  • SEGFAULT at 0xbffffc04
  • yay mitigation technologies!
History of DEP
• When was DEP implemented?
  • August 14th, 2004 - Linux Kernel 2.6.8
  • August 25th, 2004 - Windows XP SP2
  • June 26th, 2006 - Mac OSX 10.5
  • about 10 years ago
2004 in Perspective
• Facebook is created
• G-Mail launches as beta
• Ken Jennings begins his 74 win streak on Jeopardy
• Halo 2 is released, as is Half Life 2
• LOST airs its first episode
Security is Young
• Technologies in modern exploit mitigations are incredibly young, and the field of computer security is rapidly evolving
• DEP is one of the main mitigation technologies you must bypass in modern exploitation
Bypassing DEP
• DEP stops an attacker from easily executing injected shellcode assuming they gain control of EIP
  • shellcode almost always ends up in a RW- region
• If you can’t inject (shell)code to do your bidding, you must re-use the existing code!
  • This technique is usually some form of ROP
Course Terminology
• Return Oriented Programming
  • A technique in exploitation to reuse existing code gadgets in a target binary as a method to bypass DEP
  • Also known as ROP
• Gadget
  • A sequence of meaningful instructions typically followed by a return instruction
  • Usually multiple gadgets are chained together to compute malicious actions like shellcode does
  • These chains are called ROP Chains
Relevant Quotes
“Preventing the introduction of malicious code is not enough to prevent the execution of malicious computations”
- Dino Dai Zovi
Gadgets
• ROP Chains are made up of gadgets
• Example gadgets -
  xor eax, eax ; ret
  pop ebx ; pop eax ; ret
  add eax, ebx ; ret
$ ropgadget --binary /bin/bash
Understanding ROP
• It is almost always possible to create a logically equivalent ROP chain for a given piece of shellcode
exit(0) - shellcode:
  xor eax, eax
  xor ebx, ebx
  inc eax
  int 0x80
exit(0) - ROP chain:
  xor eax, eax ; ret
  xor ebx, ebx ; ret
  inc eax ; ret
  int 0x80
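An added example, not from the lecture: a minimal Python emulator that walks the exit(0) ROP chain above the way the CPU does, so the equivalence with the shellcode is visible. The vulnerable function's own `ret` pops the first gadget address, and each gadget's trailing `ret` pops the next one, so the chain is nothing more than a list of addresses laid out where the return address used to be. The gadget addresses are made up for this example, `q()` is the lecture's `struct.pack` helper, and a bare `ret` (a "ROP NOP") is included to show that padding in front of the chain does not change what it computes.

```python
import struct
from typing import Dict, List, Tuple


def q(addr: int) -> bytes:
    """Pack a 32-bit little-endian dword, like the lecture's q() helper."""
    return struct.pack("<I", addr)


# Hypothetical gadget addresses (constructed for this example, not from any real binary).
GADGETS: Dict[int, List[str]] = {
    0x08048511: ["xor eax, eax", "ret"],
    0x08048522: ["xor ebx, ebx", "ret"],
    0x08048533: ["inc eax", "ret"],
    0x08048544: ["int 0x80"],
    0x08048555: ["ret"],            # a bare ret: a "ROP NOP"
}


class Cpu:
    """Just enough x86 state to walk a ret-terminated gadget chain."""

    def __init__(self, stack: bytes, esp: int):
        self.regs = {"eax": 0xDEADBEEF, "ebx": 0xDEADBEEF}   # garbage on entry
        self.stack, self.base, self.esp = stack, esp, esp    # `stack` lives at address `esp`
        self.syscalls: List[Tuple[int, int]] = []

    def pop(self) -> int:
        off = self.esp - self.base
        if not 0 <= off <= len(self.stack) - 4:
            raise IndexError(f"esp {self.esp:#x} ran off the controlled data")
        (val,) = struct.unpack("<I", self.stack[off:off + 4])
        self.esp += 4
        return val


def run_chain(stack: bytes, esp: int, gadgets=GADGETS, max_gadgets: int = 64) -> Cpu:
    """Emulate: the vulnerable function's `ret` consumes the first dword, then
    every gadget's trailing `ret` pops the address of the next gadget."""
    cpu = Cpu(stack, esp)
    eip = cpu.pop()
    for _ in range(max_gadgets):
        if eip not in gadgets:
            raise ValueError(f"returned into a non-gadget address {eip:#x}")
        for insn in gadgets[eip]:
            op, _, args = insn.partition(" ")
            if op == "xor":
                dst, src = (r.strip() for r in args.split(","))
                cpu.regs[dst] ^= cpu.regs[src]
            elif op == "inc":
                cpu.regs[args] = (cpu.regs[args] + 1) & 0xFFFFFFFF
            elif op == "pop":
                cpu.regs[args] = cpu.pop()
            elif op == "int" and args == "0x80":
                cpu.syscalls.append((cpu.regs["eax"], cpu.regs["ebx"]))
                return cpu          # eax=1 is exit(): the process never returns here
            elif op == "ret":
                eip = cpu.pop()
                break
            else:
                raise NotImplementedError(insn)
        else:
            raise ValueError(f"gadget at {eip:#x} has no trailing ret")
    raise RuntimeError("chain did not terminate")


def build_exit_chain(nops: int = 0) -> bytes:
    """The slide's exit(0) chain, optionally padded with ROP NOPs in front."""
    return (q(0x08048555) * nops
            + q(0x08048511) + q(0x08048522) + q(0x08048533) + q(0x08048544))


def exit_chain_syscalls(nops: int = 0) -> List[Tuple[int, int]]:
    """(eax, ebx) of every int 0x80 reached; constructed esp, only its relation
    to the chain bytes matters."""
    return run_chain(build_exit_chain(nops), esp=0xBFFFF000).syscalls


if __name__ == "__main__":
    print(exit_chain_syscalls())        # [(1, 0)]: sys_exit with status 0
    print(exit_chain_syscalls(nops=3))  # same result, chain padded with rets
```

The emulator never executes any stack bytes: every instruction it runs comes from the (fixed) gadget table, which is exactly why DEP does not stop this, and why control-flow integrity or shadow stacks, which constrain where a `ret` may land, are the mitigations that address it.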
Bypassing DEP with ROP
• We called exit(0) without using any sort of shellcode!
• With that said, writing ROP can be difficult and you will usually have to get creative with what gadgets you find
/levels/lecture/rop/rop_exit
• Play around with ROP on the warzone
• Can you make a ROP chain to set arbitrary exit values? 0? 200? 64?
Relevant Tips/Tools/Commands
• $ ropgadget --binary ./rop_exit > /tmp/gadgetzXYZ.txt
• $ cat /tmp/gadgetzXYZ.txt | grep "pop eax" | grep …
• $ asm
  • easy way to get the bytes for gadgets you’re looking for
• $ gdb-peda
  • searchmem, find raw bytes in an executing program
  • ropsearch, a crappy rop gadget finder
• python
  import struct
  def q(addr):
      # pack an address as a 4-byte dword for the chain
      return struct.pack("I", addr)
Typical Constraints in ROP
• Typically in modern exploitation you might only get one targeted overwrite rather than a straight stack smash
• What can you do when you only have one gadget worth of execution?
  • Answer: Stack Pivoting
Stack Pivoting
(figure: stack diagram; you control the orange region)
• You have one gadget before you drop into arbitrary data on the stack
• Use your one gadget to move ESP into a more favorable location (Stack Pivot)
  add esp, 0x40c ; ret
![Page 49: Modern Binary Exploitation CSCI 4968 - Spring 2015 Markus ...security.cs.rpi.edu/courses/binexp-spring2015/lectures/11/07_lecture.pdfshellcode assuming they gain control of EIP •](https://reader033.fdocuments.net/reader033/viewer/2022060210/5f04b4987e708231d40f4bcb/html5/thumbnails/49.jpg)
DEP & ROPMBE - 03/10/15
Stack Pivoting Tips
49
add esp, 0xXXXXret
sub esp, 0xXXXXret
ret 0xXXXX
leave ; (mov esp, ebp)ret
xchg eXX, espret
any gadgets that touch esp will probably be of interest
for a pivot scenario
Stack Pivoting Tips
• You may not find an exact pivot, or you may need to pivot multiple times!
• You can always pad your ROP Chains with ROP NOPs which are simply gadgets that point to ret’s
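An added example (not from the lecture) of the grep-style filtering the tips describe, in Python: it parses ropgadget-style output lines, keeps the gadgets that touch esp and end in a `ret`, lists the bare-`ret` gadgets usable as ROP NOPs, and computes how far a gadget moves esp when that is fixed by the instructions alone (`add`/`sub esp`, `ret imm`) or reports that it depends on stack contents (`leave`, `xchg`, `mov esp`, `pop esp`). The gadget listing is constructed; the addresses are invented.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the one-gadget-per-line format ropgadget prints
# (addresses and gadgets invented for this example).
SAMPLE_GADGETS = """\
0x08048401 : add esp, 0x40c ; ret
0x08048412 : pop ebx ; pop eax ; ret
0x08048423 : xchg eax, esp ; ret
0x08048434 : leave ; ret
0x08048445 : ret 0x10
0x08048456 : xor eax, eax ; ret
0x08048467 : sub esp, 0x20 ; ret
0x08048478 : mov esp, ebp ; ret
0x08048489 : pop esp ; ret
0x0804849a : ret
0x080484ab : add esp, 0x10 ; pop ebx ; ret
"""

# Instruction shapes that move esp: the ones on the slide plus mov/pop esp.
PIVOT_RE = re.compile(
    r"^(add|sub) esp, |^ret 0x|^leave$|^xchg e[a-z]{2}, esp$|^xchg esp, e[a-z]{2}$"
    r"|^mov esp, |^pop esp$"
)


def parse_gadgets(text: str) -> List[Tuple[int, List[str]]]:
    """(address, [instructions]) for every 'ADDR : insn ; insn' line."""
    out = []
    for line in text.splitlines():
        addr, sep, insns = line.partition(" : ")
        if sep:
            out.append((int(addr, 16), [i.strip() for i in insns.split(";")]))
    return out


def find_pivots(text: str) -> List[int]:
    """Addresses of gadgets that end in a ret and move esp somewhere along the way."""
    return [addr for addr, insns in parse_gadgets(text)
            if insns[-1].startswith("ret") and any(PIVOT_RE.match(i) for i in insns)]


def rop_nops(text: str) -> List[int]:
    """Bare `ret` gadgets: usable as padding (ROP NOPs)."""
    return [addr for addr, insns in parse_gadgets(text) if insns == ["ret"]]


def esp_delta(insns: List[str]) -> Optional[int]:
    """Net change to esp once the gadget's trailing ret has run, when the
    instructions alone fix it; None when it depends on what is on the stack."""
    delta = 0
    for i in insns:
        m_arith = re.match(r"^(add|sub) esp, (0x[0-9a-f]+|\d+)$", i)
        m_ret = re.match(r"^ret(?: (0x[0-9a-f]+|\d+))?$", i)
        if m_arith:
            n = int(m_arith.group(2), 0)
            delta += n if m_arith.group(1) == "add" else -n
        elif re.match(r"^pop e[a-z]{2}$", i) and i != "pop esp":
            delta += 4                         # pop into another register
        elif m_ret:
            # ret pops eip (+4); ret imm16 then adds imm to esp as well
            delta += 4 + (int(m_ret.group(1), 0) if m_ret.group(1) else 0)
        else:
            return None                        # leave / xchg / mov esp / pop esp
    return delta


if __name__ == "__main__":
    for addr, insns in parse_gadgets(SAMPLE_GADGETS):
        if addr in find_pivots(SAMPLE_GADGETS):
            print(f"{addr:#010x}  {' ; '.join(insns):28}  esp delta: {esp_delta(insns)}")
    print("ROP NOPs:", [hex(a) for a in rop_nops(SAMPLE_GADGETS)])
```

The delta column is what decides whether a pivot is "exact": `add esp, 0x40c ; ret` lands esp 0x410 bytes higher, so the chain must sit at that offset, while a gadget whose delta is None (say `leave ; ret`) lands wherever the saved ebp points, which is a different kind of control.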
/levels/lecture/rop/rop_pivot
• Play around with Stack Pivoting on the warzone
DEP & ROP, MBE - 03/13/15
ret2libc
• ‘ret2libc’ is a technique of ROP where you return to functions in standard libraries (libc), rather than using gadgets
• If you know the addresses of the functions you want to ROP through in libc (assuming libc exists), ret2libc is easier than making a ROP chain with gadgets
Common ret2libc Targets
• system()
  • Executes something on the command line
  • system(“cat flag.txt”);
• (f)open() / read() / write()
  • Open/Read/Write a file's contents
ret2libc example
(figure: stack diagram of the chain returning into system())
0x08045430: ret
system()
0xb7e65190: push ebx
0xb7e65191: sub esp, 8
0xb7e65194: mov eax, DWORD PTR [esp+0x10]
...
Returning to System
• We want to call system(“cat flag.txt”);
• Because we are ROPing into system rather than calling it, you have to think about setting up the stack (to pass arguments) a little bit differently
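An added example (not from the lecture) that checks the system() prologue shown above by tracking esp in Python: after `push ebx` and `sub esp, 8`, the load from `[esp+0x10]` reads the dword that sat at `[esp+4]` when the function was entered, which under cdecl is the first argument. That is the whole difference between calling and returning into a function: a `call` pushes the return address itself, a `ret` into the function does not, so the dword right after the function address must play the role of that return address and the argument follows it. `ret2libc_frame()` spells out those three dwords; 0xb7e65190 is system()'s address from the slide, the return-after and string addresses are placeholders.

```python
from typing import List, Tuple

# The system() prologue as disassembled on the slide (addresses omitted).
SYSTEM_PROLOGUE = [
    "push ebx",
    "sub esp, 8",
    "mov eax, DWORD PTR [esp+0x10]",
]


def entry_offset_of_first_load(prologue: List[str]) -> int:
    """Track esp relative to its value at function entry and translate the
    first [esp+N] load into an offset from that entry-time esp."""
    esp = 0                                   # entry esp is the reference point
    for insn in prologue:
        op, _, args = insn.partition(" ")
        if op == "push":
            esp -= 4
        elif op == "pop":
            esp += 4
        elif op in ("sub", "add") and args.startswith("esp,"):
            n = int(args.split(",", 1)[1].strip(), 0)
            esp += n if op == "add" else -n
        elif op == "mov" and "[esp+" in args:
            disp = args[args.index("[esp+") + 5: args.index("]")]
            return esp + int(disp, 0)
    raise ValueError("prologue contains no [esp+N] load")


def entry_slot_name(offset: int) -> str:
    """What a cdecl callee finds at [esp+offset] the moment it is entered."""
    if offset == 0:
        return "return address"
    if offset > 0 and offset % 4 == 0:
        return f"argument {offset // 4}"
    raise ValueError("not a dword slot above the return address")


def ret2libc_frame(func: int, ret_after: int, arg: int) -> List[Tuple[str, int]]:
    """Dwords, lowest address first, that a `ret` into `func` must find so that
    `func` sees `arg` as its first cdecl argument and returns to `ret_after`."""
    return [
        ("address of function (popped by the ret that transfers control)", func),
        ("[esp+0] at entry: where the function returns afterwards", ret_after),
        ("[esp+4] at entry: first argument", arg),
    ]


if __name__ == "__main__":
    off = entry_offset_of_first_load(SYSTEM_PROLOGUE)
    print(f"[esp+0x10] in the prologue == entry [esp+{off}] == {entry_slot_name(off)}")
    SYSTEM = 0xB7E65190          # system()'s address on the slide
    RET_AFTER = 0x00000000       # placeholder: where system() returns afterwards
    CMD_STRING = 0x0804A000      # placeholder: address of the "cat flag.txt" bytes
    for what, val in ret2libc_frame(SYSTEM, RET_AFTER, CMD_STRING):
        print(f"{val:#010x}  {what}")
```

The offset tracker is also the quickest sanity check when a ret2libc chain misbehaves: if the function's first argument load resolves to anything other than entry `[esp+4]`, the frame layout has been counted wrong by one dword.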
Output of system(“cat flag.txt”): w0w_u_g0t_th3_fl4g_such_h4ck3r
Chaining Calls