Download - Advance ROP Attacks
![Page 1: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/1.jpg)
Advance ROP Attacks
Rashid Bhatt
@raashidbhatt
![Page 2: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/2.jpg)
Agenda• Introduction to ROP Attacks
• ROP Attack Variants
• Alphanumeric ROP exploits
• Searching gadgets
• Questions?
![Page 3: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/3.jpg)
ROP Attacks
• Introduced by hovad shacham • Circumvents DEP (data execution prevention)• Turing Complete`ness• More useful than ret-2-lib ( branching)• Applicable to various architectures
![Page 4: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/4.jpg)
ROP Attacks
• Gadgets are the building blocks• Gadgets end with RET instruction• Example gadgets
• Mov eax, ebx• Ret• Pop eax• Ret
![Page 5: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/5.jpg)
ROP attacks
x86 stack layout. Registers ebp and esp point to base and top of the
stack respective. EBP used to access local and passed paramterseg . [ebp + 8] first parameter (EBP + 4) for ret address. ESP used are a pointer for popping values out from
stack
![Page 6: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/6.jpg)
ROP attacks
• RET x86 instruction• Pops a value from the stack into EIP
• Used to return control from a function
• RET can have a argument eg RET 8
• RET 8 == EIP = stack[top], add ESP , 8
![Page 7: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/7.jpg)
X86 stack layoutcalling conventions
__stdcall ( varadic arguments) Int __stdcall function(int a, int b) // < paramerts
{int b,c; // local c variablesreturn 0;
}function(10, 20); // function call __stdcall
X86 disassembly
push 20 // arguments pushed from right to leftpush 10call function
function:push ebp // Stack epilouge mov ebp, espsub esp, 8 //8 bytes for two variabeles…. ….add esp, 8pop ebpret 8 // ret 8 stack clearance by callie
![Page 8: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/8.jpg)
X86 stack layoutcalling conventions
__cdecl( const no of args) Int __cdelc function(int a, int b) // < paramerts
{int b,c; // local c variablesreturn 0;
}function(10, 20); // function call __cdecl
X86 disassembly
push 20 // arguments pushed from right to leftpush 10call function add esp, 8 // stack clearance
function:push ebp // Stack epilouge mov ebp, espsub esp, 8 //8 bytes for two variabeles…. ….add esp, 8pop ebpret // ret no stack clearence
![Page 9: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/9.jpg)
Basic stack overflow
• A local stack variable gets overflowed
• CALL instruction pushes the EIP to the stack
• Find a trampoline eg jmp esp to change the value to eip to attacker controlled buffer
• demo
![Page 10: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/10.jpg)
What about NX bit ?
• DEP restricts the execution of segments marked as r/w
• We can re-use code from the address space of executable
• Useful code chunks called as ROP gadgets• Multiple gadgets can be chained together and
even API calls
![Page 11: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/11.jpg)
ROP Basics(load and store gadgets)
• storing and loading values from and into memory
• Primitive example pop eax; ret / pop ebx ret/ pop r32, ret
• To memory store pop eax, pop edx, ret / mov [eax], edx; ret
![Page 12: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/12.jpg)
Wait a sec! » Handling NULL bytes
• Some parameters contain NULL • Even some addresses contain zero values• Cannot inject NULL or zero values • Bug prone functions eg strcpy stop copying
when they encounter a NULL byte (00 hex)
![Page 13: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/13.jpg)
Handling NULL bytes
• Let x = value containing a ( many) NULL byte• Let y = mask = 0xffffffff• Mathematical axiom • A xor B = z (say)• Now z xor B = A• We can 0x00000000 xor 0xffffffff = z (say)• Xor it back to get the original value • We have xor esi, ebx ; ret!
![Page 14: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/14.jpg)
ROP basics(arithmetic )
• Msvcrt32.dll 0x77c4d6f add ebx, esi; stc; ret
• Kernel32.dll 0x7c902af5 sub eax,ecx; ret
• We have same for mul and div !
• Try in immunity search: add r32, r32;any;ret;
• You will find huge no. of gadgets
![Page 15: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/15.jpg)
ROP basics(conditional jumps )
• The tricky part• We need to modify ESP , based on certain
comparisons. comparisons include greater than , less than ,
equal to;X <yX >yX == some_val
.
![Page 16: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/16.jpg)
Comparing with zero• Divert flow through adding a certain value to esp
• Store two values on the stack , value_to_be_checked and esp_delta (the value to be added to esp)
• Load the val in a general purpose register say eax• X86 instruction NEG computes the two's complement and updates CF
. if val == 0 the CF = 0; else CF = 1
• ADC x86 instruction add the source and dest with carry flag(ADC – add with carry flag)
• Make a general purpose reg and zero by xor r32,r32; then apply adc r32,32
![Page 17: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/17.jpg)
Comparing with zero(contd..)• We have a REG (say eax) containing a single 1 bit or all 0 bits
• Apply NEG instruction on that REG to obtain the two's complement
• 2's comp will transform it into all zero's or all ones • Perform bit-wise AND with ESP_DELTA
. according we will get ESP_DELTA as zero or its original value
• ADD esp, ESP_DALTA to divert the control flow
• DEMO
![Page 18: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/18.jpg)
Checking for == (equality)• Two values val1, val2 to be checked for equality
• Load two values using load and store gadgets as shown earlier
• Perform x86 SUB val1, val2,store back the result • If both the values are same result will be zero,
. Check the result to zero as show in the previous slide
• ADD esp, ESP_DALTA to divert the control flow
• DEMO
![Page 19: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/19.jpg)
Checking for <, > (less or greater)• Two values val1, val2 to be checked for equality
• Load two values using load and store gadgets as shown earlier
• Perform x86 SUB val1, val2, SUB intruction sets the CF if dest > source • Save CF using xor r32, r32;ret; adc r32,r32 ret; as shown in ealier slide
. CF will be 1 if dest > source else 0
• DEMO
![Page 20: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/20.jpg)
ROP Attack Variants
![Page 21: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/21.jpg)
JUMP oriented Programming Attacks
• ROP used gadgets ending with RET x86 instruction
• JOP uses statements ending with Indirect Jump call
• Instead of stack uses a dispatcher table to jump to different locations
• Thwarts certain Anti-ROP defences
![Page 22: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/22.jpg)
JOP attacks (Dispatch table and Dispatcher gadget)
![Page 23: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/23.jpg)
JOP(attack Model)
• Cannot work on stack buffer overflow , because control flow diverts through a ret Instruction
• Will be detected by anti-ROP defenses if(stack overflow is used)
• Attack vectors include
• 1: pointer overwrite
• 2: Arbitrary DWORD overwrite
• 3: C++ vtable overwrite
![Page 24: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/24.jpg)
Alphanumeric ROP Shell-code
![Page 25: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/25.jpg)
Alphanumeric ROP Shellcode• Traditional Shellcode can be made alphanumeric by choosing only certain
instruction
Example . pop ecx has anopcode 0x59 which is the ASCII code of the character Y)
• Similar technique used in ROP shellcode
. Selecting a printable address rather than a printable opcode(in trad. shellcodes)
![Page 26: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/26.jpg)
Alphanumeric ROP ShellcodeBasic Technique by adding two printable addresses. The range of ASCII printable
characters is between 0x21 and 0x7e
Example . A non-printable gadget in kernel32.dll at 0x77D4B8C2 {pop ebx;ret} can be represented by adding two printable addresses
0X225D414B(printable) + 0x55777777(printable) = 0x77D4B8C2(no-printable)
• Combined together can be used to transform a printable code into non-printable
• Similar technique used in ROP shellcode
. Selecting a printable address rather than a printable opcode(in trad. shellcodes)
![Page 27: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/27.jpg)
Alphanumeric ROP Shellcode(gadgets)
• Gadgets used for decoding addresses should be printable(bytes should be in range of 0x21 - 0x7e
• We also need a memory region which has a printable address to store the decoded gadgets addresses marked as r/w
. From reg to mem we have urlmon.dll
0x772C2E5E MOV DWORD PTR DS:[ECX],EAX
. ESP related CRYPTUI.dll 0x775513E30 XCHG EAX,ESP
. MSCTF.DLL 0x74722973 POP EAX
. Mshtml.dll 0x7D504962 ADD EAX,ECX
. msimtf.dll MEM to reg 0x74714263 MOV EAX,DWORD PTR DS:[ECX]
. All of the dll's loaded by internet explorer
![Page 28: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/28.jpg)
Alphanumeric ROP Shellcode
Alphanumeric ROP Messagebeep Shellcode >>
s)rt:i=3PI'w""w"bIP}PI'www""bIP}PI'w"P`w^.,wxxxxs)rt"P`w0>Qu
DEMO
![Page 29: Advance ROP Attacks](https://reader035.vdocuments.net/reader035/viewer/2022062405/5565fe44d8b42a2a4d8b4cba/html5/thumbnails/29.jpg)
Questions ?