Control Flow Hijack: Always control + computation

David Brumley, Carnegie Mellon University
Credit: Some slides from Ed Schwartz

Slide 2: Control Flow Hijack: Always control + computation

    shellcode (aka payload)  ....  computation
    padding + &buf           ....  control

  Return-oriented programming (ROP): shellcode without code injection.

Slide 3: Motivation: Return-to-libc Attack

  - Overwrite the return address with the address of a libc function.
  - Set up a fake return address and argument(s).
  - ret will call the libc function: ret transfers control to system, which finds its arguments on the stack.
  - No injected code!

  Stack (high addresses at top) after buf is overwritten via argv[1]:

    argv            -> ptr to "/bin/sh"
    argc
    return addr     -> &system
    caller's ebp       <- %ebp
    buf (64 bytes)
                       <- %esp

Slide 4: Attack Surface: Linux   (2/1/2012)

  Regions, each marked unrandomized or randomized: Program Image, Libc, Stack, Heap.

Slide 5: Attack Surface: Windows

  The same regions (Program Image, Libc, Stack, Heap), each marked unrandomized or randomized.

Slide 6: How do we exploit DEP-defended systems where the text section isn't randomized?

Slide 7: Find an instruction sequence, aka gadget, to calculate the address at exploit time.

  What if we don't know the absolute address of "/bin/sh"? (objdump gives addresses, but we don't know the ASLR constants.)

    argv            -> ptr to "/bin/sh"
    argc
    return addr     -> &system
    caller's ebp       <- %ebp
    buf (64 bytes)     (overwritten via argv[1])
                       <- %esp

Slide 8: Idea! Get a copy of ESP to calculate the address of "/bin/sh" on the randomized stack.

  This overcomes ASLR because ASLR only protects against knowing absolute addresses.

    argv            <- gadgets compute the ptr to "/bin/sh" and write the computed value here
    argc
    return addr     -> gadgets to compute the ptr, then &system
    caller's ebp
    buf (64 bytes)     holds "/bin/sh" (overwritten via argv[1])

Slide 9: Return Oriented Programming Techniques

  1. Return chaining
  2. Semantic equivalence
  3. ROP on Windows

Slide 10: Return Chaining

  Suppose we want to call 2 functions in our exploit: foo(arg1, arg2) and bar(arg3, arg4). What does this do?

    arg4
    arg3
    &(pop-pop-ret)
    bar
    arg2
    arg1
    &(pop-pop-ret)
    foo               <- overwritten ret addr

  The stack unwinds upward: the first function returns into code that advances the stack pointer, e.g. pop; pop; ret.

Slide 11: Return Chaining

  When foo is executing, &pop-pop-ret is in the saved EIP slot. When foo returns, it executes pop-pop-ret to clear arg1 (pop) and arg2 (pop) and to transfer control to bar (ret).

Slide 12: There are many semantically equivalent ways to achieve the same net shellcode effect.

Slide 13: Equivalence

  Desired logic: Mem[v2] = v1

  Implementation 1 (straight-line code):

    a1: mov eax, [esp]
    a2: mov ebx, [esp+8]
    a3: mov [ebx], eax

    Stack:   esp -> v1
                    ...
                    v2

Slides 14-18: Gadgets

  Desired logic: Mem[v2] = v1

  Implementation 2 (gadgets):

    a1: pop eax          \ Gadget 1
    a2: ret              /
    a3: pop ebx          \ Gadget 2
    a4: ret              /
    a5: mov [ebx], eax

  Suppose a5 and a3 are on the stack:

    Stack:   esp -> v1
                    a3
                    v2
                    a5

  Stepping through with eip = a1 initially:
    - a1 pops v1 into eax; the ret at a2 pops a3 into eip
    - a3 pops v2 into ebx; the ret at a4 pops a5 into eip
    - a5 stores eax into Mem[ebx], i.e. Mem[v2] = v1
  Final state: eax = v1, ebx = v2, eip = a5.

Slide 19: Equivalence

  Desired logic: Mem[v2] = v1

    Implementation 1                  Implementation 2 (gadgets)
      a1: mov eax, [esp]                a1: pop eax; ret
      a2: mov ebx, [esp+8]              a2: pop ebx; ret
      a3: mov [ebx], eax                a3: mov [ebx], eax

  The two implementations are semantically equivalent.
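The two implementations of Mem[v2] = v1 from the Equivalence slides, executed on a small stack-machine simulator and checked for the same net effect. This is an added example, not part of the lecture: the gadget addresses A1..A5 and B1..B3, the stack base 0x1000 and the sample values are constructed, and the machine handles only the pop/ret/mov/add subset the slides use, which is enough to step through the deck's other short chains the same way.

```python
WORD = 4  # 32-bit stack slots, as on the slides

class Machine:
    def __init__(self, code, stack, esp=0x1000):
        self.code = code                      # {address: "instruction"}; a gap ends the run
        self.regs = {"eax": 0, "ebx": 0, "ebp": 0, "esp": esp}
        self.mem = {esp + WORD * i: w for i, w in enumerate(stack)}  # constructed stack image

    def pop(self):
        self.regs["esp"] += WORD                         # the slot below the new esp is the value
        return self.mem.get(self.regs["esp"] - WORD, 0)

    def step(self, eip):
        # Execute one instruction (pop / ret / add / mov subset) and return the next eip.
        instr = self.code[eip]
        op, _, rest = instr.partition(" ")
        a = [x.strip() for x in rest.split(",")] if rest else []
        if op == "ret":                                  # the next eip comes from the stack
            return self.pop()
        if op == "pop":
            self.regs[a[0]] = self.pop()
        elif op == "add":                                # add reg, imm
            self.regs[a[0]] = (self.regs[a[0]] + int(a[1], 0)) & 0xFFFFFFFF
        elif op == "mov" and a[0].startswith("["):       # mov [reg], reg  (store)
            self.mem[self.regs[a[0][1:-1]]] = self.regs[a[1]]
        elif op == "mov" and a[1].startswith("["):       # mov reg, [reg+N] (load)
            base, _, off = a[1][1:-1].partition("+")
            self.regs[a[0]] = self.mem.get(self.regs[base] + int(off or "0", 0), 0)
        else:
            raise ValueError(f"unsupported instruction at {eip:#x}: {instr}")
        return eip + 1                                   # straight-line code falls through

    def run(self, eip, max_steps=64):
        while eip in self.code and max_steps > 0:        # stop once eip leaves known code
            eip, max_steps = self.step(eip), max_steps - 1
        return self

# Constructed gadget addresses; consecutive, so "pop eax" at A1 falls through into "ret" at A2.
A1, A2, A3, A4, A5 = range(0x08048000, 0x08048005)
B1, B2, B3 = range(0x08049000, 0x08049003)

def store_via_implementation_1(v1, v2):
    # Implementation 1: straight-line code; v1 sits at esp, v2 at esp+8 (middle slot unused).
    code = {B1: "mov eax, [esp]", B2: "mov ebx, [esp+8]", B3: "mov [ebx], eax"}
    return Machine(code, stack=[v1, 0xCAFEBABE, v2]).run(B1).mem.get(v2)

def store_via_implementation_2(v1, v2):
    # Implementation 2: data interleaved on the stack with the gadget addresses a3 and a5.
    code = {A1: "pop eax", A2: "ret", A3: "pop ebx", A4: "ret", A5: "mov [ebx], eax"}
    return Machine(code, stack=[v1, A3, v2, A5]).run(A1).mem.get(v2)
```

Both functions return the value found at Mem[v2] after the run, so equal results show the chain of gadgets reproduces the straight-line store.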

Slide 20: Gadgets

  A gadget is a set of instructions for carrying out a semantic action (mov, add, etc.).
  Gadgets typically have a number of instructions:
    - one instruction = native instruction set
    - more instructions = synthesize  <- ROP
  Gadgets in ROP generally (but not always) end in a return.

Slide 21: ROP Programming

  1. Disassemble code
  2. Identify useful code sequences as gadgets
  3. Assemble gadgets into desired shellcode

Slide 22: Image by Dino Dai Zovi

Slide 23: ROP Overview

  Idea: We forge shellcode out of existing application logic (gadgets).
  Requirements: vulnerability + gadgets + some unrandomized code (we need to know the addresses of gadgets).

Slide 24: Return-Oriented Programming (ROP)

  Desired shellcode: Mem[v2] = v1
  Find the needed instruction gadgets at addresses a1, a2, and a3 in existing code, then overwrite the stack to execute a1, a2, and then a3.

    argv
    argc
    return addr
    caller's ebp       <- %ebp
    buf (64 bytes)     (overwritten via argv[1])
                       <- %esp

Slide 25: Return-Oriented Programming (ROP)

  Desired shellcode: Mem[v2] = v1

    a1: pop eax; ret
    a2: pop ebx; ret
    a3: mov [ebx], eax

  Overwritten stack:

                       a3
                       v2
    argv            -> a2
    argc            -> v1
    return addr     -> a1
    caller's ebp       <- %ebp
    buf (64 bytes)     (overwritten via argv[1])
                       <- %esp

  Desired store executed!

Slide 26: Quiz

    #include <string.h>

    void foo(char *input) {
        char buf[512];
        ...
        strcpy(buf, input);
        return;          /* ret instr */
    }

  Known gadgets:
    a1: add eax, 0x80; pop %ebp; ret
    a2: pop %eax; ret

  Draw a stack diagram and ROP exploit to pop the value 0xBBBBBBBB into eax and add 0x80.

Slide 27: Quiz (solution)

    <slot consumed by pop %ebp>   \ gadget 1 + data
    a1                            /
    0xBBBBBBBB                    \ gadget 2 + data
    saved ret   -> a2             /
    saved ebp
    buf         <- overwritten with AAAAA...

  foo's ret transfers to a2: pop %eax takes 0xBBBBBBBB, and ret transfers to a1, which adds 0x80 to eax, pops the next slot into %ebp and returns.

Slide 28: ROPing Windows

    BOOL WINAPI VirtualProtect(
        LPVOID lpAddress,       // dynamically determined base addr of the pages to change
        SIZE_T dwSize,          // size of the region in bytes
        DWORD  flNewProtect,    // 0x40 = PAGE_EXECUTE_READWRITE
        PDWORD lpflOldProtect   // a ptr to a variable that receives the previous protection
    );                          // (these slides call the last parameter flProtect)

  VirtualProtect() can un-DEP a memory region.

Slide 29: VirtualProtect Diagram

    &VirtualProtect
    lpAddress      (dynamic)  addr of your shellcode to unprotect   (craft lpAddress)
    dwSize         (dynamic)                                         (craft dwSize)
    flNewProtect   (static)
    flProtect      (a ptr to mem)

Slide 30: ROPing Windows: An Example Exploit (pre-Win 8)

  From https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/

  Contents of the attacker-controlled region:

    Pointer to VirtualProtect (static) and space for its params:
      lpAddress placeholder:     base addr of the pages to change
      dwSize placeholder:        size of the region in bytes
      flNewProtect placeholder:  EXECUTE_READWRITE
      flProtect:                 a ptr to a variable for the previous arg
    Gadgets to run shellcode (not shown)
    Padding / NOPs
    Shellcode

  Steps:
    1. Stack pivot (esp now points into the controlled region)
    2. Gadgets to get the stack pointer and save it to a register (push %esp; pop %eax; ret) and to jump below the parameters (add esp, offset; ret)
    3. Gadget to overwrite the placeholder for Param 1 with its value (pointer to shellcode = saved ESP + offset)
    4. Gadget to overwrite the placeholder for Param 2 with its value
    5. Gadget to overwrite the placeholder for Param 3 with its value
    6. Gadget to overwrite the placeholder for Param 4
    7. Change the value of ESP back to where the pointer to VirtualProtect is, then ret

Slide 31: Stack Pivots: Pointing esp to controlled data

  Fact: Functions often access arguments with respect to esp.
  Defn: A stack pivot redirects esp to attacker-controlled data.
  Example: The attacker controls heap data pointed to by ESI. One stack pivot may be: xchg esi, esp; ret. Now esp points to the attacker-controlled data.

Slide 32: Other References

  Thorough introduction: https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
  Adapting to Win8: http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/

Slide 33: Disassembling Code

Slide 34: Recall: Execution Model

  Fetch, decode, execute. The processor (EIP) fetches from Code and reads and writes the Stack and Heap in process memory.

Slide 35: Disassembly

    $ objdump -d ./file
    ...
    00000000 <...>:
       0:  55              push   %ebp
       1:  89 e5           mov    %esp,%ebp
       3:  83 ec 10        sub    $0x10,%esp
       6:  8b 45 0c        mov    0xc(%ebp),%eax
       9:  03 45 08        add    0x8(%ebp),%eax
       c:  03 45 10        add    0x10(%ebp),%eax
       f:  89 45 fc        mov    %eax,0xfffffffc(%ebp)
      12:  8b 45 fc        mov    0xfffffffc(%ebp),%eax
      15:  83 e0 01        and    $0x1,%eax
      18:  84 c0           test   %al,%al
      1a:  74 03           je     1f
      1c:  ff 45 fc        incl   0xfffffffc(%ebp)
      1f:  8b 45 fc        mov    0xfffffffc(%ebp),%eax
      22:  c9              leave
      23:  c3              ret

  Columns: address, executable instruction bytes, disassembly.

Slides 36-38: Linear-Sweep Disassembly

  Executable instructions: 0x55 0x89 0xe5 0x83 0xec 0x10 ... 0xc9

  Algorithm (the disassembler keeps its own EIP):
    1. Decode the instruction at EIP
    2. Advance EIP by the instruction length

  Output: push ebp; mov %esp, %ebp; ...
  Note we don't follow jumps: we just increment by instruction length.

Slide 39: Disassemble from any address

  Normal execution decodes 0x55 0x89 0xe5 0x83 0xec 0x10 ... 0xc9 as push ebp; mov %esp, %ebp; ...
  It's perfectly valid to start disassembling from any address. All byte sequences will have a unique disassembly.

Slide 40: Recursive Descent

  Follow jumps and returns instead of a linear sweep.
  Undecidable: indirect jumps. Where does jmp *eax go?

Slide 41: ROP Programming

  1. Disassemble code (disassemble all sequences ending in ret)
  2. Identify useful code sequences ending in ret as gadgets
  3. Assemble gadgets into desired shellcode

Slide 42: ROP: Shacham et al.

  1. Disassemble code                                          Automatic
  2. Identify useful code sequences ending in ret as gadgets    Automatic
  3. Assemble gadgets into desired shellcode                    Manual

  Then Q came along and automated it.

Slide 43: Questions?
