ROP Exploit

ROP. Return Oriented Programming (ROP) is an exploitation technique in which a buffer overflow is used to place a chain of gadget addresses on the stack. Each gadget returns into the next one until the attacker's intended program has been executed. Gadgets are short sequences of useful instructions terminated by a return instruction (the opcode of ret is 0xc3). Usually they are not complete function bodies, so they do not contain a leave instruction.

Overview. Idea: in our exploit, we overwrite the return address so that execution flows into our gadgets. For the exploit to work, we need a vulnerable application and a set of gadgets.

Vulnerable Code

Our aim is to spawn a shell using the execve function.

Execve Function. Syntax: execve(const char *path, char *const argv[], char *const envp[]). Functionality: execve executes the program pointed to by path. Arguments: argv is an array of argument strings passed to the new program; envp is an array of strings, conventionally of the form key=value, which are passed as the environment of the new program. Register setup for the system call:
  %eax: the execve system call number, 0x0b (11)
  %ebx: const char *path, a pointer to "/bin/sh"
  %ecx: char *const argv[], a pointer to the array holding the "/bin/sh" pointer
  %edx: char *const envp[], NULL

Execve Function. When %eax holds 11 at the moment of the system call, the kernel invokes execve, since 11 is the system call number of execve. The objective of our exploit is to invoke execve on /bin/sh. The string /bin/sh is passed to main as an argv argument, and its address is placed in %ebx by the gadgets. The address of the array holding the /bin/sh pointer is placed in %ecx by the gadgets. Remember, it does not have to be /bin/sh; it could be telnet! Since /bin/sh runs fine with no environment variables, the gadgets place NULL in %edx as well. In total, the chain uses more than 400 gadgets!

Gadgets. For this project we use 9 distinct gadgets. The gadgets are compiled into the vulnerable program itself. In practice, attackers use gadget-scanning tools to find and list useful gadgets in an existing binary.

Gadget 1: sets %eax to 0.

Gadget 2: sets %eax to 1.

Gadget 3: increments %eax by 1.

Gadget 4: multiplies %eax by 2.

Gadgets 5, 6 and 7: move %eax into %ebx, %ecx and %edx respectively.

Gadget 8: adds %eax to %edx and then moves %edx into %eax.

Gadget 9: raises the software interrupt that invokes the system call.
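As an added example (not code from the presentation), the nine gadgets above modelled as operations on a 32-bit register file, so that a chain can be checked against the execve register convention from the earlier slide before the interrupt gadget fires. It generalises gadgets 2 to 4 into a routine that builds any constant in %eax, which is why a chain that fills three registers this way runs to well over a hundred gadget uses. Assumptions: the 32-bit Linux int 0x80 convention, placeholder pointer values, and a gadget 9 that only snapshots the registers instead of issuing a real system call.

```python
# Added example, not from the presentation: a register-level model of the nine
# gadgets on the slides, used to check that a chain leaves the registers in the
# execve convention before the system-call gadget. Pointers are placeholders.

EXECVE_NR = 11          # 32-bit Linux system call number for execve
BINSH_PTR = 0xbfff0010  # constructed: address where "/bin/sh" would live
ARGV_PTR = 0xbfff0020   # constructed: address of the argv[] pointer array
MASK = 0xffffffff       # registers are 32 bits wide

def step(regs, g):
    """Apply one gadget (numbered as on the slides) to the register file."""
    eax, edx = regs["eax"], regs["edx"]
    if g == 1:   regs["eax"] = 0                      # gadget 1: eax = 0
    elif g == 2: regs["eax"] = 1                      # gadget 2: eax = 1
    elif g == 3: regs["eax"] = (eax + 1) & MASK       # gadget 3: eax += 1
    elif g == 4: regs["eax"] = (eax * 2) & MASK       # gadget 4: eax *= 2
    elif g == 5: regs["ebx"] = eax                    # gadget 5: ebx = eax
    elif g == 6: regs["ecx"] = eax                    # gadget 6: ecx = eax
    elif g == 7: regs["edx"] = eax                    # gadget 7: edx = eax
    elif g == 8: regs["edx"] = regs["eax"] = (edx + eax) & MASK  # gadget 8
    elif g == 9: regs["syscall"] = {k: regs[k] for k in ("eax", "ebx", "ecx", "edx")}
    else: raise ValueError(f"unknown gadget {g}")

def run_chain(chain):
    """Run a chain from a zeroed register file and return the registers."""
    regs = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0, "syscall": None}
    for g in chain:
        step(regs, g)
    return regs

def build_constant(n):
    """Leave n in eax using gadgets 1-4 only: set 1, then double/increment bitwise."""
    if n == 0:
        return [1]
    seq = [2]                    # eax = 1 covers the most significant bit of n
    for bit in bin(n)[3:]:       # remaining bits, most significant first
        seq.append(4)            # shift the partial value left by one
        if bit == "1":
            seq.append(3)        # bring in a 1 bit
    return seq

def execve_chain(path_ptr, argv_ptr):
    """Chain that sets ebx=path, ecx=argv, edx=NULL, eax=11, then gadget 9."""
    return (build_constant(path_ptr) + [5] + build_constant(argv_ptr) + [6]
            + [1, 7] + build_constant(EXECVE_NR) + [9])

def follows_execve_convention(regs, path_ptr, argv_ptr):
    """True if the state captured by gadget 9 matches the execve register layout."""
    s = regs["syscall"]
    return s is not None and (
        (s["eax"], s["ebx"], s["ecx"], s["edx"]) == (EXECVE_NR, path_ptr, argv_ptr, 0))
```

Running execve_chain(BINSH_PTR, ARGV_PTR) through run_chain produces a 105-entry chain built from only the nine gadget types, which matches the slides' point that a handful of distinct gadgets is reused hundreds of times.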

Exploit. Compiling options: gcc -o ROP ROP.c -mpreferred-stack-boundary=2 -fno-stack-protector -ggdb -std=c99 (the exploit depends on -fno-stack-protector, which turns off GCC's stack-smashing protection). Exploit input: $ ./ROP `cat payload1` `cat payload2` /bin/sh. Here ./ROP is the vulnerable executable; payload1 is the input to the first string copy, which redirects the pointer of input2 to the location of the return address; payload2 is the gadget chain that spawns the shell (execve of /bin/sh); /bin/sh is passed to main as argv[3], since nothing limits the number of argv entries!

Before first strcpy. Stack layout, highest address first:
  RETURN
  EBP
  POINTER FOR input2
  input1 (16 BYTES)
Our first string copy fills the input buffer with A's and overwrites the pointer to the second input with the address of the return address slot.

After first strcpy. Stack layout, highest address first:
  RETURN
  EBP
  POINTER OF input2 (NOW CONTAINS THE RETURN ADDRESS POINTER)
  input1 (16 BYTES, FILLED WITH A's)
Our input = 16 A's + return address pointer. After the first string copy the input buffer is filled with A's and the pointer now holds the address of the return address slot.

After second strcpy. Stack layout, highest address first:
  ....
  GADGET 5
  GADGET 4
  GADGET 3
  GADGET 2
  GADGET 1 (in the return address slot)
  EBP
  POINTER OF input2 (FILLED WITH THE RETURN ADDRESS POINTER)
  INPUT (16 BYTES)
Our second string consists of the gadget address chain. Because the second copy writes through the redirected pointer, all the gadget addresses are placed on the stack starting at the return address slot. When main completes and performs ret, our gadget chain is executed.

Screenshots of Demo

Pointer is filled with the return address

Gadgets

Demo Recording Time!

Exploit Evolution. First, we used the concept of ROP to perform exit(1) using our gadgets. Then, we used the concept of ROP to perform exit(5) using our gadgets. Next, we redesigned the exploit to spawn a hardcoded "/bin/sh" shell. Finally, we redesigned it to trigger flexible system calls.

Things to Avoid. Return address pointers or gadget addresses that contain a 0x00 byte: a null byte terminates the strcpy. Return address pointers or gadget addresses that contain a 0x20 byte: a space terminates an argv string.

Task Assignment (team: Ali Qahtani, Himanavanth Reddy, Manobiram Vangeepuram, Harshil Pandya). Reading and Brainstorming: all four members. Vulnerable Code Design: two members. Gadget design: two members. Exploit Design: two members. Verification and Testing: all four members. Exploit Evolution: two members. Slides and Demo Development: all four members.

Thank you!