David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz

Control Flow Hijack: Always control + computation computation + control shellcode (aka payload)padding&buf 2 Return-oriented programming (ROP): shellcode without code injection

Motivation: Return-to-libc Attack Overwrite return address with address of libc function setup fake return address and argument(s) ret will “call” libc function No injected code! 3 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp ptr to “/bin/sh” &system ret transfers control to system, which finds arguments on stack

Attack Surface: Linux 2/1/20124 Randomized Stack Heap Unrandomized Program Image Libc

Attack Surface: Windows 2/1/20125 Randomized Stack Heap Unrandomized Program Image Libc

How do we exploit DEP-defended systems where the text section isn’t randomized? 6

7 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp ptr to “/bin/sh” &system What if we don’t know the absolute address to “/bin/sh”? (objdump gives addresses, but we don’t know ASLR constants) Find an instruction sequence, aka gadget, to calculate the address at exploit time.

8 … argv argc return addr caller’s ebp buf “/bin/sh” argv[1] buf gadgets to compute ptr to “/bin/sh” &system Idea! Get a copy of ESP to calculate address of “/bin/sh” on randomized stack. This overcomes ASLR because ASLR only protects against knowing absolute addresses. Computed “/bin/sh” Writes

Return Oriented Programming Techniques 1.Return chaining 2.Semantic equivalence 3.ROP on Windows 9

Return Chaining Suppose we want to call 2 functions in our exploit: foo(arg1, arg2) bar(arg3, arg4) Stack unwinds up First function returns into code to advance stack pointer – e.g., pop; pop; ret 10 arg4 arg3 &(pop-pop-ret) bar arg2 arg1 &(pop-pop-ret) foo Overwritten ret addr What does this do?

Return Chaining When foo is executing, &pop-pop-ret is at the saved EIP slot. When foo returns, it executes pop-pop-ret to clear up arg1 (pop), arg2 (pop), and transfer control to bar (ret) 11 arg4 arg3 &(pop-pop-ret) bar arg2 arg1 &(pop-pop-ret) foo

There are many semantically equivalent ways to achieve the same net shellcode effect 12

... v2v2 v1v1 a 1 : mov eax, [esp] a 2 : mov ebx, [esp+8] a 3 : mov [ebx], eax Implementation 1 Equivalence 13 Desired Logic Stack Mem[v2] = v1 esp

Gadgets 14 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 Suppose a 5 and a 3 on stack esp eax ebx eip v1v1 a1a1

Gadgets 15 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a1a1 a3a3

Gadgets 16 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a3a3 v2v2

Gadgets 17 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a4a4 a5a5 v2v2

Gadgets 18 Desired Logic a5a5 v2v2 a3a3 v1v1 Stack Mem[v2] = v1 a 1 : pop eax; a 2 : ret a 3 : pop ebx; a 4 : ret a 5 : mov [ebx], eax Implementation 2 esp eax ebx eip v1v1 a5a5 v2v2 Gadget 1Gadget 2

Equivalence 19 Desired Logic a3a3 v2v2 a2a2 v1v1 Stack Mem[v2] = v1 a 1 : mov eax, [esp] a 2 : mov ebx, [esp+8] a 3 : mov [ebx], eax Implementation 1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Implementation 2 semantically equivalent esp “Gadgets”

Gadgets A gadget is a set of instructions for carrying out a semantic action – mov, add, etc. Gadgets typically have a number of instructions – One instruction = native instruction set – More instructions = synthesize <- ROP Gadgets in ROP generally (but not always) end in return 20

ROP Programming 1.Disassemble code 2.Identify useful code sequences as gadgets 3.Assemble gadgets into desired shellcode 21

22 Image by Dino Dai Zovi

ROP Overview Idea: We forge shell code out of existing application logic gadgets Requirements: vulnerability + gadgets + some unrandomized code (we need to know the addresses of gadgets) 23

Return-Oriented Programming (ROP) Find needed instruction gadgets at addresses a 1, a 2, and a 3 in existing code Overwrite stack to execute a 1, a 2, and then a 3 24 Desired Shellcode Mem[v2] = v1 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp

Return-Oriented Programming (ROP) 25 Desired Shellcode Mem[v2] = v1 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp a3a3 v2v2 a2a2 v1v1 a1a1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Desired store executed!

Quiz void foo(char *input){ char buf[512];... strcpy (buf, input); return; } a 1 : add eax, 0x80; pop %ebp; ret a 2 : pop %eax; ret 26 Draw a stack diagram and ROP exploit to pop a value 0xBBBBBBBB into eax and add 0x80. Known Gadgets ret instr

Quiz void foo(char *input){ char buf[512];... strcpy (buf, input); return; } a 1 : add eax, 0x80; pop %ebp; ret a 2 : pop %eax; ret 27 a1a1 0xBBBBBBBB a2a2 saved ret saved ebp buf AAAAA... a 2 0xBBBBBBBB a 1 Overwrite buf gadget 1 + data gadget 2

ROPing Windows LPVOID WINAPI VirtualProtect( LPVOID lpAddress, // dynamically determined base addr to pages to change SIZE_T dwSize, // size of the region in bytes DWORD DWORD flNewProtect, // 0x40 = EXECUTE_READWRITE DWORD flProtect // A ptr to a variable for prev. arg ); 28 VirtualProtect() can un-DEP a memory region

VirtualProtect Diagram 29 flProtect (a ptr to mem) flNewProtect (static) dwSize (dynamic) lpAddress (dynamic) addr of your shellcode to unprotect &VirtualProtect Craft lpAddress Craft dwSize LPVOID WINAPI VirtualProtect( LPVOID lpAddress, SIZE_T dwSize, DWORD DWORD flNewProtect, DWORD flProtect );

ROPing Windows: An Example Exploit (pre-Win 8) 30 Shellcode Padding/NOPS 7. Change value of ESP back to where pointer to VirtualProtect is, then ret 6. Gadget to overwrite placeholder for Param 4 5. Gadget to overwrite placeholder for Param 3 with value 4. Gadget to overwrite placeholder for Param 2 with value 3. Gadget to overwrite placeholder for Param 1 with value (Pointer to shellcode = saved ESP + offset) lpAddress placeholder: base addr to pages to change dwSize placeholder: size of the region in bytes flNewProtect placeholder: EXECUTE_READWRITE flProtect : A ptr to a variable for prev. arg Pointer to VirtualProtect (static) and space for params: 2. gadgets to get stack pointer and save it to a register (push %esp; pop %eax; ret) & jump below the parameters (add esp, offset; ret) From Gadgets to run shellcode (not shown) esp 1. Stack Pivot

Stack Pivots Pointing esp to controlled data Fact: Functions often access arguments with respect to esp Defn: A stack pivot redirects esp at attacker- controlled data Example: Attacker controls heap data pointed to be ESI. One stack pivot may be: xchg esi, esp; ret Now esp points to the attacker-controlled data. 31

Other References Thorough introduction: /16/exploit-writing-tutorial-part-10- chaining-dep-with-rop-the-rubikstm-cube/ Adopting to Win8: eating-windows-8-rop-mitigation/ 32

Disassembling Code 33

Recall: Execution Model 34 Process Memory Stack Heap Processor Fetch, decode, execute read and write Code EIP

Disassembly objdump -d./file : 0:55 push %ebp 1:89 e5 mov %esp,%ebp 3:83 ec 10 sub $0x10,%esp 6:8b 45 0c mov 0xc(%ebp),%eax 9: add 0x8(%ebp),%eax c: add 0x10(%ebp),%eax f:89 45 fc mov %eax,0xfffffffc(%ebp) 12:8b 45 fc mov 0xfffffffc(%ebp),%eax 15:83 e0 01 and $0x1,%eax 18:84 c0 test %al,%al 1a:74 03 je 1f 1c:ff 45 fc incl 0xfffffffc(%ebp) 1f:8b 45 fc mov 0xfffffffc(%ebp),%eax 22:c9 leave 23:c3 ret Address Executable instructions Disassemble

Linear-Sweep Disassembly 36 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions Algorithm: 1.Decode Instruction 2.Advance EIP by len push ebp

Linear-Sweep Disassembly 37 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions push ebp... push ebp mov %esp, %ebp

Linear-Sweep Disassembly 38 Disassembler EIP 0x550x890xe50x830xec0x10...0xc9 Executable Instructions push ebp mov %esp, %ebp Algorithm: 1.Decode Instruction 2.Advance EIP by len Note we don’t follow jumps: we just increment by instruction length

Disassemble from any address 39 0x550x890xe50x830xec0x10...0xc9 push ebp Normal Execution mov %esp, %ebp Disassembler EIP It’s perfectly valid to start disassembling from any address. All byte sequences will have a unique disassembly

Recursive Descent Follow jumps and returns instead of linear sweep Undecidable: indirect jumps – Where does jmp *eax go? 40

ROP Programming 1.Disassemble code 2.Identify useful code sequences ending in ret as gadgets 3.Assemble gadgets into desired shellcode 41 Disassemble all sequences ending in ret

ROP: Shacham et al. 1.Disassemble code 2.Identify useful code sequences as gadgets ending in ret 3.Assemble gadgets into desired shellcode 42 Automatic Manual Then Q came along and automated

43 Questions?