SELF INTRODUCTION &
THE STORY THAT I TRIED TO MAKE SAYONARA ROP CHAIN IN LINUX
2016/04/27
Lightning Talks
inaz2
ABOUT ME
• inaz2
• http://twitter.com/inaz2
• Security engineer & Python programmer
• AVTOKYO 2014 & 2015 speaker
• Weblog: Momoiro Technology
• http://inaz2.hatenablog.com/
• Written in Japanese but Google Translate will help us
LOW LAYER AND ME
• Got in touch at Plaid CTF 2013 (year of ropasaurusrex)
• Tried to understand exploitation for 3 years
• “ROP Illmatic: Exploring Universal ROP on glibc x86-64”
(AVTOKYO 2014)
• Introduced Return-to-dl-resolve technique
• Introduced JIT-ROP techniques in Linux
• Wrote “roputils” library for writing stable exploit code
• “Abusing Interrupts for Reliable Windows Kernel Exploitation”
(AVTOKYO 2015)
• Verified IDT overwrite techniques still work in 32-bit Windows
SAYONARA ROP CHAIN
• https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
• Universal ASLR & NX/DEP bypass in Windows x86
• Use gadgets in non-ASLR DLLs
• Metasploit also generates its variant by generate_rop_payload()
TRYING TO MAKE LINUX VERSION
• The Return-to-dl-resolve technique works on x86 Linux (without PIE)
1. Send a crafted symbol structure to a fixed address (e.g. the .bss section)
2. Call it through dl-resolve@plt with adjusted arguments
• We don’t have to do a stack pivot
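The two preconditions on this slide, a fixed writable address (no PIE) and a PLT that still enters the lazy resolver, are exactly what a hardened build removes: PIE relocates .bss, and BIND_NOW (DF_BIND_NOW / DF_1_NOW) makes ld.so resolve every import at load, so the lazy path is never armed. The checker below is an added example, not code from the talk or from roputils: it reads an ELF64’s program headers and .dynamic and reports those properties, and the two ELF images it inspects are constructed inline, with the non-PIE one laid out at 0x400000/0x600000 like the x64 case the talk describes.

```python
import struct
# ELF64 constants (System V ABI / glibc elf.h).
ET_EXEC, ET_DYN, PT_LOAD, PT_DYNAMIC, PF_X, PF_W, PF_R = 2, 3, 1, 2, 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0, 30, 0x6FFFFFFB, 8, 1

def program_headers(data):
    """Yield (p_type, p_flags, p_offset, p_vaddr, p_filesz) for each ELF64 program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    phoff, (phentsize, phnum) = struct.unpack_from("<Q", data, 32)[0], struct.unpack_from("<HH", data, 54)
    for i in range(phnum):
        t, f, off, vaddr, _, filesz, _, _ = struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize)
        yield t, f, off, vaddr, filesz

def dynamic_entries(data, phdrs):
    for t, _, off, _, size in phdrs:          # walk PT_DYNAMIC's (d_tag, d_val) pairs up to DT_NULL
        if t == PT_DYNAMIC:
            for pos in range(off, off + size, 16):
                tag, val = struct.unpack_from("<QQ", data, pos)
                if tag == DT_NULL:
                    return
                yield tag, val

def assess(data):
    """Report the load-time properties the talk's x86 chain depends on and a hardened build removes."""
    phdrs = list(program_headers(data))
    dyn = dict(dynamic_entries(data, phdrs))
    pie = struct.unpack_from("<H", data, 16)[0] == ET_DYN
    bind_now = bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        "pie": pie,
        "bind_now": bind_now,
        # Writable PT_LOAD segments at fixed addresses: where a non-PIE .bss lives (0x600000 on x64).
        "fixed_writable": [] if pie else sorted(hex(v) for t, f, _, v, _ in phdrs if t == PT_LOAD and f & PF_W),
        # A fixed writable address plus a lazily bound PLT is exactly what the talk's chain relies on.
        "fixed_lazy_binding": not pie and not bind_now,
    }

def build_sample(hardened):
    """Constructed minimal ELF64 image (not a real binary): header, 3 program headers, tiny .dynamic."""
    dyn_off = 64 + 56 * 3
    dyn = struct.pack("<QQQQ", DT_FLAGS_1, DF_1_NOW if hardened else 0, DT_NULL, 0)
    base = 0 if hardened else 0x400000   # PIE is relocated at load; the talk's x64 layout is 0x400000/0x600000
    data_va = base + 0x200000
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, base, base, dyn_off, dyn_off, 0x1000),
             (PT_LOAD, PF_R | PF_W, dyn_off, data_va, data_va, len(dyn), 0x1000, 0x1000),
             (PT_DYNAMIC, PF_R | PF_W, dyn_off, data_va, data_va, len(dyn), len(dyn), 8)]
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if hardened else ET_EXEC, 62, 1, base, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dyn
```

Running `assess(open(path, "rb").read())` on a real binary gives the same dictionary; `fixed_lazy_binding` is the field to watch when reviewing a build.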
BUT IT WON’T WORK ON X64
• On x64 Linux, the code section and the data section are not adjacent
• Code at 0x400000, data at 0x600000
• Symbol version check is enabled by default
• The resolver fails to find VERSYM and raises SEGV
• We need to read the pointer link_map@got and overwrite [link_map+0x1c8] with 0
RECAP
• I tried to make a universal ROP chain for Linux
• For x86, I succeeded with the return-to-dl-resolve technique
• But for x64, we have to traverse link_map and patch it
• A heavy task for ROP… Game Over \(^o^)/
REFERENCE
• Advanced return-into-lib(c) exploits (PaX case study) (Phrack 58)
• http://phrack.org/issues/58/4.html
• Return to Dynamic Linker (Codegate 2014 Junior)
• http://www.codegate.org/content/board/post_list.php?bid=48&q=Return+to+Dynamic+Linker
• How the ELF Ruined Christmas (USENIX Security 2015)
• https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/di-frederico
THANK YOU!
@inaz2