Upload
nellie
View
126
Download
2
Tags:
Embed Size (px)
DESCRIPTION
ASLR smack and laugh reference. What ASLR means. ASLR stands for address space layout randomization It’s a security technology to prevent exploitation of buffer overflows It’s implemented and enabled by default into important operating systems - PowerPoint PPT Presentation
Citation preview
1
ASLR smack and laugh reference
2
What ASLR meansASLR stands for address space layout
randomizationIt’s a security technology to prevent
exploitation of buffer overflowsIt’s implemented and enabled by default into
important operating systems It introduces randomness into the address
space of a process
3
ASLR contd.. With ASLR the predictability of memory
addresses is reduced by randomizing the address space layout for each instantiation of a program. So the job of ASLR is to prevent exploits by moving process entry points to random locations, because this decreases the probability that an individual exploit will succeed. Common exploits fail by crashing the process with a high probability instead of executing malicious code.
4
Testing ASLR
Fig 1: Without ASLR
Fig 2: With ASLR
24 bits out of 32 are randomized
ASLR can be disabled at boot-time passing the norandmaps parameter Or at runtime via echo 0 >/proc/sys/kernel/randomize_va_space
5
Techniques to bypass ASLRStack juggling methods
Ret2ret Ret2esp Ret2eax Ret2 pop
GOT hijackingOverwriting DTORS
6
ret2ret Relies on a pointer previously stored on
the stack as a potential return address to the shellcode.
A potential return address is a base address of a pointer in the upper stack frame, above the saved return address
The gap between the location of the potential return address on the stack and the shellcode, padded with addresses that contain a RET instruction.
Each RET performs a POP action and increments ESP by 4 bytes, and afterward jumps to the next one.
The last RET will jump to the potential return address and will lead to the shellcode
7
Ret2ret contd… Vulnerable code
Ret2ret procedure
strcpy(buf,argv[1]); Calculate the buffer start and end addresses ( the target range for exploitation)
Search for a potential return address in the upper stack frame by examining the EBP
If an address is found, subjecting it to byte-alignment conversion might produce an address that falls between the buffer start and end address. For example, if buf starts at 0xbffff6d0 and ends at 0xbffff6d8 and the address found by EBP examination is 0xbffff6f0 , then 0xbffff6f0 & 0xFFFFFF00 = 0xbffff600 is an address that falls within buffer start and end addresses.
We find a RET address from dump and fill up the locations all the way to that pointer with that RET address.
8
Ret2pop resembles the previous
method, except it's focused on a buffer overflow within a program function scope
When the buffer is used as the 2nd argument in the function, the combination of
POP followed by a RET would skip the 1st argument jump directly to the 2nd argument
The pop command causes the stack to skip 4 bytes
The next instruction is ret which leads to the pointer to the shell code
9
ret2pop contd… vulnerable code ret2pop
techniqueVulnerable code
This code contains a strcpy vulnerability in function and a perfect pointer to argv because an argv argument is directly passed to function. Note that Argv is the 2nd parameter
Find a pop-ret sequence
The address of the pop ret sequence is 0x08048467 which will be the last entry of ret2pop chain
10
ret2esp ret2esp procedure vulnerable codeThe principle of this
method is interpret hardcoded data as instruction
ret2esp takes advantage of the instruction sequence
jmp *espThe hardcoded value
58623 is ffe4 which is translated to ‘jmp *esp
11
ret2esp contd.. From the dump of the assembler code we can find something like:
0x08048397 <main+19>: movl $0xe4ff,0xfffffff4(%ebp) If we analyze the memory location of 0x08048397 (gdb) x/7b 0x080483970x8048397 <main+19>: 0xc7 0x45 0xf4 0xff 0xe4 ... (gdb) x/1i 0x804839a
0x804839a <main+22>: jmp *%esp
We need to overwrite the instruction pointer with 0x804839a and have ESP point to the shellcode
12
ret2eaxThe idea of this approach is to
use the information that is stored in the accumulator, the EAX register
A function that returns a value, stores this value by using EAX
a function that returns a string, writes a pointer to this string into EAX right before the execution is continued by the calling function
The exploit requires overwriting of the return address with address of a call *eax instruction
Fig : ret2eax
13
ret2eax contd…Strcpy returns a pointer
to buf, the pointer is written into EAX
Next step is to find the address of a call *esp:
objdump –D ret2eax|grep –B 2 call|grep eax 8048493: call *%eax
The return address will be overwritten with 0x08048493
14
GOT hijackingGOT stands for global offset tablePLT stands for procedure linkage tableThese tables are involved when a library
function is called.PLT contains instructions(namely jmp
instructions) and GOT contains pointers.
15
GOT & PLT When a library function(e.g. printf) is called
jump to its relevant entry of the PLT which points to an entry in GOT
Jump to the address that this entry of the GOT contains
If the function is called for the first time this address points to the next instruction in the
PLT, which calls the dynamic linker to resolve the function’s address. If the function’s address has been found somehow it is written to the GOT and the function is executed.
Otherwise the GOT already contains the
address that points to printf. The function is executed immediately. The part of the PLT
that calls the dynamic linker is no longer used.
The execution of the function is finished. Go on with the execution of the calling function
Printf() call
PLT
GOTlibc
Dynamic linker
16
Ret2got vulnerable code Approach
The GOT entry of a function “A” will be patched, so that it points to another function ”B”. Every time function A is called, function B will be executed with the parameters function A has been called with
The objective is to have the 2nd printf function printf(“Array …”) be intrerprted as system(“Array …”). System will try to execute the Array script. An attacker could create a script called Array that contains /bin/sh for instance
The first printf simply triggers the dynamic linker to resolve its address
17
ret2got contd… code analysis exploitation
techniqueSo 0x08048332 has to be
written to the location 0x080496ac
1st strcpy accepts argv[1] . argv[1] can be used to overflow buffer array and overwrite ptr with the GOT reference of printf 0x080496ac
2nd strcpy accepts argv[2]. Argv[2] will be 0x08048332
18
DTORS vulnerabilities#include <stdio.h>#include <stdlib.h> static void cleanup(void) __attribute__
((destructor)); main() { printf("Some actions happen in the
main() function..\n"); printf("and then when main() exits, the
destructor is called..\n"); exit(0);} void cleanup(void) { printf("In the cleanup function now..\n"); }
In binary programs compiled with the GNU C compiler, special table sections called .dtors is made for destructors. The destructor functions are executed just before main exits with an exit system call
E.g. The cleanup function is defined with the dest Attribute
The .dtors table section of the binary is an array of 32 bit addresses terminated by a null address
The array always begins with 0xffffffff and ends with the NULL address of 0x00000000
Between these two are the addresses of all the functions that have been declared with the destructor attribute
19
DTORS contd…If we examine with ‘nm’
command:080495b4 d
__DTOR_END__080495ac d
__DTOR_LIST__……080483e8 t cleanup
.dtors section starts at _DTOR_LIST_ and ends at _DTOR_END_
080495ac will contain 0xffffffff
080495b4 will contain 0x00000000
080495b0 will contain e8830408, the address of cleanup function
If we examine with ‘objdump -s -j .dtors ./dtors_sample’, we can see the actual contents of the .dtors section: 80495ac ffffffff e8830408 00000000 ............
20
DTORS contd….dtors section is included in all binaries compiled
with the GNU C compiler, regardless of whether any functions were declared with the destructor attribute.
Since the .dtors section is writable, if the address after the 0xffffffff is overwritten with a memory address, the program's execution flow will be directed to that address when the program exits.
A code with a format string vulnerability e.g. printf(string)can be exploited to execute a shell script by overwriting the .dtors section
21
THANK YOU