ASLR smack and laugh reference

  • View

  • Download

Embed Size (px)


ASLR smack and laugh reference. What ASLR means. ASLR stands for address space layout randomization It’s a security technology to prevent exploitation of buffer overflows It’s implemented and enabled by default into important operating systems - PowerPoint PPT Presentation

Text of ASLR smack and laugh reference

ASLR smack and laugh reference

ASLR smack and laugh reference1 What ASLR meansASLR stands for address space layout randomizationIts a security technology to prevent exploitation of buffer overflowsIts implemented and enabled by default into important operating systems It introduces randomness into the address space of a process

2 ASLR contd.. With ASLR the predictability of memory addresses is reduced by randomizing the address space layout for each instantiation of a program. So the job of ASLR is to prevent exploits by moving process entry points to random locations, because this decreases the probability that an individual exploit will succeed. Common exploits fail by crashing the process with a high probability instead of executing malicious code.

3 Testing ASLR

Fig 1: Without ASLR Fig 2: With ASLR

24 bits out of 32 are randomized ASLR can be disabled at boot-time passing the norandmaps parameter Or at runtime via echo 0 >/proc/sys/kernel/randomize_va_space

4 Techniques to bypass ASLRStack juggling methodsRet2retRet2espRet2eaxRet2 popGOT hijackingOverwriting DTORS5 ret2retRelies on a pointer previously stored on the stack as a potential return address to the shellcode. A potential return address is a base address of a pointer in the upper stack frame, above the saved return addressThe gap between the location of the potential return address on the stack and the shellcode, padded with addresses that contain a RET instruction.Each RET performs a POP action and increments ESP by 4 bytes, and afterward jumps to the next one.The last RET will jump to the potential return address and will lead to the shellcode

66 Ret2ret contd Vulnerable code Ret2ret procedure strcpy(buf,argv[1]);Calculate the buffer start and end addresses ( the target range for exploitation)

Search for a potential return address in the upper stack frame by examining the EBP

If an address is found, subjecting it to byte-alignment conversion might produce an address that falls between the buffer start and end address. For example, if buf starts at 0xbffff6d0 and ends at 0xbffff6d8 and the address found by EBP examination is 0xbffff6f0 , then 0xbffff6f0 & 0xFFFFFF00 = 0xbffff600 is an address that falls within buffer start and end addresses.

We find a RET address from dump and fill up the locations all the way to that pointer with that RET address.7

Ret2pop resembles the previous method, except it's focused on a buffer overflow within a program function scopeWhen the buffer is used as the 2nd argument in the function, the combination of POP followed by a RET would skip the 1st argument jump directly to the 2nd argumentThe pop command causes the stack to skip 4 bytes The next instruction is ret which leads to the pointer to the shell code

88 ret2pop contd vulnerable code ret2pop techniqueVulnerable code

This code contains a strcpy vulnerability in function and a perfect pointer to argv because an argv argument is directly passed to function. Note that Argv is the 2nd parameterFind a pop-ret sequence

The address of the pop ret sequence is 0x08048467 which will be the last entry of ret2pop chain

9 ret2esp ret2esp procedure vulnerable codeThe principle of this method is interpret hardcoded data as instructionret2esp takes advantage of the instruction sequence jmp *espThe hardcoded value 58623 is ffe4 which is translated to jmp *esp

10 ret2esp contd..From the dump of the assembler code we can find something like:0x08048397 : movl $0xe4ff,0xfffffff4(%ebp)If we analyze the memory location of 0x08048397(gdb) x/7b 0x080483970x8048397 : 0xc7 0x45 0xf4 0xff 0xe4 ... (gdb) x/1i 0x804839a0x804839a : jmp *%esp

We need to overwrite the instruction pointer with 0x804839a and have ESP point to the shellcode

11ret2eaxThe idea of this approach is to use the information that is stored in the accumulator, the EAX registerA function that returns a value, stores this value by using EAXa function that returns a string, writes a pointer to this string into EAX right before the execution is continued by the calling functionThe exploit requires overwriting of the return address with address of a call *eax instruction

12Fig : ret2eax

ret2eax contdStrcpy returns a pointer to buf, the pointer is written into EAXNext step is to find the address of a call *esp: objdump D ret2eax|grep B 2 call|grep eax 8048493: call *%eaxThe return address will be overwritten with 0x0804849313

GOT hijackingGOT stands for global offset tablePLT stands for procedure linkage tableThese tables are involved when a library function is called.PLT contains instructions(namely jmp instructions) and GOT contains pointers.

14 GOT & PLTWhen a library function(e.g. printf) is called jump to its relevant entry of the PLT which points to an entry in GOTJump to the address that this entry of the GOT containsIf the function is called for the first time this address points to the next instruction in the PLT, which calls the dynamic linker to resolve the functions address. If the functions address has been found somehow it is written to the GOT and the function is executed. Otherwise the GOT already contains the address that points to printf. The function is executed immediately. The part of the PLT that calls the dynamic linker is no longer used.The execution of the function is finished. Go on with the execution of the calling function

Printf() callPLTGOTlibcDynamic linker15 Ret2got vulnerable code ApproachThe GOT entry of a function A will be patched, so that it points to another function B. Every time function A is called, function B will be executed with the parameters function A has been called withThe objective is to have the 2nd printf function printf(Array ) be intrerprted as system(Array ). System will try to execute the Array script. An attacker could create a script called Array that contains /bin/sh for instanceThe first printf simply triggers the dynamic linker to resolve its address

16 ret2got contd code analysis exploitation techniqueSo 0x08048332 has to be written to the location 0x080496ac1st strcpy accepts argv[1] . argv[1] can be used to overflow buffer array and overwrite ptr with the GOT reference of printf 0x080496ac2nd strcpy accepts argv[2]. Argv[2] will be 0x08048332

17 DTORS vulnerabilities#include #include static void cleanup(void) __attribute__ ((destructor));main() { printf("Some actions happen in the main() function..\n"); printf("and then when main() exits, the destructor is called..\n"); exit(0);}void cleanup(void) { printf("In the cleanup function now..\n"); }In binary programs compiled with the GNU C compiler, specialtable sections called.dtors is made for destructors. The destructor functions are executed just before main exits with an exit system call

E.g. The cleanup function is defined with the dest Attribute

The .dtors table section of the binary is an array of 32 bit addresses terminated by a null address

The array always begins with 0xffffffffand ends with the NULL address of0x00000000

Between these two are the addresses of all the functions that have been declared with the destructor attribute18 DTORS contdIf we examine with nm command:080495b4 d __DTOR_END__080495ac d __DTOR_LIST__080483e8 t cleanup.dtors section starts at _DTOR_LIST_ and ends at _DTOR_END_080495ac will contain 0xffffffff 080495b4 will contain 0x00000000080495b0 will contain e8830408, the address of cleanup function

If we examine with objdump -s -j .dtors ./dtors_sample, we can see the actual contents of the .dtors section: 80495ac ffffffff e8830408 00000000 ............19 DTORS contd.dtorssection is included in all binaries compiled with the GNU C compiler, regardless of whether any functions were declared with the destructor attribute.Since the.dtorssection iswritable, if the address after the0xffffffffis overwritten with a memory address, the program's execution flow will be directed to that address when the program exits.A code with a format string vulnerability e.g. printf(string)can be exploited to execute a shell script by overwriting the .dtors section20