As time goes by, operating system security protections have kept advancing, and with them the techniques to bypass them. Security Cookies, NX pages (DEP), ASLR and SafeSEH are some of these protections, and to build a reliable exploit it is necessary to deal with each and every one of them.
09/20/10 1
Hanging on a ROPe
Pablo Sole, Immunity
09/20/10 2
From a crash to a working exploit
What did we use to do after EIP was controlled?
Why do we need ROP?
ROP 101 (or the infinite wheel of pain...)
Problems of the manual approach
An automatic answer
Gadgets as SMT formulas
ROP from miniASM
Summary
Conclusions
09/20/10 3
What did we use to do after EIP was controlled?
Stack Memory (normal layout):
  Buffer..
  Saved Frame
  Return Address
  Func Args....
PWN!!!
Stack Memory (after the overflow):
  Buffer..
  Garbage
  SHELLCODE....
  JMP ESP
09/20/10 4
Why do we need ROP? Data Execution Prevention
Stack Memory:
  Buffer..
  Garbage
  SHELLCODE....
  JMP ESP
Stack and heap are not executable anymore!
09/20/10 5
ROP 101 (or the infinite wheel of pain...)
  MOV ECX,DWORD PTR [EAX]
  LEA EDX,DWORD PTR [EBP+8]
  PUSH EDX
  PUSH DWORD PTR [EBP+10]
  PUSH DWORD PTR [EBP+C]
  PUSH EAX
  CALL DWORD PTR [ECX+C]
Stack Swapping:
  XCHG EAX,ESP
  RETN
09/20/10 6
ROP 101 (or the infinite wheel of pain...)
Stack Memory:
  Addr POP EAX
  VALUE for EAX
  Addr POP ECX
  VALUE for ECX
  ...
  Addr SUB r1,r2
Gadgets:
  POP EAX
  RETN

  POP ECX
  RETN

  SUB EAX,ECX
  RETN
09/20/10 7
Problems of the manual approach
Finding the correct stack swap sequence can be hard.
Finding the correct gadgets that we need can be hard.
Bypassing bad chars while you try to find your gadgets is difficult.
Even simple examples can be a very time-consuming task.
09/20/10 8
Previous Automatic Approaches
Scanning for very simple/known sequences: mov edx,[ecx]; ret;
Expression trees/matching: WOOT'10, Dullien, Kornau, Weinmann
09/20/10 9
Problems with Previous Automatic Approaches
Simple scanning: imprecise; false positives and false negatives.
Expression trees: it might possibly miss some semantically equal gadgets.
09/20/10 10
An automatic answer
Provided I know where my controlled buffer is in memory, what if I could find a stack swap gadget automatically?
What if I could create a ROP chain from some easy programming language?
Both problems can be solved using the same tool.
09/20/10 11
ROP via SMT Formula Solving
09/20/10 12
SAT & SMT
Boolean satisfiability problem: ((x^y)^!(z^y)). Is there a variable assignment that makes the formula TRUE? Solving this automatically.
SMT solvers allow higher order logics to be handled, e.g. linear arithmetic, equality logic and so on: (x+y=8 ^ y=2 ^ x
09/20/10 13
Our Solution
Convert instruction sequences to SMT formulae. This gives a precise representation of instruction semantics.
For each ROP shellcode instruction build another formula that gives our requirements, e.g. 'EAX=[ECX] and EDX is not modified'.
To find a gadget we append our requirements and check for satisfiability/validity using a solver.
09/20/10 14
x86 Instructions as SMT Formulae
For each instruction in a gadget we need to convert it to an SMT formula:
  add eax,ebx  ->  regs['EAX'] = solver.addExpr(regs['EAX'], regs['EBX'])
                   flags['_CF'] = ...
09/20/10 15
Gadgets as SMT Formulae
At analysis time we iterate over the instructions and build the conjunction of each subformula:
  add eax,ebx
  sub eax,[ecx]
  ->  solver.subExpr(solver.addExpr(regs['EAX'], regs['EBX']), mem[regs['ECX']])
(Accounting for flags as well)
09/20/10 16
Finding Gadgets Using a Solver
What defines a useful gadget? Its semantics meet some criteria, e.g. 'I want the value EAX+4 to be in ESP. Please don't mangle EDX while you're at it'.
These requirements are easily expressed as an SMT formula:
  ESP_after = EAX_before + 4 ^ EDX_after = EDX_before
Using a solver we can then query the status of GADGET_FORMULA ^ REQUIREMENTS.
09/20/10 17
Satisfiability & Validity
A solver can tell us if a formula is satisfiable or valid.
Satisfiability: there exists at least one variable assignment that makes the formula TRUE.
Validity: there exists no variable assignment that makes the formula FALSE.
09/20/10 18
Generic & Context Specific Gadgets
A formula that is valid implies that, regardless of memory/register context, it meets our requirements: the gadget will always do what we want.
A formula that is satisfiable but not valid will meet our requirements under certain conditions: it will do what we want given certain preconditions on registers and memory.
09/20/10 19
Workflow
Find candidate gadgets.
From each gadget build an SMT formula G.
For each ROP primitive build an SMT formula R (more on this later: miniASM).
For every r in R and g in G build (r ^ g) and check for satisfiability or validity (depending on your requirements).
09/20/10 20
Implementation
09/20/10 21
Find Gadget Candidates
Search for RETN opcodes (0xC2 or 0xC3) in the entire DLL memory.
Disassemble backward until an unsupported/invalid opcode is found.
Generate all possible disassemblies (move a byte and magic can occur).
Finally, return the lists of opcodes for each RETN-ended sequence.
09/20/10 22
Candidates Example
Binary data:
  7C91990D  66 83 26 00 66 83 66     f&.ff
  7C919915  02 00 83 66 04 00 5E 5D  .f.^]
  7C91991D  C2 04 00                 .
Possible disassemblies:
  7C91991A  00 5E 5D        | ADD BYTE PTR DS:[ESI+5D],BL
  7C91991D  C2 04 00        | RETN 4

  7C919919  04 00           | ADD AL,0
  7C91991B  5E              | POP ESI
  7C91991C  5D              | POP EBP
  7C91991D  C2 04 00        | RETN 4

  7C91990E  66 83 26 00     | AND WORD PTR DS:[ESI],0
  7C919912  66 83 66 02 00  | AND WORD PTR DS:[ESI+2],0
  7C919917  83 66 04 00     | AND DWORD PTR DS:[ESI+4],0
  7C91991B  5E              | POP ESI
  7C91991C  5D              | POP EBP
  7C91991D  C2 04 00        | RETN 4
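As an added example (my own code, not DEPLIB's), the candidate enumeration of the two slides above over these same bytes: locate every RETN, then try each starting offset in a window before it and keep the starts whose forward decoding lands exactly on the RETN, which yields the same overlapping disassemblies the slide lists (plus the other legal starts). Only the opcodes present in these bytes are decoded; the byte at 7C91990D is not shown on the slide, so the sample starts at 7C91990E, and the window size is my own choice.

```python
# Added example (not DEPLIB code): enumerate RETN-terminated gadget candidates the way
# slide 22 shows overlapping disassemblies of the same bytes. Only the opcodes present
# in those bytes are decoded (66 prefix, 00 /r, 04 ib, 83 /4 ib, POP r32, RETN);
# any other byte is "unsupported" and ends that candidate.
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
# Bytes from slide 22; the byte at 7C91990D is not on the slide, so start at 7C91990E.
BASE = 0x7C91990E
SLIDE_BYTES = bytes.fromhex("66832600 6683660200 83660400 5E 5D C20400")

def decode(buf, i):
    """Decode one instruction at buf[i]: (text, length), or None if unsupported."""
    start, size = i, "DWORD"
    if buf[i] == 0x66:                          # operand-size override prefix
        size, i = "WORD", i + 1
    op = buf[i]; i += 1
    if op == 0xC3: return "RETN", i - start
    if op == 0xC2: return f"RETN {int.from_bytes(buf[i:i+2], 'little'):X}", i + 2 - start
    if 0x58 <= op <= 0x5F: return f"POP {REG32[op - 0x58]}", i - start
    if op == 0x04: return f"ADD AL,{buf[i]:X}", i + 1 - start
    if op in (0x00, 0x83):                      # ModRM forms: [reg] and [reg+disp8] only
        modrm = buf[i]; i += 1
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod in (2, 3) or rm == 4 or (mod == 0 and rm == 5):
            return None                         # disp32, register or SIB forms not handled
        mem = f"[{REG32[rm]}" + (f"+{buf[i]:X}]" if mod == 1 else "]")
        i += mod                                # one displacement byte when mod == 1
        if op == 0x00: return f"ADD BYTE PTR {mem},{REG8[reg]}", i - start
        if reg == 4: return f"AND {size} PTR {mem},{buf[i]:X}", i + 1 - start
    return None

def candidates(buf, base, window=16):
    """Map each RETN address to every instruction list that decodes forward onto it."""
    found = {}
    for ret in range(len(buf)):
        if buf[ret] not in (0xC2, 0xC3):
            continue
        for s in range(max(0, ret - window), ret + 1):
            i, insns = s, []
            try:
                while i < ret:                  # decode forward until we reach the RETN
                    d = decode(buf, i)
                    if d is None: break
                    insns.append(f"{base + i:08X} {d[0]}"); i += d[1]
                if i == ret:                    # landed exactly on the RETN: a candidate
                    insns.append(f"{base + ret:08X} {decode(buf, ret)[0]}")
                    found.setdefault(base + ret, []).append(insns)
            except IndexError:                  # instruction ran off the end of the buffer
                pass
    return found
```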
09/20/10 23
Sequence Analyzer
Emulate each instruction.
Generate a resulting CPU/memory context.
Support interactions between CPU and memory.
Use SMT expressions for the emulation.
Support abstract memory addressing: MOV EAX,DWORD PTR DS:[EDX] (given we don't know the final value of EDX).
It's easy to add new architectures (x64, ARM, etc.).
09/20/10 24
Sequence Analyzer
  0100739D > 33C0   XOR EAX,EAX
  0100739F   03C2   ADD EAX,EDX
  010073A1   3BC2   CMP EAX,EDX
  010073A3   74 05  JE SHORT 010073AA
  010073A9   33C0   XOR EAX,EAX
  010073AA   03C3   ADD EAX,EBX
09/20/10 25
Gadget Properties
We calculate a set of properties like: what registers were read, written or dereferenced.
These properties are used as a first criterion for gadget searching.
The smarter we are at discovering these properties, the faster we're going to find a useful gadget.
09/20/10 26
Gadget Complexity Index
How complex is this gadget? How many registers does it modify? How many memory operations does it have? How much has the stack pointer moved?
  MOV EDI,EAX
  POP EAX
  POP EBX
  RETN 4

  MOV EAX,[EBX]
  POP ECX
  RETN 0C

  XOR EDI,[EBX+ECX*4]
  MOV [EDI],EAX
  XOR EAX,EAX
  POP ECX
  RETN 30

  MOV EDI,EDI
  RETN
COMPLEXITY
09/20/10 27
Use cases and more details...
09/20/10 28
Stack swapping
What does that mean?
1) ESP = controlled memory address
2) EIP = controlled memory content
1)
  XCHG EAX,ESP
  MOV EAX,[EAX]
  MOV [ESP],EAX
  RETN
2)
  MOV ESI,[EAX]
  CALL ESI
1 & 2)
  XCHG EAX,ESP
  RETN
09/20/10 29
Stack swapping
1) ESP = controlled memory address
2) EIP = controlled memory content
As an SMT formula (with EAX = address of controlled memory):
  1)     eqExpr(ESP, EAX+4)
  2)     eqExpr(EIP, mem(EAX))
  1 & 2) boolAndExpr(1, 2)
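As an added example (my own code, not DEPLIB's), the same idea written out as SMT-LIB2 text that any SMT solver can consume (the talk used CVC3): each gadget instruction becomes an equality over SSA-versioned 32-bit registers and an array-valued memory, a requirement is conjoined to query satisfiability, or its negation to query validity, and the stack-swap requirement above (ESP = EAX+4 and EIP = [EAX] after XCHG EAX,ESP / RETN) is the built-in case. The register naming, the MEM array and the method names are my own conventions, not DEPLIB's API.

```python
# Added example (not DEPLIB code): build an SMT-LIB2 formula G for a gadget (slides 14-16)
# and conjoin a requirement R: G ^ R for satisfiability, G ^ !R for validity (slides 17-18).
# Subset handled: MOV/ADD/SUB/XOR/XCHG with reg, [reg] or hex-immediate operands, POP, RETN n.
REGS = ("EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI", "EIP")

class GadgetFormula:
    def __init__(self):
        self.ver = dict.fromkeys(REGS, 0)        # SSA version per register; X_0 = value before
        self.lines = [f"(declare-const {r}_0 (_ BitVec 32))" for r in REGS]
        self.lines.append("(declare-const MEM (Array (_ BitVec 32) (_ BitVec 32)))")
    def cur(self, r):                            # current SSA name, e.g. ESP_2 after two writes
        return f"{r}_{self.ver[r]}"
    def term(self, op):                          # operand -> SMT term over current versions
        if op.startswith("["):
            return f"(select MEM {self.cur(op[1:-1])})"
        return self.cur(op) if op in REGS else f"(_ bv{int(op, 16)} 32)"
    def assign(self, r, expr):                   # every write creates a fresh version
        self.ver[r] += 1
        self.lines += [f"(declare-const {self.cur(r)} (_ BitVec 32))",
                       f"(assert (= {self.cur(r)} {expr}))"]
    def emit(self, insn):
        mnem, *ops = insn.upper().replace(",", " ").split()
        if mnem == "MOV":
            self.assign(ops[0], self.term(ops[1]))
        elif mnem in ("ADD", "SUB", "XOR"):
            fn = {"ADD": "bvadd", "SUB": "bvsub", "XOR": "bvxor"}[mnem]
            self.assign(ops[0], f"({fn} {self.term(ops[0])} {self.term(ops[1])})")
        elif mnem == "XCHG":
            a, b = self.term(ops[0]), self.term(ops[1])   # read both before either write
            self.assign(ops[0], b); self.assign(ops[1], a)
        elif mnem == "POP":
            self.assign(ops[0], self.term("[ESP]"))
            self.assign("ESP", f"(bvadd {self.cur('ESP')} (_ bv4 32))")
        elif mnem == "RETN":                     # EIP = [ESP]; ESP += 4 + n
            self.assign("EIP", self.term("[ESP]"))
            n = 4 + (int(ops[0], 16) if ops else 0)
            self.assign("ESP", f"(bvadd {self.cur('ESP')} (_ bv{n} 32))")
        else: raise ValueError(f"unsupported instruction: {insn}")
        return self
    def query(self, requirement, validity=False):
        """Solver script: sat of G ^ R, or (validity) unsat of G ^ !R meaning R always holds."""
        req = f"(not {requirement})" if validity else requirement
        return "\n".join(self.lines + [f"(assert {req})", "(check-sat)"])

def stack_swap_query(validity=True):
    """Slide 29: does XCHG EAX,ESP / RETN give ESP = EAX_before + 4 and EIP = [EAX_before]?"""
    g = GadgetFormula().emit("XCHG EAX,ESP").emit("RETN")
    req = f"(and (= {g.cur('ESP')} (bvadd EAX_0 (_ bv4 32))) (= {g.cur('EIP')} (select MEM EAX_0)))"
    return g.query(req, validity)
```

Feeding `stack_swap_query()` to a solver should answer unsat, i.e. the requirement holds for every register and memory context (a generic gadget); the same script with `validity=False` answers sat.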
09/20/10 30
Stack swapping
09/20/10 31
ROP from miniASM
We need a kind of ROP compiler. Some of its responsibilities:
Alloc/release registers.
Preserve stack memory from accidental overwrites.
Satisfy gadget preconditions.
Find the best way of performing a miniASM instruction.
Bypass bad chars.
Create the final ROP chain.
09/20/10 32
ROP from miniASM
We can use many tricks to implement an instruction!
Let's say we want to MOV EAX,0x1234:
  POP EAX
  RETN

  POP EAX
  RETN
  POP ECX
  RETN
  SUB EAX,ECX
  RETN

  MOV EAX,1234
  RETN

  (EBX points to some place in our ROP chain)
  MOV EAX,[EBX]
  RETN
09/20/10 33
ROP from miniASM
Let's say we have 4 tricks for storing a value in a register.
In DEPLIB we associate handlers with each instruction, where we implement these tricks.
Also, each trick has a preference, so we use the shorter cases first.
09/20/10 34
ROP from miniASM
From an SMT formula perspective, we just append all our gadget requirements and our guard conditions (regs/mem/flags that must be guarded), and ask the solver if there's a gadget that satisfies our query.
09/20/10 35
ROP from miniASM
A miniASM example:
  # VirtualAlloc(NULL, 0x1000, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
  va_addr = solveImport(kernel32!VirtualAlloc)
  args = (0, 0x1000, 0x3000, 0x40)
  allocated_buf = call(va_addr, args, callconv=stdcall)
  jmp_addr = VAR()
  mov(jmp_addr, allocated_buf)

  # the encoded shellcode sits right after the ROP chain
  shellcode_ptr = endofROP()
  shell_dword = VAR()
  shell_dword.bind(mem, shellcode_ptr)

  # decode it dword by dword into the new buffer until the 0xcafecafe terminator
  label(decrypt_loop)
  xor(shell_dword, 0xdeadbeef)
  mov(allocated_buf, shell_dword)
  add(allocated_buf, 4)
  add(shellcode_ptr, 4)
  ifne(shell_dword, 0xcafecafe, decrypt_loop)

  jmp(jmp_addr)
09/20/10 36
Summary
We emulate the x86 instruction set using an SMT solver (no FPU/SSE/etc.).
Then we store an SMT representation of all registers, flags and memory accesses.
This means we capture the semantics of a sequence of instructions.
Our solver of choice was CVC3.
09/20/10 37
Summary
This allows us to answer some non-obvious questions, e.g.:
Is there a gadget that sets ESP = EAX+4 AND EIP = [EAX]?
STACK SWAPPING
09/20/10 38
Summary
Is there a gadget that sets EAX = value, without touching ESI, EDI?
RETURN ORIENTED PROGRAMMING
09/20/10 39
Summary
But also solve things like: is there a value for EAX that takes a given branch? (and what is that value):
  IMUL EAX,ECX,4
  SUB EAX,[EBP+10]
  CMP EAX,100
  JL allowed
SYMBOLIC EXECUTION
09/20/10 40
Conclusions
DEPLIB 2.0 is going to be part of the release of Immunity Debugger 2.0 in December 2010.
Lots of different tools can be made from the work presented here.
ROP-only shellcode on x86 is possible using DEPLIB.
Concepts of ROP can be extended to other code reuse techniques:
Chain gadgets using jumps.
Chain gadgets using calls.
09/20/10 41
Thank you for your time
Contact me at: [email protected]