1 / 30

Agenda

Agenda. Exploit basics A defense basic ROP Review. Exploit basics. There are lots of ways to think about exploits. I (like most) like to break them down into 3 sections: Vulnerability Exists Vector Used, delivered (points control to the payload) Payload Delivered, does something.

keon
Download Presentation

Agenda

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Agenda • Exploit basics • A defense basic • ROP • Review

  2. Exploit basics • There are lots of ways to think about exploits. • I (like most) like to break them down into 3 sections: • Vulnerability • Exists • Vector • Used, delivered (points control to the payload) • Payload • Delivered, does something

  3. Vulnerabilities are bugs • Who creates the vulnerability? • What “uses” the vulnerability? • To do what?

  4. Vectors • So, in the traditional view, we overwrote some program and into memory. • In that overwrite, we have to write values that get the machine to do something. • Depending on the machine, we overwrite structures it needs to do stuff. • At the highest level, we poison tables needed for operation. We poison them to divert operation *into* our paylod.

  5. Oldest Schools

  6. Payload • The part that does something. • The vector diverts execution to the payload. • Machine language code. • Normally we use the term “arbitrary code” to describe a working paylaod.

  7. Oldest Schooly • In a traditional stack overflow, we overwrite an address on the stack that the Operating System needs to navigate. • So the program was taking in data, and storing it in a buffer. • It takes in to much input and allows that input to overwrite a memory address needed for the OS. • The OS isn’t smart, it will blindly follow the instructions.

  8. Oldest Schools

  9. Defensive Measures • Operating system writers took on the challenge of stopping the vectors. Followed by CPU manufacturers. • Mitigation can solve lots of vulnerabilities… • NX, DX, DEP, non executable stack • W OR X

  10. Oldest Schools

  11. But first, whats a dll (or .so)?

  12. Ret2Libc

  13. Enter the ROP • From an academic paper by Hovav Shacham “The Geometry of Innocent Flesh on the Bone” • And a lesser known paper by Sebastian Krahmer “x86-64 buffer overflow exploits and borrowed code chunks exploitation technique” • Extra credit mention to Dino Dai Zovi and Vincenzo Iozzo. • Lots of people have contributed since then (I am not one of them) ( I didn’t even come up with the ransom note thing, I just thought it was too useful not to be re-used)

  14. So, what do I need to run a program? • Instructions… • What makes up other programs? • Instructions? • Do I need my own instructions? • Can I use your instructions? • What are “gadgets” ?

  15. Gadgets Pop eax pop ebx ret mov edi, [eax] ret Sub [ebx], edi ret

  16. Gadgets pop edi pop edi Pop eax ret Pop ebx pop eax ret ret Pop edi pop ebx Pop eax ret Ret Pop ebx Ret

  17. C3-PO • At least on x86…. • C3 • 85 f2 7E 9c 3a 77 • Null bytes… xor %eax, %eax

  18. So… how does it move? • So, our shellcode is NOT the assembly commands. • What does our shellcode consist of? • ESP gets incremented…

  19. NP Complete • There is always a polynomial-time algorithm for transforming an instance of any NP-complete problem into an instance of any other NP-complete problem. So if you could solve one you could solve any other by transforming it to the solved one. • But what is this bound by?

  20. So, non executable stacks • Whose code is running on the stack? • We could mention some functions, like VirtualProtect() here… • Windows vista and 7 permanent DEP….

  21. Code signing? • Where is the code coming from?

  22. ASLR? • How many gadgets in a library? • What if a library or driver is left out of ASLR? • Address independent gadgets?

  23. What could we do to stop this?

  24. Can you make it easier? • So some really smart guys (Shacham, Dai Zovi, Sotirov) came up with the idea of making a macro tool. • Rather than figure out the ROP gadgets, the programmer writes in terms of macros and intermediate code turns them into gadgets. (BISC) • Shacham has a compiler back end… • I think the Canvas guys have a tool… • Msfpescan can be used to find gadgets. • Expect more of this. • **note: BISC is not public

  25. Quick review • Exploit basics • Overwriting memory structures the OS relies on… • To poison a structure to steer it to our payload • A defensive mitigation • W OR X • ROP • Assembly instructions ending in a ret type instruction called a gadget • Gadgets chained together to do… well… anything bounded by size.

  26. Doggie Bags… • Notice that these major contributors are not your kid/criminal/virusWriter. These are legitimate computer science guys… what does that mean? • There is a back-and-forth between attackers and designers. • Is ROP hard or easy? Will it get harder or easier?

More Related