DEP & ROP
Modern Binary Exploitation
CSCI 4968 - Spring 2015
Markus Gaasedelen
MBE - 03/10/15 DEP & ROP 1
Lecture Overview
1. Introducing DEP
2. The History of DEP
3. Bypassing DEP with ROP
4. Stack Pivoting
Class up until Now
• Reverse Engineering
• Basic memory corruption
• Shellcoding
• Format strings
• Classical exploitation, few
protections, pretty eZ
• Time to add some ‘modern’
to the binary exploitation
madness
Modern Exploit Mitigations
• There's a number of modern exploit mitigations that we've
generally been turning off for the labs and exercises
• DEP
• ASLR
• Stack Canaries
• …?
• Today we turn one back on for the remainder of the course
• no more silly -z execstack in our gcc commands
Course Terminology
• Data Execution Prevention
• An exploit mitigation technique used to ensure that only
code segments are ever marked as executable
• Meant to mitigate code injection / shellcode payloads
• Also known as DEP, NX, XN, XD, W^X
Runtime Process Without DEP
Runtime memory, like an ELF, has multiple segments:
0x00000000 – Start of memory
Libraries (libc)   R-X, R-- ...
ELF Executable     R-X (Read, Execute)         .text segment
                   R-- (Read)                  .rodata segment
Heap               RWX (Read, Write, Execute)
Stack              RWX (Read, Write, Execute)
0xFFFFFFFF – End of memory
RPISEC - 10/17/2014 Intro to Binary Exploitation
Runtime Process With DEP
Runtime memory, like an ELF, has multiple segments:
0x00000000 – Start of memory
Libraries (libc)   R-X, R-- ...
ELF Executable     R-X (Read, Execute)         .text segment
                   R-- (Read)                  .rodata segment
Heap               RW- (Read, Write)
Stack              RW- (Read, Write)
0xFFFFFFFF – End of memory
DEP Basics
• No segment of memory should ever be Writable and
Executable at the same time, ‘W^X’
• Common data segments
• Stack, Heap
• .bss
• .ro
• .data
• Common code segments
• .text
• .plt
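A way to check the W^X rule above on a binary before it ever runs, added here as an example and not part of the course material: it parses the ELF program headers, reports whether PT_GNU_STACK requests an executable stack (what -z execstack produces) and lists any PT_LOAD segment that is mapped both writable and executable. The build_elf32 helper constructs a synthetic ELF as offline test input.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474e551          # program header types
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4                # segment permission flags

def program_headers(elf):
    """Yield (p_type, p_flags, p_vaddr) for every program header of a 32- or 64-bit ELF."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:   # Elf64_Ehdr: e_phoff at 32, e_phentsize/e_phnum at 54
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:      # Elf32_Ehdr: e_phoff at 28, e_phentsize/e_phnum at 42
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr starts: p_type, p_flags, p_offset, p_vaddr
            p_type, p_flags, _, p_vaddr = struct.unpack_from(end + "IIQQ", elf, off)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags
            p_type, _, p_vaddr, _, _, _, p_flags = struct.unpack_from(end + "7I", elf, off)
        yield p_type, p_flags, p_vaddr

def stack_is_executable(elf):
    """True if PT_GNU_STACK asks for an executable stack (what -z execstack does),
    False if it asks for a non-executable one, None if the header is absent."""
    for p_type, p_flags, _ in program_headers(elf):
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def wx_load_segments(elf):
    """Virtual addresses of PT_LOAD segments that are both writable and executable."""
    return [vaddr for p_type, flags, vaddr in program_headers(elf)
            if p_type == PT_LOAD and flags & PF_W and flags & PF_X]

def build_elf32(stack_flags, load_flags):
    """Constructed minimal 32-bit little-endian ELF (header plus one PT_LOAD and one
    PT_GNU_STACK program header) used as test input; it is not a loadable binary."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    load = struct.pack("<8I", PT_LOAD, 0, 0x8048000, 0x8048000, 0x1000, 0x1000, load_flags, 0x1000)
    stack = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + load + stack
```

Run the two checks over `open(path, "rb").read()` of a real binary; `readelf -l` shows the same GNU_STACK line for comparison.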
DEP in Action
• Data should never be
executable, only code
• What happens if we stack
smash, inject shellcode, and
try to jump onto the stack?
SEGFAULT at 0xbffffc04
yay mitigation technologies!
History of DEP
• When was DEP implemented?
• August 14th, 2004 - Linux Kernel 2.6.8
• August 25th, 2004 - Windows XP SP2
• June 26th, 2006 - Mac OSX 10.5
about 10 years ago
2004 in Perspective
• Facebook is created
• G-Mail launches as beta
• Ken Jennings begins his 74 win streak on Jeopardy
• Halo 2 is released, as is Half Life 2
• LOST airs its first episode
Security is Young
• Technologies in modern exploit mitigations are
incredibly young, and the field of computer
security is rapidly evolving
• DEP is one of the main mitigation
technologies you must bypass in modern
exploitation
Bypassing DEP
• DEP stops an attacker from easily executing injected
shellcode assuming they gain control of EIP
• shellcode almost always ends up in a RW- region
• If you can’t inject (shell)code to do your bidding, you
must re-use the existing code!
• This technique is usually some form of ROP
Course Terminology
• Return Oriented Programming
• A technique in exploitation to reuse existing code
gadgets in a target binary as a method to bypass DEP
• Also known as ROP
• Gadget
• A sequence of meaningful instructions typically followed
by a return instruction
• Usually multiple gadgets are chained together to
compute malicious actions like shellcode does
• These chains are called ROP Chains
Relevant Quotes
“Preventing the introduction of malicious
code is not enough to prevent the
execution of malicious computations”
-Dino Dai Zovi
Gadgets
• ROP Chains are made up of gadgets
• Example gadgets -
xor eax, eax ; ret
pop ebx ; pop eax ; ret
add eax, ebx ; ret
$ ropgadget --binary /bin/bash
Understanding ROP
• It is almost always possible to create a logically equivalent
ROP chain for a given piece of shellcode
exit(0) - shellcode:
xor eax, eax
xor ebx, ebx
inc eax
int 0x80
exit(0) - ROP chain:
xor eax, eax ; ret
xor ebx, ebx ; ret
inc eax ; ret
int 0x80
Understanding ROP
exit(0) - ROP chain, stepped through one gadget at a time:
xor eax, eax
ret
xor ebx, ebx
ret
inc eax
ret
int 0x80
exits ...
Bypassing DEP with ROP
• We called exit(0) without using any sort of shellcode!
• With that said, writing ROP can be difficult and you will
usually have to get creative with what gadgets you find
/levels/lecture/rop/rop_exit
• Play around with ROP on the warzone
• Can you make a ROP chain to set arbitrary exit
values? 0? 200? 64?
Relevant Tips/Tools/Commands
• $ ropgadget --binary ./rop_exit > /tmp/gadgetzXYZ.txt
• $ cat /tmp/gadgetzXYZ.txt | grep "pop eax" | grep …
• $ asm
• easy way to get the bytes for gadgets you're looking for
• $ gdbpeda
• searchmem, find raw bytes in an executing program
• ropsearch, a crappy rop gadget finder
• python
import struct

def q(addr):
    # pack a 32-bit address into the 4 bytes it occupies on the stack
    # (native byte order, i.e. little-endian on x86)
    return struct.pack("I", addr)
Typical Constraints in ROP
• Typically in modern exploitation you might only get one
targeted overwrite rather than a straight stack smash
• What can you do when you only have one gadget worth of
execution?
• Answer: Stack Pivoting
Stack Pivoting
You control the orange region (in the stack diagram)
You have one gadget
before you drop into
arbitrary data on the stack
Use your one gadget to
move ESP into a more
favorable location
(Stack Pivot)
add esp, 0x40c
ret
Stack Pivoting Tips
Any gadgets that touch esp will probably be of interest for a pivot scenario:
add esp, 0xXXXX ; ret
sub esp, 0xXXXX ; ret
ret 0xXXXX
leave ; ret        (leave is mov esp, ebp ; pop ebp)
xchg eXX, esp ; ret
Stack Pivoting Tips
• You may not find an exact pivot, or you may need to pivot
multiple times!
• You can always pad your ROP Chains with ROP NOPs, which
are simply gadgets that point to rets
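A toy model of the ret-driven control flow behind the exit(0) chain above and the stack pivot / ROP NOP padding just described, added here as a teaching example and not course code: the gadget addresses are constructed (they belong to no real binary) and each gadget is a Python function, so the model shows only why each ret hands control to the next stack slot, why "int 0x80" ends the chain, and why landing in a slot that is not a gadget derails it.

```python
import struct

# Toy model of a ret-driven gadget chain (constructed addresses, no real binary).
# Each gadget is a Python function that updates regs and returns the new esp; its
# trailing 'ret' is modelled by run_chain popping the next slot. int 0x80 ends it.
def g_xor_eax(regs, esp): regs["eax"] = 0; return esp
def g_xor_ebx(regs, esp): regs["ebx"] = 0; return esp
def g_inc_eax(regs, esp): regs["eax"] += 1; return esp
def g_int80(regs, esp): return None          # syscall: eax=1 is exit(ebx)
def g_add_esp_8(regs, esp): return esp + 8   # stack pivot: hop over 8 bytes
def g_ret(regs, esp): return esp             # ROP NOP: just ret again

GADGETS = {
    0x08048101: ("xor eax, eax ; ret", g_xor_eax),
    0x08048202: ("xor ebx, ebx ; ret", g_xor_ebx),
    0x08048303: ("inc eax ; ret", g_inc_eax),
    0x08048404: ("int 0x80", g_int80),
    0x08048505: ("add esp, 8 ; ret", g_add_esp_8),
    0x08048606: ("ret", g_ret),
}

def q(addr):
    """Pack a 32-bit little-endian address, one stack slot of the chain."""
    return struct.pack("<I", addr)

def run_chain(stack, esp, max_steps=32):
    """Start with esp pointing at the first return address; return (regs, trace)."""
    regs = {"eax": 0xdead, "ebx": 0xbeef}   # stale values the chain must clear
    trace = []
    for _ in range(max_steps):
        addr = struct.unpack_from("<I", stack, esp)[0]   # 'ret' pops the next slot
        esp += 4
        if addr not in GADGETS:   # non-gadget bytes: in a real process, a crash
            raise RuntimeError(f"control flowed into non-gadget address {addr:#x}")
        name, fn = GADGETS[addr]
        trace.append(name)
        esp = fn(regs, esp)
        if esp is None:           # int 0x80 reached: exit(ebx) with eax=1
            return regs, trace
    raise RuntimeError("chain did not terminate")

def exit_zero_chain():
    """The slide's exit(0) chain: eax=1 (SYS_exit), ebx=0, then int 0x80."""
    return q(0x08048101) + q(0x08048202) + q(0x08048303) + q(0x08048404)

def pivoted_chain():
    """One controlled slot followed by 8 bytes of unrelated data: the pivot hops
    over them, a ROP NOP pads, and execution falls into the real chain."""
    return q(0x08048505) + b"JUNKJUNK" + q(0x08048606) + exit_zero_chain()
```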
/levels/lecture/rop/rop_pivot
• Play around with Stack Pivoting on the warzone
ret2libc
• ‘ret2libc’ is a technique of ROP where you return
to functions in standard libraries (libc), rather
than using gadgets
• If you know the addresses of the functions you
want to ROP through in libc (assuming libc
exists), ret2libc is easier than making a ROP
chain with gadgets
MBE - 03/13/15 DEP & ROP 3
Common ret2libc Targets
• system()
• Executes something on the command line
• system("cat flag.txt");
• (f)open() / read() / write()
• Open/read/write a file's contents
ret2libc example
0x08045430: ret
system()
0xb7e65190: push ebx
0xb7e65191: sub esp, 8
0xb7e65194: mov eax, DWORD PTR [esp+0x10]
...
Returning to System
• We want to call system("cat flag.txt");
• Because we are ROPing into system rather than
calling it, you have to think about setting up the
stack (to pass arguments) a little bit differently
ret2libc example
0x08045430: ret
system()
0xb7e65190: push ebx
0xb7e65191: sub esp, 8
0xb7e65194: mov eax, DWORD PTR [esp+0x10]
...
cat flag.txt prints: w0w_u_g0t_th3_fl4g_such_h4ck3r
Chaining Calls