CS457 – Introduction to Information Systems Security: Software 2. Elias Athanasopoulos
Elias Athanasopoulos 2
More Jargon
Vulnerability type
- Stack overflow, heap overflow, integer overflow, use-after-free, formatting bug
Vulnerability scope
- Kernel/user, local/remote
Exploit type
- Code execution, privilege escalation, DoS
CS-457
Buffer Overflow
Figure: the stack before the overflow (Ret Address, Local Var., Vulnerable Buffer) and after it (Ret Address replaced by NEWRET, which points into the Shellcode placed behind a Sled).
Defense 1
Figure: the same stack (Ret Address, Local Var., Vulnerable Buffer), now with a Canary (a random value) placed between the buffer and the Ret Address.
Canary Values (stack canaries)
- Produced by the compiler
- Checked at run-time
- Can be disclosed
- Can be brute-forced
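Added illustration, not part of the slides: a small C model of the Defense 1 frame, with the canary sitting between the vulnerable buffer and the saved return address, and the run-time check that the compiler's epilogue performs. The struct layout, the constant RET_ADDR_ORIG and the function names are constructed for this example; the zero low byte of the canary mirrors what glibc does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of one stack frame, laid out as on the slide: the
 * vulnerable buffer sits below the canary, the canary below the saved
 * return address. A copy that runs off the end of buf hits the canary first. */
struct frame {
    char     buf[8];    /* vulnerable local buffer */
    uint64_t canary;    /* random value written by the compiler's prologue */
    uint64_t ret_addr;  /* saved return address */
};

#define RET_ADDR_ORIG 0x401136ULL  /* constructed sample value */

/* Stand-in for the per-process canary. The lowest byte is kept zero, as glibc
 * does, so a string function that reads past buf stops at the canary. */
static uint64_t make_canary(void) {
    uint64_t c = ((uint64_t)rand() << 32) ^ (uint64_t)rand();
    return c & ~(uint64_t)0xff;
}

/* Models a function with an unchecked copy into buf followed by the epilogue
 * canary check. Returns 1 if the canary survived, 0 if the check would fail
 * (real instrumentation calls __stack_chk_fail and aborts at that point).
 * The written frame is copied to *out so the caller can inspect ret_addr. */
int copy_with_canary_check(const char *input, size_t len, struct frame *out) {
    struct frame f;
    f.canary   = make_canary();
    f.ret_addr = RET_ADDR_ORIG;
    uint64_t expected = f.canary;   /* reference copy the check compares against */
    if (len > sizeof f) len = sizeof f;        /* keep the model inside the frame */
    memcpy((unsigned char *)&f, input, len);   /* the bug: len not checked against sizeof f.buf */
    if (out) *out = f;
    return f.canary == expected;
}

int main(void) {
    struct frame f;
    const char ok[] = "AAAAAAAA";                 /* exactly fills buf: check passes */
    char bad[24]; memset(bad, 'A', sizeof bad);   /* spills over canary and ret_addr */
    printf("8-byte copy:  canary %s\n", copy_with_canary_check(ok, 8, &f) ? "intact" : "corrupted");
    printf("24-byte copy: canary %s, ret_addr %s\n",
           copy_with_canary_check(bad, 24, &f) ? "intact" : "corrupted",
           f.ret_addr == RET_ADDR_ORIG ? "unchanged" : "overwritten");
    return 0;
}
```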
Defense 2
Figure: the same stack (Ret Address, Local Var., Vulnerable Buffer), then the process memory layout from High Address to Low Address: Stack, Heap, Data, Text. Text is Executable; should Stack, Heap and Data be Executable?
NX-bit
Non Executable bit
Data Execution Prevention (DEP)
W xor X
- Can be either Writable or Executable
Enforced in the MMU
- Most modern CPUs support this (Intel, ARM, etc.)
Limitations of NX-bit
JIT and dynamic code
- Web browsers
Bypassing NX-bit
Return to libc
Figure: a non-executable Stack holding RET, the Vulnerable Buffer and a function pointer (*f)(); after the overflow RET points into libc code, at execve("/bin/sh", …);
Return Oriented Programming (ROP)
Disassembly (three columns on the slide; the sequences ending in ret are the gadgets):

mov (%rcx),%rbx
test %rbx,%rbx
je 41c523 <main+0x803>
mov %rbx,%rdi
callq 42ab00
mov %rax,0x2cda9d(%rip)
cmpb $0x2d,(%rbx)
je 41c4ac <main+0x78c>
mov 0x2cda8d(%rip),%rax
ret
test %rbx,%rbx
mov $0x4ab054,%eax
cmove %rax,%rbx
mov %rbx,0x2cda6a(%rip)
test %rdi,%rdi
je 41c0c2 <main+0x3a2>
mov $0x63b,%edx
mov $0x4ab01d,%esi
callq 46cab0 <sh_xfree>
ret

mov %rax,0x2d2945(%rip)
mov 0x2cda16(%rip),%rax
test %rax,%rax
je 41c112 <main+0x3f2>
movzbl (%rax),%edx
callq 41b640 <time@plt>
mov 0xb8(%rsp),%r15d
cmp 0xc(%rsp),%r15d
mov %rax,0x2d2670(%rip)
je 41c214 <main+0x4f4>
xchg %ax,%ax
mov (%rsp),%rdx
movslq %r15d,%rax
mov (%rdx,%rax,8),%r14
ret
je 41c214 <main+0x4f4>
cmpb $0x2d,(%r14)
jne 41c214 <main+0x4f4>
movzbl 0x1(%r14),%r12d
movl $0x0,0x18(%rsp)

je 41c440 <main+0x720>
xor %ebp,%ebp
mov $0x4c223a,%ebx
add $0x1,%r14
jmp 41c1a3 <main+0x483>
cmp (%rbx),%r12b
mov %ebp,%r13d
jne 41c188 <main+0x468>
mov %rbx,%rsi
test %eax,%eax
xchg %ax,%ax
jne 41c188 <main+0x468>
movslq %ebp,%rax
ret
cmpl $0x1,0x4ab3c8(%rax)
je 41c461 <main+0x741>
mov (%rsp),%rcx
add $0x1,%r15d
movslq %r15d,%rdx
mov (%rcx,%rdx,8),%rdx

Gadget 1
Gadget 2
Gadget 3
ROP in action
Figure: the same non-executable Stack (RET, Vulnerable Buffer, (*f)()); after the overflow the buffer holds the ROP Chain, which serves as a Virtual Stack.
How does the ROP chain work? Use esp as the instruction pointer.
ROP Chain         TEXT Section (Code)
Addr. of G1  ->   G1; ret
Addr. of G2  ->   G2; ret
Addr. of G3  ->   G3; ret
Addr. of GN  ->   GN; ret