CS457 – Introduction to Information Systems Security Software 2 Elias Athanasopoulos [email protected]


Page 1: CS457 – Introduction to Information Systems Security Software 2

CS457 – Introduction to Information Systems Security: Software 2

Elias Athanasopoulos, [email protected]

Page 2

Elias Athanasopoulos 2

More Jargon

Vulnerability type
- Stack overflow, heap overflow, integer overflow, use-after-free, formatting bug

Vulnerability scope
- Kernel/user, local/remote

Exploit type
- Code execution, privilege escalation, DoS

CS-457

Page 3

Stack Buffer Overflow


[Figure: stack frame laid out from high to low address: Ret Address, Local Var., Vulnerable Buffer. After the overflow, the return address slot holds NEWRET, which points at the Shellcode written into the buffer; a second variant places a Sled in front of the Shellcode so NEWRET does not have to hit its exact start.]

Page 4

Defense 1


[Figure: the same stack frame (Ret Address, Local Var., Vulnerable Buffer) shown before and after Defense 1: a Canary (a random value) is placed between the local variables/vulnerable buffer and the return address.]

Page 5

Canary Values (stack canaries)

- Produced by the compiler
- Checked at run-time
- Can be disclosed
- Can be brute-forced
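As an added example (not part of the slides), a small C model of the check a compiler inserts for a stack canary: the frame is a struct, the canary value and the saved return address are constructed placeholders, and the three demo functions show an in-bounds copy, an overflow the canary catches, and the same overflow with a disclosed canary that the check cannot catch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 16

/* One stack frame modelled as a struct so the overflow stays inside one
   object (well-defined C). Layout as on the slide, low to high address. */
struct frame {
    char     buf[BUF_SIZE];   /* vulnerable local buffer */
    uint64_t canary;          /* random value guarding the slot above */
    uint64_t saved_ret;       /* the saved return address */
};
static const uint64_t DEMO_CANARY = 0x0a5e6d3b7c1f9e42ULL; /* constructed */

/* The modelled bug: the copy length comes from the input, not BUF_SIZE.
   Returns 1 if the compiler-style check fires (canary changed), else 0.
   The copy is clamped to the frame so the model never leaves the struct. */
int copy_with_canary(const char *input, size_t len, uint64_t canary_value) {
    struct frame f;
    f.canary    = canary_value;
    f.saved_ret = 0x401000;           /* constructed placeholder address */
    size_t n = len > sizeof f ? sizeof f : len;
    memcpy(&f, input, n);             /* bytes beyond buf spill into canary */
    return f.canary != canary_value;  /* the epilogue comparison */
}
/* 16 bytes fit the buffer: canary untouched -> 0 */
int demo_in_bounds(void) {
    char in[BUF_SIZE];
    memset(in, 'A', sizeof in);
    return copy_with_canary(in, sizeof in, DEMO_CANARY);
}
/* 32 bytes of filler clobber canary and saved_ret: check fires -> 1 */
int demo_overflow(void) {
    char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    return copy_with_canary(in, sizeof in, DEMO_CANARY);
}
/* Same overflow, but the canary's own bytes are replayed at its offset, so
   the check passes -> 0. This is the slide's "can be disclosed" caveat. */
int demo_disclosed_canary(void) {
    char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    memcpy(in + BUF_SIZE, &DEMO_CANARY, sizeof DEMO_CANARY);
    return copy_with_canary(in, sizeof in, DEMO_CANARY);
}
int main(void) {
    printf("in bounds %d, overflow %d, disclosed canary %d\n",
           demo_in_bounds(), demo_overflow(), demo_disclosed_canary());
    return 0;
}
```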


Page 6

Defense 2


[Figure: the stack frame (Ret Address, Local Var., Vulnerable Buffer) next to the process memory layout from High Address to Low Address: Stack, Heap, Data, Text. Text is marked Executable; Stack, Heap and Data are each marked Executable?, the question Defense 2 answers.]

Page 7

NX-bit

- Non Executable bit
- Data Execution Prevention (DEP)
- W xor X
  - Can be either Writable or Executable
- Enforced in the MMU
  - Most modern CPUs support this (Intel, ARM, etc.)


Page 8

Limitations of NX-bit

- JIT and dynamic code
  - Web browsers


Page 9

Bypassing NX-bit


Page 10

Return to libc


[Figure: a non-executable Stack holding RET, the Vulnerable Buffer and a function pointer (*f)(). After the overflow, RET is redirected into existing libc code, namely execve("/bin/sh", …), so nothing on the stack has to be executed.]

Page 11

Return Oriented Programming (ROP)


[Figure: x86-64 disassembly excerpt of main, with three short instruction sequences that each end in ret highlighted as Gadget 1, Gadget 2 and Gadget 3.]

Page 12

ROP in action


[Figure: the same non-executable Stack with RET, Vulnerable Buffer and (*f)(). After the overflow the buffer region holds a ROP Chain and RET points at its first entry, so the chain acts as a Virtual Stack.]

Page 13

How does the ROP chain work? Use esp as the instruction pointer: every gadget ends in ret, which pops the next chain entry off the stack into the real instruction pointer.


ROP Chain (on the stack)      TEXT Section (Code)
Addr. of G1             -->   G1; ret
Addr. of G2             -->   G2; ret
Addr. of G3             -->   G3; ret
...                           ...
Addr. of GN             -->   GN; ret