-
09/20/10 1
HangingonaROPe
Pablo SolImmunity
-
09/20/10 2
Fromacrashtoaworkingexploit
WhatdoweusedtodoafterEIPwascontrolled? WhydoweneedROP?
ROP101(ortheinfinitewheelofpain...) Problemsofthemanualapproach
Anautomaticanswer GadgetsasSMTformulas ROPfromminiASM Summary
Conclusions
-
09/20/10 3
WhatdoweusedtodoafterEIPwascontrolled?
StackMemory
Buffer..
SavedFrame
ReturnAddress
FuncArgs....
PWN!!!
StackMemory
Buffer..
Garbage
SHELLCODE....
JMPESP
-
09/20/10 4
WhydoweneedROP?DataExecutionPreventionStackMemory
Buffer..
Garbage
SHELLCODE....
JMPESP
stack and heapare not executable
anymore!
-
09/20/10 5
ROP101ortheinfinitewheelofpain...
MOV ECX,DWORD PTR [EAX]LEA EDX,DWORD PTR [EBP+8]PUSH EDXPUSH
DWORD PTR [EBP+10]PUSH DWORD PTR [EBP+C]PUSH EAXCALL DWORD PTR
[ECX+C]
StackSwapping
XCHG EAX,ESPRETN
-
09/20/10 6
ROP101ortheinfinitewheelofpain...
StackMemory
AddrPOPEAX
VALUEforEAX
AddrPOPECX
VALUEforECX
...
...
...
...
...
POPEAXRETN
POPECXRETN
AddrSUBr1,r2 SUBEAX,ECXRETN
-
09/20/10 7
Problemsofthemanualapproach
Findingthecorrectstackswapsequencecanbehard.
Findingthecorrectgadgetsthatweneedcanbehard.
Bypassingbadcharswhileyoutrytofindyourgadgetsisdifficult.
Evenforsimpleexamplescanbeaverytimeconsumingtask.
-
09/20/10 8
PreviousAutomaticApproaches
Scanningforverysimple/knownsequences movedx,[ecx];ret;
Expressiontrees/matching WOOT'10,Dullien,Kornau,Weinmann
-
09/20/10 9
ProblemswithPreviousAutomaticApproaches
Simplescanning Imprecise Falsepositivesandfalsenegatives
Expressiontrees Possiblyitmightmisssomesemanticallyequal
gadgets
-
09/20/10 10
Anautomaticanswer
ProvidedIknowwheremycontrolledbufferisinmemory,whatifIcouldfindastackswapgadgetautomatically?
WhatifIcouldcreateaROPchainfromsomeeasyprogramminglanguage?
Bothproblemscanbesolvedusingthesametool.
-
09/20/10 11
ROPviaSMTFormulaSolving
-
09/20/10 12
SAT&SMT
Booleansatisfiabilityproblem ((x^y)^!(z^y))
Isthereavariableassignmentthatmakesthe
formulaTRUE Solvingthisautomatically
SMTsolvers Allowhigherorderlogicstobehandlede.g.
lineararithmetic,equalitylogicandsoon (x+y=8^y=2^x
-
09/20/10 13
OurSolution
ConvertinstructionsequencestoSMTformulae
Givesapreciserepresentationofinstruction
semantics
ForeachROPshellcodeinstructionbuildanotherformulathatgivesourrequirementse.g.'EAX=[ECX]andEDXisnotmodified'
Tofindagadgetweappendourrequirementsandcheckforsatisfiability/validityusingasolver
-
09/20/10 14
x86InstructionsasSMTFormulae
ForeachinstructioninagadgetweneedtoconvertittoanSMTformula
addeax,ebx> regs['eax']=solver.addExpr(regs['EAX'],
regs['EBX']) flags['_CF']=...
-
09/20/10 15
GadgetsasSMTFormulae
Atanalysistimeweiterateovertheinstructionsandbuildtheconjunctionofeachsubformula
addeax,ebxsubeax,[ecx]
solver.subExpr(solver.addExpr(regs['EAX'],regs['EBX']),mem[regs['ECX'])
(Accountingforflagsaswell)
-
09/20/10 16
FindingGadgetsUsingaSolver
Whatdefinesausefulgadget?
Itssemanticsmeetsomecriteriae.g.'Iwantthe
valueEAX+4tobeinESP.Pleasedon'tmangleEDXwhileyou'reatit'
TheserequirementsareeasilyexpressedasSMTformula
ESP_after=EAX_before+4^EDX_after=EDX_before
UsingasolverwecanthenquerythestatusofGADGET_FORMULA^REQUIREMENTS
-
09/20/10 17
Satisfiability&Validity
Asolvercantellusifaformulaissatisfiableorvalid
SatisfiabilityThereexistsatleastonevariableassignmentthatmakestheformulaTRUE
ValidityThereexistsnovariableassignmentthatmakestheformulafalse
-
09/20/10 18
Generic&ContextSpecificGadgets
Aformulathatisvalidimpliesthatregardlessofmemory/registercontextitmeetsourrequirements
Thegadgetwillalwaysdowhatwewant
Aformulathatissatisfiablebutnotvalidwillmeetourrequirementsundercertainconditions
Itwilldowhatwewantgivencertainpreconditionsonregistersandmemory
-
09/20/10 19
Workflow
Findcandidategadgets FromeachgadgetbuildanSMTformulaG
ForeachROPprimitivebuildaSMTformulaR
Moreonthislater(miniasm)
ForeveryrinRandginGbuild(r^g)andcheckforsatisfiabilityorvalidity(dependingonyourrequirements)
-
09/20/10 20
Implementation
-
09/20/10 21
FindGadgetCandidates
SearchRETNopcodes(0xC2or0xC3)intheentireDLLmemory
Disassemblebackwarduntilitfindsanunsupported/invalidopcode
Generateallpossibledisassemblies(moveabyteandmagiccanoccur)
Finally,itreturnslistsofopcodesforeachRETNendedsequence
-
09/20/10 22
CandidatesExample
7C91990D 66 83 26 00 66 83 66 f&.ff7C919915 02 00 83 66 04
00 5E 5D .f.^]7C91991D C2 04 00 .
Binary Data
Possible Disassemblies7C91991A 005E 5D | ADD BYTE PTR
DS:[ESI+5D],BL7C91991D C2 0400 | RETN 4
7C919919 04 00 | ADD AL,07C91991B 5E | POP ESI7C91991C 5D | POP
EBP7C91991D C2 0400 | RETN 4
7C91990E 668326 00 | AND WORD PTR DS:[ESI],07C919912 668366 02
00 | AND WORD PTR DS:[ESI+2],07C919917 8366 04 00 | AND DWORD PTR
DS:[ESI+4],07C91991B 5E | POP ESI7C91991C 5D | POP EBP7C91991D C2
0400 | RETN 4
-
09/20/10 23
SequenceAnalyzer
Emulateeachinstruction GeneratearesultingCPU/Memorycontext
SupportinteractionsbetweenCPUandMemory
UseSMTExpressionsfortheemulation
Supportabstractmemoryaddressing
MOVEAX,DWORDPTRDS:[EDX](givenwedon'tknowthefinalvalueofEDX)
It'seasytoaddnewarchitectures(x64,arm,etc).
-
09/20/10 24
SequenceAnalyzer0100739D > 33C0 XOR EAX,EAX0100739F 03C2 ADD
EAX,EDX010073A1 3BC2 CMP EAX,EDX010073A3 74 05 JE SHORT
010073AA010073A9 33C0 XOR EAX,EAX010073AA 03C3 ADD EAX,EBX
-
09/20/10 25
GadgetProperties
Wecalculateasetofpropertieslike:whatregisterswereread,writtenordereferenced.
Thispropertiesareusedasafirstcriteriaforgadgetsearching.
Thesmarterwearediscoveringthisproperties,thefasterwe'regoingtofindausefulgadget.
-
09/20/10 26
GadgetComplexityIndex
Howcomplexisthisgadget? howmanyregistersdoesitmodify?
howmanymemoryoperationsdoesithave?
howmuchhasthestackpointermoved?
MOV EDI,EAXPOP EAXPOP EBXRETN 4
MOV EAX,[EBX]POP ECXRETN 0C
XOR EDI,[EBX+ECX*4]MOV [EDI], EAXXOR EAX,EAXPOP ECXRETN 30
MOV EDI,EDIRETN
COMPLEXITY
-
09/20/10 27
Usecasesandmoredetails...
-
09/20/10 28
Stackswapping
Whatdoesthatmeans?
1)ESP=ControlledMemoryAddress2)EIP=ControlledMemoryContent
1)XCHG EAX,ESPMOV EAX, [EAX]MOV [ESP], EAXRETN
2)MOV ESI, [EAX]CALL ESI
1 & 2)XCHG EAX,ESPRETN
-
09/20/10 29
Stackswapping
1)ESP=ControlledMemoryAddress2)EIP=ControlledMemoryContent
OnaSMTformula:(EAX=addresscontrolledmem)
1)eqExpr(ESP,EAX+4) 2)eqExpr(EIP,mem(EAX))
1&2)boolAndExpr(1,2)
-
09/20/10 30
Stackswapping
-
09/20/10 31
ROPfromminiASM
WeneedakindofROPcompiler Someofitsresponsibilities:
Alloc/Releaseregisters Preservestackmemoryfromaccidental
overwrites. Satisfygadgetpreconditions
FindthebestwayofperformingaminiASM
instruction. Bypassbadchars CreatethefinalROPchain
-
09/20/10 32
ROPfromminiASM
Wecanusemanytrickstoimplementaninstruction!
LetssaywewanttoMOVEAX,0x1234
POPEAXRETN
POPEAXRETNPOPECXRETNSUBEAX,ECXRETN
MOVEAX,1234RETN
EBXpointstosomeplaceinourROPchainMOVEAX,[EBX]RETN
-
09/20/10 33
ROPfromminiASM
Letssaywehave4tricksforstoringavalueinregister.
InDEPLIBweassociatehandlersforeachinstruction,whereweimplementthesetricks.
Also,eachtrickhasapreference,soweusetheshortercasesfirst.
-
09/20/10 34
ROPfromminiASM
FromaSMTformulaperspective,wejustappendallourgadgetrequirementsandourguardconditions(regs/mem/flagsthatmustbeguarded)
AsktheSolverifthere'sagadgetthatsatisfyourquery.
-
09/20/10 35
ROPfromminiASMAminiASMexample:va_addr=solveImport(kernel32!VirtualAlloc)args=(0,0x1000,0x3000,0x40)allocated_buf=call(va_addr,
args, callconv=stdcall)jmp_addr=VAR()mov(jmp_addr,
allocated_buf)
shellcode_ptr=endofROP()shell_dword=VAR()shell_dword.bind(mem,
shellcode_ptr)
label(decrypt_loop)xor(shell_dword,
0xdeadbeef)mov(allocated_buf, shell_dword)add(allocated_buf,
4)add(shellcode_ptr, 4)ifne(shell_dword, 0xcafecafe,
decrypt_loop)
jmp(jmp_addr)
-
09/20/10 36
Summary
Weemulatethex86instructionsetusingaSMTSolver(noFPU/SSE/etc.)
ThenwestoreaSMTrepresentationofallregisters,flagsandmemoryaccesses.
Thismeanswecapturethesemanticsofasequenceofinstructions.
OursolverofchoicewasCVC3Solver.
-
09/20/10 37
Summary
Thisallowsustoanswersomenonobviousquestions.ex:
IsthereagadgetthatsetsESP=EAX+4ANDEIP=[EAX]?
STACKSWAPPING
-
09/20/10 38
Summary
IsthereagadgetthatsetsEAX=value,withouttouchingESI,EDI?
RETURNORIENTEDPROGRAMMING
-
09/20/10 39
Summary
Butalsosolvethingslike:
IsthereavalueforEAXthattakesagivenbranch?(andwhatisthatvalue):
IMUL EAX,ECX,4SUB EAX, [EBP+10]CMP EAX, 100JL allowed
SYMBOLICEXECUTION
-
09/20/10 40
Conclusions
DEPLIB2.0isgoingtobepartofthereleaseofImmunityDebugger2.0onDecember2010.
Lotsofdifferenttoolscanbemadefromtheworkpresentedhere.
ROPonlyshellcodeonx86ispossibleusingDEPLIB.
ConceptsofROPcanbeextendedtoothercodereusetechniques:
Chaingadgetsusingjumps Chaingadgetsusingcalls
-
09/20/10 41
Thankyouforyourtime
Contactmeat:[email protected]
Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide
9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide
17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide
25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31Slide 32Slide
33Slide 34Slide 35Slide 36Slide 37Slide 38Slide 39Slide 40Slide
41
