Architect, Kudelski Security
Guest lecturer at HEIG-VD and Uni-Biel on software exploitation techniques
Guest lecturer at UNIMAIL on malware and incident response
Past 6 years: SCRT and ilion Security, penetration tester and incident responder
... and x86 assembly
Previous course on software exploitation basics
Environment: Linux with 32-bit binaries
No Windows, iOS or Android exploitation today :(
Examples: https://github.com/milkmix-/training/tree/master/rop
When enabled, _FORTIFY_SOURCE checks for basic vulnerabilities:
- at compile time: static arrays copied using libc functions
- at execution time: calls are redirected to checked variants such as __strcpy_chk
Compile with -D_FORTIFY_SOURCE=1 -O2
ROP reuses simple instruction sequences already present in memory to execute code. These sequences are called gadgets and end with a RET, for example:
pop eax ; ret
mov [ebx], ecx ; ret
With the variable-length encoding used by Intel processors, a sequence of bytes does not have only one interpretation: it can be decoded at various offsets, yielding unintended gadgets. This concept is not applicable on RISC architectures (ARM, MIPS, ...), whose instructions are fixed-length and aligned.
Techniques to detect ROP chains:
- high ratio of RET instructions per instruction block
- shadow stack that validates that each RET returns to the instruction following the matching CALL instruction
A shadow stack degrades performance by at least 30%; as such, most implementations are coarse grained, leaving holes that can be exploited. Fine-grained implementations exist in some academic R&D projects.
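The two detection ideas above, shadow-stack validation and RET density, replayed over a constructed control-flow trace (added example, not code from the training repository; the trace format and thresholds are assumptions for illustration, not a real tracer's output):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an execution trace (not a real hardware/Pin capture):
 * CALL records the return address it pushes, RET records the address it
 * actually transfers control to, INSN is any other instruction. */
typedef enum { EV_CALL, EV_RET, EV_INSN } ev_kind;
typedef struct { ev_kind kind; uint32_t addr; } trace_event;

#define SHADOW_DEPTH 64

/* Shadow-stack check: every RET must return to the instruction following the
 * matching CALL. Returns the number of mismatched or orphan RETs. */
int shadow_stack_violations(const trace_event *ev, size_t n) {
    uint32_t shadow[SHADOW_DEPTH];
    size_t sp = 0;
    int violations = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_CALL) {
            if (sp < SHADOW_DEPTH) shadow[sp++] = ev[i].addr;
        } else if (ev[i].kind == EV_RET) {
            /* RET with no pending CALL, or to the wrong address, is a violation */
            if (sp == 0 || shadow[--sp] != ev[i].addr) violations++;
        }
    }
    return violations;
}

/* RET-density heuristic: gadgets are short, so a ROP chain shows many RETs in
 * a small window. Returns 1 if any window of `window` consecutive events
 * contains more than `max_rets` RETs, else 0. */
int ret_density_suspicious(const trace_event *ev, size_t n, size_t window, int max_rets) {
    int rets = 0;
    for (size_t i = 0; i < n; i++) {
        if (ev[i].kind == EV_RET) rets++;
        if (i >= window && ev[i - window].kind == EV_RET) rets--;
        if (rets > max_rets) return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed ROP-like trace: RETs chain gadgets with no CALL in sight */
    trace_event rop[] = {
        {EV_INSN, 0x0804a000u}, {EV_RET, 0x08048123u},
        {EV_INSN, 0x08048123u}, {EV_RET, 0x08048456u},
        {EV_INSN, 0x08048456u}, {EV_RET, 0x08048789u},
    };
    size_t n = sizeof rop / sizeof rop[0];
    printf("shadow violations: %d, ret density flag: %d\n",
           shadow_stack_violations(rop, n), ret_density_suspicious(rop, n, 4, 1));
    return 0;
}
```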
Possibilities when the libc base is randomised: set the libc base address to a common base and brute-force the remaining 16 bits. This is only effective on 32-bit systems, or if rebasing is built into the binary; 64-bit Linux has 28 bits of entropy.
How to find my function? Generate a pattern that appears only once in the library and is not present in other ones. This obviously needs a second vulnerability in the code: a memory disclosure.
Each GOT entry is the address of the corresponding function, filled in by the loader when executing the binary, unless lazy binding is used, in which case it is filled in only once the function has been called.
The GOT address is known in this case: read at the selected offset to retrieve the current address of a function, open the libc binary and retrieve the offset of this function, and also extract the offsets of the desired functions.
Internals
The Shellcoder's Handbook
The Art of Software Security Assessment
Fuzzing: Brute Force Vulnerability Discovery
Practical Reverse Engineering