Tuesday, August 30, 2011

ROP: ROPME

The finding of gadgets has been from years one of the big issue in writing ROP exploits. Most of the security community knew that it could be automatized, but only few of them started projects on gadget automation. On of the most relevant contribute to "ROP community" has been made by vnSecurity thanks to the ROPME tool. In the paper presented at Black Hat 2010 they show how it could be extended the old advanced return-to-libc techniques to multistage techniques that can bypass NX, ASLR and ASCII-Armor mapping and make ROP/return-to-libc exploitation on modern Linux x86 become easy. In addition, by reusing not only codes but also data from the binary itself, they can build any chained ret2libc calls or ROP calls to bypass ASLR protection.




As you see from the picture, ROPME is organized as a python shell (something like the Metasploit shell) which few but relevant commands: "generate", "load", "search" and "shell". A particular important feature is the "Search" for ROP. "Search pop ?" will search for ROPped pop instructions in the loaded binary. That's great since you don't need anymore to search gadgets manually, by using OllyDB or IDA Pro, but, from now, it's an automatic process which will make easy and fast the way to build ROP Exploits.

If you want to download the ROPME's code you might find it here. If you are interested on the slides are downloadable here, if you are interested on know more about ROPME, take a look to the original paper from here.

Enjoy ROPping !

Sunday, August 28, 2011

Contagio: malware Dump

During some of the past months I've been seeking a Malware repository. As you might know there are tons of such repositories but often they aren't frequently updated and many of them seem outdated. Well, Contagio blog wraps out a good and upgraded Malware collection. Composed as follows:

1) COLLECTION 1 - 251 files (70 MB) - Email attachments from targeted attacks

2) COLLECTION 2 - 10 files (3 MB) - Zero day files Collection of files that were original 0-day files .
3) COLLECTION 3 (from Stephan Chenette) - 118 Files (5MB) - Web exploit pdf files .

4) COLLECTION 4 (from Stephan Chenette) - 10,980 Files (243 MB) - Web exploit pdf files
Awesome and huge collection of files (COLLECTION 3 and 4) kindly provided by Stephan the Great ;), creator of the Fireshark, the web analysis tool.
5) COLLECTION 5 Non-Malicious PDF Collection (from Stephan Chenette) - 6,052 clean files (1.4GB) to make sure your product does not detect them as bad (There is no password on the zip with clean PDFs)

6) COLLECTION 6 - http://contagiodump.blogspot.com/2011/03/request-for-samples.html - a few targeted attack samples there.

That's great, now we now how to find "research young Malware"
Enjoy your Malware hunting

A Week in Delft, Netherlands

I've been in Delft for 10 days or so last year (see here), actually I would never though after one year to be exactly at the same place :P. Well, I do like Delft, it's a pretty town and full of young people, so I am happy to be here for a second time. To me Delft is a pretty "mixture", the city conformation seems like a sort-of Venice while the building houses are pretty close to New England, USA. Even some neighborhoods reminds me my home in D.C.

Anyway, I will be in Delft for the next 6 days, if someone of you are here (or close to here) and wanna have a beer with me talking about our favorite topics please let me know (by sending me emails or directly commenting the post). For the sake of curiosity today I'll have dinner at "La Cantina". See you there !

Monday, August 22, 2011

ROP: RETN + Offest Stack Compensation

Hi Folks,
this time I am just commenting (and quoting) example made by the corelan team present on their forum. Personally I've never used Gadgets ending up with RETN + Offset, so I've never had the necessity to find out a way to pad the stack in this way. After all it seems pretty logic the way the stack needs to be padded, but lets see how they justified it.

Let’s say we have the following gadgets :

77C1E842 : PUSH EDI / POP EAX / POP EBP / RETN + 4
77C1D7F5: ADD EAX,20 / POP EBP / RETN + 8
71AA2526 : XOR EAX,EAX / INC ESI / RET

The first gadget ends with RETN+4. The second gadget ends with RETN+8. How does this impact the stack layout ?

ESP 77C1E842 <- first gadget. PUSH EDI/POP EAX is followed by POP EBP and RETN + 4

ESP+4 DAC0FF33 <- will be popped into EBP by gadget above. These 4 bytes need to be on the stack to make sure RET will land at next pointer (at ESP+8)

ESP+8 77C1D7F5 <- second gadget. POP EBP will pick up next 4 bytes. This gadget ends with RETN + 8

ESP+C 41414141 <- these are the 4 bytes needed to compensate for RET+4 in the first gadget. As you can see, the 4 bytes compensation need to be placed after the next RET instruction (so after the next gadget).
ESP+10 DAC0FF33 <- will be popped into EBP by gadget 77C1D7F5. RET will then land at next pointer (at ESP+10)

ESP+14 71AA2526 <- third gadget. No additional bytes are needed because nothing will be picked up from stack by this gadget.

ESP+18 41414141 4 bytes of padding – compensate for the first 4 bytes in RET+8 (gadget 2)

ESP+1C 41414141 4 bytes of padding – compensate for the second 4 bytes in RET + 8 (gadget 2)

ESP+20 <- 4th gadget must be placed here

Conclusion : the offset to RET must be accounted for on the stack after the next gadget pointer, and not after the current gadget pointer.

A great example of what written above is the exploit made by sickness : a Buffer Overflow in WM Downloader 3.1.2.2 available here. Following a piece of exploit (click on it to make it bigger) commented showing both padding procedures: POP padding (as explained here) and RETN + Offset as explained above.

In red you see the "common" stack compensation used to compensate POP instructions, Green the stack compensation due to RETN + Offset Gadgets. Following another piece of exploit commented and explained using the same notation.


Great ! That's all folks. For any comments and/or doubts feel free to send me email (or comment), as usually ! ;)

ROP : Stack Compensation

Hi folks,
today I want to write another quick 'n dirty post on how to compensate the stack during Return Oriented Programming. Gadgets come with some PUSH/POP operations that shift %ESP blocking the ROP chain.

Lets make this (fake) example:

Gadget 1: 77C5E842 : PUSH EDI / POP EAX / POP EBP / RET
Gadget 2: 77C5D7F5: ADD EAX,20 / POP EBP / RET
Gadget 3: 71AC2528 : XOR EAX,EAX / INC ESI / RET

Gadget 1, makes PUSH %EDI which decrements %ESP, POP %EAX which increments %ESP (so far %ESP is not modified from the original value) but then it makes another POP %EBP which increments %ESP. Finally it RETurns. Gadget 1 does not RET at %ESP + 4 but at %ESP +8 (%ESP + 4 need to be filled up since it is moved to %EBP). At this point the attacker needs to fill in 4 bytes between addresses 77C1E842 and 77C1D7F5.

Gadget 2, makes an arithmetic operation (ADD) which does not modify %ESP but then it POPs %EBP. This increments %ESP. %ESP + C is popped into %EBP. The attacker needs to fill up 4 bytes between addresses 77C1D7F5 and 71AA2526

Gadget 3, maxes only arithmetic operations, it does not need padding.

Finally we come up with the following Stack:

%ESP 77C1E842
%ESP+4 41414141
%ESP+8 77C5D7F5
%ESP+C 41414141
%ESP+10 71AC2528
%ESP+14 Eventually another Gadget

This post covered how to pad the stack when Gadgets uses an odd number of sequences PUSH/POP.

Saturday, August 6, 2011

ROP: Conditional Jumps

Hi folks,
another quick 'n dirty post before leaving for a sequence of security conferences around the Globe... One of the most interesting things to understand on ROP is how to make conditional jumps. We have already seen how to make comparisons (here), very useful for making conditional changes on the stack (ESP). Now let's see the main strategy behind the conditional jumps is the following:
  1. Move flags to general-purpose registers. Flags are important because they are the result of comparison (here)
  2. "Do something" if flag is set up or do nothing if flag is not set up (or vice-versa)
  3. Modify ESP in the "do something" function
Since we know how to make comparisons lets see how we can use the 1 or 0 (the flag) saved into the memory. Let's assume we used the CF (carry flag) from a sub or a neg command. We need something that puts the flags into general-purposes registers: lahf is our instruction ! ;). It stores the five arithmetic flags (SF, ZF, AF, PF, CF) into %ah. Unfortunately lahf function is not very common (I'll post something on probability of gadgets later on this blog). Another great way to move flags to registers is by using pushf much more common. It pushes a word containing %eflags into the stack. Another good way is to use a function which keeps as input a CF like for example the "rotate with carry functions" ( rcl, rcr) and add with carry too, adc. A pretty common gadget is the following one:

adc %cl, %cl // ret

The above gadget computes the sum of its two operands and the carry flag, which is useful in multiword addition algorithms. If we take the two operands to be zero, the result is 1 or 0 depending on whether the carry flag is set ... it's exactly what we need. (NOTE: it should be pretty clear that we can evaluate complicated boolean expressions by collecting CF values of multiple tests and combining them with logical operands.)

Ok now comes the most complicated part: the ESP modification. Right now we have a word containing 1 or 0 depending of the CF, we want to transform it to ESP_delta or 0. Where the ESP_delta is the offset to give to ESP if the above condition is true. One way to obtain the ESP_delta is by using the two's complemet. negl of 1 is all-1 pattern and the negl of 0 is all-0 pattern. Then taking bitwise and of the result and ESP_delta gives a word containing ESP_delta or 0 (for more details on that please read this paper titled "The Geometry of Innocent Flesh on the Bon: Return-to-libc without Function Calls"). Now we need to modify ESP. The following gadget is what we need (or what we need to build).


addl (%eax), %esp addb %al, (%eax) addb %cl, 0(%eax) addb %al, (%eax) //ret

%eax is pointing to the ESP_delta. The follow instructions destroy it, but it has already been used, so no problem at all. The following picture sums up what we said till here.


Here we go! We've just been Jumping conditionally ;)


Wednesday, August 3, 2011

ROP: Stack Pivoting

During the past few days I saw people complaining about Stack Overflow. The main argument was that Stack based overflow is the perfect way to control the program execution BUT not so common as it was in the past. I totally agree with this argument. Nowadays the most common overflows are in the memory HEAP. So the question comes easy: how can I control the attacked program control flow if I control the HEAP ? The answer is int he "stack pivoting" techniques.

The goal of these techniques is to put ESP to the attacker controlled memory area. There are many ways to perform stack pivoting but one of my favorite one is by using ROP gadgets:

  1. mov %esp, %eax // ret
  2. xchg %eax, %esp // ret
  3. add esp, // ret
xchg exchanges values between two operands and it's pretty common to find out into "ropped libraries" after all.

Summing up, this post is about telling you a simple ROP sequence useful to pivoting your stack (pointer).

ROP: How to make comparisons ?

Folks, a quick and dirty post on how to compare using Return Oriented Programming.
Lets say we simply want to compare two operands:

cmp %ax, %cx


Doing it by using a simple compare is pretty easy, but when we are dealing with ROP it's pretty rare having a straight cmp %ax, %cx. So what is the alternative ? cmp (like many other commands) once compared the two operands sets a number of flags in the EFLAGS register. Luckily many other instructions set flags as side effect !!

For example we can use an instruction called neg. neg %ax calculates two's complements and sets a carry flag (CF) is the argument is not zero. So, do you want test for equality ? neg is your guy ! Another great example comes from the function sub. sub %ax, %cx subtraces the source (%cx) operator from the destiny (%ax) and sets the Carry Flag once destiny is bigger then source. You might use it to compare if a number is greater then another.

Of course these are only a couple of ways to perform comparisons but are the most frequent ones. By searching on the imported libraries you will find a lot of neg and/or sub. Now you know how to use them ;).