Posted on 21-Dec-2015

Page 1

Hacking Blind

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh

Page 2

Buffer Overflows

• The attacker sends more data than the buffer holds; the excess overwrites memory beyond the buffer

• Stack buffer overflows are the easiest attack to succeed with because the saved return address sits close to the buffer in memory

• Code Injection Attack – the attacker includes malicious code as part of the payload, then simply sets the return address to the code that was injected

• Modern OSes, though, mark data memory pages as non-executable (NX on x86)

Page 3

Address Space Layout Randomization

• Randomizes the location of the code and data memory segments in the process address space

• Makes it hard to predict the location of code, or even of the stack, in advance

• On 32-bit platforms there are usually only 16 bits of randomization

• Easy to brute-force

• 64-bit systems have too many random bits to brute-force effectively

Page 4

• Canaries – A secret value is determined in advance and placed before each saved frame pointer and return address

• When a function returns, the canary is checked; if it has changed, an attack has been detected and the program terminates

• Canaries are guessed one byte at a time

• If canaries are re-randomized after every crash, then ROP attacks are impossible

Page 6

Return-Oriented Programming (ROP)

• Developed to defeat NX memory

• Relies on collecting gadgets

• Gadgets are machine instruction sequences already present on the machine

• Return into Library – A high-level library function such as system() is set as the return address

• On 64-bit systems arguments are passed in registers, so gadgets are needed to populate the registers

Page 8

• To defeat NX the attacker must know where gadgets reside in the program executable

• To defeat ASLR the attacker must derandomize the location at which the executable's text segment is actually loaded into memory

• The first requirement generally means the attacker needs to have the binary available on 64-bit

• If Position Independent Executables (PIE) are enabled on a Linux system, the entire address space is randomized
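The two properties these bullets hinge on, whether the binary is PIE and whether it asks for a non-executable stack, can be read straight from the ELF headers. As an added defender-side check (not code from the slides or the paper), the following inspects a 64-bit little-endian ELF image for e_type ET_DYN (PIE) and for a PT_GNU_STACK header without PF_X (NX stack), and reports the fixed load base of a non-PIE binary; the images it examines are constructed in-line and the helper names are mine.

```python
import struct

ET_EXEC, ET_DYN = 2, 3          # e_type values: fixed-address executable vs. position-independent
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X = 1                        # executable flag in p_flags
EHDR_FMT, PHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"   # ELF64 little-endian header layouts

def check_mitigations(elf: bytes) -> dict:
    """Report PIE and NX-stack status of a 64-bit little-endian ELF image (headers only)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    fields = struct.unpack_from(EHDR_FMT, elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    pie = e_type == ET_DYN
    # Conservative default: with no PT_GNU_STACK header the Linux loader grants an executable stack.
    nx_stack, load_base = False, None
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr = struct.unpack_from("<IIQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_LOAD and not pie:
            load_base = p_vaddr if load_base is None else min(load_base, p_vaddr)
    return {"pie": pie, "nx_stack": nx_stack, "load_base": load_base}

def make_elf(e_type: int, stack_flags: int, base: int = 0x400000) -> bytes:
    """Constructed, non-runnable ELF64 image with one PT_LOAD and one PT_GNU_STACK header (test input)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)            # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, base, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    load = struct.pack(PHDR_FMT, PT_LOAD, 5, 0, base, base, 0, 0, 0x1000)   # R+X text segment
    stack = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + load + stack

if __name__ == "__main__":
    print("non-PIE, NX stack:", check_mitigations(make_elf(ET_EXEC, 6)))        # stack flags R+W
    print("PIE, exec stack:  ", check_mitigations(make_elf(ET_DYN, 7, base=0)))  # stack flags R+W+X
```

On a real file, pass `open(path, "rb").read()` to `check_mitigations`; a non-PIE result with load_base 0x400000 is exactly the fixed base the later slides rely on.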

Page 10

• Registers rdi and rsi hold the first two arguments to system calls

• Register rax holds the system call number

• Registers can be loaded by using pop gadgets and placing the value to load on the stack

Page 12

Blind Return Oriented Programming (BROP)

• We assume a stack vulnerability and knowledge of how to trigger it

• A server application that restarts after a crash

• Phases of a BROP attack

– Stack Reading: read the stack to leak canaries and a return address, to defeat ASLR

– Blind ROP: find enough gadgets to invoke write and control its arguments; the binary can now be transferred

– Build the exploit: dump enough of the binary to find enough gadgets to build shellcode, and launch the exploit
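The precondition above (a server that respawns crashed workers with the same memory layout) is what lets stack reading and gadget probing proceed, and it leaves a loud trace: a burst of worker crashes caused by one client. As an added detection example (not from the slides or the paper), the following scans a crash log in a hypothetical, constructed line format and flags peers that reach a crash threshold inside a sliding time window; the log lines and format are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical crash-log line format (constructed for this example, not any real server's):
#   <ISO-8601 time> worker <pid> crashed signal=<n> peer=<client ip>
LINE_RE = re.compile(r"^(\S+) worker (\d+) crashed signal=(\d+) peer=(\S+)$")
FATAL_SIGNALS = {11, 7, 6}   # SIGSEGV, SIGBUS, SIGABRT (a stack-protector failure aborts)

def crash_bursts(lines, threshold=8, window=timedelta(seconds=60)):
    """Map each peer that caused >= threshold worker crashes inside `window` to the time the threshold was hit."""
    recent = defaultdict(deque)   # peer -> timestamps of its crashes still inside the window
    alerts = {}
    for line in lines:            # lines are assumed to be in time order
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(3)) not in FATAL_SIGNALS:
            continue                                  # not a crash line, or not a memory-safety signal
        ts, peer = datetime.fromisoformat(m.group(1)), m.group(4)
        q = recent[peer]
        q.append(ts)
        while ts - q[0] > window:                     # slide the window forward
            q.popleft()
        if len(q) >= threshold and peer not in alerts:
            alerts[peer] = ts
    return alerts

# Constructed sample: one client crashing a worker every two seconds, another with two isolated crashes.
SAMPLE_LOG = [f"2015-12-21T10:00:{s:02d} worker {4000 + s} crashed signal=11 peer=203.0.113.5"
              for s in range(0, 20, 2)] + [
    "2015-12-21T10:00:05 worker 4100 crashed signal=11 peer=198.51.100.7",
    "2015-12-21T10:00:09 worker 4101 crashed signal=6 peer=198.51.100.7",
    "2015-12-21T10:00:10 worker 4102 started peer=-",
]

if __name__ == "__main__":
    for peer, when in crash_bursts(SAMPLE_LOG).items():
        print(f"crash burst from {peer}: threshold reached at {when.isoformat()}")
```

The complementary mitigation the canary slide names, re-randomizing after every crash (re-exec the worker instead of only forking it), removes the precondition rather than just detecting it.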

Page 15

Finding Gadgets

• Remotely scan the application's text segment by overwriting the saved return address

• The program will either crash or continue running; if it continues running, you have found a gadget

• A stop gadget is a gadget which suspends program execution but keeps the connection open – like sleep or an infinite loop

• Stop gadgets are placed after the address being scanned; two are needed to keep pop gadgets from crashing

Page 17

• Probe – the address being scanned

• Stop – the address of a stop gadget that will not crash

• Trap – the address of non-executable memory that will cause a crash

• The idea is to vary the position of stops and traps on the stack to deduce what the gadget being probed is

– Probe, stop, trap, trap … will find gadgets that do not pop the stack, like ret or xor

– Probe, trap, stop, trap, trap … will find gadgets that pop exactly one thing off the stack, like pop rax; ret or pop rdi; ret

Page 19

Finding the PLT

• Each entry is 16 bytes apart

• Most PLT entries will not cause a crash since they are system calls

• The PLT is found by scanning from the program's origin

• The PLT can be verified by setting a probe, stop, trap and also by using offsets of six bytes to use the PLT slow path

Page 21

• To control the third argument one needs to find a call to strcmp, which sets rdx to the length of the string compared

• To identify PLT entries we control the first two arguments using the gadgets found earlier and see how the function responds

– strcmp(bad, bad): crash

– strcmp(bad, readable): crash

– strcmp(readable, bad): crash

– strcmp(readable, readable): no crash

• Now that we control the first three arguments, finding write is trivial: scan through the PLT entries and force a write to the socket; if a write occurs, the location has been found

Page 22

Summary

• Find where the executable is loaded: either 0x400000 for non-PIE executables, or stack-read a saved return address

• Find a stop gadget, like sleep or read. The attacker also finds the PLT at this point

• Find the BROP gadget

• Find strcmp in the PLT

• Find write in the PLT. Dump the binary to find more gadgets

• Build shellcode and exploit the server

Page 23

• If there is no BROP gadget or PLT, the attack instead goes:

– Find all pop x; ret gadgets

– Find a syscall gadget

– Identify the pop gadgets