a single gadget weird machine
play

a single gadget weird machine Framing Signals a return to portable - PowerPoint PPT Presentation

Dec 28, 2022 •750 likes •1.65k views

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos stack buffer overflow stack return addr buffer sp 1 stack buffer overflow stack return addr buffer sp 1 stack buffer overflow

  1. a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos

  2. stack buffer overflow stack return addr buffer sp 1

  3. stack buffer overflow stack return addr buffer sp 1

  4. stack buffer overflow stack return addr buffer sp 1

  5. stack buffer overflow stack sp return addr buffer 1

  6. stack buffer overflow stack sp return addr buffer 1

  7. stack buffer overflow stack sp return addr buffer 1

  8. stack sp return addr buffer 2

  9. stack sp return addr buffer code 2

  10. return oriented programming / ret2libc stack return addr buffer code 2

  11. return addr return addr return addr buffer code 2

  12. Return Oriented Programming - dependent on available gadgets - chains may differ greatly between different binaries - non-trivial to program - ASLR makes it harder to guess gadgets without an info-leak 3

  13. Sigreturn Oriented Programming - minimal number of gadgets - constructing shellcode by chaining system calls - easy to change functionality of shellcode - gadgets are always present 4

  14. unix signals stack sp 5

  15. unix signals stack sp 5

  16. unix signals stack ucontext sp 5

  17. unix signals stack ucontext siginfo sp 5

  18. unix signals stack ucontext siginfo sp sigreturn 5

  19. unix signals stack good: kernel agnostic about signal handlers ucontext siginfo sp sigreturn 5

  20. unix signals stack bad: kernel agnostic about signal handlers ucontext (we can fake 'em) siginfo sp sigreturn 5

  21. two gadgets - call to sigreturn - syscall & return 6

  22. forged signal frame sigreturn 7

  23. program counter forged signal frame sigreturn 7

  24. program counter stack pointer forged signal frame sigreturn 7

  25. program counter stack pointer RAX ... RDI RSI RDX R10 R8 R9 ... sigreturn 7

  26. program counter stack pointer syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 7

  27. syscall & return stack pointer syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 7

  28. syscall & return next sigframe syscall number ... arg1 arg2 arg3 arg4 arg5 arg6 ... sigreturn 7

  29. next syscall(...) 8

  30. socket() bind() listen() accept() execve() 9

  31. parent clone(...) 10

  32. parent clone(...) child 10

  33. clone() (wait) 11

  34. usage scenarios - stealthy backdoor - code signing circumvention - generic shellcode for exploitation 12

  35. usage scenarios stealthy backdoor - - code signing circumvention - generic shellcode for exploitation 12

  36. stealthy backdoor basic idea: - use the inotify API to wait for a file to be read - when this file is read: open a listen socket to spawn a shell - terminate the listening socket quickly if nobody connects 13

  37. backdoor close() inotify_init() inotify_add_watch() read() clone() 14

  38. backdoor close() alarm() listen() inotify_init() close() accept() inotify_add_watch() close() dup2() read() socket() alarm() clone() setsockopt() execve() bind() 14

  39. usage scenarios - stealthy backdoor - code signing circumvention - generic shellcode for exploitation 15

  40. code signing circumvention - serialize system calls over a socket - write into our own signal frames useful to bypass code-signing restrictions 16

  41. system call proxy read() read() read() read() 17

  42. system call proxy read() read() syscall nr arg1 ???() arg2 ... read() read() 18

  43. and... It's turing complete 19

  44. usage scenarios - stealthy backdoor - code signing circumvention - generic shellcode for exploitation 20

  45. SROP exploit on x86-64 we have: - a stack buffer overflow - not a single gadget from the binary assumption: - we can guess/leak the location of a writable address (any address!) - we have some control over RAX (function's return value) 21

  46. two gadgets - call to sigreturn - syscall & return 22

  47. two gadgets - call to sigreturn: RAX = 15 + syscall - syscall & return 22

  48. one gadget - RAX = 15 - syscall & return 22

  49. [vsyscall] 23

  50. [vsyscall] ffffffffff600000 48 c7 c0 60 00 00 00 0f 05 c3 cc cc cc cc cc cc gettimeofday() fffffffffff60010 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600400 48 c7 c0 c9 00 00 00 0f 05 c3 cc cc cc cc cc cc time() ffffffffff600410 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600800 48 c7 c0 35 01 00 00 0f 05 c3 cc cc cc cc cc cc getcpu() ffffffffff600810 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff601000 24

  51. [vsyscall] ffffffffff600000 48 c7 c0 60 00 00 00 0f 05 c3 cc cc cc cc cc cc gettimeofday() fffffffffff60010 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600400 48 c7 c0 c9 00 00 00 0f 05 c3 cc cc cc cc cc cc time() ffffffffff600410 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600800 48 c7 c0 35 01 00 00 0f 05 c3 cc cc cc cc cc cc getcpu() ffffffffff600810 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff601000 24

  52. [vsyscall] ffffffffff600000 48 c7 c0 60 00 00 00 0f 05 c3 cc cc cc cc cc cc gettimeofday() fffffffffff60010 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600400 48 c7 c0 c9 00 00 00 0f 05 c3 cc cc cc cc cc cc time() ffffffffff600410 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff600800 48 c7 c0 35 01 00 00 0f 05 c3 cc cc cc cc cc cc getcpu() ffffffffff600810 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc * ffffffffff601000 0f05 syscall c3 return 24

  53. syscall(arg1, arg2, arg3, ...) = result 24

  54. execve("/bin/sh", ["/bin/sh", "-c", "...", NULL], NULL) 24

  55. execve("/bin/sh", ["/bin/sh", "-c", "...", NULL], NULL) 24

  56. syscall(arg1, arg2, arg3, ...) = result 24

  57. read(fd, addr, ...) = result 24

  58. read(fd, stack_addr, ...) = result 24

  59. read(fd, stack_addr, 306) = 306 24

  60. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs 24

  61. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return 24

  62. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = ... 24

  63. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 24

  64. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return 24

  65. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = ... 24

  66. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = 15 24

  67. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = 15 RAX == 15 == __NR_rt_sigreturn top of stack points to syscall & return 24

  68. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = 15 RAX == 15 == __NR_rt_sigreturn top of stack points to syscall & return mprotect(stack_addr, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC) 24

  69. read(fd, stack_addr, 306) = 306 RAX == 306 == __NR_syncfs top of stack points to syscall & return syncfs(fd) = 0 RAX == 0 == __NR_read top of stack points to syscall & return read(fd, stack_addr, 306) = 15 RAX == 15 == __NR_rt_sigreturn top of stack points to syscall & return mprotect(stack_addr, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC) top of stack points to our code 24

  70. CVE-2012-5976 (asterisk) 25

  71. On some systems SROP gadgets are randomised, on others, they are not Operating system Gadget Memory map Linux i386 sigreturn [vdso] Linux < 3.11 ARM sigreturn [vectors] 0x ffff 0000 Linux < 3.3 x86-64 syscall & return [vsyscall] 0x ffffffffff 600000 Linux ≥ 3.3 x86-64 syscall & return Libc Linux x86-64 sigreturn Libc FreeBSD 9.2 x86-64 sigreturn 0x7 ffffffff 000 Mac OSX x86-64 sigreturn Libc iOS ARM sigreturn Libsystem iOS ARM syscall & return Libsystem 26

Recommend

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos memory corruption, the problem that just won't go away 25+ years after the morris worm and

879 views • 62 slides
Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB Linux USB Terminology Brief history of USB gadget subsystem Other filesystem-based gadget interfaces Using USB gadget configfs

439 views • 21 slides
Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of

Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of

DM204 , 2010 SCHEDULING, TIMETABLING AND ROUTING Lecture 18 Single Machine Models, Branch and Bound Parallel Machines, PERT Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Single Machine

439 views • 43 slides
Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as:

Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as:

Pipelining Drawbacks of the Single Cycle Imp A single cycle machine has disadvantages such as: All instructions take the same time (CPI = 1), but some instructions are shorter than others: ADD uses Instruction Memory, Register File, ALU,

95 views • 5 slides
Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020 https://tinyurl.com/fosdem-gadget Hi, Im Alban Alban Crequy CTO, Kinvolk Github: alban Twitter: albcr Email: alban@kinvolk.io Kinvolk Driving

426 views • 30 slides
Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows Christopher Olston and Benjamin Reed Yahoo! Research Web Scale problems Lots of servers, users, and data Fun to have power at your fingertip

505 views • 33 slides
Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules

Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules

Dispatching Rules Outline Single Machine Models DMP204 SCHEDULING, TIMETABLING AND ROUTING 1. Dispatching Rules Lecture 10 Single Machine Models 2. Single Machine Models Marco Chiarandini 2 Dispatching Rules Dispatching Rules Outline

417 views • 7 slides
Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting)

Why the British constitution is weird (and interesting) Dr Mark Ellio+ Reader in Public Law, University of Cambridge Fellow &amp; Director of

426 views • 14 slides
Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of

Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of

Monchai Sopitkamon, Ph.D. Computer Engineering Department Kasetsart University An example of single queue systems includes an ATM machine ATM machine. A single line of people waiting to get money forms in front of the machine. in front of

401 views • 21 slides
Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine

Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine

Schwiegelshohns Proof of the Kawaguchi-Kyan Bound Martin Skutella TU Berlin Single Machine Scheduling to Minimize w j C j Given: n jobs j = 1 , . . . , n , processing times p j &gt; 0, weights w j &gt; 0 Task: schedule jobs on a single

393 views • 20 slides
ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics

1.28k views • 45 slides
Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int.

622 views • 39 slides
Some Weird Things Poll #1: Who in here has taken a MOOC? Going On Poll #2: Are you happy or

Some Weird Things Poll #1: Who in here has taken a MOOC? Going On Poll #2: Are you happy or

2/9/2019 Talk Outline Fostering Self-Directed Learning in MOOCs: 1. MOOC Weird Stuff One Modest Little Study to 2. MOOC Systematic Literature Review Help Save the Planet 3. MOOC ID Considerations and Challenges 4. MOOC ID for Self-directed

386 views • 16 slides
T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr. Yuan, Co-Director of MIST Daniel Gibney CpE research center at UCF. Leaphar Castro EE Motivation With the ever expanding use of IoT sensor

740 views • 46 slides
On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H

On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H

On the performance of Smiths rule in single-machine scheduling with nonlinear cost Wiebke H ohn Technische Universit at Berlin Tobias Jacobs NEC Laboratories Europe 18th Combinatorial Optimization Workshop Aussois 2014 Generalized

1.06k views • 89 slides
From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning

From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning

From Python to PySpark and Back Again - Unifying Single-host and Distributed Machine Learning with Maggy Moritz Meister, @morimeister Software Engineer, Logical Clocks Jim Dowling, @jim_dowling Associate Professor, KTH Royal Institute of

505 views • 33 slides
Batch Processing Natacha Crooks - CS 6453 Data (usually) doesnt fit on a single machine

Batch Processing Natacha Crooks - CS 6453 Data (usually) doesnt fit on a single machine

Batch Processing Natacha Crooks - CS 6453 Data (usually) doesnt fit on a single machine CoinGraph (900GB) LiveJournal (1.1GB) Orkut (1.4GB) Twitter (between 5 and 20GB) Netflix Recommendation (2.5BGB) Sources: Musketer (Eurosys15),

1k views • 32 slides
MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND

MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND

MILLIONS OF TRANSACTIONS PER SECOND ON A SINGLE MACHINE CASE FOR A VIRTUALIZED DATABASE AND SCALE-IN ROGER JOHANSSON Who am I? Roger Johansson Actor Model, Scalability, Distributed Systems, C#, Senior Solution Architect Starcounter Go,

683 views • 37 slides
Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes Gkta - Elias Athanasopoulos - Michalis Polychronakis Herbert Bos - Georgios Portokalidis presented by: Flora Karniavoura Katerina Karagiannaki

376 views • 23 slides
Portability Problems Modularity Stick as much machine dependent code into a single module. When

Portability Problems Modularity Stick as much machine dependent code into a single module. When

Chapter - &lt;added&gt; Portability Problems Modularity Stick as much machine dependent code into a single module. When you change machines replace the module. Word Size The following works on 32-bit UNIX but fails on MS-DOS: int zip; zip

1.15k views • 11 slides
Cray XMT Scalable, multithreaded, shared memory machine Designed for single word

Cray XMT Scalable, multithreaded, shared memory machine Designed for single word

Cray XMT Scalable, multithreaded, shared memory machine Designed for single word random global access patterns Very good at large graph problems Next Generation Cray XMT Goals Memory System Improvements Improve

336 views • 31 slides
Desktop on the Linux (and *BSD of course) . . . youre doing it confused? weird? strange? wrong?

Desktop on the Linux (and *BSD of course) . . . youre doing it confused? weird? strange? wrong?

Desktop on the Linux (and *BSD of course) . . . youre doing it confused? weird? strange? wrong? Who? Wolfgang datenwolf Draxinger When? 27c3, 2010-12-27 DISCLAIMER This talk is: highly opinionated biased born out of frustration .

1.85k views • 169 slides
Constricting the Web Offensive Python for Web Hackers Yes, We are Weird Marcin Wielgoszewski

Constricting the Web Offensive Python for Web Hackers Yes, We are Weird Marcin Wielgoszewski

Constricting the Web Offensive Python for Web Hackers Yes, We are Weird Marcin Wielgoszewski Security Engineer Nathan Hamiel Principal Consultant Associate Professor at UAT This is Important Reliance on

683 views • 67 slides
R's weirdnesses are fun &amp; useful richfitz Rich FitzJohn R is a really weird language

R's weirdnesses are fun &amp; useful richfitz Rich FitzJohn R is a really weird language

R's weirdnesses are fun &amp; useful richfitz Rich FitzJohn R is a really weird language There are people who think of it as a statistical package - a free version of stata perhaps. Like stata, R includes lots of useful things Statistics

1.15k views • 95 slides

More recommend