SlideShare a Scribd company logo

Modern Exploit Techniques: Return Oriented Programming

A
Alexandre Moneger

Buffer overflow exploitation without operating system protections is a well understood subject. But how does one achieve the same results with all protections enabled (N/X, ASLR, …). Hint: re-use what the vulnerable binary offers you.

Engineering
1 of 15
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 “Mind the Gap” Security Briefings + Training May 6th-8th, 2014 Alex Moneger, Security Engineer ROP ‘n’ ROLL, a peak into modern exploits May 2014
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 1. Why BoF exploitation doesn’t work anymore 2. OS defenses 3. Return Oriented Programming concepts 4. Attack flow 5. Mitigations
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 • Short buffer, long string • Overflow into the stack management zones • Take control of execution flow • Return into buffer and execute shellcode NOP sled Shellcode SC Add ress
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 • Reliably know the buffer’s address • Be able to execute code in a data section • Needs to overwrite return address
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 • ASLR => buffer address is non-predictable • NX => Can’t execute shellcode on the stack • Other compiler level protections I wont mention • Attacker objective => Bypass ASLR and NX: Find a spot which uses predictable addresses (bypass ASLR) Build in memory payload (bypass NX) • Hard but hard enough?
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 • Stands for Return Oriented Programming • Uses your code to get execution • Control stack pointer register instead of instruction pointer • Only way to exploit a modern OS • Used in recent exploits since a few years • No good mitigation
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 • ASLR does not randomize .text section • .text section holds the code of the binary • Use the target to execute code for us • Find asm instructions (gadgets) from target to build payload • Use multiple “stages”
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 • Looking for gadgets we can re-use • These come from the target binary itself • Examples: # Load a value in register 0x8048502L: pop ebx ; pop ebp ; ret; # Move a value from register and put it in memory 0x80484feL: add [ebx+0x5d5b04c4] eax ; ret; # Call function in 0x804c244L: call edx ; leave ; ret;
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 • Needs gadgets at predictable locations • Uses the binary itself to execute code • At first ROP does not execute anything, your code does • Turn off/change OS protections • Then execute payload
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 • Control the stack/heap (as usual) • Locate a fake stack location • Use the gadgets previously found to build our payload on the fake stack • Transfer control to the fake stack • Execute payload
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Attacker controlled memory Fake Stack Code section
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 • Position independent code (GCC => -pie -fpie): Randomizes code section (full ASLR) More expensive at runtime (all addresses are relative) • No other “real world” mitigations
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 • Modern attacks can bypass OS protections • A security bug in your code can be exploited • Catch and fix security bugs early • Again: OS protections are not a silver bullet, but they make life harder for the attacker • Make them work!
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 Thank you.

Recommended

Down by the Docker
Down by the DockerDown by the Docker
Down by the DockerNotSoSecure Global Services
 
Custom Rules & Broken Tools
Custom Rules & Broken ToolsCustom Rules & Broken Tools
Custom Rules & Broken ToolsNotSoSecure Global Services
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for PentestersNotSoSecure Global Services
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Install dev stack
Install dev stackInstall dev stack
Install dev stackBasim Aly (JNCIP-SP, JNCIP-ENT)
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpnantitree
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 

Recommended

Down by the Docker
Down by the DockerDown by the Docker
Down by the DockerNotSoSecure Global Services
 
Custom Rules & Broken Tools
Custom Rules & Broken ToolsCustom Rules & Broken Tools
Custom Rules & Broken ToolsNotSoSecure Global Services
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for PentestersNotSoSecure Global Services
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Install dev stack
Install dev stackInstall dev stack
Install dev stackBasim Aly (JNCIP-SP, JNCIP-ENT)
 
Nsa and vpn
Nsa and vpnNsa and vpn
Nsa and vpnantitree
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Cloud Native Day Tel Aviv
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network AnalysisJoel W. King
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 SecuritySkeeve Stevens
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Presentation hybrid cloud
Presentation hybrid cloudPresentation hybrid cloud
Presentation hybrid cloudKaran Chhabra
 
Being Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterBeing Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterOPNFV
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundaryPatrick Fussell
 
Container Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyContainer Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyFaheem Memon
 
BEST REST in OpenStack
BEST REST in OpenStackBEST REST in OpenStack
BEST REST in OpenStackVikram G Hosakote
 
Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HashiCorp User Group
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpadantitree
 
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月VirtualTech Japan Inc.
 
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...OPNFV
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Cloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationCloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationVikram G Hosakote
 
Moving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecMoving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecOpenStack
 
OpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsOpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsKota Tsuyuzaki
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security MmanagementSuresh Thivanka Rupasinghe
 
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 

More Related Content

What's hot

Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secretsCameron More
 
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Cloud Native Day Tel Aviv
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network AnalysisJoel W. King
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Presentation hybrid cloud
Presentation hybrid cloudPresentation hybrid cloud
Presentation hybrid cloudKaran Chhabra
 
Being Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterBeing Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterOPNFV
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundaryPatrick Fussell
 
Container Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyContainer Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyFaheem Memon
 
Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpadantitree
 
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月VirtualTech Japan Inc.
 
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...OPNFV
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
Cloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationCloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationVikram G Hosakote
 
Moving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecMoving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecOpenStack
 
OpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsOpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsKota Tsuyuzaki
 

What's hot (20)

Hug #9 who's keeping your secrets
Hug #9 who's keeping your secretsHug #9 who's keeping your secrets
Hug #9 who's keeping your secrets
 
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
Kafka Mirror Tester: Go and Kubernetes Powered Test Suite for Kafka Replicati...
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network Analysis
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Presentation hybrid cloud
Presentation hybrid cloudPresentation hybrid cloud
Presentation hybrid cloud
 
Being Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from MasterBeing Brave: Deploying OpenStack from Master
Being Brave: Deploying OpenStack from Master
 
Between you me and the network security boundary
Between you me and the network security boundaryBetween you me and the network security boundary
Between you me and the network security boundary
 
Container Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with TrivyContainer Security Vulnerability Scanning with Trivy
Container Security Vulnerability Scanning with Trivy
 
BEST REST in OpenStack
BEST REST in OpenStackBEST REST in OpenStack
BEST REST in OpenStack
 
Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013Puppet for Production in WebEx - PuppetConf 2013
Puppet for Production in WebEx - PuppetConf 2013
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vault
 
Laverna vs etherpad
Laverna vs etherpadLaverna vs etherpad
Laverna vs etherpad
 
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
OPNFV Doctor - OpenStack最新情報セミナー 2017年7月
 
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
Demo how to efficiently evaluate nf-vi performance by leveraging opnfv testi...
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Cloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test AutomationCloud-based Virtualization for Test Automation
Cloud-based Virtualization for Test Automation
 
Moving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTecMoving to Cloud for Good: Alexander Tsirel, HiveTec
Moving to Cloud for Good: Alexander Tsirel, HiveTec
 
OpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorletsOpenStack Swiftの最新機能とStorlets
OpenStack Swiftの最新機能とStorlets
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security Mmanagement
 

Similar to Modern Exploit Techniques: Return Oriented Programming

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Considerations for Operating An OpenStack Cloud
Considerations for Operating An OpenStack CloudConsiderations for Operating An OpenStack Cloud
Considerations for Operating An OpenStack CloudMark Voelker
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Anne Nicolas
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldKernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldAnne Nicolas
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
Mysql performance tuning
Mysql performance tuningMysql performance tuning
Mysql performance tuningPhilip Zhong
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011Scott Carlson
 
Considerations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudConsiderations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudAll Things Open
 

Similar to Modern Exploit Techniques: Return Oriented Programming (20)

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Considerations for Operating An OpenStack Cloud
Considerations for Operating An OpenStack CloudConsiderations for Operating An OpenStack Cloud
Considerations for Operating An OpenStack Cloud
 
Directors scrum review
Directors scrum reviewDirectors scrum review
Directors scrum review
 
OpenDataPlane Project
OpenDataPlane ProjectOpenDataPlane Project
OpenDataPlane Project
 
MySQL NoSQL APIs
MySQL NoSQL APIsMySQL NoSQL APIs
MySQL NoSQL APIs
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid!
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason DonenfeldKernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
Kernel Recipes 2018 - Zinc: minimal lightweight crypto API - Jason Donenfeld
 
Managers monthly review
Managers monthly reviewManagers monthly review
Managers monthly review
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
Mysql performance tuning
Mysql performance tuningMysql performance tuning
Mysql performance tuning
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
 
Considerations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack CloudConsiderations for Operating an OpenStack Cloud
Considerations for Operating an OpenStack Cloud
 

More from Alexandre Moneger

Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceAlexandre Moneger
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacksAlexandre Moneger
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old daysAlexandre Moneger
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 

More from Alexandre Moneger (9)

Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacks
 
NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then ice
 
Practical rsa padding oracle attacks
Practical rsa padding oracle attacksPractical rsa padding oracle attacks
Practical rsa padding oracle attacks
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friend
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 

Recently uploaded

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGSIVASHANKAR N
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 

Recently uploaded (20)

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 

Modern Exploit Techniques: Return Oriented Programming

  • 1. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 “Mind the Gap” Security Briefings + Training May 6th-8th, 2014 Alex Moneger, Security Engineer ROP ‘n’ ROLL, a peak into modern exploits May 2014
  • 2. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 1. Why BoF exploitation doesn’t work anymore 2. OS defenses 3. Return Oriented Programming concepts 4. Attack flow 5. Mitigations
  • 3. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
  • 4. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 • Short buffer, long string • Overflow into the stack management zones • Take control of execution flow • Return into buffer and execute shellcode NOP sled Shellcode SC Add ress
  • 5. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 • Reliably know the buffer’s address • Be able to execute code in a data section • Needs to overwrite return address
  • 6. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 • ASLR => buffer address is non-predictable • NX => Can’t execute shellcode on the stack • Other compiler level protections I wont mention • Attacker objective => Bypass ASLR and NX: Find a spot which uses predictable addresses (bypass ASLR) Build in memory payload (bypass NX) • Hard but hard enough?
  • 7. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 • Stands for Return Oriented Programming • Uses your code to get execution • Control stack pointer register instead of instruction pointer • Only way to exploit a modern OS • Used in recent exploits since a few years • No good mitigation
  • 8. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 • ASLR does not randomize .text section • .text section holds the code of the binary • Use the target to execute code for us • Find asm instructions (gadgets) from target to build payload • Use multiple “stages”
  • 9. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 • Looking for gadgets we can re-use • These come from the target binary itself • Examples: # Load a value in register 0x8048502L: pop ebx ; pop ebp ; ret; # Move a value from register and put it in memory 0x80484feL: add [ebx+0x5d5b04c4] eax ; ret; # Call function in 0x804c244L: call edx ; leave ; ret;
  • 10. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 • Needs gadgets at predictable locations • Uses the binary itself to execute code • At first ROP does not execute anything, your code does • Turn off/change OS protections • Then execute payload
  • 11. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 • Control the stack/heap (as usual) • Locate a fake stack location • Use the gadgets previously found to build our payload on the fake stack • Transfer control to the fake stack • Execute payload
  • 12. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Attacker controlled memory Fake Stack Code section
  • 13. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 • Position independent code (GCC => -pie -fpie): Randomizes code section (full ASLR) More expensive at runtime (all addresses are relative) • No other “real world” mitigations
  • 14. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 • Modern attacks can bypass OS protections • A security bug in your code can be exploited • Catch and fix security bugs early • Again: OS protections are not a silver bullet, but they make life harder for the attacker • Make them work!
  • 15. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 Thank you.