Blind Return Oriented Programming (BROP) Attack-Attack Principle

Blind Return Oriented Programming (BROP) Attack-Attack Principle
0x00 Preface

The first time I posted an article in WooYun, I don't know whether it matches the taste of the audience.

This article is translated to my blog and mainly introduces a type of attack called BROP. This article mainly introduces the principle part. You can refer to my other blog to reproduce the attack.

BROP attacks are based on a paper published in Oakland 2014Hacking BlindThe author is Andrea Bittau from Standford. The following is a link to paper and slide:

Paper

Slide.

And BROP's original website address:

Blind Return Oriented Programming (BROP) Website

It can be said that this paper is one of the most exciting papers I have seen this year (none). If you want to use one word to describe it, then only "cannot be more handsome" can I express my love for it!

This article assumes that the reader has already understood the basic concepts of Return-Oriented Programming (ROP), so he just introduced the implementation principle of BROP. If you still don't know what a drop object is, please go out and turn left first, let's take a look at the Wiki introduction.

The implementation of BROP is really "cool" and "smart", and I hope to make it clear through this article.

 

0x01 BROP attack targets and prerequisites

Objective: To remotely attack an application by using the drop-down method and hijack the control flow of the application. We do not need to know the source code or any binary code of the application. The application can be protected by existing protection mechanisms such as NX, ASLR, PIE, and stack canaries, the server where the application is located can be a 32-bit or 64-bit system.

It seems very difficult to achieve this goal at first glance. In fact, this attack has two prerequisites:

• A known stack overflow vulnerability must exist first, and the attacker knows how to trigger the vulnerability;
• The server process will be revived after the crash, and the Resurrected process will not be re-rand (although ASLR is protected, but the address randomization of the Resurrected process is the same as that of the previous process ). This requirement is actually reasonable, because currently server applications such as nginx, MySQL, Apache, OpenSSH, and Samba all comply with this feature.

0x10 BROP Attack Process 1-remote dump memory

Because we do not know the memory layout of the attacked program, the first thing we need to do is to dump the program memory from the remote server to the local machine in some way, to do this, we need to call a system call.write, Input a socket file descriptor, as shown below:

Write (int sock, void * buf, int len)

Convert this system call into four assembly commands ,:

Therefore, from the perspective of the ROP attack, we only need to find four corresponding gadget, and then construct the memory addresses of these four gadget on the stack, and call them sequentially.

But the problem is that we don't even know the memory distribution. How can we find these four gadgets in the memory? Especially when the system deploys protection mechanisms such as ASLR and stack canaries, it seems that this is even harder.

So let's put this problem aside, remember this goal in our head, and make some preparations first.

Attack the Stack Canaries Protection

If you do not know what isstack canariesLet's take a look at this. In short, it is on the stack.return addressThe following shows a randomly generated number (as canary), which is checked when the function returns. If this canary is found to have been modified (possibly because the attacker overwrites the canary through buffer overflow and other attack methods ), then an error is reported.

So how can we break this layer of protection? One method is brute-force brute force cracking, but this is very inefficient. Here the author proposes a method called "stack reading:

Suppose this is the layout of the stack for overflow:

We can try multiple times to determine the overflow length (until the process is crash due to canary destruction, here it is4096+8=4104Bytes), then we fill in any value for the 4096 bytes, and try to restore the real canary one byte in sequence. For example, we fill in the 4,097th bytesx, IfxIf it is the same as the first byte in the original canary, the process will not crash, otherwise we will try the nextxIn this case, because there are only 256 possibilities for a single byte, we only need to try a maximum of 256 times to find a correct byte of canary, the process is as follows:

We can also use this method to saveframe pointerAndreturn address.

Search stop gadget

So far, we have obtained the appropriate canary to bypass the stack canary protection. The next goal is to find the four gadgets mentioned earlier.

Before looking for these specific gadgets, we need to first introduce a special gadget type:stop gadget.

Normallyreturn addressIf we overwrite some memory addresses that we randomly select, the program will probably be suspended (for example,return addressPointing to a code area, there will be some access to the NULL pointer, causing the program crash, so that the attacker's connection is closed ). However, there is another situation:return addressPointing to a code area, when the execution flow of the program jumps to that area, the program does not crash, but enters an infinite loop. At this time, the program is only hang there, attackers can keep their connections. Therefore, we convert this type of gadgetstop gadgetThis kind of gadget plays a vital role in finding other gadgets.

Find available (potentially useful) gadgets

Suppose we have found a program that can block the block.stop gadgetFor example, an infinite loop or a blocking system call (sleep), Then how do we find otheruseful gadgetsWhat about it? (Here "useful" refers to a gadget with some features, rather than a crash gadget ).

So far, we can only operate on stacks, and only overridereturn addressTo perform subsequent operations. Assume that we guessuseful gadgetFor examplepop rdi; retBut the process will jump to the next address on the stack after executing this gadget. If this address is an invalid address, the process will finally crash, in this process, attackers do not actually know thisuseful gadgetExecuted (because the final result is a process crash in the attacker's opinion), the attacker will think that nouseful gadgetTo discard it, as shown in this step:

However, if we havestop gadgetThe entire process will be very different.return addressThen fill in enoughstop gadgets, As shown in:

Then any gadget that will cause the process crash will eventually cause the process crash, and thoseuseful gadgetThe block status is displayed. Even so, there is a special case, that is, the gadget we need to try is alsostop gadgetAs described above, it will also be markeduseful gadget. However, this does not matter, because we still need to checkuseful gadgetWhether it is the gadget we want.

Last step: Remote dump memory

So far, it seems that the preparations have been completed. We can bypass canary protection and get a lot of "potential useful gadget" that will not cause crash, then, how can we find the four gadgets we mentioned earlier?

As shown in, to find the first two gadgets:pop %rsi; retAndpop %rdi; ret, We only need to find a so-calledBROP gadgetThis kind of gadget is very common. What it does is to restorecallee saved registersAnd an offset can be generated for it.pop %rdiAndpop %rsiThese two gadgets.

Unfortunatelypop %rdx; retThis gadget is not easy to find, and rarely appears in the Code. Therefore, the author proposes a method, comparedpop %rdxCommand, which he thinks can be usedstrcmpThis function call will assign the length of the string%rdxTo achieve the same effect. In additionstrcmpAndwriteThe call can be found in the Procedure Linking Table (PLT) of the program.

The following task is:

• Find the so-calledBROP Gadget;
• Find the corresponding PLT item.

Search BROP Gadget

In factBROP gadgetsThis is especially special because it needs to be sequential from the stackpopSix values and then executeret. So if we usestop gadgetYou can easily find this special gadget.stop gadgetFill in 6 addresses that may cause crash:

If anyuseful gadgetIf this condition is met and crash is not met, it is basicallyBROP gadgets.

Find PLT items

PLT is a jump table, which is generally located at the beginning of an executable program. This mechanism is mainly used to call external functions (such as libc) for applications ), for details, refer to the relevant Wiki. It has a unique signature: each item is 16 bytes aligned, and the address starting from 0th bytes points to the fast path of the function corresponding to the change item, the address starting from 6th bytes points to the slow path of the corresponding function:

In addition, most of the PLT items won't be crash due to the passed parameters, because many of them are system calls and will check the parameters. If there is a mistake, the EFAULT will be returned, does not cause crash. Therefore, attackers can use the following method to find the PLT: if the attacker finds many 16-byte consecutive alignment addresses, it will not cause the process crash, in addition, the crash process will not be caused by the 6 addresses, so it is likely that this is the corresponding item of a PLT.

How can we determine whether a PLT item is obtained?strcmpOrwriteWhat about it?

ForstrcmpFor example, the method proposed by the author is to pass in different parameter combinations and use this method to call the returned results for judgment. BecauseBROP gadget, We can easily control the first two parameters,strcmpThe following possibilities may occur:

arg1 | arg2 | result:--: | :--: | :--:readable | 0x0 | crash0x0 | readable | crash0x0 | 0x0 | crashreadable | readable | nocrash

Based on this signature, we can findstrcmpThe corresponding PLT item.

ForwriteCall, although it does not have this similar signature, we can check all the PLT items, and then trigger it to write data to a socket to checkwriteWhether it is called. IfwriteAfter being called, we can see the uploaded content locally.

The last step is how to confirm the transferwriteThe number of socket file descriptors. There are two methods: 1. call write several times at the same time, concatenate them, and pass in different file descriptors; 2. open multiple connections at the same time, and then use a relatively large file descriptor number to increase the possibility of matching.

By this step, attackers can.textThe segment is written to the local device through the socket in the memory, and then it can be decompiled to find more gadgets. At the same time, attackers can also dump information such as the symbol table, find other corresponding function items in PLT, as shown indup2Andexecve.

0x11 BROP attack process 2-attack implementation

So far, the most challenging part has been solved, and we can now get the entire memory space of the attacked process. Next we will do it step by step (translated from the paper ):

• Redirects the socket to standard input/output ). Attackers can usedup2Orclose, Keep updupOrfcntl(F_DUPFD). These can be found in PLT.
• Find in memory/bin/sh. One effective method is to find a writable memory region from the symbol table, suchenviron, And then/bin/shRead from attackers.
• execveShell. IfexecveIf it is not on PLT, attackers Need To Findpop rax; retAndsyscall.

In summary, the entire BROP attack process is as follows:

• Use a known stack overflow Vulnerability and stack reading to bypass the protection of stack canary and try out an available return address;
• Searchstop gadget: Generally, this is the address (sleep, etc.) called by the blocking system in the PLT. In this step, attackers can also find the legal item of the PLT;
• SearchBROP gadget: Attackers can control this step.writeThe first two parameters are called by the system;
• FindstrcmpAnd then control the length of the string%rdxAssign values, which can be controlled by attackers.writeThe third parameter of the system call;
• FindwriteItem: After this step, attackers can dump the entire memory from the remote end to the local end to find more gadgets;
• With the above information, you can create a shellcode to implement the attack.

0x100 postscript

The above is the principle of BROP attacks. This attack is reproduced in this blog post. If you are interested, go and have a look.

In fact, the coolest part of the attack process is the first step: How to dump the memory, and the subsequent steps are actually traditional drop-down attacks. After understanding the principle, the best way to understand the attack is to read the source code, which will be of great help to understand the entire ROP.