Using ROP Attack technology

Background

The RET2LIBC and RET2PLT are described earlier, and the common point of the two attack techniques is that the function parameters are passed through the stack, which is also the calling convention of the i386 architecture. However, with the popularity of 64-bit servers, and then more and more widespread, almost all servers are upgraded to 64-bit hardware.

X86_64 is inherently free

According to the calling convention of the x86_64 ABI, the transfer parameters between functions are no longer in the form of a stack, but instead are passed as registers, and the first 6 parameters are transmitted sequentially by RDI, RSI, RDX, RCX, R8, and R9.

On a Linux system, the 64-bit architecture uses only 48-bit virtual address space, which means that each address has a height of 16 bits all 0, so the address is naturally 64 on the 0-bit system.

The attack method described earlier seems to be useless overnight, and soon security personnel, based on the Ret2plt attack method, made an upgrade of the tablet attack method, called the ROP (Return-oriented programming) method.

What is ROP

ROP, as the name implies, is a programming method for return statements , which borrows a piece of instruction from a libc code snippet before it is made into an effective logic to achieve the target of the attack.

Why is RETQ, because the RETQ command returns to where it was executed, determined by the content on the stack, which is an easily controlled address by the attacker.

How to control the parameter is to use the pop reg instruction before the retq execution, to bounce the contents of the stack onto the register of instructions to achieve the expected

A RETQ instruction may not be able to complete the precondition of attacking the target, that can control the RETQ instruction on the stack to jump to another section of the RETQ instruction table, if it does not reach the target, then jumps to another retq until the target is implemented.

In the Ret2plt attack method, we use the PPR (pop, pop, ret) instruction sequence to implement multiple strcpy function calls sequentially, which is actually one of the simplest uses of ROP. ROP is an upgraded version of RET2PLT.

Is the ROP method very skillful, and can it be fully capable of all attacks? Does the instruction before the return statement fail to implement the intended attack target because it is functionally single? The industry Daniel has fully researched and proved that the ROP method is Turing-complete, in other words, ROP can use LIBC's instructions to implement any logic function.

Attack instances

Here omit the alignment EIP and vulnerability Code analysis, go straight to the topic, how to construct the ROP directive to implement the attack logic.

Simply put, the target of the attack is to implement system ("echo Success") this function call.

First, the parameter of the call system is the address of the "echo Success" string, and the string is the content of the stack injection, and its address should be RSP + offset. When a function is called, the first parameter is placed inside the RDI. Therefore, it is necessary to find the command sequence of RDI = RSP + offset logic equivalent from libc inside, before the RETQ or call *reg instruction, and find the following two instructions:

0x7ffff7a610a3      0x120(%rsp),%rdi0x7ffff7a610ab      call    %rax

This allows the "echo success" string to be arranged in the location of the RSP + 0x120. But the next instruction is to command call%rax, so it is necessary to control the value of Rax before the instruction segment must be the address of the system function.

Then, want to put the system address to rax quite easy, just need to retq instruction order, find the pop Rax instructions, from the libc inside find, found as follows:

0x7ffff7a3b076    pop %rax0x7ffff7a3b077    pop %rbx0x7ffff7a3b078    pop %rbp0x7ffff7a3b0f9    retq

Then, build the following order of execution:

Pop%rax <-here pops up the system function address
Pop%RBX
Pop%RBP
Retq <-here jumps from the stack to the next instruction

Lea 0X120 (ESP),%rdi <– need to arrange the "echo success" position so that the RSP + 0x120 at this time is exactly a string address
Call *%rax <– calls system with exactly the parameters.

View the address of the system function through GDB:

system$4 = {<textvariable0x7ffff7a61310 <system>

So it's easy to inject content into the stack:
0x7fffff7a3b076 + Address of system + DUMMY1 + dummy2 + 0x7ffff7a610a3 +dummy (0x120) + "echo Success"

Attack diagram

In the above attack instance, the instruction executes and the stack is injected into the memory layout as shown.

ROP can do whatever it wants

As mentioned above, some researchers say that the sequence of code fragments borrowed by ROP attacks is Turing-complete, that is, the program contains sequential execution statements (this is nonsense), branching statements, and even looping statements.

A little anti-compilation or reverse engineering experience, or the C language generated by the assembly structure familiar with know that the retq instruction is the function of the return instruction, before the instruction is the stack instructions (such as pop Rax, pop RBX, etc.), how can appear branch refers to only (BNE, etc.), or even circular instructions?

Yes, it's true, but it's not the whole truth. If you reverse-engineer the GLIBC, you will find that the RETQ directive is full of exclusively pop instructions, but in fact the attackers always do not follow the regular cards.

The X86 instruction set is a CISR instruction set with a high degree of density, part of an instruction, or a new directive.

The attacker is using this as a non-regular card. The RETQ instruction has only one byte, which is C3. By writing the tool, the glibc is scanned, the contents of the C3 instructions are found, and then the various possible instructions are decoded forward to form a command table. These instruction tables will be very rich, with operational instructions, jump commands, and a visit instruction. Using them can form Turing's complete computational logic.

Copyright NOTICE: This article is the original article of Bo Master, please indicate the author and source by the courtesy reprint

Using ROP Attack technology