![BUT IT WON’T WORKS ON X64
• On x64 Linux, code section and data section are not adjacent
• Code at 0x400000, data at 0x600000
• Symbol version check is enabled by default
• Fail to find VERSYM and raise SEGV
• We need to read the pointer link_map@got and overwrite
[link_map+0x1c8] to 0
13](https://image.slidesharecdn.com/20160427lightningtalks-160427155735/85/Self-Introduction-The-Story-that-I-Tried-to-Make-Sayonara-ROP-Chain-in-Linux-13-320.jpg)
Self Introduction & The Story that I Tried to Make Sayonara ROP Chain in Linux
- 1. SELF INTRODUCTION & THE STORY THAT I TRIED TO MAKE SAYONARA ROP CHAIN IN LINUX 2016/04/27 Lightning Talks inaz2
- 2. ABOUT ME • inaz2 • http://twitter.com/inaz2 • Security engineer & Python programmer • AVTOKYO 2014 & 2015 speaker • Weblog: Momoiro Technology • http://inaz2.hatenablog.com/ • Written in Japanese but Google Translate will help us 2
- 3. LOW LAYER AND ME • Got in touch at Plaid CTF 2013 (year of ropasaurusrex) • Tried to understand exploitation for 3 years • “ROP Illmatic: Exploring Universal ROP on glibc x86-64” (AVTOKYO 2014) • Introduced Return-to-dl-resolve technique • Introduced JIT-ROP techniques in Linux • Wrote “roputils” library for writing stable exploit codes • “Abusing Interrupts for Reliable Windows Kernel Exploitation” (AVTOKYO 2015) • Verified IDT overwrite techniques still work in 32 bit Windows 3
- 4. 4
- 5. LOW LAYER AND ME • Got in touch at Plaid CTF 2013 (year of ropasaurusrex) • Tried to understand exploitation for 3 years • “ROP Illmatic: Exploring Universal ROP on glibc x86-64” (AVTOKYO 2014) • Introduced Return-to-dl-resolve technique • Introduced JIT-ROP techniques in Linux • Wrote “roputils” library for writing stable exploit codes • “Abusing Interrupts for Reliable Windows Kernel Exploitation” (AVTOKYO 2015) • Verified IDT overwrite techniques still work in 32 bit Windows 5
- 6. 6
- 7. LOW LAYER AND ME • Got in touch at Plaid CTF 2013 (year of ropasaurusrex) • Tried to understand exploitation for 3 years • “ROP Illmatic: Exploring Universal ROP on glibc x86-64” (AVTOKYO 2014) • Introduced Return-to-dl-resolve technique • Introduced JIT-ROP techniques in Linux • Wrote “roputils” library for writing stable exploit codes • “Abusing Interrupts for Reliable Windows Kernel Exploitation” (AVTOKYO 2015) • Verified IDT overwrite techniques still work in 32 bit Windows 7
- 8. 8
- 9. SAYONARA ROP CHAIN • https://www.corelan.be/index.php/2011/07/03/universal- depaslr-bypass-with-msvcr71-dll-and-mona-py/ • Universal ASLR & NX/DEP bypass in Windows x86 • Use gadgets in non-ASLR DLLs • Metasploit also generates its variant by generate_rop_payload() 9
- 10. 10
- 11. TRYING TO MAKE LINUX VERSION • Return-to-dl-resolve technique works in x86 Linux (w/o PIE) 1. Send crafted symbol structure to fixed address (bss section etc.) 2. Call it by dl-resolve@plt with adjusted arguments • We don’t have to do stack pivot 11
- 12. 12
- 13. BUT IT WON’T WORKS ON X64 • On x64 Linux, code section and data section are not adjacent • Code at 0x400000, data at 0x600000 • Symbol version check is enabled by default • Fail to find VERSYM and raise SEGV • We need to read the pointer link_map@got and overwrite [link_map+0x1c8] to 0 13
- 14. 14
- 15. RECAP • I tried to make universal ROP chain for Linux • For x86, succeeded by return-to-dl-resolve technique • But for x64, we have to traverse link_map and patch • Heavy task for ROP… Game Over \(^o^)/ 15
- 16. REFERENCE • Advanced return-into-lib(c) exploits (PaX case study) (Phrack 58) • http://phrack.org/issues/58/4.html • Return to Dynamic Linker (Codegate 2014 Junior) • http://www.codegate.org/content/board/post_list.php?bid=48&q=Retu rn+to+Dynamic+Linker • How the ELF Ruined Christmas (USENIX Security 2015) • https://www.usenix.org/conference/usenixsecurity15/technical- sessions/presentation/di-frederico 16