1 / 44

ARM Exploitation ropmap

ARM Exploitation ropmap. Long Le – Thanh Nguyen {longld, thanh }@ vnsecurity.net. PacSec 2011. ABOUT US. VNSECURITY.NET CLGT CTF team

tia
Download Presentation

ARM Exploitation ropmap

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ARM Exploitation ropmap Long Le – Thanh Nguyen {longld, thanh}@vnsecurity.net PacSec 2011

  2. ABOUT US • VNSECURITY.NET • CLGT CTF team Disclaimer: The opinions and research presented here are solely VNSECURITY research group and do not represent the opinions and research of any other organization / company ARM EXPLOITATION ROPMAP

  3. Motivation • There is no public ARM ROP toolkit • objdump/otool + grep • ROP shellcode/payload are hardcoded • Simple gadgets beat complex automation • comex’sjailbreakme ARM EXPLOITATION ROPMAP

  4. In this talk • Extending x86 ROP toolkit to ARM • Intermediate Language for ROP shellcode • Implementing ROP automation for ARM • ROP shellcode to gadget chains • Gadget chains to payload ARM EXPLOITATION ROPMAP

  5. AT the end ARM EXPLOITATION ROPMAP

  6. Extending x86 ROP toolkit to ARM ARM EXPLOITATION ROPMAP

  7. x86 to arm: registers ARM EXPLOITATION ROPMAP

  8. x86 to arm: ASSEMBLY ARM EXPLOITATION ROPMAP

  9. x86 to arm: SHELLCODE ARM EXPLOITATION ROPMAP

  10. x86 to arm: ROP gadgets ARM EXPLOITATION ROPMAP

  11. Finding gadgets • Search for “RET” • pop {…, pc} • “.\x80\xbd\xe8” (ARM) • “.\xbd” (THUMB) • bx Rm / blxRm • “.\xff\x2f\xe1” (ARM) • “.\x47” (THUMB) • Disassemble backward • Every 2-byte or 4-bytes • Use your own ARM disassembly library ARM EXPLOITATION ROPMAP

  12. QUICK Demo ARM EXPLOITATION ROPMAP

  13. Intermediate languageFOR rop shellcode ARM EXPLOITATION ROPMAP

  14. ROP SHELLCODE • Common payloads • Chain library calls • Disable DEP/NX • Transfer and execute normal shellcode • Common operations • Registers assignment • Data movement • Make function call or syscall source: comex’s star_ framework ARM EXPLOITATION ROPMAP

  15. rop intermediate LANGUAGE • Simple pseudo-assembly language • 6 instructions • Native registers • Easy to read / write / implement ARM EXPLOITATION ROPMAP

  16. ROP IL INSTRUCTION LHS RHS • ROP instructions • LOAD • STORE • ADJUST • CALL • SYSCALL • NOP • LHS/RHS types • REG: register • VAL: value • REF: register reference • MEM: memory reference • NON ARM EXPLOITATION ROPMAP

  17. ROP IL: LOAD • Load value to register ARM EXPLOITATION ROPMAP

  18. ROP IL: STORE • Store value to memory ARM EXPLOITATION ROPMAP

  19. ROP IL: ADJUST • Add/subtract value to/from register ARM EXPLOITATION ROPMAP

  20. ROP IL: CALL • Call/jump to function ARM EXPLOITATION ROPMAP

  21. ROP IL: SYSCALl • System call ARM EXPLOITATION ROPMAP

  22. Sample shellCode (1) • mprotect(writable, size, flag) • LOAD r0, #writable • LOAD r1, #size • LOAD r2, #flag • LOAD r7, #0x7d • SYSCALL • execve(“/bin/sh”, 0, 0): known “/bin/sh” address • LOAD r0, #binsh_address • LOAD r1, #0 • LOAD r2, #0 • LOAD r7, #0xb • SYSCALL ARM EXPLOITATION ROPMAP

  23. Sample shellcode (2) • execve(“/bin/sh”, 0, 0): use known writable data region to store “/bin/sh” • STORE [#writable], #0x6e69622f ; “/bin” • STORE [#writable+0x4], #0x68732f ; “/sh” • LOAD r0, #writable • LOAD r1, #0 • LOAD r2, #0 • LOAD r7, #0xb • SYSCALL ARM EXPLOITATION ROPMAP

  24. sample HIGH level wrapper (1) • syscall(sysnum, *args) • LOAD r0, #arg1 • LOAD r1, #arg2 • LOAD r2, #arg3 • LOAD r3, #arg4 • LOAD r4, #arg5 • LOAD r5, #arg6 • LOAD r7, #sysnum • SYSCALL ARM EXPLOITATION ROPMAP

  25. Sample HIGH level wrapper (2) • funcall(address, *args) • LOAD r0, #arg1 • LOAD r1, #arg2 • LOAD r2, #arg3 • LOAD r3, #arg4 • $arg5 • … • CALL #address ARM EXPLOITATION ROPMAP

  26. Sample HIGH level wrapper (3) • save_result(target) • STORE [#target], r0 • write4_with_offset(reference, value, offset) • LOAD r0, [#reference] • ADJUST r0, #offset • STORE [r0], #value ARM EXPLOITATION ROPMAP

  27. IMPLEMETATION:THE ROPMAP ARM EXPLOITATION ROPMAP

  28. ROP automation • Automation is expensive • Instructions formulation • SMT/STP Solver • Known toolkits • DEPLib • Mini ASM language • No ARM support • Roppery (WOLF) • REIL • Not public ARM EXPLOITATION ROPMAP

  29. the ropmap • ROPMAP • Direct mapping ROP instructions to ASM gadgets • LHS/RHS type is available in ASM gadgets • Primitive gadgets • CHAINMAP • Indirect mapping ROP instructions to ROP chains • LHS/RHS type is not available in ASM gadgets • Engine to search and chain gadgets together • Payload generator ARM EXPLOITATION ROPMAP

  30. SAMPLE ROPMAP: LOAD mov Rm, #value mov Rm, Rn pop {Rm, …, pc} add Rm, Rn LOAD Rm, #value LOAD Rm, Rn ldr Rm, [sp …] sub Rm, Rn LOAD Rm, [Rn] ldr Rm, [Rn …] LOAD Rn, #addr LOAD Rm, [Rn] LOAD Rm, [#addr] ARM EXPLOITATION ROPMAP

  31. SAMPLE ROPMAP: STORE STORE [Rm], Rn str Rn, [Rm …] LOAD Rn, #value STORE [Rm], Rn STORE [Rm], #value LOAD Rn, [#addr] STORE [Rm], Rn STORE [Rm], [#addr] LOAD Rn, [#target] STORE [Rn], Rm STORE [#target], Rm LOAD Rm, #value STORE [#target], Rm STORE [#target], #value LOAD Rn, [#addr] STORE [#target], Rn STORE [#target], [#addr] ARM EXPLOITATION ROPMAP

  32. ASSEMBLER ENGINE • Assumptions • Binary has enough primitive gadgets • Chaining primitive gadgets is easier than finding complex gadgets • Approach • Search for gadget candidates • Sort gadgets (simple scoring) • Chain gadgets by pair matching • LHS vs RHS • LHS vs LHS • Apply basic validation rules • Operands matching • Tainted registers checking ARM EXPLOITATION ROPMAP

  33. Pair matching pop {r4 pc} MATCHED MATCHED MATCHED ldr r0 [r4 #4] ; pop {r4 r5 r6 r7 pc} STORE [#target], [#addr] pop {r4 pc} str r0 [r4 #16] ; mov r0 r3 ; pop {r1 r2 r3 r4 r5 pc} ARM EXPLOITATION ROPMAP

  34. Gadget validation ldr r6 [r5 #4] ; sub r0 r0 r6 ; pop {r4 r5 r6 pc} LOAD r6, [r5] TAINTED TAINTED ldr r1 [r5 #36] ; ldr r5 [r4 #36] ; sub r0 r1 r5 ; add sp sp #36 ; pop {r4 r5 r6 r7 pc} STORE [r1], [r5] ARM EXPLOITATION ROPMAP

  35. ROP SHELLCODE to gadget chains • execve(“/bin/sh”, 0, 0) # ROP code: load r0, #0xdeadbeef --------------------------------------------------------------------0xdc68L : pop {r0 pc} ;; --------------------------------------------------------------------# ROP code: load r1, #0 ------------------------------------------------------------------- 0x16a6dL : pop {r1 r7 pc} ;; -------------------------------------------------------------------- # ROP code: load r2, #0 -------------------------------------------------------------------- 0x30629L : pop {r2 r3 r6 pc} ;; --------------------------------------------------------------------# ROP code: load r7, #0xb --------------------------------------------------------------------0x16a6dL : pop {r1 r7 pc} ;; --------------------------------------------------------------------# ROP code: syscall --------------------------------------------------------------------0xc734L : svc 0x00000000 ; pop {r4 r7} ; bx lr ;; -------------------------------------------------------------------- ARM EXPLOITATION ROPMAP

  36. Payload generator (1) • Input • ROP IL instructions • Gadgets • Constant values • Constraints and values binding • Output • Stack layout • Output can be used for high level ROP wrapper • Not size optimized ARM EXPLOITATION ROPMAP

  37. Payload generator (2) • Approach • Gadgets emulation • Emulate stack related operations • Write back required value to stack position • LHS/RHS reverse matching • Simple math calculation • Feed back values binding to next instructions ARM EXPLOITATION ROPMAP

  38. REVERSE matching r4 = #address - 4 MATCHED (1) MATCHED (2) pop {r4 pc} LOAD r0, [#address] ldr r0 [r4#4] ; pop {r4 r5 r6 r7 pc} r4 = #address - 4 ARM EXPLOITATION ROPMAP

  39. GADGET emulation • Single gadget • Only stack related operations JUNK+4 uninitialized registers JUNK+3 SP = SP+3 JUNK+2 JUNK+2 SP r7 = JUNK+2 JUNK+1 JUNK+1 r3 = JUNK+1 JUNK JUNK r2 = JUNK SP Execute pop {r2 r3 r7 pc} ;; Init state r2 = 0x0 r7 = 0xb value constraints ARM EXPLOITATION ROPMAP

  40. stack Write back • Payload = values on stack SP SP = SP+3 0xb JUNK+2 SP r7 = JUNK+2 JUNK+1 JUNK+1 r3 = JUNK+1 pop {r2 r3 r7 pc} ;; 0x0 JUNK Payload r2 = JUNK r2 = 0x0 r7 = 0xb Write back ARM EXPLOITATION ROPMAP

  41. OUTPUT payload • execve(“/bin/sh”, 0, 0) # ROP code: load r0, #0xdeadbeef # pop {r0 pc} [ BASE+0x2d38, 0xdeadbeef ] # ------------------------------------------------------------------ # ROP code: load r1, #0 # pop {r1 r7 pc} [ BASE+0xbb3d, 0x0, 0x4b4e554b ] # ------------------------------------------------------------------ # ROP code: load r2, #0 # pop {r2 r3 r6 pc} [ BASE+0x256f9, 0x0, 0x4b4e554b, 0x4b4e554c ] # ------------------------------------------------------------------ # ROP code: load r7 # pop {r1 r7 pc} [ BASE+0xbb3d, 0x0, 0xb ] # ------------------------------------------------------------------ # ROP code: syscall # svc 0x00000000 ; pop {r4 r7} ; bx lr [ BASE+0x1804, 0x4b4e554a, 0xb ] # ------------------------------------------------------------------ ARM EXPLOITATION ROPMAP

  42. DEMO ARM EXPLOITATION ROPMAP

  43. FUTURE plan • Optimize output payload • Reduce duplication • Support ARM Thumb-2 • More gadgets • Extend to x86/x86_64 (partial now) • Conditional jump, loop instructions ARM EXPLOITATION ROPMAP

  44. THANK YOUQ &A ARM EXPLOITATION ROPMAP

More Related