DEF CON 31 - Advanced ROP Framework Pushing ROP to Its Limits - Brizendine, Kusuma

2,229 views

DEFCONConference

9 months ago

This research provides innovative contributions to return-oriented programming (ROP) not seen before. We introduce ROP ROCKET, a cutting-edge ROP framework, to be released at DEF CON. With ROCKET, when attacking 32-bit applications, we can switch between x86 and x64 at will by invoking a special ROP Heaven's Gate technique, thereby expanding the attack surface. We will discuss the ramifications of this novel approach.
Bypassing DEP via ROP is typically straightforward, using WinAPIs such as VirtualProtect and VirtualAlloc. We demonstrate an alternative: using Windows syscalls. In fact, ROCKET provides automatic ROP chain construction to bypass DEP using Windows syscalls. While extremely trendy, Windows syscalls are only very rarely used in ROP.
One problem with automatic chain construction is bad chars or bad bytes. We demonstrate how ROCKET allows us to use virtually any gadget whose address contains bad bytes. With this approach, automatic ROP chain construction is far less likely to fail. Thus, we overcome one of the major obstacles when creating a ROP chain: bad bytes, which needlessly reduce the attack surface. In fact, if one wanted, they could use ROCKET to "obfuscate" any gadget, obscuring what is being done.
This presentation will do the seemingly impossible and surprise even veteran users of ROP.

Comments: 2
@TheGuyWhoToldMeToTel 8 months ago
While I appreciated the ease of use the tool provides, it offers little flexibility in terms of customizing the chain or porting to other languages. While this is a fantastic tool for most uses, edge cases do exist and need to be addressed.
@BB-cl7kr 8 months ago
Thanks for checking out the tool. :-) When it automatically generates chains, it does it in two ways. Firstly, for ones using pushad, it will find several variants (maybe as many as a dozen different chains), and those are all given to the user. For some ROP chains using the mov deref / sniper style, rather than using pushad, it will typically just form the first variant possible. The goal here is to provide a chain that can do the specified task. With respect to customization, we will add more options later to vary some of the inputs, via UI and/or config. An example of such customization is a pointer to a string needed as a parameter. That may influence the resulting chain to differ in some gadgets being used. The intention is not to offer the users different ways to customize the chain themselves (they can do that manually on their own if they wish), but just to again find at least one that works - or if it is using pushad, then it will provide them with several chains. We are continuously working on this and have several new chains being worked on, to be added to the tool at a later time. We are also working on ways to expand the attack surface, by considering more edge cases and alternative ways of doing things, so stay tuned, as this tool is under active development and continuously evolving. There are also other new, unrelated features under active development.