Re: Multipath-ROP: Tools available?

[halfdog <me () halfdog net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Rosenberg wrote:
> On Thu, Jul 21, 2011 at 3:15 AM, halfdog <me () halfdog net> wrote:
> > Out of personal interest, I am currently trying to exploit a 
> > buffer-overflow in apache using ROP. ...
>
> I'm assuming this is an Apache local, where you've got local access 
> as some user and want to gain the privileges of the Apache process 
> (which is often unprivileged anyway?)  ...

You are right, you need something like ftp-access to the data and some
other constraints met first. Only ssl-data or other-user's basic auth
data stealing would be of interest, the other data should be available
to an ftp-like setup anyway.

> > The idea:
> >
> > Let's assume, ....
> >
> > Does someone know about this method? If there are no tools 
> > available for that, I would like to create one, that uses 
> > markov-chains for library analysis and that should support
> > multiple CPU-archs.
>
> It's a good idea, but my first thought is the likelihood of 
> significantly reducing entropy seems pretty low.  Of course, a tool 
> would have far more exhaustive coverage in finding such gadgets as 
> compared to my preliminary manual inspection of a few sample 
> binaries, but depending on the size of the binary, I'd expect you to 
> only find a small handful of instances of parallel ROP gadgets.  And 
> when you only find a few instances, it doesn't really do any good at 
> all, because unless you can find parallel instruction sequences for 
> the entire ROP vocabulary needed for your exploit, you'll still have 
> a dependency on one particular guessed base.

No, I'm not hoping to rebuild the complete vocabulary. I hope that it is
possible, to find some "configurable" vocabulary, that e.g. uses the
content of one register as offset to the library and use the multiple
path technique to fill that configuration register. E.g. consider two
sequences separated by one page

page=a: pop eax; ret
page=b: pop pop esi; pop ebx; pop eax; ret

Stack content: [offset of lib-version a] [return address in version a]
[offset of lib-version b] [return address version b]

These two sequences will initialize eax with the liboffset value and
always jump to the correct next return address. If the next piece
contains a "configurable" words using eax, one could use it there. I
haven't searched for best patterns for "configurable" words, but at the
moment I hope that there might be enough of these.

Using some "add %esp,imm8; ret" words, one can correct the different
stack offsets, e.g. by putting that "correction" word at [return address
in version a]. I found enough of these so far.

> Even if given the benefit of the doubt and you actually manage to 
> find two series of instructions sequences that perform your entire 
> ROP payload, you've only succeeded in reducing entropy by a single 
> bit, which will give you a statistical advantage over not doing it 
> but still leave you with an exploit that is unlikely to succeed on 
> one attempt.  If you have many attempts (such as in Apache, I'm 
> assuming), then it's probably still easier to construct a single ROP 
> payload and brute force the base instead.

I guess, you are right. I'm just thinking a bit more on it and will
attempt to find enough "configurable" words and if found 3 or 4 parallel
pathes in libc.

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFOKGeuxFmThv7tq+4RAp18AJ9O0yq0c6LVHZDWLx/hgqBZU/9mwQCeNDAq
SFHTOTisYKGI+I95+/MawRE=
=KT6W
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/