aslr-brop.md (1775B)
+++
title = 'ASLR BROP'
+++

# ASLR BROP

## Fine-grained ASLR

Randomize even relative addresses:
- shuffle around (parts of) functions
- rewrite functions: change registers, replace instructions, add random NOPs
- only possible at compile time; sharing (e.g. libraries) becomes difficult

Breaking it with JIT-ROP:
- suppose the attacker can leak a single code pointer
- then:
  1. Recursively:
     - use code pointers to read the target code page (this is safe)
     - identify gadgets on that code page
     - leak code pointers on that page
  2. "Compile" the ROP payload on the fly (Just In Time)

Side channel: crash/no-crash
- requirements: a stack vulnerability and knowing how to trigger it, plus a server process that respawns after a crash

Blind Return-Oriented Programming (BROP):
1. Break ASLR
   - stack reading:
     - overwrite a single byte with value X
     - no crash: the stack had value X
     - crash: the guess X was wrong
   - three types of gadgets:
     - stop gadget: never crashes (e.g. always hangs)
     - crash gadget: always crashes
     - useful gadget: whether it crashes depends on where it returns
2. Leak the binary:
   - remotely find enough gadgets to call write()
   - there might be a BROP gadget: `pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret`
     - at offset 0x7 it yields `pop rsi`
     - at offset 0x9 it yields `pop rdi`
   - finding it: a pop gadget skips a crash gadget, so put 6 crash gadgets and a stop gadget on the stack; the BROP gadget will not crash
   - `pop rdx; ret` is rare; look instead for strcmp, which sets rdx to the length of a string
   - find write and strcmp in the PLT, the jump table to external functions
   - write() the binary from memory to the network, disassemble it, and find more gadgets to finish the exploit
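The crash/no-crash side channel only works against a server that respawns after every crash, so from the defender's side the observable signature is a burst of segfaulting workers being restarted. The following is an added example, not part of the original notes: a small detector over constructed supervisor-style log lines (the log format and the `srv`/`db` service names are assumptions) that alerts when one service's workers die on a memory-fault signal more than a threshold number of times inside a sliding window.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed supervisor-style log format, e.g.
#   2024-01-01T12:00:05 srv[1000]: worker 2031 exited on signal 11
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>[\w.-]+)\[\d+\]: worker \d+ exited on signal (?P<sig>\d+)"
)
FAULT_SIGNALS = {"11", "7", "4"}  # SIGSEGV, SIGBUS, SIGILL: typical of corrupted stacks


def detect_crash_oracle(lines, window_s=60, threshold=20):
    """Return one (service, first_ts, last_ts, count) tuple per service whose
    workers hit `threshold` fault crashes within any `window_s`-second window.
    Byte-by-byte stack reading needs many such crash/respawn cycles."""
    recent = {}          # service -> deque of crash timestamps inside the window
    alerts, alerted = [], set()
    for line in lines:
        m = CRASH_RE.match(line)
        if not m or m.group("sig") not in FAULT_SIGNALS:
            continue
        ts, svc = datetime.fromisoformat(m.group("ts")), m.group("svc")
        q = recent.setdefault(svc, deque())
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):   # slide the window
            q.popleft()
        if len(q) >= threshold and svc not in alerted:
            alerted.add(svc)
            alerts.append((svc, q[0].isoformat(), ts.isoformat(), len(q)))
    return alerts


def constructed_log():
    """Constructed sample (not real data): one isolated crash of 'db', then a
    burst of 30 SIGSEGV crashes of 'srv' workers, two per second, each respawned."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = ["2024-01-01T11:59:00 db[500]: worker 510 exited on signal 11"]
    for i in range(30):
        t = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{t} srv[1000]: worker {2000 + i} exited on signal 11")
        lines.append(f"{t} srv[1000]: spawned worker {2001 + i}")
    return lines


if __name__ == "__main__":
    for svc, first, last, n in detect_crash_oracle(constructed_log()):
        print(f"ALERT {svc}: {n} fault crashes with respawn between {first} and {last}")
```

The single `db` crash stays below the threshold and produces no alert, while the `srv` burst is flagged as soon as the 20th crash lands inside the window.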