Advanced ROP Framework: Pushing ROP to Its Limits

Presented at DEF CON 31 (2023), Aug. 13, 2023, 11 a.m. (45 minutes).

This research provides innovative contributions to return-oriented programming (ROP), not seen before. We introduce ROP ROCKET, a cutting-edge ROP framework, to be released at DEF CON. With ROCKET, when attacking 32-bit applications, we can switch between x86 and x64 at will, by invoking a special ROP Heaven's Gate technique, thereby expanding the attack surface. We will discuss the ramifications of this novel approach. Bypassing DEP via ROP is typically straightforward, using WinAPIs such as VirualProtect and VirtualAlloc. We demonstrate an alternative: using Windows syscalls. In fact, ROCKET provides automatic ROP chain construction to bypass ROP using Windows syscalls. While extremely trendy, Windows syscalls are only very rarely used in ROP. One problem with automatic chain construction is bad chars or bad bytes. We demonstrate how ROCKET allows us to use virtulally any gadget whose address contains bad bytes. With this approach, automatic ROP chain construction is far less likely to fail. Thus, we overcome one of the major obstacles when creating a ROP chain: bad bytes, which reduces the attack surface needlessly. In fact, if one wanted, they could use ROCKET to "obfuscate" any gadget, obscuring what is being done. This presentation will do the seemingly impossible - and surprise even veteran users of ROP. REFERENCES: 1. Brizendine, B., Babcock, A.: A Novel Method for the Automatic Generation of JOP Chain Exploits. In: National Cyber Summit. pp. 77–92 (2021) 2. Min, J.W., Jung, S.M., Lee, D.Y., Chung, T.M.: Jump oriented programming on windows platform (on the x86). Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics). 7335 LNCS, 376–390 (2012). https://doi.org/10.1007/978-3-642-31137-6_29 3. Erdodi, L.: Attacking x86 windows binaries by jump oriented programming. INES 2013 - IEEE 17th Int. Conf. Intell. Eng. Syst. Proc. 333–338 (2013). https://doi.org/10.1109/INES.2013.6632837 4. Brizendine, B., Babcock, A.: Pre-built JOP Chains with the JOP ROCKET: Bypassing DEP without ROP. Black Hat Asia. (2021) 5. One, A.: Smashing the stack for fun and profit. Phrack Mag. 7, 14–16 (1996) 6. Designer, S.: “Return-to-libc” attack., https://seclists.org/bugtraq/1997/Aug/63 7. Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). Proc. ACM Conf. Comput. Commun. Secur. 552–561 (2007). https://doi.org/10.1145/1315245.1315313 8. Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-Oriented Programming : Systems , Languages , and Applications. ACM Trans. Inf. Syst. Secur. 15, 1–36 (2012) 9. Buchanan, E., Roemer, R., Savage, S., Shacham, H.: Return-oriented programming: Exploitation without code injection. Black Hat. 8, (2008) 10. PaX, T.: PaX address space layout randomization (ASLR). http//pax. grsecurity. net/docs/aslr. txt. (2003) 11. Mark E, R., Alex, I., others: Windows Internals, Part 2, (2012) 12. Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM conference on Computer and communications security. pp. 298–307 (2004) 13. Vreugdenhil, P.: Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit. 14. Gawlik, R., Holz, T.: ${$SoK$}$: Make ${$JIT-Spray$}$ Great Again. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18) (2018) 15. Göktas, E., Kollenda, B., Koppe, P., Bosman, E., Portokalidis, G., Holz, T., Bos, H., Giuffrida, C.: Position-independent code reuse: On the effectiveness of aslr in the absence of information disclosure. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P). pp. 227–242 (2018) 16. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. Proc. ACM Conf. Comput. Commun. Secur. 559–572 (2010). https://doi.org/10.1145/1866307.1866370 17. Bletsch, T., Jiang, X., Freeh, V.W.: Jump-oriented programming: a new class of code-reuse attack. Proc. 6th Int. Symp. Information, Comput. Commun. Secur. ASIACCS 2011. (2011) 18. Brizendine, B.: JOP ROCKET repository, https://github.com/Bw3ll/JOP_ROCKET/ 19. Babcock, A.: IcoFX 2.6 - “.ico” Buffer Overflow SEH + DEP Bypass using JOP, https://www.exploit-db.com/exploits/49959 20. Specter: Sony Playstation 4 (PS4) 5.05 - BPF Double Free Kernel Exploit Writeup, https://www.exploit-db.com/exploits/45045 21. Brizendine, B., Babcock, A., Kramer, A.: Move Over, ROP: Towards a Practical Approach to Jump-Oriented Programming. HITBMag. 121–152 (2021) 22. Intel Corporation: Control-flow Enforcement Technology Preview, https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf 23. Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., Holz, T.: Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in C++ applications. In: 2015 IEEE Symposium on Security and Privacy. pp. 745–762 (2015) 24. Brizendine, B. Windows Syscalls in Shellcode: Advanced Techniques for Malicious Functionality. Hack in the Box Amsterdam (2023).

Presenters:

  • Shiva Shashank Kusuma - Master's Student at University of Alabama in Huntsville
    Shiva Shashank Kusuma, a Computer Science Master's student at the University of Alabama in Huntsville, has a deep interest in software engineering and cybersecurity. When not at work, Shiva enjoys reading about Blockchain, Web3, and AI.
  • Bramwell Brizendine - Assistant Professor at University of Alabama in Huntsville   as Bramwell Brizendine, Dr.
    Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations, for which he did his dissertation on Jump-Oriented Programming, a hitherto seldom-studied and poorly understood subset of code-reuse attacks. Bramwell is now an Assistant Professor of Computer Science at the University of Alabama in Huntsville; he previously was an Assistant Professor and the Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab) at Dakota State University, specializing in vulnerability research, software exploitation, and the development of new, cutting-edge tools and techniques with respect to software exploitation and malware analysis. Bramwell has taught numerous undergraduate, graduate and doctoral level courses in software exploitation, reverse engineering, malware analysis and offensive security. Bramwell was a PI on a $300,000 NSA/NCAE research grant, which culminated in the release of a shellcode emulator, SHAREM, in September 2022. Bramwell has been a speaker at many top security conferences, including DEF CON, Hack in the Box Amsterdam, @Hack, Black Hat Middle East, Black Hat Asia, Black Hat Europe, Wild West Hackin’ Fest, and more.

Links:

Similar Presentations: