From: Nan ZoE
Date: Thu, 21 Sep 2023 16:54:01 +0800
Subject: ROP Exploitation in Programs Compiled with -fzero-call-used-regs Parameter
To: gcc@gcc.gnu.org

Hello,

I am using the -fzero-call-used-regs=all parameter in gcc 13.2.0 to compile the isc-dhcp project in order to observe its level of protection against ROP attacks. After completing the compilation, we noticed that almost every "pop" instruction following each function has been replaced with "pxor". This effectively reduces the number of aligned gadgets of the form "pop xxx; ret;". However, we have observed that as long as the program size exceeds approximately 1MB, there are still some unaligned gadgets in x86_64 programs that can be easily exploited by attackers. Here are some examples:

*dhcrelay Program*

We used ropper to search for gadgets in the dhcrelay program and found a gadget at address 0x5e9e65, which is a "pop rdx; ret;" gadget. This gadget is frequently used for setting the third parameter of functions.
As shown in the screenshots from IDA and gdb below, the address 0x5e9e65 is located in the middle of a function, indicating that this gadget is clearly an unaligned gadget.

    .mytext:00000000005E9E5A 48 8D 4A 18       lea     rcx, [rdx+18h]
    .mytext:00000000005E9E5E 48 89 C2          mov     rdx, rax
    .mytext:00000000005E9E61 48 89 CF          mov     rdi, rcx
    .mytext:00000000005E9E64 E8 5A C3 E1 FF    call    sub_4061C3
    .mytext:00000000005E9E69 EB 48             jmp     short loc_5E9EB3
    .mytext:00000000005E9E6B ; ---------------------------------------------------------------------------
    .mytext:00000000005E9E6B
    .mytext:00000000005E9E6B loc_5E9E6B:                             ; CODE XREF: sub_5E9C2F+206↑j
    .mytext:00000000005E9E6B 0F B7 45 D6       movzx   eax, [rbp+var_2A]

    pwndbg> x /10i 0x5e9e65
       0x5e9e65:    pop    rdx
       0x5e9e66:    ret
       0x5e9e67:    loope  0x5e9e68
       0x5e9e69:    jmp    0x5e9eb3
       0x5e9e6b:    movzx  eax,WORD PTR [rbp-0x2a]

*dhcpd and dhclient Programs*

Similarly, for the dhcpd and dhclient programs, we found the "pop rdx; ret;" gadget at addresses 0x40f41b and 0x75f833, respectively. As shown in the gdb screenshots below, both of these gadgets are formed by unaligned assembly instructions.

In addition, in some other programs, there are also many unaligned gadgets that attackers can use for ROP attacks. Even though they might be challenging to utilize, the capabilities contained within these gadgets are beyond imagination. By precisely combining them through gadgets that include logical operations, conditional branching, arithmetic operations, and data manipulation semantics, one can always achieve some unimaginable operations.

    pwndbg> x /10i 0x40f41b
       0x40f41b:    pop    rdx
       0x40f41c:    ret
       0x40f41d:    add    BYTE PTR ds:[rax-0x77],cl
       0x40f421:    (bad)
       0x40f422:    mov    rdi,rax
       0x40f425:    call   0x4749da

    pwndbg> x /10i 0x75f833
       0x75f833:    pop    rdx
       0x75f834:    ret
       0x75f835:    add    DWORD PTR [rax],eax
       0x75f837:    mov    rax,QWORD PTR [rbp-0x18]
       0x75f83b:    leave
       0x75f83c:    fldz
       0x75f83e:    fldz

Sincerely,
ZoE
2023.09.20
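The dhcrelay gadget in the mail above is a good illustration of why -fzero-call-used-regs cannot remove unaligned gadgets: 0x5e9e65 is the second byte of the five-byte "call sub_4061C3" (E8 5A C3 E1 FF), so the bytes 5A C3 ("pop rdx; ret") are simply the low half of the call's rel32 displacement. The C program below is an added example, not part of the original mail, of ropper or of isc-dhcp. It takes the bytes of the IDA listing quoted in the mail as a constructed sample, runs the same kind of boundary-ignoring linear byte scan a gadget finder performs for "pop r64; ret" (it also generalizes to the REX.B-prefixed forms for r8-r15, which the mail does not discuss), decodes the call's displacement to confirm the gadget sits inside it, and flags a hit as unaligned when its address is not an instruction start in the listing. The instruction-start table and the base address are taken from the listing; everything else is assumed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One "pop REG; ret" hit found by the scanner. */
struct gadget {
    uint64_t addr;   /* virtual address of the pop byte (or its 41 REX prefix) */
    int      reg;    /* 0..15: rax,rcx,rdx,rbx,rsp,rbp,rsi,rdi,r8..r15 */
};

static const char *const reg_names[16] = {
    "rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi",
    "r8","r9","r10","r11","r12","r13","r14","r15"
};

/* Linear byte scan for 58+r C3 (pop r64; ret) and 41 58+r C3 (pop r8..r15; ret).
   It deliberately ignores instruction boundaries: that is exactly how unaligned
   gadgets are found, and why register-zeroing epilogues do not remove them. */
size_t find_pop_ret(const uint8_t *buf, size_t len, uint64_t base,
                    struct gadget *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_out; i++) {
        uint8_t b = buf[i];
        if (b >= 0x58 && b <= 0x5F && buf[i + 1] == 0xC3) {
            out[n].addr = base + i;
            out[n].reg  = b - 0x58;
            n++;
        } else if (b == 0x41 && i + 2 < len &&
                   buf[i + 1] >= 0x58 && buf[i + 1] <= 0x5F && buf[i + 2] == 0xC3) {
            out[n].addr = base + i;
            out[n].reg  = 8 + (buf[i + 1] - 0x58);
            n++;
        }
    }
    return n;
}

/* Decode the target of an E8 rel32 call whose opcode byte is at p / address addr. */
uint64_t call_target(const uint8_t *p, uint64_t addr)
{
    int32_t rel = (int32_t)((uint32_t)p[1] | (uint32_t)p[2] << 8 |
                            (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24);
    return addr + 5 + (int64_t)rel;   /* rel32 is relative to the next instruction */
}

/* True if addr is the start of an instruction the compiler actually emitted. */
int is_instruction_start(uint64_t addr, const uint64_t *starts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (starts[i] == addr) return 1;
    return 0;
}

/* Constructed sample: the bytes of the dhcrelay listing quoted in the mail. */
static const uint8_t sample[] = {
    0x48,0x8D,0x4A,0x18,        /* 5E9E5A  lea   rcx,[rdx+18h] */
    0x48,0x89,0xC2,             /* 5E9E5E  mov   rdx,rax */
    0x48,0x89,0xCF,             /* 5E9E61  mov   rdi,rcx */
    0xE8,0x5A,0xC3,0xE1,0xFF,   /* 5E9E64  call  sub_4061C3 (rel32 = FFE1C35A) */
    0xEB,0x48,                  /* 5E9E69  jmp   short loc_5E9EB3 */
    0x0F,0xB7,0x45,0xD6,        /* 5E9E6B  movzx eax,[rbp-2Ah] */
};
static const uint64_t sample_base = 0x5E9E5A;
/* Instruction starts, read off the IDA listing. */
static const uint64_t sample_starts[] = {
    0x5E9E5A, 0x5E9E5E, 0x5E9E61, 0x5E9E64, 0x5E9E69, 0x5E9E6B
};
#define SAMPLE_STARTS (sizeof sample_starts / sizeof sample_starts[0])

int main(void)
{
    struct gadget g[8];
    size_t n = find_pop_ret(sample, sizeof sample, sample_base, g, 8);
    for (size_t i = 0; i < n; i++)
        printf("0x%llx: pop %s; ret  (%s)\n", (unsigned long long)g[i].addr,
               reg_names[g[i].reg],
               is_instruction_start(g[i].addr, sample_starts, SAMPLE_STARTS)
                   ? "aligned" : "unaligned");
    /* The call at 5E9E64 is a legitimate call; its displacement is what carries 5A C3. */
    printf("call at 0x%llx targets 0x%llx\n",
           (unsigned long long)(sample_base + 10),
           (unsigned long long)call_target(sample + 10, sample_base + 10));
    return 0;
}
```

Run against the sample this reports a single hit, "0x5e9e65: pop rdx; ret (unaligned)", and decodes the call target as 0x4061c3, matching the listing. The gadget's existence depends only on the distance between the call site and sub_4061C3, which is why a pass that rewrites function epilogues leaves it untouched; the same reasoning applies to the 0x40f41b and 0x75f833 hits in dhcpd and dhclient.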