* ROP Exploitation in Programs Compiled with -fzero-call-used-regs Parameter
@ 2023-09-21 8:54 Nan ZoE
From: Nan ZoE @ 2023-09-21 8:54 UTC (permalink / raw)
To: gcc
Hello,
I am using the -fzero-call-used-regs=all parameter in gcc 13.2.0 to compile
the isc-dhcp <https://github.com/isc-projects/dhcp> project in order to
observe its level of protection against ROP attacks. After completing the
compilation, we noticed that almost every "pop" instruction following each
function has been replaced with "pxor". This effectively reduces the number
of alignment gadgets in the form of "pop xxx; ret;". However, we have
observed that as long as the program size exceeds approximately 1MB, there
are still some unaligned gadgets in X86_64 programs that can be easily
exploited by attackers. Here are some examples:
*dhcrelay Program*
We used ropper <https://github.com/sashs/Ropper> to search for gadgets in
the dhcrelay program and found a gadget at address 0x5e9e65, which is a
"pop rdx; ret;" gadget. This gadget is frequently used for setting the
third parameter of functions. As shown in the screenshots from IDA and gdb
below, the address 0x5e9e65 is located in the middle of a function,
indicating that this gadget is clearly an unaligned gadget.
.mytext:00000000005E9E5A 48 8D 4A 18 lea rcx, [rdx+18h]
.mytext:00000000005E9E5E 48 89 C2 mov rdx, rax
.mytext:00000000005E9E61 48 89 CF mov rdi, rcx
.mytext:00000000005E9E64 E8 5A C3 E1 FF call sub_4061C3
.mytext:00000000005E9E69 EB 48 jmp short loc_5E9EB3
.mytext:00000000005E9E6B ; ---------------------------------------------------------------------------
.mytext:00000000005E9E6B
.mytext:00000000005E9E6B loc_5E9E6B: ; CODE XREF: sub_5E9C2F+206↑j
.mytext:00000000005E9E6B 0F B7 45 D6 movzx eax, [rbp+var_2A]
pwndbg> x /10i 0x5e9e65
0x5e9e65: pop rdx
0x5e9e66: ret
0x5e9e67: loope 0x5e9e68
0x5e9e69: jmp 0x5e9eb3
0x5e9e6b: movzx eax,WORD PTR [rbp-0x2a]
*dhcpd and dhclient Programs*
Similarly, for the dhcpd and dhclient programs, we found the "pop rdx;
ret;" gadget at addresses 0x40f41b and 0x75f833, respectively. As shown in
the gdb screenshots below, both of these gadgets are formed by unaligned
assembly instructions.
In addition, in some other programs, there are also many unaligned gadgets
that attackers can use for ROP attacks. Even though they might be
challenging to utilize, the capabilities contained within these gadgets are
beyond imagination. By precisely combining them through gadgets that
include logical operations, conditional branching, arithmetic operations,
and data manipulation semantics, one can always achieve some unimaginable
operations.
pwndbg> x /10i 0x40f41b
0x40f41b: pop rdx
0x40f41c: ret
0x40f41d: add BYTE PTR ds:[rax-0x77],cl
0x40f421: (bad)
0x40f422: mov rdi,rax
0x40f425: call 0x4749da
pwndbg> x /10i 0x75f833
0x75f833: pop rdx
0x75f834: ret
0x75f835: add DWORD PTR [rax],eax
0x75f837: mov rax,QWORD PTR [rbp-0x18]
0x75f83b: leave
0x75f83c: fldz
0x75f83e: fldz
Sincerely,
ZoE
2023.09.20
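As an added illustration (not part of the original post or of the isc-dhcp or GCC code), the Python below transcribes the dhcrelay IDA listing from the message and shows why a gadget finder reports "pop rdx; ret" at 0x5e9e65: the bytes 5A C3 are the low two bytes of the call's rel32 displacement, so the gadget starts one byte inside a real instruction, which is exactly the kind of sequence -fzero-call-used-regs cannot remove. The listing is constructed from the post's dump and all function names are mine.

```python
from typing import List, Tuple

# Instruction listing transcribed from the IDA dump in the post (constructed
# input for this demo): (address, encoded bytes).  Bytes are contiguous.
LISTING = [
    (0x5E9E5A, bytes.fromhex("488D4A18")),    # lea   rcx, [rdx+18h]
    (0x5E9E5E, bytes.fromhex("4889C2")),      # mov   rdx, rax
    (0x5E9E61, bytes.fromhex("4889CF")),      # mov   rdi, rcx
    (0x5E9E64, bytes.fromhex("E85AC3E1FF")),  # call  sub_4061C3 (E8 rel32)
    (0x5E9E69, bytes.fromhex("EB48")),        # jmp   short loc_5E9EB3
    (0x5E9E6B, bytes.fromhex("0FB745D6")),    # movzx eax, word [rbp+var_2A]
]

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

def find_pop_ret(code: bytes, base: int) -> List[Tuple[int, str]]:
    """Return (address, register) for every 'pop r64; ret' byte pair.
    Like a gadget finder, this scans every byte offset, so a match may
    begin inside a longer instruction, i.e. be an unaligned gadget."""
    hits = []
    for i in range(len(code) - 1):
        op, nxt = code[i], code[i + 1]
        if 0x58 <= op <= 0x5F and nxt == 0xC3:          # 5x C3: pop r; ret
            hits.append((base + i, REGS64[op - 0x58]))
        elif op == 0x41 and i + 2 < len(code) and 0x58 <= nxt <= 0x5F \
                and code[i + 2] == 0xC3:                # 41 5x C3: pop r8-r15; ret
            hits.append((base + i, "r%d" % (8 + nxt - 0x58)))
    return hits

def classify(listing) -> List[Tuple[int, str, bool]]:
    """Tag each hit as aligned (starts a real instruction) or unaligned."""
    code = b"".join(enc for _, enc in listing)
    starts = {addr for addr, _ in listing}
    return [(a, r, a in starts) for a, r in find_pop_ret(code, listing[0][0])]

def call_target(addr: int, enc: bytes) -> int:
    """Decode an E8 rel32 call; the 5A C3 bytes are its low displacement bytes."""
    assert enc[0] == 0xE8 and len(enc) == 5
    rel = int.from_bytes(enc[1:], "little", signed=True)
    return addr + 5 + rel

if __name__ == "__main__":
    for addr, reg, aligned in classify(LISTING):
        state = "aligned" if aligned else "UNALIGNED"
        print(f"{addr:#x}: pop {reg}; ret  ({state})")
    print(f"call at 0x5e9e64 targets {call_target(0x5E9E64, LISTING[3][1]):#x}")
```

Running it reports the single hit at 0x5e9e65 as unaligned and confirms the call target sub_4061C3, matching the IDA and gdb output in the post; the same scan over a whole .text section gives a quick count of residual pop/ret gadgets after the mitigation.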