Rop'n'roll

April 18, 2015

You may have already read this article 8 months ago, but since we changed a lot the ROP-related syntax, we’re quite sure that you won’t mind reading an updated version

As attackers are moving forwards, so does the defense. Since a couple of years, every decent operating system has non-executable stack, defeating the classic ‘put your shellcode on the stack and execute it’ modus operanti.

This is why attackers are now using (among other things) Return Oriented Programming, also known as ROP, to bypass this protection.

Because radare2 (also) aims to be useful to exploits writers and make their life easier, it can:

  • hunt for gadgets, with a configurable depth
  • filter gadgets
  • do this for multiples archs

    [0x08048320]> /R
    Do you want to print 468.9K chars? (y/N)
    

Well, let’s filter.

[0x08048350]> /R call eax
  0x080483a3   0085c0741155  add byte [ebp + 0x551174c0], al
  0x080483a9           89e5  mov ebp, esp
  0x080483ab         83ec14  sub esp, 0x14
  0x080483ae     6824a00408  push 0x804a024
  0x080483b3           ffd0  call eax

  0x080483a8             55  push ebp
  0x080483a9           89e5  mov ebp, esp
  0x080483ab         83ec14  sub esp, 0x14
  0x080483ae     6824a00408  push 0x804a024
  0x080483b3           ffd0  call eax

  0x080483ac             ec  in al, dx
  0x080483ad           1468  adc al, 0x68
  0x080483af           24a0  and al, 0xa0
  0x080483b1           0408  add al, 8
  0x080483b3           ffd0  call eax

[0x08048350]> 

You can also display them in a linear manner, à la ROPGadget, you just have to use /Rl:

[0x08048350]> /Rl leave
0x080483b3: call eax; add esp, 0x10; leave; ret;
0x080483b6: les edx, [eax]; leave; ret;
0x080483ed: call ecx; add esp, 0x10; leave; ret;
0x080483f0: les edx, [eax]; leave; ret;
0x0804840f: call 0x8048390; mov byte [0x804a024], 1; leave; ret;
0x08048419: or byte [ecx], al; leave; ret;
0x08048440: call edx; add esp, 0x10; leave; jmp 0x80483c0;
0x08048443: les edx, [eax]; leave; jmp 0x80483c0;
0x080484af: call 0x8048320; add esp, 0x10; mov edi, dword [ebp - 4]; leave; ret;
0x080484b3: inc dword [ebx + 0x7d8b10c4]; cld; leave; ret;
0x080484b5: les edx, [eax]; mov edi, dword [ebp - 4]; leave; ret;
0x080484b8: jge 0x80484b6; leave; ret;
0x080484ee: adc byte [eax], bh; mov ecx, dword [ebp - 4]; leave; lea esp, [ecx - 4]; ret;
0x080484ef: mov eax, 0; mov ecx, dword [ebp - 4]; leave; lea esp, [ecx - 4]; ret;
0x080484f2: add byte [eax], al; mov ecx, dword [ebp - 4]; leave; lea esp, [ecx - 4]; ret;
0x080484f5: dec ebp; cld; leave; lea esp, [ecx - 4]; ret;

If you’re searching for a ret-to-reg gadget, you’re only interested into call reg ones; you can do this with regexp, with /R/

[0x08048350]> /R/ call e[abcd]x
  0x080483a3   0085c0741155  add byte [ebp + 0x551174c0], al
  0x080483a9           89e5  mov ebp, esp
  0x080483ab         83ec14  sub esp, 0x14
  0x080483ae     6824a00408  push 0x804a024
  0x080483b3           ffd0  call eax

  0x080483a8             55  push ebp
  0x080483a9           89e5  mov ebp, esp
  0x080483ab         83ec14  sub esp, 0x14
  0x080483ae     6824a00408  push 0x804a024
  0x080483b3           ffd0  call eax

  0x080483ac             ec  in al, dx
  0x080483ad           1468  adc al, 0x68
  0x080483af           24a0  and al, 0xa0
  0x080483b1           0408  add al, 8
  0x080483b3           ffd0  call eax

  0x080483e2           89e5  mov ebp, esp
  0x080483e4         83ec10  sub esp, 0x10
  0x080483e7             50  push eax
  0x080483e8     6824a00408  push 0x804a024
  0x080483ed           ffd1  call ecx

  0x080483e5             ec  in al, dx
  0x080483e6         105068  adc byte [eax + 0x68], dl
  0x080483e9           24a0  and al, 0xa0
  0x080483eb           0408  add al, 8
  0x080483ed           ffd1  call ecx

  0x08048434   0085d274f255  add byte [ebp + 0x55f274d2], al
  0x0804843a           89e5  mov ebp, esp
  0x0804843c         83ec14  sub esp, 0x14
  0x0804843f             50  push eax
  0x08048440           ffd2  call edx

  0x08048436       d274f255  sal byte [edx + esi*8 + 0x55], cl
  0x0804843a           89e5  mov ebp, esp
  0x0804843c         83ec14  sub esp, 0x14
  0x0804843f             50  push eax
  0x08048440           ffd2  call edx

  0x08048438           f255  push ebp
  0x0804843a           89e5  mov ebp, esp
  0x0804843c         83ec14  sub esp, 0x14
  0x0804843f             50  push eax
  0x08048440           ffd2  call edx

  0x08048439             55  push ebp
  0x0804843a           89e5  mov ebp, esp
  0x0804843c         83ec14  sub esp, 0x14
  0x0804843f             50  push eax
  0x08048440           ffd2  call edx

  0x0804843b           e583  in eax, -0x7d
  0x0804843d             ec  in al, dx
  0x0804843e           1450  adc al, 0x50
  0x08048440           ffd2  call edx

Well, we only want the call reg part, we don’t care about the previous operands:

[0x08048350]> /R/ call e[abcd]x~call
  0x080483b3           ffd0  call eax
  0x080483b3           ffd0  call eax
  0x080483b3           ffd0  call eax
  0x080483ed           ffd1  call ecx
  0x080483ed           ffd1  call ecx
  0x08048440           ffd2  call edx
  0x08048440           ffd2  call edx
  0x08048440           ffd2  call edx
  0x08048440           ffd2  call edx
  0x08048440           ffd2  call edx

Ho, by the way, if you want to search for several gadgets, the separator is ;, which also happen to be the one to seperate commands in r2. This is why you need to quote the whole command like this:

[0x08048350]> "/R/ inc *;ret" 
  0x08048413           ffc6  inc esi
  0x08048415     0524a00408  add eax, 0x804a024
  0x0804841a           01c9  add ecx, ecx
  0x0804841c           f3c3  ret

  0x080484b3   ff83c4108b7d  inc dword [ebx + 0x7d8b10c4]
  0x080484b9             fc  cld
  0x080484ba             c9  leave
  0x080484bb             c3  ret

  0x0804867c             41  inc ecx
  0x0804867d             c3  ret

[0x08048350]> 

It’s possible to change the depth of the search, to speed-up the hunt:

[0x08048320]> e search.roplen = 4
[0x08048320]> /R mov ebp,call eax
0x08048386 call eax
  0x0804837a         89e5  mov ebp, esp
  0x0804837c       83ec18  sub esp, 0x18
  0x0804837f c7042420a00408  mov dword [esp], 0x804a020
  0x08048386         ffd0  call eax

0x0804840f call eax
  0x08048403         89e5  mov ebp, esp
  0x08048405       83ec18  sub esp, 0x18
  0x08048408 c70424109f0408  mov dword [esp], 0x8049f10
  0x0804840f         ffd0  call eax

[0x08048320]>

And as always, you can append j to get a JSON output.

The next step might be ROP chain assembling and manipulation, and why not automatic-construction, à la mona.py? Or maybe a semantic search powered by ESIL?

Anyway, contributions are welcome, and if you’re using radare2 to pop somes shells, we’ll be delighted to know about it!