full-disclosure-uk July 2011 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Multipath-ROP: Tools a

Re: [Full-disclosure] Multipath-ROP: Tools available?

From: Dan Rosenberg <dan.j.rosenberg_at_nospam>
Date: Thu Jul 21 2011 - 12:04:18 GMT
To: Stefan Esser <stefan.esser@sektioneins.de>, halfdog <me@halfdog.net>

On Thu, Jul 21, 2011 at 3:37 AM, Stefan Esser
<stefan.esser@sektioneins.de> wrote:
> Hello,
>> Does someone know about this method? If there are no tools available for
>> that, I would like to create one, that uses markov-chains for library
>> analysis and that should support multiple CPU-archs.
> As far as I know there are no tools available for this.
>
> However I submitted a talk to HITB2011KUL about exactly this technique
> applied to iPhone exploitation. So there should be a tool for this in
> October.
> Not only covering exploiting ASLR but also ROP payloads that work
> against different devices (different library load offset by device
> class/firmware version).
>

Stefan - care to comment on how effective this is? It seems like a
good idea, but my first thought is the likelihood of significantly
reducing entropy seems pretty low. Of course, a tool would have far
more exhaustive coverage in finding such gadgets as compared to my
preliminary manual inspection of a few sample binaries, but depending
on the size of the binary, I'd expect you to only find a small handful
of instances of parallel ROP gadgets. And when you only find a few
instances, it doesn't really do any good at all, because unless you
can find parallel instruction sequences for the entire ROP vocabulary
needed for your exploit, you'll still have a dependency on one
particular guessed base.

Even if given the benefit of the doubt and you actually manage to find
two parallel series of instructions sequences that perform your entire
ROP payload, you've only succeeded in reducing entropy by a single
bit, which will give you a statistical advantage over not doing it but
still leave you with an exploit that is unlikely to succeed on one
attempt. If you have many attempts (such as in Apache, I'm assuming),
then it's probably still easier to construct a single ROP payload and
brute force the base instead.

On the other hand, I'd be very interested in looking at an implementation.

Regards,
Dan

> Regards,
> Stefan Esser
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/