
The Design And Implementation Of A ROP Exploit Schema Bypassing Parallel Shadow Stack

Posted on: 2017-03-27
Degree: Master
Type: Thesis
Country: China
Candidate: T Huang
Full Text: PDF
GTID: 2308330485461017
Subject: Software engineering
Abstract/Summary:
With the rapid development of the Internet, modern applications are increasingly likely to be exploited by adversaries. Using the entry point provided by the network, they can usually find a way to execute code of their choice for malicious purposes. Return-Oriented Programming (ROP) is one of the most powerful code-reuse techniques for defeating DEP. In the face of the threat posed by ROP, a series of mitigations have been proposed, such as randomization, runtime behavioral monitoring and control-flow integrity (CFI). CFI is considered the most effective defensive strategy so far, preventing ROP from diverting the original control flow. The parallel shadow stack is a recently proposed and practical implementation of CFI's return-address-protection strategy, providing strong defensive capability and an efficient checking mechanism. At the same time, a large number of ROP exploitation approaches have emerged. Just-in-time ROP (JIT-ROP) launches its attack from the moment it starts its preparation: it uses information leakage to collect critical memory information in a scripting environment and then executes ROP gadgets successfully.

We propose a novel ROP schema that bypasses the parallel shadow stack by constructing fake stacks. By analyzing the defense strategy, we find that there exists an exploitable flaw. On one hand, we construct a fake runtime stack and a fake parallel shadow stack whose contents are under our control and hold the addresses of gadgets; the ROP exploitation can then be performed without any violation of the shadow stack policy. On the other hand, using the mechanism for allocating objects in the heap and the strategy for invoking virtual functions, we can modify a vulnerable object's virtual table pointer and then replace the entry point of the object's destructor with a specially prepared gadget address. In this way, we retain control of the flow after we hijack the original benign one to execute our gadgets.

Moreover, we devise a framework to perform semi-JIT ROP attacks using this exploitation technique. We adjust the original concept by accomplishing the preparation step offline, which effectively improves exploitation performance. Also, instead of pure code reuse, we use a composite form in which the payload consists of ROP gadgets and shellcode. In this way we speed up the exploitation and decrease the likelihood of being detected.

We demonstrate a semi-JIT experiment targeting 32-bit Internet Explorer on Windows 7. Taking advantage of a real-world information leakage vulnerability, we select gadgets from libraries in advance and disclose their virtual addresses in the memory space at runtime. We then leverage these existing code sequences to construct ROP gadgets. Using these gadgets we are able to change memory pages' access permissions and make the page holding the injected shellcode executable. The results show that our exploitation technique is effective and our framework is applicable.
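The parallel shadow stack the abstract refers to checks each return address against a copy kept at a fixed offset from the main stack. As an added illustration (not code from the thesis), the following C model simulates that check: `sim_call` stores the return address in both the main-stack slot and its parallel shadow slot, `sim_ret` compares the two before returning, and an overwrite that reaches only the main-stack slot is reported as a violation. The memory layout, slot counts, function names and sample addresses are all constructed for this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model: one array holds a main stack (slots 0..STACK_SLOTS-1)
 * and, at a constant offset, its parallel shadow region. A real parallel
 * shadow stack places the shadow copy at (stack address + fixed constant);
 * here the "address" is simply a slot index. */
#define STACK_SLOTS   64
#define SHADOW_OFFSET STACK_SLOTS   /* shadow of slot i lives at i + SHADOW_OFFSET */

typedef struct {
    uintptr_t mem[2 * STACK_SLOTS];
    size_t    sp;                   /* index of the next free main-stack slot */
} sim_t;

void sim_init(sim_t *s) {
    memset(s, 0, sizeof *s);
}

/* Instrumented call prologue: push the return address on the main stack and
 * write the same value into the parallel shadow slot. Returns 0 on success,
 * -1 if the simulated stack is full. */
int sim_call(sim_t *s, uintptr_t ret_addr) {
    if (s->sp >= STACK_SLOTS) return -1;
    s->mem[s->sp]                 = ret_addr;
    s->mem[s->sp + SHADOW_OFFSET] = ret_addr;
    s->sp++;
    return 0;
}

/* Instrumented return: pop the main-stack return address and compare it with
 * its shadow copy before using it. Returns the address to return to, or 0 to
 * signal a CFI violation (the real mechanism would abort the process). */
uintptr_t sim_ret(sim_t *s) {
    if (s->sp == 0) return 0;
    s->sp--;
    uintptr_t ret    = s->mem[s->sp];
    uintptr_t shadow = s->mem[s->sp + SHADOW_OFFSET];
    if (ret != shadow) return 0;    /* mismatch: return address was tampered with */
    return ret;
}

/* Model of a stack-buffer overwrite that corrupts only the main-stack slot,
 * which is what a classic linear overflow reaches. */
void sim_corrupt_main(sim_t *s, size_t slot, uintptr_t value) {
    if (slot < STACK_SLOTS) s->mem[slot] = value;
}

/* Scenario 1: benign call/return; the check passes and the original
 * return address (constructed value) comes back. */
int scenario_benign(void) {
    sim_t s;
    sim_init(&s);
    sim_call(&s, 0x401000u);
    return sim_ret(&s) == 0x401000u;
}

/* Scenario 2: the main-stack return address is overwritten but the shadow
 * copy is not, so the return check reports a violation. */
int scenario_overwrite_detected(void) {
    sim_t s;
    sim_init(&s);
    sim_call(&s, 0x401000u);
    sim_corrupt_main(&s, 0, 0xdeadbeefu);   /* constructed attacker value */
    return sim_ret(&s) == 0;
}

int main(void) {
    printf("benign return accepted:   %s\n", scenario_benign() ? "yes" : "no");
    printf("overwrite detected:       %s\n", scenario_overwrite_detected() ? "yes" : "no");
    return 0;
}
```

The model makes the scope of the check explicit: it compares two words whose locations are both derived from the current stack pointer. Its guarantee therefore rests on the stack pointer itself still referring to trusted memory, which is the property the abstract's fake-runtime-stack and fake-shadow-stack construction is aimed at; defenders evaluating this mitigation should weigh it together with protections against stack pivoting and vtable-pointer corruption.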
Keywords/Search Tags: Program Security, JIT-ROP, Parallel Shadow Stack, Vulnerability Exploitation