Where to Start with ROP

Discussion in 'Wii U - Hacking & Backup Loaders' started by gudenau, Dec 12, 2015.

  1. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    I understand the basics of a rop chain, you put stuff in the heap and get the SP to point to your data so functions return to the "wrong" places to create new execution paths. What I would like to know is how one would go about finding the "pop pc" instructions for gadgets and how I would go about finding a stack pivot. I would prefer PPC information, as that is the primary CPU on the Wii U.
     
  2. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    Any help?
     
  3. palantine

    palantine Advanced Member

    Newcomer
    84
    165
    Oct 5, 2014
    Italy
    Sometimes you're able to leak information with the initial exploit which allows you to slowly gain understanding for the contents of the stack frame. (like leaking via prints or return values etc) There are probably exercises online somewhere that might teach you how to do it on your own computer to gain understanding of how to repeat it in a real scenario.

    -palantine
     
  4. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,714
    9,585
    Nov 21, 2005
    United Kingdom
    Worth having a scan through
    http://wiibrew.org/wiki/Assembler_Tutorial

    There are three main approaches to gadgets.
    Some seem to want to replicate an almost full instruction set.
    Some seem to want to do a baseline instruction set, may not technically even be Turing complete but if your only goal is to do something like set an area of memory as executable (presumably for more conventional buffer overflow type attacks) then who cares.
    Some seem to just want to get it done and will take a somewhat abstract approach to get there > mov r1, r4, mov r4, r8 (or I guess it would be mr 4,1, mr 8,4 in rough powerpc equivalent) will get the contents of register 1 into register 8 just as happily as a straight mov r1,r8 or mr 8,1 if we are doing powerpc). The previous example would be an elementary one but if you have a gadget that sticks things in r1 but your next needs them in r8 you can see how things like that get to be useful, even if no sane programmer/compiler attempting to write remotely optimised code would do that in the real world. Aspects of this get blended into the others often enough.

    You do also have the return to library/compiler extras thing -- if the code compiles with (and has privileges for) nice function calls then you might not need to bother constructing things piecemeal but this was more easily mitigated and so it has fallen out of favour ever so slightly. What Nintendo's security team have done in this instance I have no idea, half the time they seem to do pretty functional security and other times they make all the kinds of mistakes of someone that read a book and did not quite get it but tried anyway.

    The basic approach is get a plaintext dump of the executable section of memory and feed it to a disassembler. You then get to consider what alignment you might use -- if you have 32 bit instructions but can execute on a 16 bit alignment for whatever reason then you potentially have a whole new world of stuff available to you. Otherwise you are more limited to the base encoding stuff, any non executable data in the executable memory section (arrays that might be loaded in, assuming you have not got strings or something in there that you might also play with) and anything related to the instructions -- you might have 32 bit instruction sets but some processors/instruction sets allow for 32 bit instruction and followed by a 32 bit payload, if you can jump to the payload and have the processor instead interpret that as an instruction then fantastic.
    Though a nice processor specific gadget finder is useful you can generate this with something basic like objdump (in fact the fewer brains your disassembler has or clever things it tries to do the better), give or take annoyances in the payload sort of things, easily enough. Though basic objdump and getting things to end in a return can make that method annoying, though you can try working backwards and start with seeing all the returns/jumps/branches and what they might do.
    You might also have the option to get a bit more dynamic and rewrite small sections of code (assuming you are not up against encrypted memory or some of the aspects of signing/executable modification detection), though by this point you probably have execution at the level you need so not many delve into this, if however a gadget would be perfect but for an 8 bit change to the instruction then this gets easier than trying to load your full executable from a SD card.

    Afraid I do not know the wii u stack setup well enough (or at all really) to go into details like I might be able to for X86 for the stack pivot side of things. Depending upon the security setup this can be the chicken and the egg problem, especially if you are trying to do all software rather than some fancy hardware. All this said I am not sure I would want to start out on the wii u if you are only getting to grips with things. There are loads of nice worked examples for X86 and probably quite a few for ARM as well.
     
  5. EclipseSin

    EclipseSin FullMental Trollemist

    Member
    1,813
    1,287
    Apr 1, 2015
    United States
    Vegeta's Hyrule
    Thank you Fast. It's nice to see someone posting something to inspire, teach, or instill some knowledge on others.

    Cool to see you're interest gudenaurock. Good luck with your research and learning!
     
  6. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    It's the chicken and egg problem is my main problem here, I didvstate that I understood the basics. :-) Does look like return to libc style attacks are possible.
     
  7. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    Any ideas on how I could locate a buffer when I can not view the memory?
     
  8. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,966
    3,249
    Nov 18, 2012
    United States
    Las Vegas
    Guess and check.
     
  9. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    That could take years. :-/
     
  10. MassExplosion213

    MassExplosion213 .

    Member
    1,432
    960
    Feb 15, 2015
    United States
    Nah. Metasploit has something for that.
     
  11. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    Could you point me to some docs?
     
  12. MassExplosion213

    MassExplosion213 .

    Member
    1,432
    960
    Feb 15, 2015
    United States
    Net-KILLER and deleterrrr like this.
  13. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
  14. MassExplosion213

    MassExplosion213 .

    Member
    1,432
    960
    Feb 15, 2015
    United States
    Good point. However, you should be able to dump memory, allowing you to find a heap and/or buffer.
     
  15. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    I can not. I am on 5.5.0U, hence this entire thing.
     
  16. MassExplosion213

    MassExplosion213 .

    Member
    1,432
    960
    Feb 15, 2015
    United States
    If you have a working entry point, you can.
     
  17. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    That is what I am attempting to make. :-/

    Edit:
    Err, use. I have the entry point, working on an exploit.

    — Posts automatically merged - Please don't double post! —

    That is a clever trick, I am using a MP4 vuln; so I have no JS though.
     
  18. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States
    Comex initial WebKit entry-point allowed leaking memory from a javascript buffer. You can then dump the systems RAM chunk by chunk. Once you have a RAM dump you can search for RPL header magic and extract the system libraries. Once you have the libraries you can use a dissembler. Searching for ROP gadgets is easy. You just do a find all for the specific instruction you are looking for and then narrow it down to functions that return after (i.e. right at the end of the subroutine as opposed to early on). To start execution of our ROP payload we fake an object vtable and spray the heap with it's address. In the case of the Wii U we build a ROP chain to call an OS library function which switches a memory page used for Javascript JIT from X to RW, write our payload, switch back memory permissions to X, then call gadget which pivots execution to our new stack to bypass DEP and start execution on bare-metal.
     
    Last edited by Relys, Dec 20, 2015
    gudenau likes this.
  19. Relys

    Relys Master of Computer Science

    Member
    863
    788
    Jan 5, 2007
    United States
    You do not need the javascript memory leak anymore though. Comex only needed to be able to leak memory from a javascript object to get the initial binary dump. The systems RPLs can be downloaded from NUS or extracted from a WUD and decrypted with the common key. :)
     
    Last edited by Relys, Dec 20, 2015
  20. gudenau
    OP

    gudenau Largely ignored

    Member
    GBAtemp Patron
    gudenau is a Patron of GBAtemp and is helping us stay independent!

    Our Patreon
    3,286
    1,252
    Jul 7, 2010
    United States
    /dev/random
    Ok, so back to the main question: how do I figure out where in memory my buffer gets stored? I am using the stsc bug.