Elvis Collado
This talk is about how an unauthenticated heap-based buffer overflow vulnerability was discovered and exploited within a router distributed by a market-leading ISP. Despite the targeted process utilizing mitigations such as DEP and ASLR, it still fell prey to known exploitation techniques. This talk will go over the thought process, failures, and roadblocks that were encountered and how they were overcome.
Exodus Intelligence
Exploit Dev
⚫ Gadget 1
    ⚫ Grants the ability to call a function with 2 arguments
⚫ Gadget 2
    ⚫ Cheap stack pivot + control of R4-R7
⚫ Gadget 3
    ⚫ Move the value of R7 [IAT table ptr to strtoul()-4] into R0
    ⚫ Control of R3-R7
⚫ Gadget 4
    ⚫ Deref R0+4 into R0. [R0 is now in libc]
    ⚫ Control of R3-R7
⚫ Gadget 5
    ⚫ Add R3 and R0 and store the result in R0
    ⚫ R0 now points to popen()
    ⚫ Control of R4
⚫ Gadget 6
    ⚫ Store the value of R0 into the heap
⚫ Gadget 7 (aka 1 again)
    ⚫ Pick up the stored popen() value and call it.
    ⚫ First arg = cmd to execute
    ⚫ Second arg = "r"
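Gadgets 3 through 5 only work because the chain can read an import-table (IAT/GOT) slot at an address it already knows and then add a fixed offset to reach popen() in libc. Addresses inside a main executable that is not built position-independent stay fixed even when the system has ASLR enabled; whether that was the case for this router's process is not stated in the deck, so treat it as an assumption. The following is an added defensive audit, not code from the talk or from Exodus Intelligence: a Python script that parses ELF program headers directly (no readelf dependency) and reports whether a binary is PIE (ET_DYN), has a non-executable stack (PT_GNU_STACK without PF_X) and carries a RELRO region (PT_GNU_RELRO), which is what a firmware reviewer would check for each network-facing daemon. The `build_sample_elf32` helper fabricates a minimal little-endian ARM ELF image so the check runs offline; the sample is constructed, not taken from any real router.

```python
import struct

# Constants as defined in the ELF specification / glibc elf.h
ET_EXEC, ET_DYN = 2, 3
EM_ARM = 40
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 1:                            # ELF32 header layout
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt = end + "IIIIIIII"                # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        flags_idx = 6
    elif ei_class == 2:                          # ELF64 header layout
        (e_type,) = struct.unpack_from(end + "H", data, 16)
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt = end + "IIQQQQQQ"                # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        flags_idx = 1
    else:
        raise ValueError("unknown ELF class")
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        headers.append((fields[0], fields[flags_idx]))
    return e_type, headers


def check_hardening(data):
    """Summarise the three properties that decide whether a fixed-address IAT/GOT read is possible."""
    e_type, phdrs = parse_program_headers(data)
    types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        # ET_DYN main executables are relocated by the loader, so ASLR actually moves the IAT/GOT.
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK lets some kernels/arches fall back to an executable stack, so treat it as absent.
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
        # With RELRO the loader remaps the GOT read-only after relocation (full RELRO also resolves eagerly).
        "relro": PT_GNU_RELRO in types,
    }


def build_sample_elf32(pie, nx_stack, relro):
    """Constructed minimal ELF32 little-endian ARM image containing only the headers this check needs."""
    phdrs = [(PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | (0 if nx_stack else PF_X), 0x10)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, PF_R, 0x1))
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class=32-bit, data=LE, version=1
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        ET_DYN if pie else ET_EXEC, EM_ARM, 1,   # e_type, e_machine, e_version
        0x8000, 52, 0, 0,                        # e_entry, e_phoff (right after the 52-byte header), e_shoff, e_flags
        52, 32, len(phdrs), 40, 0, 0,            # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    return ehdr + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)


if __name__ == "__main__":
    import sys
    # Audit real binaries from the command line, or fall back to the constructed sample.
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:
        print("constructed non-PIE sample:", check_hardening(build_sample_elf32(False, True, False)))
```

Run it as `python3 elfcheck.py /path/to/extracted/rootfs/usr/sbin/*` over an unpacked firmware image; any network-facing daemon that reports `pie: False` or `relro: False` has import slots at addresses that do not move between boots, which is exactly the precondition the deref-and-add gadgets above depend on.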
⚫ Putting it all together
    ⚫ Spray the heap
    ⚫ Save the SIDs
    ⚫ Do not free() the last SID that was saved (roof)
    ⚫ Free and replace blocks via UNSUBSCRIBE and SOAP. [b64(Fake struct + ROPChain + Command)]
    ⚫ Free 5, re-occupy 5, free them again, next 5.
    ⚫ Watch for multicast traffic and if there's traffic, occupy 25, free 25, ret.
    ⚫ Trigger vulnerability
    ⚫ Win?