Static PIE, How and Why - Metasploit's new POSIX payload: Mettle


Transcript of Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Page 1: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Static PIE, How and Why

Adam Cammack and Brent Cook, Rapid7

Page 2: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

About Us

Page 3: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Adam Cammack

Metasploit, Erlang

Musician

Page 4: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Brent Cook

Programmer: 30 years
Father: 13 years
OpenBSD: 3 years
Metasploit: 2 years

@busterbcook

Page 5: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

The ABCs of Executable File Formats

Page 6: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

A is for a.out

"Assembler output" – 1968, Ken Thompson
The file header is literally PDP-7 machine code

Page 7: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

C is for .COM

DEC -> CP/M -> MS-DOS

Just code + data, no headers

Page 8: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

E is for EXE

MS-DOS to Windows 10, everything in between

Many different things over time
Mostly PE/COFF these days

Page 9: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

M is for Mach-O

NeXTStep, iOS, OS X (aka Mac OS :)

Covers libraries, core dumps, and executables
Multi-architecture

Page 10: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

E is also for ELF

Also used for executables, libraries and core dumps
The standard (almost) file format for Unix systems and clones

Page 11: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

$(CC) -o hello hello.c

Of file formats and dynamic linkers

Page 12: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Stages of compilation and goals of ELF

• Flexible [1]
  • Orthogonal segments and sections
  • Arbitrary sections and data
  • Configurable element widths for standard arrays
  • Each binary explicitly says how it should be loaded and run
• Universal
  • Lots of version fields
  • Lots of machine-dependent fields
  • Big and little endian modes

[1] https://www.linuxjournal.com/node/1060/print

Page 13: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Flavor of ELF: static, dynamic, shared libraries

• Insert Diagrams here

Page 14: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Magic: -fPIC & runtime (re-)linking

• .dynamic section / DYNAMIC segment
  • Everything a linker could want
  • Mostly duplicates info from the section headers
  • Includes helpful info like needed libraries and dynamic object type
• Global offset and procedure linkage tables (GOT/PLT) galore
  • All symbols resolve to the dynamic linker on the first call
  • Lazy lookup

Page 15: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Securing ELF

Page 16: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Address Space Layout Randomization (ASLR)

• Buffer overflows require jumping to known offsets
• ASLR randomizes the executable layout, making offsets _less_ predictable
• Implemented to varying degrees on many operating systems: BSD, Linux, Windows, Solaris
• Catch: it only works with dynamic executables (and shared libraries)

Page 17: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Breaking security without even trying

#include <stdio.h>

int main(void)
{
    /* Print the address printf resolves to in this process. If the value is
       identical across runs, nothing relocated this binary (no ASLR). */
    printf("%p\n", (void *)printf);
    return 0;
}

Page 18: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Breaking security without even trying

bcook@toaster:~$ uname -a
Linux toaster 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

bcook@toaster:~$ gcc hello.c -o hello
bcook@toaster:~$ ./hello
0x400400
bcook@toaster:~$ ./hello
0x400400

Page 19: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Position Independent Executables (PIE)

• We want to solve 2 problems
  • Code can be relocated for security (position independent code)
  • Code can be relocated to avoid conflicts (no MMU)

Page 20: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

This is easy, until...

bcook@toaster:~$ gcc hello.c -o hello -fPIC
bcook@toaster:~$ ./hello
0x7f10c8aca7b0
bcook@toaster:~$ ./hello
0x7f8a8a1cd7b0

bcook@toaster:~$ gcc hello.c -o hello -fPIC -static
bcook@toaster:~$ ./hello
0x40f300
bcook@toaster:~$ ./hello
0x40f300

Page 22: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Binaries for offensive use

Page 23: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Position independent shellcode

• Often unpredictable and uncontrollable injection addresses
• Often can’t rely on specifics of the target system
• Hand written out of necessity
• All jumps and memory operations relative to the instruction pointer or allocated memory

Page 24: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Static Position-dependent Executables

• No dependencies on target libraries
• Straightforward to build
• Requires specific memory addresses to be allocable or clobbered

Page 25: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Static Position-independent Executables

• Would remove the memory address dependency
• Great for embedded/NOMMU
• Simplifies shellcode
• Simplifies payload generation

• Possible??????

Page 26: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Static Position-independent Executables

• Yes!!! Static PIE is implemented in:
  • OpenBSD 5.7 (on by default on x86/x64)
  • musl libc on Linux with a custom toolchain (2012)

Page 27: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Prior Work in Metasploit

Page 28: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Reflective DLL injection & Windows Meterpreter

• From Stephen Fewer: https://github.com/stephenfewer/ReflectiveDLLInjection
• TL;DR: Inject a small loader thread that identifies library functions from kernel32, then use these to further load dependent libraries and the target library image.

Page 29: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Linux Meterpreter custom linker & loader

• From Philip Sanderson
• Uses an embedded copy of Android Bionic plus custom linker scripts and compiler magic to embed shared libraries as zip archives
• Not fully position independent, leading to loading issues
• At runtime, the loader unpacks and links shared libraries in memory to bootstrap the PIE part of the payload

Page 30: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Pedal to the mettle

A new POSIX meterpreter

Page 31: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Utilizing out-of-tree dependencies

• With our powers combined…
  • curl
  • libdnet
  • libev
  • libeio
  • libsigar
  • mbedtls
• Reliable code we don’t have to write
• We need a toolchain that takes arbitrary libraries and spits out payloads

Page 32: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Generating ELF process images

• It’s simple, just do whatever it is the kernel does
• OK, so we just mmap(2) these segments…
• And then do some stack magic
• Reference docs to the rescue [1]

[1] http://c9x.me/compile/bib/abi-x64.pdf

Page 33: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Minimizing setup in shellcode

• read(2) the process image
• Push the stack
• Jump
• …
• Profit?

Page 34: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Minimum Stack Layout

Page 35: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Deep magic: -shared -Bstatic -Bsymbolic

• -shared
  • Generate a useful dynamic section
  • Suppress generation of the PT_INTERP segment
• -Bstatic
  • Pull in all symbols instead of linking against shared objects
  • Make sure all symbols are resolved
• -Bsymbolic
  • Generate self-contained relocations
  • Self-interpreting executable (with a special crt.o)
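A quick way to check what those three flags actually produced, and to tell the static, dynamic and PIE flavours from the earlier ELF slides apart, is to look only at the ELF header and program headers: ET_EXEC vs ET_DYN says whether the image is position dependent, PT_INTERP says a dynamic loader is requested, PT_DYNAMIC says a dynamic section exists. The classifier below is example code added for this transcript, not part of Mettle or its toolchain; build_elf64 constructs header-only images for testing, and real files can be passed on the command line.

```python
import struct
import sys

# ELF constants from the ELF spec (only the subset needed here)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EHDR = "<16sHHIQQQIHHHHHH"  # ELF64 little-endian file header (64 bytes)
PHDR = "<IIQQQQQQ"          # ELF64 program header entry (56 bytes)

def parse_elf64(data):
    """Return (e_type, set of program header types) for an ELF64 LSB image."""
    f = struct.unpack_from(EHDR, data, 0)
    ident, e_type, e_phoff, e_phentsize, e_phnum = f[0], f[1], f[5], f[9], f[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    ptypes = set()
    for i in range(e_phnum):
        ptypes.add(struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)[0])
    return e_type, ptypes

def classify(data):
    """Name the ELF flavour the way the slides do, from headers alone."""
    e_type, ptypes = parse_elf64(data)
    interp, dynamic = PT_INTERP in ptypes, PT_DYNAMIC in ptypes
    if e_type == ET_EXEC:
        # Fixed load address either way (printf at 0x400400 on the slides)
        return "dynamic executable" if interp else "static executable"
    if e_type == ET_DYN and interp:
        return "dynamic PIE"  # kernel maps ld.so, which relocates the image
    if e_type == ET_DYN and dynamic:
        # No PT_INTERP but a dynamic section: a shared library, or a static
        # PIE whose crt.o applies its own relocations. Headers cannot tell.
        return "static PIE or shared object"
    return "unrecognised"

def build_elf64(e_type, ptypes):
    """Constructed header-only test image (not a loadable binary)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, v1
    ehdr = struct.pack(EHDR, ident, e_type, 62, 1, 0x1000, 64, 0, 0,
                       64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR, t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in ptypes)
    return ehdr + phdrs

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. ./hello built with the flags above
        with open(path, "rb") as fh:
            print(path, "->", classify(fh.read()))
```

Run it against the hello binaries from the ASLR slides: the plain and -static builds report an ET_EXEC flavour, while a static PIE shows up as ET_DYN with a dynamic section and no PT_INTERP.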

Page 36: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Flexible multi-architecture support

• Cross-compile ALL THE THINGS
• Lots of embedded developers interested in building cross-compilers
• Liberal use of endian.h

Page 37: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

export QEMU_STRACE=1

• User-mode qemu doesn’t have man pages
• qemu supports strace-like output (see title)
• It can also host a gdb server for all your favorite tools (-g <port>)
• We can also compile for native Linux and OS X targets to use even more tools

Page 38: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

It’s a *NIX system, I know this!

• Portable RAT
• Works on OS X, Linux, Android
• Memory footprint is < 500K
• Supports SOHO routers to large servers with minimal disruption

Page 39: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Future Work

FreeBSD / OpenBSD / Solaris support
Windows
Foothold for other payloads

https://github.com/rapid7/mettle

Page 40: Static PIE, How and Why - Metasploit's new POSIX payload: Mettle

Demo & QA