How to-catch-a-chameleon-steven seeley-ruxcon-2012

  • 1,999 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,999
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
53
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. How to catch a chameleon Steven Seeley steven@immunityinc.com @net__ninja Steven Seeley – Ruxcon 2012
  • 2. C:> whoami /all?● mr_me● Security Researcher @ Immunity Inc● A member of Corelan Security Team ● ruby python developer ● reverse engineering ● exploit developer Steven Seeley – Ruxcon 2012
  • 3. Disclaimer(s)No zerodays were hurt during themaking of this presentationSorry but some windows heapknowledge is assumed Steven Seeley – Ruxcon 2012
  • 4. Agenda● What is heaper ?● Development motivators● Meta data attack techniques● Functional design● Installation● Using heaper● Demo analysing a heap overflow● Limitations● Future work● Conclusion Steven Seeley – Ruxcon 2012
  • 5. But first.An entomologists lesson. Steven Seeley – Ruxcon 2012
  • 6. Definition of a chameleon?Chameleon (n) A small slow-moving Old World lizardwith a prehensile tail, long extensibletongue, protruding eyes that rotateindependently, and a highly developedability to change color Steven Seeley – Ruxcon 2012
  • 7. Definition of a chameleon?Chameleon (n) A small slow-moving Old World lizardwith a prehensile tail, long extensibletongue, protruding eyes that rotateindependently, and a highly developedability to change color Steven Seeley – Ruxcon 2012
  • 8. A chameleons diet Steven Seeley – Ruxcon 2012
  • 9. Similarities Chameleon Heap manager analysisSlow moving Slow evolution of security in heap managers*Protruding, rotating eyes Symptoms of long debugging sessionsAbility to change color Ability to change its state rapidlyrapidlyKills and eats bugs Difficultly leads to disclosure, in hope of other researchers demonstrating exploitation* Some, such as implementations on mobile platforms, example: WebKit Steven Seeley – Ruxcon 2012
  • 10. What is heaper?● A multi platform win32 heap analysis tool● A plug-in for Immunity Debugger● Developed in python using immlib/heaplib● An offensive focused tool: ● Visualize the heap layout ● Determine exploitable conditions using meta-data ● Find application specific heap primitives ● Find application specific function pointers ● Modify heap structures on the fly for simulation Steven Seeley – Ruxcon 2012
  • 11. Development motivators Steven Seeley – Ruxcon 2012
  • 12. Meta data attack techniquesTechnique Platform Difficulty* Reliability* SupportedCoalesce unlink() NT 5.[0/1] 10% 100% YesVirtualAlloc block unlink() NT 5.[0/1] Unknown Unknown NoLookaside head overwrite NT 5.2 50-60% Unknown YesFreelist insert/search/relink NT 5.2 Unknown Unknown YesBitmap flip NT 5.2 50-60% Unknown YesHeap cache desycronisation NT 5.2 90% Unknown NoCritical section unlink() NT 5.2 50% 70% NoFreeEntryOverwrite NT 6.[0/1] 50% 60% YesSegment Offset NT 6.[0/1] 50% 80% YesDepth De-sync NT 6.[0/1] 50% 70% YesUserBlocks Overwrite NT 6.2 90% 40% NoApplication data ANY Unknown Unknown Yesdifficulty/reliability* - estimated based specific testing, will vary largely depending on context Steven Seeley – Ruxcon 2012
  • 13. Functional design ● Object oriented design ● Easily extend-able ● Chunk validation based on allocator ordering & categorization ● General heuristics check per allocator Steven Seeley – Ruxcon 2012
  • 14. Functional designchunk validation:Full unlink() macro validation! Steven Seeley – Ruxcon 2012
  • 15. Functional design chunk validation:● Lets say we have chunk 0x0026fee8 in FreeList[0].● We know relative offsets: ● 0x0026fee8+0x0 is the size ● 0x0026fee8+0x2 is the previous chunks size ● 0x0026fee8+0x4 is the cookie ● 0x0026fee8+0x8 is the Flink/Blink Therefore, we can validate the chunk based on its positioning and by reading memory Steven Seeley – Ruxcon 2012
  • 16. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  • 17. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  • 18. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  • 19. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  • 20. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  • 21. Functional designChunk validation on ListHint[n]:-> Windows 7 LFH (size is encoded)-> Checks ListHint[n] Steven Seeley – Ruxcon 2012
  • 22. Functional designChunk validation on ListHint[n]:-> Windows 7 LFH (size is encoded)-> Checks ListHint[n] Steven Seeley – Ruxcon 2012
  • 23. Functional designChunk validation on ListHint[n]:-> Windows 7 LFH (size is encoded)-> Checks ListHint[n] Steven Seeley – Ruxcon 2012
  • 24. Functional designChunk validation on ListHint[n]:-> Windows 7 LFH (size is encoded)-> Checks ListHint[n] Steven Seeley – Ruxcon 2012
  • 25. Functional designChunk validation on FreeList[0]:-> Windows 2000/XP FreeList[0] Steven Seeley – Ruxcon 2012
  • 26. Functional designChunk validation on FreeList[0]:-> Windows 2000/XP FreeList[0] size, flink, blink pwned! Chunk overwrite! Steven Seeley – Ruxcon 2012
  • 27. Functional designChunk validation on FreeList[n]:-> Windows 2000/XP FreeList[n] Steven Seeley – Ruxcon 2012
  • 28. Functional designChunk validation on FreeList[n]:-> Windows 2000/XP FreeList[n]size, flink, blink pwned! Chunk overwrite! Steven Seeley – Ruxcon 2012
  • 29. Functional designGraphing:We all know that littlegreen men in the debuggercan be hard to understand Steven Seeley – Ruxcon 2012
  • 30. Functional designGraphing:visualiz e the heap Steven Seeley – Ruxcon 2012
  • 31. Functional design Easy to use:● Generates a specific menu basic on windows version in use – no option to analyse the LFH if it doesnt exist● Generates graphs for each bin size separately, generally for exploitation, we target a specific bin size● n-4 byte write simulation on function pointers with the ability to restore the said function pointers● The ability to modify a single BIT in the FreeListInUse struct● update command for easily updating heaper.● config command to configure the output directory of logs and graphs● Everything is logged in a new “heaper” window Steven Seeley – Ruxcon 2012
  • 32. Installation● Prerequisites: ● Immunity Debugger v1.85 and above ● Graphviz v2.28.0 and above -http://www.graphviz.org/ ● Pyparsing - http://sourceforge.net/projects/pyparsing/ ● PyDot - http://code.google.com/p/pydot/1. Install Immunity Debugger :->2. Add c:python27 to your path environment3. Run the Graphviz MSI packaged installer4. Navigate into your pydot and pyparsing directories and execute pythonsetup install4. Copy heaper to the C:Program FilesImmunity IncImmunityDebuggerPyCommands directory Steven Seeley – Ruxcon 2012
  • 33. Using heaperSteven Seeley – Ruxcon 2012
  • 34. Usage and help menuRun !heaper help <cmd> to learnabout the cmd and its options Steven Seeley – Ruxcon 2012
  • 35. Analyzing windows structsDisplay the PEB structure Steven Seeley – Ruxcon 2012
  • 36. Analyzing windows structsDisplay the TEBs for the process (nostruct) – No TEB struct boo Steven Seeley – Ruxcon 2012
  • 37. Analyzing windows structsAnalyze a _heap struct Steven Seeley – Ruxcon 2012
  • 38. Analyzing the FreelistInUse bitmask Steven Seeley – Ruxcon 2012
  • 39. Analyzing the FreelistInUse bitmaskBit flipping Steven Seeley – Ruxcon 2012
  • 40. Analyzing the FreelistInUse bitmaskBit flipping Steven Seeley – Ruxcon 2012
  • 41. Dumping function pointers● Finds function pointers despite if they are writable or not● Depreciated and will be removed in the next major release Steven Seeley – Ruxcon 2012
  • 42. Finding writable pointers Steven Seeley – Ruxcon 2012
  • 43. Finding writable pointers● Similar to the dump function pointers routine but executes the action across the whole module● This can be executed against all modules● As the name states, only writable function pointers to facilitate a write 4 condition● Dont be fooled, it doesnt just dump the IAT● It can find OS specific function pointers making your exploit work despite the existence of application specific function pointers. Steven Seeley – Ruxcon 2012
  • 44. Finding writable pointersUse any of these to transfer code execution Steven Seeley – Ruxcon 2012
  • 45. Analyzing the allocator state NT 5.xLookaside - chunk analysis Steven Seeley – Ruxcon 2012
  • 46. Analyzing the allocator state NT 5.x Lookaside - chunk analysis● Easy to understand layout● Displays the cookie, chunk size, flink● Notification of an overwrite using the first byte in the chunk header (size)● If userdata == flink, possible exploitation Steven Seeley – Ruxcon 2012
  • 47. Analyzing the allocator state NT 5.xLookaside with verbose mode (-v) Steven Seeley – Ruxcon 2012
  • 48. Analyzing the allocator state NT 5.x Lookaside with verbose mode (-v)● Displays the _general_lookaside_list struct● Displays the _slist_header struct● Instantly determine if a list itself has been overwritten● Much like dt _general_lookaside_list <addr> in windbg Steven Seeley – Ruxcon 2012
  • 49. Analyzing the allocator state NT 5.xLookaside - graphing Steven Seeley – Ruxcon 2012
  • 50. Analyzing the allocator state NT 5.x Lookaside - vuln analysis●● Set a (Function pointer-0x8) to equal the new Lookaside chunk address Steven Seeley – Ruxcon 2012
  • 51. Analyzing the allocator state NT 5.xLookaside - vuln analysis Steven Seeley – Ruxcon 2012
  • 52. Analyzing the allocator state NT 5.xFreeList - chunk analysis Steven Seeley – Ruxcon 2012
  • 53. Analyzing the allocator state NT 5.xFreeList with verbose mode (-v) Steven Seeley – Ruxcon 2012
  • 54. Analyzing the allocator state NT 5.xFreeList - graphing Steven Seeley – Ruxcon 2012
  • 55. Analyzing the allocator state NT 5.xFreeList - vuln analysis Steven Seeley – Ruxcon 2012
  • 56. Analyzing the allocator state NT 5.xFreeList - vuln analysis Steven Seeley – Ruxcon 2012
  • 57. Analyzing the allocator state NT 6.xLFH - UserBlocks analysis Steven Seeley – Ruxcon 2012
  • 58. Analyzing the allocator state NT 6.xLFH - UserBlocks analysis Steven Seeley – Ruxcon 2012
  • 59. Analyzing the allocator state NT 6.xLFH - UserBlocksCache analysis0:004> dt _USER_MEMORY_CACHE_ENTRYntdll!_USER_MEMORY_CACHE_ENTRY +0x000 UserBlocks : _SLIST_HEADER +0x008 AvailableBlocks : Uint4B Steven Seeley – Ruxcon 2012
  • 60. Analyzing the allocator state NT 6.xLFH - buckets0:004> dt _heap_bucketntdll!_HEAP_BUCKET +0x000 BlockUnits : Uint2B +0x002 SizeIndex : Uchar +0x003 UseAffinity : Pos 0, 1 Bit +0x003 DebugFlags : Pos 1, 2 Bits Steven Seeley – Ruxcon 2012
  • 61. Analyzing the allocator state NT 6.xLFH - graphing UserBlocks Steven Seeley – Ruxcon 2012
  • 62. Analyzing the allocator state NT 6.xLFH - vuln analysis Steven Seeley – Ruxcon 2012
  • 63. Analyzing the allocator state NT 6.xLFH - vuln analysis Steven Seeley – Ruxcon 2012
  • 64. Analyzing the allocator state NT 6.xLFH - vuln analysis Steven Seeley – Ruxcon 2012
  • 65. Analyzing the allocator state NT 6.xListHint - analysis Steven Seeley – Ruxcon 2012
  • 66. Analyzing the allocator state NT 6.xListHint - analysis Steven Seeley – Ruxcon 2012
  • 67. Analyzing the allocator state NT 6.xFreeList - analysis Steven Seeley – Ruxcon 2012
  • 68. Analyzing the allocator state NT 6.xFreeList - analysis Steven Seeley – Ruxcon 2012
  • 69. Analyzing the allocator state NT 6.xFreeList - graphing Steven Seeley – Ruxcon 2012
  • 70. Analyzing the allocator state NT 6.xFreeList/ListHint - vuln analysis Steven Seeley – Ruxcon 2012
  • 71. Analyzing the allocator state NT 6.xFreeList/ListHint - vuln analysis Steven Seeley – Ruxcon 2012
  • 72. Hooking the heap manager Steven Seeley – Ruxcon 2012
  • 73. Hooking the heap manager Hard hooking● HeapAlloc/HeapFree● Can be extended for other heap functions● Discover primitives Steven Seeley – Ruxcon 2012
  • 74. Hooking the heap managerSoft hookingUse only for testing, not designed to be used with large applications Steven Seeley – Ruxcon 2012
  • 75. Patching Patching - PEB● A binary may be compiled in debug mode● What if we are trying to execute a function pointer that assumes the process is not being debugged ? Steven Seeley – Ruxcon 2012
  • 76. UpdatingUpdate to the latest version with easeThe update function just generates a git hash and compares digests. Thereis no version tracking yet. Steven Seeley – Ruxcon 2012
  • 77. ConfiguringConfigure the home directory on where tostore graphs and logs Steven Seeley – Ruxcon 2012
  • 78. Detecting exploitable conditions Steven Seeley – Ruxcon 2012
  • 79. Detecting exploitable conditions● Detecting exploitable conditions can be very difficult and prone to many false positives.● If you overwrite a specific chunk, then just due to the amount of data you overwrote with, it may/may not be deemed exploitable● Therefore understanding the limitations of each of the conditions is required for accurate analysis. Steven Seeley – Ruxcon 2012
  • 80. Detecting exploitable conditions LFH – FreeEntryOffset Overwrite Steven Seeley – Ruxcon 2012
  • 81. Detecting exploitable conditions LFH – FreeEntryOffset Overwrite Steven Seeley – Ruxcon 2012
  • 82. Detecting exploitable conditions FreeList/ListHint – No technique suggestion*● No techniques for exploitation against the FreeList/ListHint under windows NT 6.x have been disclosed publicly so far. Steven Seeley – Ruxcon 2012
  • 83. Detecting exploitable conditions Lookaside – chunk overwrite Steven Seeley – Ruxcon 2012
  • 84. Detecting exploitable conditions Lookaside – chunk overwrite Steven Seeley – Ruxcon 2012
  • 85. Detecting exploitable conditions FreeList[n] – Bitflip attack Steven Seeley – Ruxcon 2012
  • 86. Detecting exploitable conditions FreeList[n] – Bitflip attack Steven Seeley – Ruxcon 2012
  • 87. Demo - MS12-037 Steven Seeley – Ruxcon 2012
  • 88. Limitations● Does not analyze LFH on XP● Does not analyze LFH on Windows 8● Supports only a limited number of meta-data attacks for now● Does not log analysis findings external to the debugger● Needs a decent heap search function● Need to support other heap implementations Steven Seeley – Ruxcon 2012
  • 89. Future work● Support LFH analysis on Windows 8● Support other heap manager implementations (jemalloc)● Support more meta-data attacks● Perform log analysis● Detect interesting application data on the heap● Add a decent search function● Improve the heuristics engine Steven Seeley – Ruxcon 2012
  • 90. Conclusion● Run-time analysis of the heap to detect meta- data attack conditions is complex● Some form of solver maybe more applicable to this type of analysis :->● Whilst heaper is not turing complete, it will solve many corner cases.● Immunity will continue to be a leader in the development and application of heap exploitation techniques Steven Seeley – Ruxcon 2012
  • 91. Thanks!You know who you are ;-) Steven Seeley – Ruxcon 2012
  • 92. Code design/improvements/patches/ideas are very welcome :> steventhomasseeley@gmail.comFor more information please execute:$ git clone https://github.com/mrmee/heaper.git$ wget -r http://net-ninja.net/ Steven Seeley – Ruxcon 2012
  • 93. MIAMI Steven Seeley – Ruxcon 2012