SlideShare a Scribd company logo
1 of 84
Download to read offline
Post Memory Corruption
     Memory Analysis

                  Jonathan Brossard
               CEO – Toucan System




jonathan@
toucan-system.com
Who am I ?
             (a bit of self promotion ;)


- Security Research Engineer, CEO @ Toucan
  System (French Company).
- Known online as endrazine (irc, twitter...)
- Met some of you on irc.
- Currently lives in Sydney (pentester for CBA).
- Speaker at several conferences :
  Defcon/HITB/HES/Ruxcon/h2hc...
- Organiser of the Hackito Ergo Sum conference
  (Paris).
I don't reverse plain text
Agenda

   A few basics



       Being environment aware



        PMCMA Design



       Extending Pmcma



   •Stack desynchronization
What's pmcma ?


It's a debugger, for Linux (maybe one day *NIX) ptrace() based.

Pmcma allows to find and test exploitation scenarios.

Pmcma's output is a roadmap to exploitation, not exploit code.

Tells you if a given bug triggering an invalid memory access is
   a vulnerability, if it is exploitable with the state of the art,
   and how to exploit it.
What's pmcma ?



     DEMO
Tool available on September 1st 2011 at
          http://www.pmcma.org
A FEW BASICS
How do applications
          crash ?

* Stack corruptions -> stack overflows,
  usually now detected because of SSP |
  studied a LOT
* Signal 6 -> assert(),abort():
  unexpected execution paths (assert()
  in particular), heap corruptions
* Segfault (Signal 11) -> Invalid
  memory access
Invalid memory access



- trying to read a page not readable.
  often not mapped at all.
- trying to write to a page not writable.
  often not mapped at all.
- trying to execute a page not
  executable. often not mapped at all.
Why do they happen ?

Because of any kind of miscomputation, really :

- integer overflows in loop counters or destination registers when
   copying/initializing data, casting errors when extending
   registers or
- uninitialised memory, dangling pointers
- variable misuse
- heap overflows (when inadvertently overwriting a function ptr)
- missing format strings
- overflows in heap, .data, .bss, or any other writable section
   (including shared libraries).
- stack overflows when no stack cookies are present...
Exploiting invalid exec


     Trivial, really. Eg :

           call eax

 with eax fully user controled
Invalid memory reads (1/2)


               Eg :

        CVE-2011-0761 (Perl)

  cmp    BYTE PTR [ebx+0x8],0x9
Invalid memory reads (2/2)


                 Eg :

          CVE-2011-0764 (t1lib)

    fld    QWORD PTR [eax+0x8]
Exploiting invalid memory
           reads ?

- usually plain not exploitable
- won't allow us to modify the memory
   of the mapping directly
- in theory : we could perform a user
   controled read, to trigger a second
   (better) bug.
Invalid memory writes


              Eg :

      CVE-2011-1824 (Opera)

mov   DWORD PTR [ebx+edx*1],eax
How to...


To exploit invalid writes, we need to find
   ways to transform an arbitray write
           into an arbitrary exec.

 The most obvious targets are function
              pointers.
Exploiting invalid memory
     writes : scenario

- Target a known function pointer
  (typically : .dtors, GOT entry...).
Can be prevented at compile time :
  no .dtors, static GOT...
- Target function pointers in the whole
  binary ?
- Overwrite a given location to trigger
  an other bug (eg : stack overflow)
Being environment aware
Problems to take into
           account

- Kernel : ASLR ? NX ?
- Compilation/linking : RELRO
  (partial/full) ? no .dtors section ? SSP ?
  FORTIFY_SOURCE ?

=> Pmcma needs to mesure/detect
 those features
ASLR



Major problem when chosing an
      exploitation strategy.
ASLR : not perfect



- Prelinking (default on Fedora) breaks ASLR
- All kernels don't have the same
  randomization strength.
- Non PIE binaries

=> Truth is : we need better tools to test it !
Testing ASLR


-Run a binary X times (say X=100)
  -Stop execution after loading
-Record mappings.

   => Compare mappings, deduce
          randomization
DEMO : being environment aware
PMCMA DESIGN
GOALS


- We want to test overwriting different
  memory locations inside a process
  and see if they have an influence over
  the flow of execution
- We want to scale to big applications
  (web browsers, network deamons...)
- We want a decent execution time
mk_fork()


               The idea :

-We start analysing after a SEGFAULT
-We make the process fork() (many
  many times)
-Inside each offspring, we overwrite a
  different memory location
mk_fork() : benefits


Mapping looks « just like » it will when
     actually exploiting a binary

 No ASLR/mapping replication problem

     Exhaustive and hopefully fast
How to force a process to
            fork ?

1) Find a +X location mapped in memory.
2) Save registers
3) Use ptrace() to inject fork() shellcode.
4) Modify registers so eip points to shellcode.
5) Execute shellcode.
6) Wait() for both original process and
  offspring.
7) Restore bytes in both processes.
8) Restore registers in both processes.
Forking shellcode



;forking shellcode:
00000000 6631C0       xor eax,eax
00000003 B002         mov al,0x2
00000005 CD80         int 0x80
Offspring 2


mk_fork()                             Executable


                                      Writable


                                      Executable
Original process
                   Offspring 1
                                           …
   Executable
                      Executable

   Writable
                      Writable

   Executable
                      Executable

        …
                           …
mk_fork()

            Offspring 1

            Executable


            Writable


            Executable


                …
mk_fork()


            Offspring 2

            Executable


            Writable


            Executable


                …
mk_fork()

            Offspring n

            Executable


            Writable


            Executable


                …
mk_fork() : PROS


- allows for multiple tests out of a single
  process
- fast, efficient (no recording of memory
  snapshots)
- no need to use breakpoints
- no single stepping
mk_fork() : CONS


- Dealing with offsprings termination ?
  (Zombie processes)
- I/O, IPC, network sockets will be in
  unpredictable state
- Hence syscalls will get wrong too (!!)
Zombie reaping


- Avoid the wait() for a SIGCHILD in the
  parent process.
- Kill processes after a given timeout,
  including all of their children.
Zombie reaping : the
   SIGCHILD problem

If we can have the parent process
 ignore SIGCHILD signals, we won't
          create Zombies.

=> We inject a small shellcode to
   perform this via sigaction()
Zombie reaping : the
       SIGCHILD problem

1) Find a +X location mapped in memory.
2) Save registers
3) Use ptrace() to inject sigaction() shellcode.
4) Modify registers so eip points to shellcode.
5) Execute shellcode.
6) Wait() for the process while executing
  shellcode.
7) Restore bytes in +X location.
8) Restore registers in the process.
Force process grouping :
                shellcode
; Sigaction shellcode: // Zombie reaper
; struct sigaction sa = {.sa_handler = SIG_IGN};
; sigaction(SIGCHLD, &sa, NULL);
_start:
      nop
      nop
      nop
      nop
      call fake
fake:
      pop ecx
      add ecx,0x18    ; delta to sigaction structure

     xor eax,eax
     mov al,0x43  ; sigaction
     mov ebx,0x11 ; SIGCHLD
     xor edx,edx ; 0x00
     int 0x80

     db 0xcc, 0xcc,0xcc,0xcc

; struct sigaction sa = {.sa_handler = SIG_IGN};
      db 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
      db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00,   00,   00,   00
Zombie reaping : killing
the offsprings and their
        children

Fortunatly, this is possible using
     « process grouping »...
Process grouping


setpgid() sets the PGID of the process specified by pid to pgid. If
pid is zero, then the process ID of the calling process is used. If
pgid is zero, then the PGID of the process specified by pid is made the
same as its process ID. If setpgid() is used to move a process from
one process group to another (as is done by some shells when creating
pipelines), both process groups must be part of the same session (see
setsid(2) and credentials(7)). In this case, the pgid specifies an
existing process group to be joined and the session ID of that group
must match the session ID of the joining process.
Zombie reaping : forcing
      process grouping

1) Find a +X location mapped in memory.
2) Save registers
3) Use ptrace() to inject setpgid() shellcode.
4) Modify registers so eip points to shellcode.
5) Execute shellcode.
6) Wait() for the process while executing
  shellcode.
7) Restore bytes in +X location.
8) Restore registers in the process.
Force process grouping...
;
; setpgid(0,0); shellcode
;

_start:
   nop
   nop
   nop
   nop
   mov eax,0x39 ; setpgid
   xor ebx,ebx
   xor ecx,ecx
   int 0x80

  db 0xcc, 0xcc
Zombie reaping :
          final details

From now on, to kill a process and all of
  its children :

           kill (-pid, SIGTERM) ;
IPC, I/O, invalid syscalls


One possibility is to recode correct
 execution on the original process
 (after clearing signals and ignoring
 the SEGFAULT).
Then replay/fake the syscalls on the
 offsprings.

=> Minimal userland « virtualization ».
PMCMA : FEATURES
Exploiting invalid memory
writes via function pointers

We now want to find all the function
pointers called by the application from
  the instruction which triggered the
    SEGFAULT until it actually halts.

(including pointers in shared libraries!!)
Finding all the function
    pointers actually called

1) Parse all the +W memory, look for possible
  pointers to any section
1 bis) optionally disassemble the destination
  and see if it is a proper prologue.
2) use mk_fork() to create many children
3) in each children, overwrite a different possible
  function pointer with a canari value
  (0xf1f2f3f4).
4) Monitor execution of the offsprings
Finding all the function
    pointers actually called



Overwritten pointer leads to execution of
 canari address 0xf1f2f3f4

 <=> We found a called function pointer.
Finding all the function
pointers actually called



         DEMO
So what can we test now ?


 Invalid write anything anywhere :

 attacker has full control over data
written and destination where written

         => GAME OVER
So what can we test now ?


Overflows (in any writtable section but
               the stack) :
 Simply limit the results of pmcma to
              this section.
So what can we test now ?



What if the attacker has little or no
     control over the data being
written (arbitrary write non controled
          data, anywhere) ?
Partial overwrites and
     pointers truncation


If we can't properly overwrite a function
    pointer, maybe we can still truncate
    one (with the data we don't control)
     so that it transfers execution to a
         controled memory zone ?
Exemple :


--[ Function pointers exploitable by truncation with 0x41424344:
At 0xb70ce070 : 0xb70c63c2 will become 0xb70c4142 (lower truncated by 16 bits, dest perms:RW)
At 0xb70e40a4 : 0xb70ca8f2 will become 0xb70c4142 (lower truncated by 16 bits, dest perms:RW)
At 0xb70ec080 : 0xb70e5e02 will become 0xb70e4142 (lower truncated by 16 bits, dest perms:RW)
At 0xb731a030 : 0xb7315da2 will become 0xb7314142 (lower truncated by 16 bits, dest perms:RW)
At 0xb73230a4 : 0xb732003a will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)
At 0xb732803c : 0xb7325a36 will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)
At 0xb76a80d8 : 0xb7325bf0 will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)
One more situation...


Sometimes, an attacker has limited
 control over the destination of the
 write (wether he controls the data
        being written or not).

  Eg : 4b aligned memory writes.
Exploiting 4b aligned
    memory writes

We can't attack a function pointer
directly, unless it is unaligned (rare
  because of compiler internals).

Pmcma will still let you know if this
            happens ;)
Exploiting 4b aligned
memory writes : plan B


Find all « normal » variables we can
 overwrite/truncate, and attempt to
trigger a second bug because of this
              overwrite.
Finding all unaligned
     memory accesses



  Setting the unaligned flag in the
EFLAGS register will trigger a signal 7
   uppon next access of unaligned
        memory (read/write).
Finding all unaligned
  memory accesses



        DEMO
Finding all unaligned
  memory accesses



     DEMO x86_64
Defeating ASLR : Automated
 memory mapping leakage

How does WTFuzz did it at CansecWest
  2010 to win the pwn2own contest
       against IE8/Windows 7 ?

  Overwrite the null terminator of a JS
  string to perform a mem leak uppon
          usage (trailing bytes).
Defeating ASLR with an
      arbitrary write ?

In the original process :
- use ptrace() PTRACE_SYSCALL
- record the calls to sys_write() and
  sys_socketall() (wrapper to sys_send()
  or sys_sendto()...), including : where
  is the data sent ? How many bytes ?
Defeating ASLR with an
      arbitrary write ?


Create many offsprings using mk_fork().
-In each of them : overwrite a different
  location with dummy data.
-Follow execution using PTRACE_SYSCALL
-Monitor differences : a different address or a
  bigger size means a memory leak :)
Extending Pmcma
Means of modifying the
flow of execution without
    function pointers

           Call tables.
     Calling [Offset+register]

 => This is also already performed
   automatically using pmcma.
Pointers and ASLR


If overwritting a given function pointer
   isn't practical because of ASLR : is it
   possible to overwrite a pointer (in an
        other section) to a structure
     containing this function pointer ?
    Would this « other section » be less
               randomised ?
Finding pointers to structures
 containing function pointers
        Executable

       Writable (no
       ASLR)

          Executable


        Writable (high
                         Complex structure
        ASLR)
                         …
          Executable     void* f(a,b,c)


               …
Finding pointers to structures
 containing function pointers

   We'd like to have the debugged process
  create a new section, with a given mapping
                (to ease identify).
  Modify a possible pointer per offspring (use
                    mk_fork()).
  Monitor execution : is the offspring calling a
       function pointer from our custom
                    mapping ?
Forcing a process to create
     a new mapping :

1) Find a +X location mapped in memory.
2) Save registers
3) Use ptrace() to inject mmap() shellcode.
4) Modify registers so eip points to shellcode.
5) Execute shellcode.
6) Wait() for the process while executing
  shellcode.
7) Restore bytes in +X location.
8) Restore registers in the process.
;
; old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, 0, 0) shellcode:
;

_start:
          nop
          nop
          nop
          nop

          xor   eax, eax
          xor   ebx, ebx
          xor   ecx, ecx
          xor   edx, edx
          xor   esi, esi
          xor   edi, edi

          mov bx, 0x1000            ; 1 page
          mov cl, 0x3         ; PROT_READ|PROT_WRITE
          mov dl, 0x21        ; MAP_SHARED|MAP_ANON

          push   eax
          push   eax
          push   edx
          push   ecx
          push   ebx
          push   eax

          mov ebx, esp
          mov al, 0x5a        ; sys_mmap
          int 0x80

          ; eax contains address of new mapping

          db 0xcc, 0xcc, 0xcc, 0xcc
Testing exhaustively
   arbitrary writes


In case all of the above failed...

Can we trigger secondary bugs by
  overwritting specific memory
            locations ?
Testing exhaustively
    arbitrary writes

       Complexity is huge !

  Still doable with Pmcma, with no
guaranty over the time of execution.
Testing exhaustively
       arbitrary reads

In the same veine, attacker controled
  invalid reads can trigger secondary
     bugs, which will be exploitable.

=> We can test the whole 4+ billions
   search space (under x86 Intel
 architecture), or just a few evenly
           chosen ones.
Stack desynchronization


       W^X is a problem.

  Even if we can overwrite fully a
function pointer and modify the flow
 of execution... what do we want to
         execute in 2011 ?
Stack desynchronization


Instead of returning directly to shellcode in
  +W section (hence probably not +X) :

-Return to a function epilogue chosen so that
   esp will be set to user controled data in the
   stack.
- Fake stack frames in the stack itself.
- Use your favorite ROP/ret2plt shellcode
Stack desynchronization :
      Exemple : sudo

- stack is ~1000 big (at analysis time)
- we find a function pointer to
  overwrite (at 0x0806700c)
- we overwrite it with a carefully chosen
  prologue (inc esp by more than 1000)
Stack desynchronization :
       Exemple : sudo

jonathan@blackbox:~$ objdump -Mintel -d
    /usr/bin/sudo
...
 805277a:       81 c4 20 20 00 00   add esp,0x2020
 8052780:        5b             pop ebx
 8052781:        5e             pop esi
 8052782:        5d             pop ebp
 8052783:        c3             ret
Stack desynchronization :
     Exemple : sudo

We can control the destination where
 esp is going to point : simply use an
         environment variable

         TOTO=mydata sudo
Stack desynchronization :
       Exemple : sudo

We then forge fake stack frames in the stack itself

- « Nop sled » : any pointer to 'ret'
Eg :804997b: c3 ret
- Then copy shellcode to .bss byte per byte using
   memcpy via ret2plt
- Use GOT overwrite to get pointer to mprotect() in
   the GOT (ROP)
- call mprotect to make .bss +X via ret2plt
- return to shellcode in .bss
DEMOS
Future Work


- port to more architectures (Linux
  x86_64 on the way, arm...)
- port to more OS (Mac OSX, *BSD)
- port to Windows (hard)
- add tests for other bug classes
Thank you for coming
    Questions ?

More Related Content

What's hot

Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6While42
 
Down to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsDown to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsAndrei Pangin
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]RootedCON
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Shuo Chen
 
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...Charles Nutter
 
Антон Нонко, Классические строки в C++
Антон Нонко, Классические строки в C++Антон Нонко, Классические строки в C++
Антон Нонко, Классические строки в C++Sergey Platonov
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...Area41
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Huntingsanghwan ahn
 
sizeof(Object): how much memory objects take on JVMs and when this may matter
sizeof(Object): how much memory objects take on JVMs and when this may mattersizeof(Object): how much memory objects take on JVMs and when this may matter
sizeof(Object): how much memory objects take on JVMs and when this may matterDawid Weiss
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...tutorialsruby
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoTMark Carney
 
Дмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортДмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортSergey Platonov
 
Kernel-Level Programming: Entering Ring Naught
Kernel-Level Programming: Entering Ring NaughtKernel-Level Programming: Entering Ring Naught
Kernel-Level Programming: Entering Ring NaughtDavid Evans
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developerssluge
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 

What's hot (20)

Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6Bugs from Outer Space | while42 SF #6
Bugs from Outer Space | while42 SF #6
 
Sysprog 11
Sysprog 11Sysprog 11
Sysprog 11
 
Down to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsDown to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap Dumps
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++
 
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
Øredev 2011 - JVM JIT for Dummies (What the JVM Does With Your Bytecode When ...
 
Антон Нонко, Классические строки в C++
Антон Нонко, Классические строки в C++Антон Нонко, Классические строки в C++
Антон Нонко, Классические строки в C++
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
 
sizeof(Object): how much memory objects take on JVMs and when this may matter
sizeof(Object): how much memory objects take on JVMs and when this may mattersizeof(Object): how much memory objects take on JVMs and when this may matter
sizeof(Object): how much memory objects take on JVMs and when this may matter
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
Random thoughts on IoT
Random thoughts on IoTRandom thoughts on IoT
Random thoughts on IoT
 
Дмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортДмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репорт
 
Kernel-Level Programming: Entering Ring Naught
Kernel-Level Programming: Entering Ring NaughtKernel-Level Programming: Entering Ring Naught
Kernel-Level Programming: Entering Ring Naught
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slides
 
Secure coding for developers
Secure coding for developersSecure coding for developers
Secure coding for developers
 
Qemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System EmulationQemu JIT Code Generator and System Emulation
Qemu JIT Code Generator and System Emulation
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
Sysprog 14
Sysprog 14Sysprog 14
Sysprog 14
 

Similar to [Kiwicon 2011] Post Memory Corruption Memory Analysis

NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelVitaly Nikolenko
 
6. processes and threads
6. processes and threads6. processes and threads
6. processes and threadsMarian Marinov
 
Fuzzing: The New Unit Testing
Fuzzing: The New Unit TestingFuzzing: The New Unit Testing
Fuzzing: The New Unit TestingDmitry Vyukov
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum
 
Exploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinarExploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinarMaarten Balliauw
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreKim Phillips
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...tutorialsruby
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...Maarten Balliauw
 
Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Hajime Tazaki
 
DotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETDotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETMaarten Balliauw
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
Let's Talk Locks!
Let's Talk Locks!Let's Talk Locks!
Let's Talk Locks!C4Media
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopQuey-Liang Kao
 
Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2ice799
 

Similar to [Kiwicon 2011] Post Memory Corruption Memory Analysis (20)

NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
Exploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernelExploitation of counter overflows in the Linux kernel
Exploitation of counter overflows in the Linux kernel
 
6. processes and threads
6. processes and threads6. processes and threads
6. processes and threads
 
Fuzzing: The New Unit Testing
Fuzzing: The New Unit TestingFuzzing: The New Unit Testing
Fuzzing: The New Unit Testing
 
Programar para GPUs
Programar para GPUsProgramar para GPUs
Programar para GPUs
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
 
Exploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinarExploring .NET memory management - JetBrains webinar
Exploring .NET memory management - JetBrains webinar
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Austin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectreAustin c-c++-meetup-feb2018-spectre
Austin c-c++-meetup-feb2018-spectre
 
Process management
Process managementProcess management
Process management
 
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-bas...
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
 
Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01
 
DotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETDotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NET
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Let's Talk Locks!
Let's Talk Locks!Let's Talk Locks!
Let's Talk Locks!
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2
 

More from Moabi.com

[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet ExplorerMoabi.com
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against JavaMoabi.com
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #WhitepaperMoabi.com
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...Moabi.com
 
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用Moabi.com
 
Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practicalMoabi.com
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...Moabi.com
 
[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writesMoabi.com
 
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 modeMoabi.com
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...Moabi.com
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords  by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords  by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...Moabi.com
 

More from Moabi.com (13)

[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
 
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
 
Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practical
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes
 
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords  by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords  by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
 

Recently uploaded

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Alexander Turgeon
 

Recently uploaded (20)

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024Valere | Digital Solutions & AI Transformation Portfolio | 2024
Valere | Digital Solutions & AI Transformation Portfolio | 2024
 

[Kiwicon 2011] Post Memory Corruption Memory Analysis

  • 1. Post Memory Corruption Memory Analysis Jonathan Brossard CEO – Toucan System jonathan@ toucan-system.com
  • 2. Who am I ? (a bit of self promotion ;) - Security Research Engineer, CEO @ Toucan System (French Company). - Known online as endrazine (irc, twitter...) - Met some of you on irc. - Currently lives in Sydney (pentester for CBA). - Speaker at several conferences : Defcon/HITB/HES/Ruxcon/h2hc... - Organiser of the Hackito Ergo Sum conference (Paris).
  • 3. I don't reverse plain text
  • 4. Agenda A few basics Being environment aware PMCMA Design Extending Pmcma •Stack desynchronization
  • 5. What's pmcma ? It's a debugger, for Linux (maybe one day *NIX) ptrace() based. Pmcma allows to find and test exploitation scenarios. Pmcma's output is a roadmap to exploitation, not exploit code. Tells you if a given bug triggering an invalid memory access is a vulnerability, if it is exploitable with the state of the art, and how to exploit it.
  • 7. Tool available on September 1st 2011 at http://www.pmcma.org
  • 9. How do applications crash ? * Stack corruptions -> stack overflows, usually now detected because of SSP | studied a LOT * Signal 6 -> assert(),abort(): unexpected execution paths (assert() in particular), heap corruptions * Segfault (Signal 11) -> Invalid memory access
  • 10. Invalid memory access - trying to read a page not readable. often not mapped at all. - trying to write to a page not writable. often not mapped at all. - trying to execute a page not executable. often not mapped at all.
  • 11. Why do they happen ? Because of any kind of miscomputation, really : - integer overflows in loop counters or destination registers when copying/initializing data, casting errors when extending registers or - uninitialised memory, dangling pointers - variable misuse - heap overflows (when inadvertently overwriting a function ptr) - missing format strings - overflows in heap, .data, .bss, or any other writable section (including shared libraries). - stack overflows when no stack cookies are present...
  • 12. Exploiting invalid exec Trivial, really. Eg : call eax with eax fully user controled
  • 13. Invalid memory reads (1/2) Eg : CVE-2011-0761 (Perl) cmp BYTE PTR [ebx+0x8],0x9
  • 14. Invalid memory reads (2/2) Eg : CVE-2011-0764 (t1lib) fld QWORD PTR [eax+0x8]
  • 15. Exploiting invalid memory reads ? - usually plain not exploitable - won't allow us to modify the memory of the mapping directly - in theory : we could perform a user controled read, to trigger a second (better) bug.
  • 16. Invalid memory writes Eg : CVE-2011-1824 (Opera) mov DWORD PTR [ebx+edx*1],eax
  • 17. How to... To exploit invalid writes, we need to find ways to transform an arbitray write into an arbitrary exec. The most obvious targets are function pointers.
  • 18. Exploiting invalid memory writes : scenario - Target a known function pointer (typically : .dtors, GOT entry...). Can be prevented at compile time : no .dtors, static GOT... - Target function pointers in the whole binary ? - Overwrite a given location to trigger an other bug (eg : stack overflow)
  • 20. Problems to take into account - Kernel : ASLR ? NX ? - Compilation/linking : RELRO (partial/full) ? no .dtors section ? SSP ? FORTIFY_SOURCE ? => Pmcma needs to mesure/detect those features
  • 21. ASLR Major problem when chosing an exploitation strategy.
  • 22. ASLR : not perfect - Prelinking (default on Fedora) breaks ASLR - All kernels don't have the same randomization strength. - Non PIE binaries => Truth is : we need better tools to test it !
  • 23. Testing ASLR -Run a binary X times (say X=100) -Stop execution after loading -Record mappings. => Compare mappings, deduce randomization
  • 26. GOALS - We want to test overwriting different memory locations inside a process and see if they have an influence over the flow of execution - We want to scale to big applications (web browsers, network deamons...) - We want a decent execution time
  • 27. mk_fork() The idea : -We start analysing after a SEGFAULT -We make the process fork() (many many times) -Inside each offspring, we overwrite a different memory location
  • 28. mk_fork() : benefits Mapping looks « just like » it will when actually exploiting a binary No ASLR/mapping replication problem Exhaustive and hopefully fast
  • 29. How to force a process to fork ? 1) Find a +X location mapped in memory. 2) Save registers 3) Use ptrace() to inject fork() shellcode. 4) Modify registers so eip points to shellcode. 5) Execute shellcode. 6) Wait() for both original process and offspring. 7) Restore bytes in both processes. 8) Restore registers in both processes.
  • 30. Forking shellcode ;forking shellcode: 00000000 6631C0 xor eax,eax 00000003 B002 mov al,0x2 00000005 CD80 int 0x80
  • 31. Offspring 2 mk_fork() Executable Writable Executable Original process Offspring 1 … Executable Executable Writable Writable Executable Executable … …
  • 32. mk_fork() Offspring 1 Executable Writable Executable …
  • 33. mk_fork() Offspring 2 Executable Writable Executable …
  • 34. mk_fork() Offspring n Executable Writable Executable …
  • 35. mk_fork() : PROS - allows for multiple tests out of a single process - fast, efficient (no recording of memory snapshots) - no need to use breakpoints - no single stepping
  • 36. mk_fork() : CONS - Dealing with offsprings termination ? (Zombie processes) - I/O, IPC, network sockets will be in unpredictable state - Hence syscalls will get wrong too (!!)
  • 37. Zombie reaping - Avoid the wait() for a SIGCHILD in the parent process. - Kill processes after a given timeout, including all of their children.
  • 38. Zombie reaping : the SIGCHILD problem If we can have the parent process ignore SIGCHILD signals, we won't create Zombies. => We inject a small shellcode to perform this via sigaction()
  • 39. Zombie reaping : the SIGCHILD problem 1) Find a +X location mapped in memory. 2) Save registers 3) Use ptrace() to inject sigaction() shellcode. 4) Modify registers so eip points to shellcode. 5) Execute shellcode. 6) Wait() for the process while executing shellcode. 7) Restore bytes in +X location. 8) Restore registers in the process.
  • 40. Force process grouping : shellcode ; Sigaction shellcode: // Zombie reaper ; struct sigaction sa = {.sa_handler = SIG_IGN}; ; sigaction(SIGCHLD, &sa, NULL); _start: nop nop nop nop call fake fake: pop ecx add ecx,0x18 ; delta to sigaction structure xor eax,eax mov al,0x43 ; sigaction mov ebx,0x11 ; SIGCHLD xor edx,edx ; 0x00 int 0x80 db 0xcc, 0xcc,0xcc,0xcc ; struct sigaction sa = {.sa_handler = SIG_IGN}; db 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 db 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
  • 41. Zombie reaping : killing the offsprings and their children Fortunatly, this is possible using « process grouping »...
  • 42. Process grouping setpgid() sets the PGID of the process specified by pid to pgid. If pid is zero, then the process ID of the calling process is used. If pgid is zero, then the PGID of the process specified by pid is made the same as its process ID. If setpgid() is used to move a process from one process group to another (as is done by some shells when creating pipelines), both process groups must be part of the same session (see setsid(2) and credentials(7)). In this case, the pgid specifies an existing process group to be joined and the session ID of that group must match the session ID of the joining process.
  • 43. Zombie reaping : forcing process grouping 1) Find a +X location mapped in memory. 2) Save registers 3) Use ptrace() to inject setpgid() shellcode. 4) Modify registers so eip points to shellcode. 5) Execute shellcode. 6) Wait() for the process while executing shellcode. 7) Restore bytes in +X location. 8) Restore registers in the process.
  • 44. Force process grouping... ; ; setpgid(0,0); shellcode ; _start: nop nop nop nop mov eax,0x39 ; setpgid xor ebx,ebx xor ecx,ecx int 0x80 db 0xcc, 0xcc
  • 45. Zombie reaping : final details From now on, to kill a process and all of its children : kill (-pid, SIGTERM) ;
  • 46. IPC, I/O, invalid syscalls One possibility is to recode correct execution on the original process (after clearing signals and ignoring the SEGFAULT). Then replay/fake the syscalls on the offsprings. => Minimal userland « virtualization ».
  • 48. Exploiting invalid memory writes via function pointers We now want to find all the function pointers called by the application from the instruction which triggered the SEGFAULT until it actually halts. (including pointers in shared libraries!!)
  • 49. Finding all the function pointers actually called 1) Parse all the +W memory, look for possible pointers to any section 1 bis) optionally disassemble the destination and see if it is a proper prologue. 2) use mk_fork() to create many children 3) in each children, overwrite a different possible function pointer with a canari value (0xf1f2f3f4). 4) Monitor execution of the offsprings
  • 50. Finding all the function pointers actually called Overwritten pointer leads to execution of canari address 0xf1f2f3f4 <=> We found a called function pointer.
  • 51. Finding all the function pointers actually called DEMO
  • 52. So what can we test now ? Invalid write anything anywhere : attacker has full control over data written and destination where written => GAME OVER
  • 53. So what can we test now ? Overflows (in any writtable section but the stack) : Simply limit the results of pmcma to this section.
  • 54. So what can we test now ? What if the attacker has little or no control over the data being written (arbitrary write non controled data, anywhere) ?
  • 55. Partial overwrites and pointers truncation If we can't properly overwrite a function pointer, maybe we can still truncate one (with the data we don't control) so that it transfers execution to a controled memory zone ?
  • 56. Exemple : --[ Function pointers exploitable by truncation with 0x41424344: At 0xb70ce070 : 0xb70c63c2 will become 0xb70c4142 (lower truncated by 16 bits, dest perms:RW) At 0xb70e40a4 : 0xb70ca8f2 will become 0xb70c4142 (lower truncated by 16 bits, dest perms:RW) At 0xb70ec080 : 0xb70e5e02 will become 0xb70e4142 (lower truncated by 16 bits, dest perms:RW) At 0xb731a030 : 0xb7315da2 will become 0xb7314142 (lower truncated by 16 bits, dest perms:RW) At 0xb73230a4 : 0xb732003a will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW) At 0xb732803c : 0xb7325a36 will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW) At 0xb76a80d8 : 0xb7325bf0 will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)
  • 57. One more situation... Sometimes, an attacker has limited control over the destination of the write (wether he controls the data being written or not). Eg : 4b aligned memory writes.
  • 58. Exploiting 4b aligned memory writes We can't attack a function pointer directly, unless it is unaligned (rare because of compiler internals). Pmcma will still let you know if this happens ;)
  • 59. Exploiting 4b aligned memory writes : plan B Find all « normal » variables we can overwrite/truncate, and attempt to trigger a second bug because of this overwrite.
  • 60. Finding all unaligned memory accesses Setting the unaligned flag in the EFLAGS register will trigger a signal 7 uppon next access of unaligned memory (read/write).
  • 61. Finding all unaligned memory accesses DEMO
  • 62. Finding all unaligned memory accesses DEMO x86_64
  • 63. Defeating ASLR : Automated memory mapping leakage How does WTFuzz did it at CansecWest 2010 to win the pwn2own contest against IE8/Windows 7 ? Overwrite the null terminator of a JS string to perform a mem leak uppon usage (trailing bytes).
  • 64. Defeating ASLR with an arbitrary write ? In the original process : - use ptrace() PTRACE_SYSCALL - record the calls to sys_write() and sys_socketall() (wrapper to sys_send() or sys_sendto()...), including : where is the data sent ? How many bytes ?
  • 65. Defeating ASLR with an arbitrary write ? Create many offsprings using mk_fork(). -In each of them : overwrite a different location with dummy data. -Follow execution using PTRACE_SYSCALL -Monitor differences : a different address or a bigger size means a memory leak :)
  • 67. Means of modifying the flow of execution without function pointers Call tables. Calling [Offset+register] => This is also already performed automatically using pmcma.
  • 68. Pointers and ASLR If overwritting a given function pointer isn't practical because of ASLR : is it possible to overwrite a pointer (in an other section) to a structure containing this function pointer ? Would this « other section » be less randomised ?
  • 69. Finding pointers to structures containing function pointers Executable Writable (no ASLR) Executable Writable (high Complex structure ASLR) … Executable void* f(a,b,c) …
  • 70. Finding pointers to structures containing function pointers We'd like to have the debugged process create a new section, with a given mapping (to ease identify). Modify a possible pointer per offspring (use mk_fork()). Monitor execution : is the offspring calling a function pointer from our custom mapping ?
  • 71. Forcing a process to create a new mapping : 1) Find a +X location mapped in memory. 2) Save registers 3) Use ptrace() to inject mmap() shellcode. 4) Modify registers so eip points to shellcode. 5) Execute shellcode. 6) Wait() for the process while executing shellcode. 7) Restore bytes in +X location. 8) Restore registers in the process.
  • 72. ; ; old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, 0, 0) shellcode: ; _start: nop nop nop nop xor eax, eax xor ebx, ebx xor ecx, ecx xor edx, edx xor esi, esi xor edi, edi mov bx, 0x1000 ; 1 page mov cl, 0x3 ; PROT_READ|PROT_WRITE mov dl, 0x21 ; MAP_SHARED|MAP_ANON push eax push eax push edx push ecx push ebx push eax mov ebx, esp mov al, 0x5a ; sys_mmap int 0x80 ; eax contains address of new mapping db 0xcc, 0xcc, 0xcc, 0xcc
  • 73. Testing exhaustively arbitrary writes In case all of the above failed... Can we trigger secondary bugs by overwritting specific memory locations ?
  • 74. Testing exhaustively arbitrary writes Complexity is huge ! Still doable with Pmcma, with no guaranty over the time of execution.
  • 75. Testing exhaustively arbitrary reads In the same veine, attacker controled invalid reads can trigger secondary bugs, which will be exploitable. => We can test the whole 4+ billions search space (under x86 Intel architecture), or just a few evenly chosen ones.
  • 76. Stack desynchronization W^X is a problem. Even if we can overwrite fully a function pointer and modify the flow of execution... what do we want to execute in 2011 ?
  • 77. Stack desynchronization Instead of returning directly to shellcode in +W section (hence probably not +X) : -Return to a function epilogue chosen so that esp will be set to user controled data in the stack. - Fake stack frames in the stack itself. - Use your favorite ROP/ret2plt shellcode
  • 78. Stack desynchronization : Exemple : sudo - stack is ~1000 big (at analysis time) - we find a function pointer to overwrite (at 0x0806700c) - we overwrite it with a carefully chosen prologue (inc esp by more than 1000)
  • 79. Stack desynchronization : Exemple : sudo jonathan@blackbox:~$ objdump -Mintel -d /usr/bin/sudo ... 805277a: 81 c4 20 20 00 00 add esp,0x2020 8052780: 5b pop ebx 8052781: 5e pop esi 8052782: 5d pop ebp 8052783: c3 ret
  • 80. Stack desynchronization : Exemple : sudo We can control the destination where esp is going to point : simply use an environment variable TOTO=mydata sudo
  • 81. Stack desynchronization : Exemple : sudo We then forge fake stack frames in the stack itself - « Nop sled » : any pointer to 'ret' Eg :804997b: c3 ret - Then copy shellcode to .bss byte per byte using memcpy via ret2plt - Use GOT overwrite to get pointer to mprotect() in the GOT (ROP) - call mprotect to make .bss +X via ret2plt - return to shellcode in .bss
  • 82. DEMOS
  • 83. Future Work - port to more architectures (Linux x86_64 on the way, arm...) - port to more OS (Mac OSX, *BSD) - port to Windows (hard) - add tests for other bug classes
  • 84. Thank you for coming Questions ?