Hacking Windows IPC


Published on

Published in: Technology
1 Comment
  • I Got The Full File, I Just Wanna Share to You Guyszz.. It's Working You Can The Download The Full File + Instructions Here : http://gg.gg/setupexe
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Hacking Windows IPC

  1. 1. Hacking Windows Internals <ul><ul><li>Cesar Cerrudo </li></ul></ul><ul><ul><li>Argeniss </li></ul></ul>
  2. 2. Hacking Shared Sections <ul><li>Shared Section definition </li></ul><ul><li>Using Shared Sections </li></ul><ul><li>Tools </li></ul><ul><li>Problems </li></ul><ul><li>Searching for holes </li></ul><ul><li>Exploitation </li></ul><ul><li>Microsoft vulnerabilities </li></ul><ul><li>Other vendors vulnerabilities </li></ul><ul><li>Solutions </li></ul><ul><li>Conclusions </li></ul><ul><li>References </li></ul>
  3. 3. Shared Section <ul><li>Basically a Shared Section is a portion of memory shared by a process, mostly used as an IPC (Inter Process Communication) mechanism. </li></ul><ul><ul><li>Shared Memory. </li></ul></ul><ul><ul><li>File Mapping. </li></ul></ul><ul><ul><li>Named or Unnamed. </li></ul></ul>
  4. 4. Using Shared Sections <ul><li>Loading binary images by OS. </li></ul><ul><ul><li>Process creation. </li></ul></ul><ul><ul><li>Dll loading. </li></ul></ul><ul><li>Mapping kernel mode memory into user address space !?. </li></ul><ul><ul><li>Used to avoid kernel transitions. </li></ul></ul><ul><li>Sharing data between processes. </li></ul><ul><ul><li>GDI and GUI data, pointers !?, counters, any data. </li></ul></ul>
  5. 5. Using Shared Sections <ul><li>Creating a shared section </li></ul><ul><li>HANDLE CreateFileMapping ( </li></ul><ul><li>HANDLE hFile, // handle to file ( file mapping ) </li></ul><ul><li>//or 0xFFFFFFFF ( shared memory ) </li></ul><ul><li>LPSECURITY_ATTRIBUTES lpAttributes, // security </li></ul><ul><li>DWORD flProtect, // protection </li></ul><ul><li>DWORD dwMaximumSizeHigh, // high-order DWORD of size </li></ul><ul><li>DWORD dwMaximumSizeLow, // low-order DWORD of size </li></ul><ul><li>LPCTSTR lpName // object name ( named ) </li></ul><ul><li> //or NULL ( unnamed ) </li></ul><ul><li>);// returns a shared section handle </li></ul>
  6. 6. Using Shared Sections <ul><li>Opening an existing shared section </li></ul><ul><li>HANDLE OpenFileMapping ( </li></ul><ul><li>DWORD dwDesiredAccess , // access mode ( FILE_MAP_WRITE // FILE_MAP_READ , etc.) </li></ul><ul><li>BOOL bInheritHandle, // inherit flag </li></ul><ul><li>LPCTSTR lpName // shared section name </li></ul><ul><li>);// returns a shared section handle </li></ul>
  7. 7. Using Shared Sections <ul><li>Mapping a shared section </li></ul><ul><li>LPVOID MapViewOfFile ( </li></ul><ul><li>HANDLE hFileMappingObject , // handle to created/opened // shared section </li></ul><ul><li>DWORD dwDesiredAccess , // access mode( FILE_MAP_WRITE // FILE_MAP_READ , etc.) </li></ul><ul><li>DWORD dwFileOffsetHigh, // high-order DWORD of offset </li></ul><ul><li>DWORD dwFileOffsetLow, // low-order DWORD of offset </li></ul><ul><li>SIZE_T dwNumberOfBytesToMap // number of bytes to map </li></ul><ul><li>); // returns a pointer to begining of shared section memory </li></ul>
  8. 8. Using Shared Sections <ul><li>Ntdll.dll Native API </li></ul><ul><ul><li>NtCreateSection() Creates a new section </li></ul></ul><ul><ul><li>NtOpenSection() Opens an existing section </li></ul></ul><ul><ul><li>NtMapViewOfSection() Map a section on memory </li></ul></ul><ul><ul><li>NtUnmapViewOfSection() Unmap a section from memory </li></ul></ul><ul><ul><li>NtQuerySection() Returns section size </li></ul></ul><ul><ul><li>NtExtendSection() Change section size </li></ul></ul>
  9. 9. Using Shared Sections <ul><li>Mapping unnamed Shared Sections. </li></ul><ul><ul><li>Need to know shared section handle on target process. </li></ul></ul><ul><ul><li>Need permissions on target process. </li></ul></ul><ul><ul><li>OpenProcess(PROCESS_DUP_HANDLE,...) </li></ul></ul><ul><ul><li>DuplicateHandle(...) </li></ul></ul><ul><ul><li>MapViewOfFile(...) </li></ul></ul>
  10. 10. Using Shared Sections <ul><li>Demo </li></ul>
  11. 11. Tools <ul><li>Process Explorer </li></ul><ul><ul><li>Shows information about processes (dlls, handles, etc.). </li></ul></ul><ul><li>WinObj </li></ul><ul><ul><li>Shows Object Manager Namespace information (objects info, permissions, etc.) </li></ul></ul><ul><li>ListSS </li></ul><ul><ul><li>Lists Shared Sections names (local and TS sessions). </li></ul></ul><ul><li>DumpSS </li></ul><ul><ul><li>Dumps Shared Section data. </li></ul></ul><ul><li>TestSS </li></ul><ul><ul><li>Overwrites Shared Section data (to detect bugs) </li></ul></ul>
  12. 12. Problems <ul><li>Input validation </li></ul><ul><li>Weak permissions </li></ul><ul><li>Synchronization </li></ul>
  13. 13. Problems <ul><li>Input validation </li></ul><ul><ul><li>Applications don't perform data validation before using the data. </li></ul></ul><ul><ul><ul><li>Applications trust data on shared sections. </li></ul></ul></ul><ul><ul><li>When applications read modified data from shared sections </li></ul></ul><ul><ul><ul><li>They will crash. </li></ul></ul></ul><ul><ul><ul><li>They will perform unexpected actions. </li></ul></ul></ul>
  14. 14. Problems <ul><li>Weak permissions </li></ul><ul><ul><li>Low privileged users can access (read/write/change permissions) shared sections on high privileged processes (services). </li></ul></ul><ul><ul><li>Terminal Services (maybe Citrix) users can access (read/write/change permissions) shared sections on local logged on user processes, services and also on other user sessions. </li></ul></ul>
  15. 15. Problems <ul><li>Synchronization </li></ul><ul><ul><li>Not built-in synchronization. </li></ul></ul><ul><ul><li>Synchronization must be done by processes in order to not corrupt data. </li></ul></ul><ul><ul><li>There isn't a mechanism to force processes to synchronize or to block shared section access. </li></ul></ul><ul><ul><li>Any process (with proper rights) can alter a shared section data while another process is using it. </li></ul></ul>
  16. 16. Problems <ul><li>Synchronization </li></ul><ul><ul><li>Communication between Process A and B </li></ul></ul>Process A Process B Process C Shared Section 2- Write data. 3- Data ready. 4- Replace data. 5- Read data. 1- Send me data.
  17. 17. Searching for holes <ul><li>Look for shared sections using Process Explorer, WinObj or ListSS. </li></ul><ul><li>Attach a process using the shared section to a debugger. </li></ul><ul><li>Run TestSS on shared section. </li></ul><ul><li>Interact with process in order to make it use (read/write) the shared section. </li></ul><ul><li>Look at debugger for crashes :). </li></ul>
  18. 18. Searching for holes <ul><li>Windows HTML Help </li></ul><ul><ul><li>Demo. </li></ul></ul>
  19. 19. Exploitation <ul><li>Elevating privileges. </li></ul><ul><ul><li>Reading data. </li></ul></ul><ul><ul><li>Altering data. </li></ul></ul><ul><ul><li>Shared section exploits. </li></ul></ul><ul><li>Using shared sections on virus/rootkits/etc. </li></ul>
  20. 20. Exploitation <ul><li>Reading data. </li></ul><ul><ul><li>From high privileged processes (services). </li></ul></ul><ul><ul><li>From local logged on user processes, services and other sessions on Terminal Services. </li></ul></ul><ul><ul><li>This leads to unauthorized access to data. </li></ul></ul>
  21. 21. Exploitation <ul><li>Altering data. </li></ul><ul><ul><li>On high privileged processes (services). </li></ul></ul><ul><ul><li>On local logged on user processes, services and other sessions on Terminal Services. </li></ul></ul><ul><ul><li>This leads to arbitrary code execution, unauthorized access, processes or kernel crashing (DOS). </li></ul></ul>
  22. 22. Exploitation <ul><li>Shared section exploits. </li></ul><ul><ul><li>When overwriting shared section data allow us to take control of code execution. </li></ul></ul><ul><ul><li>Some shared sections start addresses are pretty static on same OS and Service Pack. </li></ul></ul><ul><ul><li>Put shellcode on shared section. </li></ul></ul><ul><ul><li>Build exploit to jump to shellcode on shared section at static location. </li></ul></ul>
  23. 23. Exploitation <ul><li>Shared section exploits. </li></ul><ul><ul><li>MS05-012 - COM Structured Storage Vulnerability </li></ul></ul><ul><ul><ul><li>Weak permission on shared section. </li></ul></ul></ul><ul><ul><ul><li>Structures saved on shared section can be overwriten. </li></ul></ul></ul><ul><ul><ul><ul><li>By overwriting these structures is possible to execute arbitrary code. </li></ul></ul></ul></ul><ul><ul><ul><li>POC Exploit Demo. </li></ul></ul></ul>
  24. 24. Exploitation <ul><li>Using shared sections on virus/rootkits/etc. </li></ul><ul><ul><li>Some shared sections are used by many processes (InternatSHData used for Language Settings on W2k) others sections are used by all processes :). </li></ul></ul><ul><ul><li>Write code to shared section and the code will be instantly mapped on processes memory and also on new created processes. </li></ul></ul><ul><ul><ul><li>Use SetThreadContext() or CreateRemoteThread() to start executing code. </li></ul></ul></ul><ul><ul><ul><li>Similar to WriteProcessMemory() - SetThreadContext() technique or DLL Injection. </li></ul></ul></ul>
  25. 25. Exploitation <ul><li>Using shared sections on virus/rootkits/etc. </li></ul><ul><ul><li>Some shared sections have execute access. </li></ul></ul><ul><ul><ul><li>It would be possible to avoid WinXP sp2 NX and third party protections. </li></ul></ul></ul>
  26. 26. Microsoft vulnerabilities <ul><li>Vulnerabilities on next Microsoft products have been reported and are being fixed: </li></ul><ul><ul><li>Internet Explorer vulnerability. </li></ul></ul><ul><ul><li>Office vulnerabilities. </li></ul></ul><ul><ul><li>Windows 2k and Windows XP sp2 Kernel vulnerability. </li></ul></ul><ul><ul><li>IIS 5 vulnerabiliity. </li></ul></ul><ul><ul><li>Windows COM vulnerability. </li></ul></ul>
  27. 27. Other vendors vulnerabilities <ul><li>NOD32 antivirus vulnerability. </li></ul><ul><li>Norton Antivirus (old versions) vulnerability. </li></ul><ul><li>Veritas software vulnerabilities. </li></ul><ul><li>Etc. </li></ul>
  28. 28. Solutions <ul><li>Set proper permissions </li></ul><ul><ul><li>Set only current user (also service account if application running as service) permissions on shared sections unless another user should access them. </li></ul></ul><ul><li>Use some synchronization mechanism </li></ul><ul><ul><li>Remember that when working with shared sections there isn't built in synchronization. </li></ul></ul><ul><li>Validate the data before using it </li></ul><ul><ul><li>Data on shared sections can be easily manipulated. </li></ul></ul>
  29. 29. Conclusions <ul><li>Windows and 3rd. party applications have a bunch of Shared Section related holes. </li></ul><ul><li>These kind of holes will lead to new kind of attacks “SSAtacks” (Shared Section Attacks) ;) </li></ul><ul><li>Microsoft forgot to include a Shared Sections audit on the trustworthy computing initiative :). </li></ul><ul><li>Windows guts seem rotten:). </li></ul>
  30. 30. References <ul><li>MSDN </li></ul><ul><li>Programming Applications for MS Windows - Fourth Edition </li></ul><ul><li>Process Explorer ( www.sysinternals.com ) </li></ul><ul><li>WinObj ( www.sysinternals.com ) </li></ul><ul><li>Rattle - Using Process Infection to Bypass Windows Software Firewalls (PHRACK #62) </li></ul><ul><li>Crazylord - Playing with Windows /dev/(k)mem (PHRACK #59) </li></ul><ul><li>http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx </li></ul>
  31. 31. FIN <ul><li>Questions? </li></ul><ul><li>Thanks. </li></ul><ul><li>Contact: cesar>at<argeniss>dot<com </li></ul><ul><li>Argeniss – Information Security </li></ul><ul><ul><li>Get vulnerability information before anyone! </li></ul></ul><ul><ul><li>http://www.argeniss.com/services.html </li></ul></ul>