Bh dc09

799 views
734 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
799
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
17
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Bh dc09

  1. 1. Let your Mach-O fly Vincenzo Iozzo snagg@sikurezza.org
  2. 2. 03/08/2010 Who am I? • Student at Politecnico di Milano. • Security Consultant at Secure Network srl. • Reverse Engineer at Zynamics GmbH. 2
  3. 3. 03/08/2010 Goal of the talk In-memory execution of arbitrary binaries on a Mac OS X machine. 3
  4. 4. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 4
  5. 5. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 5
  6. 6. 03/08/2010 Mach-O file • Header structure: information on the target architecture and options to interpret the file. • Load commands: symbol table location, registers state. • Segments: define region of the virtual memory, contain sections with code or data. 6
  7. 7. 03/08/2010 Segment and Sections segment section Virtual Virtual address Address 0x1000 0x1d54 Virtual Virtual memory size memory size 0x1000 0x275 File Offset File Offset 0x0 0xd54 File Size 0x1000 7
  8. 8. 03/08/2010 Important segments • __PAGEZERO, if a piece of code accesses NULL it lands here. no protection flags. • __TEXT, holds code and read-only data. RX protection. • __DATA, holds data. RW protection. • __LINKEDIT, holds information for the dynamic linker including symbol and string tables. RW protection. 8
  9. 9. 03/08/2010 Mach-O representation 9
  10. 10. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 10
  11. 11. 03/08/2010 Binary execution • Conducted by the kernel and the dynamic linker. • The kernel, when finishes his part, jumps to the dynamic linker entry point. • The dynamic linker is not randomized. 11
  12. 12. 03/08/2010 Execution steps Kernel Dynamic linker • Maps the dynamic linker • Retrieves base address in the process address of the binary. space. • Resolves symbols. • Parses the header • Resolves library structure and loads all dependencies. segments. • Jumps to the binary entry • Creates a new stack. point. 12
  13. 13. 03/08/2010 Stack • Mach-O file base address. • Command line arguments. • Environment variables. • Execution path. • All padded. 13
  14. 14. 03/08/2010 Stack representation 14
  15. 15. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 15
  16. 16. 03/08/2010 Proposed attack • Userland-exec attack. • Encapsulate a shellcode, aka auto- loader, and a crafted stack in the injected binary. • Execute the auto-loader in the address space of the attacked process. 16
  17. 17. 03/08/2010 WWW • Who: an attacker with a remote code execution in his pocket. • Where: the attack is two-staged. First run a shellcode to receive the binary, then run the auto-loader contained in the binary. • Why: later in this talk. 17
  18. 18. 03/08/2010 What kind of binaries? Any Mach-O file, from ls to Safari 18
  19. 19. 03/08/2010 A nice picture 19
  20. 20. 03/08/2010 Infected binary • We need to find a place to store the auto-loader and the crafted stack. • __PAGEZERO infection technique. • Cavity infector technique. 20
  21. 21. 03/08/2010 __PAGEZERO INFECTION • Change __PAGEZERO protection flags with a custom value. • Store the crafted stack and the auto- loader code at the end of the binary. • Point __PAGEZERO to the crafted stack. • Overwrite the first bytes of the file with the auto-loader address. 21
  22. 22. 03/08/2010 Binary layout 22
  23. 23. 03/08/2010 Auto-loader • Impersonates the kernel. • Un-maps the old binary. • Maps the new one. 23
  24. 24. 03/08/2010 Auto-loader description • Parses the binary. • Reads the virtual addresses of the injected binary segments. • Unloads the attacked binary segments pointed by the virtual addresses. • Loads the injected binary segments. 24
  25. 25. 03/08/2010 Auto-loader description(2) • Maps the crafted stack referenced by __PAGEZERO. • Cleans registers. • Cleans some libSystem variables. • Jumps to dynamic linker entry point. 25
  26. 26. 03/08/2010 We do like pictures, don’t we? Victim’s process address space TEXT DATA LINKEDIT SEGMENT -N TEXT DATA LINKEDIT SEGMENT-N 26
  27. 27. 03/08/2010 libSystem variables • _malloc_def_zone_state • _NXArgv_pointer • _malloc_num_zones • __keymgr_global 27
  28. 28. 03/08/2010 Why are those variables important? • They are used in the initialization of malloc. • Two of them are used for command line arguments parsing. • Not cleaning them will result in a crash. 28
  29. 29. 03/08/2010 Hunts the variables • Mac OS X Leopard has ASLR for libraries. • Those variables are not exported. • Cannot use dlopen()/dlsym() combo. 29
  30. 30. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 30
  31. 31. 03/08/2010 Defeat ASLR • Retrieve libSystem in-memory base address. • Read symbols from the libSystem binary. • Adjust symbols to the new address. 31
  32. 32. 03/08/2010 How ASLR works in Leopard • Only libraries are randomized. • The randomization is performed whenever the system or the libraries are updated. • Library segments addresses are saved in dyld_shared_cache_arch.map. 32
  33. 33. 03/08/2010 Retrieve libSystem address • Parse • Adopt functions dyld_shared_cache exported by the _i386.map and dynamic linker and search for libSystem perform the whole entry. task in-memory. 33
  34. 34. 03/08/2010 Dyld functions • _dyld_image_count() used to retrieve the number of linked libraries of a process. • _dyld_get_image_header() used to retrieve the base address of each library. • _dyld_get_image_name() used to retrieve the name of a given library. 34
  35. 35. 03/08/2010 Find ‘em • Parse dyld load commands. • Retrieve __LINKEDIT address. • Iterate dyld symbol table and search for the functions name in __LINKEDIT. 35
  36. 36. 03/08/2010 Back to libSystem • Non-exported symbols are taken out from the symbol table when loaded. • Open libSystem binary, find the variables in the symbol table. • Adjust variables to the base address of the in-memory __DATA segment. 36
  37. 37. 03/08/2010 Put pieces together • Iterate the header structure of libSystem in-memory and find the __DATA base address. – __DATA base address 0x2000 – Symbol at 0x2054 – In-memory __DATA base address 0x4000 – Symbol in-memory at 0x4054 37
  38. 38. 03/08/2010 Results • Run a binary into an arbitrary machine. • No traces on the hard-disk. • No execve(), the kernel doesn’t know about us. • It works with every binary. • It is possible to write payloads in a high level language. 38
  39. 39. 03/08/2010 Demo description • Run a simple piece of code which acts like a shellcode and retrieve the binary. • Execute the attack with nmap and Safari. • Show network dump. • Show memory layout before and after the attack. 39
  40. 40. 03/08/2010 DEMO 40
  41. 41. 03/08/2010 Future developments • Employ encryption to avoid NIDS detection. • Using cavity infector technique. • Port the code to iPhone to evade code signing protection ( Catch you at BH Europe). 41
  42. 42. 03/08/2010 Thanks, questions? 42

×