Adv. Exploitation in win32                  20 November 2012                  Moscow, RUSSIA                  by Alexey Si...
author.getBackground();• Senior Security Engineer at• Writer at• Co-Founder of• Ideology and co-organizer of
workshop = new Workshop(); • Smashing the stack (classic BoF) • Use-After-Free • Heap Spray • DEP • ASLR • GS/SafeSEH/SEHO...
workshop.getAgenda();1.    BoF2.    HeapSpray3.    DEP/ROP – Exploit_14.    /GS5.    SafeSeh6.    SEHOP7.    vTable …8.   ...
workshop.getExcluded();•   Shellcode dev.•   Metasploit (btw, there was workshop by Rick!)•   Sandboxing•   EMET bypass
environment.getItems();Target ?• IE9• Windows 7Tools ?• Immunity Debugger• mona.py• Notepad(++) / vi http://immunityinc.c...
workshop.loadLab();ie_lib_v2.zip• part_x  – bin     •   Ex1 -> DEP/ASLR_1     •   Ex2 -> GS/DEP/ASLR_1     •   Ex3 -> vTab...
Hey! Ho! Let’s go!
theory.getList();       Bug                     Impact        PayloadBoF in the stack     • RET              • Stack      ...
theory.getList().getMitig()[0];                       Bug                     Impact        Payload              BoF in th...
theory.getList().getMitig()[1];                       Bug                     Impact                Payload              B...
theory.getList().getMitig()[2];                       Bug                     Impact                   Payload            ...
theory.getList().getMitig()[2].agenda;                       Bug                   Impact                   Payload       ...
theory.getBof();char* func(char *input){   Ex1. func():  Stack forchar buff[255];           memcpy(buff,input,strlen(buff)...
theory.Target[‘IE6’].howto();•   Shellcode•   HeapSpray•   Ret/Jmp to Heap•   Profit
theory.getShellcode();• Assembler instructions• Program• Shell 8-)EIP ---------> Asm Code that doing something bad
theory.getHeap();0x0c0c0c0c                                 -   Process Memory                                 -   Modules...
theory.getHeap(‘IE9’);• Array of strings (substring()…)…Header(0x10)   0061 0061 0061 0061 0061 0061 0061 0061   00 00
theory.getAntiHeap();      Task 1:Nozzle       1) part1exercisesex2heap.htm- If block_parts contains asm_parts/NOP_sleds  ...
theory.getAnotherSpray();ActionScript (Flash)ImagesHTML5 …
workshop.getMitigation(‘DEP’);            Question: what pages still E?RW-         ---------------------------------------...
theory.getBypass(‘DEP’);                                retn2libcPush command:    • WinExecDisable DEP by call:    • NtSet...
workshop.getMitigation(‘ASLR’);                         Where is VP?             APP.DLL                     NTDLL.DLL    ...
workshop.getBypass(‘ASLR’)[0];                                   retn2libc   System libs, like kernel32, urlmon, ntdll and...
theory.getROP()[0];R P    •   Find VirtualProtect(VP) address   (static pointer to VP)    •   Find shellcode in memory    ...
theory.getROP()[1];BoF with ROP:                Buff             Blah       RET ROP ROP ROP ROP ROP                       ...
theory.getROP()[2];                               StackPivot•   You do not control stack•   You do not know addresses in s...
workshop.getROP()[3];    Task 3:•    part1exercisesex3exploit.htm    !mona noaslr               ROP_NOP_SLED = 0x414445ab ...
workshop.pause();
workshop.continue();      • GS      • SEHOP      • safeSEH
theory.getMitigation(‘GS’)[0];                                  C                           buff       blah   RET1) Calc v...
theory.getMitigation(‘GS’)[1];                                  C                           buff       blah   RET1) Calc v...
theory.getMitigation(‘GS’)[2];                                  C                           buff       blah   C   RET1) Ca...
theory.getMitigation(‘GS’)[3];                                    C                             buff       blah   C   RET1...
theory.getMitigation(‘GS’)[4];                                            C     !=   C                          buff      ...
theory.getBypass(‘GS’);Bypass:    • Entropy / static cookie    • Rewrite cookie in .data              mov [ecx], edx  CRA...
theory.getSEH();Before BoF:              Buff              blah     C   RET                     Next SEH          SEH     ...
workshop.callSEH();Task:4--------------------------------------------------------------------------------part1exercisesex4...
theory.getMitigation(‘SEHOP’);        Next SEH    SEH    handler1        Next SEH    SEH    handler2        Next SEH    SE...
theory.getBypass(‘SEHOP’);      Bypass:                                                           Also /GS          • vTab...
theory.getMitigation(‘safeSEH’);                                                     SafeSEH table for                    ...
theory.getBypass(‘safeSEH’);Bypass:Task 5:--------------------------------------------------------------------------------...
workshop.loadFull();GS/SEHOP/SafeSEH/DEP/ASLR• part1binEx4.bat• Now nptest2 support ASLR too!• !mona noaslrWe can’t build...
workshop.getBypass(‘ASLR’)[1];  Modules without ASLR         • static base address – call functions from modules with unk...
workshop.exploitVTable();Task 7: part1exercisesex5final.htm•   Exploit Leak!•   Build ROP by leaked nptest2 address•   Mak...
workshop.pause();
workshop.continue();    • Use-After-Free
theory.getUAF()[0];                                                  -   Process Memory                                   ...
theory.getUAF()[1];                              - Some objects                              - Object with pointer        ...
workshop.getUAF();1. part2binuaf.bat2. part2exercisesFig1demo.htm          vulnPlugin2.InitRed(31337,0x31333331);    Taskv...
theory.getLeak()[0];Obj1 , Freed…                                   - Data                                   - PointerObj2...
theory.getLeak()[1]; Obj1 , Freed…                                                                                - DataTa...
workshop.exploitUAF();Task 11: part2exercisesFig2final.htm•   Exploit Leak!•   Build ROP by leaked address•   Make pwning ...
delete workshop;twitter.com/asintsov                   alexey.sintsov@nokia.com                www.defcon-russia.ru       ...
Upcoming SlideShare
Loading in …5
×

Sintsov advanced exploitation in win32

3,336 views

Published on

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,336
On SlideShare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
131
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Sintsov advanced exploitation in win32

  1. 1. Adv. Exploitation in win32 20 November 2012 Moscow, RUSSIA by Alexey Sintsov NOKIA Security, Privacy and Continuity @asintsov
  2. 2. author.getBackground();• Senior Security Engineer at• Writer at• Co-Founder of• Ideology and co-organizer of
  3. 3. workshop = new Workshop(); • Smashing the stack (classic BoF) • Use-After-Free • Heap Spray • DEP • ASLR • GS/SafeSEH/SEHOP => calc.exe
  4. 4. workshop.getAgenda();1. BoF2. HeapSpray3. DEP/ROP – Exploit_14. /GS5. SafeSeh6. SEHOP7. vTable …8. ASLR by leak – Exploit_2 (DEP/ASLR/GS/safeSEH/SEHOP)9. UAF10. Exploit_3 (DEP/ASLR/GS/safeSEH/SEHOP)
  5. 5. workshop.getExcluded();• Shellcode dev.• Metasploit (btw, there was workshop by Rick!)• Sandboxing• EMET bypass
  6. 6. environment.getItems();Target ?• IE9• Windows 7Tools ?• Immunity Debugger• mona.py• Notepad(++) / vi http://immunityinc.com/products-immdbg.shtml http://redmine.corelan.be/projects/mona/repository/raw/trunk/1.8/mona.py
  7. 7. workshop.loadLab();ie_lib_v2.zip• part_x – bin • Ex1 -> DEP/ASLR_1 • Ex2 -> GS/DEP/ASLR_1 • Ex3 -> vTable/ASLR_TRUE • Ex4 -> UAF/FULL Ex0. – Exercises 1) Install nptest2 Ex.1 plugin (part_1/bin/ex1.bat) 2) Open in IE /part1/exercises/ex0/demo.htm) – Bin 3) See sources… – Exploits
  8. 8. Hey! Ho! Let’s go!
  9. 9. theory.getList(); Bug Impact PayloadBoF in the stack • RET • Stack • SEH • HeapBoF in the Heap • Flink • HeapFormat strings • RET • Stack • SEH • HeapMemory • Bad pointer • Heapcorruption/Use afterfree/etc
  10. 10. theory.getList().getMitig()[0]; Bug Impact Payload BoF in the stack • RET • Stack • SEH • Heap BoF in the Heap • Flink • Heap Format strings • RET • Stack • SEH • Heap Memory • Bad pointer • Heap corruption/Use after free/etc• Stack cookies • Save unlinking • Heap cookies
  11. 11. theory.getList().getMitig()[1]; Bug Impact Payload BoF in the stack • RET • Stack • SEH • Heap BoF in the Heap • Flink • Heap Format strings • RET • Stack • SEH • Heap Memory • Bad pointer • Heap corruption/Use after free/etc• Stack cookies • Save unlinking • SEH handler validation • Heap cookies • SEH chain validation
  12. 12. theory.getList().getMitig()[2]; Bug Impact Payload BoF in the stack • RET • Stack • SEH • Heap BoF in the Heap • Flink • Heap Format strings • RET • Stack • SEH • Heap Memory • Bad pointer • Heap corruption/Use after free/etc• Stack cookies • Save unlinking • SEH handler validation • Heap cookies • SEH chain validation • DEP • ASLR
  13. 13. theory.getList().getMitig()[2].agenda; Bug Impact Payload BoF in the stack • RET • Stack • SEH • Heap BoF in the Heap • Flink • Heap Format strings • RET • Stack • SEH • Heap Memory • Bad pointer • Heap corruption/Use after free/etc • Stack cookies • SEH handler validation • SEH chain validation • DEP • ASLR
  14. 14. theory.getBof();char* func(char *input){ Ex1. func(): Stack forchar buff[255]; memcpy(buff,input,strlen(buff)*sizeof(char)); 1) Open in IE /part1/exercises/crash.html return buff; buff blah C RET 2) Wait for alert();} 3) Attach to IE tab (Message) BoF (memcpy): buff blah C RET
  15. 15. theory.Target[‘IE6’].howto();• Shellcode• HeapSpray• Ret/Jmp to Heap• Profit
  16. 16. theory.getShellcode();• Assembler instructions• Program• Shell 8-)EIP ---------> Asm Code that doing something bad
  17. 17. theory.getHeap();0x0c0c0c0c - Process Memory - Modules - Vuln. module. - System modules - Heap pages - Nop slice - Shellcode
  18. 18. theory.getHeap(‘IE9’);• Array of strings (substring()…)…Header(0x10) 0061 0061 0061 0061 0061 0061 0061 0061 00 00
  19. 19. theory.getAntiHeap(); Task 1:Nozzle 1) part1exercisesex2heap.htm- If block_parts contains asm_parts/NOP_sleds then No_Allocation! This HeapSpray doesnt work in IE9 because of ‘bubble’. Change the code and bypass it!Bubble- If next_block_parts eq prev_block_parts then No_Allocation!
  20. 20. theory.getAnotherSpray();ActionScript (Flash)ImagesHTML5 …
  21. 21. workshop.getMitigation(‘DEP’); Question: what pages still E?RW- -------------------------------------------------------------------------------- Add to ex2 (heap.htm) RET to 0x0C0C0C0C…. • Stack – not E • Heap – not E • RET  ???
  22. 22. theory.getBypass(‘DEP’); retn2libcPush command: • WinExecDisable DEP by call: • NtSetinformationProcess • SetProcessDEPPolicy RETNCreate/change access: • VirtualAlloc • VirtualProtect • MapViewOfFile Permanent DEP (IE)Copy payload into thread: ASLR • WriteProcessMemory
  23. 23. workshop.getMitigation(‘ASLR’); Where is VP? APP.DLL NTDLL.DLL APP2.DLL KERNEL32.DLL KERNEL32.DLL APP2.DLL NTDLL.DLL APP.DLL Before reboot After reboot
  24. 24. workshop.getBypass(‘ASLR’)[0]; retn2libc System libs, like kernel32, urlmon, ntdll and etc at unknown address (ASLR) And we can’t use it for retn2libc, because we need to know address of functions, Task 2: like VirtualAlloc. … but, our lib DOES NOT support ASLR! Find static pointer to VirtualProtect
  25. 25. theory.getROP()[0];R P • Find VirtualProtect(VP) address (static pointer to VP) • Find shellcode in memory (HeapSPray) • Prepare params for VP (ROP) • Calllllllllll (ROP) • Give control to shellcode (JMP ESP) All this can be done by Return Oriented Programming
  26. 26. theory.getROP()[1];BoF with ROP: Buff Blah RET ROP ROP ROP ROP ROP «Write at 0x0A0A0A0A value 0x10» CODE CPU STACKPOP EDI 0x7C010102: RETN 0x8C010103MOV EAX, 0x10 0x8C010103: POP EDI 0x0A0A0A0AMOV [EDI], EAX 0x8C010104: RETN 0x8C020104 R 0x8C020105: POP EAX 0xFFFFFFF0 O 0x8C020106: RETN 0x8C030105 P 0x8C030107: NEG EAX 0x8C040106MOV EAX, 0x10 0x8C030108: RETN 0x8C040109: MOV [EDI], EAX 0x8C05010B: RETN
  27. 27. theory.getROP()[2]; StackPivot• You do not control stack• You do not know addresses in stack• Yours ROP is in the Heap• You exploiting SEHIn those cases you should change ESP. It must point on page which is controlled . Useful gadgets: • ADD EBP, xxx / LEAVE / RETN • MOV ESP, xxx / RETN • ADD or SUB ESP, xxx / RETN • XCHG ESP, xxx / RETN • etc
  28. 28. workshop.getROP()[3]; Task 3:• part1exercisesex3exploit.htm !mona noaslr ROP_NOP_SLED = 0x414445ab # RETN• !mona rop –m nptest2 (do not HeapSpray (line in: /part_1/rop/ex1/*.txt) 1. Fix run, results are 44).• HeapSpray with ROP (line shellcode 2. Build stackPivot and 80) by using:• 1. 0x41461605 : # MOV ESP,EBP # POP EBP # RETN Notepad roxXx 2 (for stack pivot)• Build BoF string (call:VirtualProtect/Alloc) 2. 0x414619AF # POP EBP # RETN 8 ROP• Exploit it! ESP=0x0c0c0c0c  ROP_NOP_SLED address 3. Make 4. Get calc.exe! ShellcodeHEAP SPRAY
  29. 29. workshop.pause();
  30. 30. workshop.continue(); • GS • SEHOP • safeSEH
  31. 31. theory.getMitigation(‘GS’)[0]; C buff blah RET1) Calc value C (cookie)
  32. 32. theory.getMitigation(‘GS’)[1]; C buff blah RET1) Calc value C (cookie)2) Save C in the .data
  33. 33. theory.getMitigation(‘GS’)[2]; C buff blah C RET1) Calc value C (cookie)2) Save C in the .data3) Place C before RET
  34. 34. theory.getMitigation(‘GS’)[3]; C buff blah C RET1) Calc value C (cookie)2) Save C in the .data3) Place C before RET4) Strcpy
  35. 35. theory.getMitigation(‘GS’)[4]; C != C buff blah C RET + /GS. 1) Install nptest2 Ex.2 plugin (/part1/bin/ex2.bat)1) Calc value C (cookie) 2) Run exploit…2) Save C in the .data …3) Place C before RET4) Strcpy5) Before RET – check C from stack with C from .data
  36. 36. theory.getBypass(‘GS’);Bypass: • Entropy / static cookie • Rewrite cookie in .data mov [ecx], edx  CRASH • vTable rewrite call [ecx]  CRASH • SEH Rewrite and CRASH
  37. 37. theory.getSEH();Before BoF: Buff blah C RET Next SEH SEH Handler’s code
  38. 38. workshop.callSEH();Task:4--------------------------------------------------------------------------------part1exercisesex4seh.htm Before:Trigger SEH before /GS check… Buff ns seh C RET After: Buff ns seh C RET Re-write SEH!
  39. 39. theory.getMitigation(‘SEHOP’); Next SEH SEH handler1 Next SEH SEH handler2 Next SEH SEH handler3 Next SEH SEH handler4 0xFFFFFFFF SEH ntdll!FinalExceptionHandler
  40. 40. theory.getBypass(‘SEHOP’); Bypass: Also /GS • vTable rewrite bypass call [ecx + x]  CRASH • Leak ntdll/origStack addr and use it in heapSpray/nSEH: 0xFFFFFFFF ntdll!FinalExceptHandlernSEHSEH ROP/Shellcode
  41. 41. theory.getMitigation(‘safeSEH’); SafeSEH table for nptest2: Next SEH SEH1 handler1 SEH1 Next SEH SEH2 handler2 SEH2 Next SEH SEH3 handler3 SEH3 SEH4 Next SEH SEH4 handler4 0xFFFFFFFF SEH ntdll!FinalExceptionHandler
  42. 42. theory.getBypass(‘safeSEH’);Bypass:Task 5:-------------------------------------------------------------------------------- and Also /GS • vTable rewrite SEHOP bypass call vTable Find how to trigger[ecx + x]call ? CRASH • Pointer on module without SafeSEH
  43. 43. workshop.loadFull();GS/SEHOP/SafeSEH/DEP/ASLR• part1binEx4.bat• Now nptest2 support ASLR too!• !mona noaslrWe can’t build ROP, we do not know any address…
  44. 44. workshop.getBypass(‘ASLR’)[1];  Modules without ASLR • static base address – call functions from modules with unknown address Task 6: What about Ex0 ? What can we do? --------------------------------------------------------------------------------  Memory leakage bugz  Rewrites low bytes  Brute force high bytes  Spraying : • javascript Heap Spray • java heap spray • .NET • JIT Spray • e.t.cGood examples: http://www.vupen.com/blog/
  45. 45. workshop.exploitVTable();Task 7: part1exercisesex5final.htm• Exploit Leak!• Build ROP by leaked nptest2 address• Make pwning ESP (stack pivot) ESP -> HeapSpray -> ROP• Make heap executable• Run shellcode!
  46. 46. workshop.pause();
  47. 47. workshop.continue(); • Use-After-Free
  48. 48. theory.getUAF()[0]; - Process Memory - Modules - Object with pointer - System modules - Heap pages CALL 0x0C0C0C0CObject *obj = (Object *)malloc(sizeof(Object));obj->callMethod();free(obj);HeapSpray(0x0c0c0c0c);obj->callMethod();
  49. 49. theory.getUAF()[1]; - Some objects - Object with pointer - Attacker’s blocks1) Free();2) Spray(); SIZE MATTERS
  50. 50. workshop.getUAF();1. part2binuaf.bat2. part2exercisesFig1demo.htm vulnPlugin2.InitRed(31337,0x31333331); Taskvar a = vulnPlugin2.CallRed(); 8: Find UAF -------------------------------------------------------------------------------- alert(a); //a=31337 Task 9: Rewrite object by using InitString(); Full armored: ALSR/DEP/GS/SEH/SEHOP vulnPlugin2.FreeRed(); -------------------------------------------------------------------------------- vulnPlugin2.InitGreen(666,0x31333331); var b = vulnPlugin2.CallRed(); alert(b); //b= ??? Useless ROP
  51. 51. theory.getLeak()[0];Obj1 , Freed… - Data - PointerObj2, same size…Obj2.ReadData() ---- ???
  52. 52. theory.getLeak()[1]; Obj1 , Freed… - DataTask 10: Get leak by using InitOther(); - Pointer-------------------------------------------------------------------------------- Obj2, same size… Obj1.ReadData() ---- ???
  53. 53. workshop.exploitUAF();Task 11: part2exercisesFig2final.htm• Exploit Leak!• Build ROP by leaked address• Make pwning ESP (stack pivot) ESP -> HeapSpray -> ROP• Make heap executable• Run shellcode!
  54. 54. delete workshop;twitter.com/asintsov alexey.sintsov@nokia.com www.defcon-russia.ru www.zeronights.ru

×