owasp lithuania chapter - exploit vs anti-exploit
•Download as PPTX, PDF•
0 likes•309 views
Exploit techniques, mitigation techniques, bypasses, product tests
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to owasp lithuania chapter - exploit vs anti-exploit
Similar to owasp lithuania chapter - exploit vs anti-exploit (20)
Recently uploaded
Recently uploaded (20)
owasp lithuania chapter - exploit vs anti-exploit
- 1. Exploit vs. Anti-Exploit Kestutis Meskonis 2017-06-07
- 2. Slide subject structure • Exploit: - popular exploitation technique • Mitigation: - anti-exploit (mitigation) technique • Bypass: - anti-anti-exploit (anti-mitigation) evasion technique • Test : - test to check mitigation in action or to bypass it a bypass mitigation exploit
- 3. Exploit == DoS or Code Exec?
- 4. Exploit == DoS or Code Exec?
- 5. Web-infection kill chain Gate Web landing Exploit Malware pre-execution Malware on-execution Malware post-execution
- 6. Exploit-kits as a service • Anti-Exploit Fingerprint Block • Exploit Kit Fingerprinting Protection
- 7. TOP Exploit-Kit activity 2017 WINTER • RIG • KaiXin • Neutrino • Terror • Magnitude KaiXin: JAVA, Adobe Flash, SilverLight 2016 FALL • Neutrino • RIG • KaiXin • Sundown • Angler (inactive) • Nuclear (inactive) Neutrino: Adobe Flash CVE-2016-4117 Internet Explorer CVE-2016-0189
- 8. Angler EK 0-day or CVE ? ANGLER EK 2015 july analysis Adobe Flash CVE-2015-5119 CVE-2015-5122 Internet Explorer CVE-2014-6332
- 9. 0-day street pricelist • Hacking Team leak (3 Adobe Flash 0days) • Shadow brokers (Eternalblue)
- 10. Memory management • STACK • HEAP • PROGRAM MEMORY
- 12. Crash control hijack in the stack
- 13. Exploit: RET address overwrite • RET address overwrite MEMORY CORRUPTIONS HEAPSTACK RET OVERWRITE SEH OVERWRITE
- 14. Exploit: RET Overwrite to CodeExec
- 15. Exploit: RET Overwrite to CodeExec
- 16. Exploit: SEH address overwrite • RET address overwrite (saved return pointer) • SEH address overwrite MEMORY HEAPSTACK RET OVERWRITE SEH OVERWRITE
- 17. SEH – structured exception handler
- 18. SEH chain SEH chain concept
- 19. Exploit: SEH address overwrite example
- 20. Exploit: SEH Overwrite to CodeExec
- 21. TOP exploit mitigations (3 kings) SEHOP DEP ASLR
- 22. Mitigation: SEH style mitigations • XOR • SafeSEH (4) • SEHOP (dynamic SafeSEH) (4)
- 24. Bypass: Anti-XOR and Anti-SafeSEH • Overwrite SEH and nSEH • Avoid SafeSEH • Avoid SafeSEH (use RET overwrite instead of SEH overwrite)
- 25. Mitigation: King nr. 1 – SEHOP MEMORY HEAP STACK RET OVERWRITE SEH OVERWRITE ASLRDEP SEHOP
- 26. Mitigation: SEHOP - Structured Exception Handler Overwrite Protection
- 27. Bypass: Anti-SEHOP (limited cases)
- 28. Test: SEH overwrite • Execute shellcode over SEH overwrite (pop-pop-ret) A B C D
- 29. Mitigation: King nr. 2 – DEP
- 30. Mitigation: DEP – Data Execution Prevention MEMORY HEAP STACK RET OVERWRITE SEH OVERWRITE ASLRDEP SEHOP
- 31. Mitigation: DEP
- 32. Mitigation: DEP • Hardware-enforced DEP NX /NXCOMPAT flag • Software-enforced DEP • Dynamic DEP (4) • Stack Exec (2) • DEP turnoff (1) AlwaysON flag – MUST!!!
- 33. Bypass: Anti-DEP API’s • NtSetInformationProcess() • SetProcessDEPPolicy() • VirtualProtect() • VirtualAlloc() • NtProtectVirtualMemory() • WriteProcessMemory() • LoadLibrary() • MapViewOfFile() • WinExec()
- 34. Bypass: Anti-DEP • Return-into-libc attack • Disable DEP for a process • Mark memory area as executable • Allocate new executable area and copy shellcode • DLL load • Code reuse (ROP)
- 35. Tests: generic DEP and DEP bypass • Execute shellcode from PAGE_READWRITE heap memory area • Marks the stack memory executable: PAGE_EXECUTE_READWRITE via VirtualProtect() A B crash C D A B C D
- 38. PE loading...
- 39. Mitigation: ASLR
- 40. Mitigation: ASLR • ASLR (4) /DYNAMICBASE flag • Mandatory ASLR a.k.a UASLR (3) • Bottom-Up ASLR a.k.a Bottom-Up randomization (4)
- 41. Bypass: Anti-ASLR nr. 1 • Avoid ASLR
- 42. Bypass: Anti-ASLR nr. 2 • Avoid ASLR • Partial overwrite (limited cases)
- 43. Bypass: Anti-ASLR nr. 3 • Avoid ASLR • Partial overwrite (limited cases) • Bruteforce (limited cases)
- 44. Bypass: Anti-ASLR nr. 4 • Avoid ASLR • Partial overwrite (limited cases) • Bruteforce (limited cases) • Memory Leak / Info disclosure
- 45. Bypass: Anti-ASLR nr. 4 (2) Memory Leak techniques: • Heap Overflow Info Leak • Use after free (“double free”) • Type confusion • Controlled Read/Write
- 46. Bypass: Anti-ASLR nr. 5 • Avoid ASLR • Partial overwrite (limited cases) • Bruteforce (limited cases) • Memory Leak / Info disclosure • Randomization prediction (very hard or impossible)
- 47. Bypass: Memory leak MEMORY CORRUPTIONS HEAP OVERFLOWSSTACK OVERFLOWS RET OVERWRITE SEH OVERWRITE SEHOPASLRDEP ROP MEMORY LEAK
- 48. Bypass (DEP+ASLR): ROP CHAINS + MEMORY LEAK SEHOP DEP ASLR
- 49. HEAP
- 50. HEAP MEMORY CORRUPTIONS HEAP BASED STACK BASED Programs can implement their own heap manager or use Windows Heap Manager!
- 51. HEAP layout Process virtual memory Heap 1 Base (default heap) Heap 2 Base Heap N Base Segment 1 Header (default segment) Segment 2 Header Segment N Header chunk1 chunk N chunk2
- 52. HEAP memory: segments (nodes), chunks (blocks)
- 53. Exploit: HEAP metadata overwrite BEFORE HEAP OVERFLOW AFTER HEAP OVERFLOW
- 54. Mitigations: Anti-Heap overflow • Safe unlinking during coalesce • Heap Cookies • Heap chunk header encryption • Heap Corruption Mitigation (proprietary) - DEPRECATED
- 55. ASLR(HEAP) – HELL, where is my shellcode??? Base of default ProcessHeap is ASLR’ed (randomized)!!!
- 56. Windows Heap Manager predictable behavior Low fragmentation heap – LFH (turned off by default), memory chunks are the same size and at predictable locations
- 57. Payload delivery: Heap Spray – Payload • PAYLOAD-1 = NOP’s sled + SHELLCODE • PAYLOAD-2 = ROP + SHELLCODE NOP’s SHELLCODE
- 58. Payload delivery: Heap Spray – Spraying payload
- 59. Payload delivery: Heap Spray – Spraying payload NOP’s SHELLCODE NOP’s SHELLCODE NOP’s SHELLCODE NOP’s SHELLCODE NOP’s SHELLCODE NOP’s SHELLCODE NOP’s SHELLCODE NOP’s SHELLCODE NOP’s SHELLCODE • HeapSpraying may not work 100% of the time!!!
- 60. Payload delivery: Heap Spray – offset to payload
- 61. Mitigations: Anti-HeapSpray • HeapSpray Allocations (pseudo) a.k.a. • Shellcode pre-allocations (pseudo)
- 62. Mitigations: Anti-HeapSpray • HeapSpray Allocations (pseudo) a.k.a. • Shellcode pre-allocations (pseudo) (4) CODE SHELLCODE SHELLCODE SHELLCODE SHELLCODE SHELLCODE SHELLCODE SHELLCODE CODE 01 01 01 01 01 01 01 01 01 01 01 01 ALLOCATED 01 01 01 01 01 01 01 01 01 01 01 01
- 63. Mitigations: Anti-HeapSpray other • Dynamic Anti-HeapSpray (common name) (2) • Exception Heap Spray Check (1) • Memory Limit Heap Spray Check (proprietary) (1) • Periodic Heap Spray Check – DEPRECATED (1) • 1 - deprecated, 2 - turned off by default
- 64. Test: Heap spraying in action • Execute shellcode via single byte NOP sled • Execute shellcode via multi-byte (polymorphic) NOP sled • Fill heap with prepared Javascript ArrayBuffer objects B CA B CA B C Caller Check A D Memory Limit HeapSpr Check TEST FAILED D
- 65. ROP
- 66. Bypass: Code Reuse concept • Overflow using code injection is difficult nowadays! • Let’s reuse code from victim process itself!!! • Setup function arguments on the stack using instructions from loaded modules. CALL <API function> and bypass DEP. Get shellcode execution after function ends.
- 67. Bypass: ROP Chains • ROP Gadget – a set of instructions • ROP Chain – many ROP gadgets chained together Gadget chaining types: • RETN ROP gadget • CALL/JMP ROP gadget
- 68. Mitigations: Anti-ROP • Load library checks (3) • Memory protection checks (1) • Caller Checks (3) • Simulate execution flow/SysExit/ROP mitigation (3) • Stack Pivot (3) • Hot Patch Protection/banned functions (2) • JIT mitigation/SysCall/DeepHooks (3) • Wow64 (1)
- 69. Tests: ROP tests VirtualProtect() • Create memory page, copies shellcode, make executable using VirtualProtect() and jmp to shellcode • Create memory page, copies shellcode, make executable using CALL-ROP-gadget from DLLs to use VirtualProtect() and jmp to shellcode • Create memory page, copies shellcode, make executable using chain Jump to the legitimate code where a call to VirtualProtect() is located and jmp to shellcode B C A Caller check D B C Caller check A Caller check D B C Caller check A D
- 70. Tests: ROP tests NtProtectVirtualMemory() • Chain that create memory page, copies shellcode, make executable using NtProtectVirtualMemory() and jmp to shellcode • Wow64 bypass NtProtectVirtualMemory() • Exploit Wow64 NtProtectVirtualMemory() B C A Caller check D B CA B CA D D
- 71. Tests: Stack Pivot / Stack Unpivot • Point stack pointer to heap new allocated memory with shellcode • Executes ROP-chain on both pivoted and native stack A B C D ROP A B C D
- 73. Mitigations: other • Null deference protection a.k.a. Null page allocation (pseudo) • EAT - Export Address Table Access Filtering (EAF) (pseudo) • EAT - Export Address Table Access Filtering Plus (EAF+) • IAT - Import Address Table Filtering (IAF)
- 74. Mitigations: other (2) • Kernel Privilege Escalation Protection • Shellcode detection • Exploit kit fingerprint protection • Control Panel Protection • Untrusted font mitigation • Anti DLL hijacking
- 75. Recommendations • Patch (early, prioritize, often) • Update • Remove unused software, browser plugins... • Avoid clicking suspicious advertisements • Use anti-exploit technology • Be ready for false positives • Be ready to be bypassed • Use multi-layer defense approach (whitelisting, blacklisting and etc.)