Successfully reported this slideshow.
Your SlideShare is downloading. ×

Introduction to Memory Exploitation (Meeting C++ 2021)

Loading in …3

Check these out next

1 of 68 Ad

Introduction to Memory Exploitation (Meeting C++ 2021)

Download to read offline

Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.

Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.


More Related Content

Similar to Introduction to Memory Exploitation (Meeting C++ 2021) (20)

More from Patricia Aas (20)


Recently uploaded (20)

Introduction to Memory Exploitation (Meeting C++ 2021)

  1. 1. TurtleSec @pati_gallardo 1 Turtle Sec @pati_gallardo
  2. 2. TurtleSec @pati_gallardo 2 “Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it. "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.”
  3. 3. TurtleSec @pati_gallardo 3 Heartbleed @pati_gallardo 3 TurtleSec
  4. 4. TurtleSec @pati_gallardo 4 What was the bug? - Buffer over-read - Attacker controlled buffer size
  5. 5. TurtleSec @pati_gallardo 5 What made it bad? - Remote attack - High value memory - Wide deploy
  6. 6. TurtleSec @pati_gallardo 6 Introduction to Memory Exploitation Meeting C++ 2021 Patricia Aas Turtle Sec
  7. 7. TurtleSec @pati_gallardo 7 “The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read” CVE-2014-0160 Description
  8. 8. TurtleSec @pati_gallardo 8 Heartbleed is a prime example of an Information Leak
  9. 9. TurtleSec @pati_gallardo 9 Heartbleed is famous for how devastating it was But it also became the poster child for fuzzing
  10. 10. TurtleSec @pati_gallardo 10 Patricia Aas - Trainer & Consultant C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/they Turtle Sec
  11. 11. TurtleSec @pati_gallardo 11 Fuzzing @pati_gallardo 11 TurtleSec
  12. 12. TurtleSec @pati_gallardo 12 Corpus Fuzzer Instrumented Target Valid Inputs Crash Crashing Inputs Coverage Feedback
  13. 13. TurtleSec @pati_gallardo 13 Now that’s is all nice and good But most memory errors don’t cause us to crash At least not right away
  14. 14. TurtleSec @pati_gallardo 14 Sanitizers @pati_gallardo 14 TurtleSec
  15. 15. TurtleSec @pati_gallardo 15 compiler instrumentation run-time library Address Sanitizer terminal $ clang++ -fsanitize=address overflow.cpp $ ./a.out ERROR: AddressSanitizer: stack-buffer-overflow @pati_gallardo Clang GCC VS
  16. 16. TurtleSec @pati_gallardo 16 Address Sanitizer provokes crash-like behavior for many memory bugs Supercharges fuzzing Makes it possible to find “hidden” bugs
  17. 17. TurtleSec @pati_gallardo 17 Debugger Fuzzer Sanitizers Make application crashy Provoke weird behavior Analyze
  18. 18. TurtleSec @pati_gallardo 18 So you found a bug. What now? @pati_gallardo 18 TurtleSec
  19. 19. TurtleSec @pati_gallardo 19 Exploitation @pati_gallardo 19 TurtleSec
  20. 20. TurtleSec @pati_gallardo 20 Secret: Access Granted Operation complete Launching missiles Access Denied The Programmers Mental State Machine “David” “Joshua” Weird State “globalthermonuclearwar” Terminate
  21. 21. TurtleSec @pati_gallardo 21 The Target The Shellcode @halvarflake Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
  22. 22. TurtleSec @pati_gallardo 22 Shellcode Piece of code, typically in machine code, that is delivered and executed as a part of an exploit. Called “shellcode” because a traditional use was to start a shell, for example sh. In real exploits it will deliver some kind of mechanism for further (remote) compromise of the system.
  23. 23. TurtleSec @pati_gallardo 23 Exploit Write Memory Read Memory Execute Code Information Leaks Running of Shellcode Planting of Shellcode The Anatomy of an Exploit
  24. 24. TurtleSec @pati_gallardo 24 To run your shellcode you need the instruction pointer to jump to your shellcode. The instruction pointer jumps in many different scenarios - goal here is to control where it jumps to, examples: return from a function virtual function call function pointer Code Execution
  25. 25. TurtleSec @pati_gallardo 25 A vulnerability or a capability in the application that can be used as a part of a wider exploit is often referred to as a “primitive”- examples: Arbitrary Read Primitive Write-What-Where Primitive Read-Where Primitive “Primitives”
  26. 26. TurtleSec @pati_gallardo 26 Mitigations @pati_gallardo 26 TurtleSec
  27. 27. TurtleSec @pati_gallardo 27 Exploit Write Memory Read Memory Execute Code ASLR Limit interesting info? Non executable memory Stack Canaries Address Space Layout Randomization (ASLR) Platform and Compiler Mitigations
  28. 28. TurtleSec @pati_gallardo 28 Cleaning Memory? @pati_gallardo 28 TurtleSec
  29. 29. TurtleSec @pati_gallardo 29 The Case Of The Disappearing Memset Dead Store Elimination The compiler is allowed to optimize away stores that cannot be detected Meaning memset’ing of memory that is never read can be removed @pati_gallardo 29
  30. 30. TurtleSec @pati_gallardo 30 The Heap @pati_gallardo 30 TurtleSec
  31. 31. TurtleSec @pati_gallardo 31 Allocators @pati_gallardo 31 TurtleSec
  32. 32. TurtleSec @pati_gallardo 32 Simple Pool Allocator
  33. 33. TurtleSec @pati_gallardo 33 Empty Pool
  34. 34. TurtleSec @pati_gallardo 34 Initial allocations
  35. 35. TurtleSec @pati_gallardo 35 Free An allocation is freed - what now?
  36. 36. TurtleSec @pati_gallardo 36 Free Another allocation is freed - what now?
  37. 37. TurtleSec @pati_gallardo 37 Free Another allocation is freed - what now?
  38. 38. TurtleSec @pati_gallardo 38 Free link? coalesce?
  39. 39. TurtleSec @pati_gallardo 39 So… how can we exploit this behavior? We can allocate!
  40. 40. TurtleSec @pati_gallardo 40 Heap Spraying @pati_gallardo 40 TurtleSec
  41. 41. TurtleSec @pati_gallardo 41 Fill memory with a certain byte sequence possibly shellcode so that a “random” jump might hit it Heap Spraying
  42. 42. TurtleSec @pati_gallardo 42 Typical Heap Spray Shellcode No-ops Payload Noop-sled Shellcode string
  43. 43. TurtleSec @pati_gallardo 43 Normal Allocation Heap Spraying Initial state
  44. 44. TurtleSec @pati_gallardo 44 Normal Allocation Shellcode Heap Spraying Fill memory with shellcode
  45. 45. TurtleSec @pati_gallardo 45 This is a bit scattershot Can we have more control?
  46. 46. TurtleSec @pati_gallardo 46 (Heap Feng Shui) Heap Grooming @pati_gallardo 46 TurtleSec
  47. 47. TurtleSec @pati_gallardo 47 Create predictable memory patterns Trick the allocator to allocate a specific chunk A chunk you can control Let’s see it in action
  48. 48. TurtleSec @pati_gallardo 48 Putting it all together @pati_gallardo 48 TurtleSec
  49. 49. TurtleSec @pati_gallardo 49 “The Shadow Brokers” Hacking group behind a leak in 2016-17 The leaked exploits and tools are believed to be NSAs The Shadow Brokers are suspected to be Russian The leak was done in several batches Most famous is the Eternal Blue exploit
  50. 50. TurtleSec @pati_gallardo 50 Very Light Background: Windows SMBv1 Request Response Client Server SMB messages Aside: This is the diagram of all things computer
  51. 51. TurtleSec @pati_gallardo 51 EternalBlue Eternal Exploits @pati_gallardo 51 TurtleSec
  52. 52. TurtleSec @pati_gallardo 52 DoublePulsar EternalBlue EternalRomance EternalChampion EternalSynergy
  53. 53. TurtleSec @pati_gallardo 53 EternalBlue Write-What-Where Primitive and Remote Code Execution Linear Buffer Overrun, Heap Spray / Heap Grooming
  54. 54. TurtleSec @pati_gallardo 54 “When updating the length of the list, the size is written to as if it were a 16-bit ushort, when it is actually a 32-bit ulong. This means that the upper 16-bits are not updated when the list gets truncated.” Microsoft Defender Security Research Team Main bug
  55. 55. TurtleSec @pati_gallardo 55 55 @pati_gallardo Main bug and the fix ULONG FEALIST.cbList; #define SmbPutUshort(DestAddress, Value) { ((PUCHAR)(DestAddress))[0] = BYTE_0(Value); ((PUCHAR)(DestAddress))[1] = BYTE_1(Value); } SmbPutUshort(&FeaList->cbList, PTR_DIFF_SHORT(fea, FeaList)); ULONG FEALIST.cbList; #define SmbPutUlong(DestAddress, Value) { ((PUCHAR)(DestAddress))[0] = BYTE_0(Value); ((PUCHAR)(DestAddress))[1] = BYTE_1(Value); ((PUCHAR)(DestAddress))[2] = BYTE_2(Value); ((PUCHAR)(DestAddress))[3] = BYTE_3(Value); } SmbPutUlong(&FeaList->cbList, PTR_DIFF_LONG(fea, FeaList)); Before After [0] [1] [2] [3] [0] [1] [2] [3] LODWORD HIDWORD
  56. 56. TurtleSec @pati_gallardo 56 - Primes the heap - Fills with blocks ready for shellcode - Makes room for buffer that will overrun - Overrun will prepare code execution - Hopes to overrun into one of the prepared blocks Heap Grooming and Spray
  57. 57. TurtleSec @pati_gallardo 57 Heap Grooming Initial state
  58. 58. TurtleSec @pati_gallardo 58 Heap Grooming Grooming Packet Filling gaps to make allocations predictable
  59. 59. TurtleSec @pati_gallardo 59 Heap Grooming Grooming Packet Grooming Packet Prefill before making pattern
  60. 60. TurtleSec @pati_gallardo 60 Make room for your objects Heap Grooming Free up holes Grooming Packet Grooming Packet
  61. 61. TurtleSec @pati_gallardo 61 Heap Grooming Overflow Packet Grooming Packet Grooming Packet
  62. 62. TurtleSec @pati_gallardo 62 Heap Grooming Grooming Packet Ready for Execution Grooming Packet Overflow Packet
  63. 63. TurtleSec @pati_gallardo 63 Heap Grooming Grooming Packet Grooming Packet shellcode Ready for Execution
  64. 64. TurtleSec @pati_gallardo 64 When connection is closed the shellcode is executed in the block(s) that have been overrun Installs the DoublePulsar backdoor implant Code Execution
  65. 65. TurtleSec @pati_gallardo 65 How does that affect me? @pati_gallardo 65 TurtleSec
  66. 66. TurtleSec @pati_gallardo 66 There is no magic here These are bugs you can find The tools they use are tools you can use Basically: Fix Bugs
  67. 67. TurtleSec @pati_gallardo 67 Turtle Sec @pati_gallardo
  68. 68. TurtleSec @pati_gallardo 68 Questions? Photos from Patricia Aas, TurtleSec Turtle Sec