How to-catch-a-chameleon-steven seeley-ruxcon-2012

2,504 views

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,504
On SlideShare
0
From Embeds
0
Number of Embeds
113
Actions
Shares
0
Downloads
61
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

How to-catch-a-chameleon-steven seeley-ruxcon-2012

  1. 1. How to catch a chameleon Steven Seeley steven@immunityinc.com @net__ninja Steven Seeley – Ruxcon 2012
  2. 2. C:> whoami /all?● mr_me● Security Researcher @ Immunity Inc● A member of Corelan Security Team ● ruby python developer ● reverse engineering ● exploit developer Steven Seeley – Ruxcon 2012
  3. 3. Disclaimer(s)No zerodays were hurt during themaking of this presentationSorry but some windows heapknowledge is assumed Steven Seeley – Ruxcon 2012
  4. 4. Agenda● What is heaper ?● Development motivators● Meta data attack techniques● Functional design● Installation● Using heaper● Demo analysing a heap overflow● Limitations● Future work● Conclusion Steven Seeley – Ruxcon 2012
  5. 5. But first.An entomologists lesson. Steven Seeley – Ruxcon 2012
  6. 6. Definition of a chameleon?Chameleon (n) A small slow-moving Old World lizardwith a prehensile tail, long extensibletongue, protruding eyes that rotateindependently, and a highly developedability to change color Steven Seeley – Ruxcon 2012
  7. 7. Definition of a chameleon?Chameleon (n) A small slow-moving Old World lizardwith a prehensile tail, long extensibletongue, protruding eyes that rotateindependently, and a highly developedability to change color Steven Seeley – Ruxcon 2012
  8. 8. A chameleons diet Steven Seeley – Ruxcon 2012
  9. 9. Similarities Chameleon Heap manager analysisSlow moving Slow evolution of security in heap managers*Protruding, rotating eyes Symptoms of long debugging sessionsAbility to change color Ability to change its state rapidlyrapidlyKills and eats bugs Difficultly leads to disclosure, in hope of other researchers demonstrating exploitation* Some, such as implementations on mobile platforms, example: WebKit Steven Seeley – Ruxcon 2012
  10. 10. What is heaper?● A multi platform win32 heap analysis tool● A plug-in for Immunity Debugger● Developed in python using immlib/heaplib● An offensive focused tool: ● Visualize the heap layout ● Determine exploitable conditions using meta-data ● Find application specific heap primitives ● Find application specific function pointers ● Modify heap structures on the fly for simulation Steven Seeley – Ruxcon 2012
  11. 11. Development motivators Steven Seeley – Ruxcon 2012
  12. 12. Meta data attack techniquesTechnique Platform Difficulty* Reliability* SupportedCoalesce unlink() NT 5.[0/1] 10% 100% YesVirtualAlloc block unlink() NT 5.[0/1] Unknown Unknown NoLookaside head overwrite NT 5.2 50-60% Unknown YesFreelist insert/search/relink NT 5.2 Unknown Unknown YesBitmap flip NT 5.2 50-60% Unknown YesHeap cache desycronisation NT 5.2 90% Unknown NoCritical section unlink() NT 5.2 50% 70% NoFreeEntryOverwrite NT 6.[0/1] 50% 60% YesSegment Offset NT 6.[0/1] 50% 80% YesDepth De-sync NT 6.[0/1] 50% 70% YesUserBlocks Overwrite NT 6.2 90% 40% NoApplication data ANY Unknown Unknown Yesdifficulty/reliability* - estimated based specific testing, will vary largely depending on context Steven Seeley – Ruxcon 2012
  13. 13. Functional design ● Object oriented design ● Easily extend-able ● Chunk validation based on allocator ordering & categorization ● General heuristics check per allocator Steven Seeley – Ruxcon 2012
  14. 14. Functional designchunk validation:Full unlink() macro validation! Steven Seeley – Ruxcon 2012
  15. 15. Functional design chunk validation:● Lets say we have chunk 0x0026fee8 in FreeList[0].● We know relative offsets: ● 0x0026fee8+0x0 is the size ● 0x0026fee8+0x2 is the previous chunks size ● 0x0026fee8+0x4 is the cookie ● 0x0026fee8+0x8 is the Flink/Blink Therefore, we can validate the chunk based on its positioning and by reading memory Steven Seeley – Ruxcon 2012
  16. 16. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  17. 17. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  18. 18. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  19. 19. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  20. 20. Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)-> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012
  21. 21. Functional designChunk validation on ListHint[n]:-> Windows 7 LFH (size is encoded)-> Checks ListHint[n] Steven Seeley – Ruxcon 2012
  22. 22. Functional designChunk validation on ListHint[n]:-> Windows 7 LFH (size is encoded)-> Checks ListHint[n] Steven Seeley – Ruxcon 2012
  23. 23. Functional designChunk validation on ListHint[n]:-> Windows 7 LFH (size is encoded)-> Checks ListHint[n] Steven Seeley – Ruxcon 2012
  24. 24. Functional designChunk validation on ListHint[n]:-> Windows 7 LFH (size is encoded)-> Checks ListHint[n] Steven Seeley – Ruxcon 2012
  25. 25. Functional designChunk validation on FreeList[0]:-> Windows 2000/XP FreeList[0] Steven Seeley – Ruxcon 2012
  26. 26. Functional designChunk validation on FreeList[0]:-> Windows 2000/XP FreeList[0] size, flink, blink pwned! Chunk overwrite! Steven Seeley – Ruxcon 2012
  27. 27. Functional designChunk validation on FreeList[n]:-> Windows 2000/XP FreeList[n] Steven Seeley – Ruxcon 2012
  28. 28. Functional designChunk validation on FreeList[n]:-> Windows 2000/XP FreeList[n]size, flink, blink pwned! Chunk overwrite! Steven Seeley – Ruxcon 2012
  29. 29. Functional designGraphing:We all know that littlegreen men in the debuggercan be hard to understand Steven Seeley – Ruxcon 2012
  30. 30. Functional designGraphing:visualiz e the heap Steven Seeley – Ruxcon 2012
  31. 31. Functional design Easy to use:● Generates a specific menu basic on windows version in use – no option to analyse the LFH if it doesnt exist● Generates graphs for each bin size separately, generally for exploitation, we target a specific bin size● n-4 byte write simulation on function pointers with the ability to restore the said function pointers● The ability to modify a single BIT in the FreeListInUse struct● update command for easily updating heaper.● config command to configure the output directory of logs and graphs● Everything is logged in a new “heaper” window Steven Seeley – Ruxcon 2012
  32. 32. Installation● Prerequisites: ● Immunity Debugger v1.85 and above ● Graphviz v2.28.0 and above -http://www.graphviz.org/ ● Pyparsing - http://sourceforge.net/projects/pyparsing/ ● PyDot - http://code.google.com/p/pydot/1. Install Immunity Debugger :->2. Add c:python27 to your path environment3. Run the Graphviz MSI packaged installer4. Navigate into your pydot and pyparsing directories and execute pythonsetup install4. Copy heaper to the C:Program FilesImmunity IncImmunityDebuggerPyCommands directory Steven Seeley – Ruxcon 2012
  33. 33. Using heaperSteven Seeley – Ruxcon 2012
  34. 34. Usage and help menuRun !heaper help <cmd> to learnabout the cmd and its options Steven Seeley – Ruxcon 2012
  35. 35. Analyzing windows structsDisplay the PEB structure Steven Seeley – Ruxcon 2012
  36. 36. Analyzing windows structsDisplay the TEBs for the process (nostruct) – No TEB struct boo Steven Seeley – Ruxcon 2012
  37. 37. Analyzing windows structsAnalyze a _heap struct Steven Seeley – Ruxcon 2012
  38. 38. Analyzing the FreelistInUse bitmask Steven Seeley – Ruxcon 2012
  39. 39. Analyzing the FreelistInUse bitmaskBit flipping Steven Seeley – Ruxcon 2012
  40. 40. Analyzing the FreelistInUse bitmaskBit flipping Steven Seeley – Ruxcon 2012
  41. 41. Dumping function pointers● Finds function pointers despite if they are writable or not● Depreciated and will be removed in the next major release Steven Seeley – Ruxcon 2012
  42. 42. Finding writable pointers Steven Seeley – Ruxcon 2012
  43. 43. Finding writable pointers● Similar to the dump function pointers routine but executes the action across the whole module● This can be executed against all modules● As the name states, only writable function pointers to facilitate a write 4 condition● Dont be fooled, it doesnt just dump the IAT● It can find OS specific function pointers making your exploit work despite the existence of application specific function pointers. Steven Seeley – Ruxcon 2012
  44. 44. Finding writable pointersUse any of these to transfer code execution Steven Seeley – Ruxcon 2012
  45. 45. Analyzing the allocator state NT 5.xLookaside - chunk analysis Steven Seeley – Ruxcon 2012
  46. 46. Analyzing the allocator state NT 5.x Lookaside - chunk analysis● Easy to understand layout● Displays the cookie, chunk size, flink● Notification of an overwrite using the first byte in the chunk header (size)● If userdata == flink, possible exploitation Steven Seeley – Ruxcon 2012
  47. 47. Analyzing the allocator state NT 5.xLookaside with verbose mode (-v) Steven Seeley – Ruxcon 2012
  48. 48. Analyzing the allocator state NT 5.x Lookaside with verbose mode (-v)● Displays the _general_lookaside_list struct● Displays the _slist_header struct● Instantly determine if a list itself has been overwritten● Much like dt _general_lookaside_list <addr> in windbg Steven Seeley – Ruxcon 2012
  49. 49. Analyzing the allocator state NT 5.xLookaside - graphing Steven Seeley – Ruxcon 2012
  50. 50. Analyzing the allocator state NT 5.x Lookaside - vuln analysis●● Set a (Function pointer-0x8) to equal the new Lookaside chunk address Steven Seeley – Ruxcon 2012
  51. 51. Analyzing the allocator state NT 5.xLookaside - vuln analysis Steven Seeley – Ruxcon 2012
  52. 52. Analyzing the allocator state NT 5.xFreeList - chunk analysis Steven Seeley – Ruxcon 2012
  53. 53. Analyzing the allocator state NT 5.xFreeList with verbose mode (-v) Steven Seeley – Ruxcon 2012
  54. 54. Analyzing the allocator state NT 5.xFreeList - graphing Steven Seeley – Ruxcon 2012
  55. 55. Analyzing the allocator state NT 5.xFreeList - vuln analysis Steven Seeley – Ruxcon 2012
  56. 56. Analyzing the allocator state NT 5.xFreeList - vuln analysis Steven Seeley – Ruxcon 2012
  57. 57. Analyzing the allocator state NT 6.xLFH - UserBlocks analysis Steven Seeley – Ruxcon 2012
  58. 58. Analyzing the allocator state NT 6.xLFH - UserBlocks analysis Steven Seeley – Ruxcon 2012
  59. 59. Analyzing the allocator state NT 6.xLFH - UserBlocksCache analysis0:004> dt _USER_MEMORY_CACHE_ENTRYntdll!_USER_MEMORY_CACHE_ENTRY +0x000 UserBlocks : _SLIST_HEADER +0x008 AvailableBlocks : Uint4B Steven Seeley – Ruxcon 2012
  60. 60. Analyzing the allocator state NT 6.xLFH - buckets0:004> dt _heap_bucketntdll!_HEAP_BUCKET +0x000 BlockUnits : Uint2B +0x002 SizeIndex : Uchar +0x003 UseAffinity : Pos 0, 1 Bit +0x003 DebugFlags : Pos 1, 2 Bits Steven Seeley – Ruxcon 2012
  61. 61. Analyzing the allocator state NT 6.xLFH - graphing UserBlocks Steven Seeley – Ruxcon 2012
  62. 62. Analyzing the allocator state NT 6.xLFH - vuln analysis Steven Seeley – Ruxcon 2012
  63. 63. Analyzing the allocator state NT 6.xLFH - vuln analysis Steven Seeley – Ruxcon 2012
  64. 64. Analyzing the allocator state NT 6.xLFH - vuln analysis Steven Seeley – Ruxcon 2012
  65. 65. Analyzing the allocator state NT 6.xListHint - analysis Steven Seeley – Ruxcon 2012
  66. 66. Analyzing the allocator state NT 6.xListHint - analysis Steven Seeley – Ruxcon 2012
  67. 67. Analyzing the allocator state NT 6.xFreeList - analysis Steven Seeley – Ruxcon 2012
  68. 68. Analyzing the allocator state NT 6.xFreeList - analysis Steven Seeley – Ruxcon 2012
  69. 69. Analyzing the allocator state NT 6.xFreeList - graphing Steven Seeley – Ruxcon 2012
  70. 70. Analyzing the allocator state NT 6.xFreeList/ListHint - vuln analysis Steven Seeley – Ruxcon 2012
  71. 71. Analyzing the allocator state NT 6.xFreeList/ListHint - vuln analysis Steven Seeley – Ruxcon 2012
  72. 72. Hooking the heap manager Steven Seeley – Ruxcon 2012
  73. 73. Hooking the heap manager Hard hooking● HeapAlloc/HeapFree● Can be extended for other heap functions● Discover primitives Steven Seeley – Ruxcon 2012
  74. 74. Hooking the heap managerSoft hookingUse only for testing, not designed to be used with large applications Steven Seeley – Ruxcon 2012
  75. 75. Patching Patching - PEB● A binary may be compiled in debug mode● What if we are trying to execute a function pointer that assumes the process is not being debugged ? Steven Seeley – Ruxcon 2012
  76. 76. UpdatingUpdate to the latest version with easeThe update function just generates a git hash and compares digests. Thereis no version tracking yet. Steven Seeley – Ruxcon 2012
  77. 77. ConfiguringConfigure the home directory on where tostore graphs and logs Steven Seeley – Ruxcon 2012
  78. 78. Detecting exploitable conditions Steven Seeley – Ruxcon 2012
  79. 79. Detecting exploitable conditions● Detecting exploitable conditions can be very difficult and prone to many false positives.● If you overwrite a specific chunk, then just due to the amount of data you overwrote with, it may/may not be deemed exploitable● Therefore understanding the limitations of each of the conditions is required for accurate analysis. Steven Seeley – Ruxcon 2012
  80. 80. Detecting exploitable conditions LFH – FreeEntryOffset Overwrite Steven Seeley – Ruxcon 2012
  81. 81. Detecting exploitable conditions LFH – FreeEntryOffset Overwrite Steven Seeley – Ruxcon 2012
  82. 82. Detecting exploitable conditions FreeList/ListHint – No technique suggestion*● No techniques for exploitation against the FreeList/ListHint under windows NT 6.x have been disclosed publicly so far. Steven Seeley – Ruxcon 2012
  83. 83. Detecting exploitable conditions Lookaside – chunk overwrite Steven Seeley – Ruxcon 2012
  84. 84. Detecting exploitable conditions Lookaside – chunk overwrite Steven Seeley – Ruxcon 2012
  85. 85. Detecting exploitable conditions FreeList[n] – Bitflip attack Steven Seeley – Ruxcon 2012
  86. 86. Detecting exploitable conditions FreeList[n] – Bitflip attack Steven Seeley – Ruxcon 2012
  87. 87. Demo - MS12-037 Steven Seeley – Ruxcon 2012
  88. 88. Limitations● Does not analyze LFH on XP● Does not analyze LFH on Windows 8● Supports only a limited number of meta-data attacks for now● Does not log analysis findings external to the debugger● Needs a decent heap search function● Need to support other heap implementations Steven Seeley – Ruxcon 2012
  89. 89. Future work● Support LFH analysis on Windows 8● Support other heap manager implementations (jemalloc)● Support more meta-data attacks● Perform log analysis● Detect interesting application data on the heap● Add a decent search function● Improve the heuristics engine Steven Seeley – Ruxcon 2012
  90. 90. Conclusion● Run-time analysis of the heap to detect meta- data attack conditions is complex● Some form of solver maybe more applicable to this type of analysis :->● Whilst heaper is not turing complete, it will solve many corner cases.● Immunity will continue to be a leader in the development and application of heap exploitation techniques Steven Seeley – Ruxcon 2012
  91. 91. Thanks!You know who you are ;-) Steven Seeley – Ruxcon 2012
  92. 92. Code design/improvements/patches/ideas are very welcome :> steventhomasseeley@gmail.comFor more information please execute:$ git clone https://github.com/mrmee/heaper.git$ wget -r http://net-ninja.net/ Steven Seeley – Ruxcon 2012
  93. 93. MIAMI Steven Seeley – Ruxcon 2012

×