Secure 360 - Exploit Techniques

The popularity of bug bounty programs and the sale and use of exploits are at an all-time high. Microsoft is continually releasing new security patches, bug fixes, and exploit mitigations at a furious pace. Yet new exploits are uncovered almost daily. This talk is intended to help you learn how attackers can bypass exploit mitigations, with live demonstrations and easy-to-understand examples.

Attendees will learn about the technologies behind exploit development and exploit mitigations, how these technologies affect more than just the researchers and exploit developers, and finally, understanding how an attack works helps in reducing attack surface in today’s modern networks.

  1. Modern Exploits, Mitigations, And Bypass Techniques
     CHRIS HERNANDEZ
  2. $whoami
     • Chris Hernandez
     • Red Teamer
     • Former: Pentester / Red Teamer @Veris Group; Exploit / Bug Research
     • Blog: Nopsled.ninja
     • @piffd0s
  3. Topics
     • Brief overview of the motivation behind exploit development
     • Background on the history of exploits
     • Examples of significant exploit mitigations
     • Examples of significant mitigation bypasses
     • Next steps
  4. Overview – Motivations
     • 0-day sales and bug bounty programs are gaining popularity and can be quite lucrative
     • Mitigation Bypass Bounty: Microsoft will pay out $100K for a bypass and an additional $100K for a bypass defense
     • At Pwn2Own 2016, $85K was awarded for an MS Edge exploit
     • Zerodium paid out $1M for RCE on iOS
     • Grey market $$$
     • Ethical and non-ethical researchers are working hard to find and exploit vulnerabilities
  5. Exploits 101 - What's an exploit?
     • It all starts with poorly written/compiled (vulnerable) code.
     • Code might not check for edge cases, or it trusts user input implicitly, or reads input into a buffer without bounds.
     • In order for an exploit to be written, a software vulnerability must first exist
     • Someone finds the vulnerability, then writes code to take advantage of (exploit) the vulnerability
     • A simple example of this is code that uses vulnerable C functions like strcpy
     • strcpy has no length argument; it keeps copying until it reaches a null terminator
  6. A Brief History of Exploits
     • Earliest malicious example was the Morris Worm, 1988 (exploited the finger daemon on Unix systems)
     • Aleph One wrote “Smashing the Stack for Fun and Profit” in 1996 – an early how-to guide for exploiting stack buffer overflows
     • Code Red, 2001 – exploited a buffer overflow in IIS; 359,000 hosts affected
     • SQL Slammer, 2003 – exploited a buffer overflow in MS SQL Server; ~75,000 hosts affected
     * "Security of the Internet. CERT/CC". Cert.org. 1998-09-01
  7. What can be done to defend my poor weak insecure application?
  8. Enter Exploit Mitigations
     Controls exist to mitigate the exploitation of software vulnerabilities. Primary categories of controls are:
     • OS controls – ASLR, DEP (AlwaysOn)
     • Compile time: Stack Canaries, SafeSEH
     • Application opt-in: Dynamicbase, DEP (App - OptIn)
  9. Notable Exploit Mitigations Timeline
     • Windows 10 (2015): Control Flow Guard
     • Windows 8 (2012): Guard Pages, Null Ptr Deref Protection
     • Windows 7 (2009): EMET
     • Vista (2007): ASLR, Low Fragmentation Heap, SEHOP
     • Windows XP SP2 (2004): DEP, SafeSEH, Safe Unlink, /GS Stack canaries
     • Windows XP (2001): None
  10. Stack Canary Exploit Mitigation Example
     Without a canary                 With a canary
     ------------------------------   ------------------------------
     ……                               ……
     ESP (top of stack)               ESP (top of stack)
     AAAAAAAA                         AAAAAAAA
     AAAAAAAA                         AAAAAAAA
     AAAAAAAA                         AAAAAAAA
     AAAAAAAA                         34095872 [random canary]
     Saved EBP                        Saved EBP
     Saved EIP                        Saved EIP
     Ptr to argv[1]                   Ptr to argv[1]
     ….                               ….
  11. Canary Bypass: CVE-2013-2028
  12. Example Canary Bypass: CVE-2013-2028
     The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.
     BUT! There is a stack canary
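As an added example that is not part of the talk and is not nginx's code, the integer signedness error named in the CVE text above reduced to its core: the chunk size is accumulated and compared as a signed value, so an oversized hex string wraps negative and passes the "too large" check, which is what reaches the canary-protected stack buffer in the first place. The function names, the hex parser and the `remaining` parameter are constructed for this illustration; the hardened variant shows the input check that a canary does not replace.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the CVE-2013-2028 bug class; not nginx's code.
 * Each function reads a hex chunk size and decides whether a chunk of that
 * size may be copied into a buffer with `remaining` bytes free.
 * Returns 1 = allow the copy, 0 = reject (bad input or too large). */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Vulnerable shape: the size ends up in a signed type with no overflow
 * check, so a long run of hex digits wraps it negative, and a negative size
 * is never "larger than remaining". The accumulator is unsigned here only
 * so that the wrap is well defined for the demonstration. */
int chunk_allowed_vulnerable(const char *hex, size_t remaining)
{
    unsigned long acc = 0;
    for (; *hex && hexval(*hex) >= 0; hex++)
        acc = acc * 16 + (unsigned long)hexval(*hex);
    long size = (long)acc;                 /* integer signedness error */
    if (size > (long)remaining) return 0;  /* negative size sails through */
    return 1;                              /* ...and later becomes a copy length */
}

/* Hardened shape: stop before the multiply can overflow, keep the size
 * unsigned, reject malformed input, and compare against the real space. */
int chunk_allowed_hardened(const char *hex, size_t remaining)
{
    size_t size = 0;
    int digits = 0;
    for (; *hex && hexval(*hex) >= 0; hex++, digits++) {
        if (size > SIZE_MAX / 16) return 0;    /* next digit would overflow */
        size = size * 16 + (size_t)hexval(*hex);
    }
    if (digits == 0 || *hex != '\0') return 0; /* empty size or trailing junk */
    return size <= remaining;
}
```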
  13. ASLR & DEP Exploit Mitigation
     • Data Execution Prevention (DEP): DEP is a Windows feature that enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for exploits involving buffer overruns to succeed.
     • Address Space Layout Randomization (ASLR): In older versions of Windows, core processes tended to be loaded into predictable memory locations upon system startup. Some exploits work by targeting memory locations known to be associated with particular processes. ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process.
     The combination of ASLR and DEP creates a fairly formidable barrier for attackers to overcome in order to achieve reliable code execution when exploiting vulnerabilities.
     Source: http://www.microsoft.com/security/sir/strategy/default.aspx#!section_3_3
  14. ASLR Example – Memory “shuffle”
     Process address space on boot     Process address space on boot 2
     ------------------------------    ------------------------------
     User32                            GDI32
     Ntdll                             …
     Kernel32                          …
     …                                 Kernel32
     GDI32                             GDI32
     MSVCRT                            User32
     …                                 NTDLL
     RPCRT4
  15. EIP
  16. DEP Bypass example
     • WinAPI VirtualProtect
     • “Changes the protection on a region of committed pages in the virtual address space of the calling process” - MSDN
  17. ASLR & DEP Bypass: MS14-035 Use After Free in MSHTML CInput
  18. First, a bit about “use after free”
     • C and C++ vulnerability class
     • Popular vulnerability class for exploit writers
     • Complex vulnerability class
     • Exploitable because “freed” memory can be written to before a function uses it again: the victim function mistakenly still holds a reference to that memory.
     • Difficult to detect via static analysis
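An added example, not code from MSHTML or from the talk, showing the shape of the bug class just described and the ownership fix for it: an event handler that keeps only a raw pointer across a callback touches the object after the callback has freed it, while a handler that takes its own reference keeps the object alive until its last use. The `struct input`, its reference-count helpers and the callback names are constructed for this illustration.

```c
#include <stdlib.h>

/* Constructed illustration; not code from MSHTML or from the talk. An input
 * object is shared between its owner and an event handler, and the handler
 * runs a callback that may make the owner drop the object. A handler that
 * keeps only a raw pointer then touches freed memory (use after free). */
struct input {
    int refs;   /* number of live references */
    int value;
};

struct input *input_new(int value)
{
    struct input *in = malloc(sizeof *in);
    if (!in) return NULL;
    in->refs = 1;          /* creator holds the first reference */
    in->value = value;
    return in;
}

void input_ref(struct input *in) { in->refs++; }

/* Returns 1 when this release freed the object, 0 when references remain. */
int input_unref(struct input *in)
{
    if (--in->refs > 0) return 0;
    free(in);
    return 1;
}

/* Callback that makes the owner give up its reference mid-event: the
 * "victim still holds a reference to freed memory" situation from the slide. */
void drop_owner_ref(struct input *in) { input_unref(in); }

/* Vulnerable shape: a raw pointer is used after the callback, which may have
 * freed the object. Never called here; reading freed memory is undefined. */
int handle_event_vulnerable(struct input *in, void (*cb)(struct input *))
{
    cb(in);
    return in->value;      /* use after free when cb released the last ref */
}

/* Hardened shape: the handler takes its own reference for the duration of
 * the work, so the object outlives the callback whatever it does. */
int handle_event_hardened(struct input *in, void (*cb)(struct input *))
{
    input_ref(in);
    cb(in);
    int value = in->value; /* still valid: we hold a reference */
    input_unref(in);       /* may free now, after our last use */
    return value;
}
```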
  19. Kind of like…
  20. ASLR & DEP Bypass: MS14-035 Use After Free in MSHTML CInput
  21. DEMO
  22. DEMO
  23. Full exploitation requires an info leak bug: CVE-2012-0769
  24. DEMO
  25. Meet EMET
     • What is the Enhanced Mitigation Experience Toolkit?
     • EMET is a utility that helps prevent vulnerabilities in software from being successfully exploited.*
     • EMET 5.2 released for Vista – Win 8.1, Server 2008 – 2012R2
     • EMET 5.5 in beta for Win 10
     • Heavily focused on mitigating modern attacker techniques: ROP, heap spray, SEH overwrite, Export Address Table, stack pivot, etc.
  26. EMET
  27. EMET Example
  28. Next Steps
     • Consider deploying EMET to high-risk and high-value Windows systems
     • Ensure compile-time controls are turned on
     • Audit vendor software for effective use of exploit mitigation controls; many major security vendors have poor mitigation controls
     • Ensure server and workstation environments are using OS-level controls.
  29. Tying it all together
     • The technologies behind exploit development and exploit mitigations are important concepts to understand
     • Because of the marketplace, they affect more than just the researchers, exploit developers and defenders
     • Understanding how an attack works helps in reducing attack surface
     • Awareness of modern exploit mitigations can significantly reduce the attack surface of today's enterprise
  30. Q & A
     @piffd0s