Hacking Windows IPC

Published in: Technology

1. Hacking Windows Internals
  - Cesar Cerrudo
  - Argeniss

2. Hacking Shared Sections
- Shared Section definition
- Using Shared Sections
- Tools
- Problems
- Searching for holes
- Exploitation
- Microsoft vulnerabilities
- Other vendors vulnerabilities
- Solutions
- Conclusions
- References

3. Shared Section
- Basically a Shared Section is a portion of memory shared between processes, mostly used as an IPC (Inter Process Communication) mechanism.
  - Shared Memory.
  - File Mapping.
  - Named or Unnamed.

4. Using Shared Sections
- Loading binary images by the OS.
  - Process creation.
  - DLL loading.
- Mapping kernel mode memory into user address space !?
  - Used to avoid kernel transitions.
- Sharing data between processes.
  - GDI and GUI data, pointers !?, counters, any data.

5. Using Shared Sections
- Creating a shared section

    HANDLE CreateFileMapping(
        HANDLE hFile,                       // handle to file (file mapping)
                                            // or 0xFFFFFFFF, i.e. INVALID_HANDLE_VALUE (shared memory)
        LPSECURITY_ATTRIBUTES lpAttributes, // security
        DWORD flProtect,                    // protection
        DWORD dwMaximumSizeHigh,            // high-order DWORD of size
        DWORD dwMaximumSizeLow,             // low-order DWORD of size
        LPCTSTR lpName                      // object name (named) or NULL (unnamed)
    ); // returns a shared section handle

6. Using Shared Sections
- Opening an existing shared section

    HANDLE OpenFileMapping(
        DWORD dwDesiredAccess,  // access mode (FILE_MAP_WRITE, FILE_MAP_READ, etc.)
        BOOL bInheritHandle,    // inherit flag
        LPCTSTR lpName          // shared section name
    ); // returns a shared section handle

7. Using Shared Sections
- Mapping a shared section

    LPVOID MapViewOfFile(
        HANDLE hFileMappingObject,  // handle to created/opened shared section
        DWORD dwDesiredAccess,      // access mode (FILE_MAP_WRITE, FILE_MAP_READ, etc.)
        DWORD dwFileOffsetHigh,     // high-order DWORD of offset
        DWORD dwFileOffsetLow,      // low-order DWORD of offset
        SIZE_T dwNumberOfBytesToMap // number of bytes to map
    ); // returns a pointer to the beginning of the shared section memory

8. Using Shared Sections
- Ntdll.dll Native API
  - NtCreateSection(): creates a new section
  - NtOpenSection(): opens an existing section
  - NtMapViewOfSection(): maps a section into memory
  - NtUnmapViewOfSection(): unmaps a section from memory
  - NtQuerySection(): returns section size
  - NtExtendSection(): changes section size

9. Using Shared Sections
- Mapping unnamed Shared Sections.
  - Need to know the shared section handle in the target process.
  - Need permissions on the target process.
  - OpenProcess(PROCESS_DUP_HANDLE, ...)
  - DuplicateHandle(...)
  - MapViewOfFile(...)

10. Using Shared Sections
- Demo
11. Tools
- Process Explorer
  - Shows information about processes (DLLs, handles, etc.).
- WinObj
  - Shows Object Manager Namespace information (object info, permissions, etc.).
- ListSS
  - Lists Shared Section names (local and TS sessions).
- DumpSS
  - Dumps Shared Section data.
- TestSS
  - Overwrites Shared Section data (to detect bugs).

12. Problems
- Input validation
- Weak permissions
- Synchronization

13. Problems
- Input validation
  - Applications don't perform data validation before using the data.
    - Applications trust data on shared sections.
  - When applications read modified data from shared sections:
    - They will crash.
    - They will perform unexpected actions.

14. Problems
- Weak permissions
  - Low privileged users can access (read/write/change permissions) shared sections of high privileged processes (services).
  - Terminal Services (maybe Citrix) users can access (read/write/change permissions) shared sections of locally logged on user processes, services and also of other user sessions.

15. Problems
- Synchronization
  - No built-in synchronization.
  - Synchronization must be done by the processes themselves in order not to corrupt data.
  - There isn't a mechanism to force processes to synchronize or to block shared section access.
  - Any process (with proper rights) can alter shared section data while another process is using it.

16. Problems
- Synchronization
  - Communication between Process A and B (diagram: Process A, Process B, Process C, Shared Section)
    1- Send me data.
    2- Write data.
    3- Data ready.
    4- Replace data (a third process, C, alters the shared section).
    5- Read data.
17. Searching for holes
- Look for shared sections using Process Explorer, WinObj or ListSS.
- Attach a process using the shared section to a debugger.
- Run TestSS on the shared section.
- Interact with the process in order to make it use (read/write) the shared section.
- Look at the debugger for crashes :).

18. Searching for holes
- Windows HTML Help
  - Demo.

19. Exploitation
- Elevating privileges.
  - Reading data.
  - Altering data.
  - Shared section exploits.
- Using shared sections in viruses/rootkits/etc.

20. Exploitation
- Reading data.
  - From high privileged processes (services).
  - From locally logged on user processes, services and other sessions on Terminal Services.
  - This leads to unauthorized access to data.

21. Exploitation
- Altering data.
  - In high privileged processes (services).
  - In locally logged on user processes, services and other sessions on Terminal Services.
  - This leads to arbitrary code execution, unauthorized access, process or kernel crashes (DoS).

22. Exploitation
- Shared section exploits.
  - When overwriting shared section data allows us to take control of code execution.
  - Some shared section start addresses are pretty static on the same OS and Service Pack.
  - Put shellcode in the shared section.
  - Build an exploit that jumps to the shellcode in the shared section at its static location.

23. Exploitation
- Shared section exploits.
  - MS05-012 - COM Structured Storage Vulnerability
    - Weak permissions on a shared section.
    - Structures saved in the shared section can be overwritten.
      - By overwriting these structures it is possible to execute arbitrary code.
    - POC Exploit Demo.

24. Exploitation
- Using shared sections in viruses/rootkits/etc.
  - Some shared sections are used by many processes (InternatSHData, used for Language Settings on W2k); other sections are used by all processes :).
  - Write code to the shared section and the code will be instantly mapped into the processes' memory and also into newly created processes.
    - Use SetThreadContext() or CreateRemoteThread() to start executing the code.
    - Similar to the WriteProcessMemory() - SetThreadContext() technique or DLL Injection.

25. Exploitation
- Using shared sections in viruses/rootkits/etc.
  - Some shared sections have execute access.
    - It would be possible to avoid WinXP SP2 NX and third party protections.

26. Microsoft vulnerabilities
- Vulnerabilities in the following Microsoft products have been reported and are being fixed:
  - Internet Explorer vulnerability.
  - Office vulnerabilities.
  - Windows 2k and Windows XP SP2 Kernel vulnerability.
  - IIS 5 vulnerability.
  - Windows COM vulnerability.

27. Other vendors vulnerabilities
- NOD32 antivirus vulnerability.
- Norton Antivirus (old versions) vulnerability.
- Veritas software vulnerabilities.
- Etc.

28. Solutions
- Set proper permissions
  - Grant only the current user (and the service account, if the application runs as a service) permissions on shared sections, unless another user should access them.
- Use some synchronization mechanism
  - Remember that when working with shared sections there isn't built-in synchronization.
- Validate the data before using it
  - Data in shared sections can be easily manipulated.
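The input validation and synchronization problems (slides 13, 15 and 16) and the "validate the data" solution above, as an added C example that is not from the deck or from Argeniss: a constructed message layout is read from a buffer standing in for the view returned by MapViewOfFile(). The unsafe reader checks the header in the section and then reads it again, so a hostile writer (simulated by `hostile_writer`, step 4 "Replace data" in the diagram) can change the length between check and use; the hardened reader copies the header out once, validates the private copy, and copies only what it validated. All names, sizes and the magic value are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed message layout (not a real Windows structure); `section`
 * stands in for the view pointer returned by MapViewOfFile(). */
#define SECTION_SIZE 256u
#define MAX_PAYLOAD   64u
#define MSG_MAGIC     0x53534D47u
struct ss_msg { uint32_t magic; uint32_t length; };  /* length = payload bytes */
typedef void (*writer_fn)(uint8_t *section);          /* simulates another process */

/* Vulnerable pattern: checks the header in place, then reads it again. A process
 * with a writable view can change `length` in between (step 4, "Replace data"). */
int read_message_unsafe(uint8_t *section, writer_fn other_process)
{
    const struct ss_msg *hdr = (const struct ss_msg *)section;
    if (hdr->magic != MSG_MAGIC || hdr->length > MAX_PAYLOAD) return -1;
    if (other_process) other_process(section);   /* the race window */
    return (int)hdr->length;   /* second fetch: the byte count it would copy */
}

/* Hardened pattern: copy the header out once, validate the private copy,
 * then copy only the validated amount. Returns payload length or -1. */
int read_message_safe(uint8_t *section, uint8_t out[MAX_PAYLOAD], writer_fn other_process)
{
    struct ss_msg hdr;
    memcpy(&hdr, section, sizeof hdr);                        /* single fetch */
    if (hdr.magic != MSG_MAGIC || hdr.length > MAX_PAYLOAD) return -1;
    if (other_process) other_process(section);   /* same window, now harmless */
    memcpy(out, section + sizeof hdr, hdr.length);            /* uses the copy */
    return (int)hdr.length;
}

/* Constructed writers: a well-behaved producer, and a hostile process that
 * rewrites `length` after the consumer has checked it. */
void write_message(uint8_t *section, uint32_t length)
{
    struct ss_msg hdr = { MSG_MAGIC, length };
    memcpy(section, &hdr, sizeof hdr);
    if (length <= MAX_PAYLOAD) memset(section + sizeof hdr, 0x41, length);
}
void hostile_writer(uint8_t *section)
{
    uint32_t huge = 0x10000u;
    memcpy(section + offsetof(struct ss_msg, length), &huge, sizeof huge);
}
/* Driver: runs one scenario through either reader and returns its result. */
int run_scenario(int hardened, uint32_t length, writer_fn other_process)
{
    _Alignas(uint32_t) uint8_t section[SECTION_SIZE];
    uint8_t out[MAX_PAYLOAD];
    write_message(section, length);
    return hardened ? read_message_safe(section, out, other_process)
                    : read_message_unsafe(section, other_process);
}
```

With the hostile writer active, the unsafe reader reports 65536 bytes to copy out of a 64-byte buffer while the hardened reader still returns the 16 bytes it validated; a header claiming 0x10000 bytes up front is rejected by both.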
29. Conclusions
- Windows and 3rd party applications have a bunch of Shared Section related holes.
- This kind of hole will lead to a new kind of attack, "SSAtacks" (Shared Section Attacks) ;)
- Microsoft forgot to include a Shared Sections audit in the trustworthy computing initiative :).
- Windows guts seem rotten :).

30. References
- MSDN
- Programming Applications for MS Windows - Fourth Edition
- Process Explorer (www.sysinternals.com)
- WinObj (www.sysinternals.com)
- Rattle - Using Process Infection to Bypass Windows Software Firewalls (PHRACK #62)
- Crazylord - Playing with Windows /dev/(k)mem (PHRACK #59)
- http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx

31. FIN
- Questions?
- Thanks.
- Contact: cesar>at<argeniss>dot<com
- Argeniss – Information Security
  - Get vulnerability information before anyone!
  - http://www.argeniss.com/services.html