How to-catch-a-chameleon-steven seeley-ruxcon-2012

How to catch a
chameleon
Steven Seeley
steven@immunityinc.com
@net__ninja
Steven Seeley – Ruxcon 2012

C:> whoami /all?
●
mr_me
●
Security Researcher @ Immunity Inc
●
A member of Corelan Security Team
●
ruby python developer
●
reverse engineering
●
exploit developer


Disclaimer(s)

No zerodays were hurt during the
making of this presentation

Sorry but some windows heap
knowledge is assumed


Agenda
●
What is 'heaper' ?
●
Development motivators
●
Meta data attack techniques
●
Functional design
●
Installation
●
Using heaper
●
Demo analysing a heap overflow
●
Limitations
●
Future work
●
Conclusion

But first.
An entomologist's lesson.


Definition of a chameleon?

Chameleon (n)
A small slow-moving Old World lizard
with a prehensile tail, long extensible
tongue, protruding eyes that rotate
independently, and a highly developed
ability to change color


A chameleon's diet


Similarities

Chameleon Heap manager analysis
Slow moving Slow evolution of security in heap managers*

Protruding, rotating eyes Symptoms of long debugging sessions

Ability to change color Ability to change its state rapidly
rapidly
Kills and eats bugs Difficultly leads to disclosure, in hope of
other researchers demonstrating exploitation

* Some, such as implementations on mobile platforms, example: WebKit


What is heaper?
●
A multi platform win32 heap analysis tool
●
A plug-in for Immunity Debugger
●
Developed in python using immlib/heaplib
●
An offensive focused tool:
●
Visualize the heap layout
●
Determine exploitable conditions using meta-data
●
Find application specific heap primitives
●
Find application specific function pointers
●
Modify heap structures on the fly for simulation

Development motivators


Meta data attack techniques
Technique Platform Difficulty* Reliability* Supported
Coalesce unlink() NT 5.[0/1] 10% 100% Yes
VirtualAlloc block unlink() NT 5.[0/1] Unknown Unknown No
Lookaside head overwrite NT 5.2 50-60% Unknown Yes
Freelist insert/search/relink NT 5.2 Unknown Unknown Yes
Bitmap flip NT 5.2 50-60% Unknown Yes
Heap cache desycronisation NT 5.2 90% Unknown No
Critical section unlink() NT 5.2 50% 70% No
FreeEntryOverwrite NT 6.[0/1] 50% 60% Yes
Segment Offset NT 6.[0/1] 50% 80% Yes
Depth De-sync NT 6.[0/1] 50% 70% Yes
UserBlocks Overwrite NT 6.2 90% 40% No
Application data ANY Unknown Unknown Yes

difficulty/reliability* - estimated based specific testing, will vary largely depending on context

Functional design
●
Object oriented design
●
Easily extend-able
●
Chunk validation based
on allocator ordering &
categorization
●
General heuristics
check per allocator


Functional design

chunk validation:

Full unlink() macro validation!


Functional design

chunk validation:
●
Lets say we have chunk 0x0026fee8 in FreeList[0].
●
We know relative offsets:
●
0x0026fee8+0x0 is the size
●
0x0026fee8+0x2 is the previous chunks size
●
0x0026fee8+0x4 is the cookie
●
0x0026fee8+0x8 is the Flink/Blink
Therefore, we can validate the chunk based on its
positioning and by reading memory

Functional design
Chunk validation on ListHint[{0x7f,0x7ff}]
-> Windows 7 LFH (size is encoded)

-> Checks ListHint[0x7f] and ListHint[0x7ff]


Functional design

Chunk validation on ListHint[n]:
-> Windows 7 LFH (size is encoded)

-> Checks ListHint[n]


Functional design

Chunk validation on FreeList[0]:
-> Windows 2000/XP FreeList[0]


Functional design

Chunk validation on FreeList[0]:
-> Windows 2000/XP FreeList[0]

size, flink, blink pwned! Chunk overwrite!


Functional design

Chunk validation on FreeList[n]:
-> Windows 2000/XP FreeList[n]


Functional design

Chunk validation on FreeList[n]:
-> Windows 2000/XP FreeList[n]

size, flink, blink pwned! Chunk overwrite!


Functional design

Graphing:
We all know that little
green men in the debugger
can be hard to understand


Functional design

Graphing:

visualiz e the heap


Functional design

Easy to use:
●
Generates a specific menu basic on windows version in use – no
option to analyse the LFH if it doesn't exist
●
Generates graphs for each bin size separately, generally for
exploitation, we target a specific bin size
●
n-4 byte write simulation on function pointers with the ability to
restore the said function pointers
●
The ability to modify a single BIT in the FreeListInUse struct
●
'update' command for easily updating heaper.
●
'config' command to configure the output directory of logs and
graphs
●
Everything is logged in a new “heaper” window

Installation
●
Prerequisites:
●
Immunity Debugger v1.85 and above
●
Graphviz v2.28.0 and above -http://www.graphviz.org/
●
Pyparsing - http://sourceforge.net/projects/pyparsing/
●
PyDot - http://code.google.com/p/pydot/
1. Install Immunity Debugger :->
2. Add 'c:python27' to your path environment
3. Run the Graphviz MSI packaged installer
4. Navigate into your pydot and pyparsing directories and execute 'python
setup install'
4. Copy heaper to the 'C:Program FilesImmunity IncImmunity
DebuggerPyCommands' directory


Using heaper


Usage and help menu
Run '!heaper help <cmd>' to learn
about the cmd and its options


Analyzing windows structs
Display the PEB structure


Display the TEB's for the process (no
struct) – No TEB struct boo


Analyze a _heap struct


Analyzing the FreelistInUse bitmask


Analyzing the FreelistInUse bitmask

Bit flipping


Dumping function pointers
●
Finds function pointers despite if they are writable or not
●
Depreciated and will be removed in the next major release


Finding writable pointers


● Similar to the dump function pointers routine but
executes the action across the whole module
● This can be executed against all modules
● As the name states, only writable function pointers
to facilitate a write 4 condition
● Don't be fooled, it doesn't just dump the IAT
● It can find OS specific function pointers making
your exploit work despite the existence of
application specific function pointers.


Use any of these to transfer code execution


Analyzing the allocator state NT 5.x

Lookaside - chunk analysis



Lookaside - chunk analysis
● Easy to understand layout
● Displays the cookie, chunk size, flink
● Notification of an overwrite using the first
byte in the chunk header (size)
● If userdata == flink, possible exploitation



Lookaside with verbose mode (-v)



Lookaside with verbose mode (-v)
● Displays the _general_lookaside_list struct
● Displays the _slist_header struct
● Instantly determine if a list itself has been
overwritten
● Much like 'dt _general_lookaside_list
<addr>' in windbg



Lookaside - graphing



Lookaside - vuln analysis

●

●
Set a (Function pointer-0x8) to equal the new Lookaside chunk address



Lookaside - vuln analysis



FreeList - chunk analysis



FreeList with verbose mode (-v)



FreeList - graphing



FreeList - vuln analysis



LFH - UserBlocks analysis



LFH - UserBlocksCache analysis

0:004> dt _USER_MEMORY_CACHE_ENTRY
ntdll!_USER_MEMORY_CACHE_ENTRY
+0x000 UserBlocks : _SLIST_HEADER
+0x008 AvailableBlocks : Uint4B



LFH - buckets

0:004> dt _heap_bucket
ntdll!_HEAP_BUCKET
+0x000 BlockUnits : Uint2B
+0x002 SizeIndex : Uchar
+0x003 UseAffinity : Pos 0, 1 Bit
+0x003 DebugFlags : Pos 1, 2 Bits



LFH - graphing UserBlocks



LFH - vuln analysis



ListHint - analysis



FreeList - analysis



FreeList - graphing



FreeList/ListHint - vuln analysis


Hooking the heap manager



Hard hooking

●
HeapAlloc/HeapFree
●
Can be extended
for other heap functions
●
Discover primitives



Soft hooking

Use only for testing, not designed to be used with large applications


Patching

Patching - PEB
●
A binary may be compiled in debug mode
●
What if we are trying to execute a function pointer that assumes the
process is not being debugged ?


Updating

Update to the latest version with ease

The update function just generates a git hash and compares digests. There
is no version tracking yet.


Configuring

Configure the home directory on where to
store graphs and logs


Detecting exploitable conditions


●
Detecting exploitable conditions can be very
difficult and prone to many false positives.
●
If you overwrite a specific chunk, then just due
to the amount of data you overwrote with, it
may/may not be deemed exploitable
●
Therefore understanding the limitations of
each of the conditions is required for accurate
analysis.



LFH – FreeEntryOffset Overwrite



FreeList/ListHint – No technique suggestion*

● No techniques for exploitation against the FreeList/ListHint under windows
NT 6.x have been disclosed publicly so far.


Lookaside – chunk overwrite



FreeList[n] – Bitflip attack


Demo - MS12-037


Limitations
●
Does not analyze LFH on XP
●
Does not analyze LFH on Windows 8
●
Supports only a limited number of meta-data
attacks for now
●
Does not log analysis findings external to the
debugger
●
Needs a decent heap search function
●
Need to support other heap implementations


Future work
●
Support LFH analysis on Windows 8
●
Support other heap manager implementations
(jemalloc)
●
Support more meta-data attacks
●
Perform log analysis
●
Detect 'interesting' application data on the
heap
●
Add a decent search function
●
Improve the heuristics engine

Conclusion
●
Run-time analysis of the heap to detect meta-
data attack conditions is complex
●
Some form of solver maybe more applicable to
this type of analysis :->
●
Whilst heaper is not turing complete, it will
solve many corner cases.
●
Immunity will continue to be a leader in the
development and application of heap
exploitation techniques


Thanks!
You know who you are ;-)


Code design/improvements/patches/ideas
are very welcome :>

steventhomasseeley@gmail.com
For more information please execute:

$ git clone https://github.com/mrmee/heaper.git

$ wget -r http://net-ninja.net/


MIAMI

How to-catch-a-chameleon-steven seeley-ruxcon-2012

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to How to-catch-a-chameleon-steven seeley-ruxcon-2012

Similar to How to-catch-a-chameleon-steven seeley-ruxcon-2012 (20)

Recently uploaded

Recently uploaded (20)

How to-catch-a-chameleon-steven seeley-ruxcon-2012