SlideShare a Scribd company logo

Let your Mach-O fly, Black Hat DC 2009

V
Vincenzo Iozzo

The document discusses an in-memory injection technique for Mac OS X that allows injecting arbitrary binaries into a victim's machine without leaving traces on the hard disk or creating new processes. The technique works by crafting a Mach-O binary with a shellcode that impersonates the kernel and loads the binary, libraries, and dynamic linker into memory to execute code. It also details methods for gathering symbols from libraries to defeat address space layout randomization.

Technology
1 of 8
Download to read offline
Let your Mach-O fly Vincenzo Iozzo vincenzo.iozzo@zynamics.com January 15, 2009 Abstract Mac OS X is starting to spread among users, so new exploitation techniques have to be discovered. Even if a lot of interesting ways of exploitation on OSX were presented in the past, the lack of anti-forensics techniques is clear. The talk is focused on an in-memory injection technique. Specifically, how it is possible to inject into a victim’s machine any kind of binaries ranging from your own piece of code to real applications like Safari. This is accomplished without leaving traces on the hard disk and without creating a new process, since the whole exploitation is performed in memory. If an attacker is able to execute code in the target machine, it is possible to run this attack instead of a classic shellcode and to use it as a trampoline for higher-lever payloads. Other similar payloads like meterpreter or meterpretux[11] exist but none of them is able to run on Mac OS X. Besides, many of these techniques require to run specific crafted binaries, that way precompiled applications are left out from the possible range of payloads. 1 Introduction Mac OS X is constantly attracting new users. Given that fact, in the last few years researchers focused more and more on this topic highlighting a number of security concerns, mainly caused by the lack of modern security counter mea- sures. Nonetheless there is a lack of advanced techniques and tools that are already present and used on other OSes instead. In this paper a technique, rele- vant both for anti-forensics and for penetration testing, is explained. Specifically the proposed technique will address two issues: • Definitive anti-forensics[1] which targets the acquisition phase of a forensics investigation, ruining the evidence or making it impossible to acquire. • Two-stage shellcode injection which allows an attacker to inject a high level payload in the target system. 1
Figure 1: The format of a Mach-O file. (Copyright Apple Inc.) The remainder of this paper is organized as follows. Section 1.1 provides an explanation of the Mach-O file format. Section 1.2 details how OSX kernel executes binaries. Section 2 describes the proposed technique. Section 3 supplies a description of a technique used to gather non-exported symbols from a binary, defeating libraries address space layout randomization. Section 4 briefly draws conclusions and outlines future research perspectives. 1.1 Mach-O file format specification The Mach-O file format is the standard used by Mac OS X ABI[2] to store binaries on the disk. A Mach-O is divided into three major parts, as shown in Figure 1: • Header structure which contains information on the target architecture and specified options needed to interpreter the rest of the file. • Load commands which specify among other information the layout of the file in the virtual memory, the location of the symbol table, and the registers state of the main thread at the beginning of the execution. • Segments which may contain from zero to two hundred fifty-five sec- tions. Each segment defines a region of the virtual memory and its sec- tions represent code or data needed to execute the binary. Each segment contains information on the address range used in the virtual memory and protection attributes for the memory region. All segments must be aligned on virtual memory page size. Some important segments are: 2
Mach-o Stack Pointer Address Argc Argv[] 0 Envp[] 0 exec_path ptr 0 exec_path Argv[] strings Envp[] strings Figure 2: The stack of the binary before calling the dynamic linker. • PAGEZERO which is stored at virtual memory location 0. This seg- ment has no protection flags assigned, therefore accessing this region will result in a memory violation. • TEXT which holds the binary code and read-only data. This segment contains only readable and executable bytes, for this reason the writing protection flag is not present. The first page of this segment also contains the header of the binary. • DATA which contains the binary data. This segment has both reading and writing protection flags set. • LINKEDIT which stores information such as the symbol table, string table, etc etc. for the linker. This segment has both reading and writing protection flags set. Sections inherit protection flags from segments. They are used for defining the content of specific regions within segments virtual memory. 1.2 OSX binaries execution The execution of a binary on Mac OS X is conducted by two entities : the kernel and the dynamic linker[3]. The first part of the execution process is conducted by the kernel, whereas the second by the dynamic linker. When a process is launched the kernel maps the dynamic linker at a fixed address onto the process address space. After that it parses the header structure and all segments of the binary and loads them in the correct virtual memory regions. Before calling the dynamic linker a new stack is created. The stack layout is as it is shown in Figure 2. It should be noticed that the address of the binary is pushed into the stack in order to let the dynamic linker 3
MachoFly loader (1) Exploit code + MachoFly payload ready (2)MachoFly auto-loader + arbitrary Mach-o (3) arbitrary Mach-o response/output Attacker Victim Figure 3: The attack flow graph handle it. During the second phase the dynamic linker parses the binary and resolves symbols, library dependencies and so forth, before jumping to the binary entry point. It must be noticed that all the libraries are recursively loaded by the dynamic linker itself, so the kernel does not play a role in this phase. 2 Proposed technique In the past Ripe and Pluf[4] proposed an attack that is able to use userland- exec[5] on a victim’s machine. Their attack encapsulated a shellcode and a crafted stack into the binary file that it is afterwards sent to the victim. Upon receiving the crafted binary the shellcode is executed and an userland-exec at- tack is performed. Despite its usefulness the attack suffers some problems: • It only works with ELF files on Linux. • It doesn’t work if ASLR is enabled. • Only static binaries can be injected. Although our technique uses a similar method to craft the binary and it is basically an userland-exec attack, it should be considered new because both the target files and the payload construction differ hugely. Figure 3 illustrates the basic flow graph of our attack. In this section we detail how we craft the binary to execute on the victim’s machine and how our shellcode works. 2.1 Crafted binary Nemo[6] and Roy g biv[7] separately explain a technique for inserting ma- licious code in the PAGEZERO segment. This infection attack changes PAGEZERO protection flags and stores some code at the end of the Mach-o file, mapping it at a non-allocated arbitrary address in the virtual memory. We employ this technique to store malicious code inside the injected binary. First we create a crafted stack identical to the one shown in Figure 2. Next we append the stack and our shellcode at the end of the file by using the PAGEZERO infection technique. Finally, we overwrite the first byte of the 4
MODIFIED HEADER INFECTED __PAGEZERO load commands and segments sections and binary data SHELLCODE CRAFTED STACK Figure 4: Injected binary layout. header structure, which usually contains the magic number, with the address of the shellcode. The resulting Mach-O layout is shown in Figure 4. 2.2 Shellcode specification The role of our shellcode is to impersonate the kernel and conduct its tasks. The code parses load commands, when a segment is encountered the virtual memory used by the segment is firstly unmapped to wipe the old data contained in it, then it is mapped again with the correct protection flags, lastly the segment is copied into the right position. A special role plays the PAGEZERO segment, in fact it contains the crafted stack for the binary. When the shellcode encounters this segment it unmaps the old data and copies the new stack into it. Finally the esp pointer is stored in order to be used when the dynamic linker is called. Other load commands are ignored as they are handled by the dynamic linker. When the shellcode is executed in the address space of the process both the libraries allocated by the attacked process and the dynamic linker are present. The latter maintains a list of all allocated libraries; since all binaries rely on libSystem, our injected binary will use the one already allocated. In order to work correctly, libSystem, when allocated, uses some variables to initialize heaps and parse environ and argument variables. If a new process is launched and those variables are set a crash will occur while allocating memory or parsing arguments. For this reason we need to wipe these control variables in our shellcode, before calling the dynamic linker. 5
The last part of the shellcode is in charge of cleaning registers, adjusting the stack pointer so that the address of the binary is the first word on the stack and calling the dynamic linker entry point, which is always at a fixed address. 3 Defeat libraries address space layout random- ization As said in the previous section, one of the tasks of our shellcode is to wipe some non-exported variables used by libSystem. Since they are not exported we cannot easily retrieve addresses for the aforementioned variables by simply us- ing dlopen()/dlsym() calls combination; neither it is possible to calculate their address a priori. In fact since Leopard release Apple has introduced ASLR for libraries. When either the system or a library is updated update dyld shared cache(1) per- forms the randomization[8]. In this section a method for circumventing this problem is detailed. Firstly we retrieve the addresses of some exported functions of the default dynamic linker, dyld. Then we search for libSystem base address and for the base address of the DATA segment. Finally, we open libSystem, which is present on the disk, searching for the symbols we need and we adjust them with the DATA segment base address. Symbol names are hashed using Dan Bernstein algorithm in order to reduce memory occupation. In section 3.1 we provide an explanation on how to gather symbols from the dynamic linker. In section 3.2 we describe how to find non-exported symbols contained in a library mapped in the process address space. 3.1 Gathering dyld functions addresses In order to obtain the randomized base address of a library there are two pos- sibilities: • Parse the file dyld shared cache i386.map and search for library entry. • Use some functions exported by the default dynamic linker, performing the whole task in-memory. We have chosen the second approach as it is cleaner and less error-prone than the first one. Employed functions are: • dyld image count() used to retrieve the number of linked libraries of a process. • dyld get image header() used to retrieve the base address of each li- brary. • dyld get image name() used to retrieve the name of a given library. 6
The symbol table and the string table in Mach-O files are stored in the LINKEDIT segment. To gather addresses of these functions we parse the binary searching for the symbol table and retrieve the addresses of the symbols. 3.2 Retrieve non-exported symbols Having obtained dyld’s functions addresses we can retrieve the base address of libSystem. When a binary is executed non-exported symbols are removed from the symbol table making it impossible to compute their addresses on the fly. For that reason we divided this process into two tasks: • We calculate the base address of the DATA segment where symbols are placed, parsing the header of the libSystem present in the process address space. • We open libSystem binary and parse the symbol tables to retrieve ad- dresses we are interested in. Lastly, we need to relocate symbols by using the calculated address of the DATA segment. For Mac OS X Leopard we need to search for the following symbols: • malloc def zone state • NXArgv pointer • malloc num zones • keymgr global 4 Conclusion In this paper we have shown that it is possible to inject a binary of any sort in a victim’s machine without either leaving traces on the hard disk or calling execve(2). We think this technique is very effective and should be stopped by employing common memory protection counter-measures. Nonetheless it is still possible to detect this kind of attack by using an anomaly based IDS system[9]. Though this attack we have been able to inject a wide range of binaries from simple command line utilities like ls to complex applications like Safari. We have also demonstrated that ASLR adopted only for libraries does not block a common set of attacks. Further developments of this work may include employing encryption to avoid NIDS detection, using cavity infector[10] to store shellcode in the injected binary and porting this technique to iPhones to evade code signing protection. Acknowledgments The author would like to thank, for a number of ideas and discussions Stefano Zanero, Dino Dai Zovi, Charles Miller and Halvar Flake. 7
References [1] Mark Pollitt: Computer Forensics: an approach to evidence in cyberspace. [2] Apple Inc.: Mac OS X ABI Mach-O File Format Reference. [3] Apple Inc.: Introduction to Mach-O Programming Topics. [4] Pluf, Ripe: Advanced Antiforensics SELF. [5] The Grugq: The Design and Implementation of ul exec. [6] Nemo: Infecting the Mach-o Object Format. [7] Roy g biv: Infecting Mach-O Files. [8] Dino Dai Zovi: Mac OS Xploitation. [9] S. Zanero, F. Maggi, V. Iozzo: Seeing the invisible: Forensic uses of Anomaly Detection and Machine Learning. [10] Vincenzo Iozzo: Mach-O reversing and abusing, DeepSec 2008. [11] Samuel Dralet, Julien Tinnes Meterpretux project 8

Recommended

Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Vincenzo Iozzo
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 
www.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registrywww.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows RegistryChandra Pr. Singh
 
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityHigh-Tech Bridge SA (HTBridge)
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
Summarized of UNIX Time Sharing System
Summarized of UNIX Time Sharing SystemSummarized of UNIX Time Sharing System
Summarized of UNIX Time Sharing SystemShuya Osaki
 
tybsc it sem 5 Linux administration notes of unit 1,2,3,4,5,6 version 3
tybsc it sem 5 Linux administration notes of unit 1,2,3,4,5,6 version 3tybsc it sem 5 Linux administration notes of unit 1,2,3,4,5,6 version 3
tybsc it sem 5 Linux administration notes of unit 1,2,3,4,5,6 version 3WE-IT TUTORIALS
 
Tips of Malloc & Free
Tips of Malloc & FreeTips of Malloc & Free
Tips of Malloc & FreeTetsuyuki Kobayashi
 

Recommended

Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Vincenzo Iozzo
 
Got database access? Own the network!
Got database access? Own the network!Got database access? Own the network!
Got database access? Own the network!Bernardo Damele A. G.
 
www.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registrywww.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows RegistryChandra Pr. Singh
 
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityHigh-Tech Bridge SA (HTBridge)
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
Summarized of UNIX Time Sharing System
Summarized of UNIX Time Sharing SystemSummarized of UNIX Time Sharing System
Summarized of UNIX Time Sharing SystemShuya Osaki
 
tybsc it sem 5 Linux administration notes of unit 1,2,3,4,5,6 version 3
tybsc it sem 5 Linux administration notes of unit 1,2,3,4,5,6 version 3tybsc it sem 5 Linux administration notes of unit 1,2,3,4,5,6 version 3
tybsc it sem 5 Linux administration notes of unit 1,2,3,4,5,6 version 3WE-IT TUTORIALS
 
Tips of Malloc & Free
Tips of Malloc & FreeTips of Malloc & Free
Tips of Malloc & FreeTetsuyuki Kobayashi
 
Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubDevang Garach
 
Operating System lab
Operating System labOperating System lab
Operating System labSeyed Ehsan Beheshtian
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
C programming session 14
C programming session 14C programming session 14
C programming session 14Vivek Singh
 
IPC mechanisms in windows
IPC mechanisms in windowsIPC mechanisms in windows
IPC mechanisms in windowsVinoth Raj
 
Assembly
AssemblyAssembly
Assemblymanidangi
 
Linux
LinuxLinux
Linuxkeydak11
 
Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperVincenzo Iozzo
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paperVincenzo Iozzo
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paperVincenzo Iozzo
 
A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threatsVincenzo Iozzo
 
Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new blackVincenzo Iozzo
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyVincenzo Iozzo
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzingVincenzo Iozzo
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Buffer overflow attack
Buffer overflow attackBuffer overflow attack
Buffer overflow attackPrithiviraj Prithiviraj
 
Binary translation
Binary translationBinary translation
Binary translationGFI Software
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksSandun Perera
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...Toradex
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmJameel Nabbo
 

More Related Content

What's hot

Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubDevang Garach
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitDharmalingam Ganesan
 
C programming session 14
C programming session 14C programming session 14
C programming session 14Vivek Singh
 
IPC mechanisms in windows
IPC mechanisms in windowsIPC mechanisms in windows
IPC mechanisms in windowsVinoth Raj
 

What's hot (7)

Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and Github
 
Operating System lab
Operating System labOperating System lab
Operating System lab
 
Remote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profitRemote file path traversal attacks for fun and profit
Remote file path traversal attacks for fun and profit
 
C programming session 14
C programming session 14C programming session 14
C programming session 14
 
IPC mechanisms in windows
IPC mechanisms in windowsIPC mechanisms in windows
IPC mechanisms in windows
 
Assembly
AssemblyAssembly
Assembly
 
Linux
LinuxLinux
Linux
 

Viewers also liked

Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperVincenzo Iozzo
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paperVincenzo Iozzo
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paperVincenzo Iozzo
 
A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threatsVincenzo Iozzo
 
Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new blackVincenzo Iozzo
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyVincenzo Iozzo
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 

Viewers also liked (8)

Everybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paperEverybody be cool, this is a ROPpery - White paper
Everybody be cool, this is a ROPpery - White paper
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paper
 
Stale pointers are the new black - white paper
Stale pointers are the new black - white paperStale pointers are the new black - white paper
Stale pointers are the new black - white paper
 
A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threats
 
Stale pointers are the new black
Stale pointers are the new blackStale pointers are the new black
Stale pointers are the new black
 
Everybody be cool, this is a ROPpery
Everybody be cool, this is a ROPperyEverybody be cool, this is a ROPpery
Everybody be cool, this is a ROPpery
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
 

Similar to Let your Mach-O fly, Black Hat DC 2009

Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Binary translation
Binary translationBinary translation
Binary translationGFI Software
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksSandun Perera
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...Toradex
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmJameel Nabbo
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitationDharmalingam Ganesan
 
Intel Briefing Notes
Intel Briefing NotesIntel Briefing Notes
Intel Briefing NotesGraham Lee
 
Please do ECE572 requirementECECS 472572 Final Exam Project (W.docx
Please do ECE572 requirementECECS 472572 Final Exam Project (W.docxPlease do ECE572 requirementECECS 472572 Final Exam Project (W.docx
Please do ECE572 requirementECECS 472572 Final Exam Project (W.docxARIV4
 
Bypassing anti virus scanners
Bypassing anti virus scannersBypassing anti virus scanners
Bypassing anti virus scannersmartacax
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
ECECS 472572 Final Exam ProjectRemember to check the errat.docx
ECECS 472572 Final Exam ProjectRemember to check the errat.docxECECS 472572 Final Exam ProjectRemember to check the errat.docx
ECECS 472572 Final Exam ProjectRemember to check the errat.docxtidwellveronique
 
ECECS 472572 Final Exam ProjectRemember to check the err.docx
ECECS 472572 Final Exam ProjectRemember to check the err.docxECECS 472572 Final Exam ProjectRemember to check the err.docx
ECECS 472572 Final Exam ProjectRemember to check the err.docxtidwellveronique
 
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)Alexandre Borges
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorialhughpearse
 
ECECS 472572 Final Exam ProjectRemember to check the errata
ECECS 472572 Final Exam ProjectRemember to check the errata ECECS 472572 Final Exam ProjectRemember to check the errata
ECECS 472572 Final Exam ProjectRemember to check the errata EvonCanales257
 

Similar to Let your Mach-O fly, Black Hat DC 2009 (20)

Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Buffer overflow attack
Buffer overflow attackBuffer overflow attack
Buffer overflow attack
 
Binary translation
Binary translationBinary translation
Binary translation
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
First Steps Developing Embedded Applications using Heterogeneous Multi-core P...
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholm
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Project Jugaad
Project JugaadProject Jugaad
Project Jugaad
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitation
 
Intel Briefing Notes
Intel Briefing NotesIntel Briefing Notes
Intel Briefing Notes
 
Please do ECE572 requirementECECS 472572 Final Exam Project (W.docx
Please do ECE572 requirementECECS 472572 Final Exam Project (W.docxPlease do ECE572 requirementECECS 472572 Final Exam Project (W.docx
Please do ECE572 requirementECECS 472572 Final Exam Project (W.docx
 
Bypassing anti virus scanners
Bypassing anti virus scannersBypassing anti virus scanners
Bypassing anti virus scanners
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
ECECS 472572 Final Exam ProjectRemember to check the errat.docx
ECECS 472572 Final Exam ProjectRemember to check the errat.docxECECS 472572 Final Exam ProjectRemember to check the errat.docx
ECECS 472572 Final Exam ProjectRemember to check the errat.docx
 
ECECS 472572 Final Exam ProjectRemember to check the err.docx
ECECS 472572 Final Exam ProjectRemember to check the err.docxECECS 472572 Final Exam ProjectRemember to check the err.docx
ECECS 472572 Final Exam ProjectRemember to check the err.docx
 
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
 
Cao 2012
Cao 2012Cao 2012
Cao 2012
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorial
 
ECECS 472572 Final Exam ProjectRemember to check the errata
ECECS 472572 Final Exam ProjectRemember to check the errata ECECS 472572 Final Exam ProjectRemember to check the errata
ECECS 472572 Final Exam ProjectRemember to check the errata
 

Recently uploaded

The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...Product School
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform EngineeringJemma Hussein Allen
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Thierry Lestable
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 

Recently uploaded (20)

The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 

Let your Mach-O fly, Black Hat DC 2009

  • 1. Let your Mach-O fly Vincenzo Iozzo vincenzo.iozzo@zynamics.com January 15, 2009 Abstract Mac OS X is starting to spread among users, so new exploitation techniques have to be discovered. Even if a lot of interesting ways of exploitation on OSX were presented in the past, the lack of anti-forensics techniques is clear. The talk is focused on an in-memory injection technique. Specifically, how it is possible to inject into a victim’s machine any kind of binaries ranging from your own piece of code to real applications like Safari. This is accomplished without leaving traces on the hard disk and without creating a new process, since the whole exploitation is performed in memory. If an attacker is able to execute code in the target machine, it is possible to run this attack instead of a classic shellcode and to use it as a trampoline for higher-lever payloads. Other similar payloads like meterpreter or meterpretux[11] exist but none of them is able to run on Mac OS X. Besides, many of these techniques require to run specific crafted binaries, that way precompiled applications are left out from the possible range of payloads. 1 Introduction Mac OS X is constantly attracting new users. Given that fact, in the last few years researchers focused more and more on this topic highlighting a number of security concerns, mainly caused by the lack of modern security counter mea- sures. Nonetheless there is a lack of advanced techniques and tools that are already present and used on other OSes instead. In this paper a technique, rele- vant both for anti-forensics and for penetration testing, is explained. Specifically the proposed technique will address two issues: • Definitive anti-forensics[1] which targets the acquisition phase of a forensics investigation, ruining the evidence or making it impossible to acquire. • Two-stage shellcode injection which allows an attacker to inject a high level payload in the target system. 1
  • 2. Figure 1: The format of a Mach-O file. (Copyright Apple Inc.) The remainder of this paper is organized as follows. Section 1.1 provides an explanation of the Mach-O file format. Section 1.2 details how OSX kernel executes binaries. Section 2 describes the proposed technique. Section 3 supplies a description of a technique used to gather non-exported symbols from a binary, defeating libraries address space layout randomization. Section 4 briefly draws conclusions and outlines future research perspectives. 1.1 Mach-O file format specification The Mach-O file format is the standard used by Mac OS X ABI[2] to store binaries on the disk. A Mach-O is divided into three major parts, as shown in Figure 1: • Header structure which contains information on the target architecture and specified options needed to interpreter the rest of the file. • Load commands which specify among other information the layout of the file in the virtual memory, the location of the symbol table, and the registers state of the main thread at the beginning of the execution. • Segments which may contain from zero to two hundred fifty-five sec- tions. Each segment defines a region of the virtual memory and its sec- tions represent code or data needed to execute the binary. Each segment contains information on the address range used in the virtual memory and protection attributes for the memory region. All segments must be aligned on virtual memory page size. Some important segments are: 2
  • 3. Mach-o Stack Pointer Address Argc Argv[] 0 Envp[] 0 exec_path ptr 0 exec_path Argv[] strings Envp[] strings Figure 2: The stack of the binary before calling the dynamic linker. • PAGEZERO which is stored at virtual memory location 0. This seg- ment has no protection flags assigned, therefore accessing this region will result in a memory violation. • TEXT which holds the binary code and read-only data. This segment contains only readable and executable bytes, for this reason the writing protection flag is not present. The first page of this segment also contains the header of the binary. • DATA which contains the binary data. This segment has both reading and writing protection flags set. • LINKEDIT which stores information such as the symbol table, string table, etc etc. for the linker. This segment has both reading and writing protection flags set. Sections inherit protection flags from segments. They are used for defining the content of specific regions within segments virtual memory. 1.2 OSX binaries execution The execution of a binary on Mac OS X is conducted by two entities : the kernel and the dynamic linker[3]. The first part of the execution process is conducted by the kernel, whereas the second by the dynamic linker. When a process is launched the kernel maps the dynamic linker at a fixed address onto the process address space. After that it parses the header structure and all segments of the binary and loads them in the correct virtual memory regions. Before calling the dynamic linker a new stack is created. The stack layout is as it is shown in Figure 2. It should be noticed that the address of the binary is pushed into the stack in order to let the dynamic linker 3
  • 4. MachoFly loader (1) Exploit code + MachoFly payload ready (2)MachoFly auto-loader + arbitrary Mach-o (3) arbitrary Mach-o response/output Attacker Victim Figure 3: The attack flow graph handle it. During the second phase the dynamic linker parses the binary and resolves symbols, library dependencies and so forth, before jumping to the binary entry point. It must be noticed that all the libraries are recursively loaded by the dynamic linker itself, so the kernel does not play a role in this phase. 2 Proposed technique In the past Ripe and Pluf[4] proposed an attack that is able to use userland- exec[5] on a victim’s machine. Their attack encapsulated a shellcode and a crafted stack into the binary file that it is afterwards sent to the victim. Upon receiving the crafted binary the shellcode is executed and an userland-exec at- tack is performed. Despite its usefulness the attack suffers some problems: • It only works with ELF files on Linux. • It doesn’t work if ASLR is enabled. • Only static binaries can be injected. Although our technique uses a similar method to craft the binary and it is basically an userland-exec attack, it should be considered new because both the target files and the payload construction differ hugely. Figure 3 illustrates the basic flow graph of our attack. In this section we detail how we craft the binary to execute on the victim’s machine and how our shellcode works. 2.1 Crafted binary Nemo[6] and Roy g biv[7] separately explain a technique for inserting ma- licious code in the PAGEZERO segment. This infection attack changes PAGEZERO protection flags and stores some code at the end of the Mach-o file, mapping it at a non-allocated arbitrary address in the virtual memory. We employ this technique to store malicious code inside the injected binary. First we create a crafted stack identical to the one shown in Figure 2. Next we append the stack and our shellcode at the end of the file by using the PAGEZERO infection technique. Finally, we overwrite the first byte of the 4
  • 5. MODIFIED HEADER INFECTED __PAGEZERO load commands and segments sections and binary data SHELLCODE CRAFTED STACK Figure 4: Injected binary layout. header structure, which usually contains the magic number, with the address of the shellcode. The resulting Mach-O layout is shown in Figure 4. 2.2 Shellcode specification The role of our shellcode is to impersonate the kernel and conduct its tasks. The code parses load commands, when a segment is encountered the virtual memory used by the segment is firstly unmapped to wipe the old data contained in it, then it is mapped again with the correct protection flags, lastly the segment is copied into the right position. A special role plays the PAGEZERO segment, in fact it contains the crafted stack for the binary. When the shellcode encounters this segment it unmaps the old data and copies the new stack into it. Finally the esp pointer is stored in order to be used when the dynamic linker is called. Other load commands are ignored as they are handled by the dynamic linker. When the shellcode is executed in the address space of the process both the libraries allocated by the attacked process and the dynamic linker are present. The latter maintains a list of all allocated libraries; since all binaries rely on libSystem, our injected binary will use the one already allocated. In order to work correctly, libSystem, when allocated, uses some variables to initialize heaps and parse environ and argument variables. If a new process is launched and those variables are set a crash will occur while allocating memory or parsing arguments. For this reason we need to wipe these control variables in our shellcode, before calling the dynamic linker. 5
  • 6. The last part of the shellcode is in charge of cleaning registers, adjusting the stack pointer so that the address of the binary is the first word on the stack and calling the dynamic linker entry point, which is always at a fixed address. 3 Defeat libraries address space layout random- ization As said in the previous section, one of the tasks of our shellcode is to wipe some non-exported variables used by libSystem. Since they are not exported we cannot easily retrieve addresses for the aforementioned variables by simply us- ing dlopen()/dlsym() calls combination; neither it is possible to calculate their address a priori. In fact since Leopard release Apple has introduced ASLR for libraries. When either the system or a library is updated update dyld shared cache(1) per- forms the randomization[8]. In this section a method for circumventing this problem is detailed. Firstly we retrieve the addresses of some exported functions of the default dynamic linker, dyld. Then we search for libSystem base address and for the base address of the DATA segment. Finally, we open libSystem, which is present on the disk, searching for the symbols we need and we adjust them with the DATA segment base address. Symbol names are hashed using Dan Bernstein algorithm in order to reduce memory occupation. In section 3.1 we provide an explanation on how to gather symbols from the dynamic linker. In section 3.2 we describe how to find non-exported symbols contained in a library mapped in the process address space. 3.1 Gathering dyld functions addresses In order to obtain the randomized base address of a library there are two pos- sibilities: • Parse the file dyld shared cache i386.map and search for library entry. • Use some functions exported by the default dynamic linker, performing the whole task in-memory. We have chosen the second approach as it is cleaner and less error-prone than the first one. Employed functions are: • dyld image count() used to retrieve the number of linked libraries of a process. • dyld get image header() used to retrieve the base address of each li- brary. • dyld get image name() used to retrieve the name of a given library. 6
  • 7. The symbol table and the string table in Mach-O files are stored in the LINKEDIT segment. To gather addresses of these functions we parse the binary searching for the symbol table and retrieve the addresses of the symbols. 3.2 Retrieve non-exported symbols Having obtained dyld’s functions addresses we can retrieve the base address of libSystem. When a binary is executed non-exported symbols are removed from the symbol table making it impossible to compute their addresses on the fly. For that reason we divided this process into two tasks: • We calculate the base address of the DATA segment where symbols are placed, parsing the header of the libSystem present in the process address space. • We open libSystem binary and parse the symbol tables to retrieve ad- dresses we are interested in. Lastly, we need to relocate symbols by using the calculated address of the DATA segment. For Mac OS X Leopard we need to search for the following symbols: • malloc def zone state • NXArgv pointer • malloc num zones • keymgr global 4 Conclusion In this paper we have shown that it is possible to inject a binary of any sort in a victim’s machine without either leaving traces on the hard disk or calling execve(2). We think this technique is very effective and should be stopped by employing common memory protection counter-measures. Nonetheless it is still possible to detect this kind of attack by using an anomaly based IDS system[9]. Though this attack we have been able to inject a wide range of binaries from simple command line utilities like ls to complex applications like Safari. We have also demonstrated that ASLR adopted only for libraries does not block a common set of attacks. Further developments of this work may include employing encryption to avoid NIDS detection, using cavity infector[10] to store shellcode in the injected binary and porting this technique to iPhones to evade code signing protection. Acknowledgments The author would like to thank, for a number of ideas and discussions Stefano Zanero, Dino Dai Zovi, Charles Miller and Halvar Flake. 7
  • 8. References [1] Mark Pollitt: Computer Forensics: an approach to evidence in cyberspace. [2] Apple Inc.: Mac OS X ABI Mach-O File Format Reference. [3] Apple Inc.: Introduction to Mach-O Programming Topics. [4] Pluf, Ripe: Advanced Antiforensics SELF. [5] The Grugq: The Design and Implementation of ul exec. [6] Nemo: Infecting the Mach-o Object Format. [7] Roy g biv: Infecting Mach-O Files. [8] Dino Dai Zovi: Mac OS Xploitation. [9] S. Zanero, F. Maggi, V. Iozzo: Seeing the invisible: Forensic uses of Anomaly Detection and Machine Learning. [10] Vincenzo Iozzo: Mach-O reversing and abusing, DeepSec 2008. [11] Samuel Dralet, Julien Tinnes Meterpretux project 8