Let Your Mach-O Fly, Black Hat DC 2009


Published on

Slides from Black Hat DC 2009 given by Vincenzo Iozzo

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • 15minuti
  • 30minuti
  • 45minuti
  • 60minuti
  • Let Your Mach-O Fly, Black Hat DC 2009

    1. 1. Letyour Mach-O fly<br />Vincenzo Iozzo<br />snagg@sikurezza.org<br />
    2. 2. Whoam I?<br />Student at Politecnico di Milano.<br />Security Consultant at Secure Network srl.<br />ReverseEngineer at ZynamicsGmbH.<br />2/18/09<br />2<br />
    3. 3. Goal of the talk<br />2/18/09<br />3<br />In-memory execution of arbitrary binaries on a Mac OS X machine.<br />
    4. 4. Talk outline<br />Mach-O file structure<br />XNU binary execution<br />Attack technique<br />Defeat ASLR on libraries to enhance the attack <br />2/18/09<br />4<br />
    5. 5. Talk outline<br />Mach-O file structure<br />XNU binary execution<br />Attack technique<br />Defeat ASLR on libraries to enhance the attack <br />2/18/09<br />5<br />
    6. 6. Mach-O file<br />Header structure: information on the target architecture and options to interpret the file.<br />Load commands: symbol table location, registers state.<br />Segments: define region of the virtual memory, contain sections with code or data.<br />2/18/09<br />6<br />
    7. 7. Segment and Sections<br />2/18/09<br />7<br />
    8. 8. Important segments<br />__PAGEZERO, if a piece of codeaccessesNULL it lands here. no protection flags.<br />__TEXT, holds code and read-only data. RX protection.<br />__DATA, holds data. RW protection. <br />__LINKEDIT, holds information for the dynamic linker including symbol and string tables. RW protection.<br />2/18/09<br />8<br />
    9. 9. Mach-O representation<br />2/18/09<br />9<br />
    10. 10. Talk outline<br />Mach-O file structure<br />XNU binary execution<br />Attack technique<br />Defeat ASLR on libraries to enhance the attack <br />2/18/09<br />10<br />
    11. 11. Binary execution<br />Conducted by the kernel and the dynamic linker.<br />The kernel, when finishes his part, jumps to the dynamic linker entry point.<br />The dynamic linker is not randomized.<br />2/18/09<br />11<br />
    12. 12. Execution steps<br />Kernel<br />Maps the dynamic linker in the process address space.<br />Parses the header structure and loads all segments.<br />Creates a new stack.<br />Dynamic linker<br />Retrieves base address of the binary.<br />Resolves symbols.<br />Resolves library dependencies.<br />Jumps to the binary entry point.<br />2/18/09<br />12<br />
    13. 13. Stack<br />Mach-O file base address.<br />Command line arguments.<br />Environment variables.<br />Execution path.<br />All padded.<br />2/18/09<br />13<br />
    14. 14. Stack representation<br />2/18/09<br />14<br />
    15. 15. Talk outline<br />Mach-O file structure<br />XNU binary execution<br />Attack technique<br />Defeat ASLR on libraries to enhance the attack <br />2/18/09<br />15<br />
    16. 16. Proposed attack<br />Userland-exec attack.<br />Encapsulate a shellcode, aka auto-loader, and a crafted stack in the injected binary.<br />Execute the auto-loader in the address space of the attacked process.<br />2/18/09<br />16<br />
    17. 17. WWW<br />Who: an attacker with a remote code execution in his pocket.<br />Where: the attack is two-staged. First run a shellcode to receive the binary, then run the auto-loader contained in the binary.<br />Why: later in this talk.<br />2/18/09<br />17<br />
    18. 18. What kind of binaries?<br />AnyMach-O file, fromlstoSafari<br />2/18/09<br />18<br />
    19. 19. A nice picture<br />2/18/09<br />19<br />
    20. 20. Infected binary<br />We need to find a place to store the auto-loader and the crafted stack. <br />__PAGEZERO infection technique.<br />Cavity infector technique.<br />2/18/09<br />20<br />
    21. 21. __PAGEZERO INFECTION<br />Change __PAGEZERO protection flags with a custom value.<br />Store the crafted stack and the auto-loader code at the end of the binary.<br />Point __PAGEZERO to the crafted stack.<br />Overwrite the first bytes of the file with the auto-loader address. <br />2/18/09<br />21<br />
    22. 22. Binary layout<br />2/18/09<br />22<br />
    23. 23. Auto-loader<br />Impersonates the kernel.<br />Un-maps the old binary.<br />Maps the new one. <br />2/18/09<br />23<br />
    24. 24. Auto-loader description <br />Parses the binary.<br />Reads the virtual addresses of the injected binary segments. <br />Unloads the attacked binary segments pointed by the virtual addresses.<br />Loads the injected binary segments. <br />2/18/09<br />24<br />
    25. 25. Auto-loader description(2)<br />Maps the crafted stackreferenced by __PAGEZERO.<br />Cleans registers.<br />Cleans some libSystem variables.<br />Jumps to dynamic linker entry point. <br />2/18/09<br />25<br />
    26. 26. We do like pictures, don’t we?<br />2/18/09<br />26<br />Victim’s process address space<br />TEXT<br />DATA<br />LINKEDIT<br />SEGMENT<br />-N<br />TEXT<br />DATA<br />LINKEDIT<br />SEGMENT-N<br />
    27. 27. libSystem variables <br />_malloc_def_zone_state<br />_NXArgv_pointer<br />_malloc_num_zones<br />__keymgr_global<br />2/18/09<br />27<br />
    28. 28. Why are those variables important?<br />They are used in the initialization of malloc. <br />Two of them are used for command line arguments parsing.<br />Not cleaning them will result in a crash.<br />2/18/09<br />28<br />
    29. 29. Hunts the variables<br />Mac OS X Leopard has ASLR for libraries.<br />Those variables are not exported.<br />Cannot use dlopen()/dlsym() combo. <br />2/18/09<br />29<br />
    30. 30. Talk outline<br />Mach-O file structure<br />XNU binary execution<br />Attack technique<br />Defeat ASLR on libraries to enhance the attack <br />2/18/09<br />30<br />
    31. 31. Defeat ASLR<br />Retrieve libSystem in-memory base address.<br />Read symbols from the libSystem binary.<br />Adjust symbols to the new address.<br />2/18/09<br />31<br />
    32. 32. How ASLR works in Leopard<br />Only libraries are randomized. <br />The randomization is performed whenever the system or the libraries are updated. <br />Library segments addresses are saved in dyld_shared_cache_arch.map. <br />2/18/09<br />32<br />
    33. 33. Retrieve libSystem address <br />Parse dyld_shared_cache_i386.map and search for libSystem entry. <br />Adopt functions exported by the dynamic linker and perform the whole task in-memory.<br />2/18/09<br />33<br />
    34. 34. Dyld functions<br />_dyld_image_count() used to retrieve the number of linked libraries of a process.<br />_dyld_get_image_header() used to retrieve the base address of each library.<br />_dyld_get_image_name() used to retrieve the name of a given library.<br />2/18/09<br />34<br />
    35. 35. Find ‘em<br />Parse dyld load commands.<br />Retrieve __LINKEDIT address.<br />Iterate dyld symbol table and search for the functions name in __LINKEDIT.<br />2/18/09<br />35<br />
    36. 36. Back to libSystem<br />Non-exported symbols are taken out from the symbol table when loaded.<br />Open libSystem binary, find the variables in the symbol table.<br />Adjust variables to the base address of the in-memory __DATA segment. <br />2/18/09<br />36<br />
    37. 37. Put pieces together<br />Iterate the header structure of libSystem in-memory and find the __DATA base address.<br />__DATA base address 0x2000 <br />Symbol at 0x2054<br />In-memory __DATA base address 0x4000<br />Symbol in-memory at 0x4054<br />2/18/09<br />37<br />
    38. 38. Results<br />Run a binary into an arbitrary machine.<br />No traces on the hard-disk.<br />No execve(), the kernel doesn’t know about us. <br />It works with every binary.<br />It is possible to write payloads in a high level language.<br />2/18/09<br />38<br />
    39. 39. Demo description<br />Run a simple piece of code which acts like a shellcode and retrieve the binary.<br />Execute the attack with nmap and Safari.<br />Show network dump.<br />Show memory layout before and after the attack. <br />2/18/09<br />39<br />
    40. 40. DEMO<br />2/18/09<br />40<br />
    41. 41. Future developments<br />Employ encryption to avoid NIDS detection.<br />Using cavity infector technique. <br />Port the code to iPhone to evade code signing protection ( Catch you at BH Europe).<br />2/18/09<br />41<br />
    42. 42. Thanks, questions?<br />2/18/09<br />42<br />