
Advanced Windows Exploitation


Guest speaker Tim Shelton of HAWK Network Defense, Inc. discusses exploiting Wireshark and advanced exploitation on Windows (XP SP3/Vista/Win7).

Published in: Technology

  1. HAWK Network Defense: Advanced Windows Exploitation. Microsoft Windows XP SP3, Vista and Win7. Tim Shelton, V.P. Research & Development, HAWK Network Defense, Inc.
  2. Who Are We?
     • HAWK Network Defense, Inc. Security Solutions Provider
     • Application and Network Security company incorporated in Texas focused on Security Information & Event Management and other security services.
  3. Overview
     • Basic Review of Memory Exploitation
       – Format String Vulnerabilities
       – Buffer (Stack) Overflows & Underflows
       – Buffer (Heap) Overflows & Underflows
       – Integer Overflows & Underflows
     • Advanced Memory Protection & Additional Security Measures
       – Address Space Layout Randomization
       – Non-Executable Memory Regions
       – Stack & Heap Canaries and more…
     • Real World Examples
       – Wireshark 1.2.5 and below LWRES Hostname - stack overflow
       – Adobe JBIG2 PDF - index integer overflow
       – MS10-002 Google/Adobe hack (“Operation Aurora”) - heap overflow
  4. Overview
     • How do we exploit the unknown?
       – The idea is to get an operation within the targeted application to do something it is not supposed to do.
       – Memory Corruption
         • Integer Overflow/Underflow
         • Memory Index Overflow/Underflow
         • Buffer Overflow/Underflow
         • Integer Over/Under leading to a Buffer Over/Under
         • Etc.
  5. Overview (diagram only)
  6. Overview (diagram: TotalSize, Width, Height)
  7. Overview (diagram only)
  8. Overview (diagram only)
  9. Basic Review of Memory Exploitation
     • Windows Format String Vulnerabilities
       – 100% Controllable (and somewhat obsolete)
       – Compiler detects and warns of the existing vulnerability
       – Allow Read Access Anywhere in Memory
       – Value: Memory discovery for improving accuracy of an existing vulnerability.
         • Stack Memory Discovery
         • Heap Memory Discovery
  10. Basic Review of Memory Exploitation
      • Windows Format String Vulnerabilities
        void vulnerable(char *arg) {
            printf(arg); // <-- Vulnerable: untrusted data used as the format string
        }
        arg = "%08X%08X%08X%08X%08X%08X";
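Added example (not from the slides): why `printf(arg)` with an attacker-chosen format discloses memory, and the one-line fix. A real `printf(arg)` with `"%08X%08X..."` prints whatever sits in the argument slots above the call, which on 32-bit Windows is stack memory (locals, the /GS cookie, saved EBP, return addresses). Walking past the real argument list is undefined behaviour in C, so this stand-alone model hands the formatter an explicit, constructed "stack" of four words with assumed values; the attacker still chooses the format, and the developer never meant to print the third word.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stack contents (assumed values, 32-bit x86 frame in mind). */
static const uint32_t stack_words[4] = {
    0x00000000u,   /* a local variable */
    0x0012FF78u,   /* saved EBP */
    0x6E47A0C1u,   /* /GS security cookie: what the attacker wants to learn */
    0x7C817067u,   /* return address into a non-ASLR module */
};

#if defined(__GNUC__)
/* Silence the very warning slide 9 mentions, so the bug can be demonstrated. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif

/* Vulnerable pattern (slide 10): untrusted text used as the format string.
 * The four "stack" words stand in for what printf would read off the stack. */
static int log_vulnerable(char *out, size_t outsz, const char *arg)
{
    return snprintf(out, outsz, arg,
                    stack_words[0], stack_words[1], stack_words[2], stack_words[3]);
}

/* Fixed pattern: the format is a literal, untrusted text is an argument. */
static int log_fixed(char *out, size_t outsz, const char *arg)
{
    return snprintf(out, outsz, "%s", arg);
}

/* Attacker's side: three %08X conversions walk up to the third word, the cookie.
 * Returns the recovered value for comparison with stack_words[2]. */
static uint32_t leak_cookie(void)
{
    char out[64];
    log_vulnerable(out, sizeof out, "%08X%08X%08X");
    /* Output is three 8-digit hex groups; the third starts at offset 16. */
    return (uint32_t)strtoul(out + 16, NULL, 16);
}

/* The same input through the fixed logger is simply echoed: nothing leaks. */
static int fixed_logger_echoes_input(void)
{
    char out[64];
    log_fixed(out, sizeof out, "%08X%08X%08X");
    return strcmp(out, "%08X%08X%08X") == 0;
}
```

In a real target the attacker does the same counting against live stack contents, adding `%08X` conversions until a recognisable value (a cookie, a module address) appears; that is the "memory discovery" of slide 9, and it is why a format string bug is worth keeping even when it cannot write.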
  11. Basic Review of Memory Exploitation
      • Buffer (Stack) Overflows & Underflows
        – Mostly Controllable
          • depends on how far we can write
        – Value: Code Execution
          • Microsoft Windows XP SP3, Vista, (sometimes) Win7 and below
          • Overwrite the saved return address, or keep writing up the stack until a Structured Exception Handler (SEH) record is reached
            – Control of EIP: on return, or when the next exception is dispatched to the overwritten handler
  12. Basic Review of Memory Exploitation
      • Overflow Example:
        void vulnerable(char *arg) {
            char buf[256];
            strncpy(buf, arg, strlen(arg)+1); // <-- Vulnerable: the bound is the source length, not sizeof(buf)
            return;
        }
        arg = "A" * 256 + [overwrites the saved EBP and then the return address];
  13. Basic Review of Memory Exploitation
      • Structured Exception Handlers (SEH)
        – What is it?
          • Your traditional “try” and “catch”
          • Allows us to have really bad code and still handle the results accordingly
          • Linked list of SEH records through the stack, looks like:
            struct seh_record { struct seh_record *next_seh; void *handler_code; };
        – Where is it?
          • fs:[0] – on 32-bit Windows the FS segment register addresses the current thread's environment block, and its first field is the head of this list
  14. Basic Review of Memory Exploitation
      • Memory Segmentation
        “In computing, memory segmentation is one of the most common ways to achieve memory protection; another common one is paging. In a computer system using segmentation, an instruction operand that refers to a memory location includes a value that identifies a segment and an offset within that segment. A segment has a set of permissions, and a length, associated with it. If the currently running process is allowed by the permissions to make the type of reference to memory that it is attempting to make, and the offset within the segment is within the range specified by the length of the segment, the reference is permitted; otherwise, a hardware exception is raised.”
  15. Basic Review of Memory Exploitation
      • Buffer (Heap) Overflows & Underflows
        – Mostly Controllable (depends on how far we can write)
        – Value: Code Execution
          • Microsoft Windows XP SP3, Vista, Win7
          • Must overwrite a valid function pointer existing adjacent on the heap
            – Immediate control of EIP
            – Function must be executed before an unlink/free occurs on the damaged heap space
          • Or, overwrite a singly linked list unlink within the adjacent Lookaside List, or a FreeList unlink.
            – Controllable 4 byte overwrite within memory.
  16. Basic Review of Memory Exploitation
      • Overflow Example:
        char *vulnerable(char *arg) {
            char *buf = (char *)malloc(256);
            assert(buf);
            strncpy(buf, arg, strlen(arg)+1); // <-- Vulnerable
            return buf;
        }
        arg = "A" * 256 + [overflow of adjacent heap data];
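Added example (not from the slides): the "controllable 4 byte overwrite" of slide 15, worked through. An overflow out of one heap allocation reaches the Flink/Blink pair of the adjacent free chunk, and the allocator's unlink then turns those two pointers into a write of attacker-chosen data to an attacker-chosen address. The chunk layout, the two global "victim" variables and the payload below are a model built for this illustration, not the Windows heap structures; fields are pointer-sized so it runs on 32- or 64-bit hosts, and the copy stays inside one struct so the model itself is well-defined C. The safe-unlink variant shows the check Vista's heap added.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct free_chunk {            /* list links of a free XP heap chunk (header omitted) */
    uintptr_t flink;
    uintptr_t blink;
};

/* Two adjacent allocations: the attacker overflows chunk_a into chunk_b's links. */
struct heap_region {
    unsigned char     chunk_a[32];
    struct free_chunk chunk_b;
};

/* The program's own data: a function-pointer cell it will call later (the
 * "where"), and words the attacker already placed in memory (the "what"). */
static uintptr_t g_callback_cell;
static uintptr_t g_shellcode_words[4];

static void reset_victim_state(void)
{
    int i;
    for (i = 0; i < 4; i++) g_shellcode_words[i] = (uintptr_t)0x90909090u;  /* NOPs */
    g_callback_cell = 0;
}

/* Unlink as the XP heap did it: no validation of the neighbours at all. */
static void unlink_chunk(struct free_chunk *c)
{
    struct free_chunk *f = (struct free_chunk *)c->flink;
    struct free_chunk *b = (struct free_chunk *)c->blink;
    b->flink = (uintptr_t)f;   /* write #1: *(blink + 0)           = flink */
    f->blink = (uintptr_t)b;   /* write #2: *(flink + sizeof(ptr)) = blink */
}

/* Safe unlinking (Vista and later): both neighbours must still point back at c. */
static int unlink_chunk_safe(struct free_chunk *c)
{
    struct free_chunk *f = (struct free_chunk *)c->flink;
    struct free_chunk *b = (struct free_chunk *)c->blink;
    if (f->blink != (uintptr_t)c || b->flink != (uintptr_t)c)
        return 0;              /* corrupted list: refuse (the real heap raises an error) */
    b->flink = (uintptr_t)f;
    f->blink = (uintptr_t)b;
    return 1;
}

/* The overflow: 32 filler bytes followed by the two chosen pointers, the shape of
 * slide 16's strncpy with an oversized length. */
static void overflow_into_links(struct heap_region *r, uintptr_t flink, uintptr_t blink)
{
    unsigned char payload[sizeof *r];
    memset(payload, 'A', sizeof r->chunk_a);
    memcpy(payload + offsetof(struct heap_region, chunk_b.flink), &flink, sizeof flink);
    memcpy(payload + offsetof(struct heap_region, chunk_b.blink), &blink, sizeof blink);
    memcpy(r, payload, sizeof payload);
}

/* Attacker's choice: blink = &g_callback_cell, so write #1 lands on the cell;
 * flink = &g_shellcode_words, so that address is the value written there.
 * Write #2 then stores &g_callback_cell into g_shellcode_words[1], which is why
 * shellcode in unlink exploits opens with a short jump over its own second word. */
static uintptr_t exploit_unlink(void)
{
    struct heap_region r;
    memset(&r, 0, sizeof r);
    reset_victim_state();
    overflow_into_links(&r, (uintptr_t)g_shellcode_words, (uintptr_t)&g_callback_cell);
    unlink_chunk(&r.chunk_b);      /* triggered when chunk_b is taken off the free list */
    return g_callback_cell;        /* now == (uintptr_t)g_shellcode_words */
}

/* The same corruption against safe unlinking: refused, the cell stays untouched. */
static int exploit_unlink_safe(void)
{
    struct heap_region r;
    memset(&r, 0, sizeof r);
    reset_victim_state();
    overflow_into_links(&r, (uintptr_t)g_shellcode_words, (uintptr_t)&g_callback_cell);
    return unlink_chunk_safe(&r.chunk_b);   /* 0: g_shellcode_words[1] is not &chunk_b */
}
```

The constraint the model makes visible is that both writes must land in writable memory: the "what" is also dereferenced, so it has to be an address, not an arbitrary value, and its second word is clobbered.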
  17. Basic Review of Memory Exploitation
      • Integer Overflows & Underflows
        – Somewhat Controllable (depends on direction of overflow, and uses of the value thereafter within the specified code region)
        – Dependent upon how the code uses the value
  18. Basic Review of Memory Exploitation
      • Overflow Example:
        char *vulnerable(char *arg) {
            int len = (strlen(arg) * 4) + 1; // <-- wraps on a 32-bit build
            char *buf = (char *)malloc(len);
            assert(buf);
            strncpy(buf, arg, len); // <-- Vulnerable: a negative len converts to a huge size_t bound
            return buf;
        }
        arg = "A" * 512MB makes len a negative value
  19. Advanced Memory Protection
      • Advanced Memory Protection & Additional Security Measures
        – Address Space Layout Randomization
        – Non-Executable Memory Regions
        – Stack & Heap Canaries and more…
  20. Advanced Memory Protection
      • Address Space Layout Randomization
        – Its purpose is to deny us a known address to return into (we need a static location for our payload or a return)
        – Enabled by default
          • Windows Vista
          • Windows Server 2008
  21. Advanced Memory Protection
      • Address Space Layout Randomization
        – How can we combat this?
          • Large allocation of memory containing our payload (spraying)
          • Static locations still exist! (for now)
            – Only images linked with ASLR support (/DYNAMICBASE) are relocated; a DLL built without it is mapped at its preferred base every time, so one such module in the process is enough
            – Certain Windows specific regions are also static
  22. Advanced Memory Protection
      • Non-Executable Memory Regions
        – Changes to the permissions of memory pages disallow execution in certain circumstances.
        – Hardware Data Execution Prevention (DEP): needs NX/XD support from the CPU; always on for 64-bit processes on a 64-bit operating system.
        – Software-enforced DEP: the SafeSEH check that an exception handler is listed in its module's handler table before it is called.
        – Enabled by default
          • Windows XP Service Pack 2
          • Windows Server 2003 Service Pack 1
          • Windows Vista and Server 2008
          • And any current version of Microsoft Windows
          (on the client versions the default policy is OptIn: Windows system binaries are covered, a third-party application only if it opts in)
  23. Advanced Memory Protection
      • Non-Executable Memory Regions
        – How can we combat this?
          • Return to existing code at static addresses (return-to-libc / return-oriented programming; don’t forget about ASLR)
          • Utilize other languages that rely upon JIT (Just-in-time) compilers to create executable pages of memory containing our bytes (JIT spraying)
  24. Advanced Memory Protection
      • Stack & Heap Canaries
        – Creates a unique key and places it strategically within memory (the /GS stack cookie is pointer-sized, 4 bytes on x86; the XP SP2 heap keeps a single-byte cookie in each chunk header).
        – If our canary or cookie is corrupt, then memory corruption has occurred and execution will stop.
        – Enabled by default
          • Windows XP Service Pack 2
          • Windows Server 2003 Service Pack 1
          • Windows Vista and Server 2008
          • And any current version of Microsoft Windows
  25. Advanced Memory Protection
      • Stack & Heap Canaries
        – How can we combat this?
          • Certain locations within the Heap allow us to continue execution
          • We can always abuse the data contained within the heap itself
          • Utilize an existing format string vulnerability to read our cookie ahead of time
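Added example (not from the slides), serving slides 11 to 13 and slides 24 to 25 together: a model of the 32-bit frame of slide 12's `vulnerable()` with the compiler's /GS cookie between the buffer and the saved registers, and an SEH record further up the stack. The copy is the slide's `strncpy(buf, arg, strlen(arg)+1)`, a `strcpy` in disguise. It shows what the overflow clobbers in order, that the cookie check stops a blind overwrite, that a cookie leaked beforehand (slide 25) restores control of EIP, and that an overwritten SEH handler runs before the cookie is ever checked. Offsets, cookie and address constants are assumptions chosen for illustration, and the copy is done inside one struct so the model stays well-defined C on any host.

```c
#include <stdint.h>
#include <string.h>

#define BUF_SIZE     256
#define GOOD_RET     0x7C817067u   /* legitimate return address (assumed) */
#define GOOD_HANDLER 0x7C8399F3u   /* legitimate SEH handler (assumed) */
static const uint32_t SECRET_COOKIE = 0x6E47A0C1u;   /* per-process /GS cookie (assumed) */

struct frame {                 /* lowest address first, as on the x86 stack */
    char     buf[BUF_SIZE];    /* char buf[256] from slide 12 */
    uint32_t cookie;           /* /GS cookie, verified in the epilogue */
    uint32_t saved_ebp;
    uint32_t ret;              /* popped into EIP by ret */
};

struct frame_seh {             /* the same frame with an SEH record above it */
    struct frame f;
    uint32_t next_seh;         /* struct seh_record from slide 13 */
    uint32_t handler_code;
};

struct outcome {
    int      cookie_ok;        /* 0: __security_check_cookie aborts, ret never runs */
    uint32_t eip;              /* value reaching EIP on a clean return, 0 otherwise */
};

static void put_le32(char *p, uint32_t v)   /* x86 is little-endian */
{
    p[0] = (char)(v & 0xFF);         p[1] = (char)((v >> 8) & 0xFF);
    p[2] = (char)((v >> 16) & 0xFF); p[3] = (char)((v >> 24) & 0xFF);
}

/* Prologue stores the cookie, the bad copy runs, the epilogue checks the cookie. */
static struct outcome run_vulnerable(const char *arg)
{
    struct frame f;
    struct outcome o;
    size_t n = strlen(arg) + 1;              /* strncpy(buf, arg, strlen(arg)+1) */
    f.cookie = SECRET_COOKIE; f.saved_ebp = 0x0012FF78u; f.ret = GOOD_RET;
    if (n > sizeof f) n = sizeof f;          /* model boundary, not a real check */
    memcpy(&f, arg, n);                      /* overwrites cookie, EBP, ret in turn */
    o.cookie_ok = (f.cookie == SECRET_COOKIE);
    o.eip = o.cookie_ok ? f.ret : 0;
    return o;
}

/* If the overflow also reaches the SEH record and anything faults before the
 * function returns (e.g. the copy runs off the top of the stack), the dispatcher
 * calls handler_code first: the cookie check never executes. */
static uint32_t handler_after_overflow(const char *arg)
{
    struct frame_seh fs;
    size_t n = strlen(arg) + 1;
    memset(&fs, 0, sizeof fs);
    fs.next_seh = 0xFFFFFFFFu; fs.handler_code = GOOD_HANDLER;
    if (n > sizeof fs) n = sizeof fs;
    memcpy(&fs, arg, n);
    return fs.handler_code;
}

/* Attacker payload: fill the buffer, supply a cookie guess, junk EBP, new EIP.
 * The copy stops at the first NUL, so no chosen value may contain a 0x00 byte. */
static struct outcome attempt(uint32_t cookie_guess, uint32_t new_eip)
{
    char payload[BUF_SIZE + 13];
    memset(payload, 'A', BUF_SIZE);
    put_le32(payload + BUF_SIZE, cookie_guess);
    put_le32(payload + BUF_SIZE + 4, 0x42424242u);   /* saved EBP, don't care */
    put_le32(payload + BUF_SIZE + 8, new_eip);
    payload[BUF_SIZE + 12] = '\0';
    return run_vulnerable(payload);
}

/* Overrunning into the SEH record: 256 + 12 filler bytes, then next_seh, handler. */
static uint32_t attempt_via_seh(uint32_t new_handler)
{
    char payload[BUF_SIZE + 21];
    memset(payload, 'A', BUF_SIZE + 12);
    put_le32(payload + BUF_SIZE + 12, 0x45454545u);   /* next_seh (a short jump in real exploits) */
    put_le32(payload + BUF_SIZE + 16, new_handler);   /* handler_code = new EIP */
    payload[BUF_SIZE + 20] = '\0';
    return handler_after_overflow(payload);
}
```

Guessing the cookie has a one in 2^32 chance per process, which is why slide 25's advice is to read it first; the SEH path needs no cookie at all, which is why SafeSEH and SEHOP were added on top of /GS.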
  26. Real World Examples
      – Wireshark 1.2.5 and below LWRES Hostname - stack overflow
      – Adobe JBIG2 PDF - index integer overflow
      – MS10-002 Google/Adobe hack (“Operation Aurora”) - heap overflow
  27. Real World Examples
      • Wireshark 1.2.5 and below LWRES Hostname Stack Overflow
        – Release date: 2010-01-29
        – Publisher: babi (bbbbaaaabbbiii@operamail.com)
        – Details
          • Author published a denial-of-service proof-of-concept only.
          • Functioning exploit released by Metasploit for Debian GNU/Linux
          • Windows exploitation added after the initial release.
            – Tuned exploit works on both Windows XP SP3 and Windows Vista
            – This means we can blindly send our malicious payload out on the network, knowing it will work precisely.
  28. Real World Examples
      • Wireshark 1.2.5 and below LWRES Hostname Stack Overflow
        char realname[120];
        …
        realnamelen = tvb_get_ntohs(tvb, LWRES_LWPACKET_LENGTH + 4 + 2);
        tvb_get_nstringz(tvb, LWRES_LWPACKET_LENGTH + 4 + 2 + 2, realnamelen, (uint8*)realname);
        realname[realnamelen] = '\0';
        – realnamelen comes straight off the wire (0–65535) and is never compared with sizeof(realname): both the copy and the terminating store run past the 120-byte stack buffer.
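Added example (not Wireshark's code): the shape of the slide 28 bug reproduced against a constructed LWRES-style packet, next to a bounded parse. A 16-bit length read from the wire sizes a copy into `char realname[120]`, and `realname[realnamelen] = '\0'` then writes one more byte, so even a length of exactly 120 overflows. `LWRES_LWPACKET_LENGTH` is the lwres packet header size; the value 28 and the field offsets are taken from the slide's expression and are assumed here, as is the packet builder, which zero-fills everything but the two fields of interest.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LWRES_LWPACKET_LENGTH 28                          /* assumed header size */
#define REALNAMELEN_OFF (LWRES_LWPACKET_LENGTH + 4 + 2)   /* 16-bit realnamelen */
#define REALNAME_OFF    (REALNAMELEN_OFF + 2)             /* the name bytes */
#define REALNAME_SIZE   120

static uint16_t get_ntohs(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable logic, modelled without performing the write: returns how many bytes
 * the original code would have written past realname (0 = no overflow). */
static size_t realname_overflow_bytes(const uint8_t *pkt, size_t pktlen)
{
    size_t realnamelen, last;
    if (pktlen < REALNAME_OFF) return 0;                 /* too short to reach the field */
    realnamelen = get_ntohs(pkt + REALNAMELEN_OFF);
    last = realnamelen + 1;                              /* copy + the NUL at realname[realnamelen] */
    return last > REALNAME_SIZE ? last - REALNAME_SIZE : 0;
}

/* Hardened parse: the wire length is bounded by the buffer (leaving room for the
 * NUL) and by the bytes actually present. Returns 1 and fills realname on success. */
static int parse_realname(const uint8_t *pkt, size_t pktlen, char realname[REALNAME_SIZE])
{
    size_t realnamelen;
    if (pktlen < REALNAME_OFF) return 0;
    realnamelen = get_ntohs(pkt + REALNAMELEN_OFF);
    if (realnamelen > REALNAME_SIZE - 1) return 0;       /* oversized: reject outright */
    if (realnamelen > pktlen - REALNAME_OFF) return 0;   /* truncated packet */
    memcpy(realname, pkt + REALNAME_OFF, realnamelen);
    realname[realnamelen] = '\0';
    return 1;
}

/* Constructed packet: zeroed header and leading fields, then the claimed length
 * (big-endian) and the name bytes. Returns the packet length, 0 if it won't fit. */
static size_t build_packet(uint8_t *out, size_t cap, uint16_t claimed_len, const char *name)
{
    size_t namelen = strlen(name);
    if (cap < REALNAME_OFF + namelen) return 0;
    memset(out, 0, REALNAME_OFF);
    out[REALNAMELEN_OFF]     = (uint8_t)(claimed_len >> 8);
    out[REALNAMELEN_OFF + 1] = (uint8_t)(claimed_len & 0xFF);
    memcpy(out + REALNAME_OFF, name, namelen);
    return REALNAME_OFF + namelen;
}

/* Benign response: the length matches the name and the bounded parser accepts it. */
static int benign_packet_parses(char realname[REALNAME_SIZE])
{
    uint8_t pkt[256];
    size_t n = build_packet(pkt, sizeof pkt, 15, "www.example.com");
    return parse_realname(pkt, n, realname);
}

/* Packet claiming 'claimed' bytes and carrying that many 'A's (the PoC's shape
 * at 0xFFFF): what would the original code overflow by? */
static size_t overflow_for_claimed_len(uint16_t claimed)
{
    static uint8_t pkt[REALNAME_OFF + 0xFFFF];
    static char name[0xFFFF + 1];
    size_t n;
    memset(name, 'A', claimed); name[claimed] = '\0';
    n = build_packet(pkt, sizeof pkt, claimed, name);
    return realname_overflow_bytes(pkt, n);
}

/* The same packet through the bounded parser: 1 if rejected. */
static int fixed_parser_rejects(uint16_t claimed)
{
    static uint8_t pkt[REALNAME_OFF + 0xFFFF];
    static char name[0xFFFF + 1];
    char realname[REALNAME_SIZE];
    size_t n;
    memset(name, 'A', claimed); name[claimed] = '\0';
    n = build_packet(pkt, sizeof pkt, claimed, name);
    return parse_realname(pkt, n, realname) == 0;
}
```

The two bounds in `parse_realname` are independent: a length that fits the buffer can still exceed the captured bytes (truncated packet), and a length within the packet can still exceed the buffer (this bug); a dissector needs both checks before any copy into a fixed-size local.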
  29. Real World Examples
      • Adobe JBIG2 Index Overflow Vulnerability
        – Release date: 2009-02-20
        – Publisher: Sourcefire VRT Blog (0day caught in the wild)
        – Details
          • Another denial-of-service proof-of-concept only.
          • Functioning exploit released in the wild prior to detection.
          • Windows exploitation works against both Adobe Reader 9 and Acrobat 9.
          • Later, this turns into a 4-byte overwrite *mostly* anywhere in memory.
  30. Real World Examples
      • Adobe JBIG2 Index Overflow Vulnerability
        AcroRd32.dll (ecx+0x1c points to our four bytes):
        5d42d889 8b411c        mov  eax, dword ptr [ecx+0x1c]
        5d42d88c 85c0          test eax, eax
        5d42d88e 0f84ac020000  je   AcroRd32_5cd80000!PDFLTerm+0x235ad0
        …
        5d42d897 8d0480        lea  eax, [eax+eax*4]   <-- Index bug (since we control eax)
  31. Real World Examples
      • MS10-002 Internet Explorer Event Invalid Pointer Heap Corruption
        – CVE-2010-0249
        – Release date: 2010-01-14
        – Publisher: Unknown (0day caught in the wild)
        – Details
          • Functioning exploit released in the wild prior to detection.
  32. Questions & Answers. Any Questions? Tim Shelton, tshelton@hawkdefense.com, V.P. Research & Development, HAWK Network Defense, Inc.
