Bh dc09

zynamics GmbH
zynamics GmbHzynamics GmbH
Let your Mach-O fly Vincenzo Iozzo snagg@sikurezza.org
03/08/2010 Who am I? • Student at Politecnico di Milano. • Security Consultant at Secure Network srl. • Reverse Engineer at Zynamics GmbH. 2
03/08/2010 Goal of the talk In-memory execution of arbitrary binaries on a Mac OS X machine. 3
03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 4
03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 5
03/08/2010 Mach-O file • Header structure: information on the target architecture and options to interpret the file. • Load commands: symbol table location, registers state. • Segments: define region of the virtual memory, contain sections with code or data. 6
03/08/2010 Segment and Sections segment section Virtual Virtual address Address 0x1000 0x1d54 Virtual Virtual memory size memory size 0x1000 0x275 File Offset File Offset 0x0 0xd54 File Size 0x1000 7
03/08/2010 Important segments • __PAGEZERO, if a piece of code accesses NULL it lands here. no protection flags. • __TEXT, holds code and read-only data. RX protection. • __DATA, holds data. RW protection. • __LINKEDIT, holds information for the dynamic linker including symbol and string tables. RW protection. 8
03/08/2010 Mach-O representation 9
03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 10
03/08/2010 Binary execution • Conducted by the kernel and the dynamic linker. • The kernel, when finishes his part, jumps to the dynamic linker entry point. • The dynamic linker is not randomized. 11
03/08/2010 Execution steps Kernel Dynamic linker • Maps the dynamic linker • Retrieves base address in the process address of the binary. space. • Resolves symbols. • Parses the header • Resolves library structure and loads all dependencies. segments. • Jumps to the binary entry • Creates a new stack. point. 12
03/08/2010 Stack • Mach-O file base address. • Command line arguments. • Environment variables. • Execution path. • All padded. 13
03/08/2010 Stack representation 14
03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 15
03/08/2010 Proposed attack • Userland-exec attack. • Encapsulate a shellcode, aka auto- loader, and a crafted stack in the injected binary. • Execute the auto-loader in the address space of the attacked process. 16
03/08/2010 WWW • Who: an attacker with a remote code execution in his pocket. • Where: the attack is two-staged. First run a shellcode to receive the binary, then run the auto-loader contained in the binary. • Why: later in this talk. 17
03/08/2010 What kind of binaries? Any Mach-O file, from ls to Safari 18
03/08/2010 A nice picture 19
03/08/2010 Infected binary • We need to find a place to store the auto-loader and the crafted stack. • __PAGEZERO infection technique. • Cavity infector technique. 20
03/08/2010 __PAGEZERO INFECTION • Change __PAGEZERO protection flags with a custom value. • Store the crafted stack and the auto- loader code at the end of the binary. • Point __PAGEZERO to the crafted stack. • Overwrite the first bytes of the file with the auto-loader address. 21
03/08/2010 Binary layout 22
03/08/2010 Auto-loader • Impersonates the kernel. • Un-maps the old binary. • Maps the new one. 23
03/08/2010 Auto-loader description • Parses the binary. • Reads the virtual addresses of the injected binary segments. • Unloads the attacked binary segments pointed by the virtual addresses. • Loads the injected binary segments. 24
03/08/2010 Auto-loader description(2) • Maps the crafted stack referenced by __PAGEZERO. • Cleans registers. • Cleans some libSystem variables. • Jumps to dynamic linker entry point. 25
03/08/2010 We do like pictures, don’t we? Victim’s process address space TEXT DATA LINKEDIT SEGMENT -N TEXT DATA LINKEDIT SEGMENT-N 26
03/08/2010 libSystem variables • _malloc_def_zone_state • _NXArgv_pointer • _malloc_num_zones • __keymgr_global 27
03/08/2010 Why are those variables important? • They are used in the initialization of malloc. • Two of them are used for command line arguments parsing. • Not cleaning them will result in a crash. 28
03/08/2010 Hunts the variables • Mac OS X Leopard has ASLR for libraries. • Those variables are not exported. • Cannot use dlopen()/dlsym() combo. 29
03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 30
03/08/2010 Defeat ASLR • Retrieve libSystem in-memory base address. • Read symbols from the libSystem binary. • Adjust symbols to the new address. 31
03/08/2010 How ASLR works in Leopard • Only libraries are randomized. • The randomization is performed whenever the system or the libraries are updated. • Library segments addresses are saved in dyld_shared_cache_arch.map. 32
03/08/2010 Retrieve libSystem address • Parse • Adopt functions dyld_shared_cache exported by the _i386.map and dynamic linker and search for libSystem perform the whole entry. task in-memory. 33
03/08/2010 Dyld functions • _dyld_image_count() used to retrieve the number of linked libraries of a process. • _dyld_get_image_header() used to retrieve the base address of each library. • _dyld_get_image_name() used to retrieve the name of a given library. 34
03/08/2010 Find ‘em • Parse dyld load commands. • Retrieve __LINKEDIT address. • Iterate dyld symbol table and search for the functions name in __LINKEDIT. 35
03/08/2010 Back to libSystem • Non-exported symbols are taken out from the symbol table when loaded. • Open libSystem binary, find the variables in the symbol table. • Adjust variables to the base address of the in-memory __DATA segment. 36
03/08/2010 Put pieces together • Iterate the header structure of libSystem in-memory and find the __DATA base address. – __DATA base address 0x2000 – Symbol at 0x2054 – In-memory __DATA base address 0x4000 – Symbol in-memory at 0x4054 37
03/08/2010 Results • Run a binary into an arbitrary machine. • No traces on the hard-disk. • No execve(), the kernel doesn’t know about us. • It works with every binary. • It is possible to write payloads in a high level language. 38
03/08/2010 Demo description • Run a simple piece of code which acts like a shellcode and retrieve the binary. • Execute the attack with nmap and Safari. • Show network dump. • Show memory layout before and after the attack. 39
03/08/2010 DEMO 40
03/08/2010 Future developments • Employ encryption to avoid NIDS detection. • Using cavity infector technique. • Port the code to iPhone to evade code signing protection ( Catch you at BH Europe). 41
03/08/2010 Thanks, questions? 42
1 of 42

Bh dc09

Download to read offline
zynamics GmbH
zynamics GmbHzynamics GmbH

Recommended

Eusecwest by
EusecwestEusecwest
Eusecwestzynamics GmbH
396 views58 slides
So you want to quit your day job and make a connected product by
So you want to quit your day job and make a connected productSo you want to quit your day job and make a connected product
So you want to quit your day job and make a connected productAlexandra Deschamps-Sonsino
26.2K views42 slides
2015 Ends With Exploding Hoverboards And Growing Ethical Concerns by
2015 Ends With Exploding Hoverboards And Growing Ethical Concerns2015 Ends With Exploding Hoverboards And Growing Ethical Concerns
2015 Ends With Exploding Hoverboards And Growing Ethical ConcernsQIMA
106.7K views14 slides
The Future of Wearables... EXPLAINED! by
The Future of Wearables... EXPLAINED!The Future of Wearables... EXPLAINED!
The Future of Wearables... EXPLAINED!Paul Brown
86.2K views28 slides
Pune-Cocoa: Blocks and GCD by
Pune-Cocoa: Blocks and GCDPune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCDPrashant Rane
1.3K views34 slides
Let your Mach-O fly, Black Hat DC 2009 by
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Vincenzo Iozzo
472 views8 slides

More Related Content

Similar to Bh dc09

Cassandra - An Introduction by
Cassandra - An IntroductionCassandra - An Introduction
Cassandra - An IntroductionMikio L. Braun
3.7K views35 slides
Pyramid: A large-scale array-oriented active storage system by
Pyramid: A large-scale array-oriented active storage systemPyramid: A large-scale array-oriented active storage system
Pyramid: A large-scale array-oriented active storage systemViet-Trung TRAN
768 views25 slides
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009 by
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Vincenzo Iozzo
1.4K views25 slides
Parallel Computing - Lec 3 by
Parallel Computing - Lec 3Parallel Computing - Lec 3
Parallel Computing - Lec 3Shah Zaib
29 views41 slides
Open Stack Cheng Du Swift Alex Yang by
Open Stack Cheng Du Swift Alex YangOpen Stack Cheng Du Swift Alex Yang
Open Stack Cheng Du Swift Alex YangOpenCity Community
971 views33 slides
Roeder posterismb2010 by
Roeder posterismb2010Roeder posterismb2010
Roeder posterismb2010Chris Roeder
282 views1 slide

Similar to Bh dc09(20)

Cassandra - An Introduction by Mikio L. Braun
Cassandra - An IntroductionCassandra - An Introduction
Cassandra - An Introduction
Mikio L. Braun3.7K views
Pyramid: A large-scale array-oriented active storage system by Viet-Trung TRAN
Pyramid: A large-scale array-oriented active storage systemPyramid: A large-scale array-oriented active storage system
Pyramid: A large-scale array-oriented active storage system
Viet-Trung TRAN768 views
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009 by Vincenzo Iozzo
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Fun and Games with Mac OS X and iPhone Payloads White Paper, Black Hat EU 2009
Vincenzo Iozzo1.4K views
Parallel Computing - Lec 3 by Shah Zaib
Parallel Computing - Lec 3Parallel Computing - Lec 3
Parallel Computing - Lec 3
Shah Zaib29 views
Open Stack Cheng Du Swift Alex Yang by OpenCity Community
Open Stack Cheng Du Swift Alex YangOpen Stack Cheng Du Swift Alex Yang
Open Stack Cheng Du Swift Alex Yang
OpenCity Community971 views
Roeder posterismb2010 by Chris Roeder
Roeder posterismb2010Roeder posterismb2010
Roeder posterismb2010
Chris Roeder282 views
C++0x by Vaibhav Bajaj
C++0xC++0x
C++0x
Vaibhav Bajaj560 views
Open stackapac swift_alexyang by OpenCity Community
Open stackapac swift_alexyangOpen stackapac swift_alexyang
Open stackapac swift_alexyang
OpenCity Community384 views
Swift Architecture and Practice, by Alex Yang by Hui Cheng
Swift Architecture and Practice, by Alex YangSwift Architecture and Practice, by Alex Yang
Swift Architecture and Practice, by Alex Yang
Hui Cheng7.6K views
Variables: names, bindings, type, scope by suthi
Variables: names, bindings, type, scopeVariables: names, bindings, type, scope
Variables: names, bindings, type, scope
suthi 497 views
Dynamo 100107092845-phpapp02 by Takefumi MIYOSHI
Dynamo 100107092845-phpapp02Dynamo 100107092845-phpapp02
Dynamo 100107092845-phpapp02
Takefumi MIYOSHI836 views
Millions quotes per second in pure java by Roman Elizarov
Millions quotes per second in pure javaMillions quotes per second in pure java
Millions quotes per second in pure java
Roman Elizarov5.1K views
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft... by Dataconomy Media
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft..."Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft...
"Source Code Abstracts Classification Using CNN", Vadim Markovtsev, Lead Soft...
Dataconomy Media414 views
Hot sec10 slide-suzaki by Kuniyasu Suzaki
Hot sec10 slide-suzakiHot sec10 slide-suzaki
Hot sec10 slide-suzaki
Kuniyasu Suzaki549 views
Rails Security by Jonathan Weiss
Rails SecurityRails Security
Rails Security
Jonathan Weiss2.2K views
Xavier Lacot: Abstracting Databases Access in Titanium Mobile by Axway Appcelerator
Xavier Lacot: Abstracting Databases Access in Titanium MobileXavier Lacot: Abstracting Databases Access in Titanium Mobile
Xavier Lacot: Abstracting Databases Access in Titanium Mobile
Axway Appcelerator1.4K views
2011 codestrong-abstracting-databases-access-in-titanium-mobile by Axway Appcelerator
2011 codestrong-abstracting-databases-access-in-titanium-mobile2011 codestrong-abstracting-databases-access-in-titanium-mobile
2011 codestrong-abstracting-databases-access-in-titanium-mobile
Axway Appcelerator686 views
Abstracting databases access in Titanium Mobile by Xavier Lacot
Abstracting databases access in Titanium MobileAbstracting databases access in Titanium Mobile
Abstracting databases access in Titanium Mobile
Xavier Lacot2.9K views
Linux one vs x86 by Diego Rodriguez
Linux one vs x86 Linux one vs x86
Linux one vs x86
Diego Rodriguez2.5K views
Linux one vs x86 18 july by Diego Rodriguez
Linux one vs x86 18 julyLinux one vs x86 18 july
Linux one vs x86 18 july
Diego Rodriguez265 views

More from zynamics GmbH

Everybody be cool, this is a roppery! by
Everybody be cool, this is a roppery!Everybody be cool, this is a roppery!
Everybody be cool, this is a roppery!zynamics GmbH
788 views46 slides
Automated Mobile Malware Classification by
Automated Mobile Malware ClassificationAutomated Mobile Malware Classification
Automated Mobile Malware Classificationzynamics GmbH
487 views30 slides
Applications of the Reverse Engineering Language REIL by
Applications of the Reverse Engineering Language REILApplications of the Reverse Engineering Language REIL
Applications of the Reverse Engineering Language REILzynamics GmbH
500 views39 slides
VxClass for Incident Response by
VxClass for Incident ResponseVxClass for Incident Response
VxClass for Incident Responsezynamics GmbH
617 views34 slides
Malware classification by
Malware classificationMalware classification
Malware classificationzynamics GmbH
666 views28 slides
Hitb by
HitbHitb
Hitbzynamics GmbH
489 views42 slides

More from zynamics GmbH(8)

Everybody be cool, this is a roppery! by zynamics GmbH
Everybody be cool, this is a roppery!Everybody be cool, this is a roppery!
Everybody be cool, this is a roppery!
zynamics GmbH788 views
Automated Mobile Malware Classification by zynamics GmbH
Automated Mobile Malware ClassificationAutomated Mobile Malware Classification
Automated Mobile Malware Classification
zynamics GmbH487 views
Applications of the Reverse Engineering Language REIL by zynamics GmbH
Applications of the Reverse Engineering Language REILApplications of the Reverse Engineering Language REIL
Applications of the Reverse Engineering Language REIL
zynamics GmbH500 views
VxClass for Incident Response by zynamics GmbH
VxClass for Incident ResponseVxClass for Incident Response
VxClass for Incident Response
zynamics GmbH617 views
Malware classification by zynamics GmbH
Malware classificationMalware classification
Malware classification
zynamics GmbH666 views
Hitb by zynamics GmbH
HitbHitb
Hitb
zynamics GmbH489 views
Platform-independent static binary code analysis using a meta-assembly language by zynamics GmbH
Platform-independent static binary code analysis using a meta-assembly languagePlatform-independent static binary code analysis using a meta-assembly language
Platform-independent static binary code analysis using a meta-assembly language
zynamics GmbH613 views
Automated static deobfuscation in the context of Reverse Engineering by zynamics GmbH
Automated static deobfuscation in the context of Reverse EngineeringAutomated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse Engineering
zynamics GmbH409 views

Bh dc09

  • 1. Let your Mach-O fly Vincenzo Iozzo snagg@sikurezza.org
  • 2. 03/08/2010 Who am I? • Student at Politecnico di Milano. • Security Consultant at Secure Network srl. • Reverse Engineer at Zynamics GmbH. 2
  • 3. 03/08/2010 Goal of the talk In-memory execution of arbitrary binaries on a Mac OS X machine. 3
  • 4. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 4
  • 5. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 5
  • 6. 03/08/2010 Mach-O file • Header structure: information on the target architecture and options to interpret the file. • Load commands: symbol table location, registers state. • Segments: define region of the virtual memory, contain sections with code or data. 6
  • 7. 03/08/2010 Segment and Sections segment section Virtual Virtual address Address 0x1000 0x1d54 Virtual Virtual memory size memory size 0x1000 0x275 File Offset File Offset 0x0 0xd54 File Size 0x1000 7
  • 8. 03/08/2010 Important segments • __PAGEZERO, if a piece of code accesses NULL it lands here. no protection flags. • __TEXT, holds code and read-only data. RX protection. • __DATA, holds data. RW protection. • __LINKEDIT, holds information for the dynamic linker including symbol and string tables. RW protection. 8
  • 10. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 10
  • 11. 03/08/2010 Binary execution • Conducted by the kernel and the dynamic linker. • The kernel, when finishes his part, jumps to the dynamic linker entry point. • The dynamic linker is not randomized. 11
  • 12. 03/08/2010 Execution steps Kernel Dynamic linker • Maps the dynamic linker • Retrieves base address in the process address of the binary. space. • Resolves symbols. • Parses the header • Resolves library structure and loads all dependencies. segments. • Jumps to the binary entry • Creates a new stack. point. 12
  • 13. 03/08/2010 Stack • Mach-O file base address. • Command line arguments. • Environment variables. • Execution path. • All padded. 13
  • 15. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 15
  • 16. 03/08/2010 Proposed attack • Userland-exec attack. • Encapsulate a shellcode, aka auto- loader, and a crafted stack in the injected binary. • Execute the auto-loader in the address space of the attacked process. 16
  • 17. 03/08/2010 WWW • Who: an attacker with a remote code execution in his pocket. • Where: the attack is two-staged. First run a shellcode to receive the binary, then run the auto-loader contained in the binary. • Why: later in this talk. 17
  • 18. 03/08/2010 What kind of binaries? Any Mach-O file, from ls to Safari 18
  • 20. 03/08/2010 Infected binary • We need to find a place to store the auto-loader and the crafted stack. • __PAGEZERO infection technique. • Cavity infector technique. 20
  • 21. 03/08/2010 __PAGEZERO INFECTION • Change __PAGEZERO protection flags with a custom value. • Store the crafted stack and the auto- loader code at the end of the binary. • Point __PAGEZERO to the crafted stack. • Overwrite the first bytes of the file with the auto-loader address. 21
  • 23. 03/08/2010 Auto-loader • Impersonates the kernel. • Un-maps the old binary. • Maps the new one. 23
  • 24. 03/08/2010 Auto-loader description • Parses the binary. • Reads the virtual addresses of the injected binary segments. • Unloads the attacked binary segments pointed by the virtual addresses. • Loads the injected binary segments. 24
  • 25. 03/08/2010 Auto-loader description(2) • Maps the crafted stack referenced by __PAGEZERO. • Cleans registers. • Cleans some libSystem variables. • Jumps to dynamic linker entry point. 25
  • 26. 03/08/2010 We do like pictures, don’t we? Victim’s process address space TEXT DATA LINKEDIT SEGMENT -N TEXT DATA LINKEDIT SEGMENT-N 26
  • 27. 03/08/2010 libSystem variables • _malloc_def_zone_state • _NXArgv_pointer • _malloc_num_zones • __keymgr_global 27
  • 28. 03/08/2010 Why are those variables important? • They are used in the initialization of malloc. • Two of them are used for command line arguments parsing. • Not cleaning them will result in a crash. 28
  • 29. 03/08/2010 Hunts the variables • Mac OS X Leopard has ASLR for libraries. • Those variables are not exported. • Cannot use dlopen()/dlsym() combo. 29
  • 30. 03/08/2010 Talk outline • Mach-O file structure • XNU binary execution • Attack technique • Defeat ASLR on libraries to enhance the attack 30
  • 31. 03/08/2010 Defeat ASLR • Retrieve libSystem in-memory base address. • Read symbols from the libSystem binary. • Adjust symbols to the new address. 31
  • 32. 03/08/2010 How ASLR works in Leopard • Only libraries are randomized. • The randomization is performed whenever the system or the libraries are updated. • Library segments addresses are saved in dyld_shared_cache_arch.map. 32
  • 33. 03/08/2010 Retrieve libSystem address • Parse • Adopt functions dyld_shared_cache exported by the _i386.map and dynamic linker and search for libSystem perform the whole entry. task in-memory. 33
  • 34. 03/08/2010 Dyld functions • _dyld_image_count() used to retrieve the number of linked libraries of a process. • _dyld_get_image_header() used to retrieve the base address of each library. • _dyld_get_image_name() used to retrieve the name of a given library. 34
  • 35. 03/08/2010 Find ‘em • Parse dyld load commands. • Retrieve __LINKEDIT address. • Iterate dyld symbol table and search for the functions name in __LINKEDIT. 35
  • 36. 03/08/2010 Back to libSystem • Non-exported symbols are taken out from the symbol table when loaded. • Open libSystem binary, find the variables in the symbol table. • Adjust variables to the base address of the in-memory __DATA segment. 36
  • 37. 03/08/2010 Put pieces together • Iterate the header structure of libSystem in-memory and find the __DATA base address. – __DATA base address 0x2000 – Symbol at 0x2054 – In-memory __DATA base address 0x4000 – Symbol in-memory at 0x4054 37
  • 38. 03/08/2010 Results • Run a binary into an arbitrary machine. • No traces on the hard-disk. • No execve(), the kernel doesn’t know about us. • It works with every binary. • It is possible to write payloads in a high level language. 38
  • 39. 03/08/2010 Demo description • Run a simple piece of code which acts like a shellcode and retrieve the binary. • Execute the attack with nmap and Safari. • Show network dump. • Show memory layout before and after the attack. 39
  • 41. 03/08/2010 Future developments • Employ encryption to avoid NIDS detection. • Using cavity infector technique. • Port the code to iPhone to evade code signing protection ( Catch you at BH Europe). 41