8/9/2019 Hostel Exploitation
1/35
Hostile Exploitation under Win7
Leveling the playing field
Steven Seeley, Associate consultant at stratsec
Overview
● Disclaimer(s)
● What is DEP?
● What is ASLR?
● DEP bypass techniques
  ROP: Return Oriented Programming
● ASLR bypass techniques
● Case study: AOL Desktop ESI to stack pivot control
● Case study: IE Aurora object pointer to stack pivot control
● Conclusions
● References
● Questions
Disclaimer(s)
● My apologies in advance if I miss things. I only have up to 20 minutes.
● I didn't invent this stuff!
● Sorry I didn't use vuln.c, I try to keep things practical.
● DEP bypasses are not new! It was being done even before MS officially introduced DEP.
What is DEP?
● NX / XD: No eXecute / eXecute Disabled
● First hit the MS scene in Windows XP SP2
● We are at Win7/2008 server now and most people still OptOut of DEP for a lot of common third party applications.
● Two types, software and hardware enforced. A focus on hardware enabled DEP.
● The NX flag is set in the CPU (Windows runs in PAE mode by default now)
● The parent process enables DEP by using a win
What is DEP?
● Marks data areas of memory to be not executable, such as the stack and heap
● If an attempt is made to execute code, a STATUS_ACCESS_VIOLATION 0xc0000005 will occur
● ways to set DEP policy under win
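As an added illustration (not from the slides), here is the POSIX analogue of the behaviour described above: mmap/mprotect stand in for VirtualAlloc/VirtualProtect, a SIGSEGV plays the role of STATUS_ACCESS_VIOLATION, and the bytes executed are constructed "return 42" stubs for x86 and AArch64. It shows why the bypass techniques later in the deck reduce to reaching a protection-changing API: the NX bit refuses data pages until something explicitly flips them.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
/* Constructed machine code for "return 42" (not from the slides). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char RET42[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "demo only carries stubs for x86 and AArch64"
#endif

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Copy RET42 into a fresh read/write page (VirtualAlloc with PAGE_READWRITE on
 * Windows) and try to run it. With make_exec set, the page is flipped to
 * read/execute first, which is the VirtualProtect() step the slides refer to.
 * Returns 42 when the stub ran, -1 when NX faulted the attempt, -2 on setup error. */
int run_from_data_page(int make_exec) {
    const size_t sz = 4096;
    void *page = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, RET42, sizeof RET42);
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET42); /* AArch64 I-cache */
    if (make_exec && mprotect(page, sz, PROT_READ | PROT_EXEC) != 0) { munmap(page, sz); return -2; }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);

    int result = -2;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object-to-function pointer without a cast warning */
        result = fn();                   /* only returns if the page is executable */
    } else {
        result = -1;                     /* SIGSEGV: the NX bit stopped execution from a data page */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, sz);
    return result;
}
```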
What is ASLR?
● Address Space Layout Randomization
● Rebooting the OS leads to randomizing the lower of the two most significant bytes in a
What is ASLR?
● 8 bits of entropy with 256 possible values
● When running tests, approximately, only
Wake up! This is where it gets fun!
DEP bypass techniques
● Using Return Oriented Programming, we can return into Windows API:
● VirtualAlloc()
● HeapCreate(HEAP_CREATE_ENABLE_EXECUTE)
● SetProcessDEPPolicy()
● NtSetInformationProcess()
● VirtualProtect(): update memory as executable
● WriteProcessMemory(): copy payload into executable memory. Technique: patch kernel
DEP bypass techniques
● !findantidep shipped with Immunity v1.0
● Set AL to 1, let ntdll setup our stack and call ZwSetInformationProcess() and then return to a ptr (eg: jmp esp) that finally passes control to our shellcode
● Perfect, a generic way to bypass DEP without the /permanent flag set!
● but doesn't defeat enforced hardware DEP :(
DEP bypass techniques
New(er) school techniques to bypass hardware enforced DEP with /noexecute=AlwaysOn
● We can use special heap sprays (JIT, JAVA)
● ROP: Return Oriented Programming
● Return to one of many Windows API
● ROP requires dynamic generation of ARG values
● Changes/allocates/creates new memory as executable
As Saumil Shah said, ESP is the new EIP. If you pivot control of ESP, then you will win.
DEP bypass techniques
So what's the problem?
● ASLR. We don't know where the ROP gadgets are stored at!
● Reliability: different module versions have different code.
● Reliability: program state is important. Opening a file dialog loads a lot more libraries.
● Payload space anyone?
● VET (Vulnerability to Exploit Time) is longer, might take a few days instead of a few hours.
ROP: Return Oriented Programming
“Preventing the introduction of malicious code is not enough to prevent the execution of malicious computations” - Dino A. Dai Zovi
● Return chaining via gadgets: a single gadget will execute a chain of instructions that will setup an argument value.
● Uses borrowed sequences of instructions that RETN back to the stack.
● Vulnerabilities with heavy character restrictions will provide for a very difficult exploitation experience.
● Is simple in understanding and only becomes difficult if other mitigations are involved.
● Example gadget?
ROP: Return Oriented Programming
POP EAX
RETN                             ; POP 0xFFFFFFFF into EAX
ADD EAX,20
RETN                             ; EAX is 0x0000001F
ADD EAX,20
RETN                             ; EAX is 0x0000003F
MOV DWORD PTR DS:[EAX+8], EDX
RETN                             ; write into memory: reference EAX+8 to point to attacker controlled value (0x00000080)
XCHG EDX,EAX
ADD EDX, 3
RETN                             ; EDX/EAX values after the exchange are unreadable in the source
The secret to ROP is to keep it simple!
ROP: Return Oriented Programming
Many instructions can be used to pivot control back to the stack.
Structured Exception Handler based:
● ADD ESP, XXX / RETN
● POP R
ASLR bypass techniques
● Bruteforce the base address if the parent process creates child processes. Example: PHP Dev 6.0 str_transliterate() buffer overflow exploit.
● Leak a pointer from the stack, rebase it, calculate offset. Example: BlazeDVD .plf file buffer overflow exploit. (This is dependent on application state)
● Memory address disclosure (memory leak). Maybe pointer inferences such as ActionScript dictionary leak.
● JIT spray with interpreted xor instructions (patched and dead for now).
● One or two byte overwrite
● .NET user control loading using <object> (blocked from internet zone now)
ASLR bypass techniques
● Remember, even if your application only has one module that is not ASLR compliant, then you don't really have ASLR.
● Load
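The practical check behind that warning, as an added example (not part of the talk): read IMAGE_OPTIONAL_HEADER.DllCharacteristics from each loaded module's PE header and flag any module that lacks DYNAMIC_BASE (ASLR) or NX_COMPAT (DEP opt-in), since one such module is enough to hand an attacker fixed gadget addresses. The header bytes below are constructed minimal PE32 headers, not real binaries; the flag values are the documented PE/COFF constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification. */
#define DLLCHAR_DYNAMIC_BASE 0x0040   /* relocatable image: ASLR applies */
#define DLLCHAR_NX_COMPAT    0x0100   /* image opts in to DEP */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* MZ -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER (20 bytes) -> optional header.
 * DllCharacteristics sits at offset 70 in both PE32 and PE32+. Returns -1 if malformed. */
int pe_dll_characteristics(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);
    if (pe > len || len - pe < 4 + 20 + 72) return -1;      /* headers must fit in the buffer */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;        /* PE32 / PE32+ only */
    return rd16(opt + 70);
}

/* The "weak link" the slides warn about: a module missing either opt-in flag. */
int module_is_hardened(const uint8_t *img, size_t len) {
    int c = pe_dll_characteristics(img, len);
    return c >= 0 && (c & DLLCHAR_DYNAMIC_BASE) != 0 && (c & DLLCHAR_NX_COMPAT) != 0;
}

/* Constructed 256-byte PE32 header (not a real binary) carrying the given flags. */
void build_test_header(uint8_t *buf, uint16_t dllchar) {
    memset(buf, 0, 256);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                   /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 24] = 0x0b; buf[0x40 + 25] = 0x01;       /* optional header magic 0x10b */
    buf[0x40 + 24 + 70] = (uint8_t)(dllchar & 0xff);
    buf[0x40 + 24 + 71] = (uint8_t)(dllchar >> 8);
}

/* Scan a constructed "process": one hardened module, one legacy one. Returns the
 * number of modules that would undermine ASLR/DEP for the whole process (here 1). */
int demo_weak_module_count(void) {
    uint8_t mods[2][256];
    build_test_header(mods[0], DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT);
    build_test_header(mods[1], 0);                       /* legacy build, no opt-ins */
    int weak = 0;
    for (int i = 0; i < 2; i++) if (!module_is_hardened(mods[i], 256)) weak++;
    return weak;
}
```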
Case study: AOL Desktop .rtx file overflow
Almost typical stack overflow, nice and easy with full EIP control
Case study: AOL Desktop .rtx file overflow
Load EAX with a pointer to our shellcode
Controlled memory
Case study: AOL Desktop .rtx file overflow
Swap ESI for ESP, taking full control of the stack
Valid memory written at EAX so that we don't fail here
Given this, can anyone tell me where we are returning to in memory?
Case study: AOL Desktop .rtx file overflow
Just to clarify, this is how the stack may look like, pointers everywhere.
Note: the hardcoded VirtualProtect() call; if we were to bypass ASLR, this would have to be generated dynamically
Case study: AOL Desktop .rtx file overflow
Arguments in registers, ready for the final pushad / retn
The arguments to VirtualProtect() all setup on the stack.
After the call to VirtualProtect(), we will be returning to this address here (nop sled)
Case study: AOL Desktop .rtx file overflow
Profit
Case study: IE Aurora, Internet Explorer use after free memory corruption (CVE-2010-0249)
An object which implements polymorphism (such as our freed object) will contain a virtual function table (vtable) pointer as the first member of the object. We need to change this address to point to a new table containing the address of our ROP stub at table offset 0x8[?].
Base address of the pointer we are going to use
We would set EAX to 1111, which would later be changed to a pointer to the ROP stub eg: 0x0
Case study: IE Aurora, Internet Explorer use after free memory corruption (CVE-2010-0249)
What we would do is set the value to a reliable known offset (0x01b) after a decent spray has occurred. So simply, we will set EAX to the same value as ECX so that a call EAX
Case study: IE Aurora, Internet Explorer use after free memory corruption (CVE-2010-0249)
Let's spray a ROP stub and call a pivot to gain control of ESP.
Our ROP stub, ready to execute from the stack
Final call :)
Case study: IE Aurora, Internet Explorer use after free memory corruption (CVE-2010-0249)
Profit
Conclusion: Are we safe?
● DEP and ASLR together are a powerful mix, one complements the other.
● You will see less and less public practical exploitation against Win7/server 2008 as both mechanisms are on by default.
● The 0day techniques to bypass these mitigations are worth more than 0days themselves. These will be kept private for sure.
Conclusions: Are we safe?
● Both the mitigations are on by default and will stop a fair amount of exploitation, but not all.
● Specific analysis on individual platforms/applications will need to be conducted to determine the exploitability and impact.
● This process will become expensive, so clients will miss out?
● Oh boy, and I haven't even talked about Protected Mode or EMET.
Thanks!
tecr0c, wireghoul, corelanc0d
Questions?