Intro to Windows Exploit Techniques for Linux PWNers

Date post: 18-Feb-2022
Atum

About me

• Atum
• @blue-lotus
• @TeaDeliverers
• @PekingUniversity

• Keywords
  • Software Security, System Security
  • CTF PWNer, Weak Chicken


Outline

• Basics
• Windows Exploit Toolchains
• Windows Security Mitigations
• Linux Exploit Techniques on Windows
• Windows-only Exploit Techniques

Basics

PE/COFF File Format
• DOS Header
  • MZ signature
• PE File Header
  • Entry Point
  • Data Directory
• Section Table
  • Table of Section Headers

Basics

PE/COFF File Format
• Import Address Table
  • Similar to the ELF GOT
  • Read-only
• Export Address Table
  • Exported functions of a module
  • Read-only

Basics

Important DLLs
• ntdll.dll
  • Interface between user space and the kernel
  • Exports the Windows Native API
  • Resides in write-protected pages; shared base among processes
• kernel32.dll
  • Imports ntdll.dll
  • Exports the Windows API
  • Resides in write-protected pages; shared base among processes
• msvcrxxx.dll
  • Microsoft C runtime library (similar to glibc)

Windows Exploit Toolchains

General Tools
• Cygwin
  • A bash environment on Windows
• Pwintools
  • A simple script used to interact with executables, like pwntools
• Process Explorer
  • An enhanced version of tasklist
• Visual Studio
  • Developer Command Prompt

Windows Exploit Toolchains

Debuggers
• WinDbg
  • Recommended, very powerful
• IDA Pro Debugger
  • A debugger front-end supporting multiple backend debuggers such as gdb and WinDbg
• OllyDbg
  • Easy and powerful, but cannot debug x64 programs
• x64dbg
  • Similar to OllyDbg, can debug x64 programs, but short of plugins

Windows Security Mitigations

General Exploit Mitigations
• DEP
• ASLR
• CFG

Windows Security Mitigations

DEP
• NX on Linux
• Bypassed by
  • ROP
  • JIT pages, VirtualProtect, etc.

Windows Security Mitigations

ASLR
• Slightly different from PIE & ASLR on Linux
• Image randomization: the base changes every time the system boots
• TEB/PEB/heap/stack randomization: the base changes every time a process starts
• Some kernel-related DLLs (such as ntdll.dll, kernel32.dll) share their base among all processes
• Bypassed by
  • Info leak (cross-process is OK)
  • Brute force (Win7 x64, Win10 x86)
  • Attack non-ASLR images or top-down allocation (Win7)

Windows Security Mitigations

Control Flow Guard
• All indirect calls are checked against a predefined read-only bitmap
• Attacking vtables is history now
• Bypassed by
  • Overwrite CFG-unprotected values (return address, SEH handler, etc.)
  • Overwrite a CFG-disabled module
  • COOP++

Windows Security Mitigations

Stack-based Vulnerability Mitigations
• GS
• SafeSEH
• SEHOP

Windows Security Mitigations

GS
• Similar to the stack canary
• Bypassed by
  • Corrupt SEH (x86)
  • Stack underflow
  • Non-linear write

Windows Security Mitigations

SafeSEH (x86)
• Checks whether the handler is valid before calling the exception handler
• Bypassed by
  • Corrupt the handler to point into an image with SEH but without SafeSEH

Windows Security Mitigations

SEHOP (x86)
• Checks whether the SEH chain ends with ntdll!FinalExceptionHandler
• Bypassed by
  • Leak a stack address and recover the SEH chain
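As an added example (not from the slides) serving both the SafeSEH and SEHOP slides above, a Python model of the two checks the dispatcher performs before an exception handler runs: SafeSEH's handler validation and SEHOP's chain walk to ntdll!FinalExceptionHandler. The 32-bit stack, module table, handler addresses and the FinalExceptionHandler address are all constructed sample values, and the stack is modeled as a dict of 32-bit words.

```python
# Constructed 32-bit model of the SafeSEH and SEHOP checks; every address below is a sample value.
CHAIN_END = 0xFFFFFFFF                          # Next pointer that terminates the registration list
FINAL_HANDLER = 0x77A02340                      # stand-in for ntdll!FinalExceptionHandler
STACK_LO, STACK_HI = 0x0019C000, 0x001A0000     # stack limits as the TEB would report them

# Loaded modules: (name, base, size, SafeSEH handler table, or None if linked without SafeSEH).
MODULES = [
    ("ntdll.dll", 0x77A00000, 0x100000, {FINAL_HANDLER, 0x77A05550}),
    ("app.exe", 0x00400000, 0x10000, {0x00401230}),
    ("legacy.dll", 0x10000000, 0x8000, None),
]

def read32(stack, addr):
    return stack.get(addr, 0)                   # unmapped words read as zero in this model

def rtl_is_valid_handler(handler):
    """SafeSEH model: the handler must lie inside a loaded image; if that image has a handler
    table the address must be listed in it. An image without a table is accepted as-is."""
    for _, base, size, table in MODULES:
        if base <= handler < base + size:
            return table is None or handler in table
    return False                                # handler on the stack/heap or unmapped: reject

def sehop_chain_ok(stack, head):
    """SEHOP model: walk Next pointers from the TEB head; every record must be on the stack,
    4-byte aligned and ascending, and the final record's handler must be FinalExceptionHandler."""
    cur, hops = head, 0
    while cur != CHAIN_END:
        if cur % 4 or not (STACK_LO <= cur <= STACK_HI - 8) or hops > 0x1000:
            return False                        # record off-stack, misaligned, or a cycle
        nxt = read32(stack, cur)
        if nxt == CHAIN_END:
            return read32(stack, cur + 4) == FINAL_HANDLER
        if nxt <= cur:
            return False                        # chain must grow toward the stack base
        cur, hops = nxt, hops + 1
    return False                                # empty chain: no final record at all

def dispatch_allowed(stack, head):
    """Both checks as the dispatcher applies them: SEHOP on the chain, SafeSEH on every handler."""
    if not sehop_chain_ok(stack, head):
        return False
    cur = head
    while cur != CHAIN_END:
        if not rtl_is_valid_handler(read32(stack, cur + 4)):
            return False
        cur = read32(stack, cur)
    return True

def sample_stack():
    """Constructed intact chain: one app.exe frame record followed by the final ntdll record."""
    return {0x0019F800: 0x0019FF70, 0x0019F804: 0x00401230,
            0x0019FF70: CHAIN_END, 0x0019FF74: FINAL_HANDLER}
```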

Windows Security Mitigations

Heap-based Vulnerability Mitigations
• Metadata check & hardening
• LFH allocation randomization
• VirtualAlloc randomization

Windows Security Mitigations

Metadata check & hardening
• Almost impossible to attack heap metadata
  • Safe unlink
  • Replace lookaside lists with the LFH
  • Heap cookies & guard pages
    • Heap cookies are checked in some places such as entry free
    • Zero-permission guard pages after VirtualAlloc memory
  • Metadata encoding
• Pointer encoding
  • Almost all function pointers are encoded, such as VEH, UEF, CommitRoutine, etc.
• Bypassed by
  • Overflow user data

Windows Security Mitigations

Metadata check & hardening

Windows Security Mitigations

VirtualAlloc randomization
• ptr = VirtualAlloc(size + random); return ptr + random
LFH allocation randomization
• GetNextFreedLFHBlock(random_start_index)
• Bypassed by
  • Allocate an LFH-unhandled size (larger than 0x4000)
  • Allocate an LFH-disabled size (the LFH for a specific size is enabled only after the allocation count exceeds some threshold)
  • Heap spray
  • Brute force

Linux Exploit Techniques on Windows

General Exploit Techniques
• Heap metadata attack (off-by-one, house of xxx, xxxbin attack)
  • Hard, heap metadata is well protected on Windows
• Heap manipulation (heap feng shui or similar)
  • A little hard due to LFH allocation randomization
• Stack canary overwrite
  • OK, the stack cookie is in the .data section and writable

Linux Exploit Techniques on Windows

General Exploit Techniques
• Return-oriented programming
  • Sometimes hard, indirect calls are protected by CFG
• Disable DEP via an mprotect-like function
  • OK, VirtualProtect on Windows
• System-call-style shellcode
  • Hard, Windows system calls are not well documented and vary by version

Linux Exploit Techniques on Windows

Information Leak Techniques
• Non-PIE binary, fixed binary base
  • Hard, binary bases change every time the system reboots
• Leak shared object base via GOT/GOT_PLT
  • OK, the IAT is still readable
• Dynamic-link-related techniques such as DYNELF, ret2dlresolve
  • No lazy binding, ret2dlresolve-related techniques are unavailable
  • IAT/EAT are readable, DYNELF-like things are still available

Linux Exploit Techniques on Windows

Information Leak Techniques
• Leak stack address via a non-stack address (such as libc environ)
  • OK, stack addresses can be leaked via the heap, TEB, etc.
• Leak address via format string bug
  • No $ sign, a little hard
• Leak stack/SO/binary base address via uninitialized stack buffer (OK)
• Leak memory via __stack_chk_fail
  • Impossible, __report_gsfailure doesn't print anything

Linux Exploit Techniques on Windows

Control Flow Hijack Techniques
• GOT overwrite
  • Impossible, the IAT on Windows is read-only
• Internal function pointer overwrite (_IO_FILE_jump, free hook, etc.)
  • Hard, some function pointers are encoded or removed
  • UEF/VEH encoded; PEB RtlEnterCriticalSection/RtlLeaveCriticalSection removed
  • Some function pointers such as the SEH handler are still writable

Linux Exploit Techniques on Windows

Control Flow Hijack Techniques
• Vtable overwrite
  • Hard, CFG limits the overwritten value to a function start
• Return address non-linear overwrite (OK)
• User function pointer overwrite (OK)

Windows-only Exploit Techniques

Bypass GS via SEH (x86)
• What is SEH
  • For a function containing a try..except block, a VC_EXCEPTION_REGISTRATION struct is pushed onto the stack
• Overwrite the handler and trigger an exception to hijack control flow

Windows-only Exploit Techniques

Bypass GS by overwriting SEH
• Bypass SafeSEH
  • Corrupt the handler to point into an image with SEH but without SafeSEH (the only way, see ntdll.dll!RtlIsValidHandler)
• Bypass SEHOP
  • Leak a stack address, recover the SEH chain
  • A little hard

Windows-only Exploit Techniques

• x86 address brute force
  • Only 8 bits of randomization entropy for x86 image & DLL bases
• Cross-binary leak
  • Some kernel-related DLLs (such as ntdll.dll, kernel32.dll) share their base among all processes
• Cross same-binary process leak
  • Image randomization: the base changes every time the system boots
