proprietary and confidential information – copyright© 2010 – all rights reserved preventing...

Preventing Intrusion PreventionApril 21, 2010

Ryan MacArthur, Labsrmacarthur@isightpartners.com

Quick Intro

• Don’t believe anything I say• Former ISI student (’08)• Worked at Symantec out of the gate– Security Response Team

• Interviewed with iSIGHT at BH Vegas 2009• Started work in October 2009

Outline

• Basics– Some C background

• Exploitation technique evolution

Outline

• Assignment – Hacking a webserver with DEP– Demonstrate understanding of topics discussed

• READ THE STANDARD (c99)– Grep for undefined– ‘sprintf … If copying takes place between objects

that overlap, the behavior is undefined’– ‘free … or if the space has been deallocated by a

call to free or realloc, the behavior is undefined’– ‘exit … a call to the longjump function is made that

would terminate the call to the registered function, the behavior is undefined’

int main(){ int a = 4; int b = 0x40000000; int c = a * b + 1; printf("%d\n", c); return 0;}

(*pf[f1()]) (f2(), f3() + f4())

(t4=f4(), t3=f3(), t2=f2(), t1=f1(), (*pf[t1]) (t2, t3 + t4))

int main(int argc, char** argv){ int glob = atoi(argv[1]); glob = (glob++, glob) + (glob++, glob); printf("%d\n", glob); return 0;}

C –O0• 0x00401085 <main+53>: call 0x40116c <atoi>• 0x0040108a <main+58>: mov %eax,-0x4(%ebp)• 0x0040108d <main+61>: lea -0x4(%ebp),%eax• 0x00401090 <main+64>: incl (%eax)• 0x00401092 <main+66>: lea -0x4(%ebp),%eax• 0x00401095 <main+69>: incl (%eax)• 0x00401097 <main+71>: mov -0x4(%ebp),%edx• 0x0040109a <main+74>: lea -0x4(%ebp),%eax• 0x0040109d <main+77>: add %edx,(%eax)• 0x0040109f <main+79>: mov -0x4(%ebp),%eax• 0x004010a2 <main+82>: mov %eax,0x4(%esp)• 0x004010a6 <main+86>: movl $0x402000,(%esp)• 0x004010ad <main+93>: call 0x40115c <printf>

C –O3

0x00401071 <main+33>: call 0x401140 <atoi>0x00401076 <main+38>: movl $0x402000,(%esp)0x0040107d <main+45>: lea 0x4(%eax,%eax,1),%eax0x00401081 <main+49>: mov %eax,0x4(%esp)0x00401085 <main+53>: call 0x401130 <printf>

int main(){ int x = 4; char y[] = "haberdashery"; printf("%c\n", 4[y]); return 0;}

Basics

void f(int a,int b,char *c){ char buf[2]; strcpy(buf,c);}

int main(){ char z[]="zangief"; f(1,2,z); return 0;}

0x000000010x00000002

“zangief\0”

$esp ->

call f()

0x000000010x00000002

$esp ->

“zangief\0”

return address

push %ebp

0x000000010x00000002

$esp ->

return address

“zangief\0”

frame pointer main() stack frame

mov %esp,%ebp

0x000000010x00000002

$esp ->

return address

“zangief\0”

frame pointer main() stack frame

0x000000010x00000002

0x0040\00feign

0x000000010x00000002

0x004010c0frame pointer

char[2] az

retaddr

“zangief\0”

0x00401068 <f+24>: leave 0x00401069 <f+25>: ret

• The LEAVE instruction copies the frame pointer (in the EBP register) into the stack pointer register (ESP), which releases the stack space allocated to the stack frame. The old frame pointer is then popped from the stack into the EBP register, restoring the calling procedure’s stack frame.

• RET Transfers program control to a return address located on the top of the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL instruction.

0x000000010x00000002

0x0040\00feignaz

“zangief\0”

$ebp->

0x000000010x00000002

0x0040\00feignaz

$ebp->$esp->

“zangief\0”

0x000000010x00000002

0x0040\00feignaz

$ebp->0x6569676e

$esp->

“zangief\0”

0x000000010x00000002

0x0040\00feignaz

$ebp->0x6569676e

$esp->

$eip->0x00400066 “zangief\0”

Now you’ve owned the stack

• Now what?• Get shellcode into your string buffer• Overwrite eip with address of shellcode

Shellcode

smashed EBPPtr to shellcode

Problems Arise

• How do I know what address my shellcode is at?

Shellcode

smashed EBP??????????

Well you might not

Shellcode

smashed EBPPtr to shellcode

First Abstract defense mechanism

• Why should there ever be a need to execute code off the stack?

• Well then,make the stack non-executable• Boom – screwed.

Where to put our shellcode?

Basics

void f(int a,int b,char *c){ char t[8]; for(;a <= 8; a++) { t[a]=c[a]; }}

int main(){ char z[]="zangief!"; f(0,2,z); return 0;}

Off-by-one

Local buffer

Saved EBPSaved EIP

Local bufferSaved EBPSaved EIP

leave(mov ebp,esp)(pop ebp)

ret(pop eip)

…leaveretowned.

Saved ebp: 0x0022cd28

1 byte overwrite ebp: 0x0022cd00

• -fomit-frame-pointer

Dump of assembler code for function:0x00401130 <g+0>: push %ebp0x00401131 <g+1>: mov %esp,%ebp0x00401133 <g+3>: sub $0x10,%esp0x00401136 <g+6>: mov 0x8(%ebp),%eax0x00401139 <g+9>: mov %eax,-0x4(%ebp)0x0040113c <g+12>: leave 0x0040113d <g+13>: ret

Dump of assembler code for function:0x00401130 <g+0>: sub $0x10,%esp0x00401133 <g+3>: mov 0x14(%esp),%eax0x00401137 <g+7>: mov %eax,0xc(%esp)0x0040113b <g+11>: add $0x10,%esp0x0040113e <g+14>: ret

Heap Overflows

• Onto Function Pointer

Stack Canaries

• /GS flag in visual studio• Protects against buffer overflows– How?

Stack Canaries

sub esp,20h…add esp20h ret

sub esp,24h mov eax,dword ptr [___security_cookie (408040h)] xor eax,dword ptr [esp+24h] mov dword ptr [esp+20h],eax …mov ecx,dword ptr [esp+20h] xor ecx,dword ptr [esp+24h] add esp,24h jmp __security_check_cookie (4010B2h)

Stack Canaries

• How do you defeat them?• Not all functions get protected• Even if they do….

• Windows Structured Exception Handling

typedef struct _EXCEPTION_REGISTRATION_RECORD { struct _EXCEPTION_REGISTRATION_RECORD *Next; PEXCEPTION_ROUTINE Handler; } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

Ptr to next Ptr to Handler

0xffffffff

Abusing SEH

Jmp short Ptr to Handler

bufferSaved ebpSaved eip

pop $x pop $yret

shellcode

Ptr to next

Software DEP

• Safe Structured Exception Handling. (SafeSEH)• Compile time– /SafeSEH option in visual studio

SafeSEH

• IE8 on xpsp3:

• SEH Overwrite Protection• SEHOP is enabled by default on Windows

Server 2008 and disabled by default on Windows Vista SP1.

• Can be turned on via registry

Ptr to next Ptr to final handler Ntdll!FinalExcepion

Memory

• Interview question used at google & msft:– How would you find out if a machine’s stack grows

up or down in memory?

#include <stdio.h>

void sub(int *a) { int b;

if (&b > a) { printf("Stack grows up. a:%p b:%p\n",a,&b); } else { printf("Stack grows down. a:%p b:%p\n",a,&b); }}

main () { int a; sub(&a);}

Memory

• Actual memory isnt top down and is can be all over the place

• Gaps cause problems for us, because we might want some memory layout continuity

Virtual memory

Actual virtual memory:

Filling the gaps

• How?

Heap spray example

• What is a heap spray?– Just fill memory– Was popularized before DEP was implemented– Easy to do with anything:• Flash• Javascript in browser• Script in pdf• Images • Java• html

• Actual spray=>

Hardware DEP

• Included in all newer windows supported processors: (Intel x86/IA-64, AMD amd64, ARM ARMv6). If this bit is set for the page that the CPU is executing code on (for instance mapped as a PAGE_READWRITE) the CPU will generate a STATUS_ACCESS_VIOLATION (0xC0000005) access violation exception.

/noexecute [OptIn | OptOut | AlwaysOn | AlwaysOff ]

• Opt-in: (Default for XPSP2, XPSP3, and Vista) In this mode of operation DEP is enabled only for processes that explicitly opt-in to DEP.

• Opt-Out: (Default for Windows Server 2003 and Windows Server 2008) In this mode of operation DEP is enabled by default for all processes except those that explicitly opt-out of DEP.

• Always On: In this mode of operation DEP is always enabled for all processes regardless of whether the program is compatible with DEP or not.

• Always-Of: In this mode of operation DEP is always disabled for all processes.

DEPKPROCESS struct;

typedef struct _KEXECUTE_OPTIONS{ ULONG ExecuteDisable: 1; ULONG ExecuteEnable: 1; ULONG DisableThunkEmulation: 1; ULONG Permanent: 1; ULONG ExecuteDispatchEnable: 1; ULONG ImageDispatchEnable: 1; ULONG Spare: 2;} KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;

• SetProcessDEPPolicy()• NtSetProcessInformation()

Cant execute code here

Defeating DEP

• Any ideas?

Assigned Reading

• The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)

• The Advanced Return-into-lib(c) Exploits: PaX case study

• x86-64 Buffer Overflow Exploits and the Borrowed Code Chunks Exploitation Technique

Assigned Reading

• Why were these papers good/bad?

Assigned Reading

• Evolutionary exploitation techniques• Hey, its easier to just jmp into .text segments

int system(const char *command);

Ret2libc Fundamentals

Local buffer

Address of system()

“useradd mac –g wheel”

Fake retaddrchar *

Smashed ebp

Local buffer

Address of system()

Fake retaddrarg1

Smashed ebp

$esp->

0x0040108c <main+60>: ret

Local buffer

Address of system()

Fake retaddrarg1

Smashed ebp

$esp->

Now system() does its thing…0x004010db <system+101>: ret

Local buffer

Address of system()

Fake retaddrarg1

Smashed ebp

$esp->

Now we land at fake retAnd $esp points to arg1!

Ret2libc limitations

Local bufferAddress of system()

Nex function() to call

char *

System() stack frame

Same argument as we passed to system()!

So we can only call one func…

• damn

Or can we…

• How can we string together multiple calls?

esp lifting with frame pointers

Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

$esp->

0x0040108c <main+60>: ret

Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

0x0040108c <setuid+60>: ret

$esp->

Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

$esp->

0x100bc0c0: pop

Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

0x100bc0c0: ret

$esp->

Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

In system()Here system will return into 0xffffffff

$esp->

Advancements…

• If using -fomit-frame-pointers

Dump of assembler code for function g:0x00401130 <g+0>: sub $0x10,%esp0x00401133 <g+3>: mov 0x14(%esp),%eax0x00401137 <g+7>: mov %eax,0xc(%esp)0x0040113b <g+11>: add $0x10,%esp0x0040113e <g+14>: ret

esp lifting

Local buffer

Address of setuid()

Address of system()

0xffffffff

Address of epilog

setuid() arg

0xffffffff

args+pad = stack adjustment

system() arg

Frame FakingLocal bufferSaved EBPSaved EIP

Local bufferFake ebp0

Addr of leave-ret

Fake ebp1

Addr of setuid()

Addr of leave-ret

Arg to setuid()

Fake ebp2

Addr of system()

Addr of leave-ret

Arg to system()

• Return oriented programming– logical extension of ret2libc– Can use chunks from anywhere

emptyempty

Pop %eaxret

Pop %espret

lcall %gs:0x10(,0)ret

Local buffer

Saved EBPSaved EIP

args Syscall index

Smashed ebp

Smashed buffer

What if …

pop %ebpLeaveret

Defeating DEP

• Might be able to turn it off by jumping to – SetProcessDEPPolicy()

• Allocate some memory that’s executable– VirtualAlloc(),

• Change permissions on already allocated mem– VirtualProtect()

• Write directly to already executable memory– WriteProcessMemory()

Whew..

• So wow, things look pretty bad right?– Welllllll….– What ways can we prevent these type of attacks?

Linux ASLR

• 32 bit address space prevents serious randomization of ‘objects’

• Executables will have 255 possible load address locations, offset from the preferred image base

• The first DLL (NTDLL.DLL) will load in 1 of 256 possible locations, but the order in which following dlls are loaded will be randomized.

• Thread stacks start at a maximum offset of 7FC bytes from the stack base

• Process heap will start at a maximum offset of 2MB from the heap base.

Exploitation Timeline

Exploitation Timline

Windows Security Mechanisms

Mac’s Conjecture

• To own, you must do one of the following: – (1) introduce/execute arbitrary code– (2) execute existing code out of original program

order– (3) execute existing code in original program order

with arbitrary data

Where’s the FEEB

• Instruction Set randomization

Encoded Instruction

Stream

Encoding Key

Take a closer look…

… Weeee

Via Punk Ode: Hiding Shellcode in Plain Sight, Greg MacManus

Assignment

• NIST Configured XP images– Federal desktop core configuration– http://nvd.nist.gov/fdcc/

• Compiled webserver– Coded in C– In C:\project\httpd.exe

• RE/debugging tools already installed• I (should) have DVD’s to hand out

Assignment

• 2 ways to complete it– Figure out the secret (standard) – Own process (advanced)

• Plural of bonus:– Don’t use my exploit.c• Find the vuln yourself, and own the httpd

– Don’t crash the httpd

• This page Intentionally Left Blank

proprietary and confidential information – copyright© 2010 – all rights reserved preventing...

rights reserved c o3

rights reserved outline

int glob

f slide

0x401130 slide

c return

x 0x00401092

x 0x00401097

Documents

intrusion tolerance mete geleŞ. overview ...

macarthur - philippians

macarthur football advert -...

integrated intrusion detection services for z/os...

macarthur beach

macarthur - wordpress.com

moffett rab epa vapor intrusion update, september 9, 2010

macarthur memorial

n map of the federal electoral division of macarthur ... ·...

douglas macarthur high school€¦ · web viewdouglas...

projektgruppe 542 stream mining for intrusion … ·...

douglas macarthur

macarthur park

macarthur - hechos

macarthur news · 10/10/2016 · 2016 macarthur...

global migration - macarthur foundation - macarthur...

cdi macarthur

intrusion detection intrusion detection intrusion detection...

“the ministry of john macarthur has had a worldwide...

douglass macarthur