Page 1
Proprietary and Confidential Information – Copyright © 2010 – All Rights Reserved
Preventing Intrusion Prevention
April 21, 2010
Ryan MacArthur, Labs, rmacarthur@isightpartners.com
Page 2
Quick Intro
• Don’t believe anything I say
• Former ISI student (’08)
• Worked at Symantec out of the gate
– Security Response Team
• Interviewed with iSIGHT at BH Vegas 2009
• Started work in October 2009
Page 3
Hi
Page 4
Outline
• Basics
– Some C background
• Exploitation technique evolution
Page 5
Outline
• Assignment – Hacking a webserver with DEP
– Demonstrate understanding of topics discussed today
Page 6
C
• READ THE STANDARD (C99)
– Grep for "undefined"
– ‘sprintf … If copying takes place between objects that overlap, the behavior is undefined’
– ‘free … or if the space has been deallocated by a call to free or realloc, the behavior is undefined’
– ‘exit … a call to the longjmp function is made that would terminate the call to the registered function, the behavior is undefined’
Page 7
C
```c
#include <stdio.h>

int main(void)
{
    int a = 4;
    int b = 0x40000000;
    /* 4 * 2^30 = 2^32 does not fit in a 32-bit int: signed overflow is
     * undefined behavior, so the compiler may print anything here */
    int c = a * b + 1;
    printf("%d\n", c);
    return 0;
}
```
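The slide's `a * b + 1` overflows, and C99 leaves the result undefined. As an added example that is not from the talk, here is the check a defensive program performs before the arithmetic, using only operations that cannot themselves overflow; `safe_mul`, `safe_add` and `slide_expression` are names chosen for this example, not standard library functions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not the talk's code. Signed overflow is undefined in
 * C99 (6.5p5), so the range must be established before the operation. */

/* Stores a*b in *out and returns true if the product fits in an int. */
bool safe_mul(int a, int b, int *out)
{
    if (a == 0 || b == 0) { *out = 0; return true; }
    /* Each sign case rearranges the bound so that only a division is
     * evaluated; none of the divisions below can overflow for these signs. */
    if (a > 0 && b > 0 && a > INT_MAX / b) return false;
    if (a > 0 && b < 0 && b < INT_MIN / a) return false;
    if (a < 0 && b > 0 && a < INT_MIN / b) return false;
    if (a < 0 && b < 0) {
        if (a == INT_MIN || b == INT_MIN) return false;   /* -INT_MIN itself overflows */
        if (-a > INT_MAX / -b) return false;
    }
    *out = a * b;
    return true;
}

/* Stores a+b in *out and returns true if the sum fits in an int. */
bool safe_add(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) return false;
    *out = a + b;
    return true;
}

/* The slide's expression, a * b + 1, evaluated only when every step fits. */
bool slide_expression(int a, int b, int *out)
{
    int product;
    return safe_mul(a, b, &product) && safe_add(product, 1, out);
}

int main(void)
{
    int c;
    if (slide_expression(4, 0x40000000, &c))
        printf("%d\n", c);
    else
        printf("4 * 0x40000000 + 1 does not fit in an int; refusing to compute it\n");
    return 0;
}
```

GCC and Clang also provide `__builtin_mul_overflow` and `__builtin_add_overflow`, which perform the same check in one call; the division form above is the portable version.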
Page 8
C
```c
(*pf[f1()]) (f2(), f3() + f4())
```
Page 9
C
```c
(t4=f4(), t3=f3(), t2=f2(), t1=f1(), (*pf[t1]) (t2, t3 + t4))
```
One of the evaluation orders the compiler may pick for the call on the previous slide; C99 leaves the order in which the function designator and the arguments are evaluated unspecified.
Page 10
C
```c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    if (argc < 2) return 1;   /* the slide omits this check; argv[1] must exist */
    int glob = atoi(argv[1]);
    /* glob is modified twice with no sequence point between the two
     * operands of +, which is undefined behavior: -O0 and -O3 are free
     * to produce different results (next two slides) */
    glob = (glob++, glob) + (glob++, glob);
    printf("%d\n", glob);
    return 0;
}
```
Page 11
C –O0
```asm
0x00401085 <main+53>: call 0x40116c <atoi>
0x0040108a <main+58>: mov %eax,-0x4(%ebp)
0x0040108d <main+61>: lea -0x4(%ebp),%eax
0x00401090 <main+64>: incl (%eax)
0x00401092 <main+66>: lea -0x4(%ebp),%eax
0x00401095 <main+69>: incl (%eax)
0x00401097 <main+71>: mov -0x4(%ebp),%edx
0x0040109a <main+74>: lea -0x4(%ebp),%eax
0x0040109d <main+77>: add %edx,(%eax)
0x0040109f <main+79>: mov -0x4(%ebp),%eax
0x004010a2 <main+82>: mov %eax,0x4(%esp)
0x004010a6 <main+86>: movl $0x402000,(%esp)
0x004010ad <main+93>: call 0x40115c <printf>
```
Page 12
C –O3
```asm
0x00401071 <main+33>: call 0x401140 <atoi>
0x00401076 <main+38>: movl $0x402000,(%esp)
0x0040107d <main+45>: lea 0x4(%eax,%eax,1),%eax
0x00401081 <main+49>: mov %eax,0x4(%esp)
0x00401085 <main+53>: call 0x401130 <printf>
```
Page 13
C
```c
#include <stdio.h>

int main(void)
{
    int x = 4;   /* unused on the slide */
    char y[] = "haberdashery";
    /* 4[y] is *(4 + y), which is the same as y[4]: prints 'r' */
    printf("%c\n", 4[y]);
    return 0;
}
```
Page 14
Basics
```c
#include <string.h>

/* Deliberately unsafe, as on the slide: strcpy() copies the whole 8-byte
 * string "zangief\0" into a 2-byte buffer, running over the saved EBP
 * and the return address shown on the following slides. */
void f(int a, int b, char *c)
{
    char buf[2];
    strcpy(buf, c);
}

int main(void)
{
    char z[] = "zangief";
    f(1, 2, z);
    return 0;
}
```
Page 15
Stack diagram – `call f()`:
0x00000001  0x00000002  “zangief\0”   (the arguments a, b, c)
$esp ->
Page 16
Stack diagram – `push %ebp`:
0x00000001  0x00000002  “zangief\0”   (arguments)
return address
$esp ->
Page 17
Stack diagram – `mov %esp,%ebp`:
0x00000001  0x00000002  “zangief\0”   (arguments)
return address
frame pointer of the main() stack frame
$esp ->
Page 18
Stack diagram:
0x00000001  0x00000002  “zangief\0”   (arguments)
return address
frame pointer of the main() stack frame
$esp ->
Page 19
Stack diagram – after `strcpy(buf, c)`:
0x00000001  0x00000002   (arguments)
0x0040 \0 f e i g n       (retaddr and frame pointer, overwritten by the string)
0x004010c0  frame pointer
char[2]:  a z
retaddr
“zangief\0”
Page 20
```asm
0x00401068 <f+24>: leave
0x00401069 <f+25>: ret
```
Page 21
• The LEAVE instruction copies the frame pointer (in the EBP register) into the stack pointer register (ESP), which releases the stack space allocated to the stack frame. The old frame pointer is then popped from the stack into the EBP register, restoring the calling procedure’s stack frame.
• RET Transfers program control to a return address located on the top of the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL instruction.
Page 22
Stack diagram – `leave`, before it runs:
0x00000001  0x00000002   (arguments)
0x0040 \0 f e i g n a z   (retaddr, saved frame pointer and buf after the overflow)
“zangief\0”
$ebp ->
Page 23
Stack diagram – `leave`: mov %ebp,%esp
0x00000001  0x00000002   (arguments)
0x0040 \0 f e i g n a z
$ebp -> $esp ->
“zangief\0”
Page 24
Stack diagram – `leave`: pop %ebp
0x00000001  0x00000002   (arguments)
0x0040 \0 f e i g n a z
$ebp -> 0x6569676e   (“ngie” read as a little-endian dword)
$esp ->
“zangief\0”
Page 25
Stack diagram – `ret`: pop %eip
0x00000001  0x00000002   (arguments)
0x0040 \0 f e i g n a z
$ebp -> 0x6569676e
$esp ->
$eip -> 0x00400066   (“f\0” landed in the low bytes of the return address)
“zangief\0”
Page 26
Now you’ve owned the stack
• Now what?
• Get shellcode into your string buffer
• Overwrite eip with address of shellcode
Page 27
Stack diagram:
Shellcode
smashed EBP
Ptr to shellcode
args
Page 28
Problems Arise
• How do I know what address my shellcode is at?
Stack diagram:
Shellcode
smashed EBP
??????????   (the return address needs the shellcode’s address)
args
Page 29
Well, you might not: guess
Stack diagram:
Shellcode
smashed EBP
Ptr to shellcode
args
Page 30
First Abstract defense mechanism
• Why should there ever be a need to execute code off the stack?
• Well then, make the stack non-executable
• Boom – screwed.
Page 31
Where to put our shellcode?
Heap
Stack
Page 32
Basics
```c
/* Deliberately off by one, as on the slide: t has indices 0..7, but the
 * loop condition a <= 8 runs a ninth iteration and writes t[8]. */
void f(int a, int b, char *c)
{
    char t[8];
    for (; a <= 8; a++) {
        t[a] = c[a];
    }
}

int main(void)
{
    char z[] = "zangief!";   /* 8 characters plus NUL, so c[8] is the terminator */
    f(0, 2, z);
    return 0;
}
```
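Both overflows in this section, the `strcpy()` into `char buf[2]` on the Basics slide and the `a <= 8` loop bound here, come from copying without regard for the destination's size. The following added example (mine, not the talk's code) shows the bounded forms a fix would use; `copy_bounded` and `copy_loop` are names chosen for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the talk's code. Both slide functions write past the
 * end of a local array; these versions take the destination capacity as
 * an argument and never write outside [0, cap). */

/* Bounded replacement for strcpy(buf, c). Always NUL-terminates when
 * cap > 0. Returns true if the whole source fit, false on truncation. */
bool copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t len;
    if (cap == 0)
        return false;                  /* no room even for the terminator */
    len = strlen(src);
    if (len < cap) {
        memcpy(dst, src, len + 1);     /* fits, terminator included */
        return true;
    }
    memcpy(dst, src, cap - 1);         /* truncate, leaving room for the NUL */
    dst[cap - 1] = '\0';               /* last valid index is cap-1, never cap */
    return false;
}

/* Corrected form of the slide's loop. `for (; a <= 8; a++) t[a] = c[a];`
 * executes nine times for an 8-byte t; bounding on `i < cap` stops at
 * eight. Like the slide it copies raw bytes and adds no terminator.
 * Returns the number of bytes copied. */
size_t copy_loop(char *dst, size_t cap, const char *src)
{
    size_t i;
    for (i = 0; i < cap && src[i] != '\0'; i++)
        dst[i] = src[i];
    return i;
}

int main(void)
{
    char buf[2];
    char t[8];
    bool fit = copy_bounded(buf, sizeof buf, "zangief");
    size_t n = copy_loop(t, sizeof t, "zangief!");
    printf("buf=\"%s\" fit=%d, loop copied %zu bytes\n", buf, fit, n);
    return 0;
}
```

The capacity is passed explicitly rather than derived inside the callee because, after the array decays to a pointer, `sizeof` no longer tells the callee anything about the buffer.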
Page 33
Off-by-one
Before:  Local buffer | Saved EBP | Saved EIP | args
After:   Local buffer | Saved EBP (low byte overwritten) | Saved EIP | args
leave  (mov ebp,esp; pop ebp)
ret    (pop eip)
… leave, ret: owned.
Saved ebp: 0x0022cd28
1-byte overwrite, ebp: 0x0022cd00
Page 34
• -fomit-frame-pointer
Without -fomit-frame-pointer:
```asm
Dump of assembler code for function g:
0x00401130 <g+0>:  push %ebp
0x00401131 <g+1>:  mov %esp,%ebp
0x00401133 <g+3>:  sub $0x10,%esp
0x00401136 <g+6>:  mov 0x8(%ebp),%eax
0x00401139 <g+9>:  mov %eax,-0x4(%ebp)
0x0040113c <g+12>: leave
0x0040113d <g+13>: ret
```
With -fomit-frame-pointer:
```asm
Dump of assembler code for function g:
0x00401130 <g+0>:  sub $0x10,%esp
0x00401133 <g+3>:  mov 0x14(%esp),%eax
0x00401137 <g+7>:  mov %eax,0xc(%esp)
0x0040113b <g+11>: add $0x10,%esp
0x0040113e <g+14>: ret
```
Page 35
Heap Overflows
• Onto Function Pointer
Page 36
Stack Canaries
• /GS flag in Visual Studio
• Protects against buffer overflows
– How?
Page 37
Stack Canaries
Without /GS:
```asm
sub esp,20h
…
add esp,20h
ret
```
With /GS:
```asm
sub esp,24h
mov eax,dword ptr [___security_cookie (408040h)]
xor eax,dword ptr [esp+24h]
mov dword ptr [esp+20h],eax
…
mov ecx,dword ptr [esp+20h]
xor ecx,dword ptr [esp+24h]
add esp,24h
jmp __security_check_cookie (4010B2h)
```
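To make the listing concrete, here is the same cookie arithmetic written as plain C, as an added example that is not part of the talk: the cookie XORed with the frame address is stored between the local buffer and the saved EBP/EIP, and the epilogue check recomputes the XOR. The `struct frame`, the `SECURITY_COOKIE` constant and the function names are constructed for this example; the real cookie is chosen at load time and the real slot is placed by the compiler.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the talk's code: a C model of the /GS check in the
 * listing above. SECURITY_COOKIE is a constructed constant standing in
 * for __security_cookie, which the loader randomises per module. */
#define SECURITY_COOKIE 0x2B992DDFu

/* Stand-in for the frame laid out by the compiler: the local buffer,
 * then the cookie slot, then the saved EBP and the return address. */
struct frame {
    char     buf[8];        /* the local buffer an overflow starts in */
    uint32_t cookie_slot;   /* canary: any overrun of buf hits this first */
    uint32_t saved_ebp;     /* stand-ins for the return linkage */
    uint32_t saved_eip;
};

/* `xor eax,[esp+24h]`: the stored value is tied to the frame address. */
static uint32_t frame_key(const struct frame *f)
{
    return (uint32_t)(uintptr_t)f;
}

/* Prologue: mov eax,[__security_cookie]; xor eax,[esp+24h]; mov [esp+20h],eax */
static void arm_canary(struct frame *f)
{
    f->cookie_slot = SECURITY_COOKIE ^ frame_key(f);
}

/* Epilogue: mov ecx,[esp+20h]; xor ecx,[esp+24h]; jmp __security_check_cookie
 * Returns true if the slot still holds what the prologue stored. */
static bool canary_intact(const struct frame *f)
{
    return (f->cookie_slot ^ frame_key(f)) == SECURITY_COOKIE;
}

/* Simulates a function that copies n attacker-controlled bytes into its
 * 8-byte local with no bounds check. The copy targets the frame object
 * as a whole so it stays inside one C object while still running from
 * buf into the slots above it, as a real overflow does.
 * Returns true if the /GS check would allow the function to return. */
bool run_with_overflow(size_t n)
{
    struct frame f;
    unsigned char payload[sizeof f];
    memset(payload, 'A', sizeof payload);   /* constructed overflow data */
    memset(&f, 0, sizeof f);
    if (n > sizeof f)
        n = sizeof f;
    arm_canary(&f);
    memcpy(&f, payload, n);                 /* the unchecked copy */
    return canary_intact(&f);
}

int main(void)
{
    size_t n;
    for (n = 6; n <= 12; n += 2)
        printf("%2zu bytes copied into char[8]: %s\n", n,
               run_with_overflow(n) ? "cookie intact" : "__security_check_cookie fails");
    return 0;
}
```

The model shows what the check does and does not cover: a linear overrun of `buf` must cross `cookie_slot` before it reaches the saved EBP or EIP, so it is caught at the epilogue, but nothing is checked until the function returns, and a write that does not pass through the slot is not seen by it.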
Page 38
Stack Canaries
• How do you defeat them?
• Not all functions get protected
• Even if they do….
Page 39
SEH
• Windows Structured Exception Handling
```c
typedef struct _EXCEPTION_REGISTRATION_RECORD {
    struct _EXCEPTION_REGISTRATION_RECORD *Next;
    PEXCEPTION_ROUTINE Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;
```
Page 40
SEH
SEH chain (each record: Ptr to next | Ptr to Handler):
Ptr to next | Ptr to Handler
Ptr to next | Ptr to Handler
Ptr to next | Ptr to Handler
0xffffffff   (end of chain)
Page 41
Abusing SEH
Jmp short   | Ptr to Handler   (overwritten record)
Ptr to next | Ptr to Handler
Ptr to next | Ptr to Handler
Ptr to next | Ptr to Handler
Ptr to next | Ptr to Handler
Ptr to next | Ptr to Handler
buffer | Saved ebp | Saved eip
pop $x; pop $y; ret
shellcode
Ptr to next
Page 42
Software DEP
• Safe Structured Exception Handling (SafeSEH)
• Compile time
– /SafeSEH option in Visual Studio
Page 43
SafeSEH
• IE8 on xpsp3:
Page 44
SEHOP
• SEH Overwrite Protection
• SEHOP is enabled by default on Windows Server 2008 and disabled by default on Windows Vista SP1.
• Can be turned on via the registry
Page 45
SEHOP
Ptr to next | Ptr to Handler
Ptr to next | Ptr to Handler
Ptr to next | Ptr to Handler
Ptr to next | Ptr to final handler (ntdll!FinalExceptionHandler)
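The SEH, SafeSEH and SEHOP slides describe two validations of the same chain. As an added example that is not from the talk, the following models both over the `EXCEPTION_REGISTRATION_RECORD` layout shown earlier: a per-module handler table standing in for SafeSEH, and a walk to the final handler standing in for SEHOP. The handler functions, the table, the stack-range arguments and the `0x41414141` value used as a corrupted pointer are all constructed for the example, not ntdll's real structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added example, not the talk's code: a user-mode model of SafeSEH and
 * SEHOP over the record layout from the SEH slide. The handlers, the
 * table and the stack-range check are constructed for illustration. */
typedef void (*PEXCEPTION_ROUTINE)(void);

typedef struct _EXCEPTION_REGISTRATION_RECORD {
    struct _EXCEPTION_REGISTRATION_RECORD *Next;
    PEXCEPTION_ROUTINE Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

/* 0xffffffff on 32-bit Windows; written so it is all-ones at any width. */
#define EXCEPTION_CHAIN_END ((PEXCEPTION_REGISTRATION_RECORD)(uintptr_t)-1)

static void app_handler_a(void) {}
static void app_handler_b(void) {}
static void final_exception_handler(void) {}   /* plays ntdll!FinalExceptionHandler */
static void unregistered_code(void) {}         /* never listed by the linker */

/* SafeSEH: the linker emits a table of the module's legitimate handlers;
 * the dispatcher refuses a Handler that is not in it. */
static const PEXCEPTION_ROUTINE safe_handlers[] = {
    app_handler_a, app_handler_b, final_exception_handler
};

static bool handler_registered(PEXCEPTION_ROUTINE h)
{
    size_t i;
    for (i = 0; i < sizeof safe_handlers / sizeof safe_handlers[0]; i++)
        if (safe_handlers[i] == h)
            return true;
    return false;
}

/* Walk the chain from head: every Handler must be registered (SafeSEH),
 * and the walk must reach a record whose Next is the end marker and whose
 * Handler is the final handler (SEHOP); a corrupted Next never gets there.
 * lo/hi bound the thread's stack so a bad Next is rejected, not dereferenced. */
bool chain_valid(PEXCEPTION_REGISTRATION_RECORD head, uintptr_t lo, uintptr_t hi)
{
    PEXCEPTION_REGISTRATION_RECORD cur = head;
    int depth = 0;
    while (cur != EXCEPTION_CHAIN_END) {
        uintptr_t p = (uintptr_t)cur;
        if (p < lo || p + sizeof *cur > hi || ++depth > 64)
            return false;                   /* outside the stack, or a loop */
        if (!handler_registered(cur->Handler))
            return false;                   /* SafeSEH rejects it */
        if (cur->Next == EXCEPTION_CHAIN_END)
            return cur->Handler == final_exception_handler;   /* SEHOP */
        cur = cur->Next;
    }
    return false;                           /* empty chain */
}

/* Builds the three-record chain from the SEHOP slide; recs[] also plays
 * the thread stack for the range check. */
static void build_chain(EXCEPTION_REGISTRATION_RECORD recs[3])
{
    recs[0].Next = &recs[1];            recs[0].Handler = app_handler_a;
    recs[1].Next = &recs[2];            recs[1].Handler = app_handler_b;
    recs[2].Next = EXCEPTION_CHAIN_END; recs[2].Handler = final_exception_handler;
}

bool scenario_intact(void)
{
    EXCEPTION_REGISTRATION_RECORD recs[3];
    build_chain(recs);
    return chain_valid(&recs[0], (uintptr_t)recs, (uintptr_t)(recs + 3));
}

bool scenario_handler_overwritten(void)   /* caught by SafeSEH */
{
    EXCEPTION_REGISTRATION_RECORD recs[3];
    build_chain(recs);
    recs[0].Handler = unregistered_code;
    return chain_valid(&recs[0], (uintptr_t)recs, (uintptr_t)(recs + 3));
}

bool scenario_next_overwritten(void)      /* passes SafeSEH, caught by SEHOP */
{
    EXCEPTION_REGISTRATION_RECORD recs[3];
    build_chain(recs);
    recs[0].Next = (PEXCEPTION_REGISTRATION_RECORD)(uintptr_t)0x41414141u;  /* constructed garbage */
    recs[0].Handler = app_handler_b;      /* still a registered handler */
    return chain_valid(&recs[0], (uintptr_t)recs, (uintptr_t)(recs + 3));
}

int main(void)
{
    printf("intact: %d, handler overwritten: %d, next overwritten: %d\n",
           scenario_intact(), scenario_handler_overwritten(), scenario_next_overwritten());
    return 0;
}
```

The third scenario is the one SafeSEH alone misses: the handler pointer is still a registered one, so only the chain walk notices that the record's `Next` no longer leads to the final handler.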
Page 46
Memory
• Interview question used at Google & MSFT:
– How would you find out if a machine’s stack grows up or down in memory?
Page 47
```c
#include <stdio.h>

void sub(int *a)
{
    int b;
    /* b is a local of the callee and a points at a local of the caller:
     * comparing the two addresses shows which way the frames are laid out */
    if (&b > a) {
        printf("Stack grows up. a:%p b:%p\n", (void *)a, (void *)&b);
    } else {
        printf("Stack grows down. a:%p b:%p\n", (void *)a, (void *)&b);
    }
}

int main(void)
{
    int a;
    sub(&a);
    return 0;
}
```
Page 48
Memory
• Actual memory isn’t top-down and can be all over the place
• Gaps cause problems for us, because we might want some memory layout continuity
Page 49
Virtual memory
stack
heap
Page 50
Actual virtual memory:
Page 51
Filling the gaps
• How?
Page 52
Heap spray example
• What is a heap spray?
– Just fill memory
– Was popularized before DEP was implemented
– Easy to do with anything:
• Flash
• JavaScript in browser
• Script in PDF
• Images
• Java
• HTML
Page 53
• Actual spray=>
Page 54
Hardware DEP
• Included in all newer Windows-supported processors (Intel x86/IA-64, AMD amd64, ARM ARMv6). If the no-execute bit is set for the page the CPU is executing code from (for instance a page mapped PAGE_READWRITE), the CPU generates an access violation exception, STATUS_ACCESS_VIOLATION (0xC0000005).
Page 55
DEP
/noexecute [OptIn | OptOut | AlwaysOn | AlwaysOff ]
• Opt-In: (default for XP SP2, XP SP3 and Vista) In this mode DEP is enabled only for processes that explicitly opt in to DEP.
• Opt-Out: (default for Windows Server 2003 and Windows Server 2008) In this mode DEP is enabled by default for all processes except those that explicitly opt out of DEP.
• Always On: In this mode DEP is always enabled for all processes, regardless of whether the program is compatible with DEP.
• Always Off: In this mode DEP is always disabled for all processes.
Page 56
DEP: KPROCESS struct
```c
typedef struct _KEXECUTE_OPTIONS {
    ULONG ExecuteDisable: 1;
    ULONG ExecuteEnable: 1;
    ULONG DisableThunkEmulation: 1;
    ULONG Permanent: 1;
    ULONG ExecuteDispatchEnable: 1;
    ULONG ImageDispatchEnable: 1;
    ULONG Spare: 2;
} KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;
```
Page 57
DEP
• SetProcessDEPPolicy()
• NtSetInformationProcess()
Page 58
stack: can’t execute code here
heap: can’t execute code here
Page 59
Defeating DEP
• Any ideas?
Page 60
Assigned Reading
• The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
• The Advanced Return-into-lib(c) Exploits: PaX case study
• x86-64 Buffer Overflow Exploits and the Borrowed Code Chunks Exploitation Technique
Page 61
Assigned Reading
• Why were these papers good/bad?
Page 62
Assigned Reading
• Evolutionary exploitation techniques
• Hey, it's easier to just jmp into .text segments
Page 63
int system(const char *command);
Page 64
Ret2libc Fundamentals
(Diagram) A normal frame, from the top of the stack: local buffer, saved EBP, saved EIP, args.
After the overflow: smashed buffer, smashed EBP, the saved EIP replaced by the address of system(), a fake return address in the next slot, and in the argument slot a char * pointing at the string "useradd mac -g wheel".
Page 65
(Diagram) Same layout. main() reaches its epilogue, 0x0040108c <main+60>: ret, with $esp pointing at the slot holding the address of system(); the slots after it are the fake retaddr and arg1.
Page 66
(Diagram) Now system() does its thing... 0x004010db <system+101>: ret, with $esp pointing at the fake retaddr.
Page 67
(Diagram) Now we land at the fake ret, and $esp points to arg1!
Page 68
Ret2libc limitations
(Diagram) Local buffer, then the address of system(), then the next function() to call in the return-address slot, then the char * argument. That char * is also the argument slot of system()'s stack frame, so the next function gets the same argument as we passed to system()!
Page 69
So we can only call one func…
• damn
Page 70
Or can we…
• How can we string together multiple calls?
Page 71
esp lifting with frame pointers
(Diagram) Normal frame: local buffer, saved EBP, saved EIP, args.
Smashed frame, from the top of the stack: local buffer, address of setuid(), address of pop-ret, setuid() arg, address of system(), 0xffffffff, system() arg.
Page 72
(Diagram) 0x0040108c <main+60>: ret, with $esp pointing at the address of setuid().
Page 73
(Diagram) 0x0040108c <setuid+60>: ret, with $esp pointing at the address of pop-ret.
Page 74
(Diagram) 0x100bc0c0: pop, with $esp pointing at the setuid() arg, which the pop consumes.
Page 75
(Diagram) 0x100bc0c0: ret, with $esp pointing at the address of system().
Page 76
(Diagram) In system(): $esp points at 0xffffffff, so here system will return into 0xffffffff. The system() arg sits in the slot after it.
Page 77
Advancements…
• If using -fomit-frame-pointer
Dump of assembler code for function g:
0x00401130 <g+0>: sub $0x10,%esp
0x00401133 <g+3>: mov 0x14(%esp),%eax
0x00401137 <g+7>: mov %eax,0xc(%esp)
0x0040113b <g+11>: add $0x10,%esp
0x0040113e <g+14>: ret
Page 78
esp lifting
(Diagram) Normal frame: local buffer, saved EBP, saved EIP, args.
Smashed frame, from the top of the stack: local buffer, address of setuid(), address of epilog, setuid() arg, PAD, PAD (args + pad = stack adjustment), address of system(), 0xffffffff, system() arg.
Page 79
Frame Faking
(Diagram) Normal frame: local buffer, saved EBP, saved EIP, args.
Smashed frame, from the top of the stack: local buffer, fake ebp0, addr of leave-ret; fake ebp1, addr of setuid(), addr of leave-ret, arg to setuid(); fake ebp2, addr of system(), addr of leave-ret, arg to system().
Page 80
ROP!
• Return oriented programming
– logical extension of ret2libc
– Can use chunks from anywhere
Page 81
ROP!
(Diagram) Normal frame: local buffer, saved EBP, saved EIP, args. Gadgets in the program text: pop %eax; ret, pop %esp; ret, lcall %gs:0x10(,0); ret.
Smashed frame: smashed buffer, smashed ebp, then the saved EIP and args replaced by gadget addresses and the data they pop (syscall index, empty slots).
Page 82
What if …
pop %ebp
leave
ret
Page 83
Defeating DEP
• Might be able to turn it off by jumping to
– SetProcessDEPPolicy()
• Allocate some memory that's executable
– VirtualAlloc()
• Change permissions on already allocated mem
– VirtualProtect()
• Write directly to already executable memory
– WriteProcessMemory()
Page 84
Whew..
• So wow, things look pretty bad right?
– Welllllll….
– What ways can we prevent these types of attacks?
Page 85
Linux ASLR
Page 86
ASLR
• 32-bit address space prevents serious randomization of 'objects'
• Executables will have 255 possible load address locations, offset from the preferred image base
• The first DLL (NTDLL.DLL) will load in 1 of 256 possible locations, but the order in which the following DLLs are loaded will be randomized.
• Thread stacks start at a maximum offset of 7FC bytes from the stack base
• Process heap will start at a maximum offset of 2MB from the heap base.
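A defender's check that ties the DEP and ASLR slides together: neither mitigation helps an image that never opted in. This is an added example, not code from the deck; it parses a PE file's headers for the DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) flags and notes that an image whose relocations were stripped cannot be rebased even when DYNAMIC_BASE is set. build_test_image is a constructed minimal PE32 header used only as sample input.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics: no .reloc data
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be rebased (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image is DEP-compatible


def pe_mitigations(data: bytes) -> dict:
    """Report the DEP/ASLR opt-in flags carried in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only move an image that still carries relocations,
        # so DYNAMIC_BASE without a .reloc section buys no randomization.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_test_image(dll_chars: int, characteristics: int = 0) -> bytes:
    """Constructed minimal PE32 header (sample input for the checker, not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, characteristics)  # i386, 96-byte opt hdr
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)              # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    both = IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    print(pe_mitigations(build_test_image(both)))
    print(pe_mitigations(build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                          IMAGE_FILE_RELOCS_STRIPPED)))
```

To audit a real binary, pass the file's bytes to pe_mitigations; the same offsets apply to PE32+ images.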
Page 87
Exploitation Timeline
Page 88
Exploitation Timeline
Page 89
Windows Security Mechanisms
Page 90
Mac's Conjecture
• To own, you must do one of the following:
– (1) introduce/execute arbitrary code
– (2) execute existing code out of original program order
– (3) execute existing code in original program order with arbitrary data
Page 91
Where's the FEEB
• Instruction Set randomization
(Diagram) Encoded instruction stream + encoding key -> CPU
Page 92
Take a closer look…
Page 93
… Weeee
Via Punk Ode: Hiding Shellcode in Plain Sight, Greg MacManus
Page 94
Assignment
• NIST Configured XP images
– Federal desktop core configuration
– http://nvd.nist.gov/fdcc/
• Compiled webserver
– Coded in C
– In C:\project\httpd.exe
• RE/debugging tools already installed
• I (should) have DVDs to hand out
Page 95
Assignment
• 2 ways to complete it
– Figure out the secret (standard)
– Own process (advanced)
• Plural of bonus:
– Don't use my exploit.c
• Find the vuln yourself, and own the httpd
– Don't crash the httpd
Page 96
• This page Intentionally Left Blank