8/3/2019 Exploitation 102
1/21
Exploitation 102
Alexander Sotirov
alex@sotirov.net
Overview
Exploiting stack overflows
Exploitation mitigations in depth (GS and SafeSEH)
Practical exploitation of Internet Explorer
Part I: Exploiting basic stack overflows
Exploiting stack overflows
Single-threaded applications with a static stack base address:
[diagram: the buffer overflow fills the buffer with NOP NOP ... NOP followed by the shellcode and overwrites retaddr, which points back into the NOP sled at its static stack address]
Exploiting stack overflows
Multi-threaded applications, ntdll.dll loaded at a static base address:
[diagram: the buffer overflow overwrites retaddr with the address of a jmp esp instruction in ntdll.dll; the shellcode sits just past retaddr, where esp points after the return]
Diving into Internet Explorer
Part II: Exploitation Mitigations
GS stack cookies
GS prevents the attacker from using an overwritten return address on the stack:
adds a stack cookie between the local variables and the return address
checks the cookie at the end of the function
GS stack cookies
[diagram: buffer, cookie and retaddr on the stack; a buffer overflow that reaches retaddr also overwrites the cookie, which then no longer matches the saved cookie]
Breaking GS
The function might use overwritten stack data before the cookie is checked:
[stack frame, lowest address first; the overflow writes upward through these slots in this order]
callee saved registers
copy of pointer and string buffer arguments
local variables
string buffers
exception handler record
gs cookie
saved frame pointer
return address
arguments
stack frame of the caller
Breaking GS
[diagram: buffer, pointer var, cookie and retaddr on the stack; the buffer overflow overwrites the pointer variable and the cookie, and the pointer is used before the cookie is compared with the saved cookie; a pointer arg and the shellcode are also marked]
GS variable reordering
Prevents the attacker from overwriting other local variables or arguments:
string buffers go above other variables
arguments are copied below the local variables

source code:
    void vuln(char* arg)
    {
        char buf[100];
        int i;
        strcpy(buf, arg);
        ...
    }

standard stack frame (lowest address first):
    buf
    i
    return address
    arg

stack frame with /GS (lowest address first):
    copy of arg
    i
    buf
    stack cookie
    return address
    arg (unused)
GS variable reordering
[diagram: with /GS the frame holds, lowest address first, copies of arguments, non-buffer variables, the buffer, the cookie, retaddr and the now unused arguments; the buffer overflow runs into the cookie and retaddr but cannot reach the variables and argument copies below the buffer; pointer arguments are copied before the other variables]
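As an added example, not from Sotirov's slides: a C model of the two stack frame layouts on the GS variable reordering slide (buf of 100 bytes, 4-byte words on 32-bit x86, slot names as on the slide). The frame is a table of slot offsets rather than real stack memory, so nothing is corrupted; the model reports which slots a copy of a given length into buf reaches in each layout and whether a cookie compared at function end would notice. The names simulate_overflow, reaches, cookie_fires and vuln_hardened are my own, and vuln_hardened is the bounds-checked counterpart of the slide's vuln(), not code from the slides.

```c
/* Added example (not from Sotirov's slides): a model of the two stack frame
 * layouts on the /GS variable reordering slide.  The frame is a table of slot
 * offsets, not real stack memory, so nothing here corrupts anything; the point
 * is to see which slots a copy of a given length into buf reaches in each
 * layout and whether a cookie compared at function end would notice. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100   /* char buf[100] from the slide */
#define WORD     4     /* 32-bit x86, as in the slides */

enum slot { SLOT_COPY_OF_ARG, SLOT_I, SLOT_BUF, SLOT_COOKIE, SLOT_RETADDR, SLOT_ARG, SLOT_COUNT };

static const char *slot_name[SLOT_COUNT] = {
    "copy of arg", "i", "buf", "stack cookie", "return address", "arg"
};

struct layout { const char *name; const enum slot *order; int n; };

/* Standard frame from the slide, lowest address first. */
static const enum slot standard_order[] = { SLOT_BUF, SLOT_I, SLOT_RETADDR, SLOT_ARG };
/* Frame with /GS: the buffer moved above the other locals, arg copied below them. */
static const enum slot gs_order[] = { SLOT_COPY_OF_ARG, SLOT_I, SLOT_BUF,
                                      SLOT_COOKIE, SLOT_RETADDR, SLOT_ARG };

const struct layout standard_frame = { "standard", standard_order, 4 };
const struct layout gs_frame       = { "/GS",      gs_order,       6 };

struct result {
    int clobbered[SLOT_COUNT];  /* 1 if the copy wrote into that slot */
    int cookie_check_fires;     /* 1 if the cookie changed, so the check at function end aborts */
};

/* Simulate copying `len` bytes into buf (a strcpy of a string of len-1 characters). */
struct result simulate_overflow(const struct layout *l, size_t len)
{
    struct result r;
    size_t offset[SLOT_COUNT], size[SLOT_COUNT];
    int present[SLOT_COUNT] = { 0 };
    size_t off = 0;

    memset(&r, 0, sizeof r);
    for (int k = 0; k < l->n; k++) {           /* lay the slots out upward from the lowest address */
        enum slot s = l->order[k];
        size[s] = (s == SLOT_BUF) ? BUF_SIZE : WORD;
        offset[s] = off;
        present[s] = 1;
        off += size[s];
    }
    size_t w_start = offset[SLOT_BUF], w_end = w_start + len;
    for (int k = 0; k < l->n; k++) {           /* which other slots overlap the written range? */
        enum slot s = l->order[k];
        if (s != SLOT_BUF && offset[s] < w_end && w_start < offset[s] + size[s])
            r.clobbered[s] = 1;
    }
    r.cookie_check_fires = present[SLOT_COOKIE] && r.clobbered[SLOT_COOKIE];
    return r;
}

/* Accessors for single facts about a simulated copy. */
int reaches(const struct layout *l, size_t len, enum slot s)
{
    struct result r = simulate_overflow(l, len);
    return r.clobbered[s];
}
int cookie_fires(const struct layout *l, size_t len)
{
    struct result r = simulate_overflow(l, len);
    return r.cookie_check_fires;
}

/* The fix for the slide's vuln(): bound the copy instead of relying on the cookie
 * to detect the damage afterwards.  Returns 0 on success, -1 if arg does not fit
 * (terminator included). */
int vuln_hardened(const char *arg)
{
    char buf[BUF_SIZE];
    size_t n = strlen(arg);
    if (n >= sizeof buf)
        return -1;
    memcpy(buf, arg, n + 1);
    return 0;
}

static void report(const struct layout *l, size_t len)
{
    struct result r = simulate_overflow(l, len);
    printf("%-8s frame, %3zu-byte copy into buf reaches:", l->name, len);
    for (int s = 0; s < SLOT_COUNT; s++)
        if (r.clobbered[s]) printf(" [%s]", slot_name[s]);
    printf("; cookie check %s\n", r.cookie_check_fires ? "fires" : "silent");
}

int main(void)
{
    report(&standard_frame, 102);   /* off-by-two: spills only into the next slot */
    report(&gs_frame, 102);
    report(&standard_frame, 120);   /* far enough to hit the return address in both layouts */
    report(&gs_frame, 120);
    return 0;
}
```

The 102-byte case is the instructive one: in the standard layout it silently corrupts i, the kind of overwritten local the "Breaking GS" slide warns is used before any check, while in the /GS layout the only slot it can reach is the cookie, so the check fires. The 120-byte case reaches retaddr in both layouts; with /GS it still cannot touch i or the argument copy, which now sit below the buffer.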
Breaking GS, round 2
Some functions still use overwritten stack data before the cookie is checked:
[stack frame, lowest address first; the overflow writes upward through these slots in this order]
callee saved registers
copy of pointer and string buffer arguments
local variables
string buffers
gs cookie
exception handler record
saved frame pointer
return address
some arguments
stack frame of the caller
Structured Exception Handling
Pointers to exception handlers are stored in the stack frame of each function
All exception handler records are linked in a linked list, with head at fs:[0]
The exception handler dispatcher calls the first handler on the list.
Overwriting exception handlers
Windows SEH pointer overwrite followed by access violation before the function returns:
[diagram: the buffer overflow overwrites the SEH pointer with the address of a pop/pop/ret trampoline in ntdll.dll, which returns into the shellcode on the stack]
pop/pop/ret
When the exception handler is called, the third word on the stack points to the SEH record on the stack
A sequence of two POP and a RET instruction will return to our shellcode on the stack.
Bypassing GS with SEH
Triggering an exception will give us control of the program execution before the GS cookie check.
overwrite a pointer or counter variable
overflow to the top of the stack
application specific exceptions
SEH records on the stack are not protected by GS.
SafeSEH
Validates that each SEH handler is found in the SafeSEH table of the DLL
Prevents the exploitation of overwritten SEH records
Breaking SafeSEH
Requires that all DLLs in the process are compiled with the new /SafeSEH option
A single non-compatible DLL is enough to bypass the protection
Control flow modification is still possible
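As an added example, not from the slides: a C model of the SEH chain headed at fs:[0] and of the validation step SafeSEH adds before the dispatcher calls a handler, so the two statements on the SafeSEH slides (a handler must appear in the DLL's SafeSEH table, and one DLL without a table is enough to defeat the check) can be seen on concrete records. Module names, base addresses and table contents are constructed for the example; validate_handler, dispatch_first, verdict_allows_call and count_modules_without_table are my names; and treating a handler that lies outside every loaded module as refused is a simplification of the model, not a statement about what the real dispatcher does in that case. count_modules_without_table is the check a defender wants: a process audit that flags modules the mitigation cannot cover.

```c
/* Added example (not from the slides): a model of the SEH chain and of the
 * SafeSEH validation the dispatcher performs before calling a handler.
 * Addresses and module names are constructed; the fs:[0] head is an ordinary
 * pointer here and no real exception handler is registered. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t addr_t;   /* 32-bit process, as in the slides */

/* A module mapped at [base, base+size).  `handlers` is its SafeSEH table of
 * handler RVAs, or NULL if the module was not built with /SafeSEH. */
struct module {
    const char   *name;
    addr_t        base, size;
    const addr_t *handlers;
    size_t        n_handlers;
};

/* Exception registration record as it sits on the stack: next link, then handler. */
struct seh_record {
    const struct seh_record *next;   /* NULL stands in for the real end-of-list marker */
    addr_t                   handler;
};

enum verdict {
    VERDICT_OK,              /* handler found in the module's SafeSEH table */
    VERDICT_NOT_IN_TABLE,    /* module has a table, but this address is not in it */
    VERDICT_OUTSIDE_IMAGE,   /* not inside any loaded module (refused in this model, an assumption) */
    VERDICT_NO_TABLE         /* module has no table, so the dispatcher cannot validate it */
};

/* Constructed process image: one module lacks a SafeSEH table. */
static const addr_t app_handlers[]  = { 0x1234 };
static const addr_t safe_handlers[] = { 0x2000, 0x3000 };
#define N_MODULES 3
const struct module modules[N_MODULES] = {
    { "app.exe",    0x00400000u, 0x00010000u, app_handlers,  1 },
    { "safe.dll",   0x7C900000u, 0x00080000u, safe_handlers, 2 },
    { "legacy.dll", 0x10000000u, 0x00020000u, NULL,          0 },
};

static const struct module *find_module(addr_t a)
{
    for (size_t i = 0; i < N_MODULES; i++)
        if (a >= modules[i].base && a - modules[i].base < modules[i].size)
            return &modules[i];
    return NULL;
}

/* The SafeSEH check for one handler address. */
enum verdict validate_handler(addr_t handler)
{
    const struct module *m = find_module(handler);
    if (!m)
        return VERDICT_OUTSIDE_IMAGE;
    if (!m->handlers)
        return VERDICT_NO_TABLE;
    addr_t rva = handler - m->base;
    for (size_t i = 0; i < m->n_handlers; i++)
        if (m->handlers[i] == rva)
            return VERDICT_OK;
    return VERDICT_NOT_IN_TABLE;
}

/* Whether the dispatcher goes ahead and calls a handler with this verdict. */
bool verdict_allows_call(enum verdict v)
{
    return v == VERDICT_OK || v == VERDICT_NO_TABLE;
}

/* Dispatcher: the first record on the chain is the one whose handler runs. */
enum verdict dispatch_first(const struct seh_record *head)
{
    if (!head)
        return VERDICT_OUTSIDE_IMAGE;   /* empty chain: nothing to call */
    return validate_handler(head->handler);
}

/* Defender's audit: how many loaded modules lack a SafeSEH table? */
size_t count_modules_without_table(void)
{
    size_t n = 0;
    for (size_t i = 0; i < N_MODULES; i++)
        if (!modules[i].handlers)
            n++;
    return n;
}

/* Two chains: the application's own record, and a chain whose head record
 * has been changed to point into legacy.dll. */
const struct seh_record app_record    = { NULL,        0x00401234u };
const struct seh_record legacy_record = { &app_record, 0x10001000u };

int main(void)
{
    static const char *text[] = { "ok", "rejected: not in table",
                                  "rejected: outside any image", "unchecked: module has no table" };
    addr_t probes[] = { 0x7C902000u, 0x7C904444u, 0x10001000u, 0x0012FF00u };
    for (size_t i = 0; i < 4; i++)
        printf("handler %#010x -> %s\n", (unsigned)probes[i], text[validate_handler(probes[i])]);
    printf("first record on chain -> %s\n", text[dispatch_first(&legacy_record)]);
    printf("modules without a SafeSEH table: %zu\n", count_modules_without_table());
    return 0;
}
```

The four probes show the whole picture: an address in safe.dll's table passes, any other address in safe.dll is rejected, and any address in legacy.dll is called unchecked, because there is no table to check against. That last verdict is the "single non-compatible DLL" case, and the audit count of 1 is what a defender would act on.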
SafeSEH: DLL without SafeSEH
If DEP is enabled:
Find a DLL without a SafeSEH table
Point the SEH handler to code in the DLL
We can use ActiveX to load third-party DLLs in Internet Explorer.