How to-catch-a-chameleon-steven seeley-ruxcon-2012

Steven Seeley – Ruxcon 2012

Steven Seeleysteven@immunityinc.com

@net__ninja

How to catch a chameleon

C:\> whoami /all?● mr_me● Security Researcher @ Immunity Inc● A member of Corelan Security Team

● ruby python developer● reverse engineering● exploit developer

Disclaimer(s)No zerodays were hurt during the making of this presentation

Sorry but some windows heap knowledge is assumed

Agenda ● What is 'heaper' ?

● Development motivators

● Meta data attack techniques

● Functional design

● Installation

● Using heaper

● Demo analysing a heap overflow

● Limitations

● Future work

● Conclusion

But first.An entomologist's lesson.

Definition of a chameleon?

Chameleon (n) A small slow-moving Old World lizard

with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color

Definition of a chameleon?

Chameleon (n) A small slow-moving Old World lizard

with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color

A chameleon's diet

Chameleon Heap manager analysisSlow moving Slow evolution of security in heap managers*

Protruding, rotating eyes Symptoms of long debugging sessions

Ability to change color rapidly

Ability to change its state rapidly

Kills and eats bugs Difficultly leads to disclosure, in hope of other researchers demonstrating exploitation

Similarities

* Some, such as implementations on mobile platforms, example: WebKit

What is heaper?● A multi platform win32 heap analysis tool● A plug-in for Immunity Debugger● Developed in python using immlib/heaplib● An offensive focused tool:

● Visualize the heap layout● Determine exploitable conditions using meta-data● Find application specific heap primitives● Find application specific function pointers● Modify heap structures on the fly for simulation

Development motivators

Meta data attack techniquesTechnique Platform Difficulty* Reliability* Supported

Coalesce unlink() NT 5.[0/1] 10% 100% Yes

VirtualAlloc block unlink() NT 5.[0/1] Unknown Unknown No

Lookaside head overwrite NT 5.2 50-60% Unknown Yes

Freelist insert/search/relink NT 5.2 Unknown Unknown Yes

Bitmap flip NT 5.2 50-60% Unknown Yes

Heap cache desycronisation NT 5.2 90% Unknown No

Critical section unlink() NT 5.2 50% 70% No

FreeEntryOverwrite NT 6.[0/1] 50% 60% Yes

Segment Offset NT 6.[0/1] 50% 80% Yes

Depth De-sync NT 6.[0/1] 50% 70% Yes

UserBlocks Overwrite NT 6.2 90% 40% No

Application data ANY Unknown Unknown Yes

difficulty/reliability* - estimated based specific testing, will vary largely depending on context

Functional design● Object oriented design● Easily extend-able● Chunk validation based on allocator ordering & categorization

● General heuristics check per allocator

Functional designchunk validation:

Full unlink() macro validation!

Functional designchunk validation:

● Lets say we have chunk 0x0026fee8 in FreeList[0].● We know relative offsets:

● 0x0026fee8+0x0 is the size● 0x0026fee8+0x2 is the previous chunks size● 0x0026fee8+0x4 is the cookie● 0x0026fee8+0x8 is the Flink/Blink

Therefore, we can validate the chunk based on its positioning and by reading memory

Functional designChunk validation on ListHint[{0x7f,0x7ff}]-> Windows 7 LFH (size is encoded)

-> Checks ListHint[0x7f] and ListHint[0x7ff]

Functional designChunk validation on ListHint[n]:

-> Windows 7 LFH (size is encoded)

-> Checks ListHint[n]

Functional designChunk validation on FreeList[0]:

-> Windows 2000/XP FreeList[0]

Functional designChunk validation on FreeList[0]:

-> Windows 2000/XP FreeList[0]

size, flink, blink pwned! Chunk overwrite!

Functional designChunk validation on FreeList[n]:

-> Windows 2000/XP FreeList[n]

Functional designChunk validation on FreeList[n]:

-> Windows 2000/XP FreeList[n]

size, flink, blink pwned! Chunk overwrite!

Functional designGraphing:

We all know that little

green men in the debugger

can be hard to understand

Functional designGraphing:

visualize the heap

Functional designEasy to use:

● Generates a specific menu basic on windows version in use – no option to analyse the LFH if it doesn't exist

● Generates graphs for each bin size separately, generally for exploitation, we target a specific bin size

● n-4 byte write simulation on function pointers with the ability to restore the said function pointers

● The ability to modify a single BIT in the FreeListInUse struct

● 'update' command for easily updating heaper.

● 'config' command to configure the output directory of logs and graphs

● Everything is logged in a new “heaper” window

● Prerequisites:

● Immunity Debugger v1.85 and above● Graphviz v2.28.0 and above -http://www.graphviz.org/● Pyparsing - http://sourceforge.net/projects/pyparsing/● PyDot - http://code.google.com/p/pydot/

1. Install Immunity Debugger :->

2. Add 'c:\python27' to your path environment

3. Run the Graphviz MSI packaged installer

4. Navigate into your pydot and pyparsing directories and execute 'python setup install'

4. Copy heaper to the 'C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\' directory

Installation

Using heaper

Usage and help menuRun '!heaper help <cmd>' to learn about the cmd and its options

Analyzing windows structsDisplay the PEB structure

Analyzing windows structsDisplay the TEB's for the process (no struct) – No TEB struct boo

Analyzing windows structsAnalyze a _heap struct

Analyzing the FreelistInUse bitmask

Bit flipping

Dumping function pointers● Finds function pointers despite if they are writable or not

● Depreciated and will be removed in the next major release

Finding writable pointers

Finding writable pointers● Similar to the dump function pointers routine but

executes the action across the whole module

● This can be executed against all modules

● As the name states, only writable function pointers to facilitate a write 4 condition

● Don't be fooled, it doesn't just dump the IAT

● It can find OS specific function pointers making your exploit work despite the existence of application specific function pointers.

Finding writable pointersUse any of these to transfer code execution

Analyzing the allocator state NT 5.x

Lookaside - chunk analysis

Lookaside - chunk analysis● Easy to understand layout● Displays the cookie, chunk size, flink● Notification of an overwrite using the first

byte in the chunk header (size)● If userdata == flink, possible exploitation

Lookaside with verbose mode (-v)

Lookaside with verbose mode (-v)● Displays the _general_lookaside_list struct● Displays the _slist_header struct● Instantly determine if a list itself has been

overwritten● Much like 'dt _general_lookaside_list

<addr>' in windbg

Lookaside - graphing

Lookaside - vuln analysis

● Set a (Function pointer-0x8) to equal the new Lookaside chunk address

Lookaside - vuln analysis

FreeList - chunk analysis

FreeList with verbose mode (-v)

FreeList - graphing

FreeList - vuln analysis

LFH - UserBlocks analysis

LFH - UserBlocksCache analysis

0:004> dt _USER_MEMORY_CACHE_ENTRYntdll!_USER_MEMORY_CACHE_ENTRY

+0x000 UserBlocks : _SLIST_HEADER+0x008 AvailableBlocks : Uint4B

LFH - buckets

0:004> dt _heap_bucketntdll!_HEAP_BUCKET

+0x000 BlockUnits : Uint2B+0x002 SizeIndex : Uchar+0x003 UseAffinity : Pos 0, 1 Bit+0x003 DebugFlags : Pos 1, 2 Bits

LFH - graphing UserBlocks

LFH - vuln analysis

ListHint - analysis

FreeList - analysis

FreeList - graphing

FreeList/ListHint - vuln analysis

Hooking the heap manager

Hooking the heap managerHard hooking

● HeapAlloc/HeapFree

● Can be extended

for other heap functions

● Discover primitives

Hooking the heap managerSoft hooking

Use only for testing, not designed to be used with large applications

PatchingPatching - PEB

● A binary may be compiled in debug mode

● What if we are trying to execute a function pointer that assumes the process is not being debugged ?

UpdatingUpdate to the latest version with ease

The update function just generates a git hash and compares digests. There is no version tracking yet.

ConfiguringConfigure the home directory on where to store graphs and logs

Detecting exploitable conditions

Detecting exploitable conditions● Detecting exploitable conditions can be very

difficult and prone to many false positives.● If you overwrite a specific chunk, then just due

to the amount of data you overwrote with, it may/may not be deemed exploitable

● Therefore understanding the limitations of each of the conditions is required for accurate analysis.

LFH – FreeEntryOffset Overwrite

FreeList/ListHint – No technique suggestion*

● No techniques for exploitation against the FreeList/ListHint under windows NT 6.x have been disclosed publicly so far.

Lookaside – chunk overwrite

FreeList[n] – Bitflip attack

Demo - MS12-037

Limitations● Does not analyze LFH on XP● Does not analyze LFH on Windows 8● Supports only a limited number of meta-data

attacks for now● Does not log analysis findings external to the

debugger● Needs a decent heap search function● Need to support other heap implementations

Future work● Support LFH analysis on Windows 8● Support other heap manager implementations

(jemalloc)● Support more meta-data attacks● Perform log analysis● Detect 'interesting' application data on the

heap● Add a decent search function● Improve the heuristics engine

Conclusion● Run-time analysis of the heap to detect meta-

data attack conditions is complex● Some form of solver maybe more applicable to

this type of analysis :->● Whilst heaper is not turing complete, it will

solve many corner cases.● Immunity will continue to be a leader in the

development and application of heap exploitation techniques

Thanks!You know who you are ;-)

Code design/improvements/patches/ideas are very welcome :>

steventhomasseeley@gmail.comFor more information please execute:

$ git clone https://github.com/mrmee/heaper.git

$ wget -r http://net-ninja.net/

How to-catch-a-chameleon-steven seeley-ruxcon-2012

Technology

Kayla seeley

"A chameleon" The "eyes" of a chameleon appear to rotate

Chameleon - Report

Chameleon Compact OPO - Coherent, Inc....Chameleon Compact OPO Wavelength Extension for Chameleon Ti:Sapphire Lasers The Compact Chameleon OPO (optical parametric oscillator) is a

microcapsule brochure 2019 kor outline · LightRed / Blue Chameleon T Yellow Chameleon T Violet Chameleon T Green Chameleon T Black Cham&on T Red Cham&on T rauoiseBlue Chameleon T

Terec Chameleon Veneersterec.co.uk/gallery/pdfs/template12/Terec Chameleon Veneers.pdf · Title: Terec Chameleon Veneers Author: 270 Created Date: 20130518123942Z

Armstong, Hamilton, Armstrong & Seeley

Chameleon Business Interiors Agile Workingfiles.ludostudio.co.uk/chameleon-canada/Chameleon Agile Workspac… · Agile Working Chameleon Business Interiors . 2 Designs for New Ways

Ruxcon 2006 - Unpacking Virus, Trojans and Worms

Breaking Bricks Ruxcon 2014asa

· PDF fileSpecifications Chameleon T Chameleon B Chameleon C Sonus faberu 74—51 ... Chameleon C —h 12rnmJg45 Neon cnaoe Chameleon T 0) 5 Is9—5

chameleon - RMC Modularrmcmodular.co.uk/wp-content/uploads/2016/03/Chameleon.pdf · Chameleon Chameleon A Chameleon is a type of lizard that can change its appearance at will. Chameleon

Ruxcon 2011

Seeley chapter 1

Operator’s Manual Chameleon Ultra™ and Chameleon … · Operator’s Manual Chameleon Ultra™ and Chameleon Vision™ Diode-Pumped Lasers 5100 Patrick Henry Drive Santa Clara,

Operator’s Manual Chameleon Ultra™ and Chameleon Vision™ … · 2017-12-04 · Operator’s Manual Chameleon Ultra™ and Chameleon Vision™ Diode-Pumped Lasers 5100 Patrick

De Mysteriis Dom Jobsivs Ruxcon

Chameleon Chip

Chameleon Pattern

Turning client-side-to-server-side-ruxcon-2011-laurent