Presentation on theme: "EEye Digital Security Advanced Return Address Discovery using Context- Aware Machine Code Emulation Presented by Derek Soeder, Ryan Permeh, & Yuji Ukai."— Presentation transcript:
eEye Digital Security Advanced Return Address Discovery using Context- Aware Machine Code Emulation Presented by Derek Soeder, Ryan Permeh, & Yuji Ukai
eEye Digital Security Introduction Return Addresses and You
eEye Digital Security What is a Return Address? Subverting a function pointer So you have EIP, now what? Redirecting flow of execution Stack bufferCallers EIP…Our EIPOur payloadOVERFLOW
eEye Digital Security Return Addresses in the Past Static address of a stack buffer Unix versus Windows stacks Problems with dynamic stacks and heap buffers
eEye Digital Security Return Addresses: Present Simple one- or two-instruction redirects (e.g., CALL/JMP reg) Scanning for byte sequences Change across image versions CALL reg:FF/D0.. FF/D7 JMP reg:FF/E0.. FF/E7 PUSH reg / RET:50/C2.. 57/C2 or 50/C3.. 57/C3
eEye Digital Security Enter EEREAP Similarities to current solutions –Finds viable points to execution –Examines process snapshot Exhaustive Return Address Discovery using Machine Code Emulation
eEye Digital Security EEREAP Differences from current solutions –Emulates machine code at each candidate address to see if it will reach payload –EEREAP doesn't search for byte sequences – it actually emulates at each address to see if that code can get execution to a specified target Exhaustive Return Address Discovery using Machine Code Emulation
eEye Digital Security EEREAP Continued Benefits of this approach –Finds more than simple instructions –Potentially every viable path will be uncovered –More possible addresses to match across various revisions of victim code – more universal or ASCII return addresses? Exhaustive Return Address Discovery using Machine Code Emulation
eEye Digital Security EEREAP Concluded The execution flow beginning when a candidate address is loaded is the real- world determinant of its effectiveness. Emulating at each candidate is a theoretically-ideal solution, limited only by the amount of context information and engine capabilities. Exhaustive Return Address Discovery using Machine Code Emulation
eEye Digital Security How It Works Welcome to the EEREAP Magical Mystery Tour
eEye Digital Security Overview EEREAP is an Intel 32-bit machine code emulation engine that supports nondeterminism (undefined values) and abstract address spaces Accepts a state and emulates at each candidate address to determine which will cause execution to reach a target memory region
eEye Digital Security EEREAP – State A path from the registers to a target buffer must exist Requires user observation to construct If there is a way from the initial state to the target buffer, EEREAP is designed to find it State is given as a process memory snapshot and a context stating any available information on registers and memory contents.
eEye Digital Security EEREAP – Memory Regions Memory regions are expressed abstractly because their locations shift between instances of a vulnerable process Example: ESP EDI (pointer to payload in heap) Run 1:0012FEC A8 Run 2:0032FEC4 0252F308 Run 3:0022FEC A0 Stack and heap block are both identifiable memory regions whose addresses shift between runs, due to the dynamic nature of thread creation and heap memory allocation.
eEye Digital Security EEREAP – Context Supplies register and memory values (integers or pointers) and defines memory regions Integers are tracked on the bit level (each bit is maintained as 0, 1, or X) – especially important for EFLAGS Pointers are a memory region ('virt' – the 4GB virtual address space – or a user-defined region) plus an integer offset
eEye Digital Security EEREAP – Context 2 Memory regions must be given a size, and can be defined with certain attributes as appropriate Size is usually just a guess, because an exact size often cannot be determined Attributes: –Read-Only – emulation fails on write access; useful for protecting payload –Target – region contains a payload; emulation ends successfully for return address candidate if execution reaches it
eEye Digital Security EEREAP – Context 3 Memory regions can be mapped by specifying that one region starts at a relative offset within another For instance, a target buffer could be located in the stack, or a data area could be assigned a virtual address On dereference, attributes of all regions overlapping at address apply
eEye Digital Security EEREAP – Context Example # defines STACK as a 64KB writable address space STACK = 00XXXXXXh : 65536, RW # ESP is a pointer to offset E000h within STACK ESP = STACK + E000h # BUFFER maps into STACK at offset E09Ch STACK + E09Ch : 128, TARGET, RO # memory at STACK + E004h contains a pointer into BUFFER [STACK+E004h] = BUFFER + 8 EAX = 0 ECX = 3FFXXXXXh EBP = STACK + E134h [EBP] = STACK + E180h ESI = STACK + E01Ch TIB = 7FFXX000h : 4096, RW FS = TIB EFLAGS = X0X1Xb
eEye Digital Security EEREAP – Emulation For each return address candidate, emulation is started fresh: –EIP points to that address –Other registers and memory are initialized according to the context These runs will be referred to as emulation threads, although only one is really performed at a time
eEye Digital Security EEREAP – Emulation 2 Arithmetic attempts to preserve the destination as a pointer (if possible), then as an integer Takes unknown bits into account, erring on the side of nondeterminism EFLAGS are also modified and may be partially undefined Each instruction is emulated as faithfully as possible…
eEye Digital Security EEREAP – Emulation 3 The thread dies if anything occurs that could affect execution unpredictably: –A pointer dereference exceeds the bounds of its memory region –A write occurs on read-only memory –A 'virt' pointer accesses invalid memory –An invalid opcode, privileged instruction, potential divide-by-zero, etc., occurs But sometimes faith just isnt enough
eEye Digital Security EEREAP – Emulation 4 An instruction execution countdown is used to prevent infinite loops If a Jcc or LOOPcc is reached with EFLAGS/ECX undefined, we follow both possible execution paths –Parent succeeds if both children threads reach a target buffer –Each child gets a copy of parent's context with the instruction countdown halved Loops and Branches
eEye Digital Security EEREAP – Emulation 5 Success! If an emulation thread (or both of its children, if it forked) reaches a memory region marked as Target, the return address candidate at which it started is considered a success and is logged.
eEye Digital Security How to Use It / Demonstration Dont Fear the EEREAPer
eEye Digital Security EEREAP – How-To Crash the target process using the vulnerability to be exploited –Should put the process as close as possible to the state that will be in effect when execution is hijacked –e.g., a finished exploit with an invalid return address (0x , anyone?) –Process should definitely have a debugger on it with first-chance exceptions caught
eEye Digital Security EEREAP – How-To 2 Use 'psnap' to grab a process memory snapshot C:\>psnap.exe --priority --suspend -a:r -c:w 260 lsass.ees * Record: micdhstp --- * Write: --c [#] FFF Recorded [#] FFF Recorded [ ] FFF Ignored [G] FFF Ignored [#] FFFF Recorded [#] FFF Heap Recorded [ ] FFFF Heap Ignored... [#] 00CAA CAFFFF Stack Recorded [#] FFF Image - lsass.exe Recorded [#] FFF Code - lsass.exe:.text Written [#] FFF Data - lsass.exe:.data Recorded [#] FFF Data - lsass.exe:.rsrc Recorded [ ] C8FFF Stack Ignored [G] 010C C9FFF Stack Ignored... Saved process 260 snapshot to "lsass.ees" ( bytes).
eEye Digital Security EEREAP – How-To 3 Create the context –Study the environment at crash time: consistent pointers and integers; memory regions of interest –Reverse engineer as desired –Context and snapshot are both specific to one version of the vulnerable process
eEye Digital Security EEREAP – How-To 4 STACK = 0XXXA000H:6000H,RW EAX= H EBX= H ECX=STACK+5D38H EDX=785B2C60H ESI= H EDI=STACK+5A58H ESP=STACK+5A14H EBP=XXXXXXXXH EFLAGS=0296H Context for exploiting LSASS (SP4)
eEye Digital Security EEREAP – How-To 5 Run EEREAP! Windows 2000 Advanced Server (English) No SP/Patch Windows 2000 Advanced Server (English) SP3 No Patch Windows 2000 Advanced Server (English) SP4 No Patch LSASS.EXE (MS04-011) Tested Platform : Tested Process :
eEye Digital Security Result - Performance Windows 2000 SP4 Windows 2000 SP3 Windows 2000 SP EEREAP Simple Search Comparison with common used return address finder - (jmp esp, call esp, push esp/ret) EEREAP – Result 1
eEye Digital Security Distribution: number of instructions to target buffer EEREAP – Result 2 Maximum # of instructions = 80 - Windows 2000 SP0
eEye Digital Security Maximum # of instructions = 79 EEREAP – Result 3 - Windows 2000 SP3 Distribution: number of instructions to target buffer
eEye Digital Security EEREAP – Result 4 Distribution: number of instructions to target buffer - Windows 2000 SP4 Maximum # of instructions = 91
eEye Digital Security EEREAP – Result 5 Return addresses exist on Windows 2000 SP0, SP3, and SP e2H 751c255eH 7732c167H 773e661fH H H H
eEye Digital Security Example return address for SP4 with 27 instructions push esp and al,0Ch push edi push A xor eax,eax C pop ecx D mov edi,edx F rep stosd mov eax,[esp+0Ch] xor ecx,ecx mov [edx],eax mov eax, [esp+8] D cmp eax,ecx F mov [edx+0Ch],cl je mov [edx+4],eax mov [edx+8],10h E xor eax,eax pop edi ret 0Ch mov [edx+4],ecx mov [edx+8],ecx E xor eax,eax pop edi ret 0Ch EEREAP – Result 6
eEye Digital Security EEREAP – Demonstration Plug in a suitable return address and try it out…
eEye Digital Security To-Do You Cant Always Get What You Want
eEye Digital Security EEREAP – To Do Use EEREAP to find a completely universal offset (all languages/versions) Maintain results of pointer arithmetic as expressions (e.g., ~((~ptr)+1) = ptr-1, rather than ~ptr = X, X+1 = X, ~X = X) Automated context reconnaissance? (could be done third-party *hint*) Emulate exception handlers?
eEye Digital Security Questions?! Ask an eEye Engineer Price $1.00 Questions? Comments? today!