
1 Exploit Analysis

2 Anatomy of the Talk
- Background
- “Operation Aurora”
- The Heap
- The Heap Spray
- The Vulnerability
- The Exploit
- The Code
- The Debugging
- The Demo
- The End

3-9 Background
- December ’09: China hacks Google
  - Adobe vulnerabilities suspected at first
  - Later, IE6 was identified as the culprit
  - Chinese hackers breached an internal auditing tool used by law enforcement agencies to monitor s in order to spy on human rights activists and others
- Jan ’10: Google attacks China
  - Threatens to stop censoring search results
  - Reveals they hacked China back- black hats ftw!
  - The world goes ape-shit
- Jan 14th: Exploit code released on the net

10-15 “Operation Aurora”
- Sophisticated, multitier attack
  1. Possible forgery
  2. day IE6 exploit (CVE ) * 16% browser share
  3. Payload downloads and activates malware
  4. Remote connection to attacker is established
  5. ???
  6. Profit

16-20 The Heap
- First, a little about memory
- User applications store dynamic data in the heap
- In Windows, the heap extends until address 0x7fffffff
- As a program uses more memory, the useable heap grows
- The more the useable heap grows, the more space we have to play with…
- How can we exploit this?
[Diagram: HEAP / AVAILABLE HEAP / USEABLE HEAP, upper bound 0x7fffffff]

21-22 The Heap Spray
- Heap spray!
- Fills the heap up with garbage data + shellcode (i.e. “sprays” data at the heap)
- If we can get our program to call or jump somewhere in our injected heap, win!
[Diagram: HEAP / USEABLE HEAP / INJECTED, arrow labelled “jmp here plz kthx”]

23-31 The Vulnerability
- CVE : HTML Object Memory Corruption Vulnerability
- “Use after free”
- Remote code execution
- Load an object, delete it, inject your code, call the object
- In pictures!
  - Create an object [Diagram: USEABLE HEAP with OBJECT]
  - Delete object [Diagram: USEABLE HEAP, the object’s slot now marked USEABLE SPACE]: the memory shouldn’t be useable again without being reallocated… but it is!

32-37 The Exploit: 5 Steps
1. Create space to overwrite our yet-to-be-created object with
2. Spray the heap with NOPs and our payload
3. Load and dereference an image as our object
4. Inject a pointer to our malicious code (step 2) inside the memory of our “image”
5. Call the “image” again
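The “delete it, reallocate, call it again” sequence on the vulnerability and exploit slides comes down to one allocator property: a freed chunk keeps its contents and is handed straight back to the next same-sized request, so a reference the browser forgot to clear now points at attacker-filled memory. The model below is an added example, not code from the talk or from IE6: a toy first-fit allocator, a placeholder vtable address, constructed 0x41 filler in place of any real pointer, and two mitigations (clearing the reference on delete, and quarantining freed chunks with poison) to show why each one stops the stale dispatch.

```python
import struct

# Added teaching model, not code from the talk or from IE6.  Addresses,
# sizes and the 0x41 filler are constructed placeholders.

class ModelHeap:
    """First-fit allocator with the reuse behaviour the slides describe:
    freed chunks keep their contents and go straight back to the next
    same-sized allocation, unless quarantine delays and poisons them."""

    def __init__(self, quarantine=0):
        self._next = 0x00400000            # assumed base address of the model heap
        self._chunks = {}                  # addr -> bytearray backing store
        self._free = []                    # reusable addresses, first-fit
        self._quarantine = quarantine      # frees held back before reuse
        self._held = []

    def alloc(self, size):
        for addr in self._free:
            if len(self._chunks[addr]) == size:
                self._free.remove(addr)    # handed back without clearing
                return addr
        addr = self._next
        self._chunks[addr] = bytearray(size)
        self._next += size
        return addr

    def free(self, addr):
        if self._quarantine:
            # Poison so a stale read sees a recognisable non-pointer pattern,
            # and hold the chunk back for `quarantine` further frees.
            self._chunks[addr][:] = b"\xdd" * len(self._chunks[addr])
            self._held.append(addr)
            if len(self._held) > self._quarantine:
                self._free.append(self._held.pop(0))
        else:
            self._free.append(addr)        # contents left in place

    def write(self, addr, data):
        self._chunks[addr][:len(data)] = data

    def read_u32(self, addr):
        return struct.unpack_from("<I", self._chunks[addr], 0)[0]


OBJ_SIZE = 16
LEGIT_VTABLE = 0x77000000                  # placeholder for a genuine vtable address
FILLER = b"\x41" * OBJ_SIZE                # constructed attacker-controlled contents

def create_object(heap):
    """'Create an object': the first word of the chunk is its vtable pointer."""
    addr = heap.alloc(OBJ_SIZE)
    heap.write(addr, struct.pack("<I", LEGIT_VTABLE))
    return addr

def dispatch(heap, obj_addr):
    """'Call the object': read the vtable pointer from whatever now occupies
    the object's address and return where the call would go."""
    return heap.read_u32(obj_addr)

def dangling_dispatch(quarantine=0):
    """Create, delete, reallocate, call; returns the address the stale call
    would dispatch to (0x41414141 without quarantine, poison with it)."""
    heap = ModelHeap(quarantine)
    stale = create_object(heap)            # the reference the browser keeps
    heap.free(stale)                       # object deleted
    new = heap.alloc(OBJ_SIZE)             # next same-sized allocation
    heap.write(new, FILLER)                # attacker fills it
    return dispatch(heap, stale)

def reuses_same_address(quarantine=0):
    """True when the allocation after free lands on the freed object's address."""
    heap = ModelHeap(quarantine)
    stale = create_object(heap)
    heap.free(stale)
    return heap.alloc(OBJ_SIZE) == stale

class Handle:
    """Reference-level fix: delete clears the reference, so a late call
    fails closed instead of reading reused memory."""
    def __init__(self, heap):
        self.heap, self.addr = heap, create_object(heap)
    def delete(self):
        self.heap.free(self.addr)
        self.addr = None
    def call(self):
        if self.addr is None:
            raise ReferenceError("object already deleted")
        return dispatch(self.heap, self.addr)

def guarded_dispatch():
    """Same sequence through Handle; returns None when the call is refused."""
    heap = ModelHeap()
    h = Handle(heap)
    h.delete()
    heap.write(heap.alloc(OBJ_SIZE), FILLER)
    try:
        return h.call()
    except ReferenceError:
        return None
```

Without quarantine the allocation after `free` comes back at the same address, so the stale dispatch reads the filler word; with quarantine the chunk is poisoned and not reused, so the stale read yields 0xDDDDDDDD instead of anything attacker-chosen; and `Handle` shows the reference-side fix, where the object is simply not reachable after deletion. Real browsers combined both ideas (reference counting plus hardened allocators), which this model only sketches.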

38 The Code

39-42 The Debugging
- We’ll load up the exploit with our shell code:
  payload = unescape("%uccccSHELLCODE SHELLCODE");
- If it works, EIP (the next instruction to be executed) should now contain “SHELLCODE SHELLCODE”
- Note: %ucccc == int 3, which is a debugging breakpoint

43-45 The Demo
- Inject shellcode to run calc.exe
- payload_calc = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407 %u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%u a63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4 bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c 0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d %ued92%u09e1%u9631%u5580");
- Looks fancy, huh?
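Both the debugging slide and the demo slide hinge on how `unescape("%uXXXX...")` literals turn into bytes: JScript stores strings as UTF-16LE, so each `%uXXXX` becomes one little-endian 16-bit word and `%ucccc` lands as two 0xCC bytes, each an `int 3`. That same layout is what a defender scans for. The code below is an added example, not from the talk or from any detection product: a decoder for such literals plus a simple heap-spray heuristic (int 3 marker, long runs of one repeated word such as a NOP sled, unusually long literals). The thresholds are assumed starting points, and the sample script is constructed, with placeholder bytes in place of real shellcode.

```python
import re

# Added example, not code from the talk: decode JScript %uXXXX literals the way
# the browser lays them out in memory and flag heap-spray-like ones.

PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")
UNESCAPE_LITERAL = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')

def decode_percent_u(s):
    """Bytes of unescape(s) as stored by a UTF-16LE JScript engine: each
    %uXXXX is one 16-bit code unit, little-endian, so %ucccc becomes
    0xCC 0xCC (two int 3 opcodes); literal characters are UTF-16LE too."""
    out = bytearray()
    pos = 0
    for m in PERCENT_U.finditer(s):
        out += s[pos:m.start()].encode("utf-16-le")
        out += int(m.group(1), 16).to_bytes(2, "little")
        pos = m.end()
    out += s[pos:].encode("utf-16-le")
    return bytes(out)

def longest_word_run(data):
    """Longest run of one repeated 16-bit word; a NOP sled (%u9090) or a
    %u0c0c-style slide shows up as a run far longer than any text."""
    best = run = 0
    prev = None
    for i in range(0, len(data) - 1, 2):
        word = data[i:i + 2]
        run = run + 1 if word == prev else 1
        prev = word
        best = max(best, run)
    return best

def heap_spray_indicators(script, min_run=64, min_bytes=4096):
    """Scan every unescape("...") literal in a script and return one finding
    per literal that looks like sled- or marker-led shellcode.  The
    thresholds are assumed starting points, not calibrated values."""
    findings = []
    for m in UNESCAPE_LITERAL.finditer(script):
        data = decode_percent_u(m.group(1))
        run = longest_word_run(data)
        reasons = []
        if data[:2] == b"\xcc\xcc":
            reasons.append("starts with int 3 marker (%ucccc)")
        if run >= min_run:
            reasons.append(f"repeated-word sled of {run} words")
        if len(data) >= min_bytes:
            reasons.append(f"{len(data)}-byte literal")
        if reasons:
            findings.append({"offset": m.start(), "bytes": len(data),
                             "run": run, "reasons": reasons})
    return findings

# Constructed sample: one benign accented-text literal and one sprayed payload
# (int 3 marker, 100-word NOP sled, then placeholder words, not real shellcode).
SAMPLE_SCRIPT = (
    'var greeting = unescape("%u00e9t%u00e9");\n'
    'var payload = unescape("%ucccc' + "%u9090" * 100 + '%u4141%u4242");\n'
)

if __name__ == "__main__":
    for finding in heap_spray_indicators(SAMPLE_SCRIPT):
        print(finding)
```

Running it flags only the second literal, on two counts: it opens with the `%ucccc` breakpoint marker the debugging slide uses, and it carries a 100-word sled. One caveat for anyone turning this into a rule: sprays are usually grown at runtime (`while (sled.length < N) sled += sled;`), so the literal in the source may be short and only the loop is suspicious; static literal scanning catches the marker and the shellcode blob, but catching the sled itself needs the script executed in an instrumented engine.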

46 Questions?
