Preventing Intrusion Prevention
April 21, 2010
Ryan MacArthur, Labs
Proprietary and Confidential Information – Copyright© 2010 – All Rights Reserved

Presentation transcript:

1 Preventing Intrusion Prevention
  April 21, 2010, Ryan MacArthur, Labs, rmacarthur@isightpartners.com

2 Quick Intro
  – Don’t believe anything I say
  – Former ISI student (’08)
  – Worked at Symantec out of the gate – Security Response Team
  – Interviewed with iSIGHT at BH Vegas 2009
  – Started work in October 2009

3 Hi

4 Outline
  – Basics – some C background
  – Exploitation technique evolution

5 Outline
  – Assignment – hacking a webserver with DEP
  – Demonstrate understanding of topics discussed today

6 C
  READ THE STANDARD (C99) – grep for "undefined":
  – sprintf: ‘If copying takes place between objects that overlap, the behavior is undefined’
  – free: ‘… or if the space has been deallocated by a call to free or realloc, the behavior is undefined’
  – exit: ‘… a call to the longjmp function is made that would terminate the call to the registered function, the behavior is undefined’

7 C
    #include <stdio.h>

    int main(void)
    {
        int a = 4;
        int b = 0x40000000;
        int c = a * b + 1;   /* 4 * 2^30 does not fit in a 32-bit int: signed overflow is undefined behaviour */
        printf("%d\n", c);
        return 0;
    }

8 C
    (*pf[f1()]) (f2(), f3() + f4())
  The order in which f1(), f2(), f3() and f4() are called is unspecified.

9 C
    (t4=f4(), t3=f3(), t2=f2(), t1=f1(), (*pf[t1]) (t2, t3 + t4))
  The same call, with the comma operator forcing the order f4, f3, f2, f1.

10 C
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char **argv)
    {
        if (argc < 2) return 1;
        int glob = atoi(argv[1]);
        glob = (glob++, glob) + (glob++, glob);   /* both operands of + modify glob with no sequence point between them: undefined behaviour */
        printf("%d\n", glob);
        return 0;
    }

11 C –O0 (the slide 10 program as compiled without optimisation)
    0x00401085 : call 0x40116c
    0x0040108a : mov %eax,-0x4(%ebp)
    0x0040108d : lea -0x4(%ebp),%eax
    0x00401090 : incl (%eax)
    0x00401092 : lea -0x4(%ebp),%eax
    0x00401095 : incl (%eax)
    0x00401097 : mov -0x4(%ebp),%edx
    0x0040109a : lea -0x4(%ebp),%eax
    0x0040109d : add %edx,(%eax)
    0x0040109f : mov -0x4(%ebp),%eax
    0x004010a2 : mov %eax,0x4(%esp)
    0x004010a6 : movl $0x402000,(%esp)
    0x004010ad : call 0x40115c

12 C –O3 (the same program at -O3)
    0x00401071 : call 0x401140
    0x00401076 : movl $0x402000,(%esp)
    0x0040107d : lea 0x4(%eax,%eax,1),%eax
    0x00401081 : mov %eax,0x4(%esp)
    0x00401085 : call 0x401130
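Slides 7 through 12 show three C fragments whose result depends on undefined or unspecified behaviour. The following program is an added example, not code from the slides: it rewrites each fragment into a form with a defined result. checked_mul_add1() uses the GCC/Clang builtins __builtin_mul_overflow and __builtin_add_overflow (an assumption about the compiler) to report the overflow of slide 7 instead of relying on wraparound; call_sequenced() applies the temporaries of slide 9 and logs the order in which f1..f4 actually run; sequenced_double_inc() sequences the two increments of slide 10 and returns 2*glob+3, whereas the compiled output on slides 11 and 12 computes 2*glob+4 (the lea 0x4(%eax,%eax,1)) because both increments happen before either read. The functions f1..f4 (returning 0, 10, 20 and 3), target() and the call log are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Slide 7: a * b + 1 overflows int. Detect it instead of relying on wraparound.
   __builtin_mul_overflow / __builtin_add_overflow are GCC/Clang builtins (assumption).
   Returns 1 and stores the result in *out, or 0 if any step would overflow. */
int checked_mul_add1(int a, int b, int *out)
{
    int prod, sum;
    if (__builtin_mul_overflow(a, b, &prod)) return 0;   /* 4 * 0x40000000 is caught here */
    if (__builtin_add_overflow(prod, 1, &sum)) return 0;
    *out = sum;
    return 1;
}

/* Slides 8-9: a log of the order in which f1..f4 were called (constructed for the example). */
static char call_log[32];
static void record(const char *name)
{
    strncat(call_log, name, sizeof call_log - strlen(call_log) - 1);
}

static int f1(void) { record("f1 "); return 0; }    /* index into pf[] */
static int f2(void) { record("f2 "); return 10; }
static int f3(void) { record("f3 "); return 20; }
static int f4(void) { record("f4 "); return 3; }

static int target(int x, int y) { return x + y; }
static int (*pf[1])(int, int) = { target };

/* Slide 8 form: the standard does not say in which order f1..f4 are evaluated. */
int call_unspecified(void)
{
    call_log[0] = '\0';
    return (*pf[f1()])(f2(), f3() + f4());
}

/* Slide 9 form: the comma operator sequences the calls, so the order is always f4, f3, f2, f1. */
int call_sequenced(void)
{
    int t1, t2, t3, t4;
    call_log[0] = '\0';
    return (t4 = f4(), t3 = f3(), t2 = f2(), t1 = f1(), (*pf[t1])(t2, t3 + t4));
}

const char *last_call_order(void) { return call_log; }

/* Slide 10: (glob++, glob) + (glob++, glob) modifies glob twice with no sequence
   point between the operands of +. Written as statements the result is fixed: 2*glob + 3.
   The -O0 and -O3 output on slides 11-12 computes 2*glob + 4 instead
   (lea 0x4(%eax,%eax,1)), because both increments happen before either read. */
int sequenced_double_inc(int glob)
{
    glob++;
    int left = glob;
    glob++;
    int right = glob;
    return left + right;
}

int main(void)
{
    int c;
    printf("4 * 0x40000000 + 1: %s\n", checked_mul_add1(4, 0x40000000, &c) ? "ok" : "overflow");
    printf("sequenced call -> %d, order: %s\n", call_sequenced(), last_call_order());
    printf("sequenced_double_inc(5) -> %d\n", sequenced_double_inc(5));
    return 0;
}
```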

13 C
    #include <stdio.h>

    int main(void)
    {
        int x = 4;
        char y[] = "haberdashery";
        printf("%c\n", 4[y]);   /* 4[y] is y[4]: E1[E2] is defined as *((E1)+(E2)), so the operands commute */
        return 0;
    }

14 Basics
    #include <string.h>

    void f(int a, int b, char *c)
    {
        char buf[2];
        strcpy(buf, c);   /* no bound: "zangief" runs past buf into the saved EBP and the return address */
    }

    int main(void)
    {
        char z[] = "zangief";
        f(1, 2, z);
        return 0;
    }

15 Stack diagram at call f(): the arguments 0x00000001, 0x00000002 and the pointer to "zangief\0" have been pushed; $esp points at the top of the stack.

16 Stack diagram after push %ebp: arguments 0x00000001, 0x00000002, pointer to "zangief\0"; return address; $esp -> saved frame pointer.

17 Stack diagram after mov %esp,%ebp: arguments, return address, frame pointer (main() stack frame above); $esp and the frame pointer now both point at the saved frame pointer slot.

18 Same layout as slide 17: f()'s frame is set up.

19 Stack diagram after the strcpy: char[2] buffer holds "za"; the saved frame pointer is overwritten with "ngie"; the return address 0x004010c0 has its low bytes overwritten with "f\0" (shown as 0x0040\00f); the arguments 0x00000001, 0x00000002 and the "zangief\0" pointer are untouched.

20
    0x00401068 : leave
    0x00401069 : ret

21 LEAVE: The LEAVE instruction copies the frame pointer (in the EBP register) into the stack pointer register (ESP), which releases the stack space allocated to the stack frame. The old frame pointer is then popped from the stack into the EBP register, restoring the calling procedure’s stack frame.
   RET: Transfers program control to a return address located on the top of the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL instruction.

22 Stack diagram during leave: $ebp -> the smashed saved frame pointer slot ("ngie"); above it "az" in the buffer, 0x0040\00f in the return address slot, then the arguments 0x00000001, 0x00000002 and "zangief\0".

23 After mov %ebp,%esp: $esp and $ebp both point at the smashed saved frame pointer slot.

24 After pop %ebp: $ebp = 0x6569676e (the bytes "ngie"); $esp -> the smashed return address slot.

25 After ret: $eip = 0x00400066 (0x004010c0 with its low bytes replaced by "f\0"); $esp -> the arguments.

26 Now you’ve owned the stack. Now what?
  – Get shellcode into your string buffer
  – Overwrite eip with address of shellcode

27 Stack diagram: Shellcode | smashed EBP | Ptr to shellcode | args

28 Problems Arise
  How do I know what address my shellcode is at?
  Stack diagram: Shellcode | smashed EBP | ?????????? | args

29 Well you might not guess
  Stack diagram: Shellcode | smashed EBP | Ptr to shellcode | args

30 First Abstract Defense Mechanism
  Why should there ever be a need to execute code off the stack? Well then, make the stack non-executable.
  Boom – screwed.

31 Where to put our shellcode?
  Diagram: Heap, Stack

32 Basics
    void f(int a, int b, char *c)
    {
        char t[8];
        for (; a <= 8; a++) {   /* off-by-one: when a == 8 this writes t[8], one byte past the buffer */
            t[a] = c[a];
        }
    }

    int main(void)
    {
        char z[] = "zangief!";   /* eight characters plus the terminator, so c[8] is '\0' */
        f(0, 2, z);
        return 0;
    }

33 Off-by-one
  Stack diagram: Local buffer | Saved EBP | Saved EIP | args
  leave (mov ebp,esp) (pop ebp)
  ret (pop eip)
  … leave, ret: owned.
  Saved ebp: 0x0022cd28; after the 1-byte overwrite ebp: 0x0022cd00
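Slide 14 copies into buf[2] with strcpy and slide 32 loops up to a <= 8 over t[8]; in both cases the destination size never enters the copy. The following functions are an added example, not code from the slides, showing the same two copies with the size made explicit: bounded_copy() always terminates and tells the caller whether the input was truncated (so an over-long input can be rejected), and f_fixed() is the slide 32 loop with the bound corrected to the buffer size and the count of copied bytes returned so it can be checked. The names and sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Slide 14 with a bound: copy at most dstsz-1 bytes of src into dst and always terminate.
   Returns 1 if src fitted entirely, 0 if it had to be truncated. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return 0;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);   /* keep what fits */
        dst[dstsz - 1] = '\0';         /* and terminate */
        return 0;
    }
    memcpy(dst, src, n + 1);           /* includes the terminator */
    return 1;
}

/* Slide 32 with the bound corrected: the index never reaches sizeof t.
   Returns the number of bytes copied into the local buffer. */
int f_fixed(int a, int b, const char *c)
{
    char t[8];
    int copied = 0;
    (void)b;
    for (; a < (int)sizeof t && c[a] != '\0'; a++) {   /* was a <= 8: t[8] does not exist */
        t[a] = c[a];
        copied++;
    }
    (void)t;
    return copied;
}
```

With the constructed input "zangief", bounded_copy() into a two-byte buffer returns 0 and leaves "z"; f_fixed(0, 2, "zangief!") copies exactly eight bytes and never touches the saved frame pointer.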

34 -fomit-frame-pointer
  With the frame pointer:
    Dump of assembler code for function:
    0x00401130 : push %ebp
    0x00401131 : mov %esp,%ebp
    0x00401133 : sub $0x10,%esp
    0x00401136 : mov 0x8(%ebp),%eax
    0x00401139 : mov %eax,-0x4(%ebp)
    0x0040113c : leave
    0x0040113d : ret
  With -fomit-frame-pointer:
    Dump of assembler code for function:
    0x00401130 : sub $0x10,%esp
    0x00401133 : mov 0x14(%esp),%eax
    0x00401137 : mov %eax,0xc(%esp)
    0x0040113b : add $0x10,%esp
    0x0040113e : ret

35 Heap Overflows Onto Function Pointer

36 Stack Canaries
  /GS flag in Visual Studio
  Protects against buffer overflows – how?

37 Stack Canaries
  Without /GS:
    sub esp,20h
    …
    add esp 20h
    ret
  With /GS:
    sub esp,24h
    mov eax,dword ptr [___security_cookie (408040h)]
    xor eax,dword ptr [esp+24h]
    mov dword ptr [esp+20h],eax
    …
    mov ecx,dword ptr [esp+20h]
    xor ecx,dword ptr [esp+24h]
    add esp,24h
    jmp __security_check_cookie (4010B2h)

38 Stack Canaries
  How do you defeat them?
  – Not all functions get protected
  – Even if they do….
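The /GS sequence on slide 37 stores a cookie (the process-wide __security_cookie XORed with a stack-dependent value) between the local buffer and the saved registers, and recomputes and compares it before the epilogue. The following program is an added example, not code from the slides or from Microsoft's runtime: it models that check on an explicit struct so it runs as ordinary C. frame_enter() plays the prologue (cookie seeded from a per-process secret XORed with the frame's address), frame_write() plays the unchecked copy into the local buffer, and frame_check() plays __security_check_cookie. The layout, the secret value and the all-'A' input are constructed; the saved EBP/EIP values are taken from slides 19 and 33.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A frame laid out as on slide 37: local buffer, then the cookie,
   then the saved frame pointer and return address the cookie protects. */
struct frame {
    char     buf[16];
    uint32_t cookie;
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Stand-in for __security_cookie: a per-process secret (constructed value). */
static const uint32_t security_cookie = 0x4ABCD123u;

/* mov eax,[__security_cookie]; xor eax,<stack value>: tie the cookie to this frame. */
static uint32_t cookie_for(const struct frame *f)
{
    return security_cookie ^ (uint32_t)(uintptr_t)f;
}

/* Prologue: place the cookie between the buffer and the saved registers. */
void frame_enter(struct frame *f, uint32_t saved_ebp, uint32_t saved_eip)
{
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = cookie_for(f);
    f->saved_ebp = saved_ebp;
    f->saved_eip = saved_eip;
}

/* The unchecked copy: n bytes of src starting at buf, running over the cookie and
   the saved registers if n exceeds the buffer. Writing through the struct's own
   bytes keeps this defined C, unlike the real overflow it stands in for. */
void frame_write(struct frame *f, const unsigned char *src, size_t n)
{
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);
}

/* Epilogue: __security_check_cookie. Returns 1 if the frame may return, 0 if it was smashed. */
int frame_check(const struct frame *f)
{
    return f->cookie == cookie_for(f);
}

/* Write n bytes of constructed input into a fresh frame and report whether the check passes. */
int write_passes_check(size_t n)
{
    struct frame f;
    unsigned char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);          /* constructed input */
    frame_enter(&f, 0x0022cd28u, 0x004010c0u); /* saved EBP/EIP values from slides 33 and 19 */
    frame_write(&f, input, n);
    return frame_check(&f);
}

int main(void)
{
    printf("16 bytes: %s\n", write_passes_check(16) ? "cookie intact" : "stack smashed, abort before ret");
    printf("20 bytes: %s\n", write_passes_check(20) ? "cookie intact" : "stack smashed, abort before ret");
    return 0;
}
```

A write that fills exactly the 16-byte buffer passes; one more byte changes the cookie and the epilogue refuses to return. Note what the model also makes visible: the check runs only in the function's own epilogue, so a corrupted saved EIP is caught, but anything that transfers control before that epilogue (the SEH chain on the following slides) is not covered by this mechanism.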

39 SEH – Windows Structured Exception Handling
    typedef struct _EXCEPTION_REGISTRATION_RECORD {
        struct _EXCEPTION_REGISTRATION_RECORD *Next;
        PEXCEPTION_ROUTINE Handler;
    } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

40 SEH
  Diagram: a linked list of records, each (Ptr to next, Ptr to Handler), ending with Next = 0xffffffff.

41 Abusing SEH
  Diagram: buffer | Saved ebp | Saved eip | (Ptr to next, Ptr to Handler) records…
  The overwritten record's Ptr to next holds a short jmp and its Ptr to Handler points at a pop $x / pop $y / ret sequence; the shellcode follows.

42 Software DEP
  Safe Structured Exception Handling (SafeSEH)
  Compile time – /SafeSEH option in Visual Studio

43 SafeSEH
  IE8 on XP SP3: (screenshot)

44 SEHOP – SEH Overwrite Protection
  SEHOP is enabled by default on Windows Server 2008 and disabled by default on Windows Vista SP1. Can be turned on via the registry.

45 SEHOP
  Diagram: (Ptr to next, Ptr to Handler) records chained down to (Ptr to next, Ptr to final handler) in Ntdll!FinalException.

46 Memory
  Interview question used at Google & MSFT:
  – How would you find out if a machine’s stack grows up or down in memory?

47
    #include <stdio.h>

    void sub(int *a)
    {
        int b;
        /* Compares the address of a local in this frame with one in the caller's frame.
           The C standard leaves comparison of pointers to different objects unspecified;
           it works on ordinary compilers because frames are laid out contiguously. */
        if (&b > a) {
            printf("Stack grows up. a:%p b:%p\n", (void *)a, (void *)&b);
        } else {
            printf("Stack grows down. a:%p b:%p\n", (void *)a, (void *)&b);
        }
    }

    int main(void)
    {
        int a;
        sub(&a);
        return 0;
    }

48 Memory
  Actual memory isn’t top-down and can be all over the place.
  Gaps cause problems for us, because we might want some memory layout continuity.

49 Virtual memory
  Diagram: stack, heap

50 Actual virtual memory: (screenshot)

51 Filling the gaps
  How?

52 Heap spray example
  What is a heap spray?
  – Just fill memory
  – Was popularized before DEP was implemented
  – Easy to do with anything: Flash, JavaScript in the browser, script in a PDF, images, Java, HTML

53 Actual spray => (screenshot)

54 Hardware DEP
  Included in all newer Windows-supported processors (Intel x86/IA-64, AMD amd64, ARM ARMv6). If the no-execute bit is set for the page that the CPU is executing code on (for instance a page mapped as PAGE_READWRITE), the CPU will generate a STATUS_ACCESS_VIOLATION (0xC0000005) access violation exception.

55 DEP
  /noexecute [OptIn | OptOut | AlwaysOn | AlwaysOff]
  – Opt-In (default for XP SP2, XP SP3 and Vista): DEP is enabled only for processes that explicitly opt in to DEP.
  – Opt-Out (default for Windows Server 2003 and Windows Server 2008): DEP is enabled by default for all processes except those that explicitly opt out of DEP.
  – Always On: DEP is always enabled for all processes, regardless of whether the program is compatible with DEP or not.
  – Always Off: DEP is always disabled for all processes.

56 DEP
  In the KPROCESS struct:
    typedef struct _KEXECUTE_OPTIONS {
        ULONG ExecuteDisable: 1;
        ULONG ExecuteEnable: 1;
        ULONG DisableThunkEmulation: 1;
        ULONG Permanent: 1;
        ULONG ExecuteDispatchEnable: 1;
        ULONG ImageDispatchEnable: 1;
        ULONG Spare: 2;
    } KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;

57 DEP
  – SetProcessDEPPolicy()
  – NtSetProcessInformation()
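Slide 54 states what the hardware does when an instruction is fetched from a page whose no-execute bit is set. The following program is an added example, not code from the slides: it verifies that the platform it runs on actually enforces that, using the POSIX mmap/mprotect interface instead of the Windows VirtualAlloc/VirtualProtect and SetProcessDEPPolicy calls the slides name (an assumption about the build environment; on Windows the same check is PAGE_EXECUTE_READ versus PAGE_READWRITE). It writes a single return instruction into a fresh page, calls the page once mapped read+execute and once read+write, and catches the resulting fault with a signal handler so the program survives to report it. The instruction encodings and the __builtin___clear_cache call are GCC/Clang and x86/AArch64 specific.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_jmp;

/* SIGSEGV/SIGBUS handler: the fetch from the non-executable page faulted; unwind. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

/* Encoding of a bare 'return' for the architectures this example supports. */
static size_t ret_instruction(unsigned char *out)
{
#if defined(__x86_64__) || defined(__i386__)
    out[0] = 0xC3;                                            /* ret */
    return 1;
#elif defined(__aarch64__)
    const unsigned char ret[4] = { 0xC0, 0x03, 0x5F, 0xD6 };  /* ret, little-endian */
    memcpy(out, ret, 4);
    return 4;
#else
#error "no return-instruction encoding for this architecture"
#endif
}

/* Place a 'ret' in a fresh page, set the page protection to prot, and call it.
   Returns 1 if it executed, 0 if the CPU raised a fault, -1 on setup failure. */
int try_execute_with_prot(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    ret_instruction(page);
    __builtin___clear_cache((char *)page, (char *)page + pagesz);  /* I-cache coherence on AArch64 */
    if (mprotect(page, pagesz, prot) != 0) {   /* PROT_READ|PROT_WRITE leaves the NX bit set */
        munmap(page, pagesz);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int executed;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer without a cast warning */
        fn();                            /* with PROT_EXEC this simply returns; without it the CPU faults */
        executed = 1;
    } else {
        executed = 0;                    /* arrived here from on_fault */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return executed;
}

int main(void)
{
    printf("read+exec  page: %s\n",
           try_execute_with_prot(PROT_READ | PROT_EXEC) == 1 ? "executed" : "faulted");
    printf("read+write page: %s\n",
           try_execute_with_prot(PROT_READ | PROT_WRITE) == 0 ? "faulted (NX enforced)" : "executed");
    return 0;
}
```

The second call is the case slide 54 describes: data the program itself wrote is fetched as code and the processor refuses. A -1 from either call means the environment would not grant the requested mapping at all (for example a policy that forbids anonymous executable memory), which is a stricter setting than DEP, not a failure of it.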

58 Diagram: stack, heap – can’t execute code here

59 Defeating DEP
  Any ideas?

60 Assigned Reading
  – The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
  – The Advanced Return-into-lib(c) Exploits: PaX case study
  – x86-64 Buffer Overflow Exploits and the Borrowed Code Chunks Exploitation Technique

61 Assigned Reading
  Why were these papers good/bad?

62 Assigned Reading
  Evolutionary exploitation techniques
  Hey, it’s easier to just jmp into .text segments

63
    int system(const char *command);

64 Ret2libc Fundamentals
  Normal frame: Local buffer | Saved EBP | Saved EIP | args
  Smashed frame: Local buffer | Smashed ebp | Address of system() | Fake retaddr | char * -> “useradd mac –g wheel”

65 Stack diagram: Local buffer | Smashed ebp | Address of system() | Fake retaddr | arg1 -> “useradd mac –g wheel”
  $esp -> Address of system(), at 0x0040108c : ret

66 Now system() does its thing… (0x004010db : ret)

67 Now we land at the fake retaddr, and $esp points to arg1!

68 Ret2libc limitations
  Stack diagram: Local buffer | Address of system() | Next function() to call | char *
  system() stack frame: the next function gets the same argument as we passed to system()!

69 So we can only call one func… damn

70 Or can we… How can we string together multiple calls?

71 esp lifting with frame pointers
  Normal frame: Local buffer | Saved EBP | Saved EIP | args
  Smashed frame: Local buffer | Address of setuid() | Address of pop-ret | setuid() arg | Address of system() | 0xffffffff | system() arg

72 $esp -> Address of setuid(); 0x0040108c : ret

73 0x0040108c : ret; $esp -> setuid() frame

74 0x100bc0c0: pop

75 0x100bc0c0: ret; $esp -> Address of system()

76 In system(): here system will return into 0xffffffff

77 Advancements…
  If using -fomit-frame-pointers:
    Dump of assembler code for function g:
    0x00401130 : sub $0x10,%esp
    0x00401133 : mov 0x14(%esp),%eax
    0x00401137 : mov %eax,0xc(%esp)
    0x0040113b : add $0x10,%esp
    0x0040113e : ret

78 esp lifting
  Normal frame: Local buffer | Saved EBP | Saved EIP | args
  Smashed frame: Local buffer | Address of setuid() | Address of epilog | setuid() arg | PAD | Address of system() | 0xffffffff | system() arg
  args + pad = stack adjustment

79 Frame Faking
  Normal frame: Local buffer | Saved EBP | Saved EIP | args
  Faked frames: Local buffer | Fake ebp0 | Addr of leave-ret | Fake ebp1 | Addr of setuid() | Addr of leave-ret | Arg to setuid() | Fake ebp2 | Addr of system() | Addr of leave-ret | Arg to system()

80 ROP!
  Return oriented programming
  – logical extension of ret2libc
  – can use chunks from anywhere

81 ROP!
  Normal frame: Local buffer | Saved EBP | Saved EIP | args
  Smashed frame: Smashed buffer | Smashed ebp | pop %eax ; ret | Syscall index | pop %esp ; ret | (empty) | lcall %gs:0x10(,0) ; ret | args

82 What if …
    pop %ebp
    leave
    ret

83 Defeating DEP
  – Might be able to turn it off by jumping to SetProcessDEPPolicy()
  – Allocate some memory that’s executable – VirtualAlloc()
  – Change permissions on already allocated memory – VirtualProtect()
  – Write directly to already executable memory – WriteProcessMemory()

84 Whew..
  So wow, things look pretty bad right?
  – Welllllll….
  – What ways can we prevent these types of attacks?

85 Linux ASLR (screenshot)

86 ASLR
  – A 32-bit address space prevents serious randomization of ‘objects’
  – Executables will have 255 possible load address locations, offset from the preferred image base
  – The first DLL (NTDLL.DLL) will load in 1 of 256 possible locations, but the order in which following DLLs are loaded will be randomized
  – Thread stacks start at a maximum offset of 7FC bytes from the stack base
  – The process heap will start at a maximum offset of 2MB from the heap base

87 Exploitation Timeline

88 Exploitation Timeline

89 Windows Security Mechanisms

90 Mac’s Conjecture
  To own, you must do one of the following:
  – (1) introduce/execute arbitrary code
  – (2) execute existing code out of original program order
  – (3) execute existing code in original program order with arbitrary data

91 Where’s the FEEB – Instruction Set Randomization
  Diagram: Encoded Instruction Stream -> Encoding Key -> CPU

92 Take a closer look…

93 … Weeee
  Via “Punk Ode: Hiding Shellcode in Plain Sight”, Greg MacManus

94 Assignment
  – NIST configured XP images – Federal Desktop Core Configuration – http://nvd.nist.gov/fdcc/
  – Compiled webserver – coded in C – in C:\project\httpd.exe
  – RE/debugging tools already installed
  – I (should) have DVDs to hand out

95 Assignment
  2 ways to complete it
  – Figure out the secret (standard)
  – Own the process (advanced)
  Plural of bonus:
  – Don’t use my exploit.c: find the vuln yourself, and own the httpd
  – Don’t crash the httpd

96 This page intentionally left blank

