Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bypassing MS Windows Memory Protections

Similar presentations

Presentation on theme: "Bypassing MS Windows Memory Protections"— Presentation transcript:

1 Bypassing MS Windows Memory Protections
1st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities Shahriyar Jalayeri

2 Who am I ? Security researcher since 2005
Senior Member of Snoop Security Researching community Writer and Technical Editor of Snoop Magazine ( First Persian Technical Information Security Magazine ) University student

3 What is this talk about? Overview of Softwares Security Flaws
Deep looking at OS protection mechanismes Explaining ways to bypass some of OS PM

4 Security Flaws Stack Based Buffer Overflow Heap Based Buffer Owerflow
Format String etc

5 Stack Based Buffer Overflow
an old story  Programer Copy Buffer entry into stack without bound checking Stack corrupted and FramePointer+Saved Return Address overwritten The BAD ret Instruction

6 Stack Based Buffer Overflow ( Cont. )
Stack.c #include <stdio.h> Int main( int argc, char **argv){ char buff[100]; strcpy(buff,argv[1]); printf(“Hello , %s!\n”,buff); return 0; } Overflow occured here

7 Stack Based Buffer Overflow ( Cont. )
Args Saved Ret Saved FP B U F E R 0xHighMemAddr 0xLowStackAddr Args Saved Ret Saved FP B U F E R A Stack Layout Overflow 0xLowMemAddr 0xHighStackAddr

8 Stack Based Buffer Overflow ( Cont. )
The BAD ret instruction ( and also leave :D ) 004012DC |. 83C ADD ESP,10 004012DF |. C LEAVE 004012E0 \. C RETN Args Saved Ret Saved FP B U F E R A Overflow EIP Boom

9 Heap Overflow Heap Structure LIST_ENTRY Structure ( WinNT.h )
FreeList array Pointer to free heap blocks typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink; } LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

10 Heap Overflow ( cont. ) Heap.c HANDLE h = HeapCreate(0, 0, 0);
DWORD vulner(LPVOID str) { LPVOID mem = HeapAlloc(h, 0, 128); // <..> strcpy(mem, str); LPVOID mem2 = HeapAlloc(h, 0, 128); return 0; } Overflow Affected Memory

11 Heap Overflow ( cont. ) Freeing Scenario and Pointers ( without Safeunlinking ) BOOLEAN RemoveEntryList(IN PLIST_ENTRY Entry) { PLIST_ENTRY Blink; PLIST_ENTRY Flink; Flink = Entry->Flink; // what Blink = Entry->Blink; // where Blink->Flink = Flink; // *(where) = what Flink->Blink = Blink; // *(what+4) = where return (BOOLEAN)(Flink == Blink); }

12 Heap Overflow ( Cont. ) Freeing Scenario and Pointers ( without Safeunlinking ) Disass... Exploitation Scenario mov dword ptr [ecx],eax mov dword ptr [eax+4],ecx EAX - Flink ECX - Blink ECX = Function Pointer EAX = Instruction which transfer execution to shellcode

13 Heap Overflow ( Cont. ) Function pointers which can overwrite during unlinking ( ECX ) Unhandled Exception Filter Vector Exception Handling ( VEH ) PEB Pointers TEB Pointers Your own pointer !

14 Format String Using format specified functions in wrong way
Printf(buffer) We are able to overwrite arbitrary address Mentioned pointers can be good target Saved Return Address !!!

15 Memory Protections Protections against buffer overflow
Guard Stack ( a.k.a /GS ) Data Execution Prevention ( a.k.a DEP or /NXCOMPAT ) Safe SEH Table ( a.k.a /SafeSEH ) SEH Overwrite Protection ( a.k.a SEHOP ) Address Space Layout Randomization ( a.k.a ASLR or /DYNAMICBASE )

16 Guard Stack ( /GS ) Protection
Compiler Insert Cookie after Function Stack Frame There is also a copy of cookie in .data section Before function return cookie check with .data saved cookie If dose not match , Ret instruction never execute In overflow situation we have to overwrite cookie befor reaching “Saved Return Address” Now what ?

17 Guard Stack ( /GS ) Protection ( cont. )
Memory Layout Parameters Parameters Parameters Return Address Return Address Return Address Frame Pointer Frame Pointer Frame Pointer Cookie Cookie Locals Exception Handler Frame Exception Handler Frame (1) Locals Without Cookie MSVC MSVC Locals (2) Safe Parameters (3)

18 Guard Stack ( /GS ) Protection ( cont. )
Parameters Q : What is Safe Parameters ? A : Function pointer overwrite prevention trick Prevention is better than cure :D Return Address #include <windows.h> int main(int argc, char *argv[]){ HMODULE Lib=NULL; unsigned int FuncAddress = 0; int err = 0; Lib = LoadLibrary("msvcrt.dll"); FuncAddress = GetProcAddress(Lib,"printf"); err = DoStuff(argv[1],FuncAddress); return 0; } int DoStuff(char *buf, FARPROC fnk){ char buffer[20]=""; strcpy(buffer,buf); (fnk)(buffer); __asm add esp,4 Frame Pointer Cookie Exception Handler Frame Locals Safe Parameters

19 Guard Stack ( /GS ) Protection ( cont. )
When /GS dose not protect your Code ? The optimization (O) option is not enabled The function does not contain a stack buffer The function is marked with naked in C++ The function has a variable argument list The function begins with inline assembly code The compiler determines that the function’s variables are used only in ways that are less likely to be exploitable

20 Guard Stack ( /GS ) Protection ( cont. )
Implementation ___security_init_cookie() Protected function prologue changes Protected function epilogue changes __security_check_cookie() ___report_gsfailure()

21 Guard Stack ( /GS ) Protection Reversing in Action Just trigger IDA

22 Security Init Cookie /GS Reversing ___security_init_cookie()
void __cdecl __security_init_cookie(void){ UINT_PTR cookie; if (__security_cookie != DEFAULT_SECURITY_COOKIE && (__security_cookie & 0xFFFF0000) != 0 ){ __security_cookie_complement = ~__security_cookie; return; } GetSystemTimeAsFileTime(&systime.ft_struct); cookie = systime.ft_struct.dwLowDateTime; cookie ^= systime.ft_struct.dwHighDateTime; cookie ^= GetCurrentProcessId(); cookie ^= GetCurrentThreadId(); cookie ^= GetTickCount(); QueryPerformanceCounter(&perfctr); cookie ^= perfctr.LowPart; cookie ^= perfctr.HighPart; if (cookie == DEFAULT_SECURITY_COOKIE){ cookie = DEFAULT_SECURITY_COOKIE + 1; else if ((cookie & 0xFFFF0000) == 0){ cookie |= cookie << 16; __security_cookie = cookie; __security_cookie_complement = ~cookie; /GS Reversing ___security_init_cookie()

23 Prologue /GS Reversing Protected function prologue changes
UINT_PTR cookie_temp_storage,cookie_global; cookie_temp_storage = 0xCCCCCCCC; cookie_temp_storage = __security_cookie; // cookie_temp_storage = cookie_temp_storage ^ EBP; // cookie_global = cookie_temp_storage; __asm { xor cookie_temp_storage, ebp mov dword prt [ebp-4],cookie_temp_storage } /GS Reversing Protected function prologue changes

24 Epilogue /GS Reversing Protected function eplilogue changes
cookie_temp_storage = cookie_global; // cookie_temp_storage = cookie_temp_storage ^ EBP; __asm{ xor cookie_temp_storage, ebp } __security_check_cookie(); /GS Reversing Protected function eplilogue changes

25 Memory Protections /GS Reversing __security_check_cookie()
void __security_check_cookie(){ if ( cookie_temp_storage == __security_cookie ) return; __report_gsfailure(); } /GS Reversing __security_check_cookie()

26 Report Gs Failure /GS Reversing ___report_gsfailure()
void __report_gsfailure(){ // rise an fake exception // saving the contex record codes skiped :D GS_ContextRecord.ContextFlags = CONTEXT_CONTROL; GS_ExceptionRecord.ExceptionAddress = (PVOID)(ULONG_PTR)GS_ContextRecord.Eip; GS_ExceptionRecord.ExceptionCode = STATUS_STACK_BUFFER_OVERRUN; GS_ExceptionRecord.ExceptionFlags = EXCEPTION_NONCONTINUABLE; cookie[0] = __security_cookie; cookie[1] = __security_cookie_complement; if ( IsDebuggerPresent() ) _CRT_DEBUGGER_HOOK(_CRT_DEBUGGER_GSFAILURE); SetUnhandledExceptionFilter(NULL); UnhandledExceptionFilter((EXCEPTION_POINTERS *)&GS_ExceptionPointers); TerminateProcess(GetCurrentProcess(), STATUS_STACK_BUFFER_OVERRUN); } /GS Reversing ___report_gsfailure()

27 Defeating /Gs Scenario
Puting shellcode into buffer Overwrite EXCEPTION_REGISTRATION Next = jump to shellcode Handler = call [ebp+30] or pop,pop,ret or ... Causing an exception before coockie check BOOOOM!!!

28 Exception Handling Overview
When exception occured os call _except_handler() function The location of handler function is store into stack by EXCEPTION_REGISTRATION structure ( E_R ) Os find address of first regsiter E_R by accessing to fisrt 4 byte of thread TEB OS access to TEB through fs register Fs[0] alwayes point to first installed E_R in TEB typedef struct EXCEPTION_REGISTRATION{ EXCEPTION_REGISTRATION *next; PEXCETION_HANDLER *handler; }EXCEPTION_REGISTRATION, *PEXCEPTION_REGISTRATION;

29 Exception Handling Overview ( cont. )
There is chain of E_R structures in stack If one hanlder faild to handle exception , chain traversealed to find a proper handler

30 Abusing registered E_R
We can control value of both next and handler elements of a registerd E_R Overwiting handle with shellcode address and cusing an exception ,then boom ??? No !!! There is some problems  If handler address is in stack , handler never execute If handler address is in heap , handler execute  Finding writeable heap address in stack overflow situation is usualy impossible  Now what ?

31 Abusing registered E_R ( cont. )
Rules are implemnted just for handler, we still have control over next pointer Secund parameter of _except_handler() function which is EstablisherFrame point to curent EXCEPTION_REGISTRATION frame We can access to this address by poping off two value from stack and then returning to it : pop,pop,ret There is also other instructions which work same as pop,pop,ret sequence, such as : Call dword ptr[ebp+30] Jmp dword ptr [esp+8]

32 Abusing registered E_R ( cont. )
Our attack scenario : Puting shellcode into buffer Overwriting handler with pop,pop,ret instructions Overwriting next with jump to the buffer Cuasing an exception Boom !!! But there is another problem : /SafeSEH 

33 /SafeSEH Protection Create a table of safe handlers
Compare each handler value with table values If handler value is in safe table , handler excecute If not , go to treminate process with STATUS_STACK_BUFFER_OVERRUN flag

34 /SafeSEH Protection Weaknesses
If program doesnt compile with /SafeSEH every handlers are valid and execute If handler address is in module which doesnt handle with /SafeSEH , handler execute If handler address is outside of loaded module, handler execute

35 Bypassing /GS , /SafeSEH attack scenario
Target : Vista SP1 EN XP SP3 EN NOP Shellcode 0x Return Address Jmp to Jmp 0xbuffer Adress of Pop,Pop,Ret or Call dword ptr [ebp+30] instruction Jump to Buffer instructions Handler

36 Bypassing /GS , /SafeSEH Protection in Action Just trigger debuuger

37 /GS Null Byte problem In this case we can use 0x00 in data If can’t ?
Find address for pop,pop,ret which dosen’t contain 0x00 Put shellcode after overwrited E_R Overwrite next with jmp forward to shellcode Boom!

38 Data Execution Prevention
Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system DEP enables the system to mark one or more pages of memory as non-executable DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools If an application attempts to run code from a data page that is protected, a memory access violation exception occurs if the exception is not handled, the calling process is terminated

39 Data Execution Prevention ( Implementation )
Hardware-enforced DEP enables the NX bit on compatible CPUs, through the automatic use of PAE kernel in 32-bit Windows The NX bit ( XD/EVP), which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions or for storage of data Physical Address Extension (PAE) is a feature of x86 and x86-64 processors that enable the use of more than 4 gigabytes[1] of physical memory to be used in 32-bit systems In traditional 32-bit protected mode, x86 processors use a two-level page translation scheme, where the control register CR3 points to a single 4 KB long page directory, which is divided into 1024 × 4 byte entries The NX bit flag in the page directory, in bit 63, to mark pages as "No eXecute" Similat technologies : W^X , PAX , Exec Shield

40 Data Execution Prevention ( Implementation Cont. )
Software DEP, while unrelated to the NX bit, is what Microsoft calls their enforcement of "Safe Structured Exception Handling“ Software DEP/SafeSEH simply checks when an exception is thrown to make sure that the exception is registered in a function table for the application requires the program to be built with it

41 Data Execution Prevention (Configuration )
OptIn: DEP is enabled by default for limited system binaries and programs that "opt in". With this option, only Windows system binaries are covered by DEP OptOut: DEP is enabled by default for all processes. A list of specific programs that should not have DEP applied can be entered using the System dialog box in Control Panel. AlwaysOn: This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. AlwaysOff: This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support.

42 Bypassing DEP Scenario
The very easy way Using newly added DEP related API SetProcessDEPPolicy Fucntion Thr easy way: Filling buffer with shellcode Calling NtSetInformationProcess with Desire parameters to disable DEP for Current Process Jumping into buffer ( jmp esp) The hard way : Making a page RWX by calling VirtualAlloc function Copying Shellcode to RWX memry region through calling memcpy Jumping to RWX memory region

43 The very easy way We can change DEP policy for spesific process at run-time. We will use SetProcessDEPPolicy with desire parameters setting dwFlags to 0 disables DEP for the process Jump back to shellcode BOOL WINAPI SetProcessDEPPolicy( DWORD dwFlags );

44 Finall attack scenario
The very easy way Target : XP SP3 EN NOP Shellcode Return Address SetProcessDEPPolicy Shellcode addr 0x

45 Bypassing DEP Protection ( very easy way ) in
Action Just trigger debugger

46 The easy way We can change DEP policy for spesific process at run-time. LdrpCheckNXCompatibility determine whether or not NX support should be enabled for the process As a result of these checks, NX support is either enabled or disabled through a new PROCESSINFOCLASS named ProcessExecuteFlags (0x22). When we calling NtSetInformationProcess 4 byte bit-mask parameter push to the buffer as parameter for MmSetExecuteOptions MmSetExecuteOptions perform appropriate operation to set the executio flag Parameters which we can pass to NtSetInformationProcess are : MEM_EXECUTE_OPTION_ENABLE ( 0x1 ) MEM_EXECUTE_OPTION_DISABLE (0x2 ) So ,all we have to do is calling NtSetInformationProcess with mentioned parameters for current process at the overflow time

47 The easy way ( cont. ) Take a quick look at NtSetInformationProcess :
We can find NtSetInformationProcess Calling with desire parameters in a few dlls , such as : ntdll.dll , acgenral.dll , .... In exploit code i use ntdll instruction sequence becaus : is more interesting than direct call in acgenrall.dll .... Maybe our program dosnt load acgenral.dll... For acgenral.dll call ,Just search this sequence of byte in selected dll by msfpescan: Msfpescan –r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF“ NtSetInformationProcess( NtCurrentProcess(), // (HANDLE)-1 ProcessExecuteFlags, // 0x22 &ExecuteFlags, // ptr to 0x2 sizeof(ExecuteFlags)); // 0x4 push 4;lea eax, [ebp+arg_0];push eax;push 22h;push 0FFFFFFFFh

48 The easy way ( cont. ) IDA View :D

49 Finall attack scenario
The easy way Target : XP SP3 EN NOP Shellcode Return Address NtSetInformationProcess Some Pad NtSetInfo Return Address Jump to Buffer

50 Bypassing DEP Protection ( easy way ) in Action Just trigger debugger

51 The Hard way calling VirtualAlloc function as return address and allocate commited memory with RWX protection mode set flAllocationType to MEM_COMMIT And flProtect to PAGE_EXECUTE_READWRITE LPVOID WINAPI VirtualAlloc( __in LPVOID lpAddress, __in SIZE_T dwSize, __in DWORD flAllocationType, __in DWORD flProtect );

52 The Hard way ( cont. ) After VirtualAlloc returned , we call memcpy and copy shellcode into allocated RWX memory region set dest to Allocated unit by VirtualAlloc And scr to shellcode address in buffer Trick : You can also call VirtualProtect to make shellcode location executable ( no memcpy needed ) void *memcpy( void *dest, const void *src, size_t count );

53 The Hard way ( cont. ) VirtualAlloc function has __cdecl calling convention So ,Calling function pops it’s the arguments from the stack What we have to do if we want to call another function which has calling convention that not clear stack after call ? We can use pop,ret instruction Pop reg ret N time N = function arguments count

54 Finall attack scenario
Shellcode The hard way Target : XP SP3 EN VirtualAlloc Memcpy Mem Addr Saved Return Address Shellcode Size MEM_COMMIT PAGE_EXECUTE_READWRITE Mem Addr Shellcode Addr Mem Addr Shellcode Size

55 Bypassing DEP Protection ( hard way ) in Action Just trigger debuuger

56 DEP Null Byte problem In this case we can use 0x00 in data If can’t ?
Use swquence of functions which dosent need 0x00 in arguments Use NtSetInformationProcess method which dosnt need any null byte

57 DEP Vista problem In Windows Vista, NX cannot be disabled once turned on for a process now? If can use null byte , VirtualAlloc+memcpy or VritualProtect functions are handy ! ( without ASLR , in browser exploitation also with ASLR ) If cant , i dont know the asnwer ...

58 Address Space Layout Randomazation
ASLR randomizes the location of images (PE files mapped into memory), heaps, stacks,the PEB and TEBs When a new address is being selected as an image base for an executable, a random delta value is added to or subtracted from the ImageBase value in the executable's PE header This delta value is calculated by taking a random 8-bit value from the RDTSC counter and multiplying it by 64KB

59 Address Space Layout Randomazation ( cont. )
Heap Randmoazation 5-bit random value is generated multiplied by 64K This value used as an offset from the base address returned by the NtAllocateVirtualMemory

60 Address Space Layout Randomazation ( cont. )
Stack Randmoazation base of the stack is chosen randomly offset into the initial page where the stack starts getting used is also chosen at random

61 Bypassing ASLR Scenario
Heap Spray Allocating larg amount of heap blocks Filling Heap Blocks withNop and Shellcode Use randomly address base on allocated units base address and 64kb alignment Filling buffer with return address JavaScript !!! Browser dependent limitation ( or every progarm which allow us to make big block of heaps)

62 Memory Protections Demo HeapSpray Technique

63 Heap Spray notes IE disallow address which contain non-ascii bytes
Address most be taken base on heap blocks count Using ascii sequnce address are highly recommend Address such as : 0x , 0x0d0d0d0d , 0x0a0a0a0a You can also use Heap-Feng-Shui method instead of HeapSpray

64 Bypassing ASLR Protection in Action Just trigger debugger

65 SEH Overwrite Protection ( SEHOP )
FinalExceptionHandler function in NTDLL.DLL is registered as the first exception handler in all theads As additional exception handlers are registered, they form a linked list with the last record always pointing to FinalExceptionHandler The exception dispatcher walks this linked list and verifies that the last record still points to that Function If an attacker overwrites the Next field of an exception handler record, the validation loop will not reach the last record and the SEH chain corruption will be detected

66 SEHOP ( Implementation )
Skape offer ( current implementation is abit diff ) CurrentRecord = fs:[0]; ChainCorrupt = TRUE; while (CurrentRecord != 0xffffffff) { if (IsInvalidAddress(CurrentRecord->Next)) break; if (CurrentRecord->Next == ValidationFrame) { ChainCorrupt = FALSE; } CurrentRecord = CurrentRecord->Next; if (ChainCorrupt == TRUE) ReportExploitationAttempt();

67 SEHOP bypassing theories
Exist theory One potential way to bypass this protection is to point the overwritten Next pointer to a fake SEH record that points to the FinalExceptionHandler function. However, the ASLR implementation inVista randomizes the address of the function and makes it impossible to for an attacker to terminate the SEH chain unless they have a way to bypass ASLR My theory

68 Combined Protections Bypassing Scenarios
/Gs , /SafeSEH /Gs , /SafeSEH , DEP ASLR , DEP /Gs , /SafeSEH , ASLR , DEP

69 Bypassing Combined Protection in Action Just trigger debugger

70 Thank you for attending
Question ?

Download ppt "Bypassing MS Windows Memory Protections"

Similar presentations

Ads by Google