Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCIT417. CVE-2014-1776 (UAF) CVE-2014-0322 (UAF) CVE-2013-3918 (ICARDIE) CVE-2013-3897 (UAF) CVE-2013-3893 (UAF) CVE-2013-3163 (UAF) IE CVE-2014-1761.

Similar presentations


Presentation on theme: "PCIT417. CVE-2014-1776 (UAF) CVE-2014-0322 (UAF) CVE-2013-3918 (ICARDIE) CVE-2013-3897 (UAF) CVE-2013-3893 (UAF) CVE-2013-3163 (UAF) IE CVE-2014-1761."— Presentation transcript:

1 PCIT417

2 CVE (UAF) CVE (UAF) CVE (ICARDIE) CVE (UAF) CVE (UAF) CVE (UAF) IE CVE (RTF) CVE (OGL) CVE (PNG) CVE (MSCOMCTL) Office CVE (Flash) CVE (Flash) CVE (PDF+EoP) CVE (PDF XFA) Adobe

3

4

5

6 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

7

8 app.exe user32.dll ssleay32.dll ntdll.dll app.exe user32.dll ssleay32.dll ntdll.dll app.exe user32.dll ssleay32.dll ntdll.dll Boot 1 Boot 2 Boot 3 process address space

9 Exploit: Partial overwrite Only the high-order two bytes are randomized in image mappings Low-order two bytes can be overwritten to return into another location within a mapping Overwriting 0x c with 0x Target address can be used to pivot Local Variables Saved EBP Return addres s Buffer overflow memcpy( dest,  Stack buf src,  Controlled length);  Controlled

10 app.exe user32.dll kernel32.dll ntdll.dll app.exe user32.dll kernel32.dll ntdll.dll app.exe user32.dll kernel32.dll ntdll.dll Boot 1 Boot 2Boot 3 process address space

11

12 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

13

14 void foo(char *szIn, int i) { int j = 0; char szOut[8]; strcpy(szOut, szIn); } Pushed Arguments EIP = Return of main() EBP - Frame Pointer Higher Addresses Function main () stack area j szIn i szOut

15 Pushed Arguments EIP = Return of main() EBP - Frame Pointer Higher Addresses Function main () stack area j = 0x0 szIn i C:\foo “AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30” szOut= 0x

16 Pushed Arguments Return address = 0x30B0116C EBP = 0x Higher Addresses Function main () stack area j = 0x szOut= AAAAAAAA szIn i C:\foo “AAAAAAAAAAAAAAAA\x06C\x11\xB0\x30” Return address of main() changed to point to a malicious code area

17 Pushed Arguments Return address = 0x30B0116C EBP = 0x Higher Addresses Function main () stack area Malicious Code szIn i C:\foo “AAAAAAAAAAAAAAAA\x06C\x11\xB0\x30” !!pwn3d!!

18 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

19 Local variables Previous Stack frame … Exception Registration Record NextHandler Buffer overflow void vulnerable(char *ptr){ char buf[128]; strcpy(buf, ptr); } void parent(char *ptr) { try { vulnerable(ptr); … exception … } except(…) { } }

20 Exploit: SEH Overwrite NH NH NH app!_except_handler4 k32!_except_handler4 ntdll!_except_handler4 0xfffffff f Normal SEH Chain NH 0x7c1408ac 0x414106e b Corrupt SEH Chain An exception will cause 0x7c1408ac to be called as an exception handler as: EXCEPTION_DISPOSITION Handler( PEXCEPTION_RECORD Exception, PVOID EstablisherFrame, PCONTEXT ContextRecord, PVOID DispatcherContext); pop eax ret

21 NH NH app!_except_handler4 k32!_except_handler4 NH ntdll!FinalExceptionHand ler NH app!_main+0x1c 0x Can’t reach validation frame! Valid SEH ChainInvalid SEH Chain ?

22 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

23

24

25 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

26

27 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

28 EAF DR0  kernel32[eat] DR1  ntdll[eat] DR2  kernelbase[eat]

29 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

30

31 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

32

33 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

34

35 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

36

37 OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

38 FLASH Vector JSCRIPT9 Array VGX CDashStyle KERNEL32 MZ/PE IAT/EAT NTDLL MZ/PE IAT/EAT

39

40 Subscribe to our fortnightly newsletter Free Virtual Hands-on Labs Free Online Learning Sessions on Demand

41

42


Download ppt "PCIT417. CVE-2014-1776 (UAF) CVE-2014-0322 (UAF) CVE-2013-3918 (ICARDIE) CVE-2013-3897 (UAF) CVE-2013-3893 (UAF) CVE-2013-3163 (UAF) IE CVE-2014-1761."

Similar presentations


Ads by Google