PCIT417
Figure: sampled vulnerabilities by product and bug class (CVE numbers elided on this copy). IE: UAF, UAF, ICARDIE, UAF, UAF, UAF. Office: RTF, OGL, PNG, MSCOMCTL. Adobe: Flash, Flash, PDF+EoP, PDF XFA.
Legend: OS and per-process memory mitigations; per-process-only memory mitigations; non-memory mitigation; new TP mitigation.
Figure: process address space across Boot 1, Boot 2 and Boot 3, showing where app.exe, user32.dll, ssleay32.dll and ntdll.dll are mapped on each boot.
Exploit: Partial overwrite
- Only the high-order two bytes are randomized in image mappings.
- The low-order two bytes can be overwritten to return into another location within the same mapping.
- Overwriting 0x…c with 0x… (full addresses not preserved on this copy).
- The target address can be used to pivot.
Stack layout (low to high): Local Variables | Saved EBP | Return address
Buffer overflow:
    memcpy(dest,    /* stack buf */
           src,     /* controlled */
           length); /* controlled */
Figure: process address space across Boot 1, Boot 2 and Boot 3, showing where app.exe, user32.dll, kernel32.dll and ntdll.dll are mapped on each boot.
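A worked example of the partial-overwrite arithmetic from the slide above, added here and not part of the original deck. It models a 32-bit image whose base is relocated at 64 KiB granularity, so only the high two bytes of an in-image address vary between boots; the base range 0x30000000, the 8 bits of base entropy, and the RVAs used are constructed assumptions for the simulation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed 32-bit model from the slide: ASLR relocates an image to a 64 KiB-aligned
 * base, so only the high-order two bytes of any address inside the image change
 * between boots; the low-order two bytes are fixed by the RVA. */
#define IMAGE_BASE_LO 0x30000000u   /* constructed: start of the base range */
#define BASE_ENTROPY  0x100u        /* constructed: 8 bits of base entropy */

/* Pick a randomized, 64 KiB-aligned image base for one "boot". */
static uint32_t random_base(void) {
    return IMAGE_BASE_LO + ((uint32_t)(rand() % BASE_ENTROPY) << 16);
}

/* The attacker writes only the low two bytes of the saved return address; the
 * high two bytes keep whatever the (unknown) base gave them. */
static uint32_t partial_overwrite(uint32_t saved_ret, uint16_t low_bytes) {
    return (saved_ret & 0xFFFF0000u) | low_bytes;
}

/* A two-byte overwrite reaches target_rva from a return address at ret_rva on
 * every boot iff both RVAs lie in the same 64 KiB window of the image. */
static int reachable_by_partial_overwrite(uint32_t ret_rva, uint32_t target_rva) {
    return (ret_rva & 0xFFFF0000u) == (target_rva & 0xFFFF0000u);
}

/* Simulate `trials` boots and count how often the redirected return lands on
 * the intended target. Fixed seed so the result is reproducible. */
static int hits_over_boots(uint32_t ret_rva, uint32_t target_rva, int trials) {
    int hits = 0;
    srand(1);
    for (int i = 0; i < trials; i++) {
        uint32_t base      = random_base();
        uint32_t saved_ret = base + ret_rva;      /* what the frame holds */
        uint32_t want      = base + target_rva;   /* where we want to land */
        uint32_t got = partial_overwrite(saved_ret, (uint16_t)(target_rva & 0xFFFF));
        if (got == want) hits++;
    }
    return hits;
}

int main(void) {
    printf("same 64K window:  %d/256 boots hit\n", hits_over_boots(0x1234, 0x1A10, 256));
    printf("other 64K window: %d/256 boots hit\n", hits_over_boots(0x1234, 0x21A10, 256));
    printf("0x30B01234 with low bytes 0x1A10 -> 0x%08X\n",
           partial_overwrite(0x30B01234u, 0x1A10));
    return 0;
}
```

The second case shows the limit of the technique: once the target sits in a different 64 KiB window than the return address, the untouched high bytes no longer agree with the base and the pivot misses on every boot.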
Stack overflow walkthrough

    void foo(char *szIn, int i)
    {
        int j = 0;
        char szOut[8];
        strcpy(szOut, szIn);   /* no length check: any szIn of 8 or more bytes overflows szOut */
    }

Stack frame of foo() (higher addresses at the top):
    Function main() stack area
    Pushed arguments: i, szIn
    EIP = return address into main()
    EBP = frame pointer saved by foo()
    j
    szOut

Step 1, before the copy: the program is invoked as C:\foo "AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30"; j = 0x0 and szOut has not been written yet (its value is elided on the slide).
Step 2, after strcpy: the 16 'A' bytes fill szOut (8 bytes), j (4 bytes) and the saved EBP (4 bytes), so szOut = "AAAAAAAA", j = 0x41414141 and EBP = 0x41414141; the next four bytes 6C 11 B0 30 land on the return address, which now reads 0x30B0116C (little-endian). The return address into main() has been changed to point at the malicious code area.
Step 3, when foo() returns: execution continues at 0x30B0116C, inside the attacker-controlled "Malicious Code" region. !!pwn3d!!
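The walkthrough above, carried through in code as an added example (not from the original deck): a builder for the 20-byte input that overwrites the return address, a check for the strcpy() NUL-byte constraint the slide does not mention, and a bounds-checked replacement for foo(). The 16-byte offset follows the frame layout on the slide; foo_safe() is my hardened variant, not the deck's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout from the walkthrough: szOut[8], then j (4 bytes), then the saved
 * EBP (4 bytes), then the return address. Sixteen filler bytes reach the return slot. */
#define OFFSET_TO_RET 16
#define PAYLOAD_LEN   (OFFSET_TO_RET + 4)

/* Build the 20-byte input from the slides for a chosen 32-bit target address.
 * x86 is little-endian, so 0x30B0116C is written as the bytes 6C 11 B0 30. */
static void build_payload(uint32_t target, uint8_t out[PAYLOAD_LEN]) {
    memset(out, 'A', OFFSET_TO_RET);
    for (int b = 0; b < 4; b++)
        out[OFFSET_TO_RET + b] = (uint8_t)(target >> (8 * b));
}

/* Read back the value that would overwrite the return address. */
static uint32_t ret_from_payload(const uint8_t *p) {
    uint32_t v = 0;
    for (int b = 0; b < 4; b++) v |= (uint32_t)p[OFFSET_TO_RET + b] << (8 * b);
    return v;
}

/* strcpy() stops at the first NUL, so a target address containing a zero byte
 * cannot be delivered whole through this bug. */
static int target_survives_strcpy(uint32_t target) {
    for (int b = 0; b < 4; b++)
        if (((target >> (8 * b)) & 0xFF) == 0) return 0;
    return 1;
}

/* Hardened foo(): refuse input that does not fit instead of truncating silently.
 * Returns 0 on success, -1 if szIn would overflow szOut. */
static int foo_safe(const char *szIn, int i) {
    char szOut[8];
    size_t n = strlen(szIn);
    (void)i;
    if (n >= sizeof szOut) return -1;     /* 8 or more bytes plus NUL would overflow */
    memcpy(szOut, szIn, n + 1);
    return 0;
}

int main(void) {
    uint8_t p[PAYLOAD_LEN + 1];
    build_payload(0x30B0116Cu, p);
    p[PAYLOAD_LEN] = 0;                    /* terminate so it can be passed as a C string */
    printf("return address would become 0x%08X\n", ret_from_payload(p));
    printf("target has no NUL byte: %d\n", target_survives_strcpy(0x30B0116Cu));
    printf("foo_safe(payload) = %d\n", foo_safe((const char *)p, 0));
    return 0;
}
```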
SEH-based stack overflow

    void vulnerable(char *ptr)
    {
        char buf[128];
        strcpy(buf, ptr);      /* overflows buf upward into the exception registration record */
    }

    void parent(char *ptr)
    {
        __try {
            vulnerable(ptr);
            … exception …
        } __except (…) {
        }
    }

Stack (low to high): Local variables | … | Exception Registration Record (NextHandler, Handler) | Previous stack frame. The buffer overflow grows toward higher addresses, so it reaches the registration record before the saved return address of the enclosing frame.
Exploit: SEH overwrite
Normal SEH chain: NH -> app!_except_handler4; NH -> k32!_except_handler4; NH -> ntdll!_except_handler4; NH = 0xffffffff (end of chain).
Corrupt SEH chain: NH = 0x414106eb, Handler = 0x7c1408ac. In memory NH is the byte sequence EB 06 41 41, a short jump over the Handler field into the bytes that follow it.
An exception will cause 0x7c1408ac to be called as an exception handler as:

    EXCEPTION_DISPOSITION Handler(
        PEXCEPTION_RECORD Exception,
        PVOID             EstablisherFrame,
        PCONTEXT          ContextRecord,
        PVOID             DispatcherContext);

Gadget at 0x7c1408ac: pop eax / ret.
SEH chain validation
Valid SEH chain: NH -> app!_except_handler4; NH -> k32!_except_handler4; NH -> ntdll!FinalExceptionHandler.
Invalid SEH chain: NH -> app!_main+0x1c; NH = 0x…; ? Can't reach validation frame!
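The two slides above as an added example (not from the original deck): a constructed 32-bit stack holding the registration records, a walker that applies the checks the slide's "validation frame" implies (each record inside the stack, aligned, above the previous one, and the chain terminating in ntdll!FinalExceptionHandler), and the contrast with a dispatcher that calls the first record's handler without walking the chain. The stack base, the handler addresses for app and k32 and the FinalExceptionHandler address are constructed; 0x7c1408ac and 0x414106eb are the values from the slide.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86 SEH registration record as it sits on the stack. */
typedef struct ExcReg {
    uint32_t next;      /* NextHandler: address of the next record; 0xffffffff ends the chain */
    uint32_t handler;   /* address of the handler routine */
} ExcReg;

#define CHAIN_END 0xffffffffu

/* Constructed 32-bit stack: records live in this array, and "addresses" are
 * offsets from STACK_BASE so the walker can apply real bounds checks. */
#define STACK_BASE  0x0012f000u
#define STACK_WORDS 64
static uint32_t stack_mem[STACK_WORDS];
#define STACK_LIMIT (STACK_BASE + sizeof stack_mem)

/* Constructed stand-ins for the symbols on the slide, plus the slide's own values. */
#define APP_EXCEPT_HANDLER4 0x00401230u   /* constructed */
#define K32_EXCEPT_HANDLER4 0x7c839ac0u   /* constructed */
#define NTDLL_FINAL_HANDLER 0x7c9037bfu   /* constructed */
#define GADGET_POP_RET      0x7c1408acu   /* from the slide */
#define JMP_SHORT_PAD       0x414106ebu   /* from the slide: bytes EB 06 41 41 */

static void write_rec(uint32_t addr, uint32_t next, uint32_t handler) {
    uint32_t *p = &stack_mem[(addr - STACK_BASE) / 4];
    p[0] = next; p[1] = handler;
}
static ExcReg read_rec(uint32_t addr) {
    uint32_t *p = &stack_mem[(addr - STACK_BASE) / 4];
    ExcReg r = { p[0], p[1] };
    return r;
}

/* Chain validation: every record must be inside the stack, 4-byte aligned and
 * above the previous one, and the last record must point at the OS's final
 * handler. Returns 1 if the chain validates, 0 otherwise. */
static int sehop_validate(uint32_t head) {
    uint32_t cur = head, prev = 0;
    for (int depth = 0; depth < 1000; depth++) {             /* loop guard */
        if (cur == CHAIN_END) return 0;                      /* never saw the final handler */
        if (cur < STACK_BASE || cur + 8 > STACK_LIMIT || (cur & 3) || cur <= prev)
            return 0;                                        /* 0x414106eb fails here */
        ExcReg r = read_rec(cur);
        if (r.next == CHAIN_END) return r.handler == NTDLL_FINAL_HANDLER;
        prev = cur; cur = r.next;
    }
    return 0;
}

/* Without chain validation the dispatcher invokes the first record's handler
 * before it ever looks at NextHandler. Returns the handler that would be called. */
static uint32_t first_handler_called(uint32_t head) { return read_rec(head).handler; }

static uint32_t build_valid_chain(void) {
    memset(stack_mem, 0, sizeof stack_mem);
    write_rec(STACK_BASE + 0x10, STACK_BASE + 0x40, APP_EXCEPT_HANDLER4);
    write_rec(STACK_BASE + 0x40, STACK_BASE + 0x80, K32_EXCEPT_HANDLER4);
    write_rec(STACK_BASE + 0x80, CHAIN_END,         NTDLL_FINAL_HANDLER);
    return STACK_BASE + 0x10;
}

/* The same chain after the overflow has smashed the first record. */
static uint32_t build_corrupt_chain(void) {
    uint32_t head = build_valid_chain();
    write_rec(head, JMP_SHORT_PAD, GADGET_POP_RET);
    return head;
}

int main(void) {
    uint32_t v = build_valid_chain();
    printf("valid chain:   validate=%d first handler=0x%08X\n", sehop_validate(v), first_handler_called(v));
    uint32_t c = build_corrupt_chain();
    printf("corrupt chain: validate=%d first handler=0x%08X\n", sehop_validate(c), first_handler_called(c));
    return 0;
}
```

The corrupt chain is rejected because its NextHandler points outside the stack, so the walk can never reach the validation frame; a dispatcher that skips the walk would already be executing the gadget at 0x7c1408ac.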
EAF (Export Address table Filtering): hardware debug registers armed on the export address tables of the modules that shellcode resolves APIs from. DR0 -> kernel32 EAT; DR1 -> ntdll EAT; DR2 -> kernelbase EAT.
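An added example of why EAF catches API-resolving shellcode (not code from the deck or from any EAF implementation). It builds a stripped-down export directory for one module, resolves an export by name the way position-independent shellcode does, and routes every read through a model of a 4-byte hardware read watchpoint. The export layout, names and RVAs are constructed, and the assumption that the watchpoint covers the AddressOfFunctions field of the export directory is mine; the same arming repeats for each of the three modules the slide lists.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, stripped-down module image: only the export directory fields a
 * name resolver needs. Real PE headers (MZ/PE, data directories) are not modelled. */
#define IMG_SIZE    0x200
static uint8_t image[IMG_SIZE];
#define EXPDIR_RVA  0x10   /* +0 AddressOfFunctions, +4 AddressOfNames, +8 AddressOfNameOrdinals, +12 NumberOfNames */
#define FUNCS_RVA   0x40
#define NAMES_RVA   0x60
#define ORDS_RVA    0x80
#define STRINGS_RVA 0xA0

/* EAF model: one 4-byte hardware read watchpoint per protected module (DR0..DR2).
 * Assumption for this example: it covers the AddressOfFunctions field, which any
 * walk of the export table has to read. */
static uint32_t watch_rva[3];
static int watch_n;
static int eaf_trips;

static void eaf_arm(uint32_t rva) { if (watch_n < 3) watch_rva[watch_n++] = rva; }
static void eaf_disarm(void) { watch_n = 0; }

/* Every 32-bit read the resolver makes goes through here, as the CPU would see it. */
static uint32_t rd32(uint32_t rva) {
    for (int i = 0; i < watch_n; i++)
        if (rva + 4 > watch_rva[i] && rva < watch_rva[i] + 4) eaf_trips++;
    uint32_t v; memcpy(&v, image + rva, 4); return v;
}
static uint16_t rd16(uint32_t rva) { uint16_t v; memcpy(&v, image + rva, 2); return v; }
static void wr32(uint32_t rva, uint32_t v) { memcpy(image + rva, &v, 4); }
static void wr16(uint32_t rva, uint16_t v) { memcpy(image + rva, &v, 2); }

/* Populate the constructed export table with three names. */
static void build_image(void) {
    static const char *names[] = { "GetProcAddress", "LoadLibraryA", "WinExec" };
    static const uint32_t func_rva[] = { 0x1000, 0x2000, 0x3000 };   /* constructed */
    uint32_t str = STRINGS_RVA;
    memset(image, 0, sizeof image);
    wr32(EXPDIR_RVA + 0, FUNCS_RVA); wr32(EXPDIR_RVA + 4, NAMES_RVA);
    wr32(EXPDIR_RVA + 8, ORDS_RVA);  wr32(EXPDIR_RVA + 12, 3);
    for (uint32_t i = 0; i < 3; i++) {
        strcpy((char *)image + str, names[i]);
        wr32(NAMES_RVA + 4 * i, str);
        str += (uint32_t)strlen(names[i]) + 1;
        wr16(ORDS_RVA + 2 * i, (uint16_t)i);
        wr32(FUNCS_RVA + 4 * i, func_rva[i]);
    }
}

/* What position-independent shellcode does: names -> ordinal -> function RVA.
 * Returns the export's RVA, or 0 if the name is not exported. */
static uint32_t resolve_export(const char *name) {
    uint32_t funcs = rd32(EXPDIR_RVA + 0), names = rd32(EXPDIR_RVA + 4);
    uint32_t ords  = rd32(EXPDIR_RVA + 8), count = rd32(EXPDIR_RVA + 12);
    for (uint32_t i = 0; i < count; i++) {
        uint32_t name_rva = rd32(names + 4 * i);
        if (strcmp((const char *)image + name_rva, name) == 0)
            return rd32(funcs + 4 * rd16(ords + 2 * i));
    }
    return 0;
}

/* Resolve with EAF armed on this module's export directory. Returns the number
 * of watchpoint hits the lookup generated; EAF turns the first one into a kill. */
static int trips_for_lookup(const char *name, uint32_t *rva_out) {
    build_image();
    eaf_disarm(); eaf_trips = 0;
    eaf_arm(EXPDIR_RVA);               /* DR0 -> this module's EAT pointer */
    *rva_out = resolve_export(name);
    return eaf_trips;
}

int main(void) {
    uint32_t rva;
    int trips = trips_for_lookup("WinExec", &rva);
    printf("WinExec -> RVA 0x%04X, EAF trips: %d\n", rva, trips);
    return 0;
}
```

Legitimate callers going through GetProcAddress are inside the module images that EAF exempts; the point of the watchpoint is that a resolver running from the heap or stack cannot find an export without touching the watched field.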
Figure: FLASH Vector; JSCRIPT9 Array; VGX CDashStyle; KERNEL32 MZ/PE header, IAT/EAT; NTDLL MZ/PE header, IAT/EAT.