PCIT417

CVE (UAF) CVE (UAF) CVE (ICARDIE) CVE (UAF) CVE (UAF) CVE (UAF) IE CVE (RTF) CVE (OGL) CVE (PNG) CVE (MSCOMCTL) Office CVE (Flash) CVE (Flash) CVE (PDF+EoP) CVE (PDF XFA) Adobe

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

app.exe user32.dll ssleay32.dll ntdll.dll app.exe user32.dll ssleay32.dll ntdll.dll app.exe user32.dll ssleay32.dll ntdll.dll Boot 1 Boot 2 Boot 3 process address space

Exploit: Partial overwrite Only the high-order two bytes are randomized in image mappings Low-order two bytes can be overwritten to return into another location within a mapping Overwriting 0x c with 0x Target address can be used to pivot Local Variables Saved EBP Return addres s Buffer overflow memcpy( dest,  Stack buf src,  Controlled length);  Controlled

app.exe user32.dll kernel32.dll ntdll.dll app.exe user32.dll kernel32.dll ntdll.dll app.exe user32.dll kernel32.dll ntdll.dll Boot 1 Boot 2Boot 3 process address space

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

void foo(char *szIn, int i) { int j = 0; char szOut[8]; strcpy(szOut, szIn); } Pushed Arguments EIP = Return of main() EBP - Frame Pointer Higher Addresses Function main () stack area j szIn i szOut

Pushed Arguments EIP = Return of main() EBP - Frame Pointer Higher Addresses Function main () stack area j = 0x0 szIn i C:\foo “AAAAAAAAAAAAAAAA\x6C\x11\xB0\x30” szOut= 0x

Pushed Arguments Return address = 0x30B0116C EBP = 0x Higher Addresses Function main () stack area j = 0x szOut= AAAAAAAA szIn i C:\foo “AAAAAAAAAAAAAAAA\x06C\x11\xB0\x30” Return address of main() changed to point to a malicious code area

Pushed Arguments Return address = 0x30B0116C EBP = 0x Higher Addresses Function main () stack area Malicious Code szIn i C:\foo “AAAAAAAAAAAAAAAA\x06C\x11\xB0\x30” !!pwn3d!!

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

Local variables Previous Stack frame … Exception Registration Record NextHandler Buffer overflow void vulnerable(char *ptr){ char buf[128]; strcpy(buf, ptr); } void parent(char *ptr) { try { vulnerable(ptr); … exception … } except(…) { } }

Exploit: SEH Overwrite NH NH NH app!_except_handler4 k32!_except_handler4 ntdll!_except_handler4 0xfffffff f Normal SEH Chain NH 0x7c1408ac 0x414106e b Corrupt SEH Chain An exception will cause 0x7c1408ac to be called as an exception handler as: EXCEPTION_DISPOSITION Handler( PEXCEPTION_RECORD Exception, PVOID EstablisherFrame, PCONTEXT ContextRecord, PVOID DispatcherContext); pop eax ret

NH NH app!_except_handler4 k32!_except_handler4 NH ntdll!FinalExceptionHand ler NH app!_main+0x1c 0x Can’t reach validation frame! Valid SEH ChainInvalid SEH Chain ?

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

EAF DR0  kernel32[eat] DR1  ntdll[eat] DR2  kernelbase[eat]

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

OS and per process memory mitigations Per process only memory mitigations Non-memory mitigation New TP mitigation

FLASH Vector JSCRIPT9 Array VGX CDashStyle KERNEL32 MZ/PE IAT/EAT NTDLL MZ/PE IAT/EAT

Subscribe to our fortnightly newsletter Free Virtual Hands-on Labs Free Online Learning Sessions on Demand