SlideShare une entreprise Scribd logo

Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]

Télécharger en tant que PPTX, PDF
securityxploded
securityxploded

This presentation is part of our Reverse Engineering & Malware Analysis Training program. For more details refer our Security Training page http://securityxploded.com/security-training.php

Technologie
1  sur  30
www.SecurityXploded.com
Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
Acknowledgement  Special thanks to Null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the Trainers who have devoted their precious time and countless hours to make it happen.  Thanks to ThoughtWorks for the beautiful and bigger venue. www.SecurityXploded.com
Reversing & Malware Analysis Training This presentation is a part of our Reverse Engineering & Malware Analysis training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
Who am I #1 Amit Malik (sometimes DouBle_Zer0,DZZ)  Member SecurityXploded & Garage4Hackers  Security Researcher @ McAfee Labs  RE, Exploit Analysis/Development, Malware Analysis  Email: m.amit30@gmail.com www.SecurityXploded.com
Agenda  The material in this presentation is a bit complicated so I will be using the zig-zag approach.  Recap  Protections (GS and SAFESEH)  Client side exploits and Heap Spray  Protections (DEP)  Protections (ASLR)  If time permits then few words on the following:  Heap buffer overflows www.SecurityXploded.com
Recap  In previous session we covered:  Stack based buffer overflow ○ EIP overwrite (saved return address) ○ SEH Overwrite  We also discussed “why we need pop pop ret or other similar instruction in SEH overflow”  Now Question: Which one is more reliable or considered to be more reliable in terms of exploitation ?  Consider we have overwritten EIP and SEH successfully. www.SecurityXploded.com
Protections Enforced by OS and Processor ASLR DEP SEHOP Forced GS Cookies SAFESEH ASLR *Safe unlinking, Heap cookies etc. are also protection methods added into the OS. www.SecurityXploded.com
Protections for stack based buffer overflow (Primary)  Fortunately or Unfortunately both protection schemes are based on compiler/Linker options. EIP Overwrite ? SEH Overwrite ? GS Cookie SafeSEH (SEHop*)  * SEHOP is a different protection scheme based on run time SEH chain validation, It is not based on compiler options however can be enabled or disabled through registry. www.SecurityXploded.com
GS Cookie (/GS)  Put some random value (cookie – 32 bit) on stack before return address.  While returning, compare the value of saved cookie, if not same then we have an overwrite.  Generate “ Security Exception (if any)”, terminate the Application. www.SecurityXploded.com
/GS Cookie Cont... Function Start: Cookie check function (see “function end” in below picture.) Function end: www.SecurityXploded.com
/GS Cookie Bypass  Generate exception before cookie check  Code dependent – if some overwritten variables are used before function return.  Overwrite stack up to the end, further overwrite will generate exception  Back to the question which exploitation (EIP or SEH) is more reliable ?  SEH method is considered to be a bit more safe and reliable regardless of this bypassing technique. www.SecurityXploded.com
/GS Cookie Bypass Cont.. Leverage the implementation. Did you see something ? www.SecurityXploded.com
SafeSEH  Compiler [Linker] /SAFESEH option  Static list of known good exception handlers for the binary.  Checks every time when a handler is called against the static list, if not in the list then handler is invalid and takes preventive measures.  Load configuration directory stores meta information about safe exception handlers.  If any module is not compiled with /SAFESEH then no check is done to ensure the integrity of the handler for that module. www.SecurityXploded.com
/SAFESEH Bypassing  If any loaded module in the vulnerable binary is not /SAFESEH compiled then no check is done to ensure the integrity of the handler for that module, so we can use any p/p/r address from that module.  Use the address that is outside the address range of loaded modules.  Importance of forward and backward jump. nseh payload Forward Backward seh nseh jump jump payload seh www.SecurityXploded.com
DEP (Data Execution Prevention)  Two types:  Software DEP (forget it)  Hardware DEP (NX/XD enabled processors) – we will be talking about it in the rest of the session.  We can’t execute the code from non executable area anymore.  We are directly dealing with processer in this case. www.SecurityXploded.com
DEP (HW) Bypass  ROP (Return Oriented Programming)  Use the system/existing code  How stack works ?  Main theme  Either make non executable area executable  Or allocate new area with executable permissions  How ? ○ Well, use ROP  www.SecurityXploded.com
Stack Heap Flipping (Stack Pivoting)  I think this deserve a dedicated slide  Depending on the conditions we may have large ROP payload while space on stack may be less or may be our entire payload is on heap.  Flip the heap on to the stack so that we can get larger room.  Instructions like XCHG ESP[REG], REG[ESP] can be used.  We can also jump inside the valid instructions to change their meaning.  Example: jump one byte inside “setz al” instruction ( From Adobe U3D exploit in wild) www.SecurityXploded.com
DEP (HW) Bypass (DEMO)  Methods  HeapCreate  VirtualAlloc  VirtualProtect  WriteProcessMemory (DEMO – simple, easy, demonstrate the entire concept – XpSp3)  Often times the small code chunks in ROP are termed as “gadgets” www.SecurityXploded.com
DEP (HW) Bypass (DEMO) http://vimeo.com/49069964 www.SecurityXploded.com
ASLR  Address Space Layout Randomization  Involves randomly positioning the memory areas like base address of the binary, position of stack and heap.  Compiler[linker] /DYNAMICBASE option www.SecurityXploded.com
ASLR Bypass  Search for Non-ASLR loaded libraries in the vulnerable application or if possible load one.   JRE ?  Memory leaks  Brute force  Heavily depends on vulnerability conditions www.SecurityXploded.com
Client Side Exploits  Exploits that targets client applications like browsers, plugins, media players, readers etc.  Much more dangerous then any other form of exploits  Huge impact and landscape  Provides solid infection vector  Big malicious infrastructure.  Botnets, DDOS, Spam etc. www.SecurityXploded.com
Heap Spray  A technique used in client side exploits  IT’S NOT A VULNERABILITY or CLASS OF VUL.  It’s a technique used for code execution.  Think about the followings again:  EIP overwrite  SEH overwrite • What we used in the above and why we used that ?  Heap spray provides very simple method for code execution. www.SecurityXploded.com
Heap Spray Cont...  Fortunately or unfortunately client side scripting languages like javascript, vbscript etc. provides methods to allocate and deallocate memory on the client.  Which means we can make invalid memory addresses valid. 0x200... 0x300.. 0x500.. Valid address invalid address range Before Allocation (allocated area) 0x200... 0x400.. 0x500.. After Allocation Valid address invalid address range (0x300.. To 0x400.. (allocated area) Is valid now) www.SecurityXploded.com
Heap Spray Cont..  Allocate memory and fill with nop + shellcode  Overwrite the EIP or SEH with any address within the newly allocated area (the nop region).  Here EIP overwrite or SEH overwrite can be by any means.  Stack buffer overflow, Heap buffer overflow, memory corruption, use after free etc.. www.SecurityXploded.com
Heap Spray (DEMO – IEPeers Vulnerability (IE6, IE7) http://vimeo.com/49070337 www.SecurityXploded.com
Heap Spray (Stability Comments)  Use intelligent guesses  Stability depends on the exploitation conditions  Fragmented heap, choose little higher addresses.  Large number of allocations, choose little lower addresses  www.SecurityXploded.com
Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com
Thank You ! www.SecurityXploded.com

Recommandé

Primer on password security
Primer on password securityPrimer on password security
Primer on password security
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasures
n|u - The Open Security Community
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 

Recommandé

Primer on password security
Primer on password securityPrimer on password security
Primer on password security
securityxploded
 
Reversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basicsReversing & malware analysis training part 3 windows pe file format basics
Reversing & malware analysis training part 3 windows pe file format basics
securityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
securityxploded
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
securityxploded
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
securityxploded
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasures
n|u - The Open Security Community
 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
securityxploded
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
securityxploded
 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
securityxploded
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
securityxploded
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
securityxploded
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
securityxploded
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
securityxploded
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
securityxploded
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
securityxploded
 
Reversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingReversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversing
Cysinfo Cyber Security Community
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advanced
Cysinfo Cyber Security Community
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
securityxploded
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automation
Cysinfo Cyber Security Community
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
securityxploded
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guide
Cysinfo Cyber Security Community
 
Reversing malware analysis training part7 unpackingupx
Reversing malware analysis training part7 unpackingupxReversing malware analysis training part7 unpackingupx
Reversing malware analysis training part7 unpackingupx
Cysinfo Cyber Security Community
 
Dissecting Android APK
Dissecting Android APKDissecting Android APK
Dissecting Android APK
Cysinfo Cyber Security Community
 
Reversing malware analysis training part2 introduction to windows internals
Reversing malware analysis training part2 introduction to windows internalsReversing malware analysis training part2 introduction to windows internals
Reversing malware analysis training part2 introduction to windows internals
Cysinfo Cyber Security Community
 
Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
Abdulrahman Bassam
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 

Contenu connexe

Tendances

Tendances (20)

Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of MalwaresAdvanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
 
Reversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future RoadmapReversing & Malware Analysis Training Part 13 - Future Roadmap
Reversing & Malware Analysis Training Part 13 - Future Roadmap
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis TechniquesAdvanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
 
Reversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversingReversing malware analysis training part6 practical reversing
Reversing malware analysis training part6 practical reversing
 
Reversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advancedReversing malware analysis training part11 exploit development advanced
Reversing malware analysis training part11 exploit development advanced
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Advanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automationAdvanced malware analysis training session5 reversing automation
Advanced malware analysis training session5 reversing automation
 
Advanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to androidAdvanced malware analysis training session8 introduction to android
Advanced malware analysis training session8 introduction to android
 
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
Reversing & Malware Analysis Training Part 6 - Practical Reversing (I)
 
Reversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guideReversing malware analysis training part1 lab setup guide
Reversing malware analysis training part1 lab setup guide
 
Reversing malware analysis training part7 unpackingupx
Reversing malware analysis training part7 unpackingupxReversing malware analysis training part7 unpackingupx
Reversing malware analysis training part7 unpackingupx
 
Dissecting Android APK
Dissecting Android APKDissecting Android APK
Dissecting Android APK
 
Reversing malware analysis training part2 introduction to windows internals
Reversing malware analysis training part2 introduction to windows internalsReversing malware analysis training part2 introduction to windows internals
Reversing malware analysis training part2 introduction to windows internals
 

Similaire à Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]

Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
Abdulrahman Bassam
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
FFRI, Inc.
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
Abdulrahman Bassam
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
Abdulrahman Bassam
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
Abdulrahman Bassam
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics
Abdulrahman Bassam
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a Hacker
Rob Gillen
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 

Similaire à Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced] (20)

Reversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advancedReversing & malware analysis training part 11 exploit development advanced
Reversing & malware analysis training part 11 exploit development advanced
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalsReversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics Reversing & malware analysis training part 5 reverse engineering tools basics
Reversing & malware analysis training part 5 reverse engineering tools basics
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guide
 
Reversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basicsReversing & malware analysis training part 10 exploit development basics
Reversing & malware analysis training part 10 exploit development basics
 
OpenStack Tokyo Talk Application Data Protection Service
OpenStack Tokyo Talk Application Data Protection ServiceOpenStack Tokyo Talk Application Data Protection Service
OpenStack Tokyo Talk Application Data Protection Service
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics
 
Embedded systems
Embedded systemsEmbedded systems
Embedded systems
 
ETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a HackerETCSS: Into the Mind of a Hacker
ETCSS: Into the Mind of a Hacker
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
 
Securing Cassandra for Compliance
Securing Cassandra for ComplianceSecuring Cassandra for Compliance
Securing Cassandra for Compliance
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 

Plus de securityxploded

Plus de securityxploded (20)

Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
Understanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case StudyUnderstanding CryptoLocker (Ransomware) with a Case Study
Understanding CryptoLocker (Ransomware) with a Case Study
 
Linux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon SandboxLinux Malware Analysis using Limon Sandbox
Linux Malware Analysis using Limon Sandbox
 
Introduction to SMPC
Introduction to SMPCIntroduction to SMPC
Introduction to SMPC
 
Breaking into hospitals
Breaking into hospitalsBreaking into hospitals
Breaking into hospitals
 
Bluetooth [in]security
Bluetooth [in]securityBluetooth [in]security
Bluetooth [in]security
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Automating Malware Analysis
Automating Malware AnalysisAutomating Malware Analysis
Automating Malware Analysis
 
Reverse Engineering Malware
Reverse Engineering MalwareReverse Engineering Malware
Reverse Engineering Malware
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attack
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
 
Hunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of MemoryHunting Rootkit From the Dark Corners Of Memory
Hunting Rootkit From the Dark Corners Of Memory
 
Return Address – The Silver Bullet
Return Address – The Silver BulletReturn Address – The Silver Bullet
Return Address – The Silver Bullet
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
 
Hunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory ForensicsHunting Ghost RAT Using Memory Forensics
Hunting Ghost RAT Using Memory Forensics
 
Malicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine LearningMalicious Url Detection Using Machine Learning
Malicious Url Detection Using Machine Learning
 
MalwareNet Project
MalwareNet ProjectMalwareNet Project
MalwareNet Project
 

Dernier

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]

  • 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the trainer’s only and nothing to do with the company or the organization in which the trainer is currently working. However in no circumstances neither the trainer nor SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here. www.SecurityXploded.com
  • 3. Acknowledgement  Special thanks to Null & Garage4Hackers community for their extended support and cooperation.  Thanks to all the Trainers who have devoted their precious time and countless hours to make it happen.  Thanks to ThoughtWorks for the beautiful and bigger venue. www.SecurityXploded.com
  • 4. Reversing & Malware Analysis Training This presentation is a part of our Reverse Engineering & Malware Analysis training program. Currently it is delivered only during our local meet for FREE of cost. For complete details of this course, visit our Security Training page. www.SecurityXploded.com
  • 5. Who am I #1 Amit Malik (sometimes DouBle_Zer0,DZZ)  Member SecurityXploded & Garage4Hackers  Security Researcher @ McAfee Labs  RE, Exploit Analysis/Development, Malware Analysis  Email: m.amit30@gmail.com www.SecurityXploded.com
  • 6. Agenda  The material in this presentation is a bit complicated so I will be using the zig-zag approach.  Recap  Protections (GS and SAFESEH)  Client side exploits and Heap Spray  Protections (DEP)  Protections (ASLR)  If time permits then few words on the following:  Heap buffer overflows www.SecurityXploded.com
  • 7. Recap  In previous session we covered:  Stack based buffer overflow ○ EIP overwrite (saved return address) ○ SEH Overwrite  We also discussed “why we need pop pop ret or other similar instruction in SEH overflow”  Now Question: Which one is more reliable or considered to be more reliable in terms of exploitation ?  Consider we have overwritten EIP and SEH successfully. www.SecurityXploded.com
  • 8. Protections Enforced by OS and Processor ASLR DEP SEHOP Forced GS Cookies SAFESEH ASLR *Safe unlinking, Heap cookies etc. are also protection methods added into the OS. www.SecurityXploded.com
  • 9. Protections for stack based buffer overflow (Primary)  Fortunately or Unfortunately both protection schemes are based on compiler/Linker options. EIP Overwrite ? SEH Overwrite ? GS Cookie SafeSEH (SEHop*)  * SEHOP is a different protection scheme based on run time SEH chain validation, It is not based on compiler options however can be enabled or disabled through registry. www.SecurityXploded.com
  • 10. GS Cookie (/GS)  Put some random value (cookie – 32 bit) on stack before return address.  While returning, compare the value of saved cookie, if not same then we have an overwrite.  Generate “ Security Exception (if any)”, terminate the Application. www.SecurityXploded.com
  • 11. /GS Cookie Cont... Function Start: Cookie check function (see “function end” in below picture.) Function end: www.SecurityXploded.com
  • 12. /GS Cookie Bypass  Generate exception before cookie check  Code dependent – if some overwritten variables are used before function return.  Overwrite stack up to the end, further overwrite will generate exception  Back to the question which exploitation (EIP or SEH) is more reliable ?  SEH method is considered to be a bit more safe and reliable regardless of this bypassing technique. www.SecurityXploded.com
  • 13. /GS Cookie Bypass Cont.. Leverage the implementation. Did you see something ? www.SecurityXploded.com
  • 14. SafeSEH  Compiler [Linker] /SAFESEH option  Static list of known good exception handlers for the binary.  Checks every time when a handler is called against the static list, if not in the list then handler is invalid and takes preventive measures.  Load configuration directory stores meta information about safe exception handlers.  If any module is not compiled with /SAFESEH then no check is done to ensure the integrity of the handler for that module. www.SecurityXploded.com
  • 15. /SAFESEH Bypassing  If any loaded module in the vulnerable binary is not /SAFESEH compiled then no check is done to ensure the integrity of the handler for that module, so we can use any p/p/r address from that module.  Use the address that is outside the address range of loaded modules.  Importance of forward and backward jump. nseh payload Forward Backward seh nseh jump jump payload seh www.SecurityXploded.com
  • 16. DEP (Data Execution Prevention)  Two types:  Software DEP (forget it)  Hardware DEP (NX/XD enabled processors) – we will be talking about it in the rest of the session.  We can’t execute the code from non executable area anymore.  We are directly dealing with processer in this case. www.SecurityXploded.com
  • 17. DEP (HW) Bypass  ROP (Return Oriented Programming)  Use the system/existing code  How stack works ?  Main theme  Either make non executable area executable  Or allocate new area with executable permissions  How ? ○ Well, use ROP  www.SecurityXploded.com
  • 18. Stack Heap Flipping (Stack Pivoting)  I think this deserve a dedicated slide  Depending on the conditions we may have large ROP payload while space on stack may be less or may be our entire payload is on heap.  Flip the heap on to the stack so that we can get larger room.  Instructions like XCHG ESP[REG], REG[ESP] can be used.  We can also jump inside the valid instructions to change their meaning.  Example: jump one byte inside “setz al” instruction ( From Adobe U3D exploit in wild) www.SecurityXploded.com
  • 19. DEP (HW) Bypass (DEMO)  Methods  HeapCreate  VirtualAlloc  VirtualProtect  WriteProcessMemory (DEMO – simple, easy, demonstrate the entire concept – XpSp3)  Often times the small code chunks in ROP are termed as “gadgets” www.SecurityXploded.com
  • 20. DEP (HW) Bypass (DEMO) http://vimeo.com/49069964 www.SecurityXploded.com
  • 21. ASLR  Address Space Layout Randomization  Involves randomly positioning the memory areas like base address of the binary, position of stack and heap.  Compiler[linker] /DYNAMICBASE option www.SecurityXploded.com
  • 22. ASLR Bypass  Search for Non-ASLR loaded libraries in the vulnerable application or if possible load one.   JRE ?  Memory leaks  Brute force  Heavily depends on vulnerability conditions www.SecurityXploded.com
  • 23. Client Side Exploits  Exploits that targets client applications like browsers, plugins, media players, readers etc.  Much more dangerous then any other form of exploits  Huge impact and landscape  Provides solid infection vector  Big malicious infrastructure.  Botnets, DDOS, Spam etc. www.SecurityXploded.com
  • 24. Heap Spray  A technique used in client side exploits  IT’S NOT A VULNERABILITY or CLASS OF VUL.  It’s a technique used for code execution.  Think about the followings again:  EIP overwrite  SEH overwrite • What we used in the above and why we used that ?  Heap spray provides very simple method for code execution. www.SecurityXploded.com
  • 25. Heap Spray Cont...  Fortunately or unfortunately client side scripting languages like javascript, vbscript etc. provides methods to allocate and deallocate memory on the client.  Which means we can make invalid memory addresses valid. 0x200... 0x300.. 0x500.. Valid address invalid address range Before Allocation (allocated area) 0x200... 0x400.. 0x500.. After Allocation Valid address invalid address range (0x300.. To 0x400.. (allocated area) Is valid now) www.SecurityXploded.com
  • 26. Heap Spray Cont..  Allocate memory and fill with nop + shellcode  Overwrite the EIP or SEH with any address within the newly allocated area (the nop region).  Here EIP overwrite or SEH overwrite can be by any means.  Stack buffer overflow, Heap buffer overflow, memory corruption, use after free etc.. www.SecurityXploded.com
  • 27. Heap Spray (DEMO – IEPeers Vulnerability (IE6, IE7) http://vimeo.com/49070337 www.SecurityXploded.com
  • 28. Heap Spray (Stability Comments)  Use intelligent guesses  Stability depends on the exploitation conditions  Fragmented heap, choose little higher addresses.  Large number of allocations, choose little lower addresses  www.SecurityXploded.com
  • 29. Reference  Complete Reference Guide for Reversing & Malware Analysis Training www.SecurityXploded.com