Alice in eXploitland
Attack & defense evolution
Zoltán Balázs
Hacktivity 2013
About:me
OSCP, C|HFI, CISSP, CPTS, MCP
Senior IT security consultant @ Deloitte Hungary
Proud member of the gula.sh team

zbalazs@deloittece.com
https://hu.linkedin.com/in/zbalazs
Twitter – zh4ck
What’s next?
Evolution of memory corruption attack & defense
Stack based buffer overflows
Stack canary
Structured Exception Handling
DEP
ASLR
Advanced mitigation
Scope of this presentation
Focus on memory corruption
Not Java vulnerabilities

Focus on Windows

For the last 15 years Windows has been the biggest target for memory corruption exploits

High level overview only
No details like Assembly

Mostly stack overflow vulnerability
No heap overflow
No format string
No null pointer dereference
No integer overflow (just a little bit)
No use after free
Why should you care about exploits?

If you are a company outside of China (or place your favourite enemy here):
  You are a target for intellectual property theft
  Your intellectual property will be stolen, through
    social engineering
    software exploits
  You will find your product on the local Chinese market at half the price

If you are a military team working for the Chinese (or other) government to steal intellectual property:
  Your C&C server will be hacked through a memory corruption vulnerability
  Your "projects" will be revealed by hackers from Luxembourg

If you are a plain user surfing the web:
  You might be hacked through a memory corruption vulnerability (or Java)
  Credit card stolen, internet bank hacked
  Identity stolen
  Facebook wall spammed
Function calls
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies argv[1] into a 100-byte stack
 * buffer with no length check, so longer input overwrites what lies above
 * the buffer on the stack (saved EBP, saved EIP). */
void SayHello(char* userinput)
{
    char buffer[100];
    strcpy(buffer, userinput);
    printf("Hello %s\n", buffer);
}

int main(int argc, char** argv)
{
    if (argc < 2)
        return 1;
    SayHello(argv[1]);
    return 0;
}
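As an added example (not part of the slides), the bounded counterpart of the SayHello() above: the copy is limited by the destination size and over-long input is rejected instead of running into the saved registers. The function names SayHelloSafe and say_hello_safe are my own.

```c
#include <stdio.h>
#include <string.h>

#define GREETING_BUF 100   /* same buffer size as the slide's SayHello() */

/* Bounded replacement for the strcpy() in SayHello(). The copy never writes
 * more than outlen bytes (terminator included), and input that does not fit
 * is rejected instead of silently running into saved EBP / saved EIP.
 * Returns 0 on success, -1 when the input is missing or too long. */
int say_hello_safe(const char *userinput, char *out, size_t outlen)
{
    if (userinput == NULL || out == NULL || outlen == 0)
        return -1;
    /* Look for the terminator only inside the first outlen bytes, so an
     * over-long input is rejected without scanning all of it. */
    const char *nul = memchr(userinput, '\0', outlen);
    if (nul == NULL)                    /* no room for the NUL: would overflow */
        return -1;
    size_t n = (size_t)(nul - userinput);
    memcpy(out, userinput, n + 1);      /* exactly n bytes plus the NUL */
    return 0;
}

/* Same shape as the slide's function, but refuses over-long input. */
int SayHelloSafe(const char *userinput)
{
    char buffer[GREETING_BUF];
    if (say_hello_safe(userinput, buffer, sizeof buffer) != 0) {
        fprintf(stderr, "input rejected: longer than %d bytes\n", GREETING_BUF - 1);
        return -1;
    }
    printf("Hello %s\n", buffer);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return 1;
    return SayHelloSafe(argv[1]) == 0 ? 0 : 1;
}
```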
Function calls – the stack frame of SayHello()

Built up step by step: a new stack frame is created, the pointer to argv[1]
is pushed, the call saves the return address (saved EIP), the prologue saves
EBP and reserves space for buffer, then strcpy fills the buffer.

0x00000000 (low addresses)
...
ESP -> +-------------------------+   <- top of stack
       | buffer[100]             |   AAAA AAAA ... AAAA
       |                         |   strcpy writes this way (towards higher addresses)
EBP -> +-------------------------+   <- frame pointer
       | Saved EBP               |
       | Saved EIP               |   <- overwrite this for PROFIT
       | ptr to argv[1]          |
       +-------------------------+
....
0xFFFFFFFF (high addresses)

ESP - extended stack pointer
EBP - extended base pointer
EIP - extended instruction pointer
Stack based buffer overflow vulnerability
"Stack overflow happens when the user can put more data on the allocated stack than is available"
If more data is put on the stack (stack overflow) ... magic will happen

Buffer overflow
  Stack based buffer overflow
  Heap based buffer overflow
Stack overflow – the same frame after an over-long strcpy

The overflow proceeds towards higher addresses: first the buffer is filled
with AAAA, then Saved EBP, then Saved EIP, then the ptr to argv[1] are
overwritten with AAAA one after the other.

0x00000000
...
ESP -> +-------------------------+   <- top of stack
       | AAAA AAAA ... AAAA      |   buffer, filled
EBP -> +-------------------------+   <- frame pointer
       | Saved EBP      -> AAAA  |   strcpy writes this way
       | Saved EIP      -> AAAA  |   <- overwrite this for PROFIT
       | ptr to argv[1] -> AAAA  |
       +-------------------------+
....
0xFFFFFFFF

EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Quiz for Hacker Pschorr
Which team created the first Linux kernel patch to protect against stack overflows?
***
Answer: PaX team in 2000
Stack overflow history
1972 – Computer Security Technology Planning Study
1988 – Morris worm
1996 – Smashing the Stack for Fun and Profit (Aleph One)
2000 – NSA – SELinux open sourced
2000 – PaX Team
2003 – SELinux merged into mainline Linux Kernel
2004 – Egghunters - against small buffers
Shellcode
The code the attacker wants to execute
The instructions given by Alice to the rabbit

Mitigation techniques
All of the following mitigation techniques are used against every kind of memory corruption vulnerability
Not just against stack overflows
Stack canary/cookie

A random cookie (e.g. 27384AB4CD457) is placed between the buffer and the
saved registers. strcpy writes towards higher addresses, so an overflow that
reaches Saved EBP / Saved EIP has to pass through the cookie first.

0x00000000
...
ESP -> +-------------------------+   <- top of stack
       | AAAA AAAA ... AAAA      |   buffer
       | 27384AB4CD457           |   random cookie
EBP -> +-------------------------+   <- frame pointer
       | Saved EBP               |   strcpy writes this way
       | Saved EIP               |   <- overwrite this for PROFIT
       | ptr to argv[1]          |
       +-------------------------+
....
0xFFFFFFFF

After the overflow: cookie -> AAAA, Saved EBP -> AAAA, Saved EIP -> AAAA,
ptr to argv[1] -> AAAA. The cookie no longer matches the value saved at
function entry, so the check before the return catches the overwrite.

EIP - extended instruction pointer
ESP - extended stack pointer
EBP - extended base pointer
Stack canary/cookie history (/GS)
1997 - Linux (GCC)
2002 - MS (Visual Studio)

Stack canary/cookie bypass
Method 1: Replace the cookie on the stack and in .data
  tamper with the sensor so that water does not trigger the alarm

Method 2: Unprotected buffer (not a string buffer)
  use a pot which is not equipped with an alarm system

Method 3: Guess/calculate the cookie
  static cookie

Method 4: Overwriting stack data in functions up the stack, switch case
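As an added example (my own model, not code from the slides or from any compiler), a user-space model of the /GS frame drawn above: a cookie sits between SayHello's buffer and the saved registers, so an unbounded copy that reaches saved EIP has to clobber the cookie first, and the epilogue comparison detects it. The cookie, EBP and EIP values are constructed; the struct stands in for the real stack frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the /GS stack frame from the slides. Struct members are laid out
 * in declaration order, so an over-long copy into buffer runs into the cookie
 * before it can reach saved EBP / saved EIP, as in the diagram. */
struct gs_frame {
    char     buffer[100];   /* SayHello's local buffer                       */
    uint32_t cookie;        /* random cookie written by the prologue         */
    uint32_t saved_ebp;     /* caller's frame pointer                        */
    uint32_t saved_eip;     /* return address: what the attacker is after    */
};

/* Prologue: clear the locals and store the cookie and saved registers. */
void gs_prologue(struct gs_frame *f, uint32_t cookie, uint32_t ebp, uint32_t eip)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->cookie = cookie;
    f->saved_ebp = ebp;
    f->saved_eip = eip;
}

/* Unbounded strcpy-style copy into the frame's buffer, writing "this way"
 * (towards higher addresses). Writes are kept inside the struct object so the
 * model itself stays well defined: the modelled frame, not this process, is
 * what gets corrupted. Returns the number of bytes copied before the NUL. */
size_t gs_unbounded_copy(struct gs_frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n + 1 > sizeof *f)              /* cap the model at the end of the frame */
        n = sizeof *f - 1;
    memcpy((unsigned char *)f, input, n + 1);
    return n;
}

/* Epilogue: compare the cookie with the value stored at function entry.
 * Returns 1 when the frame is intact, 0 when the cookie was clobbered
 * (a real /GS epilogue would abort the process instead of returning). */
int gs_epilogue_check(const struct gs_frame *f, uint32_t expected_cookie)
{
    return f->cookie == expected_cookie;
}

int main(void)
{
    struct gs_frame f;
    const uint32_t cookie = 0x2738AB4Cu;   /* constructed stand-in for the random cookie */
    gs_prologue(&f, cookie, 0xBFFFF000u, 0x08048500u);   /* constructed EBP/EIP values */

    char input[120];                        /* 119 'A's: longer than the buffer */
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    gs_unbounded_copy(&f, input);

    printf("cookie intact: %d, saved EIP now 0x%08x\n",
           gs_epilogue_check(&f, cookie), f.saved_eip);
    return 0;
}
```

Run stand-alone it reports the cookie as clobbered and saved EIP as 0x41414141, the "AAAA" of the slides; a 99-byte input leaves both untouched, and a 100-byte input is caught because its terminating NUL lands on the cookie's first byte.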
Structured Exception Handling exploit
In reality, traditional stack overflow exploits are sometimes not possible:
  No EIP overwrite
  No jump
  Stack cookies
    but the stack cookie is not checked during exception handling
  Way too complicated to trigger

SEH exploit – three steps to profit
Step 1. overwrite the first element in the exception-handling chain
Step 2. because of the overflow, exception handling is triggered
Step 3. via exception handling, return to the malicious shellcode (PROFIT)

SEH exploit metaphor
If chaos occurs, there is a disaster recovery process to handle the chaos.
Alice can rewrite the address where the rabbit can find the disaster recovery process manual.

SEH exploit mitigation
SafeSEH
  a table that tells the operating system which exception handlers are valid
  only a limited set of addresses where the disaster recovery manual can be found
  Alice cannot change those

SEHOP
  the OS performs SEH chain validation
  breaks SEH overwrite exploitation techniques
  a stamp from the queen on the addresses where the disaster recovery manual can be found
DEP
DEP - Data Execution Prevention – Windows (OS level)
Protection: mark the stack as non-executable

PageExec, W^X, NX, XD, DEP
NX - Never Execute – AMD (CPU level)
XD - eXecution Disabled – Intel (CPU level)
W^X - Write XOR Execute – OpenBSD, OS X (OS level)
Non-Executable Memory – Linux (OS level)

Windows
If the CPU has NX/XD enabled/supported:
  HW DEP == Real DEP
If the CPU has NX/XD disabled/not supported:
  Software DEP == SafeSEH !!!

DEP modes
  Always off
  OptIn
  OptOut
  Always On

PageExec, W^X, NX, XD, DEP history
1997 - Openwall – Solar Designer
2000 - PaX Team PageExec
2002 - Exec Shield (Ingo Molnár)
2003 - OpenBSD
2004 - Linux (Ingo Molnár)
2004 - Windows XP SP2
2006 - OS X

PageExec, W^X, NX, XD, DEP bypass
Method 1: Return Oriented Programming (ROP)
  roots in Solar Designer's return-into-libc (1997)

Method 2: Mark the stack area as executable
  Alice can override the rule that her handwritten orders may not be executed
  Does not work when the protection is "Always On"

Method 3: Disable the protection for the process
  Does not work when the protection is "Always On"

Method 4: Copy the shellcode to an executable area
  Executable areas are usually read-only
  Allocate new memory with read-write-execute permissions (VirtualAlloc)

If attacking a browser
  JavaScript heap spraying
  Other magic here
ASLR metaphor
ASLR = Address Space Layout Randomization
Changing the addresses of the memory layout every time

Changing the street names and house numbers every time
Alice can only go to a house
She won't know what the address will be at the time when the rabbit arrives

ASLR history
1997 - Memco
2001 - PaX Team (RandExec/RandMmap/RandUStack/RandKStack)
2005 - OpenBSD
2005 - Linux – first implementation weak
2007 - Windows
2007 - OS X
2011 - Android

ASLR bypass
2007 – MS07-017 ANI exploit – Alex Sotirov
Method 1: overwrite only the first two bytes of EIP (the low bytes)
  The high bytes are random – that information is needed, so they are left unchanged
  The low bytes are modified to point to a piece of code useful for the attacker
  In Alice's case: the return address is given as "4 houses to the left, next to the original"

Method 2: Low entropy in the randomization – brute force
  A catch-all exception block is usually needed
  You never write try { code_here } catch (every exception) { do nothing }, do you?

  ASLR on 32 bit OS is 14m3
  ASLR on 64 bit OS is 1337 (High Entropy ASLR on Win8)

  Alice can give 1000 addresses to the rabbit
  The rabbit will look for Alice in 1000 houses
  Finally the rabbit finds Alice
  Alice can give him the malicious instructions
  PROFIT

Method 3: ASLR not enforced
  Java 6 (static) used in an Adobe Flash exploit
  Java 7 (ASLR)
  There are still some static street names and house numbers in eXploitland that never change

Method 4: address space information disclosure
  Alice can ask an inhabitant of eXploitland what the street name and house number
  of the house where Alice is will be when the rabbit arrives
EMET
Exploiting stack overflow in 2003 on Windows

Collect three gems
Exploiting stack overflow in 2013
with ASLR + DEP
You have 3 ammo left
ASLR + DEP bypass
Metasploit windows/browser/ms13_037_svg_dashstyle demo
Scenario 1.
Disable ASLR, exploit fixed addresses

Scenario 2.
Enable ASLR, exploit is not working

Scenario 3.
Java 1.6 ROP with non-ASLR module works

Scenario 4.
ASLR with original information leak exploit

Scenario 5.
EMET heapspray only blocks exploit
What to do if I'm a user?
Remove Java
If you use Windows
  Upgrade to the latest OS
  Use the latest browser (Chrome/IE)
  If you can't upgrade, use EMET
If you use Linux
  Upgrade to the latest OS
  Use the latest browser (Chrome)
If you use OS X
  Upgrade to the latest OS
  Use the latest browser (Safari/Chrome)
Upgrade your software

What to do if I'm a CISO?
Remove Java
  At least in the browsers used for Internet browsing
If you use Windows
  Upgrade to the latest OS
  If you can't upgrade, deploy EMET via GPO (Group Policy)
Install Microsoft and 3rd party patches

What to do if I'm a developer?
Remove Java
  At least in the browsers used for Internet browsing
Learn secure application development
Use the compiler and linker switches in Visual Studio
  /GS (VS 2002)
  /SafeSEH (VS 2003)
  /DynamicBase (VS 2005)
  /NXCompat (VS 2005)
  /HIGHENTROPYVA (VS 2012)
  #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005)
Use BinScope
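As an added example (my own code, not the slides' and not BinScope's), a small checker for the linker-level opt-ins listed above: it parses the headers of a PE image and reports whether /DYNAMICBASE, /NXCOMPAT and /HIGHENTROPYVA are set in DllCharacteristics, with every offset bounds-checked because a binary under inspection is untrusted input. /GS and /SafeSEH are not visible in this field, so the example does not cover them. The test header is constructed inline and is not a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits from the PE/COFF specification. */
#define DLLCHAR_HIGH_ENTROPY_VA 0x0020   /* set by /HIGHENTROPYVA (64-bit images only) */
#define DLLCHAR_DYNAMIC_BASE    0x0040   /* set by /DYNAMICBASE (ASLR opt-in)          */
#define DLLCHAR_NX_COMPAT       0x0100   /* set by /NXCOMPAT (DEP opt-in)              */

struct pe_mitigations {
    int pe32plus;          /* 1 for a 64-bit (PE32+) image          */
    int dynamic_base;      /* image may be relocated: ASLR applies  */
    int nx_compat;         /* image declares DEP compatibility       */
    int high_entropy_va;   /* 64-bit high-entropy ASLR (Win8+)       */
};

/* Little-endian readers that make no alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses the headers of an in-memory PE file and reports which linker-level
 * mitigations it opts into. Every offset is checked against len because the
 * input is an untrusted file. Returns 0 on success, -1 when the buffer is not
 * a well-formed PE header. */
int pe_read_mitigations(const uint8_t *buf, size_t len, struct pe_mitigations *out)
{
    if (buf == NULL || out == NULL || len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;
    uint32_t pe_off = rd32(buf + 0x3c);                 /* e_lfanew */
    /* Need "PE\0\0" (4) + COFF header (20) + optional header through DllCharacteristics (72). */
    if (pe_off > len || len - pe_off < 4 + 20 + 72)
        return -1;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0)
        return -1;
    const uint8_t *coff = buf + pe_off + 4;
    if (rd16(coff + 16) < 72)                           /* SizeOfOptionalHeader */
        return -1;
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b)               /* PE32 / PE32+ */
        return -1;
    uint16_t dllchar = rd16(opt + 70);   /* DllCharacteristics sits at +70 in both formats */
    memset(out, 0, sizeof *out);
    out->pe32plus        = (magic == 0x20b);
    out->dynamic_base    = (dllchar & DLLCHAR_DYNAMIC_BASE) != 0;
    out->nx_compat       = (dllchar & DLLCHAR_NX_COMPAT) != 0;
    out->high_entropy_va = out->pe32plus && (dllchar & DLLCHAR_HIGH_ENTROPY_VA) != 0;
    return 0;
}

/* Builds a constructed, minimal PE header (not a real binary) with the given
 * optional-header magic and DllCharacteristics so the parser can run offline.
 * Returns the number of bytes written, 0 if buf is too small. */
size_t pe_build_test_header(uint8_t *buf, size_t len, uint16_t magic, uint16_t dllchar)
{
    const size_t total = 0x40 + 4 + 20 + 96;            /* DOS stub + PE sig + COFF + optional */
    if (buf == NULL || len < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                   /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 4 + 16] = 96;                            /* SizeOfOptionalHeader */
    buf[0x40 + 24]      = (uint8_t)(magic & 0xff);
    buf[0x40 + 25]      = (uint8_t)(magic >> 8);
    buf[0x40 + 24 + 70] = (uint8_t)(dllchar & 0xff);
    buf[0x40 + 24 + 71] = (uint8_t)(dllchar >> 8);
    return total;
}

int main(void)
{
    uint8_t img[256];
    struct pe_mitigations m;
    /* Constructed 64-bit header with all three opt-ins set (0x0020|0x0040|0x0100). */
    size_t n = pe_build_test_header(img, sizeof img, 0x20b, 0x0160);
    if (pe_read_mitigations(img, n, &m) != 0)
        return 1;
    printf("PE32+: %d  /DYNAMICBASE: %d  /NXCOMPAT: %d  /HIGHENTROPYVA: %d\n",
           m.pe32plus, m.dynamic_base, m.nx_compat, m.high_entropy_va);
    return 0;
}
```

To inspect a real file, read it into a buffer and pass it to pe_read_mitigations; a build that reports 0 for dynamic_base or nx_compat has not opted into ASLR or DEP regardless of what the system policy is.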
What to do if I'm working for the Chinese government running vulnerable Poison Ivy servers?
Develop your own backdoor client/server
  For details see the previous slide
Until it is finished, use EMET

Lessons learned
Always use ASLR (Always On, 64 bit) + DEP (Always On) together
  + EMET for additional protection

Number of working IE9 (2011 March) exploits in Metasploit
  With Java 6 – 1
  Without Java 6 – 1

Number of working IE10 exploits in Metasploit
  0

Number of Java 7 (2011 July) exploits in Metasploit
  16

The price of a zero-day memory corruption exploit is getting higher and higher
Contenu connexe

Similaire à [ENG] Hacktivity 2013 - Alice in eXploitland

Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4   assembly programming basics Reversing & malware analysis training part 4   assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics
Abdulrahman Bassam
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
Sumit Kumar
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
FFRI, Inc.
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 

Similaire à [ENG] Hacktivity 2013 - Alice in eXploitland (20)

Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Reversing & malware analysis training part 4 assembly programming basics
Reversing & malware analysis training part 4   assembly programming basics Reversing & malware analysis training part 4   assembly programming basics
Reversing & malware analysis training part 4 assembly programming basics
 
Performance and predictability (1)
Performance and predictability (1)Performance and predictability (1)
Performance and predictability (1)
 
Performance and Predictability - Richard Warburton
Performance and Predictability - Richard WarburtonPerformance and Predictability - Richard Warburton
Performance and Predictability - Richard Warburton
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
SEH overwrite and its exploitability
SEH overwrite and its exploitabilitySEH overwrite and its exploitability
SEH overwrite and its exploitability
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Everyone loves PHP
Everyone loves PHPEveryone loves PHP
Everyone loves PHP
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
Generating Recommendations at Amazon Scale with Apache Spark and Amazon DSSTNE
Generating Recommendations at Amazon Scale with Apache Spark and Amazon DSSTNEGenerating Recommendations at Amazon Scale with Apache Spark and Amazon DSSTNE
Generating Recommendations at Amazon Scale with Apache Spark and Amazon DSSTNE
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop camDefcon 22-colby-moore-patrick-wardle-synack-drop cam
Defcon 22-colby-moore-patrick-wardle-synack-drop cam
 
Initiation concrète-à-la-virtualisation-devoxx-fr-2021
Initiation concrète-à-la-virtualisation-devoxx-fr-2021Initiation concrète-à-la-virtualisation-devoxx-fr-2021
Initiation concrète-à-la-virtualisation-devoxx-fr-2021
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW Security
 

Plus de Zoltan Balazs

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
Zoltan Balazs
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
Zoltan Balazs
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 

Plus de Zoltan Balazs (19)

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain
 
MLSEC 2020
MLSEC 2020MLSEC 2020
MLSEC 2020
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a match
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Sandboxes
SandboxesSandboxes
Sandboxes
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
 

Dernier

Dernier (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

[ENG] Hacktivity 2013 - Alice in eXploitland

  • 1. Alice in eXploitland Attack & defense evolution Zoltán Balázs Hacktivity 2013
  • 2. About:me OSCP, C|HFI, CISSP, CPTS, MCP Senior IT security consultant @ Deloitte Hungary Proud member of the gula.sh team zbalazs@deloittece.com https://hu.linkedin.com/in/zbalazs Twitter – zh4ck
  • 3. What’s next? Evolution of memory corruption attack & defense Stack based buffer overflows Stack canary Structured Exception Handling DEP ASLR Advanced mitigation
  • 4. Scope of this presentation Focus on memory corruption Not Java vulnerabilities Focus on Windows Last 15 years Windows was the biggest target for memory corruption exploits High level overview only No details like Assembly Mostly stack overflow vulnerability No heap overflow No format string No null pointer dereference No integer overflow (just a little bit) No use after free
  • 5. Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing
  • 6. Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing Your intellectual property will be stolen social engineering software exploits
  • 7. Why you should care about exploits? If you are a company outside of China (or place your favourite enemy here) You are a target for intellectual property stealing Your intellectual property will be stolen social engineering software exploits You will find your product on the local Chinese market half the price
  • 8. Why you should care about exploits? If you are a military team working for the Chinese (or other) government To steal intellectual property Your C&C server will be hacked through memory corruption vulnerability
  • 9. Why you should care about exploits? If you are a military team working for the Chinese (or other) government To steal intellectual property Your C&C server will be hacked through memory corruption vulnerability Your „projects” will be revealed by hackers from Luxembourg
  • 10. Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java)
  • 11. Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked
  • 12. Why you should care? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked Identity stolen
  • 13. Why you should care about exploits? If you are a plain user surfing the web You might be hacked through memory corruption vulnerability (or Java) Credit card stolen, internet bank hacked Identity stolen Facebook wall spammed
  • 14. Function calls void SayHello(char* userinput) { char buffer[100]; strcpy(buffer, userinput); printf(„Hello %sn", buffer); } int main() { SayHello(argv[1]); return 0; }
  • 15. Function calls: a new stack frame is created. Addresses run from 0x00000000 (ESP, the top of the stack) towards 0xFFFFFFFF. ESP = extended stack pointer.
  • 16. Function calls: main pushes the argument. Stack from low to high address: ESP (top of stack) | ptr to argv[1].
  • 17. Function calls: the call instruction pushes the return address: ESP (top of stack) | saved EIP | ptr to argv[1]. EIP = extended instruction pointer. Overwrite this (the saved EIP) for PROFIT.
  • 18. Function calls: the prologue saves the caller's frame pointer: ESP (top of stack) | saved EBP | saved EIP | ptr to argv[1]. EBP = extended base pointer.
  • 19. Function calls: space for the buffer is reserved below the saved registers, and EBP (frame pointer) now marks the base of the new frame: ESP (top of stack) | space for buffer | saved EBP | saved EIP | ptr to argv[1]. Overwrite the saved EIP for PROFIT.
  • 20. Function calls: strcpy fills the buffer from its low address upwards, i.e. towards the saved EBP and saved EIP: ESP (top of stack) | AAAA AAAA ... AAAA | saved EBP | saved EIP | ptr to argv[1].
  • 22. Stack based buffer overflow vulnerability "A stack-based buffer overflow happens when more data is written into a buffer on the stack than was allocated for it." If more data is put on the stack than the buffer can hold ... magic will happen. Buffer overflow: stack based buffer overflow, heap based buffer overflow.
  • 23. Stack overflow: the input fills the buffer exactly: ESP (top of stack) | AAAA AAAA ... AAAA | saved EBP | saved EIP | ptr to argv[1]. strcpy writes upwards, towards the saved registers.
  • 24. Stack overflow: four more bytes overwrite the saved EBP: ... | AAAA ... AAAA | saved EBP = AAAA | saved EIP | ptr to argv[1].
  • 25. Stack overflow: four more bytes overwrite the saved EIP, the address the function will return to: ... | saved EBP = AAAA | saved EIP = AAAA | ptr to argv[1]. Overwrite this for PROFIT: ret now jumps to 0x41414141.
  • 26. Stack overflow: the copy keeps going past the return address into the arguments: ... | saved EBP = AAAA | saved EIP = AAAA | ptr to argv[1] = AAAA.
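The frame from slides 14 to 26, as an added example that is not part of the talk: the 32-bit frame is modelled as a flat byte array (buffer, saved EBP, saved EIP) so the effect of the unbounded copy can be inspected instead of crashing the process. The buffer size, the sample register values and the bytes in OVERFLOW_INPUT are assumptions; say_hello_safe is the bounded variant a fix would use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the 32-bit frame on slides 19-26, as a flat byte array:
 *   [ buffer (16 bytes) ][ saved EBP (4) ][ saved EIP (4) ]
 * low addresses first, the direction in which strcpy writes. Sizes and
 * sample addresses are assumptions chosen for the demo, not values from
 * the talk. A byte array stands in for a real local buffer so the
 * corruption can be read back without crashing. */
#define BUF_SIZE      16
#define SAVED_EBP_OFF (BUF_SIZE)
#define SAVED_EIP_OFF (BUF_SIZE + 4)
#define FRAME_SIZE    (BUF_SIZE + 8)

struct frame {
    unsigned char bytes[FRAME_SIZE];
};

static void frame_init(struct frame *f, uint32_t ebp, uint32_t eip)
{
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + SAVED_EBP_OFF, &ebp, sizeof ebp);
    memcpy(f->bytes + SAVED_EIP_OFF, &eip, sizeof eip);
}

/* The value "ret" would load into EIP when the function finishes. */
static uint32_t frame_saved_eip(const struct frame *f)
{
    uint32_t v;
    memcpy(&v, f->bytes + SAVED_EIP_OFF, sizeof v);
    return v;
}

/* Slide 14's SayHello: strcpy stops at the NUL, never at BUF_SIZE. The
 * clamp to FRAME_SIZE only keeps the demo inside the model; it is not a
 * fix, a real overflow keeps writing past the frame. */
static void say_hello_vulnerable(struct frame *f, const char *userinput)
{
    size_t n = strlen(userinput) + 1;        /* strcpy copies the NUL too */
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(f->bytes, userinput, n);
}

/* Hardened variant: bounded copy, always NUL-terminated, and the caller
 * is told that input was truncated instead of it being lost silently. */
static int say_hello_safe(struct frame *f, const char *userinput)
{
    size_t len = strlen(userinput);
    int truncated = (len >= BUF_SIZE);
    if (truncated)
        len = BUF_SIZE - 1;
    memcpy(f->bytes, userinput, len);
    f->bytes[len] = '\0';
    return truncated;
}

/* Constructed attacker input: 16 bytes fill the buffer, 4 bytes land on
 * the saved EBP, the next 4 replace the saved EIP (little-endian). */
static const char OVERFLOW_INPUT[] =
    "AAAAAAAAAAAAAAAA"          /* buffer                   */
    "BBBB"                      /* saved EBP                */
    "\xef\xbe\xad\xde";         /* saved EIP -> 0xdeadbeef  */

int main(void)
{
    struct frame f;

    frame_init(&f, 0xbffff3f8u, 0x08048456u);   /* assumed original values */
    say_hello_vulnerable(&f, OVERFLOW_INPUT);
    printf("vulnerable: ret goes to 0x%08x\n", frame_saved_eip(&f));

    frame_init(&f, 0xbffff3f8u, 0x08048456u);
    int trunc = say_hello_safe(&f, OVERFLOW_INPUT);
    printf("safe: ret goes to 0x%08x (truncated=%d)\n", frame_saved_eip(&f), trunc);
    return 0;
}
```

The four bytes that reach the saved EIP are the whole game: with the vulnerable copy the function returns to whatever the attacker placed there, with the bounded copy the return address is untouched and the caller learns that the input did not fit.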
  • 28. Quiz for Hacker Pschorr Which team created the first Linux kernel patch to protect against stack overflows? ***
  • 29. Quiz for Hacker Pschorr Which team created the first Linux kernel patch to protect against stack overflows? PaX team in 2000 (Solar Designer's Openwall non-executable stack patch, listed on slide 46 under 1997, is older)
  • 30. Stack overflow history 1972 – Computer Security Technology Planning Study 1988 – Morris worm 1996 – Smashing the Stack for Fun and Profit (Aleph One) 2000 – NSA – SELinux open sourced 2000 – PaX Team 2003 – SELinux merged into mainline Linux Kernel 2004 – Egghunters - against small buffers
  • 31. Shellcode: the code the attacker wants to execute once control flow has been hijacked; the instructions given by Alice to the rabbit
  • 32. Mitigation techniques All of the following mitigations apply to every kind of memory corruption vulnerability, not just to stack overflows
  • 33. Stack canary/cookie: a random cookie (e.g. 27384AB4CD457) is placed between the local buffer and the saved registers: ESP (top of stack) | AAAA AAAA ... AAAA | random cookie 27384AB4CD457 | saved EBP | saved EIP | ptr to argv[1]. strcpy writes upwards, towards the saved EIP (overwrite this for PROFIT).
  • 34. Stack canary/cookie: an overflow that reaches the saved EBP/EIP has to pass over the cookie first: ... | cookie = AAAA | saved EBP = AAAA | saved EIP = AAAA | ptr to argv[1] = AAAA. Before returning, the function compares the cookie on the stack with the stored value; a mismatch means the frame was smashed and the process is terminated instead of returning.
  • 36. Stack canary/cookie history (/GS) 1997 – Linux (GCC, StackGuard) 2002 – Microsoft (Visual Studio .NET, /GS)
  • 37. Stack canary/cookie bypass Method 1: replace the cookie both on the stack and in the .data copy it is compared against (tamper with the sensor so that water no longer triggers the alarm). Method 2: overflow a buffer that is not protected (/GS only guards functions that have string buffers; use a pot which is not equipped with an alarm system). Method 3: guess or calculate the cookie, e.g. a static cookie. Method 4: overwrite other stack data that is used before the cookie is checked: local variables, function pointers or arguments in frames further up the stack, or the variable driving a switch/case.
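The /GS check from slides 33, 34 and 37, as an added example that is not part of the talk: the frame is modelled as a byte array with the cookie between the buffer and the saved registers, the epilogue compares the cookie on the stack with a process-wide value (the role __security_cookie plays in /GS code), and the two attacks show a blind overflow being caught and an overflow that writes the correct cookie back (bypass methods 1 and 3) getting through. Sizes, the cookie value and all addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the /GS frame on slides 33-34, as a flat byte array:
 *   [ buffer (16) ][ cookie (4) ][ saved EBP (4) ][ saved EIP (4) ]
 * Sizes and sample values are assumptions for the demo. security_cookie
 * plays the role of the __security_cookie global that the epilogue
 * compares the frame's copy against. */
#define BUF_SIZE   16
#define COOKIE_OFF (BUF_SIZE)
#define EBP_OFF    (BUF_SIZE + 4)
#define EIP_OFF    (BUF_SIZE + 8)
#define FRAME_SIZE (BUF_SIZE + 12)

static uint32_t security_cookie = 0x27384ab4u;   /* "random" for the demo */

struct frame { unsigned char bytes[FRAME_SIZE]; };

static void put32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Prologue: copy the global cookie into the frame, below the saved registers. */
static void prologue(struct frame *f, uint32_t ebp, uint32_t eip)
{
    memset(f->bytes, 0, sizeof f->bytes);
    put32(f->bytes + COOKIE_OFF, security_cookie);
    put32(f->bytes + EBP_OFF, ebp);
    put32(f->bytes + EIP_OFF, eip);
}

/* The unbounded copy of slide 14; clamped to the model's size only. */
static void vulnerable_copy(struct frame *f, const unsigned char *in, size_t n)
{
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, in, n);
}

/* Epilogue: the cookie check. Returns the address "ret" would jump to, or
 * 0 when the check fails (real /GS code calls __report_gsfailure and the
 * process is terminated; the saved EIP is never used). */
static uint32_t epilogue(const struct frame *f)
{
    if (get32(f->bytes + COOKIE_OFF) != security_cookie)
        return 0;
    return get32(f->bytes + EIP_OFF);
}

/* Overflow payload: buffer filler, the cookie value the attacker believes
 * is in place, then the fake saved EBP and the new saved EIP. */
static size_t build_payload(unsigned char *out, uint32_t cookie_guess, uint32_t new_eip)
{
    memset(out, 'A', BUF_SIZE);
    put32(out + COOKIE_OFF, cookie_guess);
    put32(out + EBP_OFF, 0x42424242u);
    put32(out + EIP_OFF, new_eip);
    return FRAME_SIZE;
}

/* Blind overflow: the cookie becomes 0x41414141 and the check fails. */
static uint32_t attack_blind(void)
{
    struct frame f;
    unsigned char payload[FRAME_SIZE];
    size_t n = build_payload(payload, 0x41414141u, 0xdeadbeefu);
    prologue(&f, 0xbffff3f8u, 0x08048456u);
    vulnerable_copy(&f, payload, n);
    return epilogue(&f);
}

/* Bypass methods 1/3 of slide 37: the attacker knows the cookie (it is
 * static, or was leaked) and writes it back in its place. */
static uint32_t attack_with_known_cookie(void)
{
    struct frame f;
    unsigned char payload[FRAME_SIZE];
    size_t n = build_payload(payload, security_cookie, 0xdeadbeefu);
    prologue(&f, 0xbffff3f8u, 0x08048456u);
    vulnerable_copy(&f, payload, n);
    return epilogue(&f);
}

int main(void)
{
    printf("blind overflow:      ret = 0x%08x (0 = caught)\n", attack_blind());
    printf("cookie known/leaked: ret = 0x%08x\n", attack_with_known_cookie());
    return 0;
}
```

The canary only helps while the cookie value stays secret and while the corrupted frame is actually checked; an attacker who can read the cookie, or who gets control before the epilogue runs (slide 37, method 4, and the SEH route on the following slides) is not stopped by it.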
  • 38. Structured Exception Handling exploit In reality, a traditional stack overflow exploit is sometimes not possible: no EIP overwrite, no usable jump, stack cookies; way too complicated to trigger
  • 39. Structured Exception Handling exploit In reality, a traditional stack overflow exploit is sometimes not possible: no EIP overwrite, no usable jump, stack cookies (but the cookie is only checked when the function returns, not when an exception is dispatched); way too complicated to trigger
  • 40. SEH exploit – three steps to profit Step 1. the overflow overwrites the first record (next pointer and handler address) in the exception-handling chain. Step 2. the overflow itself raises an exception (for example by writing past the end of the stack), so the OS dispatches to the overwritten record. Step 3. the fake handler address leads back to the malicious shellcode (PROFIT)
  • 41. SEH exploit metaphor If chaos occurs, there is a disaster recovery process to handle the chaos. Alice can rewrite the address where the rabbit will look for the disaster recovery manual
  • 42. SEH exploit mitigation SafeSEH: a table, built into the module at link time, that tells the operating system which exception handlers are valid; only a limited set of addresses where the disaster recovery manual can be found, and Alice cannot change them. SEHOP: the OS validates the whole SEH chain before dispatching (it must end at the final handler registered by ntdll), which breaks SEH overwrite exploitation techniques; a stamp from the queen on the addresses where the disaster recovery manual can be found
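The SEH overwrite of slide 40 and the two mitigations of slide 42, as an added example that is not part of the talk: the stack is an array of 32-bit words, a registration record is two words (next, handler), SafeSEH is a lookup in a per-module handler table and SEHOP is a walk of the chain that must end at ntdll's final handler. All stack indices, the handler addresses and the pop/pop/ret gadget address are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the 32-bit SEH chain on slides 38-42. The stack is an array
 * of 32-bit words; an exception registration record is two consecutive
 * words: word[i] = "next" (index of the next record, or SEH_END) and
 * word[i+1] = handler (a code address). fs:[0] holds the first record.
 * All stack indices and code addresses are assumptions for the demo. */
#define STACK_WORDS 64
#define SEH_END     0xFFFFFFFFu
#define MAX_CHAIN   32

#define FINAL_HANDLER 0x77e01234u   /* ntdll's last-resort handler (assumed address) */
#define APP_HANDLER   0x00401500u   /* the application's own __except handler      */
#define POP_POP_RET   0x10011234u   /* gadget in a module linked without SafeSEH   */

struct process {
    uint32_t stack[STACK_WORDS];
    uint32_t seh_head;          /* fs:[0] */
    const uint32_t *safeseh;    /* handlers registered by the linker; NULL = off */
    size_t safeseh_n;
    int sehop;                  /* chain validation on/off */
};

static void seh_push(struct process *p, uint32_t at, uint32_t handler)
{
    p->stack[at] = p->seh_head;     /* link to the previous record */
    p->stack[at + 1] = handler;
    p->seh_head = at;
}

/* Normal program: ntdll's record at the bottom, the app's __try record above it. */
static void setup(struct process *p, const uint32_t *table, size_t n, int sehop)
{
    for (size_t i = 0; i < STACK_WORDS; i++) p->stack[i] = 0;
    p->seh_head = SEH_END;
    p->safeseh = table;  p->safeseh_n = n;  p->sehop = sehop;
    seh_push(p, 40, FINAL_HANDLER);
    seh_push(p, 20, APP_HANDLER);
}

/* SafeSEH: the handler must appear in the module's registered-handler table. */
static int safeseh_ok(const struct process *p, uint32_t handler)
{
    if (p->safeseh == NULL) return 1;
    for (size_t i = 0; i < p->safeseh_n; i++)
        if (p->safeseh[i] == handler) return 1;
    return 0;
}

/* SEHOP: walk the chain; every "next" must stay inside the stack and the
 * last record must be ntdll's, otherwise some record was overwritten. */
static int sehop_ok(const struct process *p)
{
    uint32_t cur = p->seh_head, last_handler = 0;
    for (int hops = 0; hops < MAX_CHAIN; hops++) {
        if (cur == SEH_END) return last_handler == FINAL_HANDLER;
        if (cur + 1 >= STACK_WORDS) return 0;     /* "next" points outside the stack */
        last_handler = p->stack[cur + 1];
        cur = p->stack[cur];
    }
    return 0;                                     /* loop or chain too long */
}

/* Exception dispatch: returns the handler that would run, or 0 when a
 * mitigation refuses and the process is terminated instead. */
static uint32_t dispatch_exception(const struct process *p)
{
    if (p->seh_head == SEH_END || p->seh_head + 1 >= STACK_WORDS) return 0;
    if (p->sehop && !sehop_ok(p)) return 0;
    uint32_t handler = p->stack[p->seh_head + 1];
    return safeseh_ok(p, handler) ? handler : 0;
}

/* Slide 40: the overflow runs up the stack into the first record. "next"
 * becomes a short jump encoded as a pointer (nop; nop; jmp +6 = 0x06eb9090)
 * and the handler becomes the pop/pop/ret gadget; the overflow then raises
 * an exception and dispatch decides where execution goes. */
static uint32_t run_attack(const uint32_t *table, size_t n, int sehop)
{
    struct process p;
    setup(&p, table, n, sehop);
    p.stack[20] = 0x06eb9090u;
    p.stack[21] = POP_POP_RET;
    return dispatch_exception(&p);
}

/* A legitimate exception in the same program, for comparison. */
static uint32_t run_normal(const uint32_t *table, size_t n, int sehop)
{
    struct process p;
    setup(&p, table, n, sehop);
    return dispatch_exception(&p);
}

static const uint32_t SAFESEH_TABLE[] = { APP_HANDLER, FINAL_HANDLER };

int main(void)
{
    printf("normal, both on:       0x%08x\n", run_normal(SAFESEH_TABLE, 2, 1));
    printf("attack, no mitigation: 0x%08x\n", run_attack(NULL, 0, 0));
    printf("attack, SafeSEH:       0x%08x\n", run_attack(SAFESEH_TABLE, 2, 0));
    printf("attack, SEHOP:         0x%08x\n", run_attack(NULL, 0, 1));
    return 0;
}
```

Note what each mitigation keys on: SafeSEH rejects the gadget because its module never registered it (which is why exploits look for a module linked without /SafeSEH), while SEHOP never even looks at the handler: the overwritten next pointer no longer leads to ntdll's record, so the chain fails validation.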
  • 43. DEP DEP – Data Execution Prevention – Windows (OS level). Protection: mark data pages, the stack among them, as non-executable, so injected shellcode cannot run from there. Other names: PageExec, W^X, NX, XD
  • 45. PageExec, W^X, NX, XD, DEP NX – No eXecute – AMD (CPU level). XD – eXecute Disable – Intel (CPU level). W^X – Write XOR Execute – OpenBSD, OS X (OS level). Non-executable memory – Linux (OS level). Windows: if the CPU supports NX/XD and it is enabled, hardware DEP = real DEP; if the CPU does not support it or it is disabled, "software DEP" = SafeSEH only (!!!). DEP modes: AlwaysOff, OptIn, OptOut, AlwaysOn
  • 46. PageExec, W^X, NX, XD, DEP history 1997 – Openwall – Solar Designer 2000 – PaX Team PAGEEXEC 2002 – Exec Shield (Ingo Molnár) 2003 – OpenBSD 2004 – Linux mainline (Ingo Molnár) 2004 – Windows XP SP2 2006 – OS X
  • 47. PageExec, W^X, NX, XD, DEP bypass Method 1: Return Oriented Programming (ROP): reuse code that is already executable, chained through return addresses placed on the stack, so no injected code ever has to execute. Roots go back to Solar Designer's return-into-libc (1997); generalised to arbitrary gadgets by Shacham in 2007
  • 48. PageExec, W^X, NX, XD, DEP bypass Method 2: mark the stack area executable (VirtualProtect): Alice can override the rule that her handwritten orders must not be executed. Method 3: disable the protection for the process (opt out at runtime); does not work when the policy is "always on". Method 4: copy the shellcode to an executable area. Executable areas are usually not writable, so allocate new memory with read-write-execute permission (VirtualAlloc) and copy the shellcode there. If attacking a browser: JavaScript heap spraying, other magic here
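The ROP idea of slide 47, as an added example that is not part of the talk: a tiny x86-like machine in which only four gadgets (at assumed addresses in an imaginary module) are executable and everything else faults, which is what DEP enforces. Returning into shellcode on the stack faults; a chain of gadget addresses on the same stack writes an attacker-chosen value into writable memory without executing a single injected byte. Gadget and data addresses are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of slide 47: with DEP on, the stack holds no code, only the
 * addresses of code that already exists. Four "gadgets" at assumed
 * addresses in an (imaginary, non-ASLR) module; each ends in ret, which
 * pops the next address from the attacker-controlled stack. */
#define G_POP_EAX_RET      0x10001000u   /* pop eax ; ret        */
#define G_POP_ECX_RET      0x10001010u   /* pop ecx ; ret        */
#define G_MOV_PECX_EAX_RET 0x10001020u   /* mov [ecx], eax ; ret */
#define G_RET              0x10001030u   /* ret                  */
#define EXIT_ADDR          0x00000000u   /* chain terminator for the demo */

#define DATA_BASE   0x00403000u          /* assumed writable .data address */
#define DATA_WORDS  16
#define STACK_WORDS 32
#define MAX_STEPS   64

struct cpu {
    uint32_t eax, ecx, eip;
    size_t esp;                          /* index into stack[] */
    uint32_t stack[STACK_WORDS];         /* attacker-controlled after the overflow */
    uint32_t data[DATA_WORDS];           /* writable, non-executable memory */
};

static uint32_t pop(struct cpu *c)
{
    return c->esp < STACK_WORDS ? c->stack[c->esp++] : EXIT_ADDR;
}

/* Executes from c->eip. Only gadget addresses are executable; anything
 * else (a stack address, say) faults, exactly as DEP would make it.
 * Returns the number of gadgets run, or -1 on a fault. */
static int run(struct cpu *c)
{
    for (int steps = 0; steps < MAX_STEPS; steps++) {
        switch (c->eip) {
        case G_POP_EAX_RET: c->eax = pop(c); break;
        case G_POP_ECX_RET: c->ecx = pop(c); break;
        case G_MOV_PECX_EAX_RET: {
            uint32_t idx = (c->ecx - DATA_BASE) / 4;
            if (c->ecx < DATA_BASE || idx >= DATA_WORDS) return -1;   /* bad write */
            c->data[idx] = c->eax;
            break;
        }
        case G_RET: break;
        case EXIT_ADDR: return steps;
        default: return -1;                      /* DEP: page not executable */
        }
        c->eip = pop(c);                         /* the gadget's ret */
    }
    return -1;
}

/* Lays the chain on the stack, starting at the slot that held the saved
 * return address, and performs the vulnerable function's own ret:
 * eax = value ; ecx = addr ; [ecx] = eax ; exit. */
static void write_chain(struct cpu *c, uint32_t value, uint32_t addr)
{
    const uint32_t chain[] = {
        G_POP_EAX_RET, value,
        G_POP_ECX_RET, addr,
        G_MOV_PECX_EAX_RET,
        EXIT_ADDR,
    };
    memset(c, 0, sizeof *c);
    memcpy(c->stack, chain, sizeof chain);
    c->esp = 0;
    c->eip = pop(c);
}

/* Pre-DEP payload for contrast: return straight into shellcode on the stack. */
static int run_stack_shellcode(void)
{
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.stack[0] = 0x0012ff40u;            /* assumed stack address of the shellcode */
    c.esp = 0;
    c.eip = pop(&c);
    return run(&c);
}

/* ROP chain that writes 0xdeadbeef to DATA_BASE+8; returns what landed there. */
static uint32_t rop_write_demo(void)
{
    struct cpu c;
    write_chain(&c, 0xdeadbeefu, DATA_BASE + 8);
    if (run(&c) < 0) return 0;
    return c.data[2];
}

int main(void)
{
    printf("ret into stack shellcode: %s\n", run_stack_shellcode() < 0 ? "DEP fault" : "ran");
    printf("ROP write: [0x%08x] = 0x%08x\n", DATA_BASE + 8, rop_write_demo());
    return 0;
}
```

A real chain uses the same write primitive to build arguments for something like VirtualProtect or VirtualAlloc (slide 48) and then returns into it, which is why the mitigations that follow on the next slides (ASLR, EMET's extra checks) aim at the gadget addresses rather than at the stack.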
  • 49. ASLR metaphor ASLR = Address Space Layout Randomization: the addresses of the memory layout change every time the program runs. Changing the street names and house numbers every time: Alice can only go to a house, she won't know what its address will be at the time the rabbit arrives
  • 50. ASLR history 1997 – Memco 2001 – PaX Team (RANDEXEC/RANDMMAP/RANDUSTACK/RANDKSTACK) 2005 – OpenBSD 2005 – Linux (first implementation, weak) 2007 – Windows (Vista) 2007 – OS X (Leopard) 2011 – Android (4.0)
  • 51. ASLR bypass 2007 – MS07-017 ANI exploit – Alex Sotirov. Method 1: overwrite only the low two bytes of the saved EIP. The high bytes are the random part and we need them, so they are left untouched; the low bytes are changed to point to a piece of code useful for the attacker (in Alice's case: "four houses to the left of the original one"). Method 2: low entropy in the randomization – brute force. A catch-all exception block in the target is usually needed for this; you never write try { code_here } catch (every exception) { do nothing }, do you? ASLR on a 32-bit OS is 14m3; ASLR on a 64-bit OS is 1337 (High Entropy ASLR on Windows 8)
  • 52. ASLR bypass ... Method 2: low entropy in the randomization – brute force. Alice can give 1000 addresses to the rabbit; the rabbit will look for Alice in 1000 houses; finally the rabbit finds Alice and Alice can give him the malicious instructions. PROFIT
  • 53. ASLR bypass ... Method 3: ASLR not enforced on every module. Java 6 shipped a runtime DLL built without ASLR support (loaded at a static address), which was used in Adobe Flash exploits; Java 7's modules are ASLR enabled. There are still some static street names and house numbers in eXploitland that never change. Method 4: address space information disclosure. Alice can ask an inhabitant of eXploitland what the street name and house number of the house where Alice is will be when the rabbit arrives
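ASLR bypass methods 1 and 4 from slides 51 and 53, as an added example that is not part of the talk. It relies on one property of Windows image randomisation that the slides leave implicit: an ASLR-enabled DLL is loaded at a random base aligned to the 64 KiB allocation granularity, so the low 16 bits of every address inside it never change while the high bits do. The module bases, RVAs and the leaked-object RVA are assumptions; the loop over several bases stands in for repeated runs of the target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the ASLR bypasses on slides 51 and 53. An ASLR-enabled Windows
 * DLL gets a random base aligned to the 64 KiB allocation granularity, so
 * the low 16 bits of every address inside it are fixed and only the high
 * bits change between runs. RVAs (offsets from the base) are known from
 * the file on disk. All bases and RVAs below are assumptions. */
#define ALLOC_GRANULARITY 0x10000u
#define LEAK_RVA          0x00020040u   /* RVA of the object an info leak exposes (assumed) */

enum method { FIXED_GUESS, PARTIAL_OVERWRITE, INFO_LEAK };

/* Method 1 (MS07-017 style): overwrite only the low two bytes of the saved
 * return address and keep the random high bytes. Only possible when the
 * gadget lies in the same 64 KiB block as the original return target;
 * returns 0 when it does not, because the high bytes would have to be known. */
static uint32_t partial_overwrite(uint32_t saved_eip, uint32_t func_rva, uint32_t gadget_rva)
{
    if ((func_rva & 0xFFFF0000u) != (gadget_rva & 0xFFFF0000u))
        return 0;
    return (saved_eip & 0xFFFF0000u) | (gadget_rva & 0xFFFFu);
}

/* Method 4: an information leak gives one address inside the module;
 * subtract its RVA to recover the base, add the RVA of anything else. */
static uint32_t rebase_from_leak(uint32_t leaked_ptr, uint32_t leaked_rva, uint32_t target_rva)
{
    uint32_t base = leaked_ptr - leaked_rva;
    return base + target_rva;
}

/* Simulated runs: a fixed list of 64 KiB-aligned bases stands in for the
 * loader's randomisation. Returns 1 if the method reaches the gadget in
 * every run, 0 if any run misses. */
static int hits_in_every_run(enum method m, uint32_t func_rva, uint32_t gadget_rva)
{
    static const uint32_t bases[] = { 0x6a3d0000u, 0x71b20000u, 0x5f000000u, 0x63c40000u };
    for (size_t i = 0; i < sizeof bases / sizeof bases[0]; i++) {
        uint32_t saved_eip = bases[i] + func_rva;    /* what sits on the stack */
        uint32_t want = bases[i] + gadget_rva;
        uint32_t got;
        switch (m) {
        case PARTIAL_OVERWRITE:
            got = partial_overwrite(saved_eip, func_rva, gadget_rva);
            break;
        case INFO_LEAK:
            got = rebase_from_leak(bases[i] + LEAK_RVA, LEAK_RVA, gadget_rva);
            break;
        default:                                    /* pre-ASLR: hard-coded address */
            got = 0x6a3d0000u + gadget_rva;
            break;
        }
        if (got != want) return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t func_rva = 0x1234u, near_gadget = 0x5678u, far_gadget = 0x25678u;
    printf("fixed address:        %d\n", hits_in_every_run(FIXED_GUESS, func_rva, near_gadget));
    printf("partial, same 64K:    %d\n", hits_in_every_run(PARTIAL_OVERWRITE, func_rva, near_gadget));
    printf("partial, other 64K:   %d\n", hits_in_every_run(PARTIAL_OVERWRITE, func_rva, far_gadget));
    printf("info leak, other 64K: %d\n", hits_in_every_run(INFO_LEAK, func_rva, far_gadget));
    return 0;
}
```

The partial overwrite is attractive because it needs no leak and no brute force, but it only reaches code within the same 64 KiB block as the original return target; an information leak removes that limit, which is why modern browser exploits (slide 57, scenario 4) pair a memory disclosure with the corruption bug.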
  • 54. EMET (Enhanced Mitigation Experience Toolkit): Microsoft's free tool that enforces DEP, ASLR, SEHOP and extra mitigations such as heap-spray pre-allocation on applications that were not built with them
  • 55. Exploiting stack overflow in 2003 on Windows Collect three gems
  • 56. Exploiting stack overflow in 2013 with ASLR + DEP You have 3 ammo left
  • 57. ASLR + DEP bypass Metasploit windows/browser/ms13_037_svg_dashstyle demo. Scenario 1: ASLR disabled, exploit with fixed addresses. Scenario 2: ASLR enabled, the fixed-address exploit does not work. Scenario 3: Java 1.6 installed, ROP through its non-ASLR module works. Scenario 4: ASLR enabled, the original exploit with its information leak. Scenario 5: EMET with only the heap-spray mitigation enabled blocks the exploit
  • 58. What to do if I'm a user? Remove Java. If you use Windows: upgrade to the latest OS, use the latest browser (Chrome/IE); if you can't upgrade, use EMET. If you use Linux: upgrade to the latest OS, use the latest browser (Chrome). If you use OS X: upgrade to the latest OS, use the latest browser (Safari/Chrome). Upgrade your software
  • 59. What to do if I'm a CISO? Remove Java, at least from the browsers used for Internet browsing. If you use Windows: upgrade to the latest OS; if you can't upgrade, deploy EMET through GPO (Group Policy). Install Microsoft and 3rd party patches
  • 60. What to do if I'm a developer? Remove Java, at least from the browsers used for Internet browsing. Learn secure application development. Use the compiler and linker switches in Visual Studio: /GS (VS 2002), /SafeSEH (VS 2003), /DynamicBase (VS 2005), /NXCompat (VS 2005), /HIGHENTROPYVA (VS 2012), #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1 (VS 2005). Check the built binaries with BinScope
  • 61. What to do if I’m working for the Chinese government running vulnerable Poison Ivy servers? Develop your own backdoor client/server For details see previous slide Until it is finished use EMET
  • 62. Lessons learned Always use ASLR (always on, 64-bit) and DEP (always on) together, plus EMET for additional protection. Number of working IE9 (March 2011) exploits in Metasploit: with Java 6 – 1, without Java 6 – 1. Number of working IE10 exploits in Metasploit: 0. Number of Java 7 (July 2011) exploits in Metasploit: 16. The price of a zero-day memory corruption exploit is getting higher and higher