bypassing ms windows memory protections shahriyar jalayeri [email protected] 1 st iranian...
TRANSCRIPT
![Page 1: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/1.jpg)
Bypassing MS Windows Memory Protections
Shahriyar [email protected]
1st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities
![Page 2: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/2.jpg)
Who am I?
• Security researcher since 2005• Senior Member of Snoop Security Researching
community• Writer and Technical Editor of Snoop Magazine ( First
Persian Technical Information Security Magazine )• University student
![Page 3: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/3.jpg)
What is this talk about?
• Overview of Softwares Security Flaws• Deep looking at OS protection mechanismes• Explaining ways to bypass some of OS PM
![Page 4: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/4.jpg)
Security Flaws
• Stack Based Buffer Overflow• Heap Based Buffer Owerflow• Format String• etc
![Page 5: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/5.jpg)
Stack Based Buffer Overflow
• an old story – Programer Copy Buffer entry into stack without
bound checking– Stack corrupted and FramePointer+Saved Return
Address overwritten– The BAD ret Instruction
![Page 6: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/6.jpg)
Stack Based Buffer Overflow ( Cont. )
– Stack.c
#include <stdio.h>Int main( int argc, char **argv){
char buff[100];strcpy(buff,argv[1]);printf(“Hello , %s!\n”,buff);return 0;
}
Overflow occured here
![Page 7: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/7.jpg)
Stack Based Buffer Overflow ( Cont. )
Args--------------------
--Saved Ret
----------------------
Saved FP--------------------
--BUFFER
Stac
k La
yout
0xHighMemAddr0xLowStackAddr
Args--------------------
--Saved Ret
----------------------
Saved FP--------------------
--BUFFER
0xLowMemAddr0xHighStackAddr
AAAAAAAAAAAA
Overflow
![Page 8: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/8.jpg)
Stack Based Buffer Overflow ( Cont. )
– The BAD ret instruction ( and also leave :D ) 004012DC |. 83C4 10 ADD ESP,10004012DF |. C9 LEAVE004012E0 \. C3 RETN
Args--------------------
--Saved Ret
----------------------
Saved FP--------------------
--BUFFER
EIP
Boom
AAAAAAAAAAAA
Overflow
![Page 9: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/9.jpg)
Heap Overflow
– Heap Structure • LIST_ENTRY Structure ( WinNT.h )
• FreeList array– Pointer to free heap blocks
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink;} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
![Page 10: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/10.jpg)
Heap Overflow ( cont. )
– Heap.c
HANDLE h = HeapCreate(0, 0, 0);DWORD vulner(LPVOID str) {
LPVOID mem = HeapAlloc(h, 0, 128);// <..>strcpy(mem, str);// <..>LPVOID mem2 = HeapAlloc(h, 0, 128);// <..>return 0;
}
Overflow
Affected Memory
![Page 11: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/11.jpg)
Heap Overflow ( cont. )
– Freeing Scenario and Pointers ( without Safeunlinking )
BOOLEAN RemoveEntryList(IN PLIST_ENTRY Entry){ PLIST_ENTRY Blink; PLIST_ENTRY Flink; Flink = Entry->Flink; // what Blink = Entry->Blink; // where Blink->Flink = Flink; // *(where) = what Flink->Blink = Blink; // *(what+4) = where return (BOOLEAN)(Flink == Blink);}
![Page 12: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/12.jpg)
Heap Overflow ( Cont. )
– Freeing Scenario and Pointers ( without Safeunlinking )
• Disass...
– Exploitation Scenario
mov dword ptr [ecx],eax mov dword ptr [eax+4],ecxEAX - Flink ECX - Blink
ECX = Function PointerEAX = Instruction which transfer execution to shellcode
![Page 13: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/13.jpg)
Heap Overflow ( Cont. )
– Function pointers which can overwrite during unlinking ( ECX )• Unhandled Exception Filter• Vector Exception Handling ( VEH )• PEB Pointers• TEB Pointers• Your own pointer !
![Page 14: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/14.jpg)
Format String
– Using format specified functions in wrong way• Printf(buffer)
– We are able to overwrite arbitrary address• Mentioned pointers can be good target• Saved Return Address !!!
![Page 15: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/15.jpg)
Memory Protections
• Protections against buffer overflow– Guard Stack ( a.k.a /GS )– Data Execution Prevention ( a.k.a DEP or
/NXCOMPAT )– Safe SEH Table ( a.k.a /SafeSEH )– SEH Overwrite Protection ( a.k.a SEHOP )– Address Space Layout Randomization ( a.k.a ASLR
or /DYNAMICBASE )
![Page 16: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/16.jpg)
Guard Stack ( /GS ) Protection
– Compiler Insert Cookie after Function Stack Frame– There is also a copy of cookie in .data section– Before function return cookie check with .data
saved cookie– If dose not match , Ret instruction never execute– In overflow situation we have to overwrite cookie
befor reaching “Saved Return Address”– Now what ?
![Page 17: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/17.jpg)
Guard Stack ( /GS ) Protection ( cont. )• Memory Layout
Parameters
Return Address
Frame Pointer
Locals
Parameters
Return Address
Frame Pointer
Exception Handler Frame
Locals
Parameters
Return Address
Frame Pointer
Exception Handler Frame
Locals
Safe Parameters
CookieCookie
(1)
(2)
(3)
(1) Without Cookie(2) MSVC++ 2003(3) MSVC++ 2005
![Page 18: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/18.jpg)
Guard Stack ( /GS ) Protection ( cont. )
– Q : What is Safe Parameters ?– A : Function pointer overwrite prevention trick
– Prevention is better than cure :D
Para
met
ers
Retu
rn A
ddre
ss
Fram
e Poin
ter
Exce
ption
Handle
r Fra
me
Loca
lsSa
fe
Para
met
ers
Cook
ie
#include <windows.h>int main(int argc, char *argv[]){ HMODULE Lib=NULL; unsigned int FuncAddress = 0; int err = 0; Lib = LoadLibrary("msvcrt.dll"); FuncAddress = GetProcAddress(Lib,"printf"); err = DoStuff(argv[1],FuncAddress); return 0;}int DoStuff(char *buf, FARPROC fnk){ char buffer[20]=""; strcpy(buffer,buf); (fnk)(buffer); __asm add esp,4 return 0;}
![Page 19: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/19.jpg)
Guard Stack ( /GS ) Protection ( cont. )
– When /GS dose not protect your Code ?• The optimization (O) option is not enabled• The function does not contain a stack buffer• The function is marked with naked in C++• The function has a variable argument list• The function begins with inline assembly code• The compiler determines that the function’s variables
are used only in ways that are less likely to be exploitable
![Page 20: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/20.jpg)
Guard Stack ( /GS ) Protection ( cont. )
– Implementation• ___security_init_cookie()• Protected function prologue changes• Protected function epilogue changes• __security_check_cookie()• ___report_gsfailure()
![Page 21: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/21.jpg)
Guard Stack ( /GS ) Protection Reversing in Action
Just trigger IDA
![Page 22: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/22.jpg)
•/G
S Reversing–
___security_init_cookie()
Security Init Cookievoid __cdecl __security_init_cookie(void){
UINT_PTR cookie; if (__security_cookie != DEFAULT_SECURITY_COOKIE && (__security_cookie & 0xFFFF0000) != 0 ){ __security_cookie_complement = ~__security_cookie; return; }
GetSystemTimeAsFileTime(&systime.ft_struct);cookie = systime.ft_struct.dwLowDateTime;
cookie ^= systime.ft_struct.dwHighDateTime; cookie ^= GetCurrentProcessId(); cookie ^= GetCurrentThreadId(); cookie ^= GetTickCount(); QueryPerformanceCounter(&perfctr);
cookie ^= perfctr.LowPart; cookie ^= perfctr.HighPart;
if (cookie == DEFAULT_SECURITY_COOKIE){ cookie = DEFAULT_SECURITY_COOKIE + 1; }
else if ((cookie & 0xFFFF0000) == 0){ cookie |= cookie << 16; }
__security_cookie = cookie; __security_cookie_complement = ~cookie;}
![Page 23: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/23.jpg)
UINT_PTR cookie_temp_storage,cookie_global;cookie_temp_storage = 0xCCCCCCCC;cookie_temp_storage = __security_cookie;// cookie_temp_storage = cookie_temp_storage ^ EBP;// cookie_global = cookie_temp_storage;__asm {
xor cookie_temp_storage, ebpmov dword prt [ebp-4],cookie_temp_storage
}
•/G
S Reversing–
Protected function prologue changesPrologue
![Page 24: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/24.jpg)
cookie_temp_storage = cookie_global;// cookie_temp_storage = cookie_temp_storage ^ EBP;__asm{
xor cookie_temp_storage, ebp}__security_check_cookie();
•/G
S Reversing–
Protected function eplilogue changesEpilogue
![Page 25: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/25.jpg)
void __security_check_cookie(){if ( cookie_temp_storage == __security_cookie )
return;__report_gsfailure();
}
•/G
S Reversing–
__security_check_cookie()Memory Protections
![Page 26: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/26.jpg)
void __report_gsfailure(){// rise an fake exception // saving the contex record codes skiped :D GS_ContextRecord.ContextFlags = CONTEXT_CONTROL; GS_ExceptionRecord.ExceptionAddress = (PVOID)(ULONG_PTR)GS_ContextRecord.Eip;
GS_ExceptionRecord.ExceptionCode = STATUS_STACK_BUFFER_OVERRUN; GS_ExceptionRecord.ExceptionFlags = EXCEPTION_NONCONTINUABLE;
cookie[0] = __security_cookie; cookie[1] = __security_cookie_complement;
if ( IsDebuggerPresent() )_CRT_DEBUGGER_HOOK(_CRT_DEBUGGER_GSFAILURE);
SetUnhandledExceptionFilter(NULL); UnhandledExceptionFilter((EXCEPTION_POINTERS *)&GS_ExceptionPointers);
TerminateProcess(GetCurrentProcess(), STATUS_STACK_BUFFER_OVERRUN);}
•/G
S Reversing–
___report_gsfailure()Report Gs Failure
![Page 27: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/27.jpg)
– Puting shellcode into buffer– Overwrite EXCEPTION_REGISTRATION• Next = jump to shellcode• Handler = call [ebp+30] or pop,pop,ret or ...
– Causing an exception before coockie check– BOOOOM!!!
Defeating /Gs Scenario
![Page 28: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/28.jpg)
– When exception occured os call _except_handler() function– The location of handler function is store into stack by
EXCEPTION_REGISTRATION structure ( E_R )
– Os find address of first regsiter E_R by accessing to fisrt 4 byte of thread TEB
– OS access to TEB through fs register– Fs[0] alwayes point to first installed E_R in TEB
Exception Handling Overview
typedef struct EXCEPTION_REGISTRATION{EXCEPTION_REGISTRATION *next;PEXCETION_HANDLER *handler;
}EXCEPTION_REGISTRATION, *PEXCEPTION_REGISTRATION;
![Page 29: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/29.jpg)
– There is chain of E_R structures in stack– If one hanlder faild to handle exception , chain
traversealed to find a proper handler
Exception Handling Overview ( cont. )
![Page 30: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/30.jpg)
– We can control value of both next and handler elements of a registerd E_R
– Overwiting handle with shellcode address and cusing an exception ,then boom ??? No !!!• There is some problems
– If handler address is in stack , handler never execute– If handler address is in heap , handler execute
» Finding writeable heap address in stack overflow situation is usualy impossible • Now what ?
Abusing registered E_R
![Page 31: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/31.jpg)
– Rules are implemnted just for handler, we still have control over next pointer
– Secund parameter of _except_handler() function which is EstablisherFrame point to curent EXCEPTION_REGISTRATION frame
– We can access to this address by poping off two value from stack and then returning to it : pop,pop,ret
– There is also other instructions which work same as pop,pop,ret sequence, such as : • Call dword ptr[ebp+30]• Jmp dword ptr [esp+8]
Abusing registered E_R ( cont. )
![Page 32: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/32.jpg)
– Our attack scenario :– Puting shellcode into buffer– Overwriting handler with pop,pop,ret instructions– Overwriting next with jump to the buffer– Cuasing an exception– Boom !!!
– But there is another problem : /SafeSEH
Abusing registered E_R ( cont. )
![Page 33: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/33.jpg)
– Create a table of safe handlers– Compare each handler value with table values– If handler value is in safe table , handler excecute– If not , go to treminate process with
STATUS_STACK_BUFFER_OVERRUN flag
/SafeSEH Protection
![Page 34: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/34.jpg)
– If program doesnt compile with /SafeSEH every handlers are valid and execute
– If handler address is in module which doesnt handle with /SafeSEH , handler execute
– If handler address is outside of loaded module, handler execute
/SafeSEH Protection Weaknesses
![Page 35: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/35.jpg)
Bypassing /GS , /SafeSEH attack scenario
Target : Vista SP1 EN XP SP3 EN
NOP
Shellcode
Return Address
0x41414141
Jmp to Jmp 0xbuffer
Handler
Jump to Bufferinstructions
Adress of Pop,Pop,Ret
orCall dword ptr [ebp+30]
instruction
![Page 36: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/36.jpg)
Bypassing /GS , /SafeSEH Protection inAction
Just trigger debuuger
![Page 37: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/37.jpg)
– In this case we can use 0x00 in data– If can’t ?• Find address for pop,pop,ret which dosen’t contain
0x00• Put shellcode after overwrited E_R• Overwrite next with jmp forward to shellcode• Boom!
/GS Null Byte problem
![Page 38: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/38.jpg)
– Data Execution Prevention (DEP) is a system-level memory protection feature that is built into the operating system
– DEP enables the system to mark one or more pages of memory as non-executable
– DEP prevents code from being run from data pages such as the default heap, stacks, and memory pools
– If an application attempts to run code from a data page that is protected, a memory access violation exception occurs
– if the exception is not handled, the calling process is terminated
Data Execution Prevention
![Page 39: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/39.jpg)
– Hardware-enforced DEP enables the NX bit on compatible CPUs, through the automatic use of PAE kernel in 32-bit Windows
– The NX bit ( XD/EVP), which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions or for storage of data
– Physical Address Extension (PAE) is a feature of x86 and x86-64 processors that enable the use of more than 4 gigabytes[1] of physical memory to be used in 32-bit systems
– In traditional 32-bit protected mode, x86 processors use a two-level page translation scheme, where the control register CR3 points to a single 4 KB long page directory, which is divided into 1024 × 4 byte entries
– The NX bit flag in the page directory, in bit 63, to mark pages as "No eXecute"
– Similat technologies : W^X , PAX , Exec Shield
Data Execution Prevention ( Implementation )
![Page 40: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/40.jpg)
– Software DEP, while unrelated to the NX bit, is what Microsoft calls their enforcement of "Safe Structured Exception Handling“
– Software DEP/SafeSEH simply checks when an exception is thrown to make sure that the exception is registered in a function table for the application
– requires the program to be built with it
Data Execution Prevention ( Implementation Cont. )
![Page 41: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/41.jpg)
– OptIn: DEP is enabled by default for limited system binaries and programs that "opt in". With this option, only Windows system binaries are covered by DEP
– OptOut: DEP is enabled by default for all processes. A list of specific programs that should not have DEP applied can be entered using the System dialog box in Control Panel.
– AlwaysOn: This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available.
– AlwaysOff: This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support.
Data Execution Prevention (Configuration )
![Page 42: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/42.jpg)
– The very easy way• Using newly added DEP related API
– SetProcessDEPPolicy Fucntion
– Thr easy way:• Filling buffer with shellcode • Calling NtSetInformationProcess with Desire parameters to disable
DEP for Current Process• Jumping into buffer ( jmp esp)
– The hard way :• Filling buffer with shellcode • Making a page RWX by calling VirtualAlloc function• Copying Shellcode to RWX memry region through calling memcpy• Jumping to RWX memory region
Bypassing DEP Scenario
![Page 43: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/43.jpg)
– We can change DEP policy for spesific process at run-time.
– We will use SetProcessDEPPolicy with desire parameters
• setting dwFlags to 0 disables DEP for the process
– Jump back to shellcode
The very easy way
BOOL WINAPI SetProcessDEPPolicy( DWORD dwFlags );
![Page 44: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/44.jpg)
Finall attack scenarioThe very easy way Target : XP SP3 EN
NOP
Shellcode
Return AddressSetProcessDEPPolicy
Shellcodeaddr
0x00000000
![Page 45: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/45.jpg)
Bypassing DEP Protection ( very easy way ) in
ActionJust trigger debugger
![Page 46: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/46.jpg)
– We can change DEP policy for spesific process at run-time.– LdrpCheckNXCompatibility determine whether or not NX support should
be enabled for the process– As a result of these checks, NX support is either enabled or disabled
through a new PROCESSINFOCLASS named ProcessExecuteFlags (0x22).– When we calling NtSetInformationProcess 4 byte bit-mask parameter
push to the buffer as parameter for MmSetExecuteOptions– MmSetExecuteOptions perform appropriate operation to set the
executio flag– Parameters which we can pass to NtSetInformationProcess are :
• MEM_EXECUTE_OPTION_ENABLE ( 0x1 )• MEM_EXECUTE_OPTION_DISABLE (0x2 )
– So ,all we have to do is calling NtSetInformationProcess with mentioned parameters for current process at the overflow time
The easy way
![Page 47: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/47.jpg)
• Take a quick look at NtSetInformationProcess :
• We can find NtSetInformationProcess Calling with desire parameters in a few dlls , such as : ntdll.dll , acgenral.dll , ....
• In exploit code i use ntdll instruction sequence becaus :– is more interesting than direct call in acgenrall.dll ....– Maybe our program dosnt load acgenral.dll...
• For acgenral.dll call ,Just search this sequence of byte in selected dll by msfpescan:– Msfpescan –r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF“
The easy way ( cont. )
NtSetInformationProcess(NtCurrentProcess(), // (HANDLE)-1ProcessExecuteFlags, // 0x22&ExecuteFlags, // ptr to 0x2sizeof(ExecuteFlags)); // 0x4
push 4;lea eax, [ebp+arg_0];push eax;push 22h;push 0FFFFFFFFh
![Page 48: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/48.jpg)
• IDA View :D
The easy way ( cont. )
![Page 49: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/49.jpg)
Finall attack scenarioThe easy way Target : XP SP3 EN
NOP
Shellcode
Return AddressNtSetInformationProcess
Some Pad
NtSetInfoReturn Address Jump to Buffer
![Page 50: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/50.jpg)
Bypassing DEP Protection ( easy way ) inAction
Just trigger debugger
![Page 51: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/51.jpg)
– calling VirtualAlloc function as return address and allocate commited memory with RWX protection mode
– set flAllocationType to MEM_COMMIT– And flProtect to PAGE_EXECUTE_READWRITE
The Hard way
LPVOID WINAPI VirtualAlloc( __in LPVOID lpAddress, __in SIZE_T dwSize, __in DWORD flAllocationType, __in DWORD flProtect );
![Page 52: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/52.jpg)
– After VirtualAlloc returned , we call memcpy and copy shellcode into allocated RWX memory region
– set dest to Allocated unit by VirtualAlloc– And scr to shellcode address in buffer– Trick : You can also call VirtualProtect to make
shellcode location executable ( no memcpy needed )
The Hard way ( cont. )
void *memcpy( void *dest, const void *src, size_t count );
![Page 53: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/53.jpg)
– VirtualAlloc function has __cdecl calling convention
– So ,Calling function pops it’s the arguments from the stack
– What we have to do if we want to call another function which has calling convention that not clear stack after call ?
– We can use pop,ret instruction
The Hard way ( cont. )
Pop regPop regPop regret
N time
N = function arguments count
![Page 54: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/54.jpg)
Finall attack scenarioThe hard wayTarget : XP SP3 EN
Shellcode
VirtualAlloc
Memcpy
Mem Addr
Shellcode Size
MEM_COMMIT
PAGE_EXECUTE_READWRITE
Mem Addr
Shellcode Addr
Mem Addr
Shellcode Size
Saved Return Address
![Page 55: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/55.jpg)
Bypassing DEP Protection ( hard way ) inAction
Just trigger debuuger
![Page 56: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/56.jpg)
– In this case we can use 0x00 in data– If can’t ?• Use swquence of functions which dosent need 0x00 in
arguments• Use NtSetInformationProcess method which dosnt
need any null byte
DEP Null Byte problem
![Page 57: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/57.jpg)
– In Windows Vista, NX cannot be disabled once turned on for a process
– now?• If can use null byte , VirtualAlloc+memcpy or
VritualProtect functions are handy ! ( without ASLR , in browser exploitation also with ASLR )• If cant , i dont know the asnwer ...
DEP Vista problem
![Page 58: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/58.jpg)
– ASLR randomizes the location of images (PE files mapped into memory), heaps, stacks,the PEB and TEBs
– When a new address is being selected as an image base for an executable, a random delta value
– is added to or subtracted from the ImageBase value in the executable's PE header
– This delta value is calculated by taking a random 8-bit value from the RDTSC counter and multiplying it by 64KB
Address Space Layout Randomazation
![Page 59: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/59.jpg)
– Heap Randmoazation• 5-bit random value is generated• multiplied by 64K• This value used as an offset from the base address
returned by the NtAllocateVirtualMemory
Address Space Layout Randomazation ( cont. )
![Page 60: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/60.jpg)
– Stack Randmoazation• base of the stack is chosen randomly• offset into the initial page where the stack starts getting
used is also chosen at random
Address Space Layout Randomazation ( cont. )
![Page 61: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/61.jpg)
– Heap Spray• Allocating larg amount of heap blocks• Filling Heap Blocks withNop and Shellcode• Use randomly address base on allocated units base
address and 64kb alignment• Filling buffer with return address • JavaScript !!!• Browser dependent limitation ( or every progarm which
allow us to make big block of heaps)
Bypassing ASLR Scenario
![Page 62: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/62.jpg)
Memory Protections
DemoHeapSpray Technique
![Page 63: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/63.jpg)
– IE disallow address which contain non-ascii bytes– Address most be taken base on heap blocks count– Using ascii sequnce address are highly recommend– Address such as : 0x05050505 , 0x0d0d0d0d ,
0x0a0a0a0a– You can also use Heap-Feng-Shui method instead
of HeapSpray
Heap Spray notes
![Page 64: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/64.jpg)
Bypassing ASLR Protection inAction
Just trigger debugger
![Page 65: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/65.jpg)
– FinalExceptionHandler function in NTDLL.DLL is registered as the first exception handler in all theads
– As additional exception handlers are registered, they form a linked list with the last record always pointing to FinalExceptionHandler
– The exception dispatcher walks this linked list and verifies that the last record still points to that Function
– If an attacker overwrites the Next field of an exception handler record, the validation loop will not reach the last record and the SEH chain corruption will be detected
SEH Overwrite Protection ( SEHOP )
![Page 66: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/66.jpg)
– Skape offer ( current implementation is abit diff )
SEHOP ( Implementation )
CurrentRecord = fs:[0];ChainCorrupt = TRUE;while (CurrentRecord != 0xffffffff) {
if (IsInvalidAddress(CurrentRecord->Next))break;
if (CurrentRecord->Next == ValidationFrame) {ChainCorrupt = FALSE;break;
}CurrentRecord = CurrentRecord->Next;
}if (ChainCorrupt == TRUE)
ReportExploitationAttempt();
![Page 67: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/67.jpg)
– Exist theory• One potential way to bypass this protection is to point
the overwritten Next pointer to a fake SEH record that points to the FinalExceptionHandler function. However, the ASLR implementation inVista randomizes the address of the function and makes it impossible to for an attacker to terminate the SEH chain unless they have a way to bypass ASLR
– My theory
SEHOP bypassing theories
![Page 68: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/68.jpg)
– /Gs , /SafeSEH– /Gs , /SafeSEH , DEP– ASLR , DEP– /Gs , /SafeSEH , ASLR , DEP
Combined Protections Bypassing Scenarios
![Page 69: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/69.jpg)
Bypassing Combined Protection inAction
Just trigger debugger
![Page 70: Bypassing MS Windows Memory Protections Shahriyar Jalayeri Shahriyar.j@gmail.com 1 st Iranian Confrence on Cybespace Security Incidents and Vulnerabilities](https://reader035.vdocuments.mx/reader035/viewer/2022062713/56649cdf5503460f949a8e3a/html5/thumbnails/70.jpg)
Question ?
Thank you for attending