proprietary and confidential information – copyright© 2010 – all rights reserved preventing...

Proprietary and Confi denti al Informati on – Copyright © 2010 – All Rights Reserved

Preventing Intrusion PreventionApril 21, 2010

Ryan MacArthur, [email protected]

2Proprietary and Confi denti al Informati on – Copyright © 2010 – All Rights Reserved

Quick Intro

• Don’t believe anything I say• Former ISI student (’08)• Worked at Symantec out of the gate– Security Response Team

• Interviewed with iSIGHT at BH Vegas 2009• Started work in October 2009


Hi


Outline

• Basics– Some C background

• Exploitation technique evolution


Outline

• Assignment – Hacking a webserver with DEP– Demonstrate understanding of topics discussed

today


C

• READ THE STANDARD (c99)– Grep for undefined– ‘sprintf … If copying takes place between objects

that overlap, the behavior is undefined’– ‘free … or if the space has been deallocated by a

call to free or realloc, the behavior is undefined’– ‘exit … a call to the longjump function is made that

would terminate the call to the registered function, the behavior is undefined’


C

int main(){ int a = 4; int b = 0x40000000; int c = a * b + 1; printf("%d\n", c); return 0;}


C

(*pf[f1()]) (f2(), f3() + f4())


C

(t4=f4(), t3=f3(), t2=f2(), t1=f1(), (*pf[t1]) (t2, t3 + t4))


C

int main(int argc, char** argv){ int glob = atoi(argv[1]); glob = (glob++, glob) + (glob++, glob); printf("%d\n", glob); return 0;}


C –O0• 0x00401085 <main+53>: call 0x40116c <atoi>• 0x0040108a <main+58>: mov %eax,-0x4(%ebp)• 0x0040108d <main+61>: lea -0x4(%ebp),%eax• 0x00401090 <main+64>: incl (%eax)• 0x00401092 <main+66>: lea -0x4(%ebp),%eax• 0x00401095 <main+69>: incl (%eax)• 0x00401097 <main+71>: mov -0x4(%ebp),%edx• 0x0040109a <main+74>: lea -0x4(%ebp),%eax• 0x0040109d <main+77>: add %edx,(%eax)• 0x0040109f <main+79>: mov -0x4(%ebp),%eax• 0x004010a2 <main+82>: mov %eax,0x4(%esp)• 0x004010a6 <main+86>: movl $0x402000,(%esp)• 0x004010ad <main+93>: call 0x40115c <printf>


C –O3

0x00401071 <main+33>: call 0x401140 <atoi>0x00401076 <main+38>: movl $0x402000,(%esp)0x0040107d <main+45>: lea 0x4(%eax,%eax,1),%eax0x00401081 <main+49>: mov %eax,0x4(%esp)0x00401085 <main+53>: call 0x401130 <printf>


C

int main(){ int x = 4; char y[] = "haberdashery"; printf("%c\n", 4[y]); return 0;}


Basics

void f(int a,int b,char *c){ char buf[2]; strcpy(buf,c);}

int main(){ char z[]="zangief"; f(1,2,z); return 0;}


0x000000010x00000002

“zangief\0”

$esp ->

call f()


0x000000010x00000002

$esp ->

“zangief\0”

return address

push %ebp


0x000000010x00000002

$esp ->

return address

“zangief\0”

frame pointer main() stack frame

mov %esp,%ebp


0x000000010x00000002

$esp ->

return address

“zangief\0”

frame pointer main() stack frame


0x000000010x00000002

0x0040\00feign

0x000000010x00000002

0x004010c0frame pointer

char[2] az

retaddr

“zangief\0”


0x00401068 <f+24>: leave 0x00401069 <f+25>: ret


• The LEAVE instruction copies the frame pointer (in the EBP register) into the stack pointer register (ESP), which releases the stack space allocated to the stack frame. The old frame pointer is then popped from the stack into the EBP register, restoring the calling procedure’s stack frame.

• RET Transfers program control to a return address located on the top of the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL instruction.


0x000000010x00000002

0x0040\00feignaz

“zangief\0”

$ebp->


0x000000010x00000002

0x0040\00feignaz

$ebp->$esp->

“zangief\0”


0x000000010x00000002

0x0040\00feignaz

$ebp->0x6569676e

$esp->

“zangief\0”


0x000000010x00000002

0x0040\00feignaz

$ebp->0x6569676e

$esp->

$eip->0x00400066 “zangief\0”


Now you’ve owned the stack

• Now what?• Get shellcode into your string buffer• Overwrite eip with address of shellcode


Shellcode

smashed EBPPtr to shellcode

args


Problems Arise

• How do I know what address my shellcode is at?

Shellcode

smashed EBP??????????

args


Well you might not

guess

Shellcode

smashed EBPPtr to shellcode

args


First Abstract defense mechanism

• Why should there ever be a need to execute code off the stack?

• Well then,make the stack non-executable• Boom – screwed.


Where to put our shellcode?

Heap

Stack


Basics

void f(int a,int b,char *c){ char t[8]; for(;a <= 8; a++) { t[a]=c[a]; }}

int main(){ char z[]="zangief!"; f(0,2,z); return 0;}


Off-by-one

Local buffer

Saved EBPSaved EIP

args

Local bufferSaved EBPSaved EIP

args

leave(mov ebp,esp)(pop ebp)

ret(pop eip)

…leaveretowned.

Saved ebp: 0x0022cd28

1 byte overwrite ebp: 0x0022cd00


• -fomit-frame-pointer

Dump of assembler code for function:0x00401130 <g+0>: push %ebp0x00401131 <g+1>: mov %esp,%ebp0x00401133 <g+3>: sub $0x10,%esp0x00401136 <g+6>: mov 0x8(%ebp),%eax0x00401139 <g+9>: mov %eax,-0x4(%ebp)0x0040113c <g+12>: leave 0x0040113d <g+13>: ret

Dump of assembler code for function:0x00401130 <g+0>: sub $0x10,%esp0x00401133 <g+3>: mov 0x14(%esp),%eax0x00401137 <g+7>: mov %eax,0xc(%esp)0x0040113b <g+11>: add $0x10,%esp0x0040113e <g+14>: ret


Heap Overflows

• Onto Function Pointer


Stack Canaries

• /GS flag in visual studio• Protects against buffer overflows– How?


Stack Canaries

sub esp,20h…add esp20h ret

sub esp,24h mov eax,dword ptr [___security_cookie (408040h)] xor eax,dword ptr [esp+24h] mov dword ptr [esp+20h],eax …mov ecx,dword ptr [esp+20h] xor ecx,dword ptr [esp+24h] add esp,24h jmp __security_check_cookie (4010B2h)


Stack Canaries

• How do you defeat them?• Not all functions get protected• Even if they do….


SEH

• Windows Structured Exception Handling

typedef struct _EXCEPTION_REGISTRATION_RECORD { struct _EXCEPTION_REGISTRATION_RECORD *Next; PEXCEPTION_ROUTINE Handler; } EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;


SEH

Ptr to next Ptr to Handler



0xffffffff

Proprietary and Confi denti al Informati on – Copyright © 2010 – All Rights Reserved

Abusing SEH

Jmp short Ptr to Handler






bufferSaved ebpSaved eip

pop $x pop $yret

shellcode

Ptr to next


Software DEP

• Safe Structured Exception Handling. (SafeSEH)• Compile time– /SafeSEH option in visual studio


SafeSEH

• IE8 on xpsp3:


SEHOP

• SEH Overwrite Protection• SEHOP is enabled by default on Windows

Server 2008 and disabled by default on Windows Vista SP1.

• Can be turned on via registry


SEHOP




Ptr to next Ptr to final handler Ntdll!FinalExcepion


Memory

• Interview question used at google & msft:– How would you find out if a machine’s stack grows

up or down in memory?


#include <stdio.h>

void sub(int *a) { int b;

if (&b > a) { printf("Stack grows up. a:%p b:%p\n",a,&b); } else { printf("Stack grows down. a:%p b:%p\n",a,&b); }}

main () { int a; sub(&a);}


Memory

• Actual memory isnt top down and is can be all over the place

• Gaps cause problems for us, because we might want some memory layout continuity


Virtual memory

stack

heap


Actual virtual memory:


Filling the gaps

• How?


Heap spray example

• What is a heap spray?– Just fill memory– Was popularized before DEP was implemented– Easy to do with anything:• Flash• Javascript in browser• Script in pdf• Images • Java• html


• Actual spray=>


Hardware DEP

• Included in all newer windows supported processors: (Intel x86/IA-64, AMD amd64, ARM ARMv6). If this bit is set for the page that the CPU is executing code on (for instance mapped as a PAGE_READWRITE) the CPU will generate a STATUS_ACCESS_VIOLATION (0xC0000005) access violation exception.


DEP

/noexecute [OptIn | OptOut | AlwaysOn | AlwaysOff ]

• Opt-in: (Default for XPSP2, XPSP3, and Vista) In this mode of operation DEP is enabled only for processes that explicitly opt-in to DEP.

• Opt-Out: (Default for Windows Server 2003 and Windows Server 2008) In this mode of operation DEP is enabled by default for all processes except those that explicitly opt-out of DEP.

• Always On: In this mode of operation DEP is always enabled for all processes regardless of whether the program is compatible with DEP or not.

• Always-Of: In this mode of operation DEP is always disabled for all processes.


DEPKPROCESS struct;

typedef struct _KEXECUTE_OPTIONS{ ULONG ExecuteDisable: 1; ULONG ExecuteEnable: 1; ULONG DisableThunkEmulation: 1; ULONG Permanent: 1; ULONG ExecuteDispatchEnable: 1; ULONG ImageDispatchEnable: 1; ULONG Spare: 2;} KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;


DEP

• SetProcessDEPPolicy()• NtSetProcessInformation()


stack

heap

Cant execute code here

Cant execute code here


Defeating DEP

• Any ideas?


Assigned Reading

• The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)

• The Advanced Return-into-lib(c) Exploits: PaX case study

• x86-64 Buffer Overflow Exploits and the Borrowed Code Chunks Exploitation Technique


Assigned Reading

• Why were these papers good/bad?


Assigned Reading

• Evolutionary exploitation techniques• Hey, its easier to just jmp into .text segments


int system(const char *command);


Ret2libc Fundamentals


args


args

Local buffer

Address of system()


args

“useradd mac –g wheel”

Fake retaddrchar *

Smashed ebp


Local buffer

Address of system()


args

Fake retaddrarg1

Smashed ebp


$esp->

0x0040108c <main+60>: ret


Local buffer

Address of system()


args

Fake retaddrarg1

Smashed ebp

$esp->


Now system() does its thing…0x004010db <system+101>: ret


Local buffer

Address of system()


args

Fake retaddrarg1

Smashed ebp

$esp->

Now we land at fake retAnd $esp points to arg1!



Ret2libc limitations

Local bufferAddress of system()

Nex function() to call

char *

System() stack frame

Same argument as we passed to system()!


So we can only call one func…

• damn


Or can we…

• How can we string together multiple calls?


esp lifting with frame pointers


args


args

Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

args


Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

args

$esp->

0x0040108c <main+60>: ret


Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

args

0x0040108c <setuid+60>: ret

$esp->


Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

args

$esp->

0x100bc0c0: pop


Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

args

0x100bc0c0: ret

$esp->


Local buffer

Address of setuid()

Address of system()

0xffffffff

system() arg

Address of pop-ret

setuid() arg

0xffffffff

args

In system()Here system will return into 0xffffffff

$esp->


Advancements…

• If using -fomit-frame-pointers

Dump of assembler code for function g:0x00401130 <g+0>: sub $0x10,%esp0x00401133 <g+3>: mov 0x14(%esp),%eax0x00401137 <g+7>: mov %eax,0xc(%esp)0x0040113b <g+11>: add $0x10,%esp0x0040113e <g+14>: ret


esp lifting

78


args


args

Local buffer

Address of setuid()

PAD

PAD

Address of system()

0xffffffff

Address of epilog

setuid() arg

0xffffffff

args+pad = stack adjustment

system() arg


Frame FakingLocal bufferSaved EBPSaved EIP

args

Local bufferFake ebp0

Addr of leave-ret

Fake ebp1

Addr of setuid()

Addr of leave-ret

Arg to setuid()

Fake ebp2

Addr of system()

Addr of leave-ret

Arg to system()


ROP!

• Return oriented programming– logical extension of ret2libc– Can use chunks from anywhere


ROP!

args

emptyempty

Pop %eaxret

Pop %espret

lcall %gs:0x10(,0)ret

Local buffer

Saved EBPSaved EIP

args Syscall index

Smashed ebp

Smashed buffer


What if …

pop %ebpLeaveret


Defeating DEP

• Might be able to turn it off by jumping to – SetProcessDEPPolicy()

• Allocate some memory that’s executable– VirtualAlloc(),

• Change permissions on already allocated mem– VirtualProtect()

• Write directly to already executable memory– WriteProcessMemory()


Whew..

• So wow, things look pretty bad right?– Welllllll….– What ways can we prevent these type of attacks?


Linux ASLR


ASLR

• 32 bit address space prevents serious randomization of ‘objects’

• Executables will have 255 possible load address locations, offset from the preferred image base

• The first DLL (NTDLL.DLL) will load in 1 of 256 possible locations, but the order in which following dlls are loaded will be randomized.

• Thread stacks start at a maximum offset of 7FC bytes from the stack base

• Process heap will start at a maximum offset of 2MB from the heap base.


Exploitation Timeline


Exploitation Timline


Windows Security Mechanisms


Mac’s Conjecture

• To own, you must do one of the following: – (1) introduce/execute arbitrary code– (2) execute existing code out of original program

order– (3) execute existing code in original program order

with arbitrary data


Where’s the FEEB

• Instruction Set randomization

Encoded Instruction

Stream

Encoding Key

CPU


Take a closer look…


… Weeee

Via Punk Ode: Hiding Shellcode in Plain Sight, Greg MacManus


Assignment

• NIST Configured XP images– Federal desktop core configuration– http://nvd.nist.gov/fdcc/

• Compiled webserver– Coded in C– In C:\project\httpd.exe

• RE/debugging tools already installed• I (should) have DVD’s to hand out

http://nvd.nist.gov/fdcc/


Assignment

• 2 ways to complete it– Figure out the secret (standard) – Own process (advanced)

• Plural of bonus:– Don’t use my exploit.c• Find the vuln yourself, and own the httpd

– Don’t crash the httpd


• This page Intentionally Left Blank

proprietary and confidential information – copyright© 2010 – all rights reserved preventing...

Documents

rights reserved c o3

rights reserved outline

int glob

f slide

0x401130 slide

c return

x 0x00401092

x 0x00401097