Proprietary and Confidential Information – Copyright © 2010 – All Rights Reserved
Preventing Intrusion Prevention
April 21, 2010
Ryan MacArthur, [email protected]
Quick Intro
• Don’t believe anything I say
• Former ISI student (’08)
• Worked at Symantec out of the gate
  – Security Response Team
• Interviewed with iSIGHT at BH Vegas 2009
• Started work in October 2009
Hi
Outline
• Basics
  – Some C background
• Exploitation technique evolution
• Assignment
  – Hacking a webserver with DEP
  – Demonstrate understanding of topics discussed today
C
• READ THE STANDARD (C99)
  – Grep for "undefined"
  – ‘sprintf … If copying takes place between objects that overlap, the behavior is undefined’
  – ‘free … or if the space has been deallocated by a call to free or realloc, the behavior is undefined’
  – ‘exit … a call to the longjmp function is made that would terminate the call to the registered function, the behavior is undefined’
C
#include <stdio.h>

int main(void)
{
    int a = 4;
    int b = 0x40000000;
    int c = a * b + 1;   /* 4 * 2^30 does not fit in a 32-bit int: signed overflow is undefined behavior */
    printf("%d\n", c);
    return 0;
}
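An added example, not code from the slides: the product on this slide (4 * 0x40000000) cannot be represented in a 32-bit int, and because signed overflow is undefined behaviour the check has to be made on the operands before the multiplication happens, not on the wrapped result afterwards. The hypothetical helper checked_mul_add1 does this by widening to 64 bits; it refuses the slide's operands and accepts ones whose result fits.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not part of the slides): compute a * b + 1 only when the
 * result fits in an int. The product is formed in a 64-bit long long, which can
 * hold any product of two 32-bit ints, and is checked against INT_MIN/INT_MAX
 * before anything is narrowed back to int. Returns 1 on success, 0 on overflow. */
int checked_mul_add1(int a, int b, int *out)
{
    long long prod = (long long)a * (long long)b;
    if (prod < INT_MIN || prod >= INT_MAX)   /* >= so that the + 1 also fits */
        return 0;
    *out = (int)prod + 1;
    return 1;
}

int main(void)
{
    int r;
    if (checked_mul_add1(4, 0x40000000, &r))
        printf("%d\n", r);
    else
        printf("4 * 0x40000000 + 1 does not fit in an int; not computed\n");
    if (checked_mul_add1(4, 1000, &r))
        printf("4 * 1000 + 1 = %d\n", r);
    return 0;
}
```

The same pre-check pattern applies to the allocation-size arithmetic (count * element size) that precedes most heap overflows: test the operands, then multiply.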
C
(*pf[f1()]) (f2(), f3() + f4())

C
(t4=f4(), t3=f3(), t2=f2(), t1=f1(), (*pf[t1]) (t2, t3 + t4))

(The C standard’s own example of unspecified evaluation order: f1 through f4 may be called in any order, and the second form is one of the orders the compiler is allowed to pick.)
C
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    if (argc < 2)
        return 1;
    int glob = atoi(argv[1]);
    /* the two glob++ in the operands of + are unsequenced relative to each other: undefined behavior */
    glob = (glob++, glob) + (glob++, glob);
    printf("%d\n", glob);
    return 0;
}
C -O0
0x00401085 <main+53>: call 0x40116c <atoi>
0x0040108a <main+58>: mov %eax,-0x4(%ebp)
0x0040108d <main+61>: lea -0x4(%ebp),%eax
0x00401090 <main+64>: incl (%eax)
0x00401092 <main+66>: lea -0x4(%ebp),%eax
0x00401095 <main+69>: incl (%eax)
0x00401097 <main+71>: mov -0x4(%ebp),%edx
0x0040109a <main+74>: lea -0x4(%ebp),%eax
0x0040109d <main+77>: add %edx,(%eax)
0x0040109f <main+79>: mov -0x4(%ebp),%eax
0x004010a2 <main+82>: mov %eax,0x4(%esp)
0x004010a6 <main+86>: movl $0x402000,(%esp)
0x004010ad <main+93>: call 0x40115c <printf>

C -O3
0x00401071 <main+33>: call 0x401140 <atoi>
0x00401076 <main+38>: movl $0x402000,(%esp)
0x0040107d <main+45>: lea 0x4(%eax,%eax,1),%eax
0x00401081 <main+49>: mov %eax,0x4(%esp)
0x00401085 <main+53>: call 0x401130 <printf>
C
#include <stdio.h>

int main(void)
{
    int x = 4;
    char y[] = "haberdashery";
    printf("%c\n", 4[y]);   /* 4[y] is *(4 + y), i.e. y[4]: the subscript operator is commutative */
    return 0;
}
Basics
#include <string.h>

void f(int a, int b, char *c)
{
    char buf[2];
    strcpy(buf, c);   /* unbounded copy: "zangief\0" is 8 bytes, buf holds 2 */
}

int main(void)
{
    char z[] = "zangief";
    f(1, 2, z);
    return 0;
}
[Stack diagram, call f(): main() has pushed the arguments 0x00000001, 0x00000002 and the pointer to “zangief\0”; $esp -> top of the arguments]
[Stack diagram, after the call: the return address sits below the arguments and push %ebp is about to save main()’s frame pointer; $esp -> return address]
[Stack diagram, mov %esp,%ebp: the saved frame pointer (main() stack frame) lies below the return address; $esp -> saved frame pointer]
[Stack diagram: f()’s frame is set up, with buf to be carved out below the saved frame pointer; $esp -> saved frame pointer]
[Stack diagram, after strcpy: buf (char[2]) holds “za”; the saved frame pointer is overwritten with “ngie”; the return address 0x004010c0 has its low two bytes overwritten with “f\0” (the slide shows the corrupted words as 0x0040\00feign); the arguments 0x00000001, 0x00000002 and the pointer to “zangief\0” follow above]
0x00401068 <f+24>: leave
0x00401069 <f+25>: ret

• LEAVE copies the frame pointer (in the EBP register) into the stack pointer register (ESP), which releases the stack space allocated to the stack frame. The old frame pointer is then popped from the stack into the EBP register, restoring the calling procedure’s stack frame.
• RET transfers program control to a return address located on the top of the stack. The address is usually placed on the stack by a CALL instruction, and the return is made to the instruction that follows the CALL instruction.
[Stack diagram, in f() after strcpy: $ebp -> the saved-frame-pointer slot, now holding “ngie”; above it the corrupted return address (0x0040\00f…) and the arguments 0x00000001, 0x00000002, pointer to “zangief\0”]
[Stack diagram, leave (mov %ebp,%esp): $esp and $ebp both point at the smashed saved-frame-pointer slot]
[Stack diagram, leave (pop %ebp): $ebp = 0x6569676e (“ngie” read as a little-endian word); $esp -> the corrupted return-address slot]
[Stack diagram, ret: $eip = 0x00400066, i.e. the original 0x004010c0 with its low two bytes replaced by “f\0”; $esp -> the arguments]

Now you’ve owned the stack
• Now what?
• Get shellcode into your string buffer
• Overwrite eip with address of shellcode
Shellcode
[Stack diagram: args | smashed EBP | pointer to shellcode (overwritten return address) | shellcode in the buffer]

Problems Arise
• How do I know what address my shellcode is at?
[Stack diagram: args | smashed EBP | ?????????? | shellcode]

Well, you might not
• Guess
[Stack diagram: args | smashed EBP | pointer to shellcode | shellcode]

First Abstract defense mechanism
• Why should there ever be a need to execute code off the stack?
• Well then, make the stack non-executable
• Boom – screwed.

Where to put our shellcode?
[Diagram: heap vs. stack]
Basics
void f(int a, int b, char *c)
{
    char t[8];
    for (; a <= 8; a++) {   /* <= 8 also writes t[8], one past the end of the 8-byte buffer */
        t[a] = c[a];
    }
}

int main(void)
{
    char z[] = "zangief!";   /* 8 characters plus the terminator: 9 bytes */
    f(0, 2, z);
    return 0;
}
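An added example, not code from the slides: both f() variants above trust the caller's data, strcpy() copies until it finds a NUL, and the loop bound `a <= 8` indexes one past the end of t[8]. The hypothetical helpers copy_bounded and copy_loop_bounded take the destination size as a parameter, so the slides' inputs ("zangief" into a 2-byte buffer, "zangief!" into an 8-byte one) are either refused or truncated with a terminator instead of spilling into the saved frame pointer. The buffers and strings are the slides' own; the helper names are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the slides): copy src into dst only if it
 * fits together with its terminator; otherwise refuse and leave dst alone.
 * Returns the number of characters copied, or -1 if the input was rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)   /* need n bytes plus the NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* The slide's loop with the bound taken from the destination size and the
 * idiomatic '<' comparison: it never writes past dst[dst_size - 1] and always
 * leaves a terminator. Returns the count copied, or -1 if src was truncated. */
int copy_loop_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst_size == 0)
        return -1;
    for (i = 0; i + 1 < dst_size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (int)i : -1;
}

int main(void)
{
    char buf[2];   /* the first slide's 2-byte buffer */
    char t[8];     /* the second slide's 8-byte buffer */

    if (copy_bounded(buf, sizeof buf, "zangief") < 0)
        printf("\"zangief\" rejected: needs 8 bytes, buffer holds %zu\n", sizeof buf);
    if (copy_loop_bounded(t, sizeof t, "zangief!") < 0)
        printf("\"zangief!\" truncated to \"%s\" to fit %zu bytes\n", t, sizeof t);
    return 0;
}
```

Rejecting and truncating are different policies; what matters for the stack is that the size comes from the destination, not from the attacker-controlled source, and that the loop bound is the buffer size rather than a hand-typed constant one off from it.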
Off-by-one
[Stack diagram: local buffer | saved EBP | saved EIP | args. The single extra byte lands in the low byte of the saved EBP.]
leave (mov ebp,esp) (pop ebp)
ret (pop eip)
… leave, ret: owned.
Saved ebp: 0x0022cd28
1-byte overwrite ebp: 0x0022cd00

• -fomit-frame-pointer
Dump of assembler code for function g (with frame pointer):
0x00401130 <g+0>: push %ebp
0x00401131 <g+1>: mov %esp,%ebp
0x00401133 <g+3>: sub $0x10,%esp
0x00401136 <g+6>: mov 0x8(%ebp),%eax
0x00401139 <g+9>: mov %eax,-0x4(%ebp)
0x0040113c <g+12>: leave
0x0040113d <g+13>: ret

Dump of assembler code for function g (-fomit-frame-pointer):
0x00401130 <g+0>: sub $0x10,%esp
0x00401133 <g+3>: mov 0x14(%esp),%eax
0x00401137 <g+7>: mov %eax,0xc(%esp)
0x0040113b <g+11>: add $0x10,%esp
0x0040113e <g+14>: ret

Heap Overflows
• Onto function pointer
Stack Canaries
• /GS flag in Visual Studio
• Protects against buffer overflows
  – How?

Stack Canaries
Without /GS:
    sub esp,20h
    …
    add esp,20h
    ret

With /GS:
    sub esp,24h
    mov eax,dword ptr [___security_cookie (408040h)]
    xor eax,dword ptr [esp+24h]
    mov dword ptr [esp+20h],eax
    …
    mov ecx,dword ptr [esp+20h]
    xor ecx,dword ptr [esp+24h]
    add esp,24h
    jmp __security_check_cookie (4010B2h)
Stack Canaries
• How do you defeat them?
• Not all functions get protected
• Even if they do….
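An added example, not from the slides, modelling the /GS check shown above in plain C: the cookie is a process-wide secret combined with a per-frame value (the compiler uses the frame address; here a constructed one), stored between the local buffer and the saved registers, and compared again before the function is allowed to return. The struct layout, the addresses and the cookie value are constructed for the demonstration, and frame_copy_unchecked stands in for the unbounded strcpy() of the earlier slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed process-wide secret, standing in for ___security_cookie. */
static const uint32_t security_cookie = 0xBB40E64Eu;

/* Model of a /GS-protected frame: the compiler places the cookie directly
 * above the local buffer so that a linear overflow must cross it before
 * reaching the saved EBP/EIP. Members are laid out in declaration order. */
struct frame {
    char     buf[8];
    uint32_t cookie;
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* The per-frame cookie: the secret XORed with a frame-specific value, as the
 * "mov eax,[___security_cookie]; xor eax,[esp+24h]" prologue does. */
static uint32_t cookie_for(uint32_t frame_addr)
{
    return security_cookie ^ frame_addr;
}

/* Prologue: set up the frame and store the cookie. Saved values are constructed. */
void frame_enter(struct frame *f, uint32_t frame_addr)
{
    memset(f, 0, sizeof *f);
    f->cookie    = cookie_for(frame_addr);
    f->saved_ebp = 0x0022cd28u;
    f->saved_eip = 0x004010c0u;
}

/* Model of an unchecked copy into buf. Writing through a char* inside the
 * struct object keeps this defined behaviour while still letting bytes
 * beyond sizeof buf spill into the cookie, which is what the guard catches. */
void frame_copy_unchecked(struct frame *f, const char *src, size_t n)
{
    if (n > sizeof *f)
        n = sizeof *f;            /* keep the model itself within the object */
    memcpy((char *)f, src, n);
}

/* Epilogue, i.e. __security_check_cookie: 1 if the frame may return,
 * 0 if the cookie changed and the process should be terminated instead. */
int frame_leave(const struct frame *f, uint32_t frame_addr)
{
    return f->cookie == cookie_for(frame_addr);
}

int main(void)
{
    struct frame f;
    const uint32_t addr = 0x0022cd10u;   /* constructed frame address */

    frame_enter(&f, addr);
    frame_copy_unchecked(&f, "zangief", 8);             /* fits: 7 chars + NUL */
    printf("8-byte copy:  cookie %s\n", frame_leave(&f, addr) ? "intact" : "smashed");

    frame_enter(&f, addr);
    frame_copy_unchecked(&f, "zangief!zangief!", 16);   /* overruns buf into the cookie */
    printf("16-byte copy: cookie %s\n", frame_leave(&f, addr) ? "intact" : "smashed");
    return 0;
}
```

Note what the check does and does not do: the overwrite itself still happens, and the guard only stops the corrupted frame from returning; a function the compiler did not instrument (the slide's "not all functions get protected") has no cookie to check, and an overwrite that lands past the cookie without touching it, or one that is consumed before the epilogue runs (for example through a handler), is not caught by this mechanism.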
SEH
• Windows Structured Exception Handling
typedef struct _EXCEPTION_REGISTRATION_RECORD {
    struct _EXCEPTION_REGISTRATION_RECORD *Next;
    PEXCEPTION_ROUTINE Handler;
} EXCEPTION_REGISTRATION_RECORD, *PEXCEPTION_REGISTRATION_RECORD;

SEH
[Chain diagram: a linked list of registration records, each holding a pointer to the next record and a pointer to its handler; the last record’s Next is 0xffffffff]

Abusing SEH
[Diagram: the overflow runs from the local buffer over the saved ebp and saved eip into a registration record; its “ptr to next” field is overwritten with a short jmp and its “ptr to handler” field with the address of a pop/pop/ret sequence; shellcode follows in the buffer; the remaining records still hold (ptr to next, ptr to handler) pairs]

Software DEP
• Safe Structured Exception Handling (SafeSEH)
• Compile time
  – /SafeSEH option in Visual Studio

SafeSEH
• IE8 on XP SP3:

SEHOP
• SEH Overwrite Protection
• SEHOP is enabled by default on Windows Server 2008 and disabled by default on Windows Vista SP1.
• Can be turned on via registry
SEHOP
[Chain diagram: (ptr to next, ptr to handler) records as before, but the chain must end in a final record whose handler is ntdll!FinalExceptionHandler; the dispatcher walks the whole chain to that record before honouring any handler]
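An added example, not from the slides, showing the SEHOP walk as a plain C model. The record layout mirrors the _EXCEPTION_REGISTRATION_RECORD struct shown earlier; the chain, the application handlers and the stand-in for the final handler are constructed here. The dispatcher follows Next pointers until the 0xffffffff terminator and only honours the chain if the last record's handler is the known final handler, so a record whose Next field was overwritten never reaches the terminator and the chain is refused. The depth bound is this model's own guard against a corrupted pointer that forms a cycle, not a description of the Windows implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Terminator of the handler chain, as on the SEH slides. */
#define SEH_END ((struct seh_record *)(uintptr_t)0xffffffffu)

typedef void (*exception_routine)(void);

/* Same shape as _EXCEPTION_REGISTRATION_RECORD: Next, then Handler. */
struct seh_record {
    struct seh_record *next;
    exception_routine  handler;
};

/* Stand-ins for ntdll's final handler and two application handlers
 * (constructed for the model; they are compared by address, never called). */
static void final_exception_handler(void) {}
static void app_handler_a(void) {}
static void app_handler_b(void) {}

/* SEHOP-style validation: 1 if the chain may be dispatched, 0 if it must be
 * refused. The walk follows Next until the terminator and checks that the
 * record just before it carries the final handler. max_depth is this model's
 * own guard against a corrupted pointer that forms a cycle. */
int sehop_validate(const struct seh_record *head, size_t max_depth)
{
    const struct seh_record *r = head;
    size_t depth;
    for (depth = 0; r != NULL && r != SEH_END; r = r->next, depth++) {
        if (depth >= max_depth)
            return 0;                          /* cycle or absurdly long chain */
        if (r->next == SEH_END)                /* last real record */
            return r->handler == final_exception_handler;
    }
    return 0;                                  /* NULL or empty: terminator never reached */
}

/* Constructed chain: two application records ending in the final record. */
int demo_intact(void)
{
    struct seh_record final_rec = { SEH_END, final_exception_handler };
    struct seh_record rec_b     = { &final_rec, app_handler_b };
    struct seh_record rec_a     = { &rec_b, app_handler_a };
    return sehop_validate(&rec_a, 64);
}

/* Constructed overwrite: rec_b's Next no longer leads to the terminator
 * (modelled as NULL), so the final handler is never found. */
int demo_overwritten_next(void)
{
    struct seh_record rec_b = { NULL, app_handler_b };
    struct seh_record rec_a = { &rec_b, app_handler_a };
    return sehop_validate(&rec_a, 64);
}

/* Constructed chain that reaches the terminator but with the wrong final handler. */
int demo_wrong_final_handler(void)
{
    struct seh_record last  = { SEH_END, app_handler_b };
    struct seh_record rec_a = { &last, app_handler_a };
    return sehop_validate(&rec_a, 64);
}

/* Constructed cycle: a record pointing at itself; the bounded walk gives up. */
int demo_cycle(void)
{
    struct seh_record loop;
    loop.next    = &loop;
    loop.handler = app_handler_a;
    return sehop_validate(&loop, 64);
}

int main(void)
{
    printf("intact chain:        %s\n", demo_intact()              ? "dispatch" : "refuse");
    printf("overwritten Next:    %s\n", demo_overwritten_next()    ? "dispatch" : "refuse");
    printf("wrong final handler: %s\n", demo_wrong_final_handler() ? "dispatch" : "refuse");
    printf("cyclic chain:        %s\n", demo_cycle()               ? "dispatch" : "refuse");
    return 0;
}
```

The point of walking to the end rather than checking only the first record is that an overwrite of any single Next field, anywhere in the chain, breaks the path to the final record; SafeSEH, by contrast, checks the handler address against the module's registered table and needs each module to have been compiled with it.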
Memory
• Interview question used at Google & MSFT:
  – How would you find out if a machine’s stack grows up or down in memory?
#include <stdint.h>
#include <stdio.h>

void sub(int *a)
{
    int b;
    /* b lives in sub()'s frame, a in main()'s; compare the two addresses as integers */
    if ((uintptr_t)&b > (uintptr_t)a) {
        printf("Stack grows up. a:%p b:%p\n", (void *)a, (void *)&b);
    } else {
        printf("Stack grows down. a:%p b:%p\n", (void *)a, (void *)&b);
    }
}

int main(void)
{
    int a;
    sub(&a);
    return 0;
}
Memory
• Actual memory isn’t laid out top-down; mappings can be all over the place
• Gaps cause problems for us, because we might want some memory layout continuity

Virtual memory
[Diagram: the idealized layout, stack and heap]

Actual virtual memory:

Filling the gaps
• How?

Heap spray example
• What is a heap spray?
  – Just fill memory
  – Was popularized before DEP was implemented
  – Easy to do with anything:
    • Flash
    • JavaScript in browser
    • Script in PDF
    • Images
    • Java
    • HTML
• Actual spray =>
Hardware DEP
• Included in all newer Windows-supported processors (Intel x86/IA-64, AMD amd64, ARM ARMv6). If the no-execute bit is set for the page the CPU is executing code from (for instance a page mapped PAGE_READWRITE), the CPU generates a STATUS_ACCESS_VIOLATION (0xC0000005) access violation exception.
DEP
/noexecute [OptIn | OptOut | AlwaysOn | AlwaysOff]
• Opt-In (default for XP SP2, XP SP3 and Vista): DEP is enabled only for processes that explicitly opt in to DEP.
• Opt-Out (default for Windows Server 2003 and Windows Server 2008): DEP is enabled by default for all processes except those that explicitly opt out of DEP.
• Always On: DEP is always enabled for all processes, regardless of whether the program is compatible with DEP or not.
• Always Off: DEP is always disabled for all processes.
DEP: KPROCESS struct
typedef struct _KEXECUTE_OPTIONS {
    ULONG ExecuteDisable: 1;
    ULONG ExecuteEnable: 1;
    ULONG DisableThunkEmulation: 1;
    ULONG Permanent: 1;
    ULONG ExecuteDispatchEnable: 1;
    ULONG ImageDispatchEnable: 1;
    ULONG Spare: 2;
} KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS;

DEP
• SetProcessDEPPolicy()
• NtSetInformationProcess()
[Diagram: stack and heap, both marked “Can’t execute code here”]

Defeating DEP
• Any ideas?
Assigned Reading
• The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
• The Advanced Return-into-lib(c) Exploits: PaX case study
• x86-64 Buffer Overflow Exploits and the Borrowed Code Chunks Exploitation Technique

Assigned Reading
• Why were these papers good/bad?

Assigned Reading
• Evolutionary exploitation techniques
• Hey, it’s easier to just jmp into .text segments

int system(const char *command);
Ret2libc Fundamentals
[Stack diagram, before: local buffer | saved EBP | saved EIP | args]
[Stack diagram, after overflow: local buffer | smashed ebp | address of system() (in place of saved EIP) | fake retaddr | char * -> “useradd mac –g wheel”]
[Step, 0x0040108c <main+60>: ret; $esp -> address of system(), which ret pops into eip]
[Step, now system() does its thing… 0x004010db <system+101>: ret; from system()’s point of view the fake retaddr is its return address and arg1, the char *, is its first argument]
[Step: now we land at the fake retaddr, and $esp points to arg1!]

Ret2libc limitations
[Stack diagram: local buffer | address of system() | next function() to call | char *; the next function’s frame overlaps system()’s stack frame, so it receives the same argument as we passed to system()!]

So we can only call one func…
• damn

Or can we…
• How can we string together multiple calls?
esp lifting with frame pointers
[Stack diagram, before: local buffer | saved EBP | saved EIP | args]
[Stack diagram, after overflow: local buffer | address of setuid() | address of pop-ret | setuid() arg | address of system() | 0xffffffff | system() arg; the pop in the pop-ret sequence lifts esp past setuid()’s argument]
[Step, 0x0040108c <main+60>: ret; $esp -> address of setuid()]
[Step, 0x0040108c <setuid+60>: ret; $esp -> address of pop-ret]
[Step, 0x100bc0c0: pop; $esp -> setuid() arg, which the pop discards]
[Step, 0x100bc0c0: ret; $esp -> address of system()]
[Step, in system(): $esp -> 0xffffffff; here system() will return into 0xffffffff]

Advancements…
• If using -fomit-frame-pointer
Dump of assembler code for function g:
0x00401130 <g+0>: sub $0x10,%esp
0x00401133 <g+3>: mov 0x14(%esp),%eax
0x00401137 <g+7>: mov %eax,0xc(%esp)
0x0040113b <g+11>: add $0x10,%esp
0x0040113e <g+14>: ret
esp lifting
[Stack diagram, before: local buffer | saved EBP | saved EIP | args]
[Stack diagram, after overflow: local buffer | address of setuid() | address of epilog | setuid() arg | PAD | PAD | address of system() | 0xffffffff | system() arg; args + pad = the stack adjustment made by the epilog’s add $0x10,%esp]

Frame Faking
[Stack diagram, before: local buffer | saved EBP | saved EIP | args]
[Stack diagram, after overflow: local buffer | fake ebp0 | addr of leave-ret | fake ebp1 | addr of setuid() | addr of leave-ret | arg to setuid() | fake ebp2 | addr of system() | addr of leave-ret | arg to system()]

ROP!
• Return oriented programming
  – logical extension of ret2libc
  – Can use chunks from anywhere
ROP!
[Stack diagram: the original frame (local buffer | saved EBP | saved EIP | args) after the overflow becomes smashed buffer | smashed ebp | then, in place of the return address and args, gadget addresses and data: pop %eax; ret with a syscall index, pop %esp; ret, two empty slots, lcall %gs:0x10(,0); ret]

What if …
pop %ebp
leave
ret

Defeating DEP
• Might be able to turn it off by jumping to
  – SetProcessDEPPolicy()
• Allocate some memory that’s executable
  – VirtualAlloc()
• Change permissions on already allocated memory
  – VirtualProtect()
• Write directly to already executable memory
  – WriteProcessMemory()

Whew..
• So wow, things look pretty bad right?
  – Welllllll….
  – What ways can we prevent these types of attacks?
Linux ASLR

ASLR
• 32-bit address space prevents serious randomization of ‘objects’
• Executables will have 255 possible load address locations, offset from the preferred image base
• The first DLL (NTDLL.DLL) will load in 1 of 256 possible locations, but the order in which the following DLLs are loaded will be randomized.
• Thread stacks start at a maximum offset of 7FC bytes from the stack base
• Process heap will start at a maximum offset of 2MB from the heap base.
Exploitation Timeline

Windows Security Mechanisms

Mac’s Conjecture
• To own, you must do one of the following:
  – (1) introduce/execute arbitrary code
  – (2) execute existing code out of original program order
  – (3) execute existing code in original program order with arbitrary data
Where’s the FEEB
• Instruction Set Randomization
[Diagram: encoded instruction stream -> (encoding key) -> CPU]

Take a closer look…

… Weeee
Via Punk Ode: Hiding Shellcode in Plain Sight, Greg MacManus
Assignment
• NIST-configured XP images
  – Federal Desktop Core Configuration
  – http://nvd.nist.gov/fdcc/
• Compiled webserver
  – Coded in C
  – In C:\project\httpd.exe
• RE/debugging tools already installed
• I (should) have DVDs to hand out

Assignment
• 2 ways to complete it
  – Figure out the secret (standard)
  – Own the process (advanced)
• Plural of bonus:
  – Don’t use my exploit.c
    • Find the vuln yourself, and own the httpd
  – Don’t crash the httpd