How to-catch-a-chameleon-steven seeley-ruxcon-2012
1. How to catch a
chameleon
Steven Seeley
steven@immunityinc.com
@net__ninja
Steven Seeley – Ruxcon 2012
2. C:> whoami /all?
●
mr_me
●
Security Researcher @ Immunity Inc
●
A member of Corelan Security Team
●
ruby python developer
●
reverse engineering
●
exploit developer
Steven Seeley – Ruxcon 2012
3. Disclaimer(s)
No zerodays were hurt during the
making of this presentation
Sorry but some windows heap
knowledge is assumed
Steven Seeley – Ruxcon 2012
4. Agenda
●
What is 'heaper' ?
●
Development motivators
●
Meta data attack techniques
●
Functional design
●
Installation
●
Using heaper
●
Demo analysing a heap overflow
●
Limitations
●
Future work
●
Conclusion
Steven Seeley – Ruxcon 2012
6. Definition of a chameleon?
Chameleon (n)
A small slow-moving Old World lizard
with a prehensile tail, long extensible
tongue, protruding eyes that rotate
independently, and a highly developed
ability to change color
Steven Seeley – Ruxcon 2012
7. Definition of a chameleon?
Chameleon (n)
A small slow-moving Old World lizard
with a prehensile tail, long extensible
tongue, protruding eyes that rotate
independently, and a highly developed
ability to change color
Steven Seeley – Ruxcon 2012
9. Similarities
Chameleon Heap manager analysis
Slow moving Slow evolution of security in heap managers*
Protruding, rotating eyes Symptoms of long debugging sessions
Ability to change color Ability to change its state rapidly
rapidly
Kills and eats bugs Difficultly leads to disclosure, in hope of
other researchers demonstrating exploitation
* Some, such as implementations on mobile platforms, example: WebKit
Steven Seeley – Ruxcon 2012
10. What is heaper?
●
A multi platform win32 heap analysis tool
●
A plug-in for Immunity Debugger
●
Developed in python using immlib/heaplib
●
An offensive focused tool:
●
Visualize the heap layout
●
Determine exploitable conditions using meta-data
●
Find application specific heap primitives
●
Find application specific function pointers
●
Modify heap structures on the fly for simulation
Steven Seeley – Ruxcon 2012
12. Meta data attack techniques
Technique Platform Difficulty* Reliability* Supported
Coalesce unlink() NT 5.[0/1] 10% 100% Yes
VirtualAlloc block unlink() NT 5.[0/1] Unknown Unknown No
Lookaside head overwrite NT 5.2 50-60% Unknown Yes
Freelist insert/search/relink NT 5.2 Unknown Unknown Yes
Bitmap flip NT 5.2 50-60% Unknown Yes
Heap cache desycronisation NT 5.2 90% Unknown No
Critical section unlink() NT 5.2 50% 70% No
FreeEntryOverwrite NT 6.[0/1] 50% 60% Yes
Segment Offset NT 6.[0/1] 50% 80% Yes
Depth De-sync NT 6.[0/1] 50% 70% Yes
UserBlocks Overwrite NT 6.2 90% 40% No
Application data ANY Unknown Unknown Yes
difficulty/reliability* - estimated based specific testing, will vary largely depending on context
Steven Seeley – Ruxcon 2012
13. Functional design
●
Object oriented design
●
Easily extend-able
●
Chunk validation based
on allocator ordering &
categorization
●
General heuristics
check per allocator
Steven Seeley – Ruxcon 2012
15. Functional design
chunk validation:
●
Lets say we have chunk 0x0026fee8 in FreeList[0].
●
We know relative offsets:
●
0x0026fee8+0x0 is the size
●
0x0026fee8+0x2 is the previous chunks size
●
0x0026fee8+0x4 is the cookie
●
0x0026fee8+0x8 is the Flink/Blink
Therefore, we can validate the chunk based on its
positioning and by reading memory
Steven Seeley – Ruxcon 2012
16. Functional design
Chunk validation on ListHint[{0x7f,0x7ff}]
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[0x7f] and ListHint[0x7ff]
Steven Seeley – Ruxcon 2012
17. Functional design
Chunk validation on ListHint[{0x7f,0x7ff}]
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[0x7f] and ListHint[0x7ff]
Steven Seeley – Ruxcon 2012
18. Functional design
Chunk validation on ListHint[{0x7f,0x7ff}]
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[0x7f] and ListHint[0x7ff]
Steven Seeley – Ruxcon 2012
19. Functional design
Chunk validation on ListHint[{0x7f,0x7ff}]
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[0x7f] and ListHint[0x7ff]
Steven Seeley – Ruxcon 2012
20. Functional design
Chunk validation on ListHint[{0x7f,0x7ff}]
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[0x7f] and ListHint[0x7ff]
Steven Seeley – Ruxcon 2012
31. Functional design
Easy to use:
●
Generates a specific menu basic on windows version in use – no
option to analyse the LFH if it doesn't exist
●
Generates graphs for each bin size separately, generally for
exploitation, we target a specific bin size
●
n-4 byte write simulation on function pointers with the ability to
restore the said function pointers
●
The ability to modify a single BIT in the FreeListInUse struct
●
'update' command for easily updating heaper.
●
'config' command to configure the output directory of logs and
graphs
●
Everything is logged in a new “heaper” window
Steven Seeley – Ruxcon 2012
32. Installation
●
Prerequisites:
●
Immunity Debugger v1.85 and above
●
Graphviz v2.28.0 and above -http://www.graphviz.org/
●
Pyparsing - http://sourceforge.net/projects/pyparsing/
●
PyDot - http://code.google.com/p/pydot/
1. Install Immunity Debugger :->
2. Add 'c:python27' to your path environment
3. Run the Graphviz MSI packaged installer
4. Navigate into your pydot and pyparsing directories and execute 'python
setup install'
4. Copy heaper to the 'C:Program FilesImmunity IncImmunity
DebuggerPyCommands' directory
Steven Seeley – Ruxcon 2012
41. Dumping function pointers
●
Finds function pointers despite if they are writable or not
●
Depreciated and will be removed in the next major release
Steven Seeley – Ruxcon 2012
43. Finding writable pointers
● Similar to the dump function pointers routine but
executes the action across the whole module
● This can be executed against all modules
● As the name states, only writable function pointers
to facilitate a write 4 condition
● Don't be fooled, it doesn't just dump the IAT
● It can find OS specific function pointers making
your exploit work despite the existence of
application specific function pointers.
Steven Seeley – Ruxcon 2012
46. Analyzing the allocator state NT 5.x
Lookaside - chunk analysis
● Easy to understand layout
● Displays the cookie, chunk size, flink
● Notification of an overwrite using the first
byte in the chunk header (size)
● If userdata == flink, possible exploitation
Steven Seeley – Ruxcon 2012
47. Analyzing the allocator state NT 5.x
Lookaside with verbose mode (-v)
Steven Seeley – Ruxcon 2012
48. Analyzing the allocator state NT 5.x
Lookaside with verbose mode (-v)
● Displays the _general_lookaside_list struct
● Displays the _slist_header struct
● Instantly determine if a list itself has been
overwritten
● Much like 'dt _general_lookaside_list
<addr>' in windbg
Steven Seeley – Ruxcon 2012
50. Analyzing the allocator state NT 5.x
Lookaside - vuln analysis
●
●
Set a (Function pointer-0x8) to equal the new Lookaside chunk address
Steven Seeley – Ruxcon 2012
73. Hooking the heap manager
Hard hooking
●
HeapAlloc/HeapFree
●
Can be extended
for other heap functions
●
Discover primitives
Steven Seeley – Ruxcon 2012
74. Hooking the heap manager
Soft hooking
Use only for testing, not designed to be used with large applications
Steven Seeley – Ruxcon 2012
75. Patching
Patching - PEB
●
A binary may be compiled in debug mode
●
What if we are trying to execute a function pointer that assumes the
process is not being debugged ?
Steven Seeley – Ruxcon 2012
76. Updating
Update to the latest version with ease
The update function just generates a git hash and compares digests. There
is no version tracking yet.
Steven Seeley – Ruxcon 2012
79. Detecting exploitable conditions
●
Detecting exploitable conditions can be very
difficult and prone to many false positives.
●
If you overwrite a specific chunk, then just due
to the amount of data you overwrote with, it
may/may not be deemed exploitable
●
Therefore understanding the limitations of
each of the conditions is required for accurate
analysis.
Steven Seeley – Ruxcon 2012
82. Detecting exploitable conditions
FreeList/ListHint – No technique suggestion*
● No techniques for exploitation against the FreeList/ListHint under windows
NT 6.x have been disclosed publicly so far.
Steven Seeley – Ruxcon 2012
88. Limitations
●
Does not analyze LFH on XP
●
Does not analyze LFH on Windows 8
●
Supports only a limited number of meta-data
attacks for now
●
Does not log analysis findings external to the
debugger
●
Needs a decent heap search function
●
Need to support other heap implementations
Steven Seeley – Ruxcon 2012
89. Future work
●
Support LFH analysis on Windows 8
●
Support other heap manager implementations
(jemalloc)
●
Support more meta-data attacks
●
Perform log analysis
●
Detect 'interesting' application data on the
heap
●
Add a decent search function
●
Improve the heuristics engine
Steven Seeley – Ruxcon 2012
90. Conclusion
●
Run-time analysis of the heap to detect meta-
data attack conditions is complex
●
Some form of solver maybe more applicable to
this type of analysis :->
●
Whilst heaper is not turing complete, it will
solve many corner cases.
●
Immunity will continue to be a leader in the
development and application of heap
exploitation techniques
Steven Seeley – Ruxcon 2012
92. Code design/improvements/patches/ideas
are very welcome :>
steventhomasseeley@gmail.com
For more information please execute:
$ git clone https://github.com/mrmee/heaper.git
$ wget -r http://net-ninja.net/
Steven Seeley – Ruxcon 2012