How to-catch-a-chameleon-steven seeley-ruxcon-2012

1. How to catch a chameleon Steven Seeley steven@immunityinc.com @net__ninja Steven Seeley – Ruxcon 2012

2. C:> whoami /all? ● mr_me ● Security Researcher @ Immunity Inc ● A member of Corelan Security Team ● ruby python developer ● reverse engineering ● exploit developer Steven Seeley – Ruxcon 2012

3. Disclaimer(s) No zerodays were hurt during the making of this presentation Sorry but some windows heap knowledge is assumed Steven Seeley – Ruxcon 2012

4. Agenda ● What is 'heaper' ? ● Development motivators ● Meta data attack techniques ● Functional design ● Installation ● Using heaper ● Demo analysing a heap overflow ● Limitations ● Future work ● Conclusion Steven Seeley – Ruxcon 2012

5. But first. An entomologist's lesson. Steven Seeley – Ruxcon 2012

6. Definition of a chameleon? Chameleon (n) A small slow-moving Old World lizard with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color Steven Seeley – Ruxcon 2012

7. Definition of a chameleon? Chameleon (n) A small slow-moving Old World lizard with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color Steven Seeley – Ruxcon 2012

8. A chameleon's diet Steven Seeley – Ruxcon 2012

9. Similarities Chameleon Heap manager analysis Slow moving Slow evolution of security in heap managers* Protruding, rotating eyes Symptoms of long debugging sessions Ability to change color Ability to change its state rapidly rapidly Kills and eats bugs Difficultly leads to disclosure, in hope of other researchers demonstrating exploitation * Some, such as implementations on mobile platforms, example: WebKit Steven Seeley – Ruxcon 2012

10. What is heaper? ● A multi platform win32 heap analysis tool ● A plug-in for Immunity Debugger ● Developed in python using immlib/heaplib ● An offensive focused tool: ● Visualize the heap layout ● Determine exploitable conditions using meta-data ● Find application specific heap primitives ● Find application specific function pointers ● Modify heap structures on the fly for simulation Steven Seeley – Ruxcon 2012

11. Development motivators Steven Seeley – Ruxcon 2012

12. Meta data attack techniques Technique Platform Difficulty* Reliability* Supported Coalesce unlink() NT 5.[0/1] 10% 100% Yes VirtualAlloc block unlink() NT 5.[0/1] Unknown Unknown No Lookaside head overwrite NT 5.2 50-60% Unknown Yes Freelist insert/search/relink NT 5.2 Unknown Unknown Yes Bitmap flip NT 5.2 50-60% Unknown Yes Heap cache desycronisation NT 5.2 90% Unknown No Critical section unlink() NT 5.2 50% 70% No FreeEntryOverwrite NT 6.[0/1] 50% 60% Yes Segment Offset NT 6.[0/1] 50% 80% Yes Depth De-sync NT 6.[0/1] 50% 70% Yes UserBlocks Overwrite NT 6.2 90% 40% No Application data ANY Unknown Unknown Yes difficulty/reliability* - estimated based specific testing, will vary largely depending on context Steven Seeley – Ruxcon 2012

13. Functional design ● Object oriented design ● Easily extend-able ● Chunk validation based on allocator ordering & categorization ● General heuristics check per allocator Steven Seeley – Ruxcon 2012

14. Functional design chunk validation: Full unlink() macro validation! Steven Seeley – Ruxcon 2012

15. Functional design chunk validation: ● Lets say we have chunk 0x0026fee8 in FreeList[0]. ● We know relative offsets: ● 0x0026fee8+0x0 is the size ● 0x0026fee8+0x2 is the previous chunks size ● 0x0026fee8+0x4 is the cookie ● 0x0026fee8+0x8 is the Flink/Blink Therefore, we can validate the chunk based on its positioning and by reading memory Steven Seeley – Ruxcon 2012

16. Functional design Chunk validation on ListHint[{0x7f,0x7ff}] -> Windows 7 LFH (size is encoded) -> Checks ListHint[0x7f] and ListHint[0x7ff] Steven Seeley – Ruxcon 2012

21. Functional design Chunk validation on ListHint[n]: -> Windows 7 LFH (size is encoded) -> Checks ListHint[n] Steven Seeley – Ruxcon 2012

25. Functional design Chunk validation on FreeList[0]: -> Windows 2000/XP FreeList[0] Steven Seeley – Ruxcon 2012

26. Functional design Chunk validation on FreeList[0]: -> Windows 2000/XP FreeList[0] size, flink, blink pwned! Chunk overwrite! Steven Seeley – Ruxcon 2012

27. Functional design Chunk validation on FreeList[n]: -> Windows 2000/XP FreeList[n] Steven Seeley – Ruxcon 2012

28. Functional design Chunk validation on FreeList[n]: -> Windows 2000/XP FreeList[n] size, flink, blink pwned! Chunk overwrite! Steven Seeley – Ruxcon 2012

29. Functional design Graphing: We all know that little green men in the debugger can be hard to understand Steven Seeley – Ruxcon 2012

30. Functional design Graphing: visualiz e the heap Steven Seeley – Ruxcon 2012

31. Functional design Easy to use: ● Generates a specific menu basic on windows version in use – no option to analyse the LFH if it doesn't exist ● Generates graphs for each bin size separately, generally for exploitation, we target a specific bin size ● n-4 byte write simulation on function pointers with the ability to restore the said function pointers ● The ability to modify a single BIT in the FreeListInUse struct ● 'update' command for easily updating heaper. ● 'config' command to configure the output directory of logs and graphs ● Everything is logged in a new “heaper” window Steven Seeley – Ruxcon 2012

32. Installation ● Prerequisites: ● Immunity Debugger v1.85 and above ● Graphviz v2.28.0 and above -http://www.graphviz.org/ ● Pyparsing - http://sourceforge.net/projects/pyparsing/ ● PyDot - http://code.google.com/p/pydot/ 1. Install Immunity Debugger :-> 2. Add 'c:python27' to your path environment 3. Run the Graphviz MSI packaged installer 4. Navigate into your pydot and pyparsing directories and execute 'python setup install' 4. Copy heaper to the 'C:Program FilesImmunity IncImmunity DebuggerPyCommands' directory Steven Seeley – Ruxcon 2012

33. Using heaper Steven Seeley – Ruxcon 2012

34. Usage and help menu Run '!heaper help <cmd>' to learn about the cmd and its options Steven Seeley – Ruxcon 2012

35. Analyzing windows structs Display the PEB structure Steven Seeley – Ruxcon 2012

36. Analyzing windows structs Display the TEB's for the process (no struct) – No TEB struct boo Steven Seeley – Ruxcon 2012

37. Analyzing windows structs Analyze a _heap struct Steven Seeley – Ruxcon 2012

38. Analyzing the FreelistInUse bitmask Steven Seeley – Ruxcon 2012

39. Analyzing the FreelistInUse bitmask Bit flipping Steven Seeley – Ruxcon 2012

40. Analyzing the FreelistInUse bitmask Bit flipping Steven Seeley – Ruxcon 2012

41. Dumping function pointers ● Finds function pointers despite if they are writable or not ● Depreciated and will be removed in the next major release Steven Seeley – Ruxcon 2012

42. Finding writable pointers Steven Seeley – Ruxcon 2012

43. Finding writable pointers ● Similar to the dump function pointers routine but executes the action across the whole module ● This can be executed against all modules ● As the name states, only writable function pointers to facilitate a write 4 condition ● Don't be fooled, it doesn't just dump the IAT ● It can find OS specific function pointers making your exploit work despite the existence of application specific function pointers. Steven Seeley – Ruxcon 2012

44. Finding writable pointers Use any of these to transfer code execution Steven Seeley – Ruxcon 2012

45. Analyzing the allocator state NT 5.x Lookaside - chunk analysis Steven Seeley – Ruxcon 2012

46. Analyzing the allocator state NT 5.x Lookaside - chunk analysis ● Easy to understand layout ● Displays the cookie, chunk size, flink ● Notification of an overwrite using the first byte in the chunk header (size) ● If userdata == flink, possible exploitation Steven Seeley – Ruxcon 2012

47. Analyzing the allocator state NT 5.x Lookaside with verbose mode (-v) Steven Seeley – Ruxcon 2012

48. Analyzing the allocator state NT 5.x Lookaside with verbose mode (-v) ● Displays the _general_lookaside_list struct ● Displays the _slist_header struct ● Instantly determine if a list itself has been overwritten ● Much like 'dt _general_lookaside_list <addr>' in windbg Steven Seeley – Ruxcon 2012

49. Analyzing the allocator state NT 5.x Lookaside - graphing Steven Seeley – Ruxcon 2012

50. Analyzing the allocator state NT 5.x Lookaside - vuln analysis ● ● Set a (Function pointer-0x8) to equal the new Lookaside chunk address Steven Seeley – Ruxcon 2012

51. Analyzing the allocator state NT 5.x Lookaside - vuln analysis Steven Seeley – Ruxcon 2012

52. Analyzing the allocator state NT 5.x FreeList - chunk analysis Steven Seeley – Ruxcon 2012

53. Analyzing the allocator state NT 5.x FreeList with verbose mode (-v) Steven Seeley – Ruxcon 2012

54. Analyzing the allocator state NT 5.x FreeList - graphing Steven Seeley – Ruxcon 2012

55. Analyzing the allocator state NT 5.x FreeList - vuln analysis Steven Seeley – Ruxcon 2012

56. Analyzing the allocator state NT 5.x FreeList - vuln analysis Steven Seeley – Ruxcon 2012

57. Analyzing the allocator state NT 6.x LFH - UserBlocks analysis Steven Seeley – Ruxcon 2012

58. Analyzing the allocator state NT 6.x LFH - UserBlocks analysis Steven Seeley – Ruxcon 2012

59. Analyzing the allocator state NT 6.x LFH - UserBlocksCache analysis 0:004> dt _USER_MEMORY_CACHE_ENTRY ntdll!_USER_MEMORY_CACHE_ENTRY +0x000 UserBlocks : _SLIST_HEADER +0x008 AvailableBlocks : Uint4B Steven Seeley – Ruxcon 2012

60. Analyzing the allocator state NT 6.x LFH - buckets 0:004> dt _heap_bucket ntdll!_HEAP_BUCKET +0x000 BlockUnits : Uint2B +0x002 SizeIndex : Uchar +0x003 UseAffinity : Pos 0, 1 Bit +0x003 DebugFlags : Pos 1, 2 Bits Steven Seeley – Ruxcon 2012

61. Analyzing the allocator state NT 6.x LFH - graphing UserBlocks Steven Seeley – Ruxcon 2012

62. Analyzing the allocator state NT 6.x LFH - vuln analysis Steven Seeley – Ruxcon 2012

65. Analyzing the allocator state NT 6.x ListHint - analysis Steven Seeley – Ruxcon 2012

66. Analyzing the allocator state NT 6.x ListHint - analysis Steven Seeley – Ruxcon 2012

67. Analyzing the allocator state NT 6.x FreeList - analysis Steven Seeley – Ruxcon 2012

68. Analyzing the allocator state NT 6.x FreeList - analysis Steven Seeley – Ruxcon 2012

69. Analyzing the allocator state NT 6.x FreeList - graphing Steven Seeley – Ruxcon 2012

70. Analyzing the allocator state NT 6.x FreeList/ListHint - vuln analysis Steven Seeley – Ruxcon 2012

71. Analyzing the allocator state NT 6.x FreeList/ListHint - vuln analysis Steven Seeley – Ruxcon 2012

72. Hooking the heap manager Steven Seeley – Ruxcon 2012

73. Hooking the heap manager Hard hooking ● HeapAlloc/HeapFree ● Can be extended for other heap functions ● Discover primitives Steven Seeley – Ruxcon 2012

74. Hooking the heap manager Soft hooking Use only for testing, not designed to be used with large applications Steven Seeley – Ruxcon 2012

75. Patching Patching - PEB ● A binary may be compiled in debug mode ● What if we are trying to execute a function pointer that assumes the process is not being debugged ? Steven Seeley – Ruxcon 2012

76. Updating Update to the latest version with ease The update function just generates a git hash and compares digests. There is no version tracking yet. Steven Seeley – Ruxcon 2012

77. Configuring Configure the home directory on where to store graphs and logs Steven Seeley – Ruxcon 2012

78. Detecting exploitable conditions Steven Seeley – Ruxcon 2012

79. Detecting exploitable conditions ● Detecting exploitable conditions can be very difficult and prone to many false positives. ● If you overwrite a specific chunk, then just due to the amount of data you overwrote with, it may/may not be deemed exploitable ● Therefore understanding the limitations of each of the conditions is required for accurate analysis. Steven Seeley – Ruxcon 2012

80. Detecting exploitable conditions LFH – FreeEntryOffset Overwrite Steven Seeley – Ruxcon 2012

81. Detecting exploitable conditions LFH – FreeEntryOffset Overwrite Steven Seeley – Ruxcon 2012

82. Detecting exploitable conditions FreeList/ListHint – No technique suggestion* ● No techniques for exploitation against the FreeList/ListHint under windows NT 6.x have been disclosed publicly so far. Steven Seeley – Ruxcon 2012

83. Detecting exploitable conditions Lookaside – chunk overwrite Steven Seeley – Ruxcon 2012

84. Detecting exploitable conditions Lookaside – chunk overwrite Steven Seeley – Ruxcon 2012

85. Detecting exploitable conditions FreeList[n] – Bitflip attack Steven Seeley – Ruxcon 2012

86. Detecting exploitable conditions FreeList[n] – Bitflip attack Steven Seeley – Ruxcon 2012

87. Demo - MS12-037 Steven Seeley – Ruxcon 2012

88. Limitations ● Does not analyze LFH on XP ● Does not analyze LFH on Windows 8 ● Supports only a limited number of meta-data attacks for now ● Does not log analysis findings external to the debugger ● Needs a decent heap search function ● Need to support other heap implementations Steven Seeley – Ruxcon 2012

89. Future work ● Support LFH analysis on Windows 8 ● Support other heap manager implementations (jemalloc) ● Support more meta-data attacks ● Perform log analysis ● Detect 'interesting' application data on the heap ● Add a decent search function ● Improve the heuristics engine Steven Seeley – Ruxcon 2012

90. Conclusion ● Run-time analysis of the heap to detect meta- data attack conditions is complex ● Some form of solver maybe more applicable to this type of analysis :-> ● Whilst heaper is not turing complete, it will solve many corner cases. ● Immunity will continue to be a leader in the development and application of heap exploitation techniques Steven Seeley – Ruxcon 2012

91. Thanks! You know who you are ;-) Steven Seeley – Ruxcon 2012

92. Code design/improvements/patches/ideas are very welcome :> steventhomasseeley@gmail.com For more information please execute: $ git clone https://github.com/mrmee/heaper.git $ wget -r http://net-ninja.net/ Steven Seeley – Ruxcon 2012

93. MIAMI Steven Seeley – Ruxcon 2012

How to-catch-a-chameleon-steven seeley-ruxcon-2012

Esté a ler uma amostra.

Confira estes a seguir

How to-catch-a-chameleon-steven seeley-ruxcon-2012

Mais Conteúdo rRelacionado

Quem viu também gostou (20)

Semelhante a How to-catch-a-chameleon-steven seeley-ruxcon-2012 (20)

Mais recentes (20)