Steven Seeley – Ruxcon 2012
C:\> whoami /all
● mr_me
● Security Researcher @ Immunity Inc
● A member of Corelan Security Team
● ruby/python developer
● reverse engineering
● exploit developer
Disclaimer(s)
No zerodays were hurt during the making of this presentation
Sorry, but some Windows heap knowledge is assumed
Agenda
● What is 'heaper'?
● Development motivators
● Meta data attack techniques
● Functional design
● Installation
● Using heaper
● Demo analysing a heap overflow
● Limitations
● Future work
● Conclusion
But first. An entomologist's lesson.
Definition of a chameleon?
Chameleon (n) A small slow-moving Old World lizard
with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color
A chameleon's diet
Similarities

Chameleon                       | Heap manager analysis
Slow moving                     | Slow evolution of security in heap managers*
Protruding, rotating eyes       | Symptoms of long debugging sessions
Ability to change color rapidly | Ability to change its state rapidly
Kills and eats bugs             | Difficulty leads to disclosure, in hope of other researchers demonstrating exploitation

* Some, such as implementations on mobile platforms, example: WebKit
What is heaper?
● A multi-platform win32 heap analysis tool
● A plug-in for Immunity Debugger
● Developed in python using immlib/heaplib
● An offensive-focused tool:
  ● Visualize the heap layout
  ● Determine exploitable conditions using meta-data
  ● Find application specific heap primitives
  ● Find application specific function pointers
  ● Modify heap structures on the fly for simulation
Development motivators
Meta data attack techniques

Technique                      | Platform   | Difficulty* | Reliability* | Supported
Coalesce unlink()              | NT 5.[0/1] | 10%         | 100%         | Yes
VirtualAlloc block unlink()    | NT 5.[0/1] | Unknown     | Unknown      | No
Lookaside head overwrite       | NT 5.2     | 50-60%      | Unknown      | Yes
Freelist insert/search/relink  | NT 5.2     | Unknown     | Unknown      | Yes
Bitmap flip                    | NT 5.2     | 50-60%      | Unknown      | Yes
Heap cache desynchronisation   | NT 5.2     | 90%         | Unknown      | No
Critical section unlink()      | NT 5.2     | 50%         | 70%          | No
FreeEntryOverwrite             | NT 6.[0/1] | 50%         | 60%          | Yes
Segment Offset                 | NT 6.[0/1] | 50%         | 80%          | Yes
Depth De-sync                  | NT 6.[0/1] | 50%         | 70%          | Yes
UserBlocks Overwrite           | NT 6.2     | 90%         | 40%          | No
Application data               | ANY        | Unknown     | Unknown      | Yes

* Difficulty/reliability are estimates based on specific testing and will vary largely depending on context
Functional design
● Object oriented design
● Easily extendable
● Chunk validation based on allocator ordering & categorization
● General heuristics check per allocator
Functional design
Chunk validation:
Full unlink() macro validation!
Functional design
Chunk validation:
● Let's say we have chunk 0x0026fee8 in FreeList[0].
● We know relative offsets:
  ● 0x0026fee8+0x0 is the size
  ● 0x0026fee8+0x2 is the previous chunk's size
  ● 0x0026fee8+0x4 is the cookie
  ● 0x0026fee8+0x8 is the Flink/Blink
Therefore, we can validate the chunk based on its positioning and by reading memory.
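The check described above, as an added example that is not heaper's own code: a Python model of an NT 5.x FreeList[0] chunk validated by position (the neighbour's PreviousSize must match this chunk's Size), by the header cookie, and by the XP SP2 safe-unlink test (Flink->Blink and Blink->Flink must both point back at the chunk's own LIST_ENTRY at +0x8), run over a constructed memory image before and after a header overwrite. The heap base, the FreeList[0] offset inside _HEAP and the cookie formula (addr >> 3) & 0xff are my assumptions.

```python
import struct

HEAP = 0x00250000          # constructed heap base (assumption)
FREELIST0 = HEAP + 0x178   # FreeList[0] LIST_ENTRY inside _HEAP (assumed XP offset)
BASE = 0x0026fee8          # the chunk address from the slide
# NT 5.x _HEAP_ENTRY: +0 Size, +2 PreviousSize (8-byte units), +4 cookie, +5 Flags,
# +6 UnusedBytes, +7 SegmentIndex; for a free chunk the LIST_ENTRY follows: +8 Flink, +0xc Blink
HDR = "<HHBBBBII"

class Memory:  # flat fake of one mapped region; out-of-range reads return None
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def write(self, addr, data):
        self.buf[addr - self.base:addr - self.base + len(data)] = data
    def read(self, addr, n):
        off = addr - self.base
        return bytes(self.buf[off:off + n]) if 0 <= off and off + n <= len(self.buf) else None
    def u32(self, addr):
        d = self.read(addr, 4)
        return None if d is None else struct.unpack("<I", d)[0]

def cookie_for(addr):
    return (addr >> 3) & 0xFF  # XP SP2 header cookie as I understand it (assumption)

def validate_chunk(mem, addr):  # validate a FreeList chunk by position and by reading memory
    hdr = mem.read(addr, 16)
    if hdr is None:
        return ["header unreadable"]
    size, _, cookie, _, _, _, flink, blink = struct.unpack(HDR, hdr)
    le, bad = addr + 8, []                     # this chunk's own LIST_ENTRY
    nxt = mem.read(addr + size * 8, 4)         # neighbour's Size/PreviousSize by position
    if size == 0 or nxt is None or struct.unpack("<HH", nxt)[1] != size:
        bad.append("size pwned")
    if cookie != cookie_for(addr):
        bad.append("cookie pwned")
    if mem.u32(flink + 4) != le:               # safe unlink: Flink->Blink == entry
        bad.append("flink pwned")
    if mem.u32(blink) != le:                   # safe unlink: Blink->Flink == entry
        bad.append("blink pwned")
    return bad                                 # [] means the chunk looks clean

def build_clean_heap():  # three constructed 0x80-byte free chunks linked into FreeList[0]
    m, chunks = Memory(HEAP, 0x21000), [BASE, BASE + 0x80, BASE + 0x100]
    les = [FREELIST0] + [c + 8 for c in chunks] + [FREELIST0]
    for i, c in enumerate(chunks):
        m.write(c, struct.pack(HDR, 0x10, 0x10, cookie_for(c), 0, 0, 0, les[i + 2], les[i]))
    m.write(FREELIST0, struct.pack("<II", les[1], les[3]))
    m.write(BASE + 0x180, struct.pack(HDR, 0x10, 0x10, cookie_for(BASE + 0x180), 1, 0, 0, 0, 0))
    return m
```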
Functional design
Chunk validation on ListHint[{0x7f,0x7ff}]:
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[0x7f] and ListHint[0x7ff]
Functional design
Chunk validation on ListHint[n]:
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[n]
Functional design
Chunk validation on FreeList[0]:
-> Windows 2000/XP FreeList[0]
size, flink, blink pwned! Chunk overwrite!
Functional design
Chunk validation on FreeList[n]:
-> Windows 2000/XP FreeList[n]
size, flink, blink pwned! Chunk overwrite!
Functional design
Graphing:
We all know that little green men in the debugger can be hard to understand
Functional design
Graphing:
visualize the heap
Functional design
Easy to use:
● Generates a specific menu based on the Windows version in use – no option to analyse the LFH if it doesn't exist
● Generates graphs for each bin size separately; for exploitation we generally target a specific bin size
● n-4 byte write simulation on function pointers, with the ability to restore the said function pointers
● The ability to modify a single BIT in the FreeListInUse struct
● 'update' command for easily updating heaper
● 'config' command to configure the output directory of logs and graphs
● Everything is logged in a new "heaper" window
Installation
● Prerequisites:
  ● Immunity Debugger v1.85 and above
  ● Graphviz v2.28.0 and above - http://www.graphviz.org/
  ● Pyparsing - http://sourceforge.net/projects/pyparsing/
  ● PyDot - http://code.google.com/p/pydot/
1. Install Immunity Debugger :->
2. Add 'c:\python27' to your path environment
3. Run the Graphviz MSI packaged installer
4. Navigate into your pydot and pyparsing directories and execute 'python setup.py install'
5. Copy heaper to the 'C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\' directory
Using heaper
Usage and help menu
Run '!heaper help <cmd>' to learn about the cmd and its options
Analyzing Windows structs
Display the PEB structure
Display the TEBs for the process (no struct) – No TEB struct boo
Analyze a _heap struct
Analyzing the FreeListInUse bitmask
Bit flipping
Dumping function pointers
● Finds function pointers regardless of whether they are writable or not
● Deprecated and will be removed in the next major release
Finding writable pointers
● Similar to the dump function pointers routine, but executes the action across the whole module
● This can be executed against all modules
● As the name states, only writable function pointers, to facilitate a write-4 condition
● Don't be fooled, it doesn't just dump the IAT
● It can find OS-specific function pointers, making your exploit work despite the existence of application-specific function pointers.
Finding writable pointers
Use any of these to transfer code execution
Analyzing the allocator state NT 5.x
Lookaside - chunk analysis
● Easy to understand layout
● Displays the cookie, chunk size, flink
● Notification of an overwrite using the first byte in the chunk header (size)
● If userdata == flink, possible exploitation
Analyzing the allocator state NT 5.x
Lookaside with verbose mode (-v)
● Displays the _general_lookaside_list struct
● Displays the _slist_header struct
● Instantly determine if a list itself has been overwritten
● Much like 'dt _general_lookaside_list <addr>' in windbg
Analyzing the allocator state NT 5.x
Lookaside - graphing
Analyzing the allocator state NT 5.x
Lookaside - vuln analysis
● Set a (Function pointer-0x8) to equal the new Lookaside chunk address
Analyzing the allocator state NT 5.x
FreeList - chunk analysis
FreeList with verbose mode (-v)
FreeList - graphing
FreeList - vuln analysis
Analyzing the allocator state NT 6.x
LFH - UserBlocks analysis
Analyzing the allocator state NT 6.x
LFH - UserBlocksCache analysis
0:004> dt _USER_MEMORY_CACHE_ENTRY
ntdll!_USER_MEMORY_CACHE_ENTRY
   +0x000 UserBlocks : _SLIST_HEADER
   +0x008 AvailableBlocks : Uint4B
Analyzing the allocator state NT 6.x
LFH - buckets
0:004> dt _heap_bucket
ntdll!_HEAP_BUCKET
   +0x000 BlockUnits : Uint2B
   +0x002 SizeIndex : Uchar
   +0x003 UseAffinity : Pos 0, 1 Bit
   +0x003 DebugFlags : Pos 1, 2 Bits
Analyzing the allocator state NT 6.x
LFH - graphing UserBlocks
Analyzing the allocator state NT 6.x
LFH - vuln analysis
Analyzing the allocator state NT 6.x
ListHint - analysis
Analyzing the allocator state NT 6.x
FreeList - analysis
Analyzing the allocator state NT 6.x
FreeList - graphing
Analyzing the allocator state NT 6.x
FreeList/ListHint - vuln analysis
Hooking the heap manager
Hooking the heap manager
Hard hooking
● HeapAlloc/HeapFree
● Can be extended for other heap functions
● Discover primitives
Hooking the heap manager
Soft hooking
Use only for testing, not designed to be used with large applications
Patching - PEB
● A binary may be compiled in debug mode
● What if we are trying to execute a function pointer that assumes the process is not being debugged?
Updating
Update to the latest version with ease
The update function just generates a git hash and compares digests. There is no version tracking yet.
Configuring
Configure the home directory on where to store graphs and logs
Detecting exploitable conditions
Detecting exploitable conditions
● Detecting exploitable conditions can be very difficult and prone to many false positives.
● If you overwrite a specific chunk, then just due to the amount of data you overwrote with, it may or may not be deemed exploitable
● Therefore understanding the limitations of each of the conditions is required for accurate analysis.
Detecting exploitable conditions
LFH – FreeEntryOffset Overwrite
Detecting exploitable conditions
FreeList/ListHint – No technique suggestion*
● No techniques for exploitation against the FreeList/ListHint under Windows NT 6.x have been disclosed publicly so far.
Detecting exploitable conditions
Lookaside – chunk overwrite
Detecting exploitable conditions
FreeList[n] – Bitflip attack
Demo - MS12-037
Limitations
● Does not analyze LFH on XP
● Does not analyze LFH on Windows 8
● Supports only a limited number of meta-data attacks for now
● Does not log analysis findings external to the debugger
● Needs a decent heap search function
● Needs to support other heap implementations
Future work
● Support LFH analysis on Windows 8
● Support other heap manager implementations (jemalloc)
● Support more meta-data attacks
● Perform log analysis
● Detect 'interesting' application data on the heap
● Add a decent search function
● Improve the heuristics engine
Conclusion
● Run-time analysis of the heap to detect meta-data attack conditions is complex
● Some form of solver may be more applicable to this type of analysis :->
● Whilst heaper is not Turing complete, it will solve many corner cases.
● Immunity will continue to be a leader in the development and application of heap exploitation techniques
Thanks!
You know who you are ;-)
Code design/improvements/patches/ideas are very welcome :>
[email protected]
For more information please execute:
$ git clone https://github.com/mrmee/heaper.git
$ wget -r http://net-ninja.net/
MIAMI