
How to catch a chameleon - Steven Seeley - Ruxcon 2012


  1. How to catch a chameleon. Steven Seeley, steven@immunityinc.com, @net__ninja. Steven Seeley – Ruxcon 2012
  2. C:\> whoami /all?
     ● mr_me
     ● Security Researcher @ Immunity Inc
     ● A member of Corelan Security Team
       ● ruby/python developer
       ● reverse engineering
       ● exploit developer
  3. Disclaimer(s): No zerodays were hurt during the making of this presentation. Sorry, but some Windows heap knowledge is assumed.
  4. Agenda
     ● What is heaper?
     ● Development motivators
     ● Meta data attack techniques
     ● Functional design
     ● Installation
     ● Using heaper
     ● Demo: analysing a heap overflow
     ● Limitations
     ● Future work
     ● Conclusion
  5. But first. An entomologist's lesson.
  6-7. Definition of a chameleon? Chameleon (n): A small slow-moving Old World lizard with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color.
  8. A chameleon's diet
  9. Similarities
     Chameleon                        Heap manager analysis
     Slow moving                      Slow evolution of security in heap managers*
     Protruding, rotating eyes        Symptoms of long debugging sessions
     Ability to change color rapidly  Ability to change its state rapidly
     Kills and eats bugs              Difficulty leads to disclosure, in hope of other researchers demonstrating exploitation
     * Some, such as implementations on mobile platforms, example: WebKit
  10. What is heaper?
      ● A multi-platform win32 heap analysis tool
      ● A plug-in for Immunity Debugger
      ● Developed in python using immlib/heaplib
      ● An offensive-focused tool:
        ● Visualize the heap layout
        ● Determine exploitable conditions using meta-data
        ● Find application specific heap primitives
        ● Find application specific function pointers
        ● Modify heap structures on the fly for simulation
  11. Development motivators
  12. Meta data attack techniques
      Technique                        Platform    Difficulty*  Reliability*  Supported
      Coalesce unlink()                NT 5.[0/1]  10%          100%          Yes
      VirtualAlloc block unlink()      NT 5.[0/1]  Unknown      Unknown       No
      Lookaside head overwrite         NT 5.2      50-60%       Unknown       Yes
      Freelist insert/search/relink    NT 5.2      Unknown      Unknown       Yes
      Bitmap flip                      NT 5.2      50-60%       Unknown       Yes
      Heap cache desynchronisation     NT 5.2      90%          Unknown       No
      Critical section unlink()        NT 5.2      50%          70%           No
      FreeEntryOverwrite               NT 6.[0/1]  50%          60%           Yes
      Segment Offset                   NT 6.[0/1]  50%          80%           Yes
      Depth De-sync                    NT 6.[0/1]  50%          70%           Yes
      UserBlocks Overwrite             NT 6.2      90%          40%           No
      Application data                 ANY         Unknown      Unknown       Yes
      * difficulty/reliability: estimated based on specific testing, will vary largely depending on context
  13. Functional design
      ● Object oriented design
      ● Easily extendable
      ● Chunk validation based on allocator ordering & categorization
      ● General heuristics check per allocator
  14. Functional design: chunk validation. Full unlink() macro validation!
  15. Functional design: chunk validation
      ● Let's say we have chunk 0x0026fee8 in FreeList[0].
      ● We know relative offsets:
        ● 0x0026fee8+0x0 is the size
        ● 0x0026fee8+0x2 is the previous chunk's size
        ● 0x0026fee8+0x4 is the cookie
        ● 0x0026fee8+0x8 is the Flink/Blink
      Therefore, we can validate the chunk based on its positioning and by reading memory.
  16-20. Functional design: chunk validation on ListHint[{0x7f,0x7ff}]
         -> Windows 7 LFH (size is encoded)
         -> Checks ListHint[0x7f] and ListHint[0x7ff]
  21-24. Functional design: chunk validation on ListHint[n]
         -> Windows 7 LFH (size is encoded)
         -> Checks ListHint[n]
  25-26. Functional design: chunk validation on FreeList[0]
         -> Windows 2000/XP FreeList[0]
         (second build) size, flink, blink pwned! Chunk overwrite!
  27-28. Functional design: chunk validation on FreeList[n]
         -> Windows 2000/XP FreeList[n]
         (second build) size, flink, blink pwned! Chunk overwrite!
  29. Functional design: graphing. We all know that little green men in the debugger can be hard to understand.
  30. Functional design: graphing. Visualize the heap.
  31. Functional design: easy to use
      ● Generates a specific menu based on the Windows version in use – no option to analyse the LFH if it doesn't exist
      ● Generates graphs for each bin size separately; generally, for exploitation, we target a specific bin size
      ● n-4 byte write simulation on function pointers, with the ability to restore the said function pointers
      ● The ability to modify a single BIT in the FreeListInUse struct
      ● update command for easily updating heaper
      ● config command to configure the output directory of logs and graphs
      ● Everything is logged in a new "heaper" window
  32. Installation
      ● Prerequisites:
        ● Immunity Debugger v1.85 and above
        ● Graphviz v2.28.0 and above - http://www.graphviz.org/
        ● Pyparsing - http://sourceforge.net/projects/pyparsing/
        ● PyDot - http://code.google.com/p/pydot/
      1. Install Immunity Debugger :->
      2. Add C:\Python27 to your path environment
      3. Run the Graphviz MSI packaged installer
      4. Navigate into your pydot and pyparsing directories and execute python setup.py install
      5. Copy heaper to the C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands directory
  33. Using heaper
  34. Usage and help menu: Run !heaper help <cmd> to learn about the cmd and its options
  35. Analyzing windows structs: Display the PEB structure
  36. Analyzing windows structs: Display the TEBs for the process (no struct) – No TEB struct, boo
  37. Analyzing windows structs: Analyze a _heap struct
  38. Analyzing the FreelistInUse bitmask
  39-40. Analyzing the FreelistInUse bitmask: bit flipping
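The two checks these slides describe for the NT 5.x allocator, the per-chunk validation from slides 15 and 25-28 (does the size fit the bin, and does the full unlink() condition flink->blink == entry and blink->flink == entry hold) and the FreeListInUse bitmap consistency check behind slides 31 and 38-40, as an added Python example. This is not heaper's code: the memory image, the chunk addresses, the FreeList[4] head location and the cookie byte are all constructed, and the header layout is the relative-offset layout from slide 15 with links pointing at a chunk's LIST_ENTRY at +0x8, as the XP heap does.

```python
"""Free-list chunk validation for the Windows 2000/XP (NT 5.x) heap.
Added example, not heaper's code; all addresses and bytes are constructed."""
import struct

BASE = 0x00260000            # constructed: start of the modelled heap region
mem = bytearray(0x1000)      # constructed: 4 KiB of "process memory" at BASE


def u16(addr):
    return struct.unpack_from("<H", mem, addr - BASE)[0]


def u32(addr):
    return struct.unpack_from("<I", mem, addr - BASE)[0]


def put16(addr, value):
    struct.pack_into("<H", mem, addr - BASE, value)


def put32(addr, value):
    struct.pack_into("<I", mem, addr - BASE, value)


def in_region(addr):
    """True if a LIST_ENTRY (8 bytes) at addr lies inside the modelled region."""
    return BASE <= addr <= BASE + len(mem) - 8


def write_chunk(addr, size_blocks, prev_blocks, flink, blink, cookie=0x5A):
    """Write a free chunk header using the slide 15 offsets: +0x0 size and
    +0x2 previous size (both in 8-byte blocks), +0x4 cookie, +0x8 Flink,
    +0xC Blink.  The flags byte at +0x5 is left 0, i.e. the busy bit is clear."""
    put16(addr + 0x0, size_blocks)
    put16(addr + 0x2, prev_blocks)
    mem[addr + 0x4 - BASE] = cookie
    mem[addr + 0x5 - BASE] = 0x00
    put32(addr + 0x8, flink)
    put32(addr + 0xC, blink)


def build_freelist(head, n, chunks):
    """Link chunks into the circular doubly linked FreeList[n] rooted at head.
    Links point at a chunk's LIST_ENTRY (chunk + 8), never at the header."""
    entries = [c + 8 for c in chunks]
    ring = [head] + entries
    for i, chunk in enumerate(chunks):
        prev_entry = ring[i]
        next_entry = ring[(i + 2) % len(ring)]
        write_chunk(chunk, n if n else 0x80, n, next_entry, prev_entry)
    put32(head, ring[1] if entries else head)        # head.Flink
    put32(head + 4, ring[-1] if entries else head)   # head.Blink


def validate_freelist(head, n, max_walk=64):
    """Walk FreeList[n] and return (chunk, reason) pairs for every failed check:
    size inconsistent with the bin (FreeList[n] holds n-block chunks, FreeList[0]
    holds 0x80 blocks and up), a link outside the region, or a failed
    unlink() check (flink->blink == entry and blink->flink == entry)."""
    findings = []
    entry = u32(head)
    steps = 0
    while entry != head and steps < max_walk:
        chunk = entry - 8
        size = u16(chunk)
        flink, blink = u32(entry), u32(entry + 4)
        size_ok = size >= 0x80 if n == 0 else size == n
        if not size_ok:
            findings.append((chunk, "size 0x%x does not fit FreeList[%d]" % (size, n)))
        if not (in_region(flink) and in_region(blink)):
            findings.append((chunk, "flink/blink point outside the heap region"))
            break                        # never dereference a wild pointer
        if u32(flink + 4) != entry or u32(blink) != entry:
            findings.append((chunk, "unlink() check failed: neighbours do not point back"))
        entry = flink
        steps += 1
    if steps >= max_walk:
        findings.append((None, "walk did not return to the list head: possible cycle"))
    return findings


def check_freelistinuse(bitmap, nonempty_bins):
    """FreeListInUse is a 128-bit bitmap (four little-endian ULONGs): bit n is
    set iff FreeList[n] holds a chunk.  Return the bins whose bit disagrees with
    the real list state, which is the 'Bitmap flip' condition from slide 12."""
    words = struct.unpack("<4I", bitmap)
    return [n for n in range(128)
            if ((words[n // 32] >> (n % 32)) & 1) != (1 if n in nonempty_bins else 0)]


HEAD4 = BASE + 0x178 + 8 * 4                           # constructed FreeList[4] head
CHUNKS = [BASE + 0x800, BASE + 0x840, BASE + 0x880]    # constructed free chunks


def scenario_clean():
    build_freelist(HEAD4, 4, CHUNKS)
    return validate_freelist(HEAD4, 4)


def scenario_overwritten():
    """Slide 28's case: an overflow out of the chunk before CHUNKS[1] spills
    0x41 bytes over its size, flink and blink."""
    build_freelist(HEAD4, 4, CHUNKS)
    off = CHUNKS[1] - BASE
    mem[off:off + 0x10] = b"A" * 0x10
    return validate_freelist(HEAD4, 4)


def scenario_bitmap():
    bitmap = bytearray(16)
    bitmap[0] |= 1 << 4          # bit 4 set: FreeList[4] is populated
    # FreeList[8] is populated too, but its bit was cleared: one flipped bit.
    return check_freelistinuse(bytes(bitmap), {4, 8})


if __name__ == "__main__":
    print("clean list     :", scenario_clean())
    print("overwritten    :", scenario_overwritten())
    print("bitmap mismatch:", scenario_bitmap())
```

The overwritten walk reports three findings: the chunk before the corrupted one fails the unlink() check because its successor's Blink no longer points back, and the corrupted chunk itself fails both the size check and the region check, at which point the walk stops rather than follow 0x41414141. That ordering matters for a debugger plug-in: the first symptom of an overwrite is usually seen on the neighbour, not on the chunk that was hit.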
  41. Dumping function pointers
      ● Finds function pointers regardless of whether they are writable or not
      ● Deprecated and will be removed in the next major release
  42-43. Finding writable pointers
      ● Similar to the dump function pointers routine, but executes the action across the whole module
      ● This can be executed against all modules
      ● As the name states, only writable function pointers, to facilitate a write-4 condition
      ● Don't be fooled, it doesn't just dump the IAT
      ● It can find OS specific function pointers, making your exploit work despite the existence of application specific function pointers.
  44. Finding writable pointers: Use any of these to transfer code execution
  45-46. Analyzing the allocator state NT 5.x: Lookaside - chunk analysis
         ● Easy to understand layout
         ● Displays the cookie, chunk size, flink
         ● Notification of an overwrite using the first byte in the chunk header (size)
         ● If userdata == flink, possible exploitation
  47-48. Analyzing the allocator state NT 5.x: Lookaside with verbose mode (-v)
         ● Displays the _general_lookaside_list struct
         ● Displays the _slist_header struct
         ● Instantly determine if a list itself has been overwritten
         ● Much like dt _general_lookaside_list <addr> in windbg
  49. Analyzing the allocator state NT 5.x: Lookaside - graphing
  50-51. Analyzing the allocator state NT 5.x: Lookaside - vuln analysis
         ● Set a (Function pointer - 0x8) to equal the new Lookaside chunk address
  52. Analyzing the allocator state NT 5.x: FreeList - chunk analysis
  53. Analyzing the allocator state NT 5.x: FreeList with verbose mode (-v)
  54. Analyzing the allocator state NT 5.x: FreeList - graphing
  55-56. Analyzing the allocator state NT 5.x: FreeList - vuln analysis
  57-58. Analyzing the allocator state NT 6.x: LFH - UserBlocks analysis
  59. Analyzing the allocator state NT 6.x: LFH - UserBlocksCache analysis
      0:004> dt _USER_MEMORY_CACHE_ENTRY
      ntdll!_USER_MEMORY_CACHE_ENTRY
         +0x000 UserBlocks      : _SLIST_HEADER
         +0x008 AvailableBlocks : Uint4B
  60. Analyzing the allocator state NT 6.x: LFH - buckets
      0:004> dt _heap_bucket
      ntdll!_HEAP_BUCKET
         +0x000 BlockUnits  : Uint2B
         +0x002 SizeIndex   : Uchar
         +0x003 UseAffinity : Pos 0, 1 Bit
         +0x003 DebugFlags  : Pos 1, 2 Bits
  61. Analyzing the allocator state NT 6.x: LFH - graphing UserBlocks
  62-64. Analyzing the allocator state NT 6.x: LFH - vuln analysis
  65-66. Analyzing the allocator state NT 6.x: ListHint - analysis
  67-68. Analyzing the allocator state NT 6.x: FreeList - analysis
  69. Analyzing the allocator state NT 6.x: FreeList - graphing
  70-71. Analyzing the allocator state NT 6.x: FreeList/ListHint - vuln analysis
  72. Hooking the heap manager
  73. Hooking the heap manager: hard hooking
      ● HeapAlloc/HeapFree
      ● Can be extended for other heap functions
      ● Discover primitives
  74. Hooking the heap manager: soft hooking. Use only for testing; not designed to be used with large applications.
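What a HeapAlloc/HeapFree hook trace like the one slide 73 describes actually lets you check once it is captured, as an added Python example: which request sizes the application drives (the size classes a primitive search would care about), how often a freed address comes straight back, which allocations are still live at the end, and which frees the replay cannot account for (double free, free of an address never allocated, failed free). This is not heaper's code and heaper's hook window does not use this format; TRACE is a constructed log in the shape such a hook might print, and every address, size and flag value in it is made up.

```python
"""Offline replay of a HeapAlloc/HeapFree hook trace.
Added example, not heaper's code; the trace below is constructed."""
import re
from collections import Counter

TRACE = """\
HeapAlloc(heap=0x00150000, flags=0x00000008, size=0x00000040) = 0x00152f80
HeapAlloc(heap=0x00150000, flags=0x00000008, size=0x00000040) = 0x00152fc8
HeapAlloc(heap=0x00150000, flags=0x00000000, size=0x00000100) = 0x00153010
HeapFree(heap=0x00150000, flags=0x00000000, ptr=0x00152f80) = 1
HeapAlloc(heap=0x00150000, flags=0x00000008, size=0x00000040) = 0x00152f80
HeapFree(heap=0x00150000, flags=0x00000000, ptr=0x00152fc8) = 1
HeapFree(heap=0x00150000, flags=0x00000000, ptr=0x00152fc8) = 1
HeapFree(heap=0x00150000, flags=0x00000000, ptr=0x00157000) = 1
HeapFree(heap=0x00150000, flags=0x00000000, ptr=0x00153010) = 0
"""

# Line shapes are an assumption of this example, not a real hook's output.
ALLOC_RE = re.compile(
    r"HeapAlloc\(heap=0x([0-9a-f]+), flags=0x([0-9a-f]+), size=0x([0-9a-f]+)\) = 0x([0-9a-f]+)$")
FREE_RE = re.compile(
    r"HeapFree\(heap=0x([0-9a-f]+), flags=0x([0-9a-f]+), ptr=0x([0-9a-f]+)\) = (\d+)$")


def analyse_trace(text):
    """Replay the trace and return the request-size histogram, how often a freed
    address is handed out again (per size), the allocations still live at the end,
    and every free the replay cannot reconcile with an earlier allocation."""
    live = {}            # ptr -> size for allocations not yet freed
    freed = set()        # addresses freed and not yet reused
    sizes = Counter()
    reuse = Counter()
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALLOC_RE.match(line)
        if m:
            _heap, _flags, size, ptr = (int(x, 16) for x in m.groups())
            sizes[size] += 1
            if ptr in live:
                problems.append((lineno, "returned an address that is still live: 0x%08x" % ptr))
            if ptr in freed:
                reuse[size] += 1
                freed.discard(ptr)
            live[ptr] = size
            continue
        m = FREE_RE.match(line)
        if m:
            ptr = int(m.group(3), 16)
            if m.group(4) == "0":
                # The call failed, so the block is still owned by the caller.
                problems.append((lineno, "HeapFree failed for 0x%08x" % ptr))
                continue
            if ptr in live:
                del live[ptr]
                freed.add(ptr)
            elif ptr in freed:
                problems.append((lineno, "double free of 0x%08x" % ptr))
            else:
                problems.append((lineno, "free of an address never allocated: 0x%08x" % ptr))
            continue
        problems.append((lineno, "unparsed line: %r" % line))
    return {"sizes": dict(sizes), "reuse": dict(reuse), "live": live, "problems": problems}


if __name__ == "__main__":
    report = analyse_trace(TRACE)
    print("sizes requested:", {hex(s): c for s, c in report["sizes"].items()})
    print("freed -> reused:", {hex(s): c for s, c in report["reuse"].items()})
    print("still live     :", [hex(p) for p in report["live"]])
    for lineno, what in report["problems"]:
        print("line %d: %s" % (lineno, what))
```

On the constructed trace the histogram shows 0x40 as the size the application keeps cycling, the freed 0x40 block comes straight back on the next request of that size, and lines 7, 8 and 9 are flagged as a double free, a free of an unknown address, and a failed free respectively. A real hook would emit the same kinds of events from inside the debugger; the replay is the part that stays the same.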
  75. Patching: Patching - PEB
      ● A binary may be compiled in debug mode
      ● What if we are trying to execute a function pointer that assumes the process is not being debugged?
  76. Updating: Update to the latest version with ease. The update function just generates a git hash and compares digests. There is no version tracking yet.
  77. Configuring: Configure the home directory on where to store graphs and logs
  78-79. Detecting exploitable conditions
      ● Detecting exploitable conditions can be very difficult and prone to many false positives.
      ● If you overwrite a specific chunk, then just due to the amount of data you overwrote with, it may or may not be deemed exploitable
      ● Therefore, understanding the limitations of each of the conditions is required for accurate analysis.
  80-81. Detecting exploitable conditions: LFH – FreeEntryOffset Overwrite
  82. Detecting exploitable conditions: FreeList/ListHint – No technique suggestion*
      ● No techniques for exploitation against the FreeList/ListHint under Windows NT 6.x have been disclosed publicly so far.
  83-84. Detecting exploitable conditions: Lookaside – chunk overwrite
  85-86. Detecting exploitable conditions: FreeList[n] – Bitflip attack
  87. Demo - MS12-037
  88. Limitations
      ● Does not analyze LFH on XP
      ● Does not analyze LFH on Windows 8
      ● Supports only a limited number of meta-data attacks for now
      ● Does not log analysis findings external to the debugger
      ● Needs a decent heap search function
      ● Needs to support other heap implementations
  89. Future work
      ● Support LFH analysis on Windows 8
      ● Support other heap manager implementations (jemalloc)
      ● Support more meta-data attacks
      ● Perform log analysis
      ● Detect interesting application data on the heap
      ● Add a decent search function
      ● Improve the heuristics engine
  90. Conclusion
      ● Run-time analysis of the heap to detect meta-data attack conditions is complex
      ● Some form of solver may be more applicable to this type of analysis :->
      ● Whilst heaper is not Turing complete, it will solve many corner cases.
      ● Immunity will continue to be a leader in the development and application of heap exploitation techniques
  91. Thanks! You know who you are ;-)
  92. Code design/improvements/patches/ideas are very welcome :> steventhomasseeley@gmail.com
      For more information please execute:
      $ git clone https://github.com/mrmee/heaper.git
      $ wget -r http://net-ninja.net/
  93. MIAMI
