Debugging With Id

Using Immunity Debugger to Write Exploits ,[object Object],Dave Aitel, Nicolas Waisman [email_address] [email_address]

Who am I? ,[object Object],[object Object],[object Object],[object Object],[object Object]

Software vendors now understand the value of security ,[object Object],[object Object],[object Object]

Immunity Debugger is a strategic answer to defensive advances ,[object Object],[object Object],[object Object],[object Object]

But attackers have their own resources ,[object Object],[object Object],[object Object],[object Object]

Attackers will defeat the current generation of defensive technologies through profound and rapid tool innovation ,[object Object],[object Object],[object Object],[object Object]

Better interfaces save valuable time WinDBG-like commandline Pure-Python Graphing Usable GUI

Python integration offers useful analysis ,[object Object],[object Object],[object Object],[object Object]

Existing toolsets are also in Python ,[object Object],[object Object],[object Object],[object Object],[object Object]

Hackers already work in teams... ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Two examples of how Immunity Debugger changes assessment and exploitation ,[object Object],[object Object]

SQL Injection/File Include ,[object Object],[object Object],[object Object],[object Object],[object Object]

Heap overflows are dead, long live heap overflows ,[object Object],[object Object]

And so... heap protection has been introduced ,[object Object],[object Object],[object Object],[object Object]

XP SP2 makes our work hard ,[object Object],[object Object],blink = chunk ->blink flink = chunk ->flink if blink ->flink == flink ->blink and blink ->flink == chunk

and harder... ,[object Object],[object Object],Chunk been unlinked

XP SP2 ( and Vista) introduced more heap protections ,[object Object],[object Object],subsegment = chunk ->subsegmentcode subsegment ^= RtlpLFHKey subsegment ^= Heap subsegment ^= chunk >> 3

Vista heap algorithm changes make unlink() unlikely ,[object Object],[object Object],*(chunk) ^= HEAP->EncodingKey checksum = (char) *( chunk + 1) checksum ^= (char) *( chunk ) checksum ^= (char) *( chunk + 2) if checksum == chunk ->Checksum

Checksum makes it hard to predict and control the header ,[object Object],[object Object],0 1 2 3 Xor against HEAP->EncodingKey

Other protections in Vista are not heap specific ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

A lot of excellent work has been done to bypass heap protections ,[object Object],[object Object],[object Object]

We no longer use heap algorithms to get write4 primitives ,[object Object],[object Object],[object Object],[object Object]

We have been working on this methodology for years ,[object Object],[object Object],[object Object],[object Object]

Previous exploits already carefully crafted the heap ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

[object Object],[object Object],[object Object],[object Object],[object Object]

The heap, piece by piece ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

A quick look at the lookaside ,[object Object],0 1 2 3 4 5 8 bytes 8 bytes 24 bytes Note: 24 bytes is the total size. The actual data size is: 24 - 8 = 16 byes

A quick look at the FreeList data structure ,[object Object],0 1 2 3 24 bytes 24 bytes 4 n n*8 bytes 1600 bytes 2000 bytes 5 Where n < 128

Chunk coalescing: contiguous free chunks are joined to minimize fragmentation ptr Back_chunk PSize= *( ptr +2) Back_chunk = ptr - (PSize*8) if Back_chunk is not BUSY: unlink( Back_chunk )

Chunks are split into two chunks when necessary ,[object Object],[object Object]

The life-cycle of a heap overflow ,[object Object],[object Object],[object Object],[object Object],[object Object],} Might be the same

An alternate heap overflow lifecycle that requires emphasis on surviving with a broken heap ,[object Object],[object Object],[object Object],[object Object],[object Object]

Heaps do not all start in the same layout ,[object Object],[object Object],[object Object]

Heap Holes ,[object Object],Vulnerable(function) A = Allocate(0x300); B = Allocate(0x300); [...] Overwrite(A); fn_ptr = B[4]; fn_ptr(“hello world”); Chunk is part of the FreeList[97]

Heap Holes ,[object Object],Vulnerable(function) A = Allocate(0x300); B = Allocate(0x300); [...] Overwrite(A); fn_ptr = B[4]; fn_ptr(“hello world”);

Two types of memory leaks are used in heap exploitation ,[object Object],[object Object],[object Object],[object Object]

Several bad coding practises lead to hard memleaks ,[object Object],[object Object],[object Object],[object Object]

Soft memory leaks are almost as useful to exploit writers ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

We correct our heap layout with memory leaks ,[object Object],[object Object],[object Object],[object Object],} Both have the same objective: to allow us to have consecutive chunks

Heap Rule #1: Force and control the layout ,[object Object],Vulnerable(function) A = Allocate(0x300); B = Allocate(0x300); [...] Overwrite(A); fn_ptr = B[4]; fn_ptr(“hello world”);

[object Object],Vulnerable(function) A = Allocate(0x300); B = Allocate(0x300); [...] Overwrite(A); fn_ptr = B[4]; fn_ptr(“hello world”); Heap Rule #1: Force and control the layout Calculating size: 768 + 8 = 776 776/8 = entry 97

[object Object],Vulnerable(function) A = Allocate(0x300); B = Allocate(0x300); [...] Overwrite(A); fn_ptr = B[4]; fn_ptr(“hello world”); Heap Rule #1: Force and control the layout

Good exploits are the result of Intelligent Debugging ,[object Object],[object Object]

Immunity Debugger is the first debugger specifically for vulnerability development ,[object Object],[object Object],[object Object]

Immunity Debugger's specialized heap analysis tools ,[object Object],[object Object],[object Object],[object Object]

Immunity Debugger ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Searching the heap using Immlib ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Comparing a heap before and after you break it ,[object Object],[object Object],[object Object],[object Object],[object Object]

Heap Fingerprinting ,[object Object],[object Object]

Heap Fingerprinting ,[object Object],[object Object],[object Object],[object Object],[object Object]

Automated data type discovery using Immlib ,[object Object],[object Object],[object Object]

Immunity Debugger offers simple runtime analysis of heap data to find data types ,[object Object],[object Object],[object Object],[object Object]

Data Discovery ,[object Object],[object Object]

Data Discovery can be scripted easily ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Heap Fuzzing helps you discover a way to obtain the correct layout ,[object Object],[object Object]

Heap Fuzzing ,[object Object],[object Object],[object Object],[object Object]

Heap Fuzzing ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Inject Hook ,[object Object],[object Object],[object Object],[object Object]

Inject Hooks into the target process speeds things up ,[object Object],[object Object]

Inject Hook process VirtualAllocEx mapped mem

Inject Hook process InjectHooks mapped mem

Inject Hook process Redirect Function mapped mem RtlAllocateHeap RtlFreeHeap

Inject Hook process Run the program mapped mem RtlAllocateHeap RtlFreeHeap

Inject Hook process Inspect the result mapped mem

Inject Hook ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

The future ,[object Object],[object Object],[object Object]

Automating exploitation ,[object Object],[object Object],[object Object],[object Object]

Conclusions ,[object Object],[object Object],[object Object],[object Object]

Debugging With Id

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Debugging With Id

Similar to Debugging With Id (20)

Recently uploaded

Recently uploaded (20)

Debugging With Id