Use After Free Defcon Russia # 14 21 Feb. 2012

Slides:

Advertisements

Similar presentations

Smashing the Stack for Fun and Profit

Advertisements

Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.

Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Nozzle: A Defense Against Heap-spraying Code Injection Attacks

Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights st of November 2014.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

Bromium Confidential. CVE IE CMshtmlEd UAF.

Chalmers University of Technology Language-based Security Internet Explorer Exploit Christian O. Andersson Jonas Stiborg Andén.

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Defeating public exploit protections (EMET v5.2 and more)

Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Finding Malware on a Web Scale

2012/02/07 1 John Wilander, Mariam Kamkar Linkopings Universitet Nick Nikiforakis, Yves Younan, Wouter Joosen Katholieke Universiteit Leuven.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

MIS Week 2 Site:

Computer Security 2014 – Ymir Vigfusson Some slides borrowed from David Brumley’s lectures at CMU, and Vitaly Shmatikov’s CS380S.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Mitigation of Buffer Overflow Attacks

Strategic Security, Inc. © Exploit Development For Mere Mortals Part 4: Windows Stack Overflows Presented By: Joe McCray

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

Yu Ding, Tao Wei, TieLei Wang Peking University Zhenkai Liang National University of Singapore Wei Zou Peking University 26 th ACSAC (December, 2010)

Chapter 7 Pointers: Java does not have pointers. Used for dynamic memory allocation.

Amit Malik SecurityXploded Research Group FireEye Labs.

CSCI Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.

Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.

Shellcode Development -Femi Oloyede -Pallavi Murudkar.

Introduction to Information Security ROP – Recitation 5.

CNIT 127: Exploit Development Ch 8: Windows Overflows Part 2.

Nozzle: A Defense Against Heap Spraying Attacks

EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)

CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.

JMU GenCyber Boot Camp Summer, “Canned” Exploits For many known vulnerabilities attackers do not have to write their own exploit code Many repositories.

Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.

1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.

By: Chuqing He. Android Overview - Purchased by Google in First Android Phone was sold in Oct Linux-based - Holds 75% of the worldwide.

So Johnny wants to learn exploits…. What is this?  I have spent thousands of hours on advanced exploitation and have taught this series of classes before.

Exploiting & Defense Day 1 Recap

Introduction to Information Security

Shellcode COSC 480 Presentation Alison Buben.

Buffer Overflows ...or How I Learned to Never Trust the User

Mitigation against Buffer Overflow Attacks

Return Oriented Programming

Exploiting and Defense

Introduction to Information Security

CSC 495/583 Topics of Software Security Stack Overflows (2)

CSC 495/583 Topics of Software Security Return-oriented programming

CMSC 414 Computer and Network Security Lecture 21

Trust Boundary Vulnerability Exploitation State of the Exploit

CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst

Week 2: Buffer Overflow Part 2.

Destructor CSCE 121 J. Michael Moore.

Destructor CSCE 121.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.

Understanding and Preventing Buffer Overflow Attacks in Unix

Several Tips on Project 1

Run-time environments

Return-to-libc Attacks

Presentation transcript:

Use After Free Defcon Russia # Feb

Agenda Use-After-Free Heap Spray Address leak ASLR => calc.exe

Excluded Shellcode dev. Heap Spray Metasploit (btw, there is workshop by Rick!) Sandboxing Advanced techniques by N. Tarakanov 8) Browser’s vulns

Environment Target ? IE8 x32 IE9 Windows 7 Tools ? Immunity Debugger mona.py notepad  

Evolution Year Difficult Stolen from Dino Dai Zovi Finding vulns. Expolit development

Hey! Ho! Let’s go!

theory.getShellcode(); Assembler instructions Program Shell 8-) EIP > Asm Code that doing something bad

theory.getHeap(); -Process Memory -Modules -Vuln. module. -System modules -Heap pages - Nop sled - Shellcode 0x0c0c0c0c

theory.getHeap(‘IE9’); Array of strings (substring()…)… Header(0x10)

ASLR / ROP /GS /safeSEH

theory.getUAF()[0]; -Process Memory -Modules -Object with pointer -System modules -Heap pages Object *obj = (Object *)malloc(sizeof(Object)); obj->callMethod(); free(obj); HeapSpray(0x0c0c0c0c); obj->callMethod(); CALL 0x0C0C0C0C

theory.getUAF()[1]; - Some objects -Object with pointer -Attacker’s blocks 1) Free(); 2) Spray(); SIZE MATTERS

workshop.getUAF(); 1.\part2\bin\uaf.bat 2.\part2\exercises\Fig1\demo.htm Full armored: ALSR/DEP/GS/SEH/SEHOP Useless ROP Task 8: Find UAF vulnPlugin2.InitRed(31337,0x ); var a = vulnPlugin2.CallRed(); alert(a); //a=31337 vulnPlugin2.FreeRed(); vulnPlugin2.InitGreen(666,0x ); var b = vulnPlugin2.CallRed(); alert(b); //b= ??? Task 9: Rewrite object by using InitString();

theory.getLeak()[0]; - Data -Pointer Obj1, Freed… Obj2, same size… Obj2.ReadData() ---- ???

theory.getLeak()[1]; - Data -Pointer Obj1, Freed… Obj2, same size… Obj1.ReadData() ---- ??? Task 10: Get leak by using InitOther();

workshop.exploitUAF(); Task 11: \part2\exercises\Fig2\final.htm Exploit Leak! Build ROP by leaked address Make pwning ESP (stack pivot) ESP -> HeapSpray -> ROP Make heap executable Run shellcode!

delete workshop; twitter.com/asintsov