Chalmers University of Technology Language-based Security Internet Explorer Exploit Christian O. Andersson Jonas Stiborg Andén.

What we wanted to do
– "Real" attack on a "real" program
  – Internet Explorer is one of the most used programs in the world
– Recent vulnerability
  – works on current systems
  – exploits a "new" bug
– Gives us access to a remote machine

The Vulnerability
– createTextRange()
  – JavaScript method
  – crashes when used on an HTML checkbox
– Rated critical
– Platform
  – Internet Explorer 6.0
  – Windows XP
  – Service Pack 2

Where to start?
– What did we know/have?
  – the code that triggered the bug
  – OllyDbg debugger for Windows binaries
– What did we not know/have?
  – no source code
  – why it crashed

Debugger
– Access violation when executing [3C0474C2]
– Jumps from module mshtml to an unallocated address

Strategy
– Flood the heap with NOPs
  – NOP slide
  – similar to lab 2, but heap instead of stack
– Make a large global variable
  – global variables are stored on the heap
– Shellcode at the end of the NOP slide

Problems
– Finding the heap in memory
  – yes, this was actually a problem
  – couldn't see what we were doing at first

Problems
– The heap had to be extremely large
  – NOP slide ≈ 1 GB
  – created on the fly
  – first attempt: 10 minutes
  – better algorithms: 65 seconds

Problems
– One heap block couldn't grow larger than 384 MB
  – don't know why
  – solution: array structure, each element gets its own heap block
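The heap-filling approach described on the Strategy and Problems slides has a recognisable static footprint in the page that carries it: a long unescape()'d string made almost entirely of the x86 NOP byte, a loop that doubles that string until it reaches a target length, and an array that is filled with many copies so that each element becomes its own heap block. The following detector is an added example written for this page, not code from the presentation or its authors; it scores script text on exactly those features and estimates how much memory the script would try to commit. Both sample pages are constructed here, and the payload name PAYLOAD_PLACEHOLDER is a stand-in, not real shellcode.

```python
import re

# Constructed sample inputs (not from the presentation): a benign page that uses
# unescape() for an ordinary string, and a page that builds a large NOP-filled
# heap the way the Strategy/Problems slides describe.
BENIGN_PAGE = """
<script>
var greeting = unescape("%u0048%u0069");  // "Hi"
document.getElementById("out").innerText = greeting;
</script>
"""

SUSPICIOUS_PAGE = """
<script>
var slide = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
while (slide.length < 0x40000) { slide = slide + slide; }
var blocks = new Array();
for (var i = 0; i < 300; i++) { blocks[i] = slide + PAYLOAD_PLACEHOLDER; }
document.getElementById("cb").createTextRange();
</script>
"""

# unescape("...") whose argument is made only of %uXXXX units
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"\s*\)')
# while (s.length < N) s = s + s;   or   s += s;  (string self-doubling)
DOUBLING_RE = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\{?\s*\1\s*(?:\+=|=\s*\1\s*\+)\s*\1')
# for (...) arr[i] = ...   (filling an array with many blocks)
ARRAY_FILL_RE = re.compile(r'for\s*\([^)]*\)\s*\{?\s*(\w+)\[\w+\]\s*=')


def nop_ratio(encoded: str) -> float:
    """Fraction of %uXXXX units in which both bytes are 0x90 (the x86 NOP)."""
    units = re.findall(r'%u([0-9a-fA-F]{4})', encoded)
    if not units:
        return 0.0
    nops = sum(1 for u in units if u.lower() == "9090")
    return nops / len(units)


def heap_spray_indicators(page: str) -> dict:
    """Individual heuristic hits for one page's script text."""
    nop_strings = [m.group(1) for m in UNESCAPE_RE.finditer(page)
                   if nop_ratio(m.group(1)) >= 0.9]
    return {
        "nop_unescape": len(nop_strings) > 0,
        "self_doubling_loop": DOUBLING_RE.search(page) is not None,
        "array_of_blocks": ARRAY_FILL_RE.search(page) is not None,
        "createTextRange": "createTextRange(" in page,
    }


def heap_spray_score(page: str) -> int:
    """Number of indicators that fired (0..4)."""
    return sum(1 for hit in heap_spray_indicators(page).values() if hit)


def is_suspicious(page: str) -> bool:
    """Three or more indicators together are a strong spray signal; any single
    one (e.g. createTextRange alone) is normal web content."""
    return heap_spray_score(page) >= 3


def estimated_spray_bytes(page: str) -> int:
    """Rough upper bound of the memory the script tries to fill: the doubling
    loop's target length (JS strings are UTF-16, 2 bytes per char) times the
    number of array blocks. Returns 0 if either pattern is absent."""
    target = re.search(r'\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)', page)
    count = re.search(r'for\s*\([^;]*;\s*\w+\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*;', page)
    if not (target and count):
        return 0
    chars = int(target.group(1), 0)
    blocks = int(count.group(1), 0)
    return 2 * chars * blocks


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(name, heap_spray_indicators(page),
              "score", heap_spray_score(page),
              "est. bytes", estimated_spray_bytes(page))
```

The size estimate is what ties the detector back to the slides: the constructed sample would try to commit about 150 MB, and a page aiming at the roughly 1 GB slide the authors needed stands out even more clearly, which is also why the 384 MB per-block limit forced them into an array of blocks rather than one giant string.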

EIP owned

Shellcode
– Requirements
  – start WinSock
  – listen on port 1337
  – spawn a command shell and bind its stdin/stdout to the socket
  – attacker can then connect

Shellcode
– Written in Win32 assembly
– Could not use static addresses
  – had to fetch all APIs/DLLs dynamically, e.g. kernel32.dll, ws2_32.dll

Results

Current Limitations
– JMP address must be less than 0x
  – not always the case in different versions of IE
– Still very slow
  – a normal user would probably kill IE after 1-2 minutes

Possible improvements
– Efficiency
  – SkyLined's heap spraying algorithm
– Shellcode
  – escape the Internet Explorer process: write itself to disk and execute automatically on startup
  – optimization: hashes instead of strings when fetching APIs/DLLs
  – polymorphism (encryption), to hide from pattern scanners
  – callback instead of listening, to bypass firewalls
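Both shellcode behaviours on these slides, the bind shell that listens on port 1337 (Shellcode slide) and the proposed callback that connects out to bypass firewalls, leave the same kind of host-level trace: a browser process owning a socket a browser has no business owning. The check below is an added example for this page, not code from the presentation; it parses netstat -ano style output, joins it with a PID-to-image map, and flags a browser that is listening, that has an active session on a port it listens on, or that holds an established connection to a non-web port. The netstat text, the process map, and the sets BROWSER_PROCESSES and WEB_PORTS are constructed assumptions, not captured data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy: which images are browsers, and which remote ports a browser
# is expected to talk to. Tune per environment.
BROWSER_PROCESSES = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
WEB_PORTS = {80, 443, 8080}

# Constructed sample of `netstat -ano`-style output (Windows column order:
# Proto, Local Address, Foreign Address, State, PID). Not captured from a host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:1337      192.168.1.55:49211     ESTABLISHED     2044
  TCP    192.168.1.10:49180     93.184.216.34:443      ESTABLISHED     2044
  TCP    192.168.1.10:49202     198.51.100.7:4444      ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    1120
"""

# Constructed PID -> image name map (what `tasklist` would provide).
PROCESS_SAMPLE: Dict[int, str] = {
    876: "svchost.exe", 2044: "iexplore.exe", 3120: "iexplore.exe", 1120: "lsass.exe"}


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]
    state: str
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Parse TCP (5 columns) and UDP (4 columns, no state) rows; skip headers."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed row
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        sockets.append(Socket(proto, lip, int(lport), rip,
                              int(rport) if rport.isdigit() else None,
                              state, int(pid)))
    return sockets


def find_shell_indicators(sockets: List[Socket], processes: Dict[int, str]) -> List[str]:
    """Flag browser-owned sockets that match the bind-shell or callback pattern.
    netstat does not record connection direction, so an ESTABLISHED row whose
    local port is one the same PID listens on is treated as an inbound session."""
    listening = {(s.pid, s.local_port) for s in sockets
                 if s.proto == "TCP" and s.state == "LISTENING"}
    findings: List[str] = []
    for s in sockets:
        image = processes.get(s.pid, "?").lower()
        if image not in BROWSER_PROCESSES:
            continue
        if s.proto == "TCP" and s.state == "LISTENING":
            findings.append(f"bind-shell indicator: {image} (pid {s.pid}) "
                            f"listening on {s.local_ip}:{s.local_port}")
        elif s.state == "ESTABLISHED" and (s.pid, s.local_port) in listening:
            findings.append(f"active session on listening port: {image} (pid {s.pid}) "
                            f"{s.local_port} <- {s.remote_ip}:{s.remote_port}")
        elif s.state == "ESTABLISHED" and s.remote_port not in WEB_PORTS:
            findings.append(f"callback indicator: {image} (pid {s.pid}) "
                            f"connected to {s.remote_ip}:{s.remote_port}")
    return findings


def scan(netstat_text: str, processes: Dict[int, str]) -> List[str]:
    return find_shell_indicators(parse_netstat(netstat_text), processes)


if __name__ == "__main__":
    for finding in scan(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(finding)
```

The browser's ordinary HTTPS connection (port 443) is not reported, while the listening socket, the session accepted on it, and the outbound connection to port 4444 are. A callback to port 80 or 443 would slip past this check, which is exactly the point the slide makes about firewalls; catching that needs proxy or TLS-inspection telemetry rather than a socket table.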
