Presentation is loading. Please wait.

Presentation is loading. Please wait.

Use After Free Defcon Russia # 14 21 Feb. 2012

Published bySheryl Cox Modified over 9 years ago

Similar presentations

Presentation on theme: "Use After Free Defcon Russia # 14 21 Feb. 2012"— Presentation transcript:

1 Use After Free Defcon Russia # 14 21 Feb. 2012 by @asintsov

2 Agenda Use-After-Free Heap Spray Address leak ASLR => calc.exe

3 Excluded Shellcode dev. Heap Spray Metasploit (btw, there is workshop by Rick!) Sandboxing Advanced techniques by N. Tarakanov 8) Browser’s vulns

4 Environment Target ? IE8 x32 IE9 Windows 7 Tools ? Immunity Debugger mona.py notepad  http://immunityinc.com/products-immdbg.shtml http://immunityinc.com/products-immdbg.shtml  http://redmine.corelan.be/projects/mona/repository/raw/trunk/1.8/mona.py http://redmine.corelan.be/projects/mona/repository/raw/trunk/1.8/mona.py

5 Evolution Year Difficult Stolen from Dino Dai Zovi 1990200520001995 2010 Finding vulns. Expolit development

6 Hey! Ho! Let’s go!

7 theory.getShellcode(); Assembler instructions Program Shell 8-) EIP ---------> Asm Code that doing something bad

8 theory.getHeap(); -Process Memory -Modules -Vuln. module. -System modules -Heap pages - Nop sled - Shellcode 0x0c0c0c0c

9 theory.getHeap(‘IE9’); Array of strings (substring()…)… 0061 0061 0061 0061 00 Header(0x10)

10 ASLR / ROP /GS /safeSEH

11 theory.getUAF()[0]; -Process Memory -Modules -Object with pointer -System modules -Heap pages Object *obj = (Object *)malloc(sizeof(Object)); obj->callMethod(); free(obj); HeapSpray(0x0c0c0c0c); obj->callMethod(); CALL 0x0C0C0C0C

12 theory.getUAF()[1]; - Some objects -Object with pointer -Attacker’s blocks 1) Free(); 2) Spray(); SIZE MATTERS

13 workshop.getUAF(); 1.\part2\bin\uaf.bat 2.\part2\exercises\Fig1\demo.htm Full armored: ALSR/DEP/GS/SEH/SEHOP Useless ROP Task 8: Find UAF -------------------------------------------------------------------------------- vulnPlugin2.InitRed(31337,0x31333331); var a = vulnPlugin2.CallRed(); alert(a); //a=31337 vulnPlugin2.FreeRed(); vulnPlugin2.InitGreen(666,0x31333331); var b = vulnPlugin2.CallRed(); alert(b); //b= ??? Task 9: Rewrite object by using InitString(); --------------------------------------------------------------------------------

14 theory.getLeak()[0]; - Data -Pointer Obj1, Freed… Obj2, same size… Obj2.ReadData() ---- ???

15 theory.getLeak()[1]; - Data -Pointer Obj1, Freed… Obj2, same size… Obj1.ReadData() ---- ??? Task 10: Get leak by using InitOther(); --------------------------------------------------------------------------------

16 workshop.exploitUAF(); Task 11: \part2\exercises\Fig2\final.htm Exploit Leak! Build ROP by leaked address Make pwning ESP (stack pivot) ESP -> HeapSpray -> ROP Make heap executable Run shellcode!

17 delete workshop; twitter.com/asintsov alexey.sintsov@nokia.com www.defcon-russia.ru www.zeronights.ru

Download ppt "Use After Free Defcon Russia # 14 21 Feb. 2012"

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.

Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.
Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.

Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks

Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.

Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights 2014 13st of November 2014.

The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights st of November 2014.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Bromium Confidential. CVE-2012-4969 IE CMshtmlEd UAF.

Bromium Confidential. CVE IE CMshtmlEd UAF.
Chalmers University of Technology Language-based Security Internet Explorer Exploit Christian O. Andersson Jonas Stiborg Andén.

Chalmers University of Technology Language-based Security Internet Explorer Exploit Christian O. Andersson Jonas Stiborg Andén.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Defeating public exploit protections (EMET v5.2 and more)

Defeating public exploit protections (EMET v5.2 and more)

Similar presentations

Ads by Google