Chalmers University of Technology Language-based Security Internet Explorer Exploit Christian O. Andersson Jonas Stiborg Andén.

Presentation transcript:

1 Chalmers University of Technology, Language-based Security
Internet Explorer Exploit
Christian O. Andersson, Jonas Stiborg Andén

2 What we wanted to do
”Real” attack on a ”real” program
–Internet Explorer is one of the most used programs in the world
Recent vulnerability
–works on current systems
–exploit a ”new” bug
Give us access to a remote machine

3 The Vulnerability
createTextRange()
–JavaScript method
–crashes when used on an HTML checkbox
Rated critical
Platform
–Internet Explorer 6.0
–Windows XP
–Service Pack 2

4 Where to start?
What did we know/have?
–the code that triggered the bug
–OllyDbg debugger for Windows binaries
What did we not know/have?
–no source code
–why it crashed

5 Debugger
Access violation when executing [3C0474C2]
Jumps from module mshtml to an unallocated address

6 Strategy
Flooding the heap with NOPs
–NOP slide
–similar to lab 2, but on the heap instead of the stack
Make a large global variable
–global variables are stored on the heap
Shellcode at the end of the NOP slide

7 Problems
Finding the heap in memory
–yes, this was actually a problem
–couldn’t see what we were doing at first

8 Problems
The heap had to be extremely large
–NOP slide ≈ 1 GB
–created on the fly
–first attempt: 10 minutes
–better algorithms: 65 seconds

9 Problems
One heap block couldn’t grow larger than 384 MB
–don’t know why
–solution: an array structure, where each element gets its own heap block

10 EIP owned
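The spray on slides 6 to 9 leaves a recognisable footprint: a large number of heap blocks that are almost entirely 0x90 NOP bytes and that all end in the same short payload. The following is an added, defender-side example (not code from the talk or its authors) of a heuristic that scans a list of memory blocks for exactly that pattern. The block contents, the thresholds (a 64-byte minimum sled, 80% sled coverage, at least three matching blocks) and the INT3 placeholder standing in for a payload are all constructed for the example.

```python
# Added example (not from the slides): a defender-side heuristic that looks for
# the memory signature of a NOP-slide heap spray -- many heap blocks that are
# mostly 0x90 bytes and all end in the same short tail.
from typing import Dict, List, Tuple

NOP = 0x90  # x86 single-byte NOP, the filler the talk describes


def find_sleds(block: bytes, min_len: int = 64) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of NOP bytes at least min_len long."""
    runs: List[Tuple[int, int]] = []
    i, n = 0, len(block)
    while i < n:
        if block[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and block[i] == NOP:
            i += 1
        if i - start >= min_len:
            runs.append((start, i - start))
    return runs


def sled_ratio(block: bytes, min_len: int = 64) -> float:
    """Fraction of the block covered by qualifying NOP runs (0.0 for empty input)."""
    if not block:
        return 0.0
    return sum(length for _, length in find_sleds(block, min_len)) / len(block)


def spray_suspects(blocks: List[bytes], ratio_threshold: float = 0.8,
                   min_blocks: int = 3) -> Dict[bytes, List[int]]:
    """Group mostly-NOP blocks by the bytes that follow their last sled.

    A spray puts the same payload at the end of every slide, so a tail shared by
    several blocks is the signal. Returns {tail: [block indices]} for every tail
    seen in at least min_blocks blocks.
    """
    tails: Dict[bytes, List[int]] = {}
    for idx, block in enumerate(blocks):
        sleds = find_sleds(block)
        if not sleds or sled_ratio(block) < ratio_threshold:
            continue
        last_off, last_len = sleds[-1]
        tail = block[last_off + last_len:]
        if tail:  # a block that ends in NOPs carries nothing to compare
            tails.setdefault(tail, []).append(idx)
    return {tail: ids for tail, ids in tails.items() if len(ids) >= min_blocks}


# Constructed sample memory: one ordinary block (every byte value, so no long NOP
# run) followed by four sprayed blocks. The tail is a placeholder of INT3 bytes,
# standing in for whatever payload a real spray would carry.
ORDINARY_BLOCK = bytes(range(256)) * 4
PLACEHOLDER_PAYLOAD = b"\xcc" * 16
SPRAYED_BLOCK = b"\x90" * 1000 + PLACEHOLDER_PAYLOAD
SAMPLE_HEAP = [ORDINARY_BLOCK] + [SPRAYED_BLOCK] * 4


if __name__ == "__main__":
    for tail, ids in spray_suspects(SAMPLE_HEAP).items():
        print(f"spray suspect: {len(ids)} blocks share tail {tail.hex()} (blocks {ids})")
```

The minimum sled length matters: the one 0x90 byte that occurs naturally in `ORDINARY_BLOCK` is ignored, while the 1000-byte run in each sprayed block is reported with its offset, and the shared 16-byte tail is what ties the four blocks together. Slide 15's "polymorphism" improvement would defeat the tail comparison but not the sled-ratio part of the check, which is why both are combined.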

11 Shellcode
Requirements
–start Winsock
–listen on port 1337
–spawn a command shell and bind stdin/stdout to the socket
–attacker can then connect

12 Shellcode
Written in win32 assembly
Could not use static addresses
–had to fetch all APIs/DLLs dynamically, e.g. kernel32.dll, ws2_32.dll
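The shellcode on slides 11 and 12 makes the browser process itself accept an inbound TCP connection, which is something a browser never does legitimately. As an added example (not part of the talk), the script below cross-references `netstat -ano` with `tasklist` on a Windows XP host and reports any listening socket owned by a browser image. The command output embedded in it is constructed to mimic the real column layout, and the set of browser image names is an assumption to be adjusted per fleet.

```python
# Added example (not from the slides): cross-check `netstat -ano` with `tasklist`
# to find browser processes that own a listening socket, which is what a bound
# command shell inside the Internet Explorer process looks like from the host.
import re
from typing import Dict, List, Set, Tuple

# Assumed set of processes that have no business accepting inbound connections.
BROWSER_IMAGES: Set[str] = {"iexplore.exe", "firefox.exe"}


def parse_netstat(text: str) -> List[Tuple[str, int, str, int]]:
    """Parse the TCP rows of `netstat -ano` into (local_addr, local_port, state, pid)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, UDP rows (four columns) and blank lines
        local, state, pid = parts[1], parts[3], int(parts[4])
        addr, port = local.rsplit(":", 1)
        rows.append((addr, int(port), state, pid))
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output; header and separator rows are skipped."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line, re.IGNORECASE)
        if m:
            procs[int(m.group(2))] = m.group(1).lower()
    return procs


def browser_listeners(netstat_text: str, tasklist_text: str,
                      images: Set[str] = BROWSER_IMAGES) -> List[Tuple[str, int, int]]:
    """Return (image, pid, port) for every LISTENING socket owned by a browser image."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for _addr, port, state, pid in parse_netstat(netstat_text):
        image = procs.get(pid, "")
        if state == "LISTENING" and image in images:
            hits.append((image, pid, port))
    return sorted(hits)


# Constructed sample output in the layout of the two Windows XP commands.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.5:1040       203.0.113.7:80         ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    668
"""

SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process                0 Console                    0         28 K
svchost.exe                      912 Console                    0      5,120 K
iexplore.exe                    2044 Console                    0     45,332 K
"""


if __name__ == "__main__":
    for image, pid, port in browser_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{image} (pid {pid}) is listening on TCP port {port}")
```

On the sample data the only hit is `iexplore.exe` listening on port 1337; the browser's normal outbound web connection (ESTABLISHED to port 80) is not reported. Note that slide 15's "callback instead of listening" variant would not show up as LISTENING at all, so a complete check also reviews a browser's ESTABLISHED connections to unusual destination ports.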

13 Results

14 Current Limitations
JMP address must be less than 0x40000000
–not always the case in different versions of IE
Still very slow
–a normal user would probably kill IE after 1-2 minutes

15 Possible improvements
Efficiency
–SkyLined’s heap spraying algorithm
Shellcode
–escape the Internet Explorer process: write itself to disk and execute automatically on startup
–optimization: hashes instead of strings when fetching APIs/DLLs
–polymorphism (encryption), to hide from pattern scanners
–callback instead of listening, to bypass firewalls

16 Internet Explorer Exploit
Christian O. Andersson, Jonas Stiborg Andén
