Hostile Exploitation under

win32
Leveling the playing field

Steven Seeley
Associate consultant at stratsec

Overview

Disclaimer(s)

What is DEP?

What is ASLR?

DEP bypass techniques

- ROP : Return Oriented Programming

ASLR bypass techniques
Case study: AOL Desktop - ESI to stack pivot control
Case study: IE 7 Aurora Object pointer to stack pivot
control

Conclusions

References

Questions

Disclaimer(s)

My apologies in advance if I miss things, I

only have up to 20 minutes.
I didn't invent this stuff!
Sorry I didn't use vuln.c, I try to keep it
things practical.
DEP bypasses are not new! It was being
done even before MS officially introduced
DEP.

What is DEP?

NX & XD No eXecute/eXecute Disabled

First hit the MS scene in Windows XP SP2

We are at win7/2008 server now and most people

still OptOut of DEP for a lot of common third party
applications.
Two types, software and hardware enforced
A focus on hardware enabled DEP

The NX flag is set in the CPU (windows runs in

PAE mode by default now)
The parent process enables DEP by using a win32
API such as SetProcessDEPPolicy()

What is DEP?

Marks data areas of memory to be not executable such the

stack and heap
If an attempt is made to execute code, A
STATUS_ACCESS_VIOLATION 0xc0000005 will occur
4 ways to set DEP policy under win32
1) OptIn : Only a limited set of Windows system
modules/binaries are protected by DEP.
2) OptOut : All programs, processes, services on the
Windows system are protected, except for processes in
the exception list.
3) AlwaysOn : All programs, processes, services, etc on
the Windows system are protected. No exceptions.
4) AlwaysOff : DEP is turned off.

What is ASLR?

Address Space Layout Randomization

Rebooting the OS leads to randomizing the
lower of the two most significant bytes in a
32bit address.
0x75??e4f6
We no longer can use a direct pointer such
as JMP ESP/POP POP RET unless we know
the base address, or can guess it.
Exploits often rely on pointers, heap
overflow write 4, stack overflow jmp esp etc.
Now these pointers will fail..

What is ASLR?

8 bits of entropy with 256 possible values

When running tests, approximately, only 32
different bytes actually used.

Wake up! This is where it

gets fun!

DEP bypass techniques

Using Return oriented programming, we can

return into Windows API.

VirtualAlloc()

HeapCreate(HEAP_CREATE_ENABLE_EXECUTABLE)

SetProcessDEPPolicy()

NtSetInformationProcess()

VirtualProtect() - update memory as executable

WriteProcessMemory() - copy payload into executable

memory. Technique: patch kernel32.dll itself
WinExec() - local payloads mostly (priv escalate), etc

We can reallocate, create or directly change

the permissions of a given page of memory

DEP bypass techniques

Each API call requires a stack setup and call to the
function, once it is complete, it must return to our payload
or other controllable memory.

There is a known old school technique (circa 2005) for

returning to ntdll.dll at 0x7c91d3f8 under XP SP3
Before we do, we must set AL to 1, (the lower 16 bits of
EAX.)
After a few checks, the windows code practically gives us a
free dep bypass.

DEP bypass techniques

!findantidep shipped with Immunity v1.0

Set AL to 1, let ntdll setup our stack and call

ZWSetInformationProcess() and then return to a ptr (eg: jmp
esp) that finally parses control to our shellcode
Perfect, a generic way to bypass DEP without the /permanent
flag set!

but doesn't defeat enforced hardware DEP :(

DEP bypass techniques

New(er) school techniques to bypass hardware enforced
DEP with /noexecute=AlwaysOn

We can use special heap sprays (JIT, JAVA)

ROP Return Oriented Programming

Return to one of many windows API

ROP requires dynamic generation of ARG values

Changes/allocates/creates new memory as executable

As Saumil Shah said, ESP is the new EIP. If you pivot
control of ESP, then you will win.

DEP bypass techniques

So whats the problem?

ASLR, We don't know where the ROP gadgets are

stored at!
Reliability - different module versions have
different code.
Reliability - program state is important. Opening a
file dialog loads a lot more libraries.
Payload space anyone?
VET Vulnerability to Exploit Time is longer, might
take a few days instead of a few hours.

ROP Return Oriented Programming

Preventing the introduction of malicious code is not
enough to prevent the execution of malicious
computations - Dino A. Dai Zovi

Return chaining via gadgets, a single gadget will execute a

chain of instructions that will setup an argument value.
Uses borrowed sequences of instructions that RETN back to
the stack.
Vulnerabilities with heavy character restrictions will provide for a
very difficult exploitation experience.
Is simple in understanding and only becomes difficult if other
mitigation's are involved.
Example gadget?

ROP Return Oriented Programming

POP EAX
RETN

POP 0xffffffff into EAX

ADD EAX,20
RETN

EAX is 0x0000001f

ADD EAX,20
RETN

EAX is 0x0000003f

XCHG EDX,EAX
ADD EDX, 1
RETN

Write into memory:

Reference EAX+4 to point to attacker
controlled value (0x00000040)

The secret to ROP

is to keep it
simple!

EDX is 0x1001678f
EAX is 0x0000003f
EAX is becomes 0x1001678f
EDX is becomes 0x00000040

MOV DWORD PTR DS:[EAX+4], EDX

RETN

ROP Return Oriented Programming

Many instructions can be used to pivot control back to the
stack.
Structured Exception handler based:

ADD ESP, XXX; RETN

POP R32, POP R32, POP ESP; RETN, etc

Direct RETN overwrite:

Anything almost, as long as it RETN's back to the stack.

Object pointer to EIP control

Overwrite the vtable pointer with a pointer to our shellcode.

Make a virtual function call and trigger vulnerability.
Pivot control from EAX to ESP. MOV ESP, EAX; RETN ?

ASLR bypass techniques

Bruteforce the base address if the parent process creates

child processes. Example: PHP Dev 6.0 str_transliterate()
Buffer overflow exploit.
Leak a pointer from the stack, re-base it, calculate offset.
Example: Blaze DVD .plf file buffer overflow exploit. (This is
dependent on application state)
Memory address disclosure (memory leak)
Maybe pointer inferences such as Action Script dictionary
leak.

JIT spray with interpreted xor instructions (patched and

dead for now).
One or two byte overwrite
.NET user control loading using <object> (blocked from
internet zone now)

ASLR bypass techniques

Remember, even if your application only has one module

that is not ASLR compliment, then you don't really have
ASLR.
Load 3rd party DLL:
- JRE ? jp2ssv.dll
- Adobe Shockwave ? dirapi.dll

.NET Framework v2 is default on Windows 7

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorie.
dll is without ASLR.

IAT Import Array Table (intermodular calls) eg: wireshark

aslr/dep bypass in msf.

Case study: AOL Desktop

AOL Desktop .rtx file overflow

Almost typical stack overflow, nice and easy with full EIP control

Case study: AOL Desktop

AOL Desktop .rtx file overflow

Controlled memory

Load EAX with a pointer to our shellcode

Case study: AOL Desktop

AOL Desktop .rtx file overflow

Valid memory written at EAX so that

we don't fail here

Given this, can anyone

tell me where we are
returning too in memory?

Swap ESI for ESP, taking full control of the stack

Case study: AOL Desktop

AOL Desktop .rtx file overflow
Just to clarify, this is how
the stack may look like,
pointers everywhere.

Note: The hardcoded

VirtualProtect() call, if we
were to bypass ASLR, this
would have to be generated
dynamically

Case study: AOL Desktop

AOL Desktop .rtx file overflow

The arguments to virtualProtect()

all setup on the stack.

Arguments in registers, ready for

the final pushad; retn

After the call to virtualprotect(),

we will be returning this address
here (nop sled)

Case study: AOL Desktop

AOL Desktop .rtx file overflow
Profit

Case study: IE 7 Aurora

Internet Explorer 7 - use after free memory corruption (CVE-2010-0249)

Inject your shellcode, load an object, delete that object, re-allocate the
objects memory, call a virtual function of the object -----> kthanxbye

ESI contains a pointer to which we control the value of and ECX is reading in a
pointer from that vtable (which is currently just D's). Then, the deference occurs
and because the D's are unreadable ie, not a valid memory address there is an
access violation when trying to read 44444444.

Case study: IE 7 Aurora

Internet Explorer 7 - use after free memory corruption (CVE-2010-0249)

An object which implements polymorphism (such as our free object) will

contain a virtual function table (vtable) pointer as the first member of
the object. We need to change this address to point to a new table
containing the address of our rop stub at table offset 0x34'

Base address
of the pointer
we are going to
use
We would set
EAX to
61616161, which
would later be
changed to a
pointer to the
ROP stub eg:
0x039f01b4

Case study: IE 7 Aurora

Internet Explorer 7 - use after free memory corruption (CVE-2010-0249)

What we would do is set the value to a reliable known offset (0x01b4)

after a decent spray has occured. So simply, we will set EAX to the same
value as ECX so that a call EAX+34 lands in our ROP stub.

Where are the 0x61's coming from? Heap spray?

Case study: IE 7 Aurora

Internet Explorer 7 - use after free memory corruption (CVE-2010-0249)

Lets spray a ROP stub and call a pivot to gain control of ESP.
Our ROP stub,
ready to
execute from
the stack

Final call :-)

Case study: IE 7 Aurora

Internet Explorer 7 - use after free memory corruption (CVE-2010-0249)

Profit

Conclusion: Are we safe?

DEP and ASLR together are a powerful mix, one

compliments the other.
You will see less and less public practical
exploitation against win7/server 2008 as both
mechanisms are on by default.
The 0day techniques to bypass these mitigation's
are worth more than 0days themselves. These will
be kept private for sure.

Conclusions: Are we safe?

Both the mitigation's are on by default and

will stop a fair amount of exploitation, but
not all.
Specific analysis on individual
platforms/applications will need to be
conducted to determine the exploitability
and impact.
This process will become expensive, so
clients will miss out?
Oh boy and I haven't even talked about
Protected mode or EMET.

Thanks !
tecr0c, wireghoul, corelanc0d3r, sud0, chap0, muts,
Lincoln, _sinn3r, jduck
To all the people who understand that exploitation is a way
of life and have contributed to my understanding some
how in this field:
Pratt, Moore, Sintsov, Dai Zovi, Anisimov, Xiaobo, Jun,
Aharoni, Memelli, Miller, @WTFUZZ
Probably ALOT more, my apologies to anyone I have
missed !
Special thanks to the Ruxmon team and Chris Spencer.

References

http://www.uninformed.org/?v=2&a=4&t=txt

http://www.exploit-db.com/exploits/12189/

http://www.breakingpointsystems.com/community/blog/ie-vulnerability/

http://www.insomniasec.com/publications/DEPinDepth.ppt

http://www.dsecrg.com/files/pub/pdf/Confidence2010+ROP+and+JIT-Spray.pdf

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7InternetExplorer8.pdf

Questions ?