Hostel Exploitation
win32
Leveling the playing field
Steven Seeley
Associate consultant at stratsec
Overview
Disclaimer(s)
What is DEP?
What is ASLR?
Conclusions
References
Questions
Disclaimer(s)
What is DEP?
What is ASLR?
VirtualAlloc()
HeapCreate(HEAP_CREATE_ENABLE_EXECUTABLE)
SetProcessDEPPolicy()
NtSetInformationProcess()
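The four calls above only matter once the target process allows its DEP policy to change or lacks the ASLR opt-in, so the first defensive triage step is to read the linker's DllCharacteristics flags out of the PE optional header. The following is an added example written for this page, not code from the talk; it parses those flags and builds a constructed (non-loadable) header purely so it can run offline. The flag constants are the documented IMAGE_DLLCHARACTERISTICS_* values; `make_minimal_pe` and `missing_mitigations` are helper names chosen here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLLCHAR_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with the full address space
DLLCHAR_DYNAMIC_BASE = 0x0040      # module opts in to ASLR (relocatable image base)
DLLCHAR_NX_COMPAT = 0x0100         # module opts in to DEP (NX)
DLLCHAR_NO_SEH = 0x0400
DLLCHAR_GUARD_CF = 0x4000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Parse a PE image held in memory and report which DllCharacteristics
    mitigation flags the linker set. Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20  # the optional header follows the 20-byte COFF header
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+: PE32 has a
    # 4-byte BaseOfData that PE32+ lacks, but PE32+ has an 8-byte ImageBase.
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep_nx_compat": bool(dllchars & DLLCHAR_NX_COMPAT),
        "aslr_dynamic_base": bool(dllchars & DLLCHAR_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchars & DLLCHAR_HIGH_ENTROPY_VA),
        "no_seh": bool(dllchars & DLLCHAR_NO_SEH),
        "guard_cf": bool(dllchars & DLLCHAR_GUARD_CF),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the two mitigations this talk is about that the image did not opt into."""
    flags = pe_mitigations(data)
    wanted = [("dep_nx_compat", "DEP/NX"), ("aslr_dynamic_base", "ASLR")]
    return [name for key, name in wanted if not flags[key]]


def make_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test input: the smallest header layout pe_mitigations() needs.
    It is not a loadable image, only enough bytes to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)  # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample images: one linked with /NXCOMPAT /DYNAMICBASE, one legacy.
    for label, image in (("hardened", make_minimal_pe(DLLCHAR_NX_COMPAT | DLLCHAR_DYNAMIC_BASE)),
                         ("legacy", make_minimal_pe(0))):
        print(label, pe_mitigations(image), "missing:", missing_mitigations(image))
```

To audit a real module, pass `open(path, "rb").read()` to `pe_mitigations`; a module reporting `"dep_nx_compat": False` in a 32-bit process is exactly the case where the DEP-policy APIs listed above become relevant, and a module without `aslr_dynamic_base` is loaded at a predictable base regardless of the system ASLR setting.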
ADD EAX,20
RETN
EAX is 0x0000001f
ADD EAX,20
RETN
EAX is 0x0000003f
XCHG EDX,EAX
ADD EDX, 1
RETN
EDX is 0x1001678f
EAX is 0x0000003f
EAX becomes 0x1001678f
EDX becomes 0x00000040
Almost typical stack overflow, nice and easy with full EIP control
Controlled memory
Inject your shellcode, load an object, delete that object, re-allocate the object's memory, call a virtual function of the object -----> kthanxbye
ESI contains a pointer whose value we control, and ECX is reading a pointer from that vtable (which is currently just D's). Then the dereference occurs, and because the D's are unreadable, i.e. not a valid memory address, there is an access violation when trying to read 44444444.
Base address of the pointer we are going to use.
We would set EAX to 61616161, which would later be changed to a pointer to the ROP stub, e.g. 0x039f01b4.
Let's spray a ROP stub and call a pivot to gain control of ESP.
Our ROP stub, ready to execute from the stack.
Profit
Thanks !
tecr0c, wireghoul, corelanc0d3r, sud0, chap0, muts,
Lincoln, _sinn3r, jduck
To all the people who understand that exploitation is a way of life and have contributed somehow to my understanding in this field:
Pratt, Moore, Sintsov, Dai Zovi, Anisimov, Xiaobo, Jun, Aharoni, Memelli, Miller, @WTFUZZ
Probably a lot more; my apologies to anyone I have missed!
Special thanks to the Ruxmon team and Chris Spencer.
References
http://www.uninformed.org/?v=2&a=4&t=txt
http://www.exploit-db.com/exploits/12189/
http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
http://www.insomniasec.com/publications/DEPinDepth.ppt
http://www.dsecrg.com/files/pub/pdf/Confidence2010+ROP+and+JIT-Spray.pdf
http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7InternetExplorer8.pdf
Questions ?