Exploitation 102


  • 8/3/2019 Exploitation 102

1/21

Exploitation 102

Alexander [email protected]

2/21

Overview

Exploiting stack overflows
Exploitation mitigations in depth (GS and SafeSEH)
Practical exploitation of Internet Explorer

3/21

Exploiting basic stack overflows

Part I

4/21

Exploiting stack overflows

Single-threaded applications with a static stack base address:

[Diagram: stack buffer overflow; the buffer is filled with a NOP sled followed by the shellcode, and the overwritten return address (retaddr) points back into the buffer]

5/21

Exploiting stack overflows

Multi-threaded applications, ntdll.dll loaded at a static base address:

[Diagram: the overflow from the buffer overwrites retaddr with the address of a jmp esp instruction in ntdll.dll, which lands in the shellcode placed after the return address on the stack]

6/21

Diving into Internet Explorer

7/21

Exploitation Mitigations

Part II

8/21

GS stack cookies

GS prevents the attacker from using an overwritten return address on the stack:

adds a stack cookie between the local variables and the return address
checks the cookie at the end of the function

9/21

GS stack cookies

[Diagram: buffer, cookie and retaddr on the stack; the overflow from the buffer overwrites the cookie on its way to retaddr, and the cookie is compared against the saved cookie]

10/21

Breaking GS

The function might use overwritten stack data before the cookie is checked:

Stack frame layout, lowest address first (the overflow advances down this list):
callee saved registers
copy of pointer and string buffer arguments
local variables
string buffers
exception handler record
gs cookie
saved frame pointer
return address
arguments
stack frame of the caller

11/21

Breaking GS

[Diagram: buffer, pointer variable, cookie and retaddr on the stack, with the pointer argument above; the overflow from the buffer (which holds the shellcode) overwrites the pointer variable, which the function uses before the cookie is compared against the saved cookie]

12/21

GS variable reordering

Prevents the attacker from overwriting other local variables or arguments:

string buffers go above other variables
arguments are copied below the local variables

source code:

    void vuln(char* arg)
    {
        char buf[100];
        int i;
        strcpy(buf, arg);   /* unbounded copy: the overflow source */
        ...
    }

standard stack frame, lowest address first: buf, i, return address, arg

stack frame with /GS, lowest address first: copy of arg, i, buf, stack cookie, return address, arg (unused)

13/21

GS variable reordering

[Diagram: stack frame with /GS, lowest address first: copies of arguments, non-buffer variables, buffer, cookie, retaddr, arguments (unused); the overflow from the buffer reaches the cookie (compared against the saved cookie) and retaddr, but not the variables and argument copies below the buffer. Pointer arguments are copied before the other variables.]

14/21

Breaking GS, round 2

Some functions still use overwritten stack data before the cookie is checked:

Stack frame layout, lowest address first (the overflow advances down this list):
callee saved registers
copy of pointer and string buffer arguments
local variables
string buffers
gs cookie
exception handler record
saved frame pointer
return address
some arguments
stack frame of the caller
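To make the frame layouts of slides 12 to 14 concrete, here is an added Python model that is not part of the deck: it lays out the slots of the example vuln() frame, simulates an over-long copy into buf, and reports which slots are reached, whether the GS check at the end of the function would catch it, and which corrupted slots the function uses before that check. The byte sizes of the cookie, saved frame pointer, SEH record and arguments are assumed for 32-bit x86.

```python
# Constructed frame models for void vuln(char* arg) { char buf[100]; int i; ... } from slide 12.
# Slots are listed lowest address first as (name, size in bytes, used_before_cookie_check);
# sizes for the cookie, frame pointer, SEH record and arguments assume 32-bit x86.
STANDARD_FRAME = [("buf", 100, True), ("i", 4, True),
                  ("return address", 4, False), ("arg", 4, True)]
GS_FRAME = [("copy of arg", 4, True), ("i", 4, True), ("buf", 100, True),
            ("stack cookie", 4, False), ("return address", 4, False), ("arg (unused)", 4, False)]
# Slide 14: a function that also registers an SEH record, which the dispatcher reads on an
# exception, i.e. before the cookie check in the epilogue ever runs.
GS_SEH_FRAME = [("copy of arg", 4, True), ("i", 4, True), ("buf", 100, True),
                ("stack cookie", 4, False), ("exception handler record", 8, True),
                ("saved frame pointer", 4, False), ("return address", 4, False),
                ("arg (unused)", 4, False)]

def overflow_effects(frame, length, src="buf"):
    """Simulate an unbounded copy of `length` bytes into slot `src`.
    Returns (clobbered, detected, silent): clobbered = other slots the write reaches,
    detected = the GS epilogue check would fire (cookie slot touched),
    silent = clobbered slots the function uses before that check, which GS cannot protect."""
    offsets, pos = {}, 0
    for name, size, _ in frame:
        offsets[name] = (pos, pos + size)
        pos += size
    start = offsets[src][0]
    end = start + length
    clobbered = [n for n, (lo, hi) in offsets.items() if n != src and lo < end and hi > start]
    used_early = {n: early for n, _, early in frame}
    silent = [n for n in clobbered if used_early[n]]
    return clobbered, "stack cookie" in clobbered, silent

def compare(length):
    """Side-by-side result of the same overflow against each layout."""
    return {name: overflow_effects(f, length) for name, f in
            (("standard", STANDARD_FRAME), ("/GS", GS_FRAME), ("/GS with SEH", GS_SEH_FRAME))}
```

Running compare(120) shows the three outcomes the slides argue: the standard frame loses i and arg without any detection, the reordered /GS frame only loses the cookie and what lies above it, and the SEH-registering frame still exposes its exception handler record before the cookie is ever checked.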

15/21

Structured Exception Handling

Pointers to exception handlers are stored in the stack frame of each function.

All exception handler records are linked in a linked list, with its head at fs:[0].

The exception handler dispatcher calls the first handler on the list.

16/21

Overwriting exception handlers

Windows SEH pointer overwrite followed by an access violation before the function returns:

[Diagram: the overflow from the buffer overwrites the SEH pointer with the address of a pop/pop/ret trampoline in ntdll.dll, which returns into the shellcode on the stack]

17/21

pop/pop/ret

When the exception handler is called, the third word on the stack points to the SEH record on the stack.

A sequence of two POP instructions and a RET instruction will return to our shellcode on the stack.

18/21

Bypassing GS with SEH

Triggering an exception will give us control of the program execution before the GS cookie check:

overwrite a pointer or counter variable
overflow to the top of the stack
application specific exceptions

SEH records on the stack are not protected by GS.

19/21

SafeSEH

Validates that each SEH handler is found in the SafeSEH table of the DLL.

Prevents the exploitation of overwritten SEH records.

20/21

Breaking SafeSEH

Requires that all DLLs in the process are compiled with the new /SafeSEH option.

A single non-compatible DLL is enough to bypass the protection.

Control flow modification is still possible.
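Slides 19 and 20 treat SafeSEH as a per-module property. As an added example that is not from the deck, the following Python reads that property out of a PE32 image (the SEHandlerTable and SEHandlerCount fields of IMAGE_LOAD_CONFIG_DIRECTORY, plus the NO_SEH DllCharacteristics flag) and applies a simplified model of the loader's handler check, so a defender can audit which loaded DLLs would accept an arbitrary handler address and needs rebuilding. The header offsets are the documented PE32 ones; build_pe() constructs a minimal fake image as sample input and is not a real DLL; the real check additionally inspects memory permissions, which this model leaves out.

```python
import struct

NO_SEH = 0x0400    # IMAGE_DLLCHARACTERISTICS_NO_SEH: the module declares it uses no SEH
LOAD_CONFIG = 10   # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG data directory index

def safeseh_info(data):
    """Return (no_seh_flag, handler_rvas) for a PE32 image; handler_rvas is None without a table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                         # e_lfanew
    opt = pe + 24                                                        # optional header
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0" or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image (SafeSEH tables exist only in 32-bit modules)")
    nsect, optsize = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    no_seh = bool(struct.unpack_from("<H", data, opt + 70)[0] & NO_SEH)  # DllCharacteristics
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sects = [struct.unpack_from("<III", data, opt + optsize + 40 * i + 12) for i in range(nsect)]
    def off(rva):  # RVA -> file offset via the section table (headers map 1:1)
        return next((ptr + rva - va for va, raw, ptr in sects if va <= rva < va + raw), rva)
    lc_rva, lc_size = (0, 0) if ndirs <= LOAD_CONFIG else struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG)
    if lc_rva == 0 or lc_size < 72:                                      # no usable load config
        return no_seh, None
    table_va, count = struct.unpack_from("<II", data, off(lc_rva) + 64)  # SEHandlerTable, SEHandlerCount
    if table_va == 0:
        return no_seh, None
    return no_seh, [struct.unpack_from("<I", data, off(table_va - image_base) + 4 * i)[0] for i in range(count)]

def handler_allowed(data, handler_rva):
    """Simplified SafeSEH rule: NO_SEH rejects all, a table allows only its entries, neither allows any address."""
    no_seh, table = safeseh_info(data)
    return False if no_seh else (True if table is None else handler_rva in table)

def build_pe(handlers=None, no_seh=False):  # constructed minimal PE32 used as sample input; not a real DLL
    img = bytearray(0x400)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                              # e_lfanew
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)                         # Machine i386, one section
    struct.pack_into("<H", img, 0x94, 0xE0)                              # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                              # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x10000000)                    # ImageBase
    struct.pack_into("<H", img, opt + 70, NO_SEH if no_seh else 0)       # DllCharacteristics
    struct.pack_into("<I", img, opt + 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<III", img, opt + 0xE0 + 12, 0x1000, 0x200, 0x200)  # section RVA 0x1000 -> offset 0x200
    if handlers is not None:
        struct.pack_into("<II", img, opt + 96 + 8 * LOAD_CONFIG, 0x1000, 72)  # load config at RVA 0x1000
        struct.pack_into("<I", img, 0x200, 72)                                  # load config Size
        struct.pack_into("<II", img, 0x200 + 64, 0x10000000 + 0x1100, len(handlers))
        for i, h in enumerate(handlers):
            struct.pack_into("<I", img, 0x300 + 4 * i, h)                       # sorted handler RVAs
    return bytes(img)
```

Feeding safeseh_info() the bytes of each module loaded in a process gives the inventory slide 20 talks about: any module that returns (False, None) is the one non-compatible DLL that undoes the protection for the whole process.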

21/21

SafeSEH: DLL without SafeSEH

If DEP is enabled:

find a DLL without a SafeSEH table
point the SEH handler to code in the DLL

We can use ActiveX to load third-party DLLs in Internet Explorer.