Trampoliner: Selecting return addresses in memory corruption exploits.

1
Trampoliner: Selecting return addresses in memory
corruption exploits.
2
Intro
  • Tom Keetch
  • Talk has changed a bit since it was first planned
  • Title's a bit out of date...
  • ...More of a Windows Exploit Development Tool /
    Fuzzing harness

3
Windows Executable Modules
  • Modules are the unit of executable content which
    are stored on disk
  • EXE
  • DLL
  • OCX
  • ...
  • Format is PE/COFF
  • Both on disk and in memory
  • Offsets into the file are RVAs (Relative Virtual
    Addresses)

4
Exploitation Prevention Schemes
5
Introducing Trampoliner... (1)
  • You've found a buffer overflow, now what?
  • GS means that the function knows you will get EIP
    on return and terminates...
  • SafeSEH means you can't overwrite the exception
    handler on the stack after the return address...
  • ASLR means you don't know where to jump even if
    you get EIP...
  • DEP means you can't execute code/data from the
    stack/heap.

6
Introducing Trampoliner... (2)
  • Trampoliner finds the gaps in these defences
  • Utilises PE/COFF headers in memory/on disk
  • Which defences are missing from which modules?
  • Finds executable trampolines in memory
  • Enumerates executable sections
  • Assembles short opcode sequences to search for

7
Trampolines
  • Trampolines are executable bytes in memory which
    transfer execution to memory pointed to by a
    register
  • REG -> EIP
  • Call EAX
  • Jmp EAX
  • Push EAX, Ret
  • ...
  • Registers may point into the stack/heap.
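
The two questions the previous slides pose, "which defences are missing from which modules?" and "where are the executable trampolines?", written out as an added Python example. This is not the Trampoliner tool's own code: it builds a constructed, non-loadable minimal PE32 image (the layout, the sample code bytes and the cookie/handler-table RVAs are this example's own), then reads DllCharacteristics for the ASLR and DEP opt-in bits, reads the load config directory for a GS security cookie and a SafeSEH handler table, and counts the talk's register trampolines in executable sections only. Field offsets follow the PE/COFF specification; the trampoline count is a byte-pattern heuristic, since the same bytes can occur inside longer instructions.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits and a section flag (PE/COFF spec values)
DYNAMIC_BASE = 0x0040          # image can be rebased: ASLR opt-in
NX_COMPAT = 0x0100             # image declares DEP compatibility
NO_SEH = 0x0400                # image contains no SEH handlers at all
SCN_MEM_EXECUTE = 0x20000000   # section is executable
LOAD_CONFIG_DIR = 10           # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG index

# Register-to-EIP trampolines named in the talk, as 32-bit x86 opcode bytes.
TRAMPOLINES = {"call eax": b"\xff\xd0", "jmp eax": b"\xff\xe0", "push eax; ret": b"\x50\xc3"}

# Constructed sample .text contents: a prologue, the three trampolines, a ret.
SAMPLE_CODE = b"\x55\x8b\xec" + b"\xff\xd0" + b"\x50\xc3" + b"\xff\xe0" + b"\xc3"


def build_sample_pe(dll_characteristics, gs=True, safeseh=True, code=SAMPLE_CODE):
    """Constructed minimal PE32 image (sample only, not loadable): .text at RVA 0x1000
    (file offset 0x200) and .rdata at RVA 0x2000 (offset 0x400) holding an
    IMAGE_LOAD_CONFIG_DIRECTORY32. RVAs 0x2100/0x2200 below are placeholders."""
    # Load config: SecurityCookie at +60, SEHandlerTable at +64, SEHandlerCount at +68.
    load_config = struct.pack("<I", 0x48).ljust(60, b"\0")
    load_config += struct.pack("<III", 0x2100 if gs else 0,
                               0x2200 if safeseh else 0, 3 if safeseh else 0)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)                                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                             # Magic: PE32
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)      # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, dll_characteristics)          # Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, 0x2000, 0x48)

    def section(name, rva, raw, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, flags)

    headers = dos + coff + bytes(opt) + section(b".text", 0x1000, 0x200, 0x60000020)
    headers += section(b".rdata", 0x2000, 0x400, 0x40000040)
    return headers.ljust(0x200, b"\0") + code.ljust(0x200, b"\0") + load_config.ljust(0x200, b"\0")


def parse_pe(data):
    """Read only what the audit needs: DllCharacteristics, the load-config directory,
    and the section table (PE32 / 32-bit images only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    lc_rva, lc_size = 0, 0
    if num_dirs > LOAD_CONFIG_DIR:
        lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_DIR)
    sections = []
    for i in range(num_sections):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize, "flags": flags})
    return {"dll_chars": dll_chars, "load_config": (lc_rva, lc_size), "sections": sections}


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (the 'on disk' view)."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
            return s["raw"] + (rva - s["rva"])
    raise ValueError("RVA %#x is not inside any section" % rva)


def audit(data):
    """Per-module view of GS, SafeSEH, DEP and ASLR plus trampoline counts in
    executable sections."""
    pe = parse_pe(data)
    dc = pe["dll_chars"]
    lc_rva, lc_size = pe["load_config"]
    cookie = seh_table = seh_count = 0
    if lc_rva and lc_size >= 0x48:
        off = rva_to_offset(pe["sections"], lc_rva)
        cookie, seh_table, seh_count = struct.unpack_from("<III", data, off + 60)
    trampolines = dict.fromkeys(TRAMPOLINES, 0)
    for s in pe["sections"]:
        if s["flags"] & SCN_MEM_EXECUTE:          # only executable bytes can be trampolines
            body = data[s["raw"]:s["raw"] + s["rawsize"]]
            for name, pattern in TRAMPOLINES.items():
                trampolines[name] += body.count(pattern)
    return {"aslr": bool(dc & DYNAMIC_BASE), "dep": bool(dc & NX_COMPAT),
            "gs": cookie != 0,
            "safeseh": bool(dc & NO_SEH) or (seh_table != 0 and seh_count != 0),
            "trampolines": trampolines}


def missing_mitigations(data):
    """Names of the defences this module lacks; one such module is enough to
    undermine the protection for the whole process."""
    r = audit(data)
    return [name for key, name in (("gs", "GS"), ("safeseh", "SafeSEH"),
                                   ("dep", "DEP"), ("aslr", "ASLR")) if not r[key]]
```

Running `missing_mitigations()` over every module loaded into a process gives the per-module gap list the talk describes; a module that reports both missing ASLR and a non-zero trampoline count is the one to fix first, because its code sits at a predictable address.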

8
Similar tools
  • Metasploit tool
  • Static return address finder
  • Doesn't take Memory Protections into account
  • Windows Opcode Database online
  • EEREAP
  • Dynamic tool
  • Emulation based
  • Doesn't take Memory Protections into account
  • 10x more trampolines -> Clustering!

9
Architecture
  • A debugger injects DLL into process
  • DLL Injection currently fails with some Vista
    processes
  • Maybe use AppInit_Dlls instead?
  • Everything done from within process VAS
  • Easy to add features quickly :)
  • Could use ReadProcessMemory()/WriteProcessMemory() instead.
  • TODO Add IPC to allow communication from outside
    process.

10
Demo
  • BTStackServer.exe
  • Continue Christer's theme of Bluetooth Software
  • WIDCOMM BT implementation for Windows
  • Problematic DLLs
  • NSI.dll Network Storage Interface
  • PSAPI.dll
  • ...

11
Instrumentation (GS)
  • Locates all references to GS cookie
  • cmp REG, __security_cookie
  • Replace with cmp EAX, EAX
  • Replace with Breakpoint (0xCC)
  • Call arbitrary function on failed comparison
  • ASLR complicates things

12
ASLR complicates things...
  • ASLR randomises location of master cookie
  • Can't overwrite with secondary overwrite
  • References to master cookie (MC) are absolute
  • References to MC need to be adjusted
  • New location = RVA of MC + New base address
  • This is a hidden cost of loading modules.
  • Presumably relatively minor?
  • PE/COFF Header gets updated after relocation, but
    not randomisation!

13
Instrumentation (SafeSEH,ASLR,DEP)
  • SafeSEH
  • Just catch first-chance exceptions!
  • ASLR
  • Turn on/off
  • Spray the heap from within the process.
  • DEP
  • Turn on/off (at run time)
  • Hook LoadLibrary() and detect when DEP is turned
    off by incompatible DLL.

14
ASLR: What are the odds?
  • What are the odds?
  • Intended to slow internet worms.
  • Randomised DLL bases are fixed across all
    processes
  • Local attacks are not hindered!

15
ASLR: The probabilities (1)
  • Remotely guessing an EXE base address = 1/254
  • Randomly generated value is the shift in
    position.
  • LO 2 bytes can't be changed
  • Would invalidate RVAs
  • HO 2 bits determine kernel/user-mode
  • Round 1,6 down to 1 Byte (Simplicity?)
  • Left with 2^8 options.
  • Can't be zero shift (EXE always gets rebased)

16
ASLR: The probabilities (2)
  • For EXE relocations, there was a bug :)
  • DLL relocations are a bit more complicated
  • SP0
  • If d = 0, d = 1
  • P(d = 1) = 2 × P(d = 2..255)
  • P(correct guess) = 1/128 (not 1/256 as intended)
  • SP1
  • Delta = (((RDTSC >> 4) % 0xFE) + 1) * 0x10000
  • Fix reduced possible shifts to 254.
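
The probability argument of the last two slides, worked through as an added Python example that is not part of the talk. The SP0 shift is modelled exactly as the slide states it (an 8-bit value, with a zero shift replaced by 1) and the SP1 shift as the reconstructed formula (254 possible shifts); the entropy source is modelled as a uniform 20-bit counter value, which is an assumption of this example that isolates the effect of the formula itself. From the resulting distribution it derives the single-guess success probability, and it compares Shannon entropy with min-entropy to show why the SP0 clamp halves the attacker's work even though Shannon entropy barely moves.

```python
from collections import Counter
from math import log2

SHIFT_UNIT = 0x10000  # bases move in 64 KiB steps: the low 16 bits never change


def sp0_shift(src):
    """Pre-SP1 EXE rebasing as the slide describes it: an 8-bit shift, where a
    zero shift is replaced by 1 because the EXE always gets rebased."""
    d = src & 0xFF
    return d if d != 0 else 1


def sp1_shift(src):
    """SP1 formula from the slide, operators reconstructed from the stated result of
    254 possible shifts: ((RDTSC >> 4) % 0xFE) + 1, in units of SHIFT_UNIT."""
    return ((src >> 4) % 0xFE) + 1


def shift_distribution(shift_fn, source_bits=20):
    """Exact distribution of the shift when the counter value is modelled as a
    uniform source_bits-bit integer (assumption of this example)."""
    n = 1 << source_bits
    counts = Counter(shift_fn(v) for v in range(n))
    return {shift: c / n for shift, c in counts.items()}


def best_guess(dist):
    """The shift a remote guesser should pick, and the chance one guess is right."""
    shift = max(dist, key=dist.get)
    return shift, dist[shift]


def shannon_entropy_bits(dist):
    return -sum(p * log2(p) for p in dist.values())


def min_entropy_bits(dist):
    """-log2(max p): the measure that actually bounds a single guess."""
    return -log2(max(dist.values()))


def summarize(shift_fn):
    dist = shift_distribution(shift_fn)
    shift, p = best_guess(dist)
    return {"distinct_shifts": len(dist), "best_shift": shift, "best_guess_p": p,
            "best_guess_one_in": round(1 / p, 1),
            "shannon_bits": shannon_entropy_bits(dist),
            "min_entropy_bits": min_entropy_bits(dist)}


if __name__ == "__main__":
    for name, fn in (("SP0", sp0_shift), ("SP1", sp1_shift)):
        s = summarize(fn)
        print(name, s, "most likely base = preferred base + %#x" % (s["best_shift"] * SHIFT_UNIT))
```

Under this model SP0 leaves 255 distinct shifts but the best guess (shift 1) succeeds 1 time in 128, while SP1 leaves 254 equally likely shifts and a best guess of about 1 in 254. Shannon entropy is slightly higher for SP0 than for SP1, which is why guessing probability (min-entropy), not Shannon entropy, is the right yardstick for a randomisation scheme.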

17
Conclusions (1)
  • Use GS everywhere
  • otherwise people will notice!
  • Use SafeSEH everywhere (on x86)
  • Only takes one module to undermine protection.
  • Use DEP everywhere
  • Otherwise DEP may be turned off for the whole
    process.
  • Use ASLR everywhere.
  • Only takes one predictable module.

18
Conclusions (2)
  • Protections must be combined and total to be
    effective
  • 3rd Party extensions can spoil the party!
  • Code available online
  • www.tkeetch.co.uk
  • Please mail with bugs/suggestions!
  • twkeetch_at_googlemail.com

19
More information
  • Bypassing memory protections in browsers
  • http://taossa.com/archive/bh08sotirovdowd.pdf
  • GS and ASLR in Windows Vista Ollie W
  • http://www.blackhat.com/presentations/bh-dc-07/Whitehouse/Presentation/bh-dc-07-Whitehouse.pdf
  • EEREAP
  • http://research.eeye.com/html/tools/RT20060801-2.html

20
Questions?