errata

About This Presentation

Title:

errata

Description:

Title: Slide 1 Last modified by: jf Document presentation format: On-screen Show Other titles: Arial Lucida Grande Default Design Slide 1 errata What?! – PowerPoint PPT presentation

Number of Views:164

Avg rating:3.0/5.0

Slides: 63

Provided by: orkspaceN

Category:

more less

Transcript and Presenter's Notes

Title: errata

1
(No Transcript)
2
errata

EuSecWest website references IOActive
No longer IOActive employee
Independent contractor with IOActive
Research is the work of myself and does not
relate to IOActive
No one at IOActive doing similar research

3
What?!

Interpreters serve as abstraction layer
Conceptually similar to VMs used in managed
languages (i.e. Java or .Net)
Attacks against interpreted languages typically
focus around traditional web-app attacks
Poison NULL byte complications
SQL Injection
Et cetera
Traditionally thought of as being immune to
problems that plague other languages- i.e. buffer
overflows
/ PSz 12 Nov 03
Be proud that perl(1) may proclaim
Setuid Perl scripts are safer than C
programs
Do not abandon (deprecate) suidperl. Do not
advocate C wrappers.

4
Reason for Rhyme

Usage of web and managed applications only going
to increase
Gap between how these are attacked
Protections against application based attack are
C-centric
Stack cookies
Higher layers of abstraction may have their own
call stacks
Heap cookies protect against heap memory
corruption
Many languages implement their own allocator that
lack cookies
The unlink() macro sanity checks the
forward/backward pointers
Many languages implement their own allocator that
lack sanity checks
Linked lists often implemented on top of block of
memory
NX protects against execution
Byte code is read/interpreted, not executed
ASLR protects against return-to-libc/et cetera
Still valid

5
But, the future of insecurity?

Hacking community is largely content with the
world as it is
World is changing
Most OSs ship with some hardening anymore
GCC ships with SSP
Visual Studio 2005 is pretty effective
Interpreted Managed language use on the rise
We dont get to choose what the applications we
break are written in
Adapt or die
Maybe not the future
But, Im at least thinking about it

6
Goals Prior Art

Goals
Memory Corruption bug in interpreter
Attack interpreted language metadata
Return into interpreted language bytecode
Stephan Esser
Hardened PHP, Month of PHP bugs, et cetera
Mark Dowd
Leveraging the ActionScript Virtual Machine

7
Damn the torpedoes

In Mid-April 2008 Google rolled out AppEngine
AppEngine enables you to build web applications
on the same scalable systems that power Google
applications
AKA Heres a python interpreter, you cant break
us.
A flagship example is the shell application
Literally a web-based interface to the
interpreter
Interpreter runs in a restricted environment
All file-based I/O is (supposed to be) disabled
and a Google specific datastore API is provided
Subprocesses, threads, et cetera disabled
No sockets
Many modules disabled or modified
Perfect target.

8
Abba Zabba, you my only friend

Having direct access to the interpreter allows a
lot of flexibility
Stopping address space leaks becomes incredibly
problematic (sys._getframe() ?)
Attacker can manipulate interpreter state to
match necessary conditions
Situation is the same that shared hosting
providers have faced for years
Except now its Google, theyre pushing this for
enterprise use, and the attack surface has been
acknowledged

9
But interpreted languages dont have buffer
overflows

More common than expected
CVE-2008-1679 Multiple integer overflows in
imageop module
CVE-2008-1887 Signedness issues in
PyString_FromStringAndSize()
CVE-2008-1721 Signedness issues cause buffer
overflow in zlib module
CVE-2008-XXXX Integer overflow leads to buffer
overflow in Unicode processing
CVE-2008-XXXX Integer overflow leads to buffer
overflow in Buffer objects
Et cetera
Interpreter code still relatively virgin
Many in Python due to extensive use of signed
integers

10
On 0-day

Over next few slides several bugs are discussed
Some are reported and patched
Some are reported and unpatched
Some are undisclosed and unpatched
Not all bugs are equal
Most occur in unusual circumstances
Most require direct interpreter access
Others are typically unexploitable (i.e. memcpy()
of 4G)
Most undisclosed were found in a very short
period of time
Point is, they exist theyre not hard to find

11
Ethics of 0-day

Arguments would be easier to take serious if
contracts didnt have clauses like this

12
When good APIs go bad

Patched in CVS, broken in Python versions up to
2.5.2
Also in PyBytes_FromStringAndSize()
PyUnicode_FromStringAndSize()
52 PyObject
53 PyString_FromStringAndSize(const char
str, Py_ssize_t size)
54
55 register PyStringObject op
56 assert(size gt 0)
57 if (size 0 (op nullstring) !
NULL)
63
64 if (size 1 str ! NULL
65 (op charactersstr UCHAR_MAX) !
NULL)
66
72
73
74 / Inline PyObject_NewVar /
75 op (PyStringObject )PyObject_MALLOC(s
izeof(PyStringObject) size)

13
Where the wild things roam..

Currently reported but unpatched
Like previous example causes faults in numerous
places including core data types
85 define PyMem_New(type, n)
\
86 (assert((n) lt PY_SIZE_MAX /
sizeof(type)) , \
87 ((type ) PyMem_Malloc((n)
sizeof(type))))
88 define PyMem_NEW(type, n)
\
89 (assert((n) lt PY_SIZE_MAX / sizeof(type)
) , \
90 ((type ) PyMem_MALLOC((n)
sizeof(type))))
91
92 define PyMem_Resize(p, type, n)
\
93 (assert((n) lt PY_SIZE_MAX /
sizeof(type)) , \
94 ((p) (type ) PyMem_Realloc((p), (n)
sizeof(type))))
95 define PyMem_RESIZE(p, type, n)
\
96 (assert((n) lt PY_SIZE_MAX /
sizeof(type)) , \
97 ((p) (type ) PyMem_REALLOC((p), (n)
sizeof(type))))

14
0xbadc0ded

Reported, but currently unpatched
static int
unicode_resize(register PyUnicodeObject unicode,
Py_ssize_t length)
...oldstr unicode-gtstrPyMem_RESIZE(unicod
e-gtstr, Py_UNICODE, length 1)
...unicode-gtstrlength 0
static
PyUnicodeObject _PyUnicode_New(Py_ssize_t
length)
... / Unicode freelist memory
allocation / if (unicode_freelist)
if ((unicode-gtlength lt
length) unicode_resize(unicode, length) lt 0)
else unicode-gtstr
PyMem_NEW(Py_UNICODE, length 1)

15
0xbadc0ded

Reported and patched in CVS, versions up to 2.5.2
are vulnerable
768 static PyObject
769 PyZlib_unflush(compobject self, PyObject
args)
770
771 int err, length DEFAULTALLOC
772 PyObject retval NULL
773 unsigned long start_total_out
774
775
776 if (!PyArg_ParseTuple(args, "iflush",
length))
777 return NULL
778 if (!(retval PyString_FromStringAndSize(
NULL, length)))
779 return NULL
783 start_total_out self-gtzst.total_out
784 self-gtzst.avail_out length
785 self-gtzst.next_out (Byte
)PyString_AS_STRING(retval)
786

16
0xbadc0ded

Currently undisclosed unpatched
static PyObject
array_fromunicode(arrayobject self, PyObject
args)
Py_UNICODE ustr Py_ssize_t
n if (!PyArg_ParseTuple(args,
ufromunicode", ustr, n))
return NULL ... if (n gt 0)
Py_UNICODE item (Py_UNICODE )
self-gtob_item if (self-gtob_size
gt PY_SSIZE_T_MAX - n)
return PyErr_NoMemory()
PyMem_RESIZE(item, Py_UNICODE,
self-gtob_size n) if (item
NULL)
PyErr_NoMemory() return
NULL
self-gtob_item (char ) item
self-gtob_size n
self-gtallocated self-gtob_size
memcpy(item self-gtob_size - n, ustr, n
sizeof(Py_UNICODE))

17
0xbadc0ded

Currently undisclosed unpatched
static PyObject
encoder_encode_stateful(MultibyteStatefulEncoderCo
ntext ctx,
PyObject
unistr, int final)
PyObject ucvt, r NULL
Py_UNICODE inbuf, inbuf_end, inbuf_tmp
NULL Py_ssize_t datalen,
origpending ... datalen
PyUnicode_GET_SIZE(unistr) origpending
ctx-gtpendingsize if (origpending gt 0)
if (datalen gt PY_SSIZE_T_MAX -
ctx-gtpendingsize)
inbuf_tmp
PyMem_New(Py_UNICODE, datalen
ctx-gtpendingsize)
memcpy(inbuf_tmp, ctx-gtpending,
Py_UNICODE_SIZE ctx-gtpendingsize)

18
ya dig?

Currently undisclosed unpatched
static PyObject
posix_execv(PyObject self, PyObject args)
if (!PyArg_ParseTuple(args,
"etOexecv", Py_FileSystemDefaultEncoding,
path,
argv)) return NULL if
(PyList_Check(argv)) argc
PyList_Size(argv) else if
(PyTuple_Check(argv)) argc
PyTuple_Size(argv) argvlist
PyMem_NEW(char , argc1) ... for
(i 0 i lt argc i) if
(!PyArg_Parse((getitem)(argv, i), "et",
Py_FileSystemDefaultEncodi
ng,
argvlisti)) ...

19
Goals review

Goal 0 memory corruption bugs
Bugs are just as prevalent as other traditional
applications
Some of them are pretty silly
Lots are still easy to spot and require very
little in the way of deep thinking
Some are exploitable, some require specific
circumstances, others are just bugs
Goal 1 attack interpreter level metadata..

20
Python Call stack

Simple test program
!/usr/bin/python
import time
while 1
time.sleep(500)
gdbgt r
Program received signal SIGINT, Interrupt.
Switching to Thread 0x2b9d5bdd4d00 (LWP 28588)
0x00002b9d5bb4f043 in select () from
/lib/libc.so.6
gdbgt bt
0 0x00002b9d5bb4f043 in select () from
/lib/libc.so.6
1 0x00002b9d5bdd869f in time_sleep
2 0x0000000000486097 in PyEval_EvalFrameEx
3 0x0000000000488002 in PyEval_EvalCodeEx
4 0x00000000004882a2 in PyEval_EvalCode
5 0x00000000004a969e in PyRun_FileExFlags
6 0x00000000004a9930 in PyRun_SimpleFileExFlags

21
Bytecode flow overview
22
Python Objects

Most (interesting) object types start with a
reference to PyObject_VAR_HEAD
i.e.
typedef struct _xyz
PyObject_VAR_HEAD
PyObject_VAR_HEAD macro expands to
Contain the objects reference count
Contain pointers to next/previous in-use object
(doubly linked list)
Contains a pointer to the objects type
This point is way more important at first may
seem

23
PyCodeObject

/ Bytecode object /
typedef struct
PyObject_HEAD
int co_argcount / arguments,
except args /
int co_nlocals / local
variables /
int co_stacksize / entries
needed for evaluation stack /
int co_flags / CO_...,
see below /
PyObject co_code / instruction
opcodes /
PyObject co_consts / list (constants
used) /
PyObject co_names / list of strings
(names used) /
PyObject co_varnames / tuple of strings
(local variable names) /
PyObject co_freevars / tuple of strings
(free variable names) /
PyObject co_cellvars / tuple of strings
(cell variable names) /
PyObject co_filename / string (where it
was loaded from) /
PyObject co_name / string (name, for
reference) /
int co_firstlineno / first
source line number /
PyObject co_lnotab / string (encoding
addrlt-gtlineno mapping) /
void co_zombieframe / for optimization
only (see frameobject.c) /
PyCodeObject

24
PyEval_EvalCodeEx()

PyEval_EvalCode() is a simple wrapper to
PyEval_EvalCodeEx()
Uses default arguments for last seven parameters
passes NULL or 0
Takes a PyCodeObject as a parameter
Creates a PyFrameObject
Sets up local/global/et cetera variables
Serves essentially to setup environment

25
PyFrameObject

typedef struct _frame
PyObject_VAR_HEAD
struct _frame f_back / previous frame,
or NULL /
PyCodeObject f_code / code segment /
PyObject f_builtins / builtin symbol
table (PyDictObject) /
PyObject f_globals / global symbol
table (PyDictObject) /
PyObject f_locals / local symbol
table (any mapping) /
PyObject f_valuestack / points after the
last local /
/ Next free slot in f_valuestack. Frame
creation sets to f_valuestack.
Frame evaluation usually NULLs it, but a
frame that yields sets I
to the current stack top. /
PyObject f_stacktop
PyObject f_trace / Trace function
/
PyThreadState f_tstate
int f_lasti / Last
instruction if called /
int f_iblock / index in
f_blockstack /
PyTryBlock f_blockstackCO_MAXBLOCKS / for
try and loop blocks /

26
PyFrameObject destruction

As frames go out of scope, frame_dealloc() is
called to destroy them
During destruction, only locals, exception and
debugging information is cleared
Frame can end up in the PyCodeObjects zombie
frame, the free list, or just destroyed
void
frame_dealloc(PyFrameObject f)
...for (p f-gtf_localsplus p lt valuestack
p) Py_CLEAR(p)...Py_CLEAR(f-gtf_locals)
Py_CLEAR(f-gtf_trace)Py_CLEAR(f-gtf_exc_type)Py_
CLEAR(f-gtf_exc_value)Py_CLEAR(f-gtf_exc_traceback
)co f-gtf_codeif (co-gtco_zombieframe
NULL) co-gtco_zombieframe felse if (numfree lt
MAXFREELIST) numfree f-gtf_back
free_list free_list f

27
Zombies attack!!1

PyFrameObject PyFrame_New(PyThreadState tstate,
PyCodeObject code, PyObject globals, PyObject
locals)
... if (code-gtco_zombieframe ! NULL)
f code-gtco_zombieframe
code-gtco_zombieframe NULL
assert(f-gtcode code)
else ...
f-gtf_stacktop f-gtf_valuestack
f-gtf_builtins builtinsPy_XINCREF(back)
f-gtf_back backPy_INCREF(code)Py_INCREF(globa
ls)f-gtf_globals globals...return f

28
Unleashing your zombie army..

Attacking zombie frame not always necessary, or
doing so may not make sense
Many heap overflows occur in direct control of
byte stream
Many others either also allow direct control of
the argument stack or both
Plenty of instances where you dont hit either
Zombie frame is useful for pointer sized writes
anywhere in memory
On smaller overflows, fairly typical to corrupt
members of object
Many objects destructors use linked lists with
unprotected unlinking functionality

29
PyEval_EvalFrameEx()

Implements state-machine for processing bytecode
define INSTR_OFFSET() ((int))(next_instr
first_instr))
define NEXTOP() (next_instr)
define NEXTARG() (next_instr 2,
(next_instr-1ltlt8) next_instr-2)
PyObject
PyEval_EvalFrameEx(PyFrameObject f, int
throwflag)
...first_instr (unsigned char)
PyString_AS_STRING(co-gtco_code)...next_instr
first_instr f-gtf_lasti 1stack_pointer
f-gtf_stacktop...for () ...
f-gtf_lasti INSTR_OFFSET() ... opcode
NEXTOP() oparg 0 / allows oparg
to be stored in a register because
it doesn't have to be remembered across a full
loop / if (HAS_ARG(opcode))
oparg NEXTARG()
switch (opcode)

30
Important variables

first_instr
Taken directly from f-gtf_code-gtco_code
Determines first instruction in
PyCodeObject/bytecode to be executed
Local (stack based) variable in
PyEval_EvalFrameEx()
Points to heap data
next_instr
Derived from first_instr starts out pointing to
same location
Incremented by one to three bytes per opcode
Dictates next instruction in bytecode to be
interpreted
Local (stack based) variable in
PyEval_EvalFrameEx()
Points to heap data
stack_pointer
Derived from f-gtf_stacktop
Determines next argument to given opcode
Makes up data stack
Local (stack based) variable in
PyEval_EvalFrameEx()
Points to heap data

31
Only handguns and tequila allow bigger mistakes
faster

define JUMPTO(x) (next_instr first_instr
(x))while (why ! WHY_NOT f-gtf_iblock gt
0) PyTryBlock b PyFrame_BlockPop(f) asser
t(why ! WHY_YIELD) if (b-gtb_type SETUP_LOOP
why WHY_CONTINUE) PyFrame_BlockSetup(f,
b-gtb_type, b-gtb_handler,b-gtb_level) why
WHY_NOT JUMPTO(PyInt_AS_LONG(retval)) Py_DEC
REF(retval) break ... if (b-gtb_type
SETUP_LOOP why WHY_BREAK) why
WHY_NOT JUMPTO(b-gtb_handler) break if
(b-gtb_type SETUP_FINALLY (b-gtb_type
SETUP_EXCEPT why WHY_EXCEPTION))
... why WHY_NOT JUMPTO(b-gtb_handler)
break / unwind stack /

32
Other interpreter targets..

Pythons debugging functionality allows for
tracing of the application
Whether the currently executing byte-code is
being traced is determined by a member in the
stack frame
Tracing allows for calls before opcode execution,
function entry, exception handling, et cetera
Many Objects have functionality that can be
abused with small amounts of memory corruption
Be creative, they havent been beat on like the
various libcs, so they havent hardened their
implementations

33
Goal Review

Goal 1 Attack interpreter level metadata
In most cases overwriting a PyCodeObject or the
stack_pointer is trivial
In others attacking the zombie frame allows for
an interesting and humorous exercise
Pythons exception handling can also be abused
Objects are unhardened
This allows us to bypass many of the hardening
functionality in existence, i.e. stack/heap
cookies, unlink() hardening, et cetera
Goal 2 Return into byte-code

34
opcodes

Python opcodes are a single char
As of 2.5.2 there are 103 opcodes
Opcodes take optional 16-bit modifier
Can be thought of as like a sub-opcode
Arguments/parameters are pointed to by
stack_pointer
Thus, parameters need to be placed on the stack
first, then the opcode in question called
i.e.
gtgtgt def test()
print PsychoAlphaDiscoBetaBioAquaDoLoop
gtgtgt __import__(dis).dis(test)
2 0 LOAD_CONST 1
('PsychoAlphaDiscoBetaBioAquaDoLoop') 3
PRINT_ITEM
4 PRINT_NEWLINE
5 LOAD_CONST 0 (None)
8 RETURN_VALUE

35
Our House..

Easiest method is to abuse the support for
run-time functions (lambdas)
Opcode is MAKE_FUNCTION
case MAKE_FUNCTION
v POP() / code object / x
PyFunction_New(v, f-gtf_globals)
Py_DECREF(v) / XXX Maybe this
should be a separate opcode? / if (x
! NULL oparg gt 0) v
PyTuple_New(oparg)
if (v NULL)
Py_DECREF(x)
x NULL
break
while (--oparg gt
0) w POP()

PyTuple_SET_ITEM(v, oparg, w)

err PyFunction_SetDefaults(x, v)
Py_DECREF(v)
PUSH(x)
break

36
In the middle of our street..

Python natively generates code that has a
STORE_FAST/LOAD_FAST
Dont think theyre necessary
Pressed for time, so didnt investigate whether
they were necessary or not
define GETLOCAL(i) (fastlocalsi) define
SETLOCAL(i, value) do PyObject tmp
GETLOCAL(i) \
GETLOCAL(i) value \
Py_XDECREF(tmp) while (0)
case LOAD_FAST
x GETLOCAL(oparg) if
(x ! NULL)
Py_INCREF(x)
PUSH(x) goto
fast_next_opcode
break case
STORE_FAST v POP()
SETLOCAL(oparg, v)
goto fast_next_opcode

37
Let there be light.

Now that weve built the function and setup the
argument stack, its just time to call it
Accomplished via CALL_FUNCTION opcode
case CALL_FUNCTION
PyObject sp
PCALL(PCALL_ALL) sp
stack_pointerifdef WITH_TSC
x call_function(sp, oparg, intr0,
intr1)else x
call_function(sp, oparg)endif
stack_pointer sp
PUSH(x) if (x !
NULL) continue
break

38
Calling the call_function() function

static PyObject
call_function(PyObject pp_stack, int
opargifdef WITH_TSC , uint64
pintr0, uint64 pintr1endif )
int na oparg 0xffint nk (oparggtgt8)
0xffint n na 2 nkPyObject pfunc
(pp_stack) - n - 1PyObject func
pfuncPyObject x, w if (PyCFunction_Check(f
unc) nk 0) ... if (flags
METH_NOARGS na 0) C_TRACE(x,
(meth)(self,NULL)) else if (flags
METH_O na 1) PyObject arg
EXT_POP(pp_stack)
C_TRACE(x, (meth)(self,arg))
Py_DECREF(arg)
...

39
calling the call_function() function

static PyObject
call_function(PyObject pp_stack, int oparg
ifdef WITH_TSC
, uint64 pintr0, uint64 pintr1
endif
)
if (PyCFunction_Check(func) nk 0)
... else if (PyMethod_Check(func)
PyMethod_GET_SELF(func) ! NULL)
PyObject self PyMethod_GET_SELF(func)
...
else ... if
(PyFunction_Check(func)) x
fast_function(func, pp_stack, n, na, nk)

40
A final note about call_function()

Often after overflow the code returned into is
call_function()
call_function() cleans up the argument stack
after calling the function
while ((pp_stack) gt pfunc) w
EXT_POP(pp_stack) Py_DECREF(w) PCALL(PCALL_
POP)
Py_DECREF() will almost certainly cause a
destructor to get called
If data stack_pointer pointed to was corrupted,
this will be the first place its felt
Unless youre ready for a ret-into-libc type
attack, make sure that w points to valid memory
that has a value greater than 1

41
PyCodeObjects dont grow on trees you know!

Where to get a PyCodeObject?
Two options, dependant on context
AppEngine, et al
x unicode(compile(print zdravstvoyte mir!,
ltstringgt, exec))
x will contain string along the lines of
ltcode object ltmodulegt at 0x4e058f1c37daf18, file
ltstringgt, line 1gt
Now stack_pointer just needs to point at
0x4e058f1c37daf18
Less controlled environments
Use compile() to obtain code object
References in header need to be updated--
PyCodeObject-gtco_code
Requires address space leak

42
But..

Returning into bytecode in AppEngine doesnt make
much sense?
Already have control of the interpreter
Return into same restricted environment
Not exactly true-- but ret-into-libc or similar
eventually becomes necessary
Ret-into-libc requires address space info
Non-AppEngine attacks require address space info

43
Tell me about your mother..

One reason for return into byte-code on
AppEngine PRINT_EXPR opcode
case PRINT_EXPR
v POP()w PySys_GetObject("displayhook")
if (w NULL) PyErr_SetString(PyExc_RuntimeEr
ror, "lost sys.displayhook") err
-1 x NULLif (err 0) x
PyTuple_Pack(1, v) if (x NULL)
err -1if (err 0) w
PyEval_CallObject(w, x) Py_XDECREF(w) if (w
NULL) err -1Py_DECREF(v)Py
_XDECREF(x)break

44
All we had to do was ask..

Typical results of memory leak
\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x80\x00
\x00\x01\x00\x00\x00\x01\x00\x00\x00\xa0\x91\x81\x
00\x00\x00\x00\x00\x00\x90\x91\x81\x00\x00\x00\xb0
\x91\x81\x12\x1e\x01\x00\x00\x02\
Leaking heap addresses in this example
0x8191XXXX
If stack_pointer is controlled, can point
anywhere in the address space
Leak is really only bounded by how much byte-code
you can get into the stream
Objects used to verify typing information are
statically allocated and use fixed offsets thus
once you know the low-order bytes, you can spot
them easily
Problematic because it prints to standard out,
which can be redirected but post-overflow is a
lot of trouble
Good strategy is to take advantage of fact that
were dealing with a web-app that can crash an
infinite number of times

45
Loose APIs sink ships.

Python is one of those overly helpful languages
Pretty much all objects can be printed out
When you print an object, the address of the
object is leak
Object can also be converted to a string where
the same string that gets printed ends up in
string, i.e. unicode(compile()) gives you the
address of a PyCodeObject
Leak PyFrameObject addresses
sys._getframe() returns frame object
sys._currentframes() returns a dictionary with
each threads current frame
builtin function id()
Each object has a unique id
This is accomplished by using the address of the
object for the id
i.e. id(None) yields address of None object
(think about that in context of obtaining type
object addresses)
Builtin functions dir() and getattr()
dir() allows you to enumerate attributes of an
object
getattr() allows you to obtain its value
Useful when function pointers cannot be avoided

46
Goals in review

Goal 2 return into interpreter byte-code
Easier to accomplish than initially thought
Process of executing byte-code is more
problematic due to type-checks
Successful exploitation absolutely requires
address space leaks
Python provides us with nice opcodes to allow
leaking
Easiest method is to use MAKE_FUNCTION/CALL_FUNCTI
ON combination as bootstrap mechanism
Restricted interpreters require return-into-C
code to break out of
Returning into byte-code provides these
advantages
Non-executable memory is not necessary- byte-code
is interpreted not executed
Because its not executed we can use it to dump
address space info

47
22

Overall process
Obtain address space information via memory
corruption and executing PRINT_EXPR opcode
Obtain addresses that were valid at one time and
fix up data with addresses
Craft a PyCodeObject either in the address space
or in the shellcode, update PyCodeObject header
information if injecting into address space
Execute following opcodes MAKE_FUNCTION/STORE_FAS
T/LOAD_FAST/CALL_FUNCTION
Return into PyCodeObject
From PyCodeObject return into executable memory

48
Other available opcodes

LOAD_CONST loads constant onto argument stack
using oparg index into consts member of
PyCodeObject
POP_TOP removes member from top of argument
stack, decreases reference
ROT_TWO/ROT_THREE/ROT_FOUR rotates position of
argument stack, moving 2, 3 or 4 arguments around
DUP_TOPX duplicates either 2 or 3 pointers on
argument stack
STORE_SLICEX some code paths do not have type
checks and instead create a new object, allows
object creation
PRINT_ITEM_TO allows redirection of output,
pops output data from variable stack, falls
through to PRINT_ITEM which may redirect to
stdout
LOAD_LOCALS places f-gtf_locals onto argument
stack, great opcode to prefix PRINT_X opcodes
YIELD_VALUE takes return value from argument
stack, sets f-gtf_stacktop to point to
stack_ponter
POP_BLOCK Obtains PyTryBlock from argument
stack, decrements references for each record
STORE_GLOBAL / LOAD_GLOBAL same as with other
STORE_X/LOAD_X opcodes, except operates on
globals

49
More opcodes

JUMP_ABSOLUTE like JUMP_FORWARD except is not
relative to first_instr
FOR_ITER makes function pointer call from
pointer retrieved from argument stack, good once
address space layout is known
EXTENDED_ARGS advances to next opcode, obtains
another 16-bit oparg and combines it with
existing 16-bit oparg, combined with
JUMP_ABSOLUTE allows byte-code to exist anywhere
(on 32-bit machines)
LOAD_CLOSURE places pointer on argument stack
from different section of heap memory
BUILD_X several opcodes, allows for creation of
Tuples, Lists, Maps and Slices
JUMP_FORWARD advances position in bytecode by
oparg bytes
Other opcodes perform type checks or have
callbacks
Many of the ones with type checks can be coaxed
into usage by first building an object via one of
the BUILD_X opcodes
Once address space is know, opcodes with
callbacks are not dangerous

50
python.fin()

Bugs in Python exist and are easy to find
Data structures and general metadata is easy to
abuse
Byte-code is position independent and thus easy
to make
Because of its PIC nature argument stack exists
elsewhere
Ownership can be transferred with one or the
other, but made more difficult
Hardest part of returning into byte-code is ASLR
Python is really helpful there.

51
What about PERL?

PERL has bugs too
Reading PERL is an exercise in patience
Friend I still maintain that PERL was not
written.. It was found.. On a crashed UFO
Yeah, it is that bad
Be careful when looking into the abyss..

52
Ugh, wtf?

Just an example (from 5.8.8)
int
perl_parse(PTHXx_, XSINIT_t xsinit, int argc,
char argv, char env)
ifdef PERL_FLEXIBLE_EXCEPTIONS
CALLPROTECT(aTHX_ pcur_env, ret,
MEMBER_TO_FPTR(S_vparse_body),
env, xsinit)
else
JMPENV_PUSH(ret)
endif

53
Are you kidding me?

If PERL_FLEXIBLE_EXCEPTIONS is defined
define CALLPROTECT CALL_FPTR(PL_protect)
define CALL_FPTR(fptr) (fptr)
define PL_protect (aTHX-gtTprotect)
define aTHX PERL_GET_THX
define aTHX_ aTHX,
ifdef USE_5005THREADS
define PERL_GET_THX ((struct perl_thread
)PERL_GET_CONTEXT)
else
ifdef MULTIPLICITY
define PERL_GET_THX ((PerlInterpreter
)PERL_GET_CONTEXT)
endif
endif

54
Larry Wall is trying to kill me

And some more
ifndef PERL_GET_CONTEXT
define PERL_GET_CONTEXT ((void )NULL)
define PERL_GET_CONTEXT Perl_get_context()
define MEMBER_TO_FPTR(name) name
So, on conditional compilation expands to
perl_get_context()-gtTprotect((struct perl_thread
)Perl_get_context(),
pcur_env,
ret,
S_Vparse_body,
env,
xsinit)

55
You outsourced to the guy who wrote procmail
didnt you?!

If PERL_FLEXIBLE_EXCEPTIONS is not defined
define JMPENV_PUSH(v) JMPENV_PUSH_ENV((JMPENV)p
cur_env, v)
define JMPENV_PUSH_ENV(ce, v) \
STMT_START \
if (!(ce).je_noset) \
DEBUG_1(Perl_deb(aTHX_ Setting up jumplevel
p, was p\n, \
cl, PL_top_env)) \
JMPENV_PUSH_INIT_ENV(ce, NULL) \
EXCEPT_SET_ENV(ce, PerlProc_setjmp((ce).je_buf,
SCOPE_SAVES_SIGNAL_MASK)) \
(ce).je_noset 1 \
\
else \
EXCEPT_SET_ENV(ce, 0) \
JMPENV_POST_CATCH_ENV(ce) \
(v) EXCEPT_GET_ENV(ce) \
STMT_END

56
sigh

Does do while(0) not work somewhere??
if defined(__GNUC__) !defined(PERL_GCC_BRACE_G
ROUPS_FORBIDDEN) !defined (__cplusplus)
define STMT_START (void)
define STMT_END
else
if (VOIDFLAGS) (defined(sun)
defined(__sun__)) !defined(__GNUC__)
define STMT_START if (1)
define STMT_END else (void)0
else
define STMT_START do
define STMT_END while (0)
endif
endif

Were just gonna skip expanding Debug_1() and
guess that it probably deals with debugging
output
define JMPENV_PUSH_INIT_ENV(ce, THROWFUNC) \
STMT_START \
(ce).je_throw (THROWFUNC) \
(ce).je_ret -1 \
(ce).je_mustcatch FALSE \
(ce).je_prev PL_top_env \
PL_TOP_env (ce) \
OP_REG_TO_MEM \
STMT_END
define PL_top_env (aTHX-gtTtop_env)
ifdef OP_IN_REGISTER
define OP_REG_TO_MEM PL_opsave op
else
define OP_REG_TO_MEM NOOP

58
Anyone wanna bet how many slides it takes to
explain one line of PERL?

Almost there
define EXCEPT_SET_ENV(ce, v) ((ce).je_ret (v))
define JMPENV_POST_CATCH_ENV(ce) \
STMT_START \
OP_MEM_TO_REG \
PL_top_env (ce) \
STMT_END
define EXCEPT_GET_ENV(ce) ((ce).je_ret)

59
Huzzah! One line expanded!

seven slides later..
Two of over a dozen possible conditional
compilations were explored
Weve successfully decoded one line of perl
Except we havent, now we have to find out where
the function pointers get initialized
And of course, discover where the heck op came
from
I dont think an hour is long enough to cover
just PERL, much less PERL and Python

60
0xbadc0ded

Undisclosed unpatched
do i_img im read_one_tiff(tif, 0)
if (!im) break if (count gt
result_alloc) if (result_alloc 0)
result_alloc 5 results
mymalloc(result_alloc sizeof(i_img ))
else i_img newresults
result_alloc 2 newresults
myrealloc(results, result_alloc sizeof(i_img
)) if (!newresults)
i_img_destroy(im) / don't leak it /
break results newresults
resultscount-1 im while
(TIFFSetDirectory(tif, dirnum))

61
0xbadc0ded

Undisclosed unpatched
static i_img
read_one_rgb_tiled(TIFF tif, int width, int
height, int allow_incomplete) ... uint32
raster NULL ... uint32 tile_width,
tile_height i_color line ...
TIFFGetField(tif, TIFFTAG_TILEWIDTH,
tile_width) TIFFGetField(tif,
TIFFTAG_TILELENGTH, tile_height) ...
raster (uint32)_TIFFmalloc(tile_width
tile_height sizeof (uint32)) ... line
mymalloc(tile_width sizeof(i_color)) for(
row 0 row lt height row tile_height )
for( col 0 col lt width col tile_width )
/ Read the tile into an RGBA array
/ if (myTIFFReadRGBATile(img, col, row,
raster)) ...

62
0xbadc0ded

Undisclosed unpatched
i_img
read_one_rgb_lines(TIFF tif, int width, int
height, int allow_incomplete) i_img
im uint32 raster NULL
uint32 rowsperstrip, row i_color
line_buf int alpha_chan
int rc im make_rgb(tif, width,
height, alpha_chan) ... rc
TIFFGetField(tif, TIFFTAG_ROWSPERSTRIP,
rowsperstrip) ... raster
(uint32)_TIFFmalloc(width rowsperstrip
sizeof (uint32)) ... line_buf
mymalloc(sizeof(i_color) width)
for( row 0 row lt height row rowsperstrip )
uint32 newrows, i_row
if (!TIFFReadRGBAStrip(tif, row, raster))