Past, Present, Future of Windows Exploitation - 2

classic windows stack overflows

There are lots of great and detailed papers in this area; I just want to link a few of them:

1- Win32 Buffer Overflows (Location, Exploitation and Prevention) by dark spyrit in 1999

http://www.phrack.com/issues.html?issue=55&id=15#article

2- Win32 Stack Based Buffer Overflow Walkthrough by S.K Chong in July 2002

http://www.scan-associates.net/papers/win32_bo_walkthrough.txt

3- Nish Bhalla’s series on Writing Stack Based Overflows on Windows in 2005

http://www.packetstormsecurity.org/papers/win/

To describe them briefly: they all talk about finding a reliable return address in a reliable dynamic link library (mostly OS DLLs such as kernel32.dll, ntdll.dll, shell32.dll, user32.dll and so on), and then overwriting a function’s return address by sending a big value to a poorly checked input variable, which redirects the program’s execution flow to that address in the DLL. That address is mostly a JMP / CALL / PUSH ESP (stack pointer) or EBP (base pointer), because most of the time in a classic stack overflow the attacker stores his or her malicious code on the stack, and a JMP / CALL / PUSH ESP; RET will jump to the start of the shellcode. That’s all!

classic windows heap overflows

1- Third Generation Exploitation: smashing the heap on 2k by Halvar Flake in 2002

http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt

2- Exploiting the MSRPC Heap Overflow, two parts, by Dave Aitel (MS03-026), Sep 2003

http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap.pdf

http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap2.pdf

3- David Litchfield gave a great, detailed presentation at Black Hat 2004

https://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt

To describe them briefly: they all talk about exploiting the unlink macro and using a write4 (where + what), i.e. the ability to write 4 bytes (32 bits) to a selected address in memory, and then using that to overwrite specific function pointers like:

  • UnhandledExceptionFilter
  • VectoredExceptionHandling
  • RtlEnterCriticalSection
  • TEB Exception Handler
  • Application specific function pointer

…..

kernel based Windows overflows (not so classic)

Because of the inevitability of this type of attack, I want to share the most notable history in this area here (note that I will come back to heap and stack overflows with protections after this).

=================

The first notable whitepaper that stated how to attack kernel-based vulns on Windows was done by a Polish group called “sec-labs” around 2003.

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/0101.html

sec-labs old whitepaper: http://www.artofhacking.com/tucops/hack/windows/live/aoh_win32dcv.htm

sec-labs old exploit: http://www.securityfocus.com/bid/8329/info

(thanks Piotr Bania !)

1- Windows Local Kernel Exploitation by S.K Chong in 2004 (based on sec-lab research)

http://www.packetstormsecurity.org/hitb04/hitb04-sk-chong.pdf

http://www.scan-associates.net/papers/navx.c

2- Windows interrupt context kernel overflow exploit by FlashSky in 2004

3- How to exploit Windows kernel memory pool in 2005 by SoBeIt

http://packetstormsecurity.nl/Xcon2005/Xcon2005_SoBeIt.pdf

4- in 2005 eEye Security published a great paper about exploiting remote kernel overflows in Windows

http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf

5- later in 2005 Matt Miller published a great article called Kernel-mode Payloads on Windows in Uninformed

http://www.uninformed.org/?v=3&a=4&t=pdf

6- in 2006 Johnny Cache, HD Moore and Matt Miller released Exploiting 802.11 Wireless Driver Vulnerabilities on Windows

http://www.uninformed.org/?v=6&a=2&t=pdf

7- in 2007 Jonathan Lindsay published a paper and gave a presentation at BH US 2007 called Attacking the Windows Kernel

http://www.blackhat.com/presentations/bh-usa-07/Lindsay/Whitepaper/bh-usa-07-lindsay-WP.pdf

8- also at BH US 2007, Yuriy Bulygin gave a presentation called Remote and Local Exploitation of Network Drivers

http://www.blackhat.com/presentations/bh-usa-07/Bulygin/Presentation/bh-usa-07-bulygin.pdf

9- also in 2007, Ruben Santamarta wrote Exploiting Common Flaws In Drivers

http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1

10- in 2008 Justin Seitz wrote a paper called I2OMGMT Driver Impersonation Attack

http://www.immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf

In that paper Justin talked about a new type of kernel attack and about the I2OMGMT bug that was found by Ruben.

11- later in 2008 Kostya Kortchinsky gave a presentation called Real World Kernel Pool Exploitation

http://sebug.net/paper/Meeting-Documents/syscanhk/KernelPool.pdf

In that presentation Kostya talked about how he wrote an exploit for MS08-001 (Microsoft had marked it as not exploitable!)

12- later in 2008 Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for Windows 2k3 and 2k8

  • article: http://www.argeniss.com/research/TokenKidnapping.pdf
  • PoC 2k3: http://www.argeniss.com/research/Churrasco.zip
  • PoC 2k8: http://www.argeniss.com/research/Churrasco2.zip

13- again later in 2008 mxatone wrote a paper called Analyzing local privilege escalations in win32k

http://www.uninformed.org/?v=10&a=2&t=pdf

In that paper he analyzed vulnerabilities and the exploitation vectors of the win32k driver.

14- at uCon 2009 Stephen A. Ridley gave a presentation called Intro to Windows Kernel Security Development

download it here

15- Tavis Ormandy and Julien Tinnes gave a great presentation called There’s a party at ring0 and you’re invited

http://www.cr0.org/paper/to-jt-party-at-ring0.pdf

16- in January 2010 Matthew “j00ru” Jurczyk and Gynvael Coldwind (Hispasec) wrote a detailed paper called GDT and LDT in Windows kernel vulnerability exploitation.

http://vexillium.org/dl.php?call_gate_exploitation.pdf

In that paper they describe some possible ways of exploiting kernel-mode write-what-where vulnerabilities in a stable manner.

17- later they gave a presentation called Case Study of Recent Windows Vulnerabilities at HITB 2010

Windows memory protections!

OK, so now we are going back to user-land, this time with memory protections!

Due to lots of generic exploitation methods as well as lots of worms, Microsoft decided to use memory protections at the hardware and software layers. So starting from Windows XP SP2 (Windows XP Tablet PC Edition 2005) and Windows Server 2003 Service Pack 1 (OS level), and from Visual Studio 2003 (compiler level), lots of memory protection functionality was added.

Here I’m going to give a brief history of them, and then I will introduce great researchers and their research against memory protections.

1- Data Execution Prevention (DEP)

DEP is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.

There is hardware-enforced DEP for CPUs that can mark memory pages as non-executable, and software-enforced DEP, with limited prevention, for CPUs that do not have hardware support.

In Windows XP SP2 and Windows 2003 SP1 and SP2 you can access the DEP setting by editing the /noexecute switch in boot.ini.

There are four options:

1- OptIn: DEP is only enabled for Windows services and the necessary system programs.

2- OptOut: DEP is enabled for all Windows services and all installed 3rd-party programs, but you can add some processes as exceptions from the Control Panel.

3- AlwaysOn: fully protected by DEP; no exceptions are accepted.

4- AlwaysOff: go to hell, DEP; turns DEP off.

Most CPUs made after 2004 (AMD, Intel) support hardware DEP.

read more on DEP: http://support.microsoft.com/kb/875352

/GS (Buffer Security Check)

/GS (a.k.a. the stack cookie) is a compiler option added in Visual Studio 2003 that detects some buffer overruns that overwrite the return address, a common technique for exploiting code that does not enforce buffer size restrictions. This is achieved by injecting security checks into the compiled code.

So by using the /GS flag, the compiler adds the __security_init_cookie() function to your program, and each time you overwrite a function’s return address you actually overwrite the cookie as well (it sits between the local buffers and the return address), so the cookie comparison fails, the process is terminated and you can’t use your return address.

for more detail read: http://msdn.microsoft.com/en-us/library/Aa290051
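To make the /GS mechanism concrete, here is an added model of a protected frame (my own example, not Microsoft’s CRT code): the cookie sits between the local buffer and the return address, so an overflow that reaches the return address is caught by the epilogue check. The names, the seed and the addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a /GS-protected stack frame (our own names, not the
 * CRT's). The cookie sits between the locals and the saved EBP / return
 * address, so a linear overwrite that reaches the return address has to
 * change the cookie on the way. */
typedef struct {
    char      buf[16];      /* the poorly bounds-checked local buffer */
    uintptr_t cookie;       /* __security_cookie XOR frame address */
    uintptr_t saved_ebp;
    uintptr_t ret_addr;
} gs_frame_t;

static uintptr_t security_cookie;   /* process-wide, set once at startup */

/* Model of __security_init_cookie(): the real CRT mixes tick count, process
 * and thread ids and the performance counter; a constructed seed is used here. */
void security_init_cookie(uintptr_t seed) {
    security_cookie = seed ^ 0x5A5A5A5Au;
}

/* Prologue: XORing with the frame address gives every frame its own value. */
static void gs_prologue(gs_frame_t *f, uintptr_t ret) {
    f->cookie    = security_cookie ^ (uintptr_t)f;
    f->saved_ebp = 0xBFFF0000u;     /* constructed saved frame pointer */
    f->ret_addr  = ret;
}

/* Epilogue check, as __security_check_cookie() does right before 'ret'.
 * Returns 1 if the cookie is intact, 0 if the frame has been smashed. */
int security_check_cookie(const gs_frame_t *f) {
    return f->cookie == (security_cookie ^ (uintptr_t)f);
}

/* The bug: copies 'len' bytes into buf with no length check. Clamped to the
 * frame size so the model never writes outside its own struct; a real
 * overflow would keep going into the caller's frame. */
static void unchecked_copy(gs_frame_t *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);   /* buf sits at offset 0 */
}

/* Runs the model on 'len' constructed 0x41 bytes. Returns 0 when the frame
 * returns normally with its return address intact, 1 when the /GS check fires
 * (the real CRT then calls __report_gsfailure and terminates the process),
 * 2 if the return address changed while the cookie stayed intact, which a
 * linear overflow can never achieve. */
int gs_demo(size_t len) {
    const uintptr_t original_ret = 0x00401000u;   /* constructed */
    unsigned char in[64];
    gs_frame_t f;
    memset(in, 0x41, sizeof in);
    if (len > sizeof in) len = sizeof in;
    security_init_cookie(0x1234ABCDu);
    gs_prologue(&f, original_ret);
    unchecked_copy(&f, in, len);
    if (!security_check_cookie(&f)) return 1;
    return f.ret_addr == original_ret ? 0 : 2;
}
```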

/SAFESEH

A linker option (and also system functionality) added in Visual Studio 2005. When a program is linked with /SAFESEH, the file header contains a table of acceptable exception handlers, so each time an exception occurs and an attacker has overwritten an exception handler record with a handler that is not in that table, the ntdll dispatcher will notice this and terminate program execution.

for more detail read: http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx

ASLR

Windows Vista, Server 2008 and Windows 7 offer yet another built-in security technique (like PaX), which randomizes the base addresses of executables, DLLs, stack and heap in a process’s address space (in fact, it will load the system images into 1 out of 256 random slots, it will randomize the stack for each thread, and it will randomize the heap as well).
In simple terms: if you want to use an address in one of the system DLLs, after your target system restarts that address has changed and is not valid anymore, so exploitation will fail again.

for more detail read: here

SEHOP

Used in most modern Windows operating systems like 2008 and 7. The idea behind this new mitigation comes from Matt Miller’s article called Preventing the Exploitation of SEH Overwrites. For a detailed explanation of this protection just read the following link:

http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx
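An added model (my own example, not ntdll’s code) of the two SEH checks described above, /SAFESEH and SEHOP: the handler-table lookup, and the chain walk that must stay on the stack and end at FinalExceptionHandler. The table entries, handler addresses and the FinalExceptionHandler value are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the SEH registration chain on the stack and the two
 * checks described above (our own names and addresses, not ntdll's). */
typedef struct exc_reg {
    struct exc_reg *next;      /* next record; the real chain ends with -1 */
    uintptr_t       handler;   /* address of the handler function */
} exc_reg_t;

#define CHAIN_END ((exc_reg_t *)(uintptr_t)-1)

/* /SAFESEH: the linker records every legitimate handler of the image in a
 * table; these two addresses are constructed stand-ins. */
static const uintptr_t safe_handler_table[] = { 0x00401A00u, 0x00402B10u };

/* SEHOP: the chain must end in ntdll's FinalExceptionHandler. Constructed
 * value; with ASLR the real one differs on every boot. */
#define FINAL_HANDLER 0x7C9032A8u

/* /SAFESEH check: accept a handler only if it is in the image's table. */
int safeseh_allows(uintptr_t handler) {
    size_t n = sizeof safe_handler_table / sizeof *safe_handler_table;
    for (size_t i = 0; i < n; i++)
        if (safe_handler_table[i] == handler) return 1;
    return 0;
}

/* SEHOP check: every record must lie inside the thread's stack and be
 * pointer-aligned, and the walk must reach the terminator with
 * FinalExceptionHandler as the last handler. Returns 1 if valid, 0 if not. */
int sehop_chain_valid(const exc_reg_t *first, uintptr_t stack_lo, uintptr_t stack_hi) {
    const exc_reg_t *r = first;
    for (int hops = 0; r != CHAIN_END && hops < 1000; hops++) {
        uintptr_t a = (uintptr_t)r;
        if (a < stack_lo || a + sizeof *r > stack_hi) return 0;  /* off the stack */
        if (a % sizeof(void *) != 0) return 0;                   /* misaligned */
        if (r->next == CHAIN_END) return r->handler == FINAL_HANDLER;
        r = r->next;
    }
    return 0;   /* empty chain or a cycle: no final handler reached */
}

/* Builds a three-record chain in a constructed "stack" array and, when
 * 'overwrite' is set, clobbers the middle record the way an overflow past it
 * would. Returns 1 if the dispatcher would accept the chain, 0 if refused. */
int seh_demo(int overwrite) {
    exc_reg_t stack[3];
    uintptr_t lo = (uintptr_t)stack, hi = lo + sizeof stack;
    stack[0].next = &stack[1]; stack[0].handler = 0x00401A00u;
    stack[1].next = &stack[2]; stack[1].handler = 0x00402B10u;
    stack[2].next = CHAIN_END; stack[2].handler = FINAL_HANDLER;
    if (overwrite) {
        stack[1].next    = (exc_reg_t *)(uintptr_t)0x41414141u;
        stack[1].handler = 0x41414141u;
    }
    /* Image handlers go through the table; the final record is ntdll's and
     * is covered by the chain walk. Either check alone rejects the overwrite. */
    return safeseh_allows(stack[0].handler) && safeseh_allows(stack[1].handler)
        && sehop_chain_valid(&stack[0], lo, hi);
}
```

The chain walk only helps while FINAL_HANDLER is not predictable, which is why SEHOP needs ASLR alongside it.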

Heap Protection

Microsoft also introduced some new heap protections like the heap metadata cookie, safe unlinking and, in newer systems (after Vista), function pointer obfuscation and so on.
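An added model (my own example, not the heap manager’s source) of the unlink write4 from the classic heap overflow section above and of the safe-unlinking check that was added against it; the list layout and the victim slot are constructed.

```c
#include <stddef.h>

/* Constructed model of a free-list entry and its unlink (our own names, not
 * the heap manager's). */
typedef struct list_entry {
    struct list_entry *Flink;   /* forward link */
    struct list_entry *Blink;   /* backward link */
} list_entry_t;

/* The classic unlink: two pointer writes that trust both links. With a
 * corrupted entry the first write is exactly the write4 described earlier:
 * the value of Flink (the "what") lands at Blink (the "where"). */
void unlink_unchecked(list_entry_t *e) {
    list_entry_t *f = e->Flink, *b = e->Blink;
    b->Flink = f;
    f->Blink = b;
}

/* Safe unlinking (XP SP2 and later): unlink only if both neighbours still
 * point back at 'e'. Returns 1 on success, 0 when corruption was detected
 * (the real heap then flags the heap as corrupt instead of writing). */
int unlink_safe(list_entry_t *e) {
    list_entry_t *f = e->Flink, *b = e->Blink;
    if (f->Blink != e || b->Flink != e) return 0;
    b->Flink = f;
    f->Blink = b;
    return 1;
}

/* Builds head <-> a <-> b <-> c and unlinks b with the safe version.
 * Returns 1 if the list is still consistent afterwards. */
int unlink_intact_demo(void) {
    list_entry_t head, a, b, c;
    head.Flink = &a; a.Blink = &head;
    a.Flink = &b;    b.Blink = &a;
    b.Flink = &c;    c.Blink = &b;
    c.Flink = &head; head.Blink = &c;
    return unlink_safe(&b) == 1 && a.Flink == &c && c.Blink == &a;
}

/* Same list, but b's links have been overwritten (as an overflow out of a
 * would do): Blink -> a constructed 'victim' slot standing in for a function
 * pointer, Flink -> the value to plant there. Returns 1 if the victim slot
 * was overwritten, 0 if it survived. */
int unlink_corrupt_demo(int use_safe) {
    list_entry_t head, a, b, c;
    list_entry_t victim = { NULL, NULL };   /* the "where" */
    list_entry_t what   = { NULL, NULL };   /* the "what"; a real object so the model can't fault */
    head.Flink = &a; a.Blink = &head;
    a.Flink = &b;    b.Blink = &a;
    b.Flink = &c;    c.Blink = &b;
    c.Flink = &head; head.Blink = &c;
    b.Flink = &what;
    b.Blink = &victim;
    if (use_safe) unlink_safe(&b);
    else          unlink_unchecked(&b);
    return victim.Flink == &what;
}
```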

==================================================

Advanced Windows Exploitation (bypassing filters and protections)

After 2005 exploitation got harder and harder, and the number of public and “white-hat” hackers who could make a reliable multi-platform exploit for a modern Windows OS was not large.

In this section I want to review the most interesting research against protections.

1- Third Generation Exploitation: smashing the heap on 2k by Halvar Flake in 2002

http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt

Windows 2k heap exploitation.

2- Chris Anley wrote Creating Arbitrary Shellcode In Unicode Expanded Strings

http://www.net-security.org/dl/articles/unicodebo.pdf

This was the first public article about Unicode-based shellcode, which is also known as “Venetian” shellcode. The method explained in this paper was good enough for making ASCII shellcodes too.

3- Dave Aitel, Advanced Windows Exploitation, in 2003

http://www.immunityinc.com/downloads/immunity_win32_exploitation.final2.ppt

In that talk Dave talked about not-so-typical Windows exploitation and started making the game more advanced.


4- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by David Litchfield

http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf

This paper was actually the first detailed paper about abusing SEH (the structured exception handler) as a generic way to bypass /GS, and right now lots of public exploits use this method, so it can also be called one of the most important pieces of research in Windows exploitation history.

5- Reliable Heap Exploits (Matt Conover at CanSecWest 2004) and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)

http://cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt

I think that was one of the most important heap-related pieces of research in the history of Windows exploitation: a great and gentle introduction to overwriting a chunk on the lookaside list to bypass safe unlinking, and it also gives lots of great information about Windows heap manager internals.

6- later in 2004 Matt Miller wrote an article called Safely Searching Process Virtual Address Space

http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

This article was the first great public article about using egg-hunter shellcode. It is about the case where we have limited space for our shellcode but can store our big, main shellcode somewhere else in memory. It can also be called a practical introduction to searching shellcodes.

7- later in 2004 SkyLined wrote an IE exploit and used a technique called Heap Spray

http://www.exploit-db.com/exploits/612

Heap spray is one of the most important techniques even in modern exploitation. Code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’ heap and fill the bytes in these blocks with the right values. It commonly takes advantage of the fact that these heap blocks will be in roughly the same location every time the heap spray is run.

For a few years heap spray was just used from JavaScript, and mostly in browsers, but today modern attackers are using anything possible to allocate more heap for spraying, like ActionScript, Silverlight, BMP files and so on, and not just in browsers! From my point of view heap spray is like cheating in modern exploitation!

8- Bypassing Hardware-enforced DEP by skape (Matt Miller) and Skywing (Ken Johnson) (in October 2005)

http://www.uninformed.org/?v=2&a=4&t=pdf

Yay! They finally did it: hardware-enforced DEP bypassed by using a return-to-libc style attack. In simple terms, the problem was not in the CPU; the weakness was in the Windows API that was used for setting DEP for various processes, and that API was NtSetInformationProcess. But there were some small problems in that article, like they forgot to mention that we need to have EBP always writable, and so on.

9- Exploiting Freelist[0] On XP Service Pack 2 by Brett Moore (Dec 2005)

download here

This was another great example of bypassing heap protections by using Freelist[0], and it is really useful in some cases.

10- later in 2005 Matt Miller published a great article called Kernel-mode Payloads on Windows in Uninformed

http://www.uninformed.org/?v=3&a=4&t=pdf

This article was a great article about porting exploits to kernel-land.

11- in 2006 Johnny Cache, HD Moore and Matt Miller released Exploiting 802.11 Wireless Driver Vulnerabilities on Windows

http://www.uninformed.org/?v=6&a=2&t=pdf

A good example of real-world driver exploitation.

12- in 2007 Ruben Santamarta wrote Exploiting Common Flaws In Drivers

Read it here

Note that before Ruben we can find lots of great research on this topic, but Ruben made it different. He made a tool called Kartoffel, which is a great driver fuzzer for finding IOCTL vulnerabilities in drivers. But Kartoffel was not the main reason it was different.

After he wrote Kartoffel and published lots of detailed advisories for various vendors’ drivers, Windows driver exploitation picked up speed and became one of the focus areas in exploitation.

13- Heap Feng Shui in JavaScript by Alexander Sotirov (2007)

http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf

Notable improvements to SkyLined’s heap spray technique. Heap spray was good, but blind and not so reliable in some cases. Heap Feng Shui is great research about doing advanced FU on the heap (heap manipulation); it will give you more control over the heap.

14- Understanding and bypassing Windows Heap Protection by Nicolas Waisman (2007)

http://kkamagui.springnote.com/pages/1350732/attachments/579350

Nico is one of the few guys who focused on the Windows heap; he also developed Immunity Debugger’s heaplib and did lots of great heap-related research. He is one of the world’s leading heap researchers!

15- Heaps About Heaps by Brett Moore (in 2008)

http://www.insomniasec.com/publications/Heaps_About_Heaps.ppt

That was one of the most complete pieces of research about the heap. Yes, it is just a few slides, but a great hint if you want to do something on the heap!

16- Bypassing browser memory protections in Windows Vista by Mark Dowd and Alex Sotirov (in 2008)

http://taossa.com/archive/bh08sotirovdowd.pdf

One of the greatest pieces of exploitation-related research, with a focus on bypassing browser memory protections in Vista.

A great generic .NET shellcode trick (loading a .NET DLL and using shellcode in it), Java spraying, a deep look into combined protections and great ways of bypassing them.

17- Attacking the Vista Heap by Ben Hawkes (in 2008)

http://www.ruxcon.org.au/files/2008/hawkes_ruxcon.pdf

Great research about Vista heap internals and some ways of bypassing Vista heap protections.

18- Return-Oriented Programming: Exploitation without Code Injection by Hovav Shacham (and others) (in 2008)

http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf

Not such a new technique; it’s just code reuse! But a great official introduction to Return-Oriented Programming, now known as ROP. This technique is great for bypassing permanent DEP (Vista / 7 / 2008).

19- Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for Windows 2k3 and 2k8 (2008)

http://www.argeniss.com/research/TokenKidnapping.pdf

20- Defeating DEP the Immunity Way by Pablo Sole (2008)

http://www.immunityinc.com/downloads/DEPLIB.pdf

The first automation of ROP. That’s it ;)

21- Practical Windows XP/2003 Heap Exploitation (BH 2009) by John McDonald and Chris Valasek.

http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf

If you want to write a heap exploit for a modern OS, you should read this one. The most complete heap-related article.

22- Bypassing SEHOP by Stefan Le Berre and Damien Cauquil (in 2009)

http://www.sysdream.com/articles/sehop_en.pdf

Cool and good research! But ASLR makes it not so useful, because SEHOP is only really effective together with ASLR (SEHOP = SEHOP + ASLR).

23- Interpreter Exploitation: Pointer Inference and JIT Spraying by Dionysus Blazakis (2010)

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf

Great! Exploitation is still alive. A generic exploitation method for bypassing DEP and ASLR together. If you read and understand it you can write lots of exploits for Windows 7!

24- write-up of Pwn2Own 2010 by Peter Vreugdenhil (2010)

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

A great and short article about how to own DEP+ASLR without any 3rd-party plugin

(he used two vulnerabilities and it took around 4 minutes)

25- Ruben Santamarta, All in One 0day, presented at RootedCON (2010)

http://wintercore.com/downloads/rootedcon_0day_english.pdf

Some great ideas for bypassing the IE XSS Filter and Protected Mode; not exploitation-specific, but great for combining with other exploitation methods.

=========================================================
