[h2hc] generic exploitation of invalid memory writes
DESCRIPTION
Talk generic exploitation of invalid memory writes as given in Sao Paulo at the h2hc 2010 Conference.TRANSCRIPT
![Page 1: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/1.jpg)
Jonathan BrossardCEO – Toucan System
Generic exploitation of invalid memory writes
![Page 2: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/2.jpg)
Agenda
•The case of invalid writes
Determining the type of error
Taxonomy of invalid memory access
Memory permissions
Introduction
![Page 3: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/3.jpg)
Introduction
Maybe you did some fuzzing and found some bugs ?
Welcome in 2010 : exploitation is more difficult than finding trivial bugs.
The goal of this talk is to detail (and automate !) the steps to successful exploitation of invalid memory writes.
![Page 4: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/4.jpg)
Memory permissions
This is the key to modern exploitation...
![Page 5: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/5.jpg)
Memory permissions
Under x86 : permissions are set at MMU (+ Kernel) level using three flags :
R : read permissionW : write permissionX : execution permission
5 years back, everything was in fact +X !!
![Page 6: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/6.jpg)
Memory permissions
Where to get my shellcode executed in memory ??
Alternatively (when not using shellcode) : where to return in memory to execute something usefull (think ROP).
![Page 7: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/7.jpg)
Memory permissions
What is or not executable depends on :- your cpu (NX flag) + BIOS Config.- your kernel (PaX, PAE...) and more
globally your toolchain.- the dynamic loader (shared libs).
![Page 8: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/8.jpg)
DEMO
Using readelf and /proc/pid/maps to check what permissions should be.
Using paxtest to verify what is actually executable or not.
![Page 9: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/9.jpg)
Taxonomy of invalid memory access
What's the impact of this bug ?
int main(int argc, char **argv){printf(argv[1]) ;return 0;
}
![Page 10: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/10.jpg)
Exemple 1
Truth is : we can't know from C source : we have to check at instruction level to see if the c library was actually built with a write primitive...
![Page 11: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/11.jpg)
Segfault at...
mov DWORD PTR [eax], edx
eax 0x4000e030ecx 0xbffff848edx 0x0ebx 0x40199ff4
=> Invalid write.
![Page 12: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/12.jpg)
(more complex) exemple:
fld QWORD PTR [eax+0x8]
=> Read ? Write ? Both ??
![Page 13: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/13.jpg)
DEMO
Triggering the bug in xpdf
Determining the error type of complex bugs using valgrind
![Page 14: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/14.jpg)
Summarizing
At instruction level, an invalid memory access can be of three kinds :
- invalid read- invalid write- invalid exec
![Page 15: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/15.jpg)
Exploiting invalid exec
Trivial if jump location is user controled.eg : call [eax]
Exploitation strategy :Have eax pointing to our shellcode
![Page 16: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/16.jpg)
Exploiting invalid exec (2/2)
Fairly rare in userland
Used to be a major problem in kernel land (invalid Null ptr dereference in exec mode from kernel land). First page not mappable without privs
since kernel 2.6.23
![Page 17: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/17.jpg)
Exploiting invalid reads
Cannot hijack control flow directly :(
Exploitation strategy:- Either use no memory corruption (eg :
information leakage)- Or trigger a bug latter in the code (either
invalid exec or invalid write)- … Or it is just plain non exploitable :(
![Page 18: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/18.jpg)
Exploiting invalid writes
This is the meat !
Exploitation strategy :- Either overwrite important data (eg :
tast_struct->uid in kernel land)- Or try to hijack the control flow
![Page 19: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/19.jpg)
The case of invalid writes :different levels of control
X86 allows accessing either :- 8 bytes- 4 bytes (most instructions)- 2 bytes- 1 byte
![Page 20: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/20.jpg)
The case of invalid writes :different levels of control
- If both destination and value are fully user controled : overwrite .dtors, liked list in at_exit, function pointers... (ideal case such as missing format strings, easy !)
- If only destination is user controled : attempt a pointer truncation on a given function pointer.
![Page 21: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/21.jpg)
Problem is...
Out of 3Gb of user land, how to find a suitable function pointer to overwrite
or truncate ?
![Page 22: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/22.jpg)
Exploitation strategy
- Dump the content of every section of the binary
- Parse the +W ones- Check for pointers to +X locations
=> exhaustive, reduced list of potential candidates.
Then chose one based on actual binary constraints (will truncation point to a user controled location ?)
![Page 23: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/23.jpg)
DEMO
Triggering an invalid write in Opera
Using livedump to chose potential candidates
![Page 24: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/24.jpg)
Memory alignement
Most Intel instructions only allow reads/writes on aligned boundaries.
Typically : 4b aligned memory
![Page 25: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/25.jpg)
(Common) Worst case scenario
If only 0x00000000 can be written, in 4b aligned memory locations...
=> Then pointer truncation won't be possible on 4b aligned sections :-(
![Page 26: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/26.jpg)
Naive exploitation strategy
- Trigger the bug- set a signal handler for signal 5 which re
enables single stepping- set the « trap » cpu flag
=> Single step until exit and monitor unaligned reads/writes.
=> Slow, painfull, per thread :(
![Page 27: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/27.jpg)
Elite exploitation strategy with livedump
- Trigger the bug- set the « align » cpu flag- setup a signal handler for SIGBUS
=> every read/write to unaligned memory will be trapped and give potential truncation candidates
![Page 28: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/28.jpg)
DEMO
Using livedump to detect unaligned memory access
![Page 29: [h2hc] Generic exploitation of invalid memory writes](https://reader035.vdocuments.us/reader035/viewer/2022062405/5584c6b7d8b42ae5138b48af/html5/thumbnails/29.jpg)
Questions ?
Thank you for coming