Intro to Windows Exploit Techniques for Linux PWNers


Atum

About me

• Atum
• @blue-lotus
• @TeaDeliverers
• @PekingUniversity

• Keywords: Software Security, System Security
• CTF PWNer, Weak Chicken


Outline

• Basics
• Windows Exploit Toolchains
• Windows Security Mitigations
• Linux Exploit Techniques on Windows
• Windows-only Exploit Techniques

Basics

PE/COFF File Format
• DOS Header
  • MZ signature
• PE File Header
  • Entry Point
  • Data Directory
• Section Table
  • Table of Section Headers

Basics

PE/COFF File Format
• Import Address Table
  • Similar to the ELF GOT
  • Read-only
• Export Address Table
  • Exported functions of a module
  • Read-only

Basics

Important DLLs
• ntdll.dll
  • Interface between user space and the kernel
  • Exports the Windows Native API
  • Resides in write-protected pages; shares its base among all processes
• kernel32.dll
  • Imports ntdll.dll
  • Exports the Windows API
  • Resides in write-protected pages; shares its base among all processes
• msvcrXXX.dll
  • Microsoft C runtime library (similar to glibc)

Windows Exploit Toolchains

General Tools
• Cygwin
  • A bash environment on Windows
• Pwintools
  • A simple script used to interact with executables, like pwntools
• Process Explorer
  • An enhanced version of tasklist
• Visual Studio
  • Developer Command Prompt

Windows Exploit Toolchains

Debuggers
• WinDbg
  • Recommended, very powerful
• IDA Pro Debugger
  • A debugger front-end that supports multiple backends such as gdb and WinDbg
• OllyDbg
  • Easy and powerful, but cannot debug x64 programs
• x64dbg
  • Similar to OllyDbg and can debug x64 programs, but short of plugins

Windows Security Mitigations

General Exploit Mitigations
• DEP
• ASLR
• CFG

Windows Security Mitigations

DEP
• NX on Linux
• Bypassed by
  • ROP
  • JIT pages, VirtualProtect, etc.

Windows Security Mitigations

ASLR
• Slightly different from PIE & ASLR on Linux
• Image randomization: the base changes every time the system boots
• TEB/PEB/heap/stack randomization: the base changes every time a process starts
• Some kernel-related DLLs (such as ntdll.dll, kernel32.dll) share their base among all processes
• Bypassed by
  • Info leak (cross-process is OK)
  • Brute force (Win7 x64, Win10 x86)
  • Attacking non-ASLR images or top-down allocation (Win7)

Windows Security Mitigations

Control Flow Guard
• All indirect calls are checked against a predefined read-only bitmap
• Attacking vtables is history now
• Bypassed by
  • Overwriting values CFG does not protect (return address, SEH handler, etc.)
  • Overwriting function pointers in a module with CFG disabled
  • COOP++
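To see the structures the Basics slides list and the DllCharacteristics bits behind DEP, ASLR and CFG, here is an added Python example (not code from the talk) that walks the DOS header, PE signature, COFF/optional header, data directories and section table of a constructed, headers-only PE32+ image and reports which mitigations the module opted into. The flag values are the documented IMAGE_DLLCHARACTERISTICS_* constants; the sample image, its section layout and its directory RVAs are constructed.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits a linker sets to opt a module into these mitigations
DLL_FLAGS = {"DEP (NX_COMPAT)": 0x0100, "ASLR (DYNAMIC_BASE)": 0x0040,
             "64-bit ASLR (HIGH_ENTROPY_VA)": 0x0020, "CFG (GUARD_CF)": 0x4000,
             "NO_SEH": 0x0400}
DIR_NAMES = {0: "export", 1: "import", 10: "load_config", 12: "iat"}

def parse_pe(data):
    """DOS header -> PE signature -> COFF/optional header -> data directories -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]     # DllCharacteristics
    n_off, d_off = (108, 112) if magic == 0x20B else (92, 96)
    ndirs = struct.unpack_from("<I", data, opt + n_off)[0]
    dirs = {DIR_NAMES.get(i, i): struct.unpack_from("<II", data, opt + d_off + 8 * i)
            for i in range(ndirs)}                            # (RVA, size) per directory
    sections = []
    for i in range(nsec):                                     # section table follows the optional header
        s = opt + opt_size + 40 * i
        name, vsize, va = struct.unpack_from("<8sII", data, s)
        chars = struct.unpack_from("<I", data, s + 36)[0]     # IMAGE_SCN_* flags (R/W/X)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, chars))
    return {"machine": machine, "entry": entry, "dirs": dirs, "sections": sections,
            "mitigations": {k: bool(dllchar & v) for k, v in DLL_FLAGS.items()}}

def build_sample(dllchar):
    """Constructed minimal PE32+ image (headers only, no code); not a real binary."""
    opt = bytearray(240)                                      # 112-byte fixed part + 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x1000)                   # entry point lies in .text
    struct.pack_into("<Q", opt, 24, 0x140000000)              # preferred ImageBase
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112, 0x3000, 0x80)           # export table RVA, size
    struct.pack_into("<II", opt, 120, 0x2000, 0x40)           # import table RVA, size
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0, 0, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rdata", 0x100, 0x2000, 0, 0, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)         # e_lfanew at offset 0x3C
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
```

`parse_pe(build_sample(0x0160))` describes a module with DEP and high-entropy ASLR but no CFG, which is the kind of gap a defender looks for when triaging which loaded modules leave the mitigations above unenforced.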

Windows Security Mitigations

Stack-Based Vulnerability Mitigations
• GS
• SafeSEH
• SEHOP

Windows Security Mitigations

GS
• Similar to a stack canary
• Bypassed by
  • Corrupting SEH (x86)
  • Stack underflow
  • Non-linear write

Windows Security Mitigations

SafeSEH (x86)
• Checks whether the handler is valid before calling the exception handler
• Bypassed by
  • Corrupting the handler to point into an image that uses SEH but was built without SafeSEH

Windows Security Mitigations

SEHOP (x86)
• Checks whether the SEH chain ends with ntdll!FinalExceptionHandler
• Bypassed by
  • Leaking a stack address and recovering the SEH chain

Windows Security Mitigations

Heap-Based Vulnerability Mitigations
• Metadata check & hardening
• LFH allocation randomization
• VirtualAlloc randomization

Windows Security Mitigations

Metadata check & hardening
• Almost impossible to attack heap metadata
  • Safe unlink
  • Lookaside lists replaced with the LFH
  • Heap cookies & guard pages
    • Heap cookies are checked in some places, such as on entry free
    • Zero-permission guard pages after VirtualAlloc'd memory
  • Metadata encoding
  • Pointer encoding
    • Almost all function pointers are encoded, such as VEH, UEF, CommitRoutine, etc.
• Bypassed by
  • Overflowing user data

Windows Security Mitigations

Metadata check & hardening

Windows Security Mitigations

VirtualAlloc randomization
• Ptr = VirtualAlloc(size + random), return ptr + random

LFH allocation randomization
• GetNextFreedLFHBlock(random_start_index)
• Bypassed by
  • Allocating an LFH-unhandled size (larger than 0x4000)
  • Allocating an LFH-disabled size (a specific-sized LFH bucket is enabled only after the allocation count exceeds a threshold)
  • Heap spray
  • Brute force
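As an added illustration of the metadata hardening and its limit (not code from the talk): a toy heap whose chunk headers are XOR-encoded with a per-heap key and checksummed on free, modelled loosely on the encoded _HEAP_ENTRY rather than its real layout; the segment, key and sizes are constructed. It shows the cookie check catching a header overwrite at free time, while an overrun that reaches the neighbour's user data is never checked by the allocator.

```python
import os

class ToyHeap:
    """Toy model of NT heap entry hardening (not the real _HEAP_ENTRY layout): each chunk
    starts with an 8-byte header (size units, flags, checksum) that is XORed with a
    per-heap random key, and the checksum is verified when the chunk is freed."""
    def __init__(self, key=None):
        self.key = key or os.urandom(8)   # models _HEAP.Encoding, chosen at heap creation
        self.mem = bytearray(0x100)       # constructed heap segment
        self.top = 0

    def _encode(self, units, flags):
        lo, hi = units & 0xFF, units >> 8
        raw = bytes([lo, hi, flags, lo ^ hi ^ flags, 0, 0, 0, 0])   # byte 3 = checksum
        return bytes(a ^ b for a, b in zip(raw, self.key))

    def alloc(self, nbytes):
        units = (nbytes + 7) // 8 + 1     # header occupies one 8-byte unit
        off = self.top
        self.mem[off:off + 8] = self._encode(units, 0x01)   # HEAP_ENTRY_BUSY
        self.top += units * 8
        return off + 8                    # pointer handed to user code

    def free(self, ptr):
        raw = bytes(a ^ b for a, b in zip(self.mem[ptr - 8:ptr], self.key))
        lo, hi, flags, check = raw[:4]
        if check != lo ^ hi ^ flags:      # corrupted metadata decodes to garbage
            raise RuntimeError("heap corruption detected at header 0x%x" % (ptr - 8))
        return (lo | hi << 8) * 8         # chunk size in bytes

    def write(self, ptr, data):
        """Unchecked copy into a user buffer, like memcpy with a bad length."""
        self.mem[ptr:ptr + len(data)] = data

def overflow_demo(overflow_len, key=bytes.fromhex("5a3c9e17b2d4f081")):
    """Chunk a (16 bytes) is followed by chunk b. Returns (detected_on_free, b_data_changed)
    after writing overflow_len bytes into a; the fixed constructed key makes it deterministic."""
    h = ToyHeap(key)
    a, b = h.alloc(16), h.alloc(16)
    original = bytes(range(16))
    h.write(b, original)                  # b's user data, e.g. an object holding a pointer
    h.write(a, b"A" * overflow_len)       # 16 = in bounds, 24 = hits b's header, 32 = hits b's data
    changed = bytes(h.mem[b:b + 16]) != original
    try:
        h.free(b)
        return False, changed
    except RuntimeError:
        return True, changed
```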

Linux Exploit Techniques on Windows

General Exploit Techniques
• Heap metadata attack (off-by-one, house of xxx, xxx bin attack)
  • Hard, heap metadata are well protected on Windows
• Heap manipulation (heap feng shui or similar)
  • A little hard due to LFH allocation randomization
• Stack canary overwrite
  • OK, the stack cookie is in the .data section and writable

Linux Exploit Techniques on Windows

General Exploit Techniques
• Return-oriented programming
  • Sometimes hard, indirect calls are protected by CFG
• Disabling DEP via an mprotect-like function
  • OK, VirtualProtect on Windows
• System-call-style shellcode
  • Hard, Windows system calls are not well documented and vary by version

Linux Exploit Techniques on Windows

Information Leak Techniques
• Non-PIE binary / fixed binary base
  • Hard, the binary base changes every time the system reboots
• Leaking a shared object's base via GOT/GOT.PLT
  • OK, the IAT is still readable
• Dynamic-link related techniques such as DynELF, ret2dlresolve
  • No lazy binding, so ret2dlresolve-related techniques are unavailable
  • IAT/EAT are readable, so DynELF-like techniques are still available

Linux Exploit Techniques on Windows

Information Leak Techniques
• Leaking a stack address via a non-stack address (such as libc's environ)
  • OK, stack addresses can be leaked via the heap, TEB, etc.
• Leaking addresses via a format string bug
  • No $ sign, a little hard
• Leaking stack/SO/binary base addresses via an uninitialized stack buffer (OK)
• Leaking memory via __stack_chk_fail
  • Impossible, __report_gsfailure doesn't print anything

Linux Exploit Techniques on Windows

Control Flow Hijack Techniques
• GOT overwrite
  • Impossible, the IAT on Windows is read-only
• Internal function pointer overwrite (IO_FILE jump tables, free hook, etc.)
  • Hard, some function pointers are encoded or removed
    • UEF/VEH are encoded; PEB RtlEnterCriticalSection/RtlLeaveCriticalSection were removed
  • Some function pointers, such as SEH handlers, are still writable

Linux Exploit Techniques on Windows

Control Flow Hijack Techniques
• Vtable overwrite
  • Hard, CFG limits the overwritten value to a function start
• Return address non-linear overwrite (OK)
• User function pointer overwrite (OK)

Windows-only Exploit Techniques

Bypass GS via SEH (x86)
• What is SEH
  • For a function containing a try..except block, a VC_EXCEPTION_REGISTRATION struct is pushed onto the stack
• Overwrite the handler and trigger an exception to hijack control flow

Windows-only Exploit Techniques

Bypass GS by overwriting SEH
• Bypass SafeSEH
  • Corrupt the handler to point into an image with SEH but without SafeSEH (the only way, see ntdll.dll!RtlIsValidHandler)
• Bypass SEHOP
  • Leak a stack address and recover the SEH chain
  • A little hard
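Added example, not from the slides: a Python model of the two checks this slide and the SafeSEH/SEHOP slides describe, RtlIsValidHandler-style handler validation and the SEHOP walk of the registration chain to ntdll!FinalExceptionHandler, run over a constructed 32-bit stack image. Module ranges, addresses and the handler table are assumptions; the overrun cases show which check rejects a corrupted record and why a leaked stack address matters to the chain-recovery bypass above.

```python
# Constructed layout: a 32-bit stack, app.exe linked with /SAFESEH (it carries a table of its
# valid handlers) and ntdll, whose table holds FinalExceptionHandler (address is a stand-in).
STACK_LO, STACK_HI = 0x0019F000, 0x001A0000
FINAL_HANDLER = 0x77E3A000
END_OF_CHAIN = 0xFFFFFFFF
MODULES = [  # (name, base, end, SafeSEH handler table; None for an image built without it)
    ("app.exe", 0x00400000, 0x00410000, {0x00401234}),
    ("ntdll.dll", 0x77E00000, 0x77F00000, {FINAL_HANDLER}),
]

def handler_is_valid(handler):
    """SafeSEH model of RtlIsValidHandler: the handler must lie in a loaded image and, if that
    image registered a handler table, be listed in it; stack/heap addresses are rejected."""
    for _name, lo, hi, table in MODULES:
        if lo <= handler < hi:
            return table is None or handler in table
    return False

def check_seh_chain(mem, head):
    """SEHOP model: walk the EXCEPTION_REGISTRATION list from fs:[0] (head) through Next until
    0xFFFFFFFF. mem maps 32-bit addresses to dwords; a record is (Next at +0, Handler at +4)."""
    cur, last_handler = head, None
    for _ in range(64):                       # bound the walk; a cycle is corruption
        if cur == END_OF_CHAIN:
            break
        if cur % 4 or not (STACK_LO <= cur <= STACK_HI - 8):
            return False, "record 0x%08X is unaligned or not on the stack" % cur
        if cur not in mem or cur + 4 not in mem:
            return False, "record 0x%08X is unmapped" % cur
        last_handler = mem[cur + 4]
        if not handler_is_valid(last_handler):
            return False, "handler 0x%08X fails SafeSEH" % last_handler
        cur = mem[cur]
    else:
        return False, "chain too long or cyclic"
    if last_handler != FINAL_HANDLER:
        return False, "chain does not end at ntdll!FinalExceptionHandler"
    return True, "ok"

def sample_stack(corrupt=None):
    """Two records on a constructed stack: the frame of a function with try/except and the record
    ntdll installs at thread start. corrupt="handler"/"next" models a buffer overrun into the frame."""
    mem = {0x0019FF20: 0x0019FFC0, 0x0019FF24: 0x00401234,
           0x0019FFC0: END_OF_CHAIN, 0x0019FFC4: FINAL_HANDLER}
    if corrupt == "handler":
        mem[0x0019FF24] = 0x0040ABCD          # inside app.exe but absent from its handler table
    elif corrupt == "next":
        mem[0x0019FF20] = 0x41414141          # Next no longer points into the stack
    return mem
```

Only a record whose Next still leads through valid stack records to ntdll's final record passes the walk, which is why recovering the chain requires knowing where on the stack those records live.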

Windows-only Exploit Techniques

• x86 address brute-force
  • Only 8 bits of randomization entropy for x86 image & DLL bases
• Cross-binary leak
  • Some kernel-related DLLs (such as ntdll.dll, kernel32.dll) share their base among all processes
• Cross same-binary process leak
  • The image randomization base changes only when the system boots, so processes of the same binary share it
