Smashing the Stack with Hydra
Presented this at DEFCON 17
SMASHING THE STACK WITH HYDRA
Pratap Prabhu, Yingbo Song and Sal Stolfo
Columbia University Intrusion Detection Systems Lab
Overview
• Hydra is a polymorphic shellcode engine for x86.
• Goal: to bypass signature, statistical, and emulator-based IDS.
• Integrates several obfuscation techniques into one engine. Self-cipher, statistical mimicry, fork() code, and more...
[Diagram: stack layout before and after the overflow. The local variables and the saved EIP (address of the calling function) are overwritten by a buffer laid out as NOP SLED | PAYLOAD | RETURN ZONE; the overwritten EIP makes “ret” jump into the NOP sled.]
Polymorphic Shellcode
• IDS signatures: “\x90\x90\x90\x90”, “/bin/sh”
• Use an encoder and cipher the payload with a random key.
• Doesn’t work if the IDS can detect the decoder.
• What about statistical IDS which looks at byte distributions?
• Network emulator, and dynamic disassembly-based IDS?
Hydra Features
• NOP instructions generator.
• Recursive NOP sled.
• Randomized register selection and clearing.
• Randomized multi-layer ciphering.
• Inline junk code/data insertion.
• Multi-partite decoders.
• Multi-gram statistical mimicry.
• Randomized return zone.
• fork()’ing shellcode.
• Time-locked ciphering for anti-emulator and anti-disassembly.
• Alphanumeric encoding.
NOP Sled Obfuscation
• NOP doesn’t have to be \x90. ‘A’, ‘B’, ‘C’, .., ‘Z’ all work
• Hydra contains a “NOP generator” that can build a library of possible NOP instructions.
• Test method:
  – Add code to set up stack/register canary variables.
  – Add a sled built with the NOP instruction to be tested.
  – Add validation code to check stack/register variables.
  – Execute.
• Finds NOP equivalent instructions.
NOP Sled Obfuscation
• Not just single-byte NOPs. Multi-byte NOP instructions by way of recursive NOP. (Phrack, CLET)
• Find all 1-byte NOP instructions by brute-force, then find two-byte NOPs where the 2nd byte is a one-byte NOP. Repeat.
• Larger NOP instruction recursively contains smaller NOPs. Execution can land anywhere in the instruction.
NOP Sled Obfuscation
• Hydra utilizes two types of NOP instructions.
1. Basic NOP equivalent instructions which can be used to build a sled and safely pass execution into the payload.
2. NOPs which can be safely inserted between instructions.
• Second case: “State-safe” NOPs do not contain instructions which modify the stack, registers, control flow, etc.
• 1.9M total NOP equivalent instructions found. 30,000 state-safe NOPs.
Random register operations
• Different synonymous instructions per invocation.
• Hydra provides a large library of such instructions and a platform to add more.
• For some operations, the key used is randomly generated to further obfuscate the payload.
Two example ways to clear a register
Method 1:
mov reg, <key>
sub reg, <key>
Method 2:
push dword <key>
pop reg
sub reg, <key>
Multi-partite Decoding
• Hydra generates non-contiguous decoders.
• The padded decoder cipher loop is split apart and intermixed with the encoded payload.
• Currently only bi-partite decoding is implemented: half of the decoder instructions are in front of the payload, half after it.
• Decoder instructions jump between each other while decoding the payload.
Multi-Layer Ciphering
• Multiple cipher operations, subsets selected at random per invocation. Very useful technique (ADMmutate, CLET, ..)
• Random cipher operations: ROR/ROL, XOR, ADD/SUB, etc…
• Cipher order is random each time.
• A randomly chosen 32-bit key is generated per cipher.
• Six rounds of ciphering by default – user can specify number.
Inline Junk Code Insertion
• Hydra automatically adds space between instructions. Arbitrary data can be inserted:
[instr1][junk][instr2][junk][instr3][junk][instr4]
• Amount of data to be inserted can be specified.
• Can insert NOP instructions, anti-disassembly code, random junk, etc. The ciphers will skip these areas during decoding.
• Can also insert certain bytes for statistical mimicry.
Statistical Mimicry
• Statistical IDS – typically work by learning frequencies for normal content then detecting exploits as anomalies.
• Hydra uses machine learning-based techniques to make shellcode mimic normal traffic.
• Learn a statistical model for the distribution of n-grams within legitimate network content.
• Sample from this distribution, and use padding and inline padding (junk insertion) to skew the distribution of shellcode to appear normal.
Randomized Address Zone
• Sequence of repeated target addresses.
• Used to overwrite %ESP on the stack to point to NOP sled.
• An IDS can look for a structural signature such as the existence of NOP instructions and repeated numbers (sled + return zone.)
• Break signatures by adding random offsets to each address element in the return address zone.
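The structural check this slide describes, as an added example in Python (not Hydra's or the authors' code): it looks for a long run of NOP-equivalent bytes followed by a run of repeated 4-byte values, and shows that the exact-repeat signature misses a return zone whose elements carry small offsets unless the comparison tolerates a window. The NOP byte set, the window and repeat thresholds, and the sample buffers are assumptions constructed for the example.

```python
import struct

# Constructed NOP-equivalent set: \x90 plus the single-byte 'A'..'Z'
# instructions the slides mention (inc/dec/push/pop on x86).
NOP_BYTES = {0x90} | set(range(ord("A"), ord("Z") + 1))

def longest_nop_run(data: bytes):
    """Return (start, length) of the longest run of NOP-equivalent bytes."""
    best_start = best_len = cur_start = cur_len = 0
    for i, b in enumerate(data):
        if b in NOP_BYTES:
            if cur_len == 0:
                cur_start = i
            cur_len += 1
            if cur_len > best_len:
                best_start, best_len = cur_start, cur_len
        else:
            cur_len = 0
    return best_start, best_len

def repeated_dword_run(data: bytes, window: int = 0, min_repeats: int = 4) -> int:
    """Longest run of consecutive little-endian dwords (tried at all four
    alignments) whose neighbours differ by at most `window`. window=0 is the
    classic 'repeated number' return-zone signature; a positive window also
    catches a return zone whose elements carry small random offsets."""
    best = 0
    for align in range(4):
        vals = [struct.unpack_from("<I", data, i)[0]
                for i in range(align, len(data) - 3, 4)]
        run = 1
        for prev, cur in zip(vals, vals[1:]):
            run = run + 1 if abs(cur - prev) <= window else 1
            best = max(best, run)
    return best if best >= min_repeats else 0

def sled_and_return_zone(data: bytes, min_sled: int = 16, window: int = 0) -> bool:
    """Flag a buffer with a NOP run of at least min_sled bytes followed by a
    run of (near-)identical dwords, i.e. the sled + return zone structure."""
    start, length = longest_nop_run(data)
    if length < min_sled:
        return False
    return repeated_dword_run(data[start + length:], window) > 0

# Constructed sample buffers (no real exploit content): a classic layout and
# one whose return zone carries small per-element offsets.
BASE = 0xBFFFF400
CLASSIC = b"\x90" * 32 + struct.pack("<I", BASE) * 8
OFFSETS = [3, 17, 0, 40, 9, 22, 61, 5]
RANDOMIZED = b"A" * 32 + b"".join(struct.pack("<I", BASE + o) for o in OFFSETS)
TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n" * 4
```

With window=0 the RANDOMIZED buffer is not flagged; a tolerance on the order of the offset range (here 64) restores the match, at the cost of a higher false-positive rate on data that happens to contain runs of nearby integers.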
Time-Cipher Shellcode
• Emulator IDS? Build stripped down x86 emulator and dynamically execute ALL network traffic. Look for self-decryption behavior and/or large basic blocks.
• Solution? Use syscall-based ciphering. Exploit the fact that emulators can’t handle full OS functionality.
• Hydra uses the time() syscall. Most significant bits used as key to decode the main cipher instructions (ROR, XOR, etc).
• Syscall not handled? Time runs out? Shellcode is decoded incorrectly – no polymorphic behavior is observed.
Time-Cipher Shellcode
• Good for a user-defined period of time. User can adjust the “shell-life” window by the number of bits used.
• Network IDS can’t emulate all possible syscalls.
• Time-ciphered shellcode will pass through the emulators and arrive on the target host where the syscalls can be handled.
• Bypasses some emulator and disassembly based methods, and slows down human reverse engineers.
Forking Shellcode
• Exploit could cause the target process to hang. Not good – could be picked up by an IDS. Graceful recovery (Skyler, CanSecWest ’09.)
• Solution: fork()’ing shellcode. Child executes payload, parent attempts to recover the exploited process.
• Recovery is hard – correct %EIP is normally lost during exploit.
• Need to know target process address space – relative offset.
• Hydra fork()s your shellcode for you automatically.
Alphanumeric Encoding
• Hydra also incorporates the alpha2 encoder.
• Automatically selects alphanumeric NOPs from the NOP generator to construct sled. Choice of more than 4000 ASCII instructions.
• Alpha NOPs are inserted in between decoder instructions and shellcode to further obfuscate both content and size.
• Modular nature of the engine allows the Alpha encoding to combine with all of the other options.
[Diagram comparing layouts. Traditional shellcode: NOP SLED | PAYLOAD | RETURN ZONE. Hydra shellcode: RECURSIVE SLED, DECODER halves around the PAYLOAD, Mimicry Bytes intermixed, Randomized RETURN ZONE; the Time-lock Cipher, Fork() and ALPHA DECODER components are shown alongside.]
• Hydra is designed to be modular.
• Shellcode and mimicry bytes intermixed.
• Only ciphers shellcode instructions, mimicry bytes kept in the clear.
DEMO
THANK YOU DEFCON
Code to be released in the future.
Pratap Prabhu ([email protected]) Yingbo Song ([email protected]) Salvatore Stolfo ([email protected])
Statistical Mimicry
• Hydra accepts “training samples” for normal data and learns models for normal traffic.
• Inline-pad shellcode to make it look statistically similar.
Song, et al. Machine Learning Journal. 2009.
Markov chains and Monte-Carlo simulation.
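An added example in Python (not Hydra's or the authors' code) of the n-gram statistical model that both Statistical Mimicry slides describe: it learns the byte n-gram distribution of constructed "normal" HTTP samples, scores a buffer by its L1 distance from that model, and then interleaves model-sampled bytes into a constructed high-byte blob to show how far inline mimicry padding pulls a 1-gram score toward normal. The sample traffic, the L1 distance, and the pad ratio are assumptions for the example.

```python
from collections import Counter
import random

def ngrams(data: bytes, n: int) -> Counter:
    """Count the n-byte substrings (n-grams) of a byte string."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))

def train_model(samples, n: int = 1) -> dict:
    """Learn the n-gram frequency distribution of legitimate content."""
    total = Counter()
    for s in samples:
        total.update(ngrams(s, n))
    count = sum(total.values())
    return {g: c / count for g, c in total.items()}

def anomaly_score(model: dict, data: bytes, n: int = 1) -> float:
    """L1 distance between the buffer's n-gram distribution and the model:
    0.0 = identical distributions, 2.0 = no n-gram in common."""
    obs = ngrams(data, n)
    count = sum(obs.values()) or 1
    keys = set(model) | set(obs)
    return sum(abs(model.get(g, 0.0) - obs.get(g, 0) / count) for g in keys)

def pad_with_mimicry_bytes(model: dict, data: bytes, ratio: int, seed: int = 1) -> bytes:
    """Interleave `ratio` n-grams sampled from the normal model after every
    payload byte (the 'inline padding' the slides describe), used here only
    to measure how much a 1-gram detector's score is diluted."""
    rng = random.Random(seed)
    grams, weights = zip(*model.items())
    out = bytearray()
    for b in data:
        out.append(b)
        for _ in range(ratio):
            out += rng.choices(grams, weights)[0]
    return bytes(out)

# Constructed "normal" traffic (two plain HTTP requests) and a constructed
# high-byte blob standing in for content that shares nothing with it.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.1\r\n\r\n",
]
BLOB = bytes(range(0x80, 0x100)) * 2

if __name__ == "__main__":
    model = train_model(NORMAL)
    print("normal request:", round(anomaly_score(model, NORMAL[0]), 3))
    print("raw blob      :", round(anomaly_score(model, BLOB), 3))
    print("padded blob   :", round(anomaly_score(model, pad_with_mimicry_bytes(model, BLOB, 3)), 3))
```

The raw blob scores the maximum 2.0 because none of its bytes appear in the model; with three model-sampled bytes per payload byte the score can fall no lower than about 0.5 for this distance, which is why a frequency model is best paired with a structural check.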