Dangling Pointer. Jonathan Afek, 2/8/07, BlackHat USA. PowerPoint PPT presentation.



SLIDE 1

Dangling Pointer
Jonathan Afek, 2/8/07, BlackHat USA

SLIDE 2

Table of Contents

What is a Dangling Pointer?
Code Injection
Object Overriding
Demonstrations
Remediation
Summary
Q&A

SLIDE 3

What is a Dangling Pointer?

Invalid Pointer:
– Dangerous
– Easy to Exploit
– Common

[Diagram: Pointer -> Object; after deletion, Pointer -> Deleted Object (a Dangling Pointer); later, Pointer -> New Data that now occupies the Object's memory]

SLIDE 4

What is a Dangling Pointer? – An Example

Results: Crash

SLIDE 5

What is a Dangling Pointer? – An Example

Debugger View

SLIDE 6

Where are We

What is a Dangling Pointer? / Code Injection / Object Overriding / Demonstrations / Remediation / Summary / Q&A

SLIDE 7

Code Injection – The Layout of an Object

Class_A:

    class Class_A {
        int member_of_A;
    public:
        virtual long vfunc_A1();
        virtual long vfunc_A2();
        static void sfunc_A();
        void funcA();
    };

[Diagram: Instance_A memory = VFTABLE Pointer, member_of_A; Class_A VFTable = vfunc_A1 address, vfunc_A2 address; each address leads to that function's assembly code]

A virtual call from inside a member function, and the code it compiles to:

    { ... this->vfunc_A2(); ... }
    ...
    MOV EAX, [ECX]     ; ECX holds this; EAX = VFTABLE pointer (first word of the object)
    CALL [EAX + 4]     ; second table entry = vfunc_A2 address
    ...
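The layout on slide 7 can be observed from C++ itself. The following is an added example, not code from the talk: Class_A as declared on the slide (bodies added), a reader for the hidden VFTABLE pointer, and a hand-rolled dispatch that mirrors MOV EAX,[ECX]; CALL [EAX+4]. It assumes g++ or clang on x86-64 Linux (Itanium C++ ABI), where the slot width is 8 rather than the slide's 4.

```cpp
// Added example (not from the slides): makes slide 7's object layout
// observable with g++/clang on x86-64 Linux (Itanium C++ ABI assumed).
#include <cstddef>
#include <cstring>

class Class_A {                      // slide 7's class, bodies added here
    int member_of_A;
public:
    explicit Class_A(int v) : member_of_A(v) {}
    virtual long vfunc_A1() { return member_of_A; }
    virtual long vfunc_A2() { return 2L * member_of_A; }
    // Offset of member_of_A from the object start: the hidden VFTABLE
    // pointer occupies the first word, so this is sizeof(void*).
    static std::size_t member_offset() {
        Class_A a(0);
        const char* base = reinterpret_cast<const char*>(&a);
        return static_cast<std::size_t>(reinterpret_cast<const char*>(&a.member_of_A) - base);
    }
};

// Read the VFTABLE pointer from the object's first word; memcpy avoids
// punning the object through an unrelated lvalue type.
static void* const* read_vftable(const Class_A* obj) {
    void* const* vft;
    std::memcpy(&vft, obj, sizeof vft);
    return vft;
}

// C++ rendering of slide 7's "MOV EAX,[ECX]; CALL [EAX + 4]": load the
// table through `this` (ECX), take slot 1 (vfunc_A2) and call it with
// `this` as the first argument. Indexing hides the slot width (4 on the
// 32-bit slide, 8 on 64-bit).
long manual_vfunc_A2(Class_A* obj) {
    typedef long (*Slot)(Class_A*);
    Slot f = reinterpret_cast<Slot>(read_vftable(obj)[1]);
    return f(obj);
}

// There is one VFTABLE per class, shared by every instance.
bool instances_share_vftable() {
    Class_A a(1), b(2);
    return read_vftable(&a) == read_vftable(&b);
}

// The hand-rolled dispatch must agree with the compiler's virtual call.
bool manual_dispatch_matches(int v) {
    Class_A a(v);
    return manual_vfunc_A2(&a) == a.vfunc_A2();
}
```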

SLIDE 8

Code Injection – The Double Reference Exploit

Exploit Overview:
– Free the Object
– Override the Object – covered later
– Execute a Virtual Function

SLIDE 9

Code Injection – The Double Reference Exploit

Injecting Code
– Free the Object
– Shellcode
– Call/Jmp ECX
– Finding a "VFTABLE"
– Interpreted as Code

Continue
– Automation

[Diagram: Original Object, Freed Space; ECX – Original Object; Pointer; VFTABLE Pointer; CALL/JMP ECX; SHELLCODE; VFTABLE, VFTABLE + 4, VFTABLE + 8, VFTABLE + C, VFTABLE + 10]

SLIDE 10

Code Injection – Double Inheritance

Multiple Inheritance

    class Inherited: public Class_A, public Class_B {
    public:
        virtual long vfunc_A2();   // overrides Class_A::vfunc_A2, so the return type must match it
        virtual int vfunc_B2();
    };

[Diagram: Object's memory = A VFTABLE Pointer, member_of_A, B VFTABLE Pointer, member1_of_B, Member2_of_B. Inherited::Class_A VFTable = vfunc_A1 address (Class_A::vfunc_A1), vfunc_A2 address (Inherited::vfunc_A2). Inherited::Class_B VFTable = vfunc_B1 address (Class_B::vfunc_B1), vfunc_B2 address (Inherited::vfunc_B2).]

We can now override the second VFTABLE!!!

SLIDE 11

Where are We

What is a Dangling Pointer? / Code Injection / Object Overriding / Demonstrations / Remediation / Summary / Q&A

SLIDE 12

Object Overriding

Allocation Implementation
– Numerous heaps
  • Two Default heaps
  • Different API
  • C-Runtime functions
– Malloc
– Free
– New
– Delete
– Etc.

SLIDE 13

Object Overriding

Allocation implementation details
– Lookaside List
  • A list for each size (8–1024, in steps of 8) and for each heap
  • First Allocation Priority
  • Merges

[Diagram: Lookaside list base pointer -> A De-Allocated Buffer (40 Bytes) -> Next Buffer Pointer -> Another De-Allocated Buffer (40 Bytes) -> NULL]

SLIDE 14

Object Overriding

And Finally – Overriding
– Search for Allocations
  • Static Analysis
    – Method: Disassembly
    – Restriction: Static Size
    – Validation: Controllable Content
    – Usage: Causing the Allocation
  • Dynamic analysis
    – Method: API Breakpoints
    – Restriction: Static/Dynamic Size
    – Validation: Controllable Content

SLIDE 15

Object Overriding – The VFTABLE Exploit

Exploitation:
– Empty the Lookaside List
– Allocate a Buffer
– Insert Content
– Free the Buffer

Continue:
– Free the Object
– Execute a VFunc

[Diagram: Original Object; VFTABLE Pointer; New Buffer: VFTABLE, VFTABLE + 8, VFTABLE Pointer, CALL/JMP EAX, SHELLCODE, Rest of SHELLCODE; NULL]

SLIDE 16

Object Overriding – The Lookaside Exploit

– Empty the Lookaside
– Allocate Two Buffers
– Insert Shellcode
– Free One Buffer
– Free The Other
– Free The Object
– Execute the Destructor

GAME OVER!!!

[Diagram: The De-Allocated Buffer: A Function Pointer, …; The De-Allocated Object: A VFTABLE Pointer, …; The Shellcode Buffer: NULL, Shellcode]

SLIDE 17

Object Overriding – The Lookaside Exploit

Executing NULL – NO Problem

SLIDE 18

Summary
– Double Reference
  • Controllable First DWORD
  • Static Address
– VFTABLE Exploit
  • Controllable Allocations
  • No First DWORD
  • Static Address
– Lookaside Exploit
  • Controllable Allocations
  • No First DWORD
  • No Static Address
  • Destructor Execution

SLIDE 19

Where are We

What is a Dangling Pointer? / Code Injection / Object Overriding / Demonstrations / Remediation / Summary / Q&A

SLIDE 20

Demonstrations – Configuration Item

Allocating the Object
De-Allocating the Object

SLIDE 21

Demonstrations – Configuration Item

Allocating User Data

SLIDE 22

Demonstrations – Configuration Item

Executing a VFunc

SLIDE 23

Demonstrations – Configuration Item

Putting it Together
– De-Allocate
– Re-Allocate
– Execute

SLIDE 24

Demonstrations – Remote Exploit

Another Exploit on IIS, but this time – a remote one

SLIDE 25

Where are We

What is a Dangling Pointer? / Code Injection / Object Overriding / Demonstrations / Remediation / Summary / Q&A

SLIDE 26

Remediation

Known Protection Mechanisms
– NX Bit
– ASLR

VFTABLE Sanitation

Safe Programming

SLIDE 27

Summary

Technical Background
– Memory Allocations
– Objects Implementation

Exploits
– Double Reference Exploit
– VFTABLE Exploit
– Lookaside Exploit

Demonstrations
– Configuration Item
– Remote Exploit

Dangling Pointer
– Only Object Oriented Objects

SLIDE 28

Questions

Ask Away…