macro reliability in win32 exploits
play

Macro-Reliability in Win32 Exploits A la conquete du monde... - PowerPoint PPT Presentation

Feb 16, 2024 •431 likes •874 views

Macro-Reliability in Win32 Exploits A la conquete du monde... Kostya Kortchinsky http://www.immunityinc.com/ Agenda Problems with large scale exploitation Immunity's Solutions Common Addresses Remote Language Fingerprinting

  1. Macro-Reliability in Win32 Exploits “A la conquete du monde...” Kostya Kortchinsky http://www.immunityinc.com/

  2. Agenda ● Problems with large scale exploitation ● Immunity's Solutions – Common Addresses – Remote Language Fingerprinting ● The Future

  3. Problems in Large Scale Remote Exploitation ● Targets are not homogeneous ● Targets have host protection layers ● Targets have network protection layers ● Targets vary over time

  4. Windows Machine Types ● Targeting a remote exploit requires: – Major/Minor versions – Service Packs – Patches – Configurations – Language Packs – Software version and configuration – Networking conditions between attacker and target – Host protections on target

  5. Exploits and Magic Numbers ● Most exploits contain a list of “magic numbers” that help them target remote machines – shellcode offsets – return addresses – writable addresses – etc ● Each magic number decreases the reliability of the exploit in the wild

  6. Minimizing Magic Numbers ● Two obvious approaches – Find common addresses that are the same across all your target types – Find a way to do fine-grained fingerprinting on your targets to accurately determine their magic numbers ● Hardest and best way – Rewrite the exploit to not need magic numbers at all

  7. Common Addresses ● Avoid fingerprinting as much as possible – Fingerprinting is usually noisy – SP fingerprinting is not that reliable ● Usually using MSRPC interfaces – AFAIK, localization fingerprinting is pretty nonexistent ● Major Windows version fingerprinting is quite reliable – Some work was already done on SP independent return addresses ● “Universal address” often means English only

  8. Naïve Approach ● Try and find addresses as independent as possible of the targets – In DLLs: image base address usually changes with language pack – In EXEs: image base doesn't change much – In EXEs and DLLs: different versions usually means different offsets relatively to image base ● DLLs with same version and same image base might provide common return addresses... – Small C program: dllvers.c

  9. Some Results ● Common DLLs 1 Windows 2000 \system32 DLLs admparse.dll 5.0.2920.0 0x80000000 bootvid.dll 5.0.2172.1 0x80010000 dbmsadsn.dll 1999.10.20.0 0x42bd0000 dbmssocn.dll 1999.10.20.0 0x73330000 443 dbmsspxn.dll 1999.10.20.0 0x42be0000 gpkcsp.dll 5.0.2134.1 0x8000000 15 mcdsrv32.dll 5.0.2160.1 0x80010000 msvcirt.dll 6.1.8637.0 0x780a0000 msvcp50.dll 5.0.0.7051 0x780c0000 rtipxmib.dll 5.0.2168.1 0xd0000000 500 slbcsp.dll 5.0.2134.1 0x8000000 slbkygen.dll 5.0.2144.1 0x8000000 sqlwid.dll 1999.10.20.0 0x412f0000 1 English, Japanese, Italian, Dutch, German, vcdex.dll 5.0.2134.1 0x0ffb0000 Spanish, Chinese, Russian, French vdmredir.dll 5.0.2134.1 0x0ffa0000 SP0 to SP4 up to date Pretty useless! Common Common Others accross accross SP Language

  10. In Memory ● Not only DLLs and EXEs and memory – Stacks – Heaps – File mappings – PEB, TEBs – Various different kinds of sections... ● Do not only stick to EXEs or DLLs to search for opcodes, look into the whole memory space – Small C program: dumpop.c

  11. NLS File Mappings ● Several NLS files are mapped by default by Windows before the process even starts – unicode.nls locale.nls sortkey.nls sorttbls.nls ● Others can be loaded at runtime depending on the locale used – ctype.nls for example ● Mapping base address is (almost) fixed for a given binary on the same major version of Windows

  12. NLS File Mappings (cont.) ● Mapping base address will depend on previously allocated pages: – Stack of main thread ● Based on SizeOfStackReserve parameter in PE header – Imported DLLs ● Based on their image base address ● Include a lot of jmp reg, call reg, push reg & ret ● Haven't changed since Windows NT 4.0 ● Contain 1 NULL byte, not executable – Still can be used quite efficiently

  13. Memory Mapping Example

  14. Remote options ● Passive – SIGINT can tell you a lot of things about a machine, including language strings ● This is mostly useful for client-side attacks ● Active – Scanning may correlate your SIGINT data with a particular machine after it moves IP addresses – Various services on the remote machine may offer “localized” strings which can be used for language detection

  15. Determining Language Pack Remotely ● Microsoft Windows does not offer a remote and anonymous way to correctly determine the language pack of a Windows install ● The applied language pack changes offsets and base addresses within DLLs which affect our exploits ● Some vulnerabilities and/or exploits are only effective on certain languages – MS06-009: Korean Input Method Editor – MS07-001: Brazilian Portuguese Grammar Checker

  16. Why care so much about language pack? ● Most research on exploit reliability assumes English Windows ● But any large company has branches in places where the native language is not English ● Consultants come from all countries and place their non-English Windows laptops onto corporate networks

  17. The Same Path Principle ● When exploiting a vulnerability we want to reduce the number of services and ports used – All services might not be running – All ports might not be opened ● Try and find as many ways as possible to remotely fingerprint a Windows language – MSRPC – SNMP – Web browsers – ...

  18. MSRPC Localization using Shares ● Works by matching “remark” unicode field of a SHARE_INFO_1 structure returned by the NetShareEnum() API – Interface 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0, opnum 15 in services.exe (2000) – Endpoints on ncacn_np, ncadg_ip_udp (old SP) ● Needs IPC$ and/or C$ share to exist – Usually better be if exploiting a RPC bug ● Will work anonymously against NT 4.0, 2000, XP < SP2 and 2003 SP0

  19. Shares Results ● Uniquely matched ● “Collisions” – Common (no translation) French – Spanish Russian ● English German Arabic Dutch Hebrew Polish Japanese Simplified Chinese Korean Traditional Chinese – On IPC$ share Turkish Hungarian Czech ● Italian Norwegian Portuguese Swedish Brazilian Greek – On C$ share (or any Danish Finnish disk) ● Portuguese Brazilian

  20. MSRPC Localization using Users ● List users on a system using LsaLookupSids() API by bruteforcing SIDs, match the default ones that are localization dependent – Interface 12345778-1234-abcd-ef00-0123456789ab v0.0, opnum 57 – Endpoints on ncacn_np ● Will work anonymously against NT 4.0 and 2000 – Useful in some case to refine previous technique results ● Works against XP SP1a with fake credentials if a Share has been setup

  21. MSRPC Localization using Print Providers ● Best of the RPC methods, unique to CANVAS ● Works by matching the “comment” unicode field of a PRINTER_INFO_1 structure returned by the EnumPrinters() API – API itself doesn't support remote listing of Print Providers ● Needs access to the spoolsv.exe service – Interface 12345678-1234-abcd-ef00-0123456789ab v1.0, opnum 0 – Usually through ncacn_np:\PIPE\spoolss ● Works anonymously against up to and including XP SP2! – No access on 2003 unless configured as a Printer Server

  22. Print Providers ● Windows based clients and servers have 3 print providers by default – win32spl.dll comment string is localized ● 3 rd party software can install their own print provider ● Side note: multiple vulnerabilities in the recent past, PP enumeration is interesting for that too – MS05-043: Heap overflow in win32spl.dll – Novell TID #3125538: Stack overflow in nwspool.dll – CTX111686: Stack overflow in cpprov.dll – And more...

  23. Print Providers Results ● Uniquely matched ● “Collisions” – English French – Spanish Arabic Russian German Hebrew Dutch Polish – Probably due to lazy Simplified Chinese Traditional Chinese translators Turkish Hungarian Czech Norwegian Swedish Greek Danish Finnish Japanese Korean Protuguese Italian Brazilian

  24. SNMP Localization ● No such thing as a Windows Language OID :-( – Well at least I haven't found one – SNMPv2-MIB::sysLocation.0 is pretty useless ● Hopefully, Windows provides a list of installed software accessible from the public community – HOST-RESOURCES-MIB::hrSWInstalledName.* – Hopefully the term “Hotfix” is localized ● “Correctif” in French, “Revisión” in Spanish ● Needs at least some hotfixes installed – No hotfix usually means no trouble for us though :>

  25. IIS & IE Localization ● IIS is not very talkative about its localization ● 40x errors are localized – 404 error string – 404 pages ● If customized, several other 40x pages to try ● Localization through IE might be useful for client-side exploits – Accept-Language header can give an hint – Nowadays heap-spray provides a mean to disregard this

  26. Configuration Options ● Of we can't get the localization of the remote target: – Assume it is English or another particular localization – Don't run the exploit – Assume the target has the same localization of the nearest neighbor

  27. CANVAS Example

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reliability Engineering - Discussions and Clarifications Reliability Engineering VS.

Reliability Engineering - Discussions and Clarifications Reliability Engineering VS.

Mission Success Starts with Safety Reliability Engineering - Discussions and Clarifications Reliability Engineering VS. Probabilistic Risk Assessment (PRA) Reliability Prediction VS. Reliability Demonstration Design Reliability VS. Process

783 views • 20 slides
P/Invoke and CIL functions in COM objects, C/C++ DLLs, etc. E.g. access to Win32 API

P/Invoke and CIL functions in COM objects, C/C++ DLLs, etc. E.g. access to Win32 API

2/15/2008 P/Invoke Allows managed code to call unmanaged P/Invoke and CIL functions in COM objects, C/C++ DLLs, etc. E.g. access to Win32 API Mingsheng Hong To declare unmanaged functions CS 215, Spring 2008 Use DllImport

245 views • 3 slides
Win32 Exploit Development with pvefindaddr Peter Van Eeckhoutte 2011 Peter

Win32 Exploit Development with pvefindaddr Peter Van Eeckhoutte 2011 Peter

Win32 Exploit Development with pvefindaddr Peter Van Eeckhoutte 2011 Peter corelanc0d3r Van Eeckhoutte Corelan Team www.corelan.be @corelanc0d3r Im not a CISSP,CEH,MCSE,A+,OCSE,CCNA,SSCP,CIW,GIAC,R

1.19k views • 63 slides
FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT DEVICES LIKE A BOSS) (PWNING IOT DEVICES LIKE A BOSS) @virtualabs | Hack in Paris '18 ABOUT ME ABOUT ME Head of Research @ Econocom Digital

1.73k views • 83 slides
When Inequality Matters for Macro and Macro Matters for Inequality Discussion by Christopher

When Inequality Matters for Macro and Macro Matters for Inequality Discussion by Christopher

When Inequality Matters for Macro and Macro Matters for Inequality Discussion by Christopher Carroll 1 (with help from Edmund Crawley 1 ) 1 Johns Hopkins University ccarroll@jhu.edu edmundcrawley@gmail.com NBER Macro Annual Meeting, April

2.21k views • 192 slides
August 7 2019 www.firstbanknigeria.com Outline Macro, T rending News..Global Macro, T

August 7 2019 www.firstbanknigeria.com Outline Macro, T rending News..Global Macro, T

STRATEGIC VENDORS ENGAGEMENT SESSEION. MACRO-ECONOMIC UPDATE August 7 2019 www.firstbanknigeria.com Outline Macro, T rending News..Global Macro, T rending News..Domestic Market Updates 2 Macro Trends - Global Fed cut rates

1.44k views • 60 slides
- Reliability - Reliability What It Is, Why, and How Jason Nicholas, Ph.D. November 13,

- Reliability - Reliability What It Is, Why, and How Jason Nicholas, Ph.D. November 13,

- Reliability - Reliability What It Is, Why, and How Jason Nicholas, Ph.D. November 13, 2008 Objective - Introduction to reliability - Meeting requirements of Body of Evidence guidelines for consistency Evaluation Criteria for Body

914 views • 66 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
Art Center Camera Club February Workshop Macro Photography MACRO PHOTOGRAPHY by......Pete

Art Center Camera Club February Workshop Macro Photography MACRO PHOTOGRAPHY by......Pete

Art Center Camera Club February Workshop Macro Photography MACRO PHOTOGRAPHY by......Pete Gumaskas What is Macro Photography Taking close-up pictures of small things Presentation Discussion Items Cameras Lenses &amp; Accessories

761 views • 35 slides
Macro and Close up Photography What does Macro mean? Extreme close-up photography, usually of

Macro and Close up Photography What does Macro mean? Extreme close-up photography, usually of

Macro and Close up Photography What does Macro mean? Extreme close-up photography, usually of very small subjects and living organisms like insects, flowers and good for abstracts, in which the size of the subject in the photograph is

212 views • 17 slides
Software Reliability Categorizing and specifying the reliability of software systems CS 422

Software Reliability Categorizing and specifying the reliability of software systems CS 422

Chapter 18 Chapter 18 Software Reliability Learning Objective ... Define the basic principles underlying software reliability engineering (metrics, measurement, and prediction) Frederick T Sheldon Assistant Professor of Computer Science

435 views • 14 slides
MACRO GROUP | PRESENTATION MACRO GROUP | SHAREHOLDERS Ctia Rebelo, Financial, HR &amp; Quality

MACRO GROUP | PRESENTATION MACRO GROUP | SHAREHOLDERS Ctia Rebelo, Financial, HR &amp; Quality

MACRO GROUP | PRESENTATION MACRO GROUP | SHAREHOLDERS Ctia Rebelo, Financial, HR &amp; Quality Mrio Rebelo, CEO Macro Groups Founder Pedro Rebelo, Project &amp; IS Bruno Rebelo, Commercial &amp; Operations MACRO GROUPS SECOND

570 views • 13 slides
Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP

Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP

Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP Exploits Long Le longld@vnsecurity.net BLACKHAT USA 2010 BLACKHAT USA 2010 1 Who am I? VNSECURITY founding member Capture-The-Flag

759 views • 43 slides
Reliability Perspectives on Clean Power Plan Implications NERC Reliability Assessments John Moura

Reliability Perspectives on Clean Power Plan Implications NERC Reliability Assessments John Moura

Reliability Perspectives on Clean Power Plan Implications NERC Reliability Assessments John Moura Director, Reliability Assessment and System Analysis June 22, U.S. Energy Association About NERC: Mission To ensure the reliability of the North

507 views • 32 slides
Macro Photography Macro Photography Photography of small items larger than life size. Typical

Macro Photography Macro Photography Photography of small items larger than life size. Typical

Macro Photography Macro Photography Photography of small items larger than life size. Typical subjects are still life, such as fruit, flowers, jewelry and small household objects. Macro photography often reveals details of the subject not

543 views • 19 slides
Macro Photography Macro Photography Photography of small items larger than life size. Typical

Macro Photography Macro Photography Photography of small items larger than life size. Typical

Macro Photography Macro Photography Photography of small items larger than life size. Typical subjects are still life, such as fruit, flowers, jewelry and small household objects. Macro photography often reveals details of the subject not

199 views • 4 slides
SmartQuant USA Overview SmartQuant Algo Trading Infrastructure is designed for quantitative

SmartQuant USA Overview SmartQuant Algo Trading Infrastructure is designed for quantitative

SmartQuant USA Overview SmartQuant Algo Trading Infrastructure is designed for quantitative investors and traders, as well as institutional users such as hedge funds, proprietary trading groups, brokers, consultants and service providers.

495 views • 46 slides
Student Health Insurance Program 2016 Procurement Results HEATHER CLORAN Associate Director,

Student Health Insurance Program 2016 Procurement Results HEATHER CLORAN Associate Director,

Student Health Insurance Program 2016 Procurement Results HEATHER CLORAN Associate Director, Program and Product Strategy Board of Directors Meeting, June 11, 2015 INTERNAL DRAFT FOR POLICY DEVELOPMENT Todays Discussion Today we will

309 views • 12 slides
ESGF Installer Status Update William Hill, Prashanth Dwarakanath, Sasha Ames Lawrence Livermore

ESGF Installer Status Update William Hill, Prashanth Dwarakanath, Sasha Ames Lawrence Livermore

ESGF Installer Status Update William Hill, Prashanth Dwarakanath, Sasha Ames Lawrence Livermore National Laboratory 2017 ESGF Face 2 Face Conference, San Francisco, CA December 4-8, 2017 Outline 2017 IWT Accomplishments IWT Roadmap 2

238 views • 10 slides
E-Commerce International Strategies for Online Retailers going local in China and Eastern Asia

E-Commerce International Strategies for Online Retailers going local in China and Eastern Asia

E-Commerce International Strategies for Online Retailers going local in China and Eastern Asia Patrick Deloy Founder &amp; Executive Director, Bluecom Group E-Commerce Soars in China NYTimes.com, May 2013 China A Booming Market: 66,5%

621 views • 49 slides
Citigroup to Congress: Never Mind! (Some reflections on the Gramm-Leach-Bliley Act prompted by

Citigroup to Congress: Never Mind! (Some reflections on the Gramm-Leach-Bliley Act prompted by

Citigroup to Congress: Never Mind! (Some reflections on the Gramm-Leach-Bliley Act prompted by Citigroup's exit from insurance underwriting) Peter E. Heyward Venable LLP Washington, D.C. There is an obvious irony in Citigroups decision,

417 views • 9 slides
DEVELOPMENT SECURITIES PLC INVESTOR DAY 23rd OCTOBER 2014 Agenda Presentations and tour

DEVELOPMENT SECURITIES PLC INVESTOR DAY 23rd OCTOBER 2014 Agenda Presentations and tour

DEVELOPMENT SECURITIES PLC INVESTOR DAY 23rd OCTOBER 2014 Agenda Presentations and tour Timings Arrivals and breakfast 7.30 8.00am Introduction Michael Marx 8.00 8.10am Interim results overview Marcus Shepherd 8.10 8.25am

935 views • 64 slides
Autograft: The Gold Standard Steven R. Garfin, MD Distinguished Professor and Chair Department

Autograft: The Gold Standard Steven R. Garfin, MD Distinguished Professor and Chair Department

Autograft: The Gold Standard Steven R. Garfin, MD Distinguished Professor and Chair Department of Orthopaedic Surgery UC San Diego Disclosures Magnifi Group AO Spine Medtronic Benvenue Medical NuVasive, Inc. EBI SI

270 views • 23 slides
Rob Lawton Division Manager CMJ Medical DePuy Synthes Mitek Sports Medicine Demonstrate

Rob Lawton Division Manager CMJ Medical DePuy Synthes Mitek Sports Medicine Demonstrate

Rob Lawton Division Manager CMJ Medical DePuy Synthes Mitek Sports Medicine Demonstrate ATs background &amp; skills are great fit for medical sales Provide an overview of medical sales opportunities Describe the medical

681 views • 27 slides

More recommend