Environment Dependencies in
Windows Exploitation
Yuji Ukai , Senior Software Engineer
Derek Soeder, Software Engineer
Ryan Permeh, Senior Software Engineer
http://www.eeye.com
Introduction
When vulnerability information is published, the usual sequence is:
exploit published → exploit improved → worm.
The vulnerabilities used by worms usually share the
same kinds of vulnerability factors.
A precise threat analysis is important in the early stages.
Introduction – Threat Analysis
Factors to consider:
・ Precise and detailed technical analysis of the vulnerability
  (attack vector, reliability, difficulty to exploit, privileges gained, etc.)
・ Impact
・ Vulnerability information which is already published
・ Technical capabilities of malicious code authors and worm authors
・ Attack trends
・ etc.
We must take these factors into account for precise threat analyses.
Introduction – Environment Dependencies
Some exploits/worms have environment dependencies.
- Especially in the case of vulnerabilities that allow machine
code execution, such as typical buffer overflow bugs.
If an exploit or worm also affects Japanese OSes,
the risk will be increased in Japan.
If we analyze the environment dependencies of
worms, we can estimate their impact worldwide.
How do recent worms/exploits avoid environment dependencies?
Can they avoid environment dependencies perfectly?
How to protect your systems against environment-independent worms and
exploits.
1. Environment Dependencies
Environment Dependencies - Overview
[Environment Dependencies]
The phenomenon that the effectiveness of a specific exploit or worm
depends on the target “environment”.
Environment (example)
• OS version
• Application version
• Language version
Environment Dependencies – Case Example (1)
MS03-026 – Blaster Worm
(Source: JP Vulnerability Notes)
2003-07-27 BugTraq Mailing List: “DCOM RPC exploit (dcom.c)” is posted.
2003-07-31 Full-Disclosure Mailing List: “RPC DCOM universal offsets” is posted.
           Japanese version is affected.
2003-08-11 Blaster Worm is released. Japanese version is affected.
Environment Dependencies – Case Example (2)
MS04-011 – Sasser Worm
2004-4-25 : Full-Disclosure Mailing List (k-otik)
DsRoleUpgradeDownlevelServer() API rewriting version
・Japanese Windows 2000 : Affected
・Japanese Windows XP : Not affected
2004-4-29 : Full-Disclosure Mailing List (SecurityLab)
LSADS DCE/RPC raw packet version
・Japanese Windows 2000 : Not affected
・Japanese Windows XP : Affected
Sasser
Environment Dependencies – Reasons
Stack-based buffer overflow exploit: the saved return address is overwritten
with the address of a JMP ESP instruction (0x77E09EB8 in user32.dll), so that
execution lands on the attacker's data at ESP.
In a different environment user32.dll is loaded at a different base address
(0x77E10000 versus 0x77DE0000), and 0x77E09EB8 no longer points to a JMP ESP.
Causes of environment dependencies:
・ DLL base address difference
・ DLL code difference
Environment Dependencies
– Avoidance and Protection
Avoidance methods usually used by exploits and worms:
• Common return address
• Version detection + return address table
• Brute forcing
Protecting against the avoidance of environment dependencies:
• Do not give “hints” which can be used to avoid
environment dependencies.
• Remove the risk factors that make environment-independent attacks possible.
2. Avoidance of Environment Dependencies Using a Common Return Address
Common Return Address – Definition
The return addresses that can be used in various kinds of
environments.
The most perilous return address is one that:
• Can be used in all major versions.
• Can be used in all service pack levels and patch levels.
• Can be used in all language versions.
Common Return Address – Case Example
2004-4-29 (SecurityLab)
Full-Disclosure: MS04011 Lsasrv.dll RPC buffer overflow
remote exploit (PoC) with Universal targets
This exploit is not “truly universal”
Common Return Address – Potential Risks
Is there a return address that can be used in
the following environments ?
・ All language versions
・ All service pack levels, all patch levels
We would like to know whether or
not a common return address exists.
・ If it exists, it should be removed before malicious code uses it.
・ If it does not exist, we can prove that a “true universal” exploit
cannot be developed.
Common Return Address – Targets
Targets of “common return addresses”, in the case of jumping to the address specified by ESP:
• JMP ESP (classic method)
However, we also must find...
• PUSH ESP / RET
• MOV ECX,ESP / JMP ECX
• MOV EAX,EBX / JMP ESP
・・・・ There are numerous combinations.
We cannot enumerate all return addresses by simply searching a binary.
★ We must recognize the byte stream as “instructions.”
★ We must take “context” into account when jumping to a return address.
EEREAP
- eEye Emulating Return Address Purveyor
Advanced Return Address Discovery Using
Context-Aware Machine Code Emulation
EEREAPer
© Derek Soeder@eEye
EEREAP - Objective
We would like to know whether common
return addresses exist or not.
・ If one exists, it should be removed before malicious code uses it.
* Common return addresses are a potential threat.
* EEREAP will be a powerful tool to find and remove
common return addresses.
・ If it does not exist, we can prove that a “true universal” exploit
cannot be developed for the specified process.
* We don’t have to worry about the threat of “truly universal” exploits.
EEREAP - Overview
Input: Target Process
・ Registers
・ Memory Snapshot
・ Limit on Number of Instructions
EEREAP
・ IA32 Machine Code Emulator
・ Virtual Memory Manager
Output: return address candidates, e.g.
0x71234412
0x712A5123
0x714E0234
0x73A1BA02
:
・ Show all candidates of return addresses in the code sections.
・ Not only jumping to ESP. All instruction streams that perform a jump
to the specified buffer can be listed.
(For heap based buffer overflows, format string bugs, etc.)
EEREAP - Registers
Bit level value for each register {0,1,X} (X: undetermined value)
( Example )
# defines STACK as a 64KB writable address space
STACK @ 00XXXXXXh : 65536, RW
# ESP is a pointer to offset E000h within ‘STACK’
ESP = STACK + E000h
# BUFFER maps into STACK at offset E09Ch (Read Only)
BUFFER @ STACK + E09Ch : 128, TARGET, RO
# memory at STACK + E004h contains a pointer into BUFFER
[STACK+E004h] = BUFFER + 8
EAX = 0
ECX = 3FFXXXXXh
EBP = STACK + E134h
ESI = STACK + E01Ch
TIB @ 7FFXX000h : 4096, RW
FS = TIB
EFLAGS = 0010000X0X1Xb
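A parser for this context format, added here as an example and not EEREAP's own code: each {0,1,X} value is kept as a (value, known-bit mask) pair, region-relative addresses stay symbolic so that a region such as BUFFER can be resolved back to STACK, and in_target() answers the question EEREAP asks of every jump target. The sample context is built from the lines above; the function names and the TARGET-region check are this example's own assumptions.

```python
import re
ALL = 0xFFFFFFFF                        # 32-bit register width

def parse_number(tok):                  # '3FFXXXXXh' -> (0x3FF00000, 0xFFF00000)
    tok = tok.strip().upper()           # mask bit set = bit is known; an X digit clears its bits
    if tok[-1] not in "HB":
        return int(tok), ALL
    digits, width, value, mask = tok[:-1], 4 if tok[-1] == "H" else 1, 0, 0
    for d in digits:
        value, mask = value << width, mask << width
        if d != "X":
            value, mask = value | int(d, 16), mask | (1 << width) - 1
    return value, (mask | ~((1 << width * len(digits)) - 1)) & ALL   # bits above the digits: known 0

def parse_expr(expr, regions):          # 'STACK + E09Ch' -> ('STACK', 0xE09C, ALL); numbers: region None
    parts = [p.strip() for p in expr.split("+")]
    region = next((p for p in parts if p in regions), None)
    value, mask = 0, ALL                # offsets stay relative to the region: no carry into X bits
    for v, m in (parse_number(p) for p in parts if p not in regions):
        value, mask = (value + v) & ALL, mask & m
    return region, value, mask

def parse_context(text):                # -> (regions, regs, mem); '#' starts a comment
    regions, regs, mem = {}, {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if m := re.fullmatch(r"(\w+)\s*@\s*(.+?)\s*:\s*(\d+)\s*,\s*(.+)", line):   # NAME @ base : size, flags
            regions[m[1]] = (parse_expr(m[2], regions), int(m[3]), m[4].replace(" ", "").split(","))
        elif m := re.fullmatch(r"\[(.+?)\]\s*=\s*(.+)", line):                  # [address] = value
            mem[parse_expr(m[1], regions)[:2]] = parse_expr(m[2], regions)
        elif m := re.fullmatch(r"(\w+)\s*=\s*(.+)", line):                      # REG = value
            regs[m[1]] = parse_expr(m[2], regions)
    return regions, regs, mem

def root(regions, addr):                # ('BUFFER', 8, m) -> ('STACK', 0xE0A4): rebase onto the outermost region
    region, value = addr[0], addr[1]
    while region and regions[region][0][0]:
        region, value = regions[region][0][0], (value + regions[region][0][1]) & ALL
    return region, value

def in_target(regions, addr):           # does addr fall inside the region flagged TARGET?
    name = next(n for n, (_, _, f) in regions.items() if "TARGET" in f)
    (r, off), (br, boff) = root(regions, addr), root(regions, (name, 0, ALL))
    return r == br and boff <= off < boff + regions[name][1]

CONTEXT = """STACK @ 00XXXXXXh : 65536, RW    # constructed sample in the format above
ESP = STACK + E000h
BUFFER @ STACK + E09Ch : 128, TARGET, RO
[STACK+E004h] = BUFFER + 8"""
REGIONS, REGS, MEM = parse_context(CONTEXT)
```

With this context ESP itself lies outside BUFFER, while the pointer stored at STACK+E004h lands inside it, which is exactly the distinction a context-aware search has to make.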
EEREAP – Memory Snapshot
C:\>psnap.exe --priority --suspend -a:r -c:w 260 lsass.ees
* Record: micdhstp
* Write:  ----c----- ---
[#] 00010000..00010FFF ................................. Recorded
[#] 00020000..00020FFF ................................. Recorded
[ ] 00030000..00065FFF ................................. Ignored
[G] 00066000..00066FFF ................................. Ignored
[#] 00067000..0006FFFF ................................. Recorded
[#] 00070000..00120FFF Heap ............................ Recorded
[ ] 00121000..0016FFFF Heap ............................ Ignored
...
[#] 00CAA000..00CAFFFF Stack ........................... Recorded
[#] 01000000..01000FFF Image - lsass.exe ............... Recorded
[#] 01001000..01001FFF Code  - lsass.exe:.text ......... Written
[#] 01002000..01002FFF Data  - lsass.exe:.data ......... Recorded
[#] 01003000..01009FFF Data  - lsass.exe:.rsrc ......... Recorded
[ ] 01090000..010C8FFF Stack ........................... Ignored
[G] 010C9000..010C9FFF Stack ........................... Ignored
...
Saved process 260 snapshot to "lsass.ees" (12795328 bytes).
EEREAP – Emulation
• For each return address candidate, emulation is started fresh.
• An instruction execution countdown is used to prevent infinite loops.
• Takes unknown bits into account, erring on the side of
nondeterminism.
• If a Jcc or LOOPcc is reached with EFLAGS/ECX undefined, we
follow both possible execution paths.
- Parent succeeds if both children “threads” reach a target buffer.
- Each child gets a copy of parent's context with the instruction
countdown halved.
• The “thread” dies if anything occurs that could affect execution
unpredictably (access violation, privileged instruction, potential
divide-by-zero, etc.)
EEREAP - How-To
• Process should definitely have a debugger on it with first-chance
exceptions caught.
• Crash the target process using the vulnerability to be exploited.
- Should put the process as close as possible to the state
that will be in effect when execution is hijacked.
(ex. EIP=0x41414141)
• Use 'psnap' to grab a process memory snapshot.
• Create the context.
Example context: MS04-011 LSASS, Windows 2000 Advanced Server SP4
STACK = 0XXXA000H:6000H,RW
BUFFER@STACK+5A14H:10H,RO,TARGET
EAX=00000000H
EBX=00000000H
ECX=STACK+5D38H
EDX=785B2C60H
ESI=00000004H
EDI=STACK+5A58H
ESP=STACK+5A14H
EBP=XXXXXXXXH
EFLAGS=0296H
EEREAP – Case Example
Process :
LSASS.EXE
MS04-011 : LSASS vulnerability
EEYE : Windows Local Security Authority Service Remote Buffer Overflow
Platform :
• Windows 2000 Advanced Server (English) SP0 ~ SP4
• Windows 2000 Advanced Server (Japanese) SP0 ~ SP4
EEREAP – Performance
EEREAP vs “Simple Search” - JMP ESP/CALL ESP/PUSH ESP&RET
Detected Return Addresses:
EEREAP – Distribution
• Distribution: number of instructions to target buffer (SP4 English)
# Instructions   Addresses
1                59
2                63
3                90
4                90
5                106
6                100
7                57
8                54
9                30
10               20
11               22
12               13
13               11
14               5
15 or more       104
Total            824
Maximum # of instructions = 91
EEREAP – Common Return Addresses
Windows 2000 Advanced Server LSASS
English, SP0 - SP4:            Addresses = 19
Japanese, SP0 - SP4:           Addresses = 24, Printable = 3
Japanese and English, SP4:     Addresses = 207, Printable = 18, Alpha-Numerical = 2
How to protect your system from common return address exploits?
(1) Change the DLL base address.
(2) Move the subroutine containing the code at the
common return address’s destination.
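A toy version of the search described under “Targets”, “Emulation” and “Common Return Addresses”, added here as an example and not EEREAP's own code: it decodes a small IA-32 subset (NOP, PUSH/POP r32, RET, MOV r32,r32, JMP/CALL r32), runs every candidate address on a fresh copy of the register context with an instruction countdown, records the number of instructions needed to reach the target buffer, and intersects the hit sets of several environments to obtain the common return addresses. The code bytes, base addresses and register context are constructed; EEREAP's undetermined bits and memory snapshot are reduced here to None-valued registers and an empty stack.

```python
REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]   # IA-32 r32 encoding order

def emulate(code, base, start, regs, countdown):
    """Run from VA `start` on a fresh copy of `regs` (None = undetermined, like EEREAP's X bits).
    Returns (target, n): control-transfer target after n instructions, or None if the thread died."""
    regs, stack, ip, n = dict(regs), {}, start - base, 0
    while n < countdown and 0 <= ip < len(code):
        n += 1
        op, modrm = code[ip], code[ip + 1] if ip + 1 < len(code) else 0
        esp = regs["ESP"]
        if op == 0x90:                                          # NOP
            ip += 1
        elif 0x50 <= op <= 0x57 and esp is not None:            # PUSH r32 (PUSH ESP stores the old ESP)
            stack[esp - 4] = regs[REGS[op - 0x50]]
            regs["ESP"], ip = esp - 4, ip + 1
        elif 0x58 <= op <= 0x5F and esp is not None:            # POP r32 (unrecorded memory pops None)
            regs[REGS[op - 0x58]], regs["ESP"], ip = stack.get(esp), esp + 4, ip + 1
        elif op == 0xC3 and esp is not None:                    # RET: EIP = [ESP]
            return stack.get(esp), n
        elif op == 0x89 and modrm >= 0xC0:                      # MOV r32, r32 (mod = 11)
            regs[REGS[modrm & 7]], ip = regs[REGS[modrm >> 3 & 7]], ip + 2
        elif op == 0xFF and (modrm & 0xF8) in (0xD0, 0xE0):     # CALL r32 / JMP r32
            return regs[REGS[modrm & 7]], n
        else:                                                   # unknown opcode, fault, ...: thread dies
            return None, n
    return None, n                                              # countdown spent

def find_return_addresses(code, base, regs, buf_start, buf_len, countdown=16):
    """VA -> instruction count, for every VA whose stream lands inside the target buffer."""
    hits = {}
    for off in range(len(code)):
        target, n = emulate(code, base, base + off, regs, countdown)
        if target is not None and buf_start <= target < buf_start + buf_len:
            hits[base + off] = n
    return hits

def common_return_addresses(environments, regs, buf_start, buf_len):
    """Addresses that hit in every (code, base) environment: the common return addresses."""
    hits = [set(find_return_addresses(c, b, regs, buf_start, buf_len)) for c, b in environments]
    return sorted(set.intersection(*hits))

# Constructed sample "DLL code" (not real user32.dll bytes): FF E4 JMP ESP | 54 C3 PUSH ESP/RET |
# 89 E1 FF E1 MOV ECX,ESP/JMP ECX | 89 D8 90 FF E4 MOV EAX,EBX/NOP/JMP ESP | 55 FF E4 PUSH EBP/
# JMP ESP (ESP-4 lies below the buffer: miss) | FF E0 JMP EAX (EAX = 0: miss) | FF D4 CALL ESP
CODE = bytes.fromhex("FFE4 54C3 89E1FFE1 89D890FFE4 55FFE4 FFE0 FFD4")
BASE = 0x77E00000
CONTEXT = {"EAX": 0, "EBX": 0, "ECX": None, "EDX": None, "ESP": 0x0012E000,
           "EBP": None, "ESI": 4, "EDI": None}                  # constructed register context
# Two "environments" per the Reasons slide: a different DLL base, and a code variant (two extra NOPs).
ENVIRONMENTS = {"base": [(CODE, BASE), (CODE, 0x77DE0000)], "code": [(CODE, BASE), (b"\x90\x90" + CODE, BASE)]}
```

Against the constructed sample the base change leaves no common return address, while the code variant still shares four of them, which is why EEREAP emulates rather than pattern-matches.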
3. Avoidance of Environment Dependencies Based on Version Detection
Version Detection - Overview
• If the environment of the target system can be identified
automatically, then the exploit code (payload) specific to
each environment can be generated at run-time.
• If the exploit code has a return address table for every
environment, it has the potential to be a “universal” exploit.
• Version detection used for exploitation.
(ex. “Windows 2000 SP4 Japanese”)
• Avoiding version detection - benefits and problems.
Version Detection – Active Detection
Attacker (exploit code) identifies the version information of the
target system actively.
OS identification methods that are usually used by major
vulnerability scanners:
・TCP OS Fingerprinting (NMap)
・ICMP OS Fingerprinting
・SNMP
・SMB (SessionSetupAndX Reply)
・Workstation Service (NetWkstaGetInfo API)
・DCE/RPC IfID list
・Banners (HTTP, TELNET, etc)
Version Detection – Avoidance of Active Detection
SMB (SessionSetupAndX)
  Information: OS Major version
  Avoidance: * Filtering
Workstation Service (NetWkstaGetInfo)
  Information: OS Major Version, Language Version
  Avoidance: * Disabling anonymous access * Filtering * Disabling Workstation service
DCE/RPC IfID list
  Information: OS Major Version, SP Level, etc.
  Avoidance: * Filtering
Version Detection – Passive Detection
• Passive attacks against network clients, such as web browsers.
• Vulnerabilities that can be exploited if the attacker places a host in
the network.
Flow: Victim → Version Information → Attacker → Exploit Code → Victim
• Internet Explorer
  Application version, OS major version, language version
• Apple QuickTime Player, iTunes
  Application version, OS major version, SP level
Version Detection - Avoidance of Passive Detection
Web browser + Application that announces version = Detailed Version Info
Environment dependencies can be avoided if the attacker
(or exploit) can acquire detailed version information.
・Security policy
・Delete the version information at a proxy server.
・Disable Active scripting and execution of ActiveX controls.
4. Avoidance of Environment Dependencies Using Brute Forcing Method
Brute Forcing Method – Active Attack
• Prepare a return address table, try them in sequence or
randomly.
• Brute forcing can be applied against a service that will reboot
automatically, even if it crashes.
• It is not necessary to detect the version.
[Case example]
Blaster: brute forcing attack (80%: Windows XP, 20%: Windows 2000)
Sasser: OS identification using SMB banner. No brute forcing attack.
Brute Forcing Method – Passive Attack
• Make multiple exploits (ex. files) using different return addresses.
Attacker → Victim: one file per service pack (SP1 ×, SP2 ×, SP3 ○, SP4 ×);
only the file built for the victim's service pack succeeds.
Brute Forcing Method – How to Protect?
• If the passive brute forcing method can be used to attack the client,
it will be difficult to protect against in some cases.
How to protect your system from passive brute forcing attacks?
If your environment is VERY special, the attacker will
not be able to own your system.
5. Particularization to Protect Your System
Particularization - Overview
• Version differences provide a form of protection as a by-product.
• However, there are some factors that allow environment
dependencies to be avoided, such as common return addresses,
version detection, brute forcing, etc.
• Additionally, language version dependencies can also be used to
conduct a cyber attack that targets a specific country.
Change the “environment” in each host.
Particularization – How-To
* UNIX Application (delegate)
Changes the stack top based on a random value
at every boot-up. Jumping directly to shell code
stored on the stack will fail.
* However, in the case of Windows …
The stack top of the target thread changes dynamically. The “JMP
ESP” method is always used for jumping to shell code.
(1) Move the base addresses of DLLs that contain “JMP ESP.”
(2) Move the functions that contain “JMP ESP.”
Particularization – DLL Base address
If we move the base address of a DLL that contains “JMP ESP,”
using it as a return address destination should be impossible.
[Developers]
• Boot time
• Installer
Microsoft recommended base address table:
Name         Address
A-C          0x60000000
D-F          0x61000000
G-I          0x62000000
J-L          0x63000000
M-O          0x64000000
P-R          0x65000000
S-U          0x66000000
V-X          0x67000000
Y-Z          0x68000000
System DLL   0x70000000-0x78000000
Particularization – DLL Base Address
[Users]
• Changes DLL base addresses
• Windows system DLLs :
1) Search for DLLs that need to be moved using EEREAP.
2) Move base address using REBASE.EXE.
Particularization – DLL Base address
[ex: Change the base address of Lsasrv.dll]
1. Prepare REBASE.EXE (included in Visual Studio)
2. Boot the system in Safe Mode + Console
3. copy lsasrv.dll temp.dll
4. REBASE -b 0x14000000 temp.dll (arbitrary address)
5. Shut down LSASS.EXE
6. copy temp.dll dllcache\lsasrv.dll
7. copy temp.dll lsasrv.dll
8. reboot
Move all DLLs using EEREAP and REBASE.EXE
Particularization – API Hooking
List the subroutines that contain JMP ESP using EEREAP.
Move the subroutines.
Before: enter Func A → ... JMP ESP ... → return.
After: the entry of Func A is patched with a JMP to a hook, which runs a relocated
copy of Func A at a different address (the copy still contains the JMP ESP, but at a
new address); the original body is overwritten with 90 90 90 90 ... (NOP).
JMP ESP is replaced with a NOP slide. Exception happens.
Conclusion
• Environment dependencies deeply affect the threat level.
• Particularization of the environment reduces potential risks.
Future Work
• Improve EEREAP to be more useful and accurate, distribute
it for system administrators, application developers, security
researchers, etc.
• We must make a mechanism that prevents worm writers from
using EEREAP to make malicious code.
Questions ?
Contact : eereap@eeye.com
Thank you for your attention !
EEREAP Project Researchers :
・Yuji Ukai, Senior Software Engineer, eEye Digital Security
・Derek Soeder, Software Engineer, eEye Digital Security
・Ryan Permeh, Senior Software Engineer, eEye Digital Security
EEREAP Contact : eereap@eeye.com
Black Hat Japan 2004
Oct. 14-15, 2004, Tokyo