28C3: Post Memory Corruption Memory Analysis (en)

We could start, we are in time. Our speaker will show us in his session something about memory corruption memory analysis. I think it's a hardware hack, I don't know exactly; I'm interested in this, so I'm sitting here. Let's start.

Thank you, mate. Before we start I will actually ask you to give a big clap to the organizers, because I think they're doing an amazing job, and I'm very happy to be here with you today.

All right, so we've got to talk today about memory corruption bugs and how to automate the process. To be fully honest with you, we released the tool like three months back and we got more than 10,000 downloads, and every single question I got was regarding remote stack overflows, which is something the tool was not meant to do. The tool was meant to automate the exploitation of invalid memory writes, and not at all stack overflows, which I felt, you know, is pretty well understood, like commodities. So the first class of bugs which was disclosed which actually deals with memory corruption: if you google for memory corruption bugs, everybody and his brother wrote a paper about stack overflows, so it's kind of all about stack overflows, and I felt like, ah, come on. And then I thought a bit about it and, you know, eventually there are actually quite a few new security mechanisms, like FORTIFY or PIE, position independent executables, which are actually worth a look. So if you guys agree I'm going to start with this, and then we'll switch to the meat, which is how to find and how to automate atomic, or not so atomic, overwrites in any other section of a binary.

You may see by now that I'm not a native speaker and I'm pretty sick today. I'm actually coming from Australia; I mean, anybody coming from New Zealand? All right, so I'm the one coming from the opposite side of Earth, and I got pretty sick in the plane. So if at any point in time you don't understand what I'm saying, please interrupt me; you can scream or wave around and stuff, and I'd be very happy to rephrase my wording or reword what I'm saying. Let's do it.

Anybody read the white paper? Yeah? Man, you guys have any idea how much time I spent on that stuff, and there is one dude who actually read it. Come on, at least lie to me, tell me everybody read it. Ready? Yeah, thank you so much, that's some love, I love you too. All right, so, well, that's not really important. The only point which is actually relevant to me is that I'm very happy to be here, and we're trying to create a small security conference in Paris. It's called Hackito Ergo Sum; it's not too far and it's pretty... just some quality. So if you guys like my talk, please submit, please come, we'd be very happy to see you guys in Paris.

All right, why doing binary stuff? Because, to be fully honest with you, in my daily job I don't enjoy web applications that much; it's super repetitive, and I think the whole binary thing is a lot more complex and more exciting, and more... that's the meat. Agenda: so I go back to a few basics. If it's too easy, please raise your hands and I'll be very happy to skip the basics and go to the meat. I have like 95 slides; there is no way it's going to fit in one hour. Yeah, I'm going to be late, sorry guys. So if it's too easy, let me know, I'll be more than happy to skip. In a nutshell, the tool is available, it's free software, so the

address is pmcma.org. Yeah, I know, the name is pretty strange, but whatever. Surprisingly, it's published under the Apache 2 license, so it's free as in free software. We also have a repository on GitHub, and people actually do submit patches, so if you want to improve the tool yourself and add new checks and stuff like that, feel free to do so; we're very happy to merge new patches. If you do that, please use the GitHub, it's a lot easier for us in terms of maintenance. But, like I mentioned earlier, we got 10,000 downloads for a tool which is actually helping reverse engineering on Linux, so either some guy is psychic, or is using a bot to download it all day long, or the tool is actually interesting. This is way more than we actually expected.

So what is it you're supposed to do? The tool is actually a debugger; it's ptrace-based, so much like gdb, but it does all the stuff that gdb cannot do for you. In particular, whenever you can trigger a bug, so you've been doing some fuzzing session or something, you've got plenty of crashes and you'd like to analyze which one is actually exploitable and which one is irrelevant, that's the tool to use. So it's not writing an exploit for you, but it's showing you exploitation strategies, what we call exploitation scenarios.

I'm going to start with the demo, so we'll all be on the same page. Any questions so far? Okay. So I'm starting the tool. I cheated a bit: I created a small script, and what it does is just starting perl and feeding it plc1.pl, which actually triggers a null pointer dereference. Yeah, font size? Font size, doable, doable. Is that more sexy? Yeah, kinda; everybody can read? Yeah, all right. Okay, so this is just a small null pointer inside perl, but at least, yeah, any question? Okay, so at least we'll be on the same page on what the tool does and how it works and stuff. So you have different ways to invoke it: much like gdb, you can attach to a running process, or you can start a new process and start banging it. So it shows you a bunch of stuff, blah blah blah, like the command line, which you can retrieve from the stack, which instruction it failed on, the state of registers. That's not too exciting.

Then what really starts to be exciting is that it tries to analyze the root cause of the bug by looking at the registers, looking at the instruction and the state of the stack. Basically, if you can walk back the stack, you know the stack is not mangled, so it's not a stack overflow. You received a signal 11, so you know it's some kind of invalid memory reference, and by looking at the registers it's pretty easy here to say that it's a read operation, because it's only comparing and not writing anywhere in memory, and it's actually failing because ebx, which is worth 0 at this time, is actually pointing to invalid memory. Anybody have any kind of laser pointer or something? If anybody does, that'd be sweet. No? Okay. So ebx plus eight: if you have ebx worth 0, pretty obviously it's going to try to read from the first page, which is never mapped in Linux. The thing is, if you don't know assembly, if you don't know all that stuff, the tool tells it for you in human language, so that's pretty sweet. It's much like, you know, !exploitable for Microsoft or whatever. Then it looks at a bunch of binary properties, like: was it compiled with PIE (I'll get back to this), stack cookies, FORTIFY, you know, a bunch of properties, like is it a C++ binary, for instance. It's kind of relevant because

like if you have a C++ binary you expect to find lots of function pointers. Why? Well, because every class is basically... I mean, when you invoke a method of a class in C++, what you actually do is directly calling a function pointer, right? So, well, it's pretty interesting to notice.

Okay, then the real thing: it checks ASLR stuff. When we're actually writing exploits, repeatability is a problem, and so ASLR is, you know, at the core of the defense mechanisms under Linux. How do you check ASLR? The idea is that the tool is going to respawn the very same application and each time look if the mapping of every section differs from one run to the other one. All right, you could say, "I'm going to do that with static analysis," by, you know, looking at whether the binary is PIE or whatever; if it's not, you expect the main binary to be mapped always at the same address, and you can make a wild guess regarding the shared libraries. It's actually much easier to just execute the binary and check in practice if it works or not. I got some surprises: like on some pretty old kernels the libc, for instance, would be mapped ten percent of the time at the same address. So 10 percent is a lot; I mean, if you can attack at will, meaning you are attacking a server and it's forking, so you can trigger the bug as much as you want, in 10 tries you're sure to get a shell. That's a lot. So it's interesting to see it in practice.

All right, okay, then we check, much like paxtest, the regression test for grsecurity and PaX inside your security kernel: we check whether the stack is executable, whether the heap is executable. This is entirely dependent on your kernel only and not the application you're attacking, but it's worth noting, and it's always something you've got to check before writing a proper exploit. So here I'm using a random latest Ubuntu machine or something, so by default the mappings are not executable, I mean what's writable is not executable, but if you call mprotect then you can. Is it always the case? Of course not; if you use a grsecurity kernel, for instance, you can have a hardened configuration which is going to prevent you from executing anything on the stack even if you try to mprotect it. Basically the call to mprotect is going to fail, but Ubuntu is like not that good.

Okay, then what the tool does is trying to get... it's basically parsing every writable section and looking for function pointers. If we go back to the definition of a function pointer, it's something which is going to be in a writable section, and it's something which is pointing to executable memory. So by parsing all the writable memory we can actually get a short list of all the possible function pointers inside the application, even if they're stored inside shared libraries. And people tell me, "but I do that manually"; you know what, you're never going to find a function pointer in, say, the data section of libcrypt, right? And even if you do it statically, some tools are here to do this, like mona.py; anybody using this? It's a tool from the guys from Corelan. Thing is, it's only static, and there is a massive difference between a function pointer being somewhere in the address space and, from a given point in time, this particular function pointer being called. This is what I mean: I don't care about finding function pointers which are not called during the normal flow of execution. Any questions so far? Too easy? Yeah, okay. He's asking me if mona.py is available on Linux. No, it's not available on Linux, but it's like the state of the art, so it's a good benchmark. Then we try to see if, basically, the tool is checking if after the crash we're getting back to the same instruction.

This is pretty relevant. Why? Yeah, all right, the main idea... all right, so photo is not in the room? Yeah, they're saying that the probability, yeah, to be in a loop actually depends... So in the case of my comparison here, you know, are you going to get back to the very same instruction with the very same set of registers? It's hard to predict; basically arbitrary computation may happen and I have no idea. The thing is, we want to distinguish between an atomic write which failed and another write which failed. If I can overwrite multiple times, like overwrite an entire section, it's a lot more interesting to me than a single atomic write somewhere, because if, for instance, I can overwrite the whole heap with content I control, it's a lot more interesting to me than writing, say, four bytes somewhere in the heap, especially in case of ASLR. I'll get back to this. All right, and then what the tool does is basically looking for function pointers. Okay, in this case it did not find any. Wow, that was a cool demo, right?

Okay, so people ask me about stack overflows, so I'll do the stack overflow stuff. If it gets boring, please... we'll get back to the meat. Boring? Yeah, I know, but like, ah, questions now? There is actually some pretty cool stuff to say. Anybody knows how to bypass position independent executables, for instance? Okay. Position independent executable is the fact of having full randomization. Let's see that. Okay, so basically your stack overflow, blah blah blah, so you have a bunch of possible... I mean, compared to the very first articles like Aleph One and stuff like this, we've got non-executable bits, we've got stack cookies, we've got ASLR, position independent code, possibly static GOTs, and the real point where I'm saying it's not that interesting is that you can do the whole analysis and write the exploit statically. You don't need a debugger to do that, and I'm going to prove it to you.

SSP, so that's the main difficulty when writing remote stack overflows. This guy, Ben Hawkes, is a really sharp guy, in addition to being nice and being Australian. Yeah, top five. So, sure, at this con in Australia, which I really recommend to you, which is called Ruxcon, he showed that, basically, when you develop a server under Unix, to make the whole design more robust, what we do instead of using threads (because we could use pthreads, much like those, you know, Windows morons), what we do is actually forking, because it creates another process, and, like, we want to have two threads trying to write in the same memory, triggering race conditions or whatever. So what we do is actually creating a replica of the parent process by calling fork. When you do this, the process is going to inherit its stack cookie from its parent, because you're not calling execve, which is the only system call which is setting the stack cookie for you. So every single fork is going to have the same mapping in terms of ASLR, it's going to be the exact same mapping, and the stack cookie is going to be the same. So what Ben said is that, you know what, I'm going to overwrite byte by byte the stack cookie in different threads. So I create a new connection, I send the amount of data to fill in my stack buffer, and then I'm reaching my canary. I'm overwriting only the first byte; I have 256 trials, and after 256 tries one of them is actually going to succeed, and that's going to give me the first byte. So byte by byte; you have four bytes assuming a 32-bit architecture, so in 1024 tries you can actually brute force the stack cookie. Yep, that's

pretty bad, right? The second protection: honestly, the stack cookie was the absolute nightmare for everybody until pretty recently. FORTIFY is like a new compiler enhancement. Basically, at compilation time they're trying to replace, say, memcpy, which could be vulnerable when writing to a stack buffer through a stack overflow; so they're going to replace memcpy by __memcpy_chk, which takes an additional argument, and the additional argument is the maximum size of the buffer, assuming it can be known at compilation time, and it's going to check at runtime that you're not trying to copy past the end of the buffer. If you look at the implementation of, say, __memcpy_chk under Apple, it's scary, it completely sucks. What it does is verifying that the length you're giving at runtime is smaller than the actual size of the buffer, but it's not verifying that the copy is starting from the start of the buffer, meaning that if you have a buffer of 20 and you're starting the copy in the middle of the buffer with a size of 20, it's actually going to say, "eh, it's all right, man."

Let me show you something really cool about FORTIFY. I love it, I call it FORTIFY fail. All right, anybody can see what's the problem with this code here? Well, it's pretty legit, and if I ask GCC to compile it, so I'm going to use the FORTIFY flag... I'm going to ask you guys a favor: can anybody bring me a beer? Is this drinkable water? It's only water, right? I shall survive, right? So, depending on the exact version of your compiler, FORTIFY may be applied by default if you use an optimization level of at least two; if you use an optimization level greater than two you're being stupid, because it's not supported by GCC anyway. All right, so if I do this, GCC gives me a warning, but it does compile the thing, and if we look at the dynamic symbols inside the newly created binary, there is no __memcpy_chk whatsoever. So here FORTIFY actually failed, and it did so because it could not find the definition of memcpy. This is super bad, because if you take a binary like SSH you will find both memcpy and __memcpy_chk, which is actually expected, because FORTIFY cannot protect every single call to memcpy. It only protects those that actually copy to a static buffer with a known size in the stack; so if you copy data in the heap, or if the size of the buffer is not known in advance, then it's totally unable to protect the binary. Thing is, in sshd, imagine that one of the objects is actually using memcpy to copy data to a static buffer in the stack; if one of the objects actually failed to include string.h, like in my previous example, you're totally unable to see it. Thank you, man, I love you. Right, so the problem was actually that my definition of memcpy was missing, because string.h was missing from my daemon example here, but, you know, is it happening in SSH? Well, hard to say. All right, okay, so he's asking me if memcpy here

has length checking. So in the example I compiled, not at all; it completely failed. If you look at the symbols inside the binary I did compile, if it had this additional length check you would have __memcpy_chk. All right, it'll be more... what, larger? Yeah, sure, I can do that. I didn't get you, excuse me? Yep, so I'm not saying that SSH is actually vulnerable to anything; I'm just saying that it's impossible to verify that FORTIFY has been applied to every object which has been used to create the big SSH executable, and if you compile every single network daemon available on Linux you will probably find oodles of vulnerabilities of that kind, I mean missing checks like this. And you can credit me for your advisory... now, I'm kidding, I totally don't care.

All right, so the big thing is PIE, which stands for... come on, PIE, no? Yeah, position independent executable. The main idea is that even though we have ASLR, normally your main binary, unless you compile it with these new fancy flags, is not actually going to be randomized; meaning your shared libraries may be randomized, your heap and your stack are going to be randomized, but because at compile time the compiler is assuming that the base address of the main binary is going to be static, it's going to hard code all the references to other sections, like to data sections, to BSS sections, any other section in the binary, and therefore you cannot change the base address of the main executable. Which is pretty bad, because even if you have randomization and you don't have PIE, you have a lot... in case of stack overflows you can find ROP gadgets, for instance, inside the main executable, because the PLT is going to be at a static location. Just a sec. So if you want to do a return to PLT, or if you want to do ROP, you can find your gadgets at known locations. Yes? What, with 11.10? Yeah, it's gonna work with 11.10, but my version is 10.10. It's usually, you know, if it works and if you have this feature on 10.10, yeah, it's gonna be on the next versions too. Good question, thank you much. So if you look at a public exploit... I honestly could not find a real exploit for PIE. Well, he wrote one, but he failed at the compilation phase; you want to come on stage and discuss this? No? Okay.

All right, so the thing is, if you compile with PIE the main executable is going to be compiled like a shared library and it can be mapped at any address, so it can be randomized too, and then exploitation becomes a problem. Yes, it does, because even if you have an exploitable stack overflow and you can return anywhere, you control the stack and whatever, where do you return? You have no idea. Good news is, I found something for you. The main idea is that, okay, if we keep in mind the layout of the stack, you're going to have the buffer you're going to fill, then you have your stack cookie, that we know how to brute force, then we have the saved EBP, and then we have the saved EIP. The saved EBP is not that relevant, but the saved EIP is... if I get to know the saved EIP, basically I win. Why? Because the saved EIP is going to be the return address, which can be either in one library, and if I get the mapping of that

library I can find ROP gadgets or whatever inside that library entirely, not to mention that usually in Linux the libraries are only translated one from each other, meaning that if you have the base address of one library you usually have the base address of all the libraries, so in particular the libc, so in particular mprotect, so I can call mprotect or whatever. Or your return address, if it's not in a shared library, is going to be in your main binary, and if I find this return address I get the base address of the main binary, and if I get the base address of the main binary I have the PLT of the main binary, the whole executable of the main binary, and then back to, you know, what we need to do: ret2plt or ROP. Enough, let's have a demo.

Okay, I'm gonna show you something really cool here; I'm pretty proud of it, to be honest. Yeah, larger? Chill out, are you... well done? Yeah, I try Ctrl + +, it doesn't work for some reason. So all right, let's first verify that I'm not bullshitting you and that the binary is actually compiled with the state of the art. So there is a stack cookie, NX is enabled, I mean NX is enabled, and the binary is actually compiled with PIE. What is this full RELRO thing here? Full relocation means two things. First off, your destructors are before the data section. We don't really give a... but, like, in terms of, I mean, it's pretty standard when you have a BSS overflow to overwrite also the .dtors section, and to overwrite the pointer in the .dtors section to point to your shellcode. In case of a stack overflow it's irrelevant. And it also means another thing, which is that your global offset table is actually going to be solved by the dynamic linker at the very moment you execute the binary. So no lazy binding; it's a bit costly in terms of performance, but then your global offset table, instead of being writable, is remapped as read-only. So you cannot, like we often do when using ROP, you cannot patch the global offset table, right? So let me run this server here. Okay, and I'm going to run my cool exploit. Okay, so it's attacking my stuff here, right? It brute forces the stack cookie, then it brute forces the saved EIP, therefore it finds the base address of the text. When we have this, honestly, it's game over; we could use, say, ret2plt or ROP and we would not need any kind of brute forcing, but my exploit is much cooler, yeah man, hahaha. Let me explain you why I actually do brute force a bit the libc: because my exploit is going to work against any binary and not just that one. If I write a payload using ROP it's going to be very specific to one application; here the exploit I have can target, well, assuming you can reach the vulnerable buffer, it's going to be pretty universal. So I'm going to use another server. The one I ran here was server daemon or something; we have another server here which is server nopie, which is not compiled with PIE, so it's definitely not the same binary, right? The security properties are different: we don't have PIE, we don't have this full RELRO thing; well, actually, partial RELRO means that the

destructor section is before the BSS, but we don't have a static GOT, and we still have cookies. So let me run this application here, and I'm going to use the same exploit again. I'll just bump the stuff a bit; I'm going to run it as root, why not, I like root shells. No PIE, yep. So I'm going to use the same exploit against a different binary. So it found the cookie, then it found that it was not compiled with PIE, so my exploit is pretty smart, and I got my root shell. Okay, thank you. All right, so as you can see, remote stack overflows are not that interesting, and this is why the original tool we're getting back to is actually not targeting stack overflows. Any question? Too easy? All right, let's go to the meat.

So what I'm really interested in, to be fully honest, is not stack overflows, because, I mean, when you do security research and stuff you don't find that many stack overflows anymore. What you get a lot is invalid reads and invalid writes: like if you fuzz any kind of servers or whatever, or even local stuff, you get oodles of that stuff, like the lame perl bug I showed you, like this "compare something with nine" and the compare stuff is reading from the first page. Is this exploitable, or... So this is why we took the time to write a debugger. Dude, you don't like my talk? Are you bringing me beer? I love you. All right, the basics; you already care about the basics? Yeah, all right, so quickly, the basics: why do applications crash? All right, they can crash in many different ways. Basically you can hit an assert and it's going to abort and end up with a signal 6; you can get a stack corruption, and if it's compiled with SSP it's going to be caught by the end link routine of the libc; or, more interestingly, you can have an invalid memory access, which can be of three different types. You can try to execute a memory location you're not supposed to execute. What's the probability that this is going to be exploitable? Your application is dying and it's trying to execute something which is not supposed to be executed. No idea? Who says that this is very unlikely to be exploitable? Yeah, one person, two people, three. All right, who says it's like 50/50? All right, who says it's super likely to be exploitable? Well, the thing is, it depends if you can actually control the location, right? But if you control the location, I mean if the application is trying to execute a memory location it's not supposed to and you can control this location, you make it point to some data you control, and it's game over, right? I have slides to explain this.

All right, just why do bugs happen? All right, we don't really care; I mean, there are so many ways you can screw up, like variable misuse, yeah, blame my French, heap overflows, you know, overflows in any kind of sections. I'm especially interested in doing, like... if stack overflows are very well understood and there is some literature on heap overflows, there is kind of no tool which is currently usable for, say, BSS overflows, especially because of what I just mentioned: like if you have your .dtors which are before the BSS section, then in case you have a proper BSS overflow you need to overwrite something in this very section to achieve remote execution, and this something you're going to have to write in the BSS section, and which we're looking for, is actually called a function pointer. Same thing for heap overflows; like in

theory you can overwrite heap metadata. I'm assuming you have a, you know, a recent ptmalloc, I mean memory management; we're not in two thousand anymore, I mean we have safe unlinking and stuff like this, so by overwriting only heap metadata, I know in theory it does exist, but you need to be able to allocate thousands of chunks with arbitrary size and arbitrary content to achieve an arbitrary four-byte write. This is total... in real life the real way we do exploit heap overflows is basically: you find a function pointer in your heap, you overwrite the heap (I love you), finally you overwrite the function pointer and you make the function pointer point to data you control, and this is how we achieve arbitrary code execution. There's no poison null byte, there's no... all right. Obviously NX is going to be a problem, but I'm gonna discuss this. I have 51 minutes left, whoo.

All right, so back to the exact thing. Imagine I have call eax and I have a segmentation fault in that job; I mean, come on, if I control eax this is cheesy: you make eax point to data you control and that's it, it's going to be executed, or you make it point to an interesting routine inside the application. Invalid memory reads, that's pretty unlikely actually to be exploitable; there are some cases where it is. For instance, imagine this comparison is supposed to be true ninety-nine percent of the time and you can make it fail; it's going to take another branch and execute code it was not supposed to, and that's pretty bad. Yeah, question? Nope? Oh, good. Another example of an invalid memory write... invalid memory read, sorry. This one, this is kind of unlikely to recognize: FLD is like a floating point instruction, so if you're not super fluent in assembly it's not immediately obvious that this is actually a read, and PMCMA, so the tool, is going to find it for you.

All right, we don't care, we don't care, I'm going to skip to the demos; we have only 15 minutes left. Any questions? If you like the job... by meteors? Yep, you're asking me about the structure, the actual .dtors: is .dtors written, is .dtors read-only? So it depends. Like, .dtors, so the destructor section, the .dtors section, which is a section which contains an array of function pointers to be called when you basically call exit: when you have what we call partial relocation, yes, it's remapped before the data segment, so yeah, it's going to be remapped as read-only, but it really depends on how you compile your binary. And actually, if you're smart, you can produce a binary which has no .dtors section at all: like you can produce a custom linker script which removes the section entirely, or we put the .dtors section between two read-only sections and it's going to be mapped as read-only, which effectively means it's not going to be usable at all. Good question, thank you. Any other question? All right, so let's do the cool stuff. I'm gonna do a bunch of demos. Please give your hand to your neighbor, yeah, do it, we're going to pray together, we're going to pray to the demo god, because it never works in real life. All right, I'm going to start with a few videos, and if we have some time I'll run PMCMA on ssh, which is like the real job.

All right, let's start. I'm not too sure how much time I have left, so I'm going to start with that one. Yeah, it's fake, it's a movie, but I'm not gonna... or anything. After, man, I just want to show you how it works. So the idea is that, because I've been asked... yeah, mine is cooler now... we're using the tool to prototype the exploit and not to exploit. I'm saying this because I've been asked previously, so, I mean, some people... dude, yeah, I mean it's pretty obvious that if you can ptrace attach to ssh you're root already, so PMCMA is of no help to you. PMCMA is fine to prototype the exploit, and we don't actually use it during the real exploitation stage, right? I'm just mentioning it because some people got confused previously.

All right, here we go, sorry, here we go. So we're going to attack sudo. So I'm stopping sudo during its execution, I'm copying its PID, which is 2120 or something, and I'm attaching to this PID 2120, asking PMCMA to list only function pointers and, if it finds one, to actually exploit it. So here it's finding me a bunch; on the left it's telling me, "I found function pointers which are actually called," and the mapping of this function pointer is repeatable one hundred percent, which means this function pointer, in spite of ASLR, is going to be at the very same location all the time. What does it mean? Game over. If I overwrite one of those and I make it point to my shellcode, it's going to work. People who follow it should be like, well, there is one problem actually, it's NX: if you did introduce some shellcode, yeah, it should be in a writable zone and it should not be executable. I'll go back to this after the video. Well, here it's the debugger, obviously, it's kind of working. The cool thing here is that at the end of the video, yeah, here, it should create a TCP port on 666 and bind a shell to it, and since we are attacking sudo it's going to be running with root privileges. So let's run netcat on port 666, and we're root. Whoo, yeah, that was a video, but that was pretty cool. So you could applaud, I think. Thank you.

I'm going to show you why I wrote this whole tool entirely. I actually found a cool bug in Opera, so I need to do some voodoo here; I'm gonna explain the voodoo. Hey, no cheating, come on now. Under Ubuntu you cannot debug your own applications, like, yeah, I know, you need to set this particular key in the proc filesystem. I'm just going to run this as root; now I can debug my own applications, and I'm just going to run the stuff on Opera. All right, so I'm starting Opera with PMCMA; it's parsing. All right, here we go, and I'm going to trigger the bug. Yeah, that one, opera.plc... mind the size of the proof of concept, it's ridiculously small anyway. So Opera started and it's crashing on this instruction. Does this look exploitable? It looks pretty good, it's a write instruction, so maybe I can write anywhere in memory. Turns out I can; yes, I can write anywhere in memory. Problem is, eax is actually always null, so I can write 0 on four-byte-aligned memory anywhere I want. Is it exploitable,

Writing 0 anywhere? No, it doesn't look good at all, but it's not impossible, so let's see. All right, so it's doing my ASLR test. I'm just showing you here that the tool can actually scale to an application the size of Opera, even though the last stuff, yeah, so here it's going to take forever. Why? Because basically it's going to parse the heap, which is several hundreds of megabytes big, so this stuff is going to take like one hour or something, and it's going to find zero exploitable pointers. Because even if I find exploitable pointers, all function pointers in your binary are going to be 4-byte aligned, for compiler performance; basically your compiler is going to make sure that all your function pointers are 4-byte aligned, and if you can write 0 on 4-byte-aligned memory, all you can do is basically zero one function pointer, and you can also truncate one, which sucks. So, plan B. Yep, five minutes, thank you. Is it cheesy? No worries, no, I'm not going to restart Opera. So what's plan B? Okay, even if I find function pointers I cannot overwrite them to hijack them, I can only write zeros. So I felt like, you know what, I can still write pretty much anywhere I want in memory, and that's pretty cool. So what we're going to do is use pmcma to do something I find pretty amazing, which is tracing all the unaligned memory reads and writes. We do this by, basically, I'll let you look at the demo, which is going to trace ssh, and I'm going to explain how it works. Basically we're going to set one flag, it's called the alignment flag, in the EFLAGS register. So on the Intel architecture you have this special register which is called EFLAGS; there is this special flag which nobody ever uses which is called the alignment flag. When you set the alignment flag, every time your application is going to read or write from unaligned memory, it's going to trigger a signal 7, a SIGBUS. So pmcma is going to catch the SIGBUS and set back the trace flag, and effectively I'm going to trace all the memory reads and writes inside the application. I don't know any other way to do it, and what's cool about it is that, yep, sorry, here in ssh you can see that I find a bunch of reads into a word register. I'm using a 64-bit architecture just to show off and show you that it works on a 64-bit architecture, and if you want to port it to BSD, you're most welcome. Basically here the read is unaligned. Why? Because of the three here, and here because of the one, right: if you take any value, you multiply it by eight, you add another register and you add one, it's very likely to be unaligned. So this way we can list all the reads of variables into registers which are unaligned. So if I can only write 0 into memory, what I want to do is write at this location. Why? Because I'm going to find a variable I can truncate, and maybe I'm going to trigger a secondary bug inside the application. Wow. All right, one last thing and I'm done. Oh hey, that's cool, haha, all right.

Okay, so two things. I'm sorry, I'm going to be a bit quick about the inner workings of the process. So it doesn't work at all like gdb. What gdb does is basically you have gdb and it's ptracing another process, and that's it. My debugger, what it does is: we have the debugger, it's debugging its debugged process, and it's going to force it to fork, so it's going to recreate a replica of the very same, in terms of mappings, state of variables, stack cookie, whatever. An interesting property: it's going to create a clone, if you will, of the debugged process in memory, so you can repeat that. The whole thing is: how do I find all the function pointers in memory? Basically, in the first offspring I'm overwriting the first possible variable in writable memory, in the second fork I'm overwriting a different variable, etc., etc., etc., and I can do it n times. So the process is actually not super costly and it is exhaustive, so that's pretty cool. I'm skipping all the gory details; if you're interested, please go to the white paper.

The last thing, when I told you I bullshitted you, was the next thing, which should be, ah yeah, stack desynchronization. Oh, that's really interesting too, now okay, hey, next year you tell them to give me two slots. I thought that was genius when I found that, and I got an email from [name unclear] saying that was in my Phrack white paper five years ago. But yeah, that was a cool white paper, real world, and I felt even smarter because that guy is just a genius. Anyway, the idea is that NX is a problem: even if you manage to find a function pointer and overwrite it, you cannot point directly to your shellcode, because the shellcode you're going to load is going to be in writable memory and it's not going to be executable, if you have writable XOR executable. So how do you move around this? Well, the idea is that if you control a big buffer in the stack, what you do is, instead of returning to the normal function epilogue, which has a given size, you return to a different function epilogue, and what you're going to do is desynchronize the stack: if the stack is expected to, for instance, pop 10 variables, 10 bytes, before returning, and you pop 200, well, you're just desynchronizing the stack, and what you can do from here is actually create a fake stack frame inside the stack itself. Wow, that's really cool, and you can actually do that remotely. So the idea is that statically we can very, very well find, assuming you control a big buffer somewhere, just a sec, assuming you control a big buffer somewhere in the stack, you try to find a function epilogue which actually allows you to shift the function pointer bang in the middle of the buffer you control, and from there you can actually put a bunch of ret, I mean pointers to ret, which is going to act exactly like a NOP sled, and then you put your fake stack frame which is going to call mprotect, much like ROP, and copy the proper shellcode in a writable zone, call mprotect and make it executable. Yep?

Question: How do you do pop and push on the stack? Because normally it won't execute this. So if you have a stack segment, it won't execute, because in this thing you don't want to have an executable stack. Yeah, so you have a buffer in the stack and you can write a push instruction, a pop instruction, but it won't execute this.

Yeah, you miss the point: I'm not doing any pop or push, I'm returning. Because if I overwrite a function pointer, I control the next instruction to be executed; I can return to, say, sub esp, whatever, a very big value, pop, ret. So what I do is pointing to this different function, this different epilogue from the normal epilogue, and this is going to return in the middle of a big buffer, and if I control the big buffer then I create my fake stack frame over there. Yeah, any other question? Yep.

Question: Will the examples, including the sources, be downloadable, and if yes, where?

Anybody got the question? I missed it. Then, oh sorry, I'm going to get back to the address. Hey, thank you for helping me doing my little promotion, buddy. Here we go: so the source code can be downloaded on pmcma.org, okay, and the slides are over there too. And there's another question: is there a possibility to brute force the stack cookie without having heaps of forks of the program? So the thing is, this is not about pmcma, right, it's about the stack corruption thing. Basically, if your application is not forking, so if it's using threads, or even if it's simply not a network daemon, you're doing local exploitation, so you're attacking sudo: any time you're going to execute the binary the cookie is going to be different, right, so there is no way to brute force it. I mean you can brute force it in theory, you can try to find a 32-bit value, but that's really big; like doing 18 or 1000 tries is a lot smaller. This is what we do: effectively in Ubuntu the first byte is always 0, so the size of the stack cookie in 32-bit is actually 24 bits, there are 24 bits of randomness. That's really big, I mean it's in the millions, so you need to execute the exploit millions of times in order to get one working. If you're attacking BSD the cookie is always the same, it's called a null terminator, and if you're lucky, like if you can copy zeros, you actually know what the cookie is going to be, so there is zero randomness and you can actually write a reliable exploit without any kind of brute forcing. But that's just because the way they implement stack cookies is pretty lame compared to the Linux one. Any other questions? Thank you, mate. All right, thank you so much.