Mirrored for http://redd.it/19crcw==========================================

1. Mirrored for http://redd.it/19crcw
2.  
3. ================================================================================
4. Attacking the Windows 7/8 Address Space Randomization
5. Copyright (C) 2013 Kingcope
6.  
7. "Was nicht passt wird passend gemacht"
8. (English: "If it don't fit, use a bigger hammer.")
9. German phrase
10. ================================================================================
11.  
12.  
13. Synopsis - What this text is all about
14. ================================================================================
15.  
16. The following text is what looks like an attempt to circumvent windows 7 and
17. windows 8 memory protections in order to execute arbritrary assembly code.
18. The presented methods are in particular useful for client-side attacks as used
19. for example in browser exploits.
20. The topic that is discussed is a very complex one. At the time I started the
21. research I thought the idea behind the attack will be applied to real-world
22. scenarios quick and easy. I had to be convinced by the opposite.
23. The research was done without knowing much about the real internals of the
24. windows memory space protection but rather using brute force, trial & failure
25. in order to achieve what will be presented in the upcoming text. Be warned -
26. the methods to attack the protection mechanisms hereby presented are not
27. failsafe and can be improved. Tough in many cases it is possible to
28. completely bypass Windows 7 and especially Windows 8 ASLR by using the
29. techniques.
30.  
31.  
32. Target Software
33. ================================================================================
34.  
35. The used operating systems are Windows 7 and Windows 8, the included PoC code
36. runs on 32 Bits platforms and exploits Internet Explorer 8. All can be applied
37. to Internet Explorer 9 with modifications to the PoC code.
38. For Internet Explorer 10 the memory protection bypass is included and
39. demonstrated in the PoC. Executing code through return oriented programming
40. is left as an excercise to the reader.
41. The PoC makes use of the following vulnerability and therefore for testing the
42. PoC the patch must not be installed.
43. MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
44. This vulnerability is identified as CVE-2012-4969.
45. It might be possible to use the very same method to exploit other browsers
46. as other browsers give similar opportunities to the exploit writer. I don't want
47. to sound crazy but even other Operating Systems might be affected by this, yet
48. unconfirmed.
49.  
50.  
51. Current ways to exploit browsers
52. ================================================================================
53.  
54. Today alot of attention is brought to client side exploits especially inside
55. web browsers. Normally the exploitation is done through the old known method
56. of spraying the heap. This is done by populating the heap with nopsleds and
57. actual shellcode. By filling the heap in this way a heap overrun can be used
58. to rewrite the instruction pointer of the processor to a known heap address
59. where the shellcode resides quite deterministic.
60. In order to bypass protections like Data Execution Prevention a ROP chain is
61. built. There are exploits that install a stack pivot in the first place in
62. order to exploit a heap overrun as it would be a stack based buffer overrun
63. using a "return into code" technique. The mentioned modern ways to exploit
64. heap corruptions are documented very well.
65. When it comes to Windows 7 and Windows 8 exploitation the exploit writer
66. will face the obstacle of randomized memory space. There remains the simple
67. question where do I jump to when having control over the instruction pointer?
68. It might by possible to leak memory directly from the web browser and use this
69. information to gain information about the correct offsets and executable code
70. sections. This requires knowledge about a memory leak bug tough and therefore
71. is not used alot. Another option is to use old DLLs that do not have their
72. image bases randomized, for example older Java versions are known to have un-
73. randomized image bases. This option requires the use of third-party software
74. that has to be installed.
75. This text will present a new way to deal with the 'where do i jump when
76. I have code execution' problem.
77.  
78.  
79. Introduction to Windows memory randomization
80. ================================================================================
81.  
82. Windows 7 and Windows 8 have a special security relevant protection programmed
83. in. The so called A.S.L.R or '[A]ddress [S]pace [L]ayout [R]andomization' that
84. does nothing more than randomize every piece of memory, say its offsets.
85. For example the program image is randomized, the DLLs the program uses are
86. randomized too. There is not a single piece of memory from what one could say
87. after a reboot the data in the memory space will be at the same place as before
88. the reboot. The addresses even change when a program is restarted.
89.  
90.  
91. ActiveX and other useful features
92. ================================================================================
93.  
94. Web browser exploits have many advantages to other kinds of exploits.
95. For example JavaScript code can be executed inside the webbrowser. This is also
96. the tool that heap spraying makes use of.
97. Let us have a look at what happens if we load an ActiveX object dynamically
98. when a web page loads. The ActiveX object we will load is the Windows Media
99. Player control. This can either be done using JavaScript or plain HTML code.
100. At the point the ActiveX object is loaded Windows will internally load the
101. DLLs into memory space if they previously where not inside the programs
102. memory space. The offset of loading the DLLs in memory space is completely
103. random. At least it should be. Let us now see how we can manage to put a DLL
104. into memory space at a fixed address by loading an ActiveX object at runtime.
105.  
106.  
107. Exhausting memory space and squeezing DLLs into memory
108. ================================================================================
109.  
110. The nuts and bolts of what is presented here is the idea that DLLs are loaded
111. into memory space if there is memory available, and if there is no memory or
112. only small amounts of memory available then the DLL will be put into the
113. remaining memory hole. This sounds simple. And it works, we can load a DLL
114. into a remaining memory hole. First of all the exploit writer has to code
115. a javascript routine that does fill memory until the memory boundary is hit
116. and a javascript exception is raised. When the memory is filled up the installed
117. javascript exception handler will execute javascript code that frees small
118. chunks of memory in several steps, each step the javascript code will try to
119. load an ActiveX object. The result is that the DLL (sometimes there are several
120. DLLs loaded for an ActiveX object) will be loaded at a predictable address.
121. This means that now the exploit writer has a predictable address to jump to and
122. the 'where do i jump when I have code execution' problem is solved.
123. One problem the method has is that Windows will become unresponsive at the time
124. memory is exhausted but will resume normal operation after the DLL is loaded
125. at a fixed address and the memory is freed using the javascript code.
126.  
127. Summary of exploitation stages:
128. * Fill the heap with random bytes until all memory is used up.
129. During the heap filling stage Windows might become unresponsive and will relax
130. soon afterwards
131. ·* Free small heap blocks one by one and try adding a DLL
132. (for example by using a new ActiveX Object that is loadable without a warning
133. by Internet Explorer) This DLL (and the DLLs that are loaded from it) will
134. be squeezed into the remaining memory region (the space that was freed by us
135. through JavaScript). This address is fixed and predictable for us to jump to
136. * Free the remaining memory blocks which were allocated before
137. * Spray the heap using the well known method
138. * Finally trigger the heap corruption and jump to this fixed DLL base to
139. execute our code in a ROP manner.
140.  
141. To say it abstract the exploit writer has to be especially careful about the
142. timing in the JavaScript code and about the memory the exploit routines
143. themselves take up.
144.  
145.  
146. ROP chain and the LoadLibrary API
147. ================================================================================
148.  
149. At the time we have loaded the DLL at a predictable address it is possible to
150. use a ROP chain in order to execute shellcode. The PoC code goes a much simpler
151. path. It will use a short ROP chain and call the LoadLibrary API that is
152. contained in the Windows Media Player DLLs. This way another DLL can be fetched
153. from a WebDAV share and loaded into the Internet Explorer memory space in order
154. to fully execute arbritrary code.
155.  
156.  
157. Windows 8 singularity
158. ================================================================================
159.  
160. Testcases have shown that Windows 8 behaves more vulnerable to the method than
161. Windows 7. In Windows 8 the DLL will be loaded at the very low address 0x10000
162. and more reliable than in Windows 7. Windows 7 is much more persistant in
163. loading the DLL at a fixed memory address. The testcases for Windows 7 have
164. shown that the DLL will be loaded at the predictable address at least 7 out of
165. 10 times of loading the exploit.
166.  
167.  
168. The PoC codes
169. ================================================================================
170.  
171. There are two different PoCs, one for Windows 7 and one for Windows 8.
172. The Windows 8 code is a slightly modified version of the Windows 7 code.
173. Please note that Windows Defender detects the Win8 PoC as being an exploit and
174. blocks execution. The parts which are detectable by windows defender are
175. not needed for the A.S.L.R. attack to work. Please disable Windows Defender
176. if you test the Windows 8 PoC for now.
177.  
178. The Windows 7 PoC is successful if it loads gdiplus.dll at the predictable
179. fixed offset 0x7F7F0000. If you are lucky and have set up the exploit
180. appropriately the payload will be executed, which is currently a MessageBox that
181. pops up.
182. The Windows 8 PoC is successful if it loads gdiplus.dll at the predictable
183. fixed offset 0x10000.
184. Please note that wmp.dll (Windows Media Player DLL) and gdiplus.dll should not
185. be in the Internet Explorer address space prior to executing the PoC for it
186. to succeed.
187. As a final note, the PoC does not depend on the ActiveX control that is added it
188. can be changed with some effort to load a different DLL.
189.  
190. Here are the mappings I tested when the PoC succeeds:
191.  
192. Windows 7 32-Bit Service Pack 0 & Service Pack 1 across reboots:
193. Address Size Owner Section Contains Type Access
194. 7F7F0000 00001000 gdiplus PE header Imag R RWE
195. 7F7F1000 0016B000 gdiplus .text code,imports Imag R RWE
196. 7F95C000 00008000 gdiplus .data data Imag R RWE
197. 7F964000 00001000 gdiplus Shared Imag R RWE
198. 7F965000 00012000 gdiplus .rsrc resources Imag R RWE
199. 7F977000 00009000 gdiplus .reloc relocations Imag R RWE
200.  
201. Windows 8 32-Bit across reboots:
202. Address Size Owner Section Contains Type Access
203. 00010000 00001000 gdiplus PE header Imag R RWE
204. 00011000 00142000 gdiplus .text code,exports Imag R RWE
205. 00153000 00002000 gdiplus .data Imag R RWE
206. 00155000 00003000 gdiplus .idata imports Imag R RWE
207. 00158000 00012000 gdiplus .rsrc resources Imag R RWE
208. 0016A000 00009000 gdiplus .reloc relocations Imag R RWE
209.  
210. Enjoy!