EEye Digital Security Advanced Return Address Discovery using Context- Aware Machine Code Emulation...

eEye D

igit

al S

ecu

rity Advanced Return Address

Discovery using Context-Aware Machine Code Emulation

Presented byDerek Soeder,

Ryan Permeh, & Yuji Ukai

eEye D

igit

al S

ecu

rity

Introduction

Return Addresses and You

eEye D

igit

al S

ecu

rity

What is a Return Address?

• Subverting a function pointer

• So you have EIP, now what?

• Redirecting flow of execution

Stack buffer Caller’s EIP …Our EIP Our payloadOVERFLOW

eEye D

igit

al S

ecu

rity

Return Addresses in the Past

• Static address of a stack buffer

• Unix versus Windows stacks

• Problems with dynamic stacks and heap buffers

eEye D

igit

al S

ecu

rity

Return Addresses: Present

• Simple one- or two-instruction redirects (e.g., CALL/JMP reg)

• Scanning for byte sequences

• Change across image versions

CALL reg:FF/D0 .. FF/D7

JMP reg: FF/E0 .. FF/E7

PUSH reg / RET: 50/C2 .. 57/C2 or 50/C3 .. 57/C3

eEye D

igit

al S

ecu

rity

Enter EEREAP

• Similarities to current solutions– Finds viable points to execution– Examines process snapshot

Exhaustive Return Address Discovery using Machine Code Emulation

eEye D

igit

al S

ecu

rity

EEREAP

• Differences from current solutions– Emulates machine code at each candidate

address to see if it will reach payload– EEREAP doesn't search for byte

sequences – it actually emulates at each address to see if that code can get execution to a specified target


eEye D

igit

al S

ecu

rity

EEREAP Continued

• Benefits of this approach– Finds more than simple instructions– Potentially every viable path will be

uncovered– More possible addresses to match across

various revisions of victim code – more universal or ASCII return addresses?


eEye D

igit

al S

ecu

rity

EEREAP Concluded

• The execution flow beginning when a candidate address is loaded is the real-world determinant of its effectiveness.

• Emulating at each candidate is a theoretically-ideal solution, limited only by the amount of context information and engine capabilities.


eEye D

igit

al S

ecu

rity

How It Works

Welcome to the EEREAP Magical Mystery Tour

eEye D

igit

al S

ecu

rity

Overview

• EEREAP is an Intel 32-bit machine code emulation engine that supports nondeterminism (undefined values) and abstract address spaces

• Accepts a “state” and emulates at each candidate address to determine which will cause execution to reach a target memory region

eEye D

igit

al S

ecu

rity

EEREAP – State

• A path from the registers to a target buffer must exist

• Requires user observation to construct

• If there is a way from the initial state to the target buffer, EEREAP is designed to find it

State is given as a process memory snapshot and a context stating any available information on registers and memory contents.

eEye D

igit

al S

ecu

rity

EEREAP – Memory Regions

Memory regions are expressed abstractly because their locations shift between instances of a vulnerable process

Example:ESP EDI (pointer to payload in heap)

Run 1: 0012FEC4 025470A8

Run 2: 0032FEC4 0252F308

Run 3: 0022FEC4 025206A0

“Stack” and “heap block” are both identifiable memory regions whose addresses shift between runs, due to the dynamic nature of thread creation and heap memory allocation.

eEye D

igit

al S

ecu

rity

EEREAP – Context

Supplies register and memory values (integers or pointers) and defines memory regions

• Integers are tracked on the bit level (each bit is maintained as 0, 1, or X) – especially important for EFLAGS

• Pointers are a memory region ('virt' – the 4GB virtual address space – or a user-defined region) plus an integer offset

eEye D

igit

al S

ecu

rity

EEREAP – Context 2

Memory regions must be given a size, and can be defined with certain attributes as appropriate

• Size is usually just a guess, because an exact size often cannot be determined

• Attributes:– Read-Only – emulation fails on write

access; useful for protecting payload– Target – region contains a payload;

emulation ends successfully for return address candidate if execution reaches it

eEye D

igit

al S

ecu

rity

EEREAP – Context 3

• Memory regions can be “mapped” by specifying that one region starts at a relative offset within another

• For instance, a target buffer could be located in the stack, or a data area could be assigned a virtual address

• On dereference, attributes of all regions overlapping at address apply

eEye D

igit

al S

ecu

rity

EEREAP – Context Example

# defines STACK as a 64KB writable address space

STACK = 00XXXXXXh : 65536, RW# ESP is a pointer to offset E000h within ‘STACK’

ESP = STACK + E000h# BUFFER maps into STACK at offset E09Ch

BUFFER @ STACK + E09Ch : 128, TARGET, RO# memory at STACK + E004h contains a pointer into BUFFER

[STACK+E004h] = BUFFER + 8

EAX = 0ECX = 3FFXXXXXhEBP = STACK + E134h[EBP] = STACK + E180hESI = STACK + E01ChTIB = 7FFXX000h : 4096, RWFS = TIBEFLAGS = 0010000X0X1Xb

eEye D

igit

al S

ecu

rity

EEREAP – Emulation

• For each return address candidate, emulation is started fresh:– EIP points to that address– Other registers and memory are initialized

according to the context

• These runs will be referred to as “emulation threads,” although only one is really performed at a time

eEye D

igit

al S

ecu

rity

EEREAP – Emulation 2

• Arithmetic attempts to preserve the destination as a pointer (if possible), then as an integer

• Takes unknown bits into account, erring on the side of nondeterminism

• EFLAGS are also modified and may be partially undefined

Each instruction is emulated as faithfully as possible…

eEye D

igit

al S

ecu

rity


• The thread dies if anything occurs that could affect execution unpredictably:– A pointer dereference exceeds the bounds

of its memory region– A write occurs on read-only memory– A 'virt' pointer accesses invalid memory– An invalid opcode, privileged instruction,

potential divide-by-zero, etc., occurs

But sometimes faith just isn’t enough

eEye D

igit

al S

ecu

rity


• An instruction execution countdown is used to prevent infinite loops

• If a Jcc or LOOPcc is reached with EFLAGS/ECX undefined, we follow both possible execution paths– Parent succeeds if both children “threads”

reach a target buffer– Each child gets a copy of parent's context

with the instruction countdown halved

Loops and Branches

eEye D

igit

al S

ecu

rity


Success!

If an emulation thread (or both of its children, if it forked) reaches a memory region marked as Target, the return address candidate at which it started is considered a success and is logged.

eEye D

igit

al S

ecu

rity

How to Use It / Demonstration

Don’t Fear the EEREAPer

eEye D

igit

al S

ecu

rity

EEREAP – How-To

• Crash the target process using the vulnerability to be exploited– Should put the process as close as

possible to the state that will be in effect when execution is hijacked

– e.g., a finished exploit with an invalid return address (0x41414141, anyone?)

– Process should definitely have a debugger on it with first-chance exceptions caught

eEye D

igit

al S

ecu

rity

EEREAP – How-To 2

• Use 'psnap' to grab a process memory snapshot

C:\>psnap.exe --priority --suspend -a:r -c:w 260 lsass.ees

* Record: micdhstp ---* Write: --c----- ---

[#] 00010000..00010FFF .................................. Recorded [#] 00020000..00020FFF .................................. Recorded [ ] 00030000..00065FFF ................................... Ignored [G] 00066000..00066FFF ................................... Ignored [#] 00067000..0006FFFF .................................. Recorded [#] 00070000..00120FFF Heap .............................. Recorded [ ] 00121000..0016FFFF Heap ............................... Ignored... [#] 00CAA000..00CAFFFF Stack ............................. Recorded [#] 01000000..01000FFF Image - lsass.exe ................ Recorded [#] 01001000..01001FFF Code - lsass.exe:.text ........... Written [#] 01002000..01002FFF Data - lsass.exe:.data .......... Recorded [#] 01003000..01009FFF Data - lsass.exe:.rsrc .......... Recorded [ ] 01090000..010C8FFF Stack .............................. Ignored [G] 010C9000..010C9FFF Stack .............................. Ignored...Saved process 260 snapshot to "lsass.ees" (12795328 bytes).

eEye D

igit

al S

ecu

rity

EEREAP – How-To 3

• Create the context– Study the environment at crash time:

consistent pointers and integers; memory regions of interest

– Reverse engineer as desired

– Context and snapshot are both specific to one version of the vulnerable process

eEye D

igit

al S

ecu

rity

EEREAP – How-To 4

STACK = 0XXXA000H:6000H,RW

EAX=00000000HEBX=00000000HECX=STACK+5D38HEDX=785B2C60HESI=00000004HEDI=STACK+5A58HESP=STACK+5A14HEBP=XXXXXXXXHEFLAGS=0296H

BUFFER@STACK+5A14H:10H,RO,TARGET

• Context for exploiting LSASS (SP4)

eEye D

igit

al S

ecu

rity

EEREAP – How-To 5

• Run EEREAP!

• Windows 2000 Advanced Server (English) No SP/Patch• Windows 2000 Advanced Server (English) SP3 No Patch• Windows 2000 Advanced Server (English) SP4 No Patch

LSASS.EXE (MS04-011)

Tested Platform :

Tested Process :

eEye D

igit

al S

ecu

rity

• Result - Performance

Windows 2000 SP4

Windows 2000 SP3

Windows 2000 SP0

824

796

542126

143

167

0 200 400 600 800

EEREAP

Simple Search

Comparison with common used return address finder - (jmp esp, call esp, push esp/ret)

EEREAP – Result 1

eEye D

igit

al S

ecu

rity

• Distribution: number of instructions to target buffer

EEREAP – Result 2

# Instructions Addresses1 572 683 564 585 626 457 368 219 21

10 1311 1512 1513 2314 2

15 or more 50Total 542

Maximum # of instructions = 80

- Windows 2000 SP0

eEye D

igit

al S

ecu

rity


EEREAP – Result 3


10 2211 2212 1613 2214 2


- Windows 2000 SP3

• Distribution: number of instructions to target buffer

eEye D

igit

al S

ecu

rity

EEREAP – Result 4

• Distribution: number of instructions to target buffer- Windows 2000 SP4



10 2011 2212 1313 1114 5


eEye D

igit

al S

ecu

rity

EEREAP – Result 5

• Return addresses exist onWindows 2000 SP0, SP3, and SP4

750231e2H

751c255eH

7732c167H

773e661fH

77836305H

77836307H

77836309H

eEye D

igit

al S

ecu

rity

• Example return address for SP4 with 27 instructions

78599354 push esp78599355 and al,0Ch78599357 push edi78599358 push 77859935A xor eax,eax7859935C pop ecx7859935D mov edi,edx7859935F rep stosd78599361 mov eax,[esp+0Ch]78599365 xor ecx,ecx78599367 mov [edx],eax78599369 mov eax, [esp+8]7859936D cmp eax,ecx7859936F mov [edx+0Ch],cl

78599372 je 78599384

78599374 mov [edx+4],eax78599377 mov [edx+8],10h7859937E xor eax,eax78599380 pop edi78599381 ret 0Ch

78599384 mov [edx+4],ecx78599387 mov [edx+8],ecx7859937E xor eax,eax78599380 pop edi78599381 ret 0Ch

EEREAP – Result 6

eEye D

igit

al S

ecu

rity

EEREAP – Demonstration

• Plug in a suitable return address and try it out…

eEye D

igit

al S

ecu

rity

To-Do

You Can’t Always Get What You Want

eEye D

igit

al S

ecu

rity

EEREAP – To Do

• Use EEREAP to find a completely universal offset (all languages/versions)

• Maintain results of pointer arithmetic as expressions (e.g., ~((~ptr)+1) = ptr-1, rather than ~ptr = X, X+1 = X, ~X = X)

• Automated context reconnaissance? (could be done third-party *hint*)

• Emulate exception handlers?

eEye D

igit

al S

ecu

rity

Questions?!

Ask an eEye Engineer

Price $1.00

Questions? Comments? Email <[email protected]> today!

EEye Digital Security Advanced Return Address Discovery using Context- Aware Machine Code Emulation...

Documents

Transcript of EEye Digital Security Advanced Return Address Discovery using Context- Aware Machine Code Emulation...