This document outlines a technique for executing arbitrary binaries in memory on a Mac OS X machine by defeating address space layout randomization (ASLR). It discusses: 1. The structure of Mach-O files and how binaries are executed by the kernel and dynamic linker in Mac OS X. 2. A proposed attack that embeds a shellcode and crafted stack in a binary to impersonate the kernel and load a new binary into memory. 3. How ASLR works in Mac OS X Leopard and a method to retrieve the base address of the libSystem library to adjust symbol addresses and defeat ASLR, enhancing the attack. 4. A demonstration of the technique executing Nmap and Safari

1. Let your Mach-O fly
Vincenzo Iozzo
snagg@sikurezza.org

2. 03/08/2010
Who am I?
• Student at Politecnico di Milano.
• Security Consultant at Secure Network
srl.
• Reverse Engineer at Zynamics GmbH.
2

3. 03/08/2010
Goal of the talk
In-memory execution of arbitrary binaries
on a Mac OS X machine.
3

4. 03/08/2010
Talk outline
• Mach-O file structure
• XNU binary execution
• Attack technique
• Defeat ASLR on libraries to enhance
the attack
4

5. 03/08/2010
Talk outline
• Mach-O file structure
• XNU binary execution
• Attack technique
• Defeat ASLR on libraries to enhance
the attack
5

6. 03/08/2010
Mach-O file
• Header structure: information on the target
architecture and options to interpret the file.
• Load commands: symbol table location,
registers state.
• Segments: define region of the virtual
memory, contain sections with code or data.
6

7. 03/08/2010
Segment and Sections
segment section
Virtual Virtual
address Address
0x1000 0x1d54
Virtual Virtual
memory size memory size
0x1000 0x275
File Offset File Offset
0x0 0xd54
File Size
0x1000
7

8. 03/08/2010
Important segments
• __PAGEZERO, if a piece of code accesses
NULL it lands here. no protection flags.
• __TEXT, holds code and read-only data. RX
protection.
• __DATA, holds data. RW protection.
• __LINKEDIT, holds information for the
dynamic linker including symbol and string
tables. RW protection.
8

9. 03/08/2010
Mach-O representation
9

10. 03/08/2010
Talk outline
• Mach-O file structure
• XNU binary execution
• Attack technique
• Defeat ASLR on libraries to enhance
the attack
10

11. 03/08/2010
Binary execution
• Conducted by the kernel and the
dynamic linker.
• The kernel, when finishes his part,
jumps to the dynamic linker entry point.
• The dynamic linker is not randomized.
11

12. 03/08/2010
Execution steps
Kernel Dynamic linker
• Maps the dynamic linker • Retrieves base address
in the process address of the binary.
space. • Resolves symbols.
• Parses the header • Resolves library
structure and loads all dependencies.
segments. • Jumps to the binary entry
• Creates a new stack. point.
12

13. 03/08/2010
Stack
• Mach-O file base address.
• Command line arguments.
• Environment variables.
• Execution path.
• All padded.
13

14. 03/08/2010
Stack representation
14

15. 03/08/2010
Talk outline
• Mach-O file structure
• XNU binary execution
• Attack technique
• Defeat ASLR on libraries to enhance
the attack
15

16. 03/08/2010
Proposed attack
• Userland-exec attack.
• Encapsulate a shellcode, aka auto-
loader, and a crafted stack in the
injected binary.
• Execute the auto-loader in the address
space of the attacked process.
16

17. 03/08/2010
WWW
• Who: an attacker with a remote code
execution in his pocket.
• Where: the attack is two-staged. First
run a shellcode to receive the binary,
then run the auto-loader contained in
the binary.
• Why: later in this talk.
17

18. 03/08/2010
What kind of binaries?
Any Mach-O file, from ls to Safari
18

19. 03/08/2010
A nice picture
19

20. 03/08/2010
Infected binary
• We need to find a place to store the
auto-loader and the crafted stack.
• __PAGEZERO infection technique.
• Cavity infector technique.
20

21. 03/08/2010
__PAGEZERO INFECTION
• Change __PAGEZERO protection flags
with a custom value.
• Store the crafted stack and the auto-
loader code at the end of the binary.
• Point __PAGEZERO to the crafted
stack.
• Overwrite the first bytes of the file with
the auto-loader address.
21

22. 03/08/2010
Binary layout
22

23. 03/08/2010
Auto-loader
• Impersonates the kernel.
• Un-maps the old binary.
• Maps the new one.
23

24. 03/08/2010
Auto-loader description
• Parses the binary.
• Reads the virtual addresses of the
injected binary segments.
• Unloads the attacked binary segments
pointed by the virtual addresses.
• Loads the injected binary segments.
24

25. 03/08/2010
Auto-loader description(2)
• Maps the crafted stack referenced by
__PAGEZERO.
• Cleans registers.
• Cleans some libSystem variables.
• Jumps to dynamic linker entry point.
25

26. 03/08/2010
We do like pictures, don’t we?
Victim’s process address space
TEXT DATA LINKEDIT SEGMENT
-N
TEXT DATA LINKEDIT SEGMENT-N
26

27. 03/08/2010
libSystem variables
• _malloc_def_zone_state
• _NXArgv_pointer
• _malloc_num_zones
• __keymgr_global
27

28. 03/08/2010
Why are those variables
important?
• They are used in the initialization of
malloc.
• Two of them are used for command line
arguments parsing.
• Not cleaning them will result in a crash.
28

29. 03/08/2010
Hunts the variables
• Mac OS X Leopard has ASLR for
libraries.
• Those variables are not exported.
• Cannot use dlopen()/dlsym() combo.
29

30. 03/08/2010
Talk outline
• Mach-O file structure
• XNU binary execution
• Attack technique
• Defeat ASLR on libraries to enhance
the attack
30

31. 03/08/2010
Defeat ASLR
• Retrieve libSystem in-memory base
address.
• Read symbols from the libSystem
binary.
• Adjust symbols to the new address.
31

32. 03/08/2010
How ASLR works in Leopard
• Only libraries are randomized.
• The randomization is performed
whenever the system or the libraries are
updated.
• Library segments addresses are saved
in dyld_shared_cache_arch.map.
32

33. 03/08/2010
Retrieve libSystem address
• Parse • Adopt functions
dyld_shared_cache exported by the
_i386.map and dynamic linker and
search for libSystem perform the whole
entry. task in-memory.
33

34. 03/08/2010
Dyld functions
• _dyld_image_count() used to retrieve the
number of linked libraries of a process.
• _dyld_get_image_header() used to retrieve
the base address of each library.
• _dyld_get_image_name() used to retrieve
the name of a given library.
34

35. 03/08/2010
Find ‘em
• Parse dyld load commands.
• Retrieve __LINKEDIT address.
• Iterate dyld symbol table and search for
the functions name in __LINKEDIT.
35

36. 03/08/2010
Back to libSystem
• Non-exported symbols are taken out
from the symbol table when loaded.
• Open libSystem binary, find the
variables in the symbol table.
• Adjust variables to the base address of
the in-memory __DATA segment.
36

37. 03/08/2010
Put pieces together
• Iterate the header structure of libSystem
in-memory and find the __DATA base
address.
– __DATA base address 0x2000
– Symbol at 0x2054
– In-memory __DATA base address 0x4000
– Symbol in-memory at 0x4054
37

38. 03/08/2010
Results
• Run a binary into an arbitrary machine.
• No traces on the hard-disk.
• No execve(), the kernel doesn’t know
about us.
• It works with every binary.
• It is possible to write payloads in a high
level language.
38

39. 03/08/2010
Demo description
• Run a simple piece of code which acts
like a shellcode and retrieve the binary.
• Execute the attack with nmap and
Safari.
• Show network dump.
• Show memory layout before and after
the attack.
39

40. 03/08/2010
DEMO
40

41. 03/08/2010
Future developments
• Employ encryption to avoid NIDS
detection.
• Using cavity infector technique.
• Port the code to iPhone to evade code
signing protection ( Catch you at BH
Europe).
41

42. 03/08/2010
Thanks, questions?
42