dangling pointer - owasp · code injection –the double reference exploit object allocated object...
TRANSCRIPT
1
Jonathan Afek, 1/8/07, BlackHat USA
Dangling PointerDangling Pointer
� What is a Dangling Pointer?
� Code Injection
� Object Overwriting
Demonstration
Table of Contents
2
� Demonstration
� Remediation
� Summary
� Q&A
Pointer3
What is a Dangling Pointer?
Invalid Pointer:
� Real Life Example
� Dangerous
Exploitable
Pointer1 Pointer2Dangling
Pointer
3
Deleted
ObjectNew DataObject
3
� Exploitable
� Common
ObjectObject
Pointer3 = new Object();…delete Pointer3;…Pointer3->func();
Application Code:
Overwritethe object
Pointer
What is a Dangling Pointer?
� Assembly
– Memory Layout
4
– Registers
– Assembly code
� What is a Dangling Pointer?
� Code Injection
� Object Overwriting
Demonstration
Where are We
5
� Demonstration
� Remediation
� Summary
� Q&A
Code Injection – The Layout of an Object
� Class_A:
class Class_A
{
int member_of_A;
vfunc_A1 CodeClass_A VFTableInstance_A memory
vfunc_A1 address
vfunc_A2 address
VFTABLE Pointer
member_of_AAssembly code
vfunc_A3 address
6
};
int member_of_A;
public:
virtual long vfunc_A1();
virtual long vfunc_A2();
virtual long vfunc_A3();
static void sfunc_A();
void funcA();
};
{
...
this.vfunc_A3();
...
}
……MOV EAX, [ECX]
CALL [EAX + 8]
……
vfunc_A2 Code
Assembly code
vfunc_A3 address
vfunc_A3 Code
Assembly code
Code Injection – The Double Reference Exploit
Exploit Overview:
– Free the Object
– Overwrite the Object
– Execute a Virtual Function
77
Shellcode
Finding a “VFTable”
Code Injection – The Double Reference Exploit
� Object Allocated
� Object De-allocated
� Overwriting Object
� VFunc3 Executed
Application Code:
8
Original ObjectFreed Space
delete a;a->v_func3();a = new A();
Pointer
“VFTABLE”
8
Memory Junk
Memory Junk
Pointer
Memory Junk
Memory Junk
“VFTABLE” Pointer
CALL/JMP ECX
ECX – Original Object
Application Code:
……MOV EAX, [ECX]
CALL [EAX + 8]
……
EAX – “VFTABLE”
SHELLCODE
� What is a Dangling Pointer?
� Code Injection
� Object Overwriting
Demonstration
Where are We
9
� Demonstration
� Remediation
� Summary
� Q&A
Object Overriding
� Allocation Implementation
– C-Runtime heap
– C-Runtime functions
• Malloc
• Free
1010
• Free
• New
• Delete
• Etc.
Object Overriding
� Allocation implementation details
– Lookaside List: Cache De-allcated Memory
• A list for each size (8-1024) (8)
• First Allocation Priority
11
Another De-Allocated
Buffer
NULL
40
Bytes
A De-Allocated Buffer
Next Buffer Pointer
40
Bytes
11
40 bytes
Lookaside list
base pointer
Object Overriding
� Exploit Review
� Overwriting
– Search for Allocations
• DisassemblyPointer3Dangling
Pointer
1212
• Same Size
• Controllable Content
Deleted
ObjectNew DataObject
Pointer3 = new Object();…delete Pointer3;…Pointer3->func();
Application Code:
Overwritethe object
Pointer
Object Overriding – The VFTABLE Exploit
� Empty the Lookaside List
� Allocate a Buffer
� Insert Content
……MOV EAX, [ECX]
� Free the Buffer
� Free the Object
� Execute a VFunc
13
Pointer
New Buffer
SHELLCODE
SHELLCODE
Rest of
SHELLCODE
Pointer
“VFTABLE”
“VFTABLE” Pointer
CALL/JMP EAX
Original Object
NULL
MOV EAX, [ECX]
CALL [EAX + 8]
……
ECX – Original Object EAX – “VFTABLE”
Object Overriding – The Lookaside Exploit
� Empty the Lookaside
� Allocate Two Buffers
� Insert Shellcode
� Free One Buffer
� Free the Other
� Free the Object
� Trigger the Bug
1414
The De-Allocated
Buffer
Pointer
A Function
Pointer
…
The De-Allocated
Object
Pointer
A VFTABLE
Pointer
…
The Shellcode
Buffer
NULL
ShellcodeGAME OVER!!!GAME OVER!!!
Object Overriding – The Lookaside Exploit
� Executing NULL – NO Problem
1515
Summary
� Double Reference Exploit
– Controllable First DWORD
– Static Address
� VFTABLE Exploit
– Controllable Allocations
16
– Controllable Allocations
– No First DWORD
– Static Address
� Lookaside Exploit
– Controllable Allocations
– No First DWORD
– No Static Address
– Destructor Execution
� What is a Dangling Pointer?
� Code Injection
� Object Overwriting
Demonstration
Where are We
17
� Demonstration
� Remediation
� Summary
� Q&A
Demonstration
� Putting it Together
– De-Allocate
– Inject
– Trigger
18
� What is a Dangling Pointer
� Code Injection
� Object Overwriting
Demonstration
Where are We
19
� Demonstration
� Remediation
� Summary
� Q&A
Remediation
� Known Protection Mechanisms
– NX Bit
– ASLR
� VFTABLE Sanitation
20
� Safe Programming
Summary
� Technical Background
– Memory Allocations
– Objects Implementation
� Exploits
21
– Double Reference Exploit
– VFTABLE Exploit
– Lookaside Exploit
� Demonstration
– Microsoft IIS 5.1
� Dangling Pointer
– Only Object Oriented Objects
More Information
� www.Watchfire.com
22
Questions
� Ask Away…
23