Steven Seeley – Ruxcon 2012
C:\> whoami /all
● mr_me
● Security Researcher @ Immunity Inc
● A member of Corelan Security Team
● ruby python developer
● reverse engineering
● exploit developer
Disclaimer(s)
No zerodays were hurt during the making of this presentation
Sorry, but some Windows heap knowledge is assumed
Agenda
● What is 'heaper'?
● Development motivators
● Meta data attack techniques
● Functional design
● Installation
● Using heaper
● Demo analysing a heap overflow
● Limitations
● Future work
● Conclusion
But first. An entomologist's lesson.
Definition of a chameleon?
Chameleon (n) A small slow-moving Old World lizard
with a prehensile tail, long extensible tongue, protruding eyes that rotate independently, and a highly developed ability to change color
A chameleon's diet
Similarities

| Chameleon | Heap manager analysis |
|---|---|
| Slow moving | Slow evolution of security in heap managers* |
| Protruding, rotating eyes | Symptoms of long debugging sessions |
| Ability to change color rapidly | Ability to change its state rapidly |
| Kills and eats bugs | Difficulty leads to disclosure, in hope of other researchers demonstrating exploitation |

* Some exceptions, such as implementations on mobile platforms, for example WebKit
What is heaper?
● A multi-platform win32 heap analysis tool
● A plug-in for Immunity Debugger
● Developed in Python using immlib/heaplib
● An offensive-focused tool:
  ● Visualize the heap layout
  ● Determine exploitable conditions using meta-data
  ● Find application-specific heap primitives
  ● Find application-specific function pointers
  ● Modify heap structures on the fly for simulation
Development motivators
Meta data attack techniques

| Technique | Platform | Difficulty* | Reliability* | Supported |
|---|---|---|---|---|
| Coalesce unlink() | NT 5.[0/1] | 10% | 100% | Yes |
| VirtualAlloc block unlink() | NT 5.[0/1] | Unknown | Unknown | No |
| Lookaside head overwrite | NT 5.2 | 50-60% | Unknown | Yes |
| Freelist insert/search/relink | NT 5.2 | Unknown | Unknown | Yes |
| Bitmap flip | NT 5.2 | 50-60% | Unknown | Yes |
| Heap cache desynchronisation | NT 5.2 | 90% | Unknown | No |
| Critical section unlink() | NT 5.2 | 50% | 70% | No |
| FreeEntryOverwrite | NT 6.[0/1] | 50% | 60% | Yes |
| Segment Offset | NT 6.[0/1] | 50% | 80% | Yes |
| Depth De-sync | NT 6.[0/1] | 50% | 70% | Yes |
| UserBlocks Overwrite | NT 6.2 | 90% | 40% | No |
| Application data | ANY | Unknown | Unknown | Yes |

* Difficulty/reliability are estimated from specific testing and will vary largely depending on context
Functional design
● Object-oriented design
● Easily extendable
● Chunk validation based on allocator ordering & categorization
● General heuristics check per allocator
Chunk validation:
Full unlink() macro validation!
Chunk validation:
● Let's say we have chunk 0x0026fee8 in FreeList[0].
● We know the relative offsets:
  ● 0x0026fee8+0x0 is the size
  ● 0x0026fee8+0x2 is the previous chunk's size
  ● 0x0026fee8+0x4 is the cookie
  ● 0x0026fee8+0x8 is the Flink/Blink
Therefore, we can validate the chunk based on its positioning and by reading memory
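The relative-offset validation described above, carried out on a constructed XP-style memory snapshot. This is an added example written for this page, not heaper's or heaplib's code: it reads the 8-byte _HEAP_ENTRY header (Size, PreviousSize, cookie, Flags) and the LIST_ENTRY at +8, checks the next chunk's PreviousSize against this chunk's Size, and applies the full unlink() check (Flink->Blink == entry and Blink->Flink == entry) that a safe-unlinking allocator performs. The heap base, the FreeList[0] offset 0x178 inside _HEAP, the chunk addresses, the overflow payload and the cookie formula (chunk >> 3) & 0xff are assumptions made for the example.

```python
import struct

HEADER = struct.Struct("<HHBBBB")  # Size, PreviousSize, SmallTagIndex (cookie), Flags, UnusedBytes, SegmentIndex
LINKS = struct.Struct("<II")       # LIST_ENTRY: Flink, Blink
UNIT = 8                           # Size and PreviousSize count 8-byte units
FLAG_BUSY = 0x01
FREELIST0_OFF = 0x178              # assumed _HEAP.FreeLists[0] offset; only the relative layout matters


class Snapshot:
    """Flat copy of a heap region; stands in for the debugger's memory reads."""

    def __init__(self, base, length):
        self.base, self.buf = base, bytearray(length)

    def contains(self, addr, n=1):
        return self.base <= addr and addr + n <= self.base + len(self.buf)

    def read(self, addr, n):
        if not self.contains(addr, n):
            raise ValueError("0x%08x is outside the snapshot" % addr)
        return bytes(self.buf[addr - self.base:addr - self.base + n])

    def write(self, addr, data):
        self.buf[addr - self.base:addr - self.base + len(data)] = data


def cookie_for(chunk):
    # Assumption: the XP SP2 header cookie is (chunk address >> 3) & 0xff.
    return (chunk >> 3) & 0xff


def read_header(snap, chunk):
    size, prev, cookie, flags, _unused, _seg = HEADER.unpack(snap.read(chunk, 8))
    return {"size": size * UNIT, "prev": prev * UNIT, "cookie": cookie, "flags": flags}


def read_links(snap, entry):
    """entry is a LIST_ENTRY address: a free chunk's +8, or the FreeList[n] head inside _HEAP."""
    return LINKS.unpack(snap.read(entry, 8))


def validate_free_chunk(snap, chunk):
    """Problems found for the free chunk whose header is at chunk; an empty list means it passes."""
    problems = []
    hdr = read_header(snap, chunk)
    if hdr["cookie"] != cookie_for(chunk):
        problems.append("cookie 0x%02x != expected 0x%02x" % (hdr["cookie"], cookie_for(chunk)))
    if hdr["flags"] & FLAG_BUSY:
        problems.append("busy flag set on a chunk that sits on a FreeList")
    nxt = chunk + hdr["size"]
    if hdr["size"] == 0:
        problems.append("size is zero")
    elif snap.contains(nxt, 8) and read_header(snap, nxt)["prev"] != hdr["size"]:
        problems.append("next chunk's PreviousSize disagrees with this Size")
    entry = chunk + 8
    flink, blink = read_links(snap, entry)
    # Full unlink() validation: Flink->Blink and Blink->Flink must both point back at this entry.
    for name, ptr, back in (("Flink", flink, 1), ("Blink", blink, 0)):
        if not snap.contains(ptr, 8):
            problems.append("%s 0x%08x points outside the heap" % (name, ptr))
        elif read_links(snap, ptr)[back] != entry:
            problems.append("%s->%s != entry: unlink() would write through it" % (name, "Blink" if back else "Flink"))
    return problems


def walk_freelist(snap, head, limit=64):
    """Follow FreeList[n] from its head, mapping each chunk to its problems; stop at the first bad one."""
    report = {}
    entry = read_links(snap, head)[0]
    while entry != head and len(report) < limit:
        chunk = entry - 8
        if not snap.contains(chunk, 16):
            report[chunk] = ["list points at 0x%08x, outside the heap" % entry]
            break
        report[chunk] = validate_free_chunk(snap, chunk)
        if report[chunk]:
            break  # do not trust the links of a corrupted chunk
        entry = read_links(snap, entry)[0]
    return report


def put_chunk(snap, chunk, size, prev, busy):
    snap.write(chunk, HEADER.pack(size // UNIT, prev // UNIT, cookie_for(chunk), FLAG_BUSY if busy else 0, 0, 0))


def build_snapshot():
    """Constructed heap: FreeList[0] head in _HEAP, free chunks A (0x40) and B (0x100), busy neighbours."""
    heap = 0x00260000
    snap = Snapshot(heap, 0x10000)
    head = heap + FREELIST0_OFF
    a, b, busy = 0x0026fee8, 0x0026f000, 0x0026fec8
    put_chunk(snap, busy, 0x20, 0x20, True)      # busy chunk directly before A: 0x18 bytes of user data
    put_chunk(snap, a, 0x40, 0x20, False)
    put_chunk(snap, a + 0x40, 0x20, 0x40, True)
    put_chunk(snap, b, 0x100, 0x20, False)
    put_chunk(snap, b + 0x100, 0x20, 0x100, True)
    # FreeList[0] keeps its chunks sorted by size: head <-> A <-> B <-> head
    snap.write(head, LINKS.pack(a + 8, b + 8))
    snap.write(a + 8, LINKS.pack(b + 8, head))
    snap.write(b + 8, LINKS.pack(head, a + 8))
    return snap, head, a, b, busy


def overflow_into(snap, busy_chunk, payload):
    """Write payload into the busy chunk's user data; everything past 0x18 bytes lands on A's header."""
    snap.write(busy_chunk + 8, payload)


if __name__ == "__main__":
    snap, head, a, b, busy = build_snapshot()
    print("clean:", walk_freelist(snap, head))
    overflow_into(snap, busy, b"A" * 0x28)
    print("after overflow:", walk_freelist(snap, head))
```

Walking stops at the first chunk that fails a check, because once the header or the links of one chunk are corrupted nothing read through its Flink can be trusted; on the constructed snapshot a 0x28-byte overflow from the busy neighbour makes chunk A fail the cookie, busy-flag and unlink checks, and B is never reached.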
Chunk validation on ListHint[{0x7f,0x7ff}]:
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[0x7f] and ListHint[0x7ff]
Chunk validation on ListHint[n]:
-> Windows 7 LFH (size is encoded)
-> Checks ListHint[n]
Chunk validation on FreeList[0]:
-> Windows 2000/XP FreeList[0]
size, flink, blink pwned! Chunk overwrite!
Chunk validation on FreeList[n]:
-> Windows 2000/XP FreeList[n]
size, flink, blink pwned! Chunk overwrite!
Graphing:
We all know that little green men in the debugger can be hard to understand
Graphing: visualize the heap
Easy to use:
● Generates a specific menu based on the Windows version in use – no option to analyse the LFH if it doesn't exist
● Generates graphs for each bin size separately; generally for exploitation we target a specific bin size
● n-4 byte write simulation on function pointers, with the ability to restore those function pointers
● The ability to modify a single BIT in the FreeListInUse struct
● 'update' command for easily updating heaper
● 'config' command to configure the output directory of logs and graphs
● Everything is logged in a new "heaper" window
Installation
● Prerequisites:
  ● Immunity Debugger v1.85 and above
  ● Graphviz v2.28.0 and above - http://www.graphviz.org/
  ● Pyparsing - http://sourceforge.net/projects/pyparsing/
  ● PyDot - http://code.google.com/p/pydot/
1. Install Immunity Debugger :->
2. Add 'c:\python27' to your path environment
3. Run the Graphviz MSI packaged installer
4. Navigate into your pydot and pyparsing directories and execute 'python setup.py install'
5. Copy heaper to the 'C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\' directory
Using heaper
Usage and help menu
Run '!heaper help <cmd>' to learn about the cmd and its options
Analyzing Windows structs
Display the PEB structure
Display the TEBs for the process (no struct) – no TEB struct, boo
Analyze a _heap struct
Analyzing the FreelistInUse bitmask
Bit flipping
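A model of what the single-bit modification simulates, covering both the 'modify a single BIT in the FreeListInUse struct' feature and the bitmap-flip technique listed in the attack table. This is an added example written for this page, not heaper's code: the XP/2003 back-end keeps one bit per FreeList[n] in FreeListsInUseUlong[4], and the allocator consults the bitmap rather than the list itself when it picks a list to pop from. A flipped bit on an empty list therefore makes the allocator pop the list head, which lives inside the _HEAP structure, so the returned user pointer overlaps the heap's own bookkeeping. The _HEAP base, the FreeLists offset 0x178, the chunk addresses and the simplification of not updating the list after a pop are assumptions.

```python
FREELISTS_OFF = 0x178   # assumed _HEAP.FreeLists[128] offset; one 8-byte LIST_ENTRY per list
NLISTS = 128            # FreeList[0] holds large chunks; bits 1..127 track the fixed-size lists


class Heap:
    """Only the fields the bitmap attack touches: the 4 x 32-bit bitmap and each list head's Flink."""

    def __init__(self, base=0x00260000):
        self.base = base
        self.bitmap = [0, 0, 0, 0]                              # FreeListsInUseUlong[4]
        self.flink = {n: self.head(n) for n in range(NLISTS)}  # empty list: head points at itself

    def head(self, n):
        return self.base + FREELISTS_OFF + n * 8

    def is_set(self, n):
        return (self.bitmap[n // 32] >> (n % 32)) & 1 == 1

    def is_empty(self, n):
        return self.flink[n] == self.head(n)

    def flip_bit(self, n):
        """What heaper's single-bit modify simulates, and what a one-bit corruption achieves."""
        self.bitmap[n // 32] ^= 1 << (n % 32)

    def insert(self, n, chunk):
        """A freed chunk of n*8 bytes goes onto FreeList[n] and the allocator sets the bit alongside."""
        self.flink[n] = chunk + 8
        self.bitmap[n // 32] |= 1 << (n % 32)


def find_freelist(heap, index):
    """Allocator lookup: the first list at or above index whose bit is set (None means the FreeList[0] path)."""
    for n in range(max(index, 1), NLISTS):
        if heap.is_set(n):
            return n
    return None


def allocate(heap, index):
    """Pop the head entry of the chosen list; nothing checks that the list really holds a chunk."""
    n = find_freelist(heap, index)
    if n is None:
        return None
    entry = heap.flink[n]            # FreeListHead->Flink
    chunk = entry - 8                # CONTAINING_RECORD(entry, HEAP_FREE_ENTRY, FreeList)
    heap_end = heap.base + FREELISTS_OFF + NLISTS * 8
    return {"list": n, "chunk": chunk, "user_ptr": chunk + 8,
            "inside_heap_struct": heap.base <= chunk < heap_end}


def audit(heap):
    """Lists whose bit disagrees with their contents: the signature of a flipped bit."""
    return [n for n in range(1, NLISTS) if heap.is_set(n) != (not heap.is_empty(n))]
```

With chunks on FreeList[3] and FreeList[8], a request for index 5 is served from list 8 and audit() is clean; after flip_bit(5) the same request is served from the empty list 5 and the user pointer returned equals the address of FreeList[5]'s head inside _HEAP, which audit() flags as the one inconsistent list.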
Dumping function pointers
● Finds function pointers regardless of whether they are writable or not
● Deprecated and will be removed in the next major release
Finding writable pointers
● Similar to the dump function pointers routine, but executes the action across the whole module
● This can be executed against all modules
● As the name states, only writable function pointers, to facilitate a write-4 condition
● Don't be fooled, it doesn't just dump the IAT
● It can find OS-specific function pointers, making your exploit work regardless of the existence of application-specific function pointers
Use any of these to transfer code execution
Analyzing the allocator state NT 5.x
Lookaside - chunk analysis
● Easy to understand layout
● Displays the cookie, chunk size, flink
● Notification of an overwrite using the first byte in the chunk header (size)
● If userdata == flink, possible exploitation
Lookaside with verbose mode (-v)
● Displays the _general_lookaside_list struct
● Displays the _slist_header struct
● Instantly determine if a list itself has been overwritten
● Much like 'dt _general_lookaside_list <addr>' in windbg
Lookaside - graphing
Lookaside - vuln analysis
● Set (function pointer - 0x8) to be the new Lookaside chunk address
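The lookaside chunk analysis (size byte and Flink checks) and the vuln-analysis step above, on a constructed NT 5.x memory region. This is an added example written for this page, not heaper's code. The lookaside is a singly-linked list in which the head and the first dword of every free chunk's user data point at the next chunk's user data (chunk + 8), and RtlAllocateHeap pops the head entry without validating it. After an overflow from the busy chunk sets a free chunk's Flink to the address of a function pointer, the allocation after next returns that address as its user pointer, which is the slide's "function pointer - 0x8 becomes the new chunk address". The region base, the head slot, the chunk addresses, the function-pointer location and value, the bucket size and the cookie formula (chunk >> 3) & 0xff are assumptions.

```python
import struct

BASE = 0x00260000
MEM = bytearray(0x2000)                  # constructed heap region; nothing is read from a process
HEAD = BASE + 0x10                       # slot standing in for Lookaside[4].ListHead
CHUNK0, CHUNK1, CHUNK2 = BASE + 0x100, BASE + 0x120, BASE + 0x140   # 0x20-byte chunks (4 units)
FUNCPTR = BASE + 0x1800                  # hypothetical application function pointer inside the region
BUCKET_UNITS = 4                         # Lookaside[4] serves 0x20-byte chunks (size field in 8-byte units)


def u32(addr):
    return struct.unpack_from("<I", MEM, addr - BASE)[0]


def put(addr, data):
    MEM[addr - BASE:addr - BASE + len(data)] = data


def header(chunk):
    """Size, PreviousSize, cookie, Flags of the 8-byte _HEAP_ENTRY at chunk."""
    return struct.unpack_from("<HHBB", MEM, chunk - BASE)


def make_chunk(chunk, units, busy, flink=0):
    # Assumption: XP SP2 cookie is (chunk >> 3) & 0xff; Flags bit 0 marks a busy chunk.
    put(chunk, struct.pack("<HHBBBB", units, 0, (chunk >> 3) & 0xff, 1 if busy else 0, 0, 0))
    put(chunk + 8, struct.pack("<I", flink))


def setup():
    """Constructed state: CHUNK0 busy, CHUNK1 and CHUNK2 free on Lookaside[4], a fake target pointer."""
    MEM[:] = bytes(len(MEM))
    make_chunk(CHUNK0, BUCKET_UNITS, busy=True)
    make_chunk(CHUNK1, BUCKET_UNITS, busy=False, flink=CHUNK2 + 8)
    make_chunk(CHUNK2, BUCKET_UNITS, busy=False, flink=0)
    put(HEAD, struct.pack("<I", CHUNK1 + 8))           # head -> CHUNK1 -> CHUNK2 -> NULL
    put(FUNCPTR, struct.pack("<I", 0x00401230))        # hypothetical code address the program calls through


def looks_like_lookaside_chunk(entry, units):
    """A valid Flink names a chunk with this bucket's size and a correct cookie."""
    chunk = entry - 8
    if not BASE <= chunk < BASE + len(MEM) - 16:
        return False
    size, _prev, cookie, _flags = header(chunk)
    return size == units and cookie == (chunk >> 3) & 0xff


def analyze_lookaside(head, units, limit=32):
    """Walk the list and report (chunk, flink, problems) per entry; stop at the first corrupted one."""
    findings = []
    entry = u32(head)
    while entry and len(findings) < limit:
        chunk = entry - 8
        if not BASE <= chunk < BASE + len(MEM) - 16:
            findings.append((chunk, None, ["entry 0x%08x is outside the heap" % entry]))
            break
        problems = []
        size, _prev, cookie, _flags = header(chunk)
        if size != units:
            problems.append("size 0x%x != bucket 0x%x: header overwritten" % (size, units))
        if cookie != (chunk >> 3) & 0xff:
            problems.append("cookie mismatch")
        flink = u32(entry)
        if flink and not looks_like_lookaside_chunk(flink, units):
            problems.append("Flink 0x%08x is not a Lookaside chunk: the allocation after next returns it" % flink)
        findings.append((chunk, flink, problems))
        if problems:
            break
        entry = flink
    return findings


def lookaside_pop(head):
    """RtlAllocateHeap's fast path: pop the head entry and hand its address back as the user pointer."""
    entry = u32(head)
    if entry == 0:
        return None
    put(head, struct.pack("<I", u32(entry)))   # ListHead.Next = entry->Next, unvalidated
    return entry


def overflow_from_chunk0(flink):
    """Overflow CHUNK0's 0x18 bytes of user data: 8 bytes land on CHUNK1's header, then on its Flink."""
    put(CHUNK0 + 8, b"A" * 0x18 + b"A" * 8 + struct.pack("<I", flink))
```

On the clean state both chunks pass; after the overflow the walk stops at CHUNK1 with the size byte, the cookie and the Flink all flagged, and two pops show why: the first still returns CHUNK1's user data, the second returns FUNCPTR itself, so whatever the program writes into that "chunk" lands on the function pointer.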
FreeList - chunk analysis
FreeList with verbose mode (-v)
FreeList - graphing
FreeList - vuln analysis
Analyzing the allocator state NT 6.x
LFH - UserBlocks analysis
LFH - UserBlocksCache analysis
0:004> dt _USER_MEMORY_CACHE_ENTRY
ntdll!_USER_MEMORY_CACHE_ENTRY
   +0x000 UserBlocks : _SLIST_HEADER
   +0x008 AvailableBlocks : Uint4B
LFH - buckets
0:004> dt _heap_bucket
ntdll!_HEAP_BUCKET
   +0x000 BlockUnits : Uint2B
   +0x002 SizeIndex : UChar
   +0x003 UseAffinity : Pos 0, 1 Bit
   +0x003 DebugFlags : Pos 1, 2 Bits
LFH - graphing UserBlocks
LFH - vuln analysis
ListHint - analysis
FreeList - analysis
FreeList - graphing
FreeList/ListHint - vuln analysis
Hooking the heap manager
Hard hooking
● HeapAlloc/HeapFree
● Can be extended for other heap functions
● Discover primitives
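What "discover primitives" looks like once HeapAlloc/HeapFree are hooked: a pass over the call trace that reports which sizes the application both allocates and frees (the sizes you can drive from input for heap layout control), which addresses come straight back after a free (deterministic reuse), and frees that match no live allocation (double free or bogus free). This is an added example written for this page, not heaper's code, and the trace is constructed in this example's own line format, not heaper's log layout; the heap handle, flags, sizes and addresses in it are made up.

```python
import re
from collections import Counter

# Constructed trace in this example's own layout, not heaper's log format.
TRACE = """\
HeapAlloc(0x00260000, 0x0, 0x40) = 0x0026fee8
HeapAlloc(0x00260000, 0x0, 0x40) = 0x0026ff30
HeapAlloc(0x00260000, 0x8, 0x100) = 0x0026f000
HeapFree(0x00260000, 0x0, 0x0026fee8) = 1
HeapAlloc(0x00260000, 0x0, 0x40) = 0x0026fee8
HeapFree(0x00260000, 0x0, 0x0026f000) = 1
HeapFree(0x00260000, 0x0, 0x0026f000) = 1
HeapFree(0x00260000, 0x0, 0x00000bad) = 0
"""

LINE = re.compile(r"^(HeapAlloc|HeapFree)\((0x[0-9a-f]+),\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\)\s*=\s*(0x[0-9a-f]+|\d+)$",
                  re.I)


def parse(trace):
    """Yield (api, heap, flags, arg, ret) per line; arg is the size for HeapAlloc and the pointer for HeapFree."""
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            api, heap, flags, arg, ret = m.groups()
            yield api, int(heap, 16), int(flags, 16), int(arg, 16), int(ret, 0)


def analyze(trace):
    """Replay the trace and summarise the allocation behaviour an exploit could lean on."""
    live, freed = {}, {}                          # ptr -> size
    alloc_sizes, free_sizes = Counter(), Counter()
    reused, double_free, unknown_free = [], [], []
    for api, _heap, _flags, arg, ret in parse(trace):
        if api.lower() == "heapalloc":
            alloc_sizes[arg] += 1
            if ret in freed:
                reused.append((ret, arg))         # same address handed out again: predictable layout
                del freed[ret]
            live[ret] = arg
        elif arg in live:
            free_sizes[live[arg]] += 1
            freed[arg] = live.pop(arg)
        elif arg in freed:
            double_free.append(arg)               # freed twice without an allocation in between
        else:
            unknown_free.append(arg)              # never returned by HeapAlloc in this trace
    return {
        "alloc_sizes": dict(alloc_sizes),
        "primitives": sorted(s for s in alloc_sizes if free_sizes[s]),  # sizes the app both allocates and frees
        "live": live,
        "reused": reused,
        "double_free": double_free,
        "unknown_free": unknown_free,
    }


if __name__ == "__main__":
    for key, value in analyze(TRACE).items():
        print(key, value)
```

Sizes that show up in "primitives" are the ones worth wiring to an input field, since the application will both create and release chunks of that size on demand; the "reused" list tells you whether a freed slot comes back on the next request of the same size, which is what a lookaside or FreeList[n] pop produces and what a layout built around it depends on.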
Soft hooking
Use only for testing, not designed to be used with large applications
Patching - PEB
● A binary may be compiled in debug mode
● What if we are trying to execute a function pointer that assumes the process is not being debugged?
Updating
Update to the latest version with ease
The update function just generates a git hash and compares digests. There is no version tracking yet.
Configuring
Configure the home directory where graphs and logs are stored
Detecting exploitable conditions
● Detecting exploitable conditions can be very difficult and prone to many false positives.
● If you overwrite a specific chunk, then just due to the amount of data you overwrote with, it may or may not be deemed exploitable.
● Therefore understanding the limitations of each of the conditions is required for accurate analysis.
LFH – FreeEntryOffset Overwrite
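For the FreeEntryOffset overwrite named above, an added model of the NT 6.0/6.1 LFH free chain, written for this page rather than taken from heaper, and based on public descriptions of the Windows 7 LFH: every free chunk inside a UserBlocks block keeps the next free chunk's FreeEntryOffset, counted in 8-byte units from the start of UserBlocks, in the first USHORT of its user data, and the allocator pops that value into the subsegment without checking that it still names a chunk in the subsegment. The check heaper would need is the one audit_free_chain() performs. The UserBlocks address, the 0x10-byte _HEAP_USERDATA_HEADER, the chunk size and count, and the overflow payload are assumptions; header encoding is left out because only the offset word matters here.

```python
import struct

BASE = 0x02a00000            # constructed address of a UserBlocks block
MEM = bytearray(0x1000)      # constructed memory; nothing is read from a process
USERDATA_HDR = 0x10          # assumed _HEAP_USERDATA_HEADER size on 32-bit Windows 7
UNIT = 8


def rd16(addr):
    return struct.unpack_from("<H", MEM, addr - BASE)[0]


def wr16(addr, value):
    struct.pack_into("<H", MEM, addr - BASE, value)


def build_subsegment(block_units, count):
    """Fresh subsegment: every chunk free, chained by ascending FreeEntryOffset."""
    MEM[:] = bytes(len(MEM))
    for i in range(count):
        chunk = BASE + USERDATA_HDR + i * block_units * UNIT
        wr16(chunk + 8, (chunk - BASE) // UNIT + block_units)   # next free = the following chunk
    return {"userblocks": BASE, "block_units": block_units, "count": count,
            "free_entry_offset": USERDATA_HDR // UNIT, "depth": count}


def lfh_allocate(seg):
    """Pop: chunk = UserBlocks + FreeEntryOffset*8; the new FreeEntryOffset is read out of that chunk."""
    if seg["depth"] == 0:
        return None
    chunk = seg["userblocks"] + seg["free_entry_offset"] * UNIT
    seg["free_entry_offset"] = rd16(chunk + 8)      # no bounds check on NT 6.0/6.1
    seg["depth"] -= 1
    return chunk + 8                                 # user pointer


def lfh_free(seg, user_ptr):
    """Push: the freed chunk stores the old FreeEntryOffset and becomes the new one."""
    wr16(user_ptr, seg["free_entry_offset"])
    seg["free_entry_offset"] = (user_ptr - 8 - seg["userblocks"]) // UNIT
    seg["depth"] += 1


def audit_free_chain(seg):
    """Follow the chain Depth steps and report the first offset that cannot name a chunk of this subsegment."""
    first = USERDATA_HDR // UNIT
    end = first + seg["count"] * seg["block_units"]
    seen, off = set(), seg["free_entry_offset"]
    for _ in range(seg["depth"]):
        if not first <= off < end:
            return ["FreeEntryOffset 0x%x is outside UserBlocks: next allocation returns 0x%08x"
                    % (off, seg["userblocks"] + off * UNIT + 8)]
        if (off - first) % seg["block_units"]:
            return ["FreeEntryOffset 0x%x is not on a chunk boundary" % off]
        if off in seen:
            return ["FreeEntryOffset 0x%x repeats: the chain loops" % off]
        seen.add(off)
        off = rd16(seg["userblocks"] + off * UNIT + 8)
    return []


def overflow(user_ptr, payload):
    """Attacker-controlled write starting at a busy chunk's user data (constructed)."""
    MEM[user_ptr - BASE:user_ptr - BASE + len(payload)] = payload


if __name__ == "__main__":
    seg = build_subsegment(4, 8)
    p0 = lfh_allocate(seg)
    overflow(p0, b"A" * 0x20 + struct.pack("<H", 0x1f0))
    print(audit_free_chain(seg))
    print(hex(lfh_allocate(seg)), hex(lfh_allocate(seg)))
```

With eight 0x20-byte chunks, the first allocation returns chunk 0; a 0x22-byte overflow from it clobbers chunk 1's header and its offset word. The audit catches the bogus offset before it is consumed, while the unpatched pop hands out chunk 1 normally and then an address 0x1f0*8 bytes from UserBlocks that the attacker chose.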
FreeList/ListHint – No technique suggestion*
● No techniques for exploitation against the FreeList/ListHint under Windows NT 6.x have been disclosed publicly so far.
Lookaside – chunk overwrite
FreeList[n] – Bitflip attack
Demo - MS12-037
Limitations
● Does not analyze LFH on XP
● Does not analyze LFH on Windows 8
● Supports only a limited number of meta-data attacks for now
● Does not log analysis findings external to the debugger
● Needs a decent heap search function
● Needs to support other heap implementations
Future work
● Support LFH analysis on Windows 8
● Support other heap manager implementations (jemalloc)
● Support more meta-data attacks
● Perform log analysis
● Detect 'interesting' application data on the heap
● Add a decent search function
● Improve the heuristics engine
Conclusion
● Run-time analysis of the heap to detect meta-data attack conditions is complex
● Some form of solver may be more applicable to this type of analysis :->
● Whilst heaper is not Turing complete, it will solve many corner cases
● Immunity will continue to be a leader in the development and application of heap exploitation techniques
Thanks! You know who you are ;-)
Code design/improvements/patches/ideas are very welcome :>
[email protected]
For more information please execute:
$ git clone https://github.com/mrmee/heaper.git
$ wget -r http://net-ninja.net/
MIAMI