General Notes About Exploiting Windows X64

Transcription

General notes about exploiting Windows x64
Sebastian Fernandez
sebastian@immunityinc.com
Security Research

Who am I?
- Security researcher at Immunity Inc.
  - Exploit development for CANVAS
  - Ported many parts of CANVAS to Windows x64 (shellcodes, backdoors and other "things")
  - Researching x64 exploitation techniques

x64, what are you talking about?
- x64 (formally x86_64) is an architecture extending the 32-bit x86 arch with more registers, instructions and memory range.
- Most of the PCs sold over the last few years are based on this arch, so most likely your computer supports x64 OSs.
- Most software companies have ported their operating system to the platform. Microsoft also did it!
  - No, not really.
- Windows XP, 2003, Vista, 2008 and 7 have ports for this arch.

Why research x64?
- Kernel works entirely on 64 bits.
- Remote/local exploitation of services.
- Most likely new bugs have been introduced while porting the system.

Client side in the 64-bit age
- IE x64 is not the default, but it is still available to use.
- When Adobe launches a 64-bit Flash version in their next major release, IE x64 could become the default.

Windows 64
- Services run in 64 bits.
- Most applications still don't.
- IE and WMP are ported to x64, but by default the 32-bit ones are launched.

Windows applications

                 32-bit             64-bit
  Services       -                  IIS, locals, etc
  Win clients    IE, WMP            -
  Third-party    Adobe, Firefox     -

Windows 64 internals
- Native 64-bit, with support for 32-bit applications through the WOW64 subsystem.
- No more Ntvdm; 16-bit applications are unsupported.
- Fastcall calling convention.

Windows 64 (process layering)

  ntoskrnl (64 bits)
  ntdll (64 bits)            WOW64 ntdll (64 bits)
  native 64-bit dlls         ntdll (32 bit)
  64-bit applications        32-bit dlls
                             32-bit applications

WOW64
- Windows on Windows 64:
  - Abstraction layer to run 32-bit applications on a 64-bit OS.
  - Patches many ntdll functions for syscall compatibility.
  - Redirects registry access.
  - Environment variables.
  - Switches context to 32 bits.

Wow64 ProcessInit (disassembly excerpt)

  .text:0000000078BE73C3      call    MapNtdll32              ; loads ntdll from windows/syswow64/
  ...
  MapNtdll32:
  .text:0000000078BE7E83      mov     cs:NtDll32Base, ebp
  .text:0000000078BE7E8B      mov     [rsp+518h+var_498], rbp
                              mov     [rsp+518h+var_490], rbp
  ...
  .text:0000000078BE7FAE
  .text:0000000078BE7FAE loc_BE7FF6:                         ; CODE XREF: MapNtdll32+200j
                                                              ; MapNtdll32+334j
                              mov     eax, dword ptr [rsp+518h+var_498]
                              mov     cs:NtDll32Base, eax
                              mov     eax, ds:7FFE0334h       ; 7FFE0000h is the shared user data page
                              mov     cs:Ntdll32LoaderInitRoutine, eax
                              mov     eax, ds:7FFE0338h
                              mov     cs:Ntdll32KiUserExceptionDispatcher, eax
                              mov     eax, ds:7FFE033Ch
                              mov     cs:Ntdll32KiUserApcDispatcher, eax
                              mov     eax, ds:7FFE0340h
                              mov     cs:Ntdll32KiUserCallbackDispatcher, eax
                              mov     eax, ds:7FFE0344h
                              mov     cs:dword_78C1FD98, eax

Stdcall calling convention
- Each argument is pushed onto the stack right-to-left.
- Return value is in eax.
- Stack aligned to 32 bits.
- Callee cleans the stack.

Fastcall calling convention
- First 4 arguments are passed in RCX, RDX, R8 and R9.
- The rest of the arguments are pushed onto the stack.
- Shadow space must be reserved on the stack for the arguments that were passed in registers.
- 128-bit stack alignment.

After a call on stdcall

  int function(arg1, arg2, arg3, arg4, arg5, arg6);
  ...
  push arg6
  push arg5
  push arg4
  push arg3
  push arg2
  push arg1
  call function
  ...

  Stack (top to bottom):
  RET ADDRESS
  1st arg
  2nd arg
  3rd arg
  4th arg
  5th arg
  6th arg

After a call on fastcall

  Stack (top to bottom, 128-bit aligned):
  RET ADDRESS
  Shadow space   (RCX: 1st arg, RDX: 2nd arg, R8: 3rd arg, R9: 4th arg)
  5th arg
  6th arg
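The two stack pictures above are drawn for a six-argument call. The following Python, added here as an example and not part of the original slides, generalizes them to any number of integer/pointer arguments: it produces the callee's view of the stack right after CALL for x86 stdcall and for the Windows x64 convention (register arguments, 32-byte shadow space, 16-byte/128-bit alignment), and computes how much the caller must reserve so that RSP is still aligned at the CALL. The function and register names are the slides' own; the frame descriptions are this example's.

```python
# Added example: compute the "after a call" stack layouts the slides draw,
# for an arbitrary argument count.  Sizes follow the conventions described
# on the slides: x86 stdcall uses 4-byte slots and the callee cleans up;
# Windows x64 passes the first four args in RCX/RDX/R8/R9, reserves a
# 32-byte shadow space and keeps RSP 16-byte (128-bit) aligned at CALL.

X64_REG_ARGS = ("RCX", "RDX", "R8", "R9")
SHADOW_SPACE = 32      # 4 slots * 8 bytes, always reserved by the caller
X64_ALIGN = 16         # RSP must be a multiple of 16 when CALL executes


def stdcall_frame(nargs):
    """Callee's view right after CALL on x86 stdcall: (offset from ESP, what)."""
    frame = [(0, "return address")]
    # Args are pushed right-to-left, so arg1 ends up nearest the return address.
    for i in range(nargs):
        frame.append((4 + 4 * i, f"arg{i + 1}"))
    return frame


def stdcall_cleanup_bytes(nargs):
    """Bytes removed by the callee's RET imm16 (the 'callee cleans stack' rule)."""
    return 4 * nargs


def fastcall_register_args(nargs):
    """Registers carrying arguments for an nargs-argument x64 call."""
    return [(X64_REG_ARGS[i], f"arg{i + 1}") for i in range(min(nargs, 4))]


def fastcall_frame(nargs):
    """Callee's view right after CALL on Windows x64: (offset from RSP, what).
    Register args are not on the stack; only their shadow slots are, which
    the callee may use to spill RCX..R9."""
    frame = [(0, "return address")]
    for i in range(4):
        what = f"shadow slot for {X64_REG_ARGS[i]}"
        if i < nargs:
            what += f" (arg{i + 1})"
        frame.append((8 + 8 * i, what))
    # 5th and later args sit above the shadow space, 8 bytes each.
    for i in range(4, nargs):
        frame.append((8 + SHADOW_SPACE + 8 * (i - 4), f"arg{i + 1}"))
    return frame


def fastcall_caller_reservation(nargs):
    """Bytes the caller subtracts from an already 16-byte-aligned RSP before
    CALL: shadow space plus stack args, rounded up so alignment survives.
    This is the step shellcode must not skip (see the alignment warning on
    the 64-bit shellcode slide)."""
    needed = SHADOW_SPACE + 8 * max(0, nargs - 4)
    return (needed + X64_ALIGN - 1) // X64_ALIGN * X64_ALIGN


def aligned_for_call(rsp):
    """True if RSP satisfies the 128-bit alignment rule at the CALL instruction."""
    return rsp % X64_ALIGN == 0


def render(frame):
    """Pretty-print a frame top-down, the way the slides draw it."""
    return "\n".join(f"[+{off:#04x}] {what}" for off, what in frame)


if __name__ == "__main__":
    print("stdcall, 6 args:\n" + render(stdcall_frame(6)))
    print("\nfastcall, 6 args:\n" + render(fastcall_frame(6)))
    print("\ncaller reserves", fastcall_caller_reservation(6), "bytes")
```

Running it reproduces the six-argument pictures: on x64 the 5th argument is at RSP+0x28 and the 6th at RSP+0x30, and a six-argument call needs a 48-byte reservation (32 shadow + 16 for two stack args), whereas a five-argument call also needs 48 because 40 is not a multiple of 16.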

Calling convention
- Shellcoding is easier: less usage of the stack.
- Harder to make ret2libc exploits.

Shellcoding

Shellcode 32 bits on Win64
- Can detect the WOW64 environment using the IsWow64Process function.
- Be aware of not using direct syscalls.
- Other things are basically the same, as WOW64 sets up a friendly environment for running almost any 32-bit code.

Shellcodes 64 bits on Win64
- Much cleaner, since the x64 arch lets you reference RIP (the instruction pointer).
- Don't need to use the stack (usually), but be aware of 128-bit alignment and shadow space.
- Smaller shellcodes, because arguments are kept in registers and half of them are restored by the called functions.

x86 referencing

  shellcode_init:
      jmp get_str
  return_str:
      pop ebx               ; get the address from the stack
      ...
  get_str:
      call return_str
      .string "c:\calc.exe"

Ugly code
Everybody writes ugly code:

  char *str = "string";
  char *new_str = strcpy(malloc(strlen(str) + 1), str);

But...

x64 referencing
You don't feel as ugly when writing shellcodes for x64.

  init_shellcode:
      lea rcx, qword ptr [rel the_str]   ; reference the address using RIP as base
      ...
  the_str:
      .string "c:\calc.exe"

Exploiting

Problems when exploiting
- "Classic" security measures: ASLR, DEP, stack and heap protections.
- All addresses contain at least 2 zero bytes.
- Calling convention.

ASLR
- Microsoft first implemented it on Windows Vista.
- Application/module needs the base-dynamic flag to be set at compilation time.
- Always enabled on system services.
- IE has enabled full ASLR since version 8.

Defeating ASLR
- Search for non address-randomized modules.
- No common technique.
- We need an info leak per exploit to defeat data randomization.
- IE8 gives us the opportunity to guess the base address 2 times before warning that someone is hacking us :).

DEP
- No executable data sections (stack, heap, etc).
- No direct ret2libc because of the calling convention.
- DEP is enabled automatically on all 64-bit applications.
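The ASLR slides say a module is only randomized if it was built with the base-dynamic flag, and that the first thing to look for is a module without it; the DEP slide adds the second per-image flag. Both live in the PE optional header's DllCharacteristics field, so the audit a defender (or a hardening review) runs is a header check over every loaded module. The Python below is an example added here, not code from the slides or from Immunity: it parses the PE headers from bytes, reports the DYNAMIC_BASE (/DYNAMICBASE) and NX_COMPAT (/NXCOMPAT) bits, and lists the modules that would load at a fixed base. The sample images are constructed in the block (minimal headers only, not real binaries).

```python
# Added example: audit PE images for the ASLR and DEP opt-in flags the
# slides refer to.  Flag values and header offsets are from the PE/COFF
# specification; the sample images below are constructed for this example.
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF spec)
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR; introduced after this talk's era (Windows 8)
DYNAMIC_BASE = 0x0040      # /DYNAMICBASE: image is relocatable, so ASLR applies
NX_COMPAT = 0x0100         # /NXCOMPAT: image declares itself DEP-compatible
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigation_flags(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers of a PE image and report its flags."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics is at optional-header offset 70 for both PE32 and PE32+
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def fixed_base_modules(modules: dict) -> list:
    """Given {module name: image bytes}, return the names that are NOT
    relocatable, i.e. the modules an ASLR audit should flag first."""
    return sorted(name for name, blob in modules.items()
                  if not pe_mitigation_flags(blob)["dynamic_base"])


def build_test_pe(machine: int, magic: int, dll_chars: int) -> bytes:
    """Constructed minimal PE header for this example (headers only, no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature at 0x40
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224    # standard optional header sizes
    # Characteristics 0x2022: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample set: one hardened x64 DLL, one legacy x86 DLL without /DYNAMICBASE.
    samples = {
        "hardened.dll": build_test_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, DYNAMIC_BASE | NX_COMPAT),
        "legacy.dll": build_test_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, 0),
    }
    for name, blob in samples.items():
        print(name, pe_mitigation_flags(blob))
    print("fixed-base modules:", fixed_base_modules(samples))
```

To audit a real process, read each loaded module's file from disk (or its mapped headers) and feed the bytes to pe_mitigation_flags; a module listed by fixed_base_modules is exactly the "non address-randomized module" the next slide talks about, and a 64-bit image without NX_COMPAT only stays DEP-protected because the OS forces DEP on 64-bit processes regardless of the flag.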

DEP bypass
- Build the stack with addresses and arguments.
- Use ROP to pop arguments from the stack:
  - POP / RET multiple times
  - POP / trash code / RET
  - Other ways to assign the data on the stack
- Ret2libc.

DEP bypass: ROP

  EIP -> Prepare stack -> RET -> Prepare registers (pop / ret) -> Call function

DEP bypass: ROP

  Top of stack when EIP is pointing to a RET instruction:
  POP RCX / RET
  RCX value
  POP RDX / RET
  RDX value
  POP R8 / RET
  R8 value
  POP R9 / RET
  R9 value
  Function addr.

2 zero bytes on addresses
- Typical dll base address: 000007FF:XXXXXXXX
- Implies a NULL unicode char
  - Will prevent any wstrcpy/strcpy from being completed
  - On client-side exploits, when converting from BSTR to C strings, it will cut the string down to the first null

Overwrite less

  Dll start address:  000007FF
  Offset:             XXXXXXXX

Client side use-after-free
- Very common vulnerability:
  - Aurora (MS10-002)
  - iepeers setAttribute (MS10-018)
  - CFunctionPointer (MS09-002)
- Exploited by replacing freed objects while references to them are still maintained.

Client side use-after-free

  ; function referencing from an object
  ; our object is in rcx
  mov  rdx, qword ptr [rcx]     ; get vtable
  call qword ptr [rdx+8]        ; call the function from the vtable

Client side use-after-free

  Freed object -> vtable: Function1, Function2, Function3, Function4, Function5

Client side use-after-free

  Fake object in place of the freed one: XXXXXXXXXXXXXXX

Use-after-free (x86)
- Transform javascript strings into C strings for filling the vtable.
  - UnicodeStr( unescape("%u0d0d%u0d0d...") )
  - cstring "\x0d\x0d\x0d\x0d\x..\x..\x00\x00"
- Use heap spray techniques to create the vtable functions in memory and align it.

Use-after-free (x64)
- There is no way to transform javascript strings containing nulls into C strings:
  - UnicodeStr( unescape("%u0d0d%u0d0d%u0000%u0000...") )
  - cstring "\x0d\x0d\x0d\x0d\x00\x00"
- Need to load binary data into memory to replace the freed objects.
- Heap spray to create functions in memory (using conventional heap spray).
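The "2 zero bytes on addresses", "Overwrite less" and the two use-after-free string slides all turn on the same byte-level fact: a canonical x64 user-mode pointer such as 000007FF:XXXXXXXX ends in two zero bytes once stored little-endian, and every C-string or wide-string copy stops at the first null. The Python below, an example added here and not part of the original slides, makes that concrete: it decodes a JavaScript unescape()-style string into the UTF-16LE bytes the engine stores, models what strcpy-style and wcscpy/BSTR-style copies deliver, checks whether a 32-bit or 64-bit pointer survives such a copy, and shows why a partial (low-dword) overwrite leaves the high zero bytes untouched. All sample values are constructed; the 0x0d0d0d0d and 000007FF values are the ones the slides use.

```python
# Added example: why two high zero bytes in x64 pointers break string-based
# copies, and what a JavaScript unescape() string turns into as a C string.
import struct


def js_unescape_to_utf16le(js: str) -> bytes:
    """Decode a JavaScript unescape()-style string ("%uXXXX" code units,
    other characters taken literally) into the UTF-16LE bytes a JS engine
    stores for it.  A %u0000 unit becomes two NUL bytes."""
    out = bytearray()
    i = 0
    while i < len(js):
        if js.startswith("%u", i) and i + 6 <= len(js):
            out += struct.pack("<H", int(js[i + 2:i + 6], 16))
            i += 6
        else:
            out += js[i].encode("utf-16-le")
            i += 1
    return bytes(out)


def as_c_string(buf: bytes) -> bytes:
    """What a strcpy()-style copy delivers: bytes before the first NUL byte."""
    return buf.split(b"\x00", 1)[0]


def as_wide_c_string(buf: bytes) -> bytes:
    """What a wcscpy()/BSTR-to-wide-string copy delivers: code units before
    the first NUL wchar (an aligned 00 00 pair)."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i:i + 2] == b"\x00\x00":
            return buf[:i]
    return buf


def pointer_bytes(addr: int, bits: int) -> bytes:
    """Little-endian encoding of a pointer as it sits in memory."""
    return struct.pack("<I" if bits == 32 else "<Q", addr)


def survives_string_copy(addr: int, bits: int) -> bool:
    """True if no byte of the encoded pointer is NUL, i.e. an ASCII strcpy
    would copy it whole.  Every canonical x64 user-mode pointer fails this."""
    return b"\x00" not in pointer_bytes(addr, bits)


def overwrite_low_dword(ptr: int, new_low: int) -> int:
    """The 'overwrite less' slide: only the low 32 bits of a 64-bit pointer
    are replaced, so the 000007FF... high part (where the NULs live) is
    never touched by the copy.  This is why module base randomization in
    the low bits matters more than the fixed high bits suggest."""
    return (ptr & ~0xFFFFFFFF) | (new_low & 0xFFFFFFFF)


if __name__ == "__main__":
    x86 = js_unescape_to_utf16le("%u0d0d%u0d0d")
    x64 = js_unescape_to_utf16le("%u0d0d%u0d0d%u0000%u0000")
    print("x86 pattern as C string:", as_c_string(x86))    # all 4 bytes survive
    print("x64 pattern as C string:", as_c_string(x64))    # cut at the first %u0000
    print("0x000007FF12345678 in memory:", pointer_bytes(0x000007FF12345678, 64).hex())
    print("survives strcpy?", survives_string_copy(0x000007FF12345678, 64))
    print("low-dword overwrite:", hex(overwrite_low_dword(0x000007FF12345678, 0x0d0d0d0d)))
```

The decoder is the general form of the UnicodeStr(unescape(...)) transform on the slides: it handles any mix of %uXXXX units and literal characters, not only the 0d0d pattern, and as_wide_c_string is the BSTR case where the cut happens at an aligned NUL pair rather than a single NUL byte.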

Tools for Windows x64
- Windbg.
- WinAppDbg.
- MOSDEF x64.
- IDA64 / IDAPython64.
- Next: Immunity Debugger.

The Future
- Look for more interesting bug classes in ported applications.
- The next Windows version release will run all the 64-bit applications by default.
  - Those who don't ramp up now will be left behind!

Questions?

Thank you for your time
Contact me at: sebastian@immunityinc.com
Security Research Team
