Let your Mach-O fly

    Vincenzo Iozzo
 snagg@sikurezza.org
03/08/2010




             Who am I?
• Student at Politecnico di Milano.
• Security Consultant at Secure Network
  srl.
• Reverse Engineer at Zynamics GmbH.








          Goal of the talk


In-memory execution of arbitrary binaries
  on a Mac OS X machine.








              Talk outline
•   Mach-O file structure
•   XNU binary execution
•   Attack technique
•   Defeat ASLR on libraries to enhance
    the attack











               Mach-O file
• Header structure: information on the target
  architecture and options to interpret the file.
• Load commands: symbol table location,
  registers state.
• Segments: define regions of virtual memory and
  contain sections with code or data.








Segment and Sections
                        segment     section
  Virtual address       0x1000      0x1d54
  Virtual memory size   0x1000      0x275
  File offset           0x0         0xd54
  File size             0x1000







       Important segments
• __PAGEZERO, if a piece of code dereferences
  NULL it lands here. No protection flags.
• __TEXT, holds code and read-only data. RX
  protection.
• __DATA, holds data. RW protection.
• __LINKEDIT, holds information for the
  dynamic linker including symbol and string
  tables. RW protection.





Mach-O representation








              Talk outline
•   Mach-O file structure
•   XNU binary execution
•   Attack technique
•   Defeat ASLR on libraries to enhance
    the attack







         Binary execution
• Conducted by the kernel and the
  dynamic linker.
• The kernel, when it finishes its part,
  jumps to the dynamic linker entry point.
• The dynamic linker is not randomized.






              Execution steps
Kernel:
• Maps the dynamic linker in the process address space.
• Parses the header structure and loads all segments.
• Creates a new stack.
Dynamic linker:
• Retrieves the base address of the binary.
• Resolves symbols.
• Resolves library dependencies.
• Jumps to the binary entry point.








                  Stack
•   Mach-O file base address.
•   Command line arguments.
•   Environment variables.
•   Execution path.
•   All padded.







Stack representation








              Talk outline
•   Mach-O file structure
•   XNU binary execution
•   Attack technique
•   Defeat ASLR on libraries to enhance
    the attack







         Proposed attack
• Userland-exec attack.
• Encapsulate a shellcode, aka auto-loader,
  and a crafted stack in the injected binary.
• Execute the auto-loader in the address
  space of the attacked process.






                 WWW
• Who: an attacker with a remote code
  execution in his pocket.
• Where: the attack is two-staged. First
  run a shellcode to receive the binary,
  then run the auto-loader contained in
  the binary.
• Why: later in this talk.





 What kind of binaries?

Any Mach-O file, from ls to Safari








A nice picture








           Infected binary
• We need to find a place to store the
  auto-loader and the crafted stack.
• __PAGEZERO infection technique.
• Cavity infector technique.








  __PAGEZERO INFECTION
• Change __PAGEZERO protection flags
  with a custom value.
• Store the crafted stack and the auto-loader
  code at the end of the binary.
• Point __PAGEZERO to the crafted
  stack.
• Overwrite the first bytes of the file with
  the auto-loader address.
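To make the segment layout from the Mach-O slides and the __PAGEZERO fields that the infection technique above modifies concrete, here is an added example in C that is not part of the talk or the author's tool: it walks the load commands of a constructed 32-bit Mach-O image, lists its segments, and flags a __PAGEZERO whose protection, address or file size is not zero. The struct layouts are the public ones from <mach-o/loader.h>, re-declared so the program builds on any host; the sample image (apart from the numbers taken from the segment/section slide), the tampered variant and the function names are assumptions of this example.

```c
/* Added example, not code from the talk: a minimal 32-bit Mach-O load-command walker
 * plus a __PAGEZERO sanity check. Struct layouts match <mach-o/loader.h> but are
 * re-declared so it builds off macOS; a little-endian host is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC        0xfeedface   /* 32-bit Mach-O magic */
#define LC_SEGMENT      0x1
#define VM_PROT_READ    0x1
#define VM_PROT_WRITE   0x2
#define VM_PROT_EXECUTE 0x4

struct mach_header  { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command {   /* 56 bytes; nsects section headers follow it inside cmdsize */
    uint32_t cmd, cmdsize; char segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize; int32_t maxprot, initprot; uint32_t nsects, flags;
};
struct seg_info { char name[17]; uint32_t vmaddr, vmsize, fileoff, filesize; int32_t initprot; };

/* Walk the load commands and copy every LC_SEGMENT into out[]. Returns the segment count,
 * or -1 if the image is malformed (bad magic, a command running past the buffer, more
 * segments than out[] holds). Every read is bounds-checked against len first. */
int list_segments(const uint8_t *buf, size_t len, struct seg_info *out, int max)
{
    struct mach_header mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, buf, sizeof mh);
    if (mh.magic != MH_MAGIC) return -1;
    size_t off = sizeof mh, end = off + mh.sizeofcmds;
    if (end > len) return -1;
    int n = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || off + lc.cmdsize > end) return -1;
        if (lc.cmd == LC_SEGMENT && lc.cmdsize >= sizeof(struct segment_command)) {
            struct segment_command sc;
            if (n == max) return -1;
            memcpy(&sc, buf + off, sizeof sc);
            memcpy(out[n].name, sc.segname, 16); out[n].name[16] = '\0';
            out[n].vmaddr = sc.vmaddr; out[n].vmsize = sc.vmsize; out[n].fileoff = sc.fileoff;
            out[n].filesize = sc.filesize; out[n].initprot = sc.initprot;
            n++;
        }
        off += lc.cmdsize;   /* skips any section headers along with the command */
    }
    return n;
}

/* __PAGEZERO should be a guard page at address 0 with no protection and no file backing.
 * Count the fields that say otherwise: these are the fields the __PAGEZERO infection
 * on the slide above rewrites, so a nonzero count deserves a closer look at the file. */
int pagezero_anomalies(const struct seg_info *segs, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(segs[i].name, "__PAGEZERO") == 0)
            bad += (segs[i].vmaddr != 0) + (segs[i].initprot != 0) + (segs[i].filesize != 0);
    return bad;
}

static void put_seg(uint8_t *p, const char *name, uint32_t vmaddr, uint32_t vmsize,
                    uint32_t fileoff, uint32_t filesize, int32_t prot)
{
    struct segment_command sc = { LC_SEGMENT, sizeof(struct segment_command), {0},
                                  vmaddr, vmsize, fileoff, filesize, prot, prot, 0, 0 };
    memcpy(sc.segname, name, strlen(name));   /* every name used here is under 16 bytes */
    memcpy(p, &sc, sizeof sc);
}

/* Constructed sample image: header, __PAGEZERO, __TEXT (RX, the numbers from the
 * segment/section slide) and __DATA (RW). With tampered != 0 the __PAGEZERO command gets
 * RW protection and a file mapping at the end of the file. Returns the image size. */
size_t build_sample(uint8_t *buf, size_t cap, int tampered)
{
    size_t cmds = 3 * sizeof(struct segment_command), need = sizeof(struct mach_header) + cmds;
    if (cap < need) return 0;
    struct mach_header mh = { MH_MAGIC, 7 /* CPU_TYPE_X86 */, 3, 2 /* MH_EXECUTE */, 3, (uint32_t)cmds, 0 };
    memcpy(buf, &mh, sizeof mh);
    uint8_t *p = buf + sizeof mh;
    if (tampered) put_seg(p, "__PAGEZERO", 0, 0x1000, 0x5000, 0x1000, VM_PROT_READ | VM_PROT_WRITE);
    else          put_seg(p, "__PAGEZERO", 0, 0x1000, 0, 0, 0);
    put_seg(p += sizeof(struct segment_command), "__TEXT", 0x1000, 0x1000, 0, 0x1000, VM_PROT_READ | VM_PROT_EXECUTE);
    put_seg(p += sizeof(struct segment_command), "__DATA", 0x2000, 0x1000, 0x1000, 0x1000, VM_PROT_READ | VM_PROT_WRITE);
    return need;
}

/* Build the sample, walk it and return its anomaly count (-1 if the walker rejects it). */
int sample_anomalies(int tampered)
{
    uint8_t img[256]; struct seg_info segs[8];
    int n = list_segments(img, build_sample(img, sizeof img, tampered), segs, 8);
    return n < 0 ? -1 : pagezero_anomalies(segs, n);
}

int main(void)
{
    printf("clean image: %d __PAGEZERO anomalies, tampered image: %d\n", sample_anomalies(0), sample_anomalies(1));
    return 0;
}
```

Build with `cc -std=c11 -Wall macho_check.c`: the clean sample reports no anomalies, the tampered one reports two (nonzero protection and nonzero file size). On a real file the same two functions run over the bytes read from disk; fat binaries and 64-bit images (MH_MAGIC_64 with LC_SEGMENT_64) use different header and command layouts, which this walker rejects as bad magic rather than misparsing.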




Binary layout








            Auto-loader
• Impersonates the kernel.
• Un-maps the old binary.
• Maps the new one.








    Auto-loader description
• Parses the binary.
• Reads the virtual addresses of the
  injected binary segments.
• Unloads the attacked binary segments
  pointed to by those virtual addresses.
• Loads the injected binary segments.






   Auto-loader description(2)
• Maps the crafted stack referenced by
  __PAGEZERO.
• Cleans registers.
• Cleans some libSystem variables.
• Jumps to dynamic linker entry point.







We do like pictures, don’t we?
 Victim’s process address space (figure): two rows of
 segments, TEXT, DATA, LINKEDIT, ..., SEGMENT-N.








         libSystem variables
•   _malloc_def_zone_state
•   _NXArgv_pointer
•   _malloc_num_zones
•   __keymgr_global







    Why are those variables
          important?
• They are used in the initialization of
  malloc.
• Two of them are used for command line
  arguments parsing.
• Not cleaning them will result in a crash.







        Hunt the variables
• Mac OS X Leopard has ASLR for
  libraries.
• Those variables are not exported.
• The dlopen()/dlsym() combo cannot be used.








              Talk outline
•   Mach-O file structure
•   XNU binary execution
•   Attack technique
•   Defeat ASLR on libraries to enhance
    the attack







           Defeat ASLR
• Retrieve libSystem in-memory base
  address.
• Read symbols from the libSystem
  binary.
• Adjust symbols to the new address.







 How ASLR works in Leopard
• Only libraries are randomized.
• The randomization is performed
  whenever the system or the libraries are
  updated.
• Library segment addresses are saved
  in dyld_shared_cache_arch.map.






  Retrieve libSystem address
• Either parse dyld_shared_cache_i386.map and
  search for the libSystem entry,
• or adopt functions exported by the dynamic
  linker and perform the whole task in-memory.








           Dyld functions
• _dyld_image_count() used to retrieve the
  number of linked libraries of a process.
• _dyld_get_image_header() used to retrieve
  the base address of each library.
• _dyld_get_image_name() used to retrieve
  the name of a given library.







               Find ‘em
• Parse dyld load commands.
• Retrieve __LINKEDIT address.
• Iterate the dyld symbol table and search for
  the function names in __LINKEDIT.








        Back to libSystem
• Non-exported symbols are taken out
  of the symbol table when loaded.
• Open libSystem binary, find the
  variables in the symbol table.
• Adjust variables to the base address of
  the in-memory __DATA segment.






       Put pieces together
• Iterate the header structure of libSystem
  in-memory and find the __DATA base
  address.
  – __DATA base address 0x2000
  – Symbol at 0x2054
  – In-memory __DATA base address 0x4000
  – Symbol in-memory at 0x4054





                 Results
• Run a binary on an arbitrary machine.
• No traces on the hard-disk.
• No execve(), the kernel doesn’t know
  about us.
• It works with every binary.
• It is possible to write payloads in a high
  level language.




         Demo description
• Run a simple piece of code which acts
  like a shellcode and retrieves the binary.
• Execute the attack with nmap and
  Safari.
• Show network dump.
• Show memory layout before and after
  the attack.





DEMO








      Future developments
• Employ encryption to avoid NIDS
  detection.
• Use the cavity infector technique.
• Port the code to iPhone to evade code
  signing protection (catch you at BH
  Europe).






Thanks, questions?




