Advanced Windows Exploitation Techniques

Matteo Memelli
Jim OGorman





Copyright 2012 Offensive Security Ltd. All rights reserved.

Page 1 of 331


All rights reserved to Offensive Security, 2012

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author.









Table of Contents

Module 0x00 Introduction ..... 8
Module 0x01 Egghunters ..... 9
    Lab Objectives ..... 9
    Overview ..... 9
    Exercise 1-1 ..... 11
    MS08-067 Vulnerability ..... 12
    MS08-067 Case Study: Crashing the Service ..... 12
    MS08-067 Case Study: Finding the Right Offset ..... 15
    MS08-067 Case Study: From PoC to Exploit ..... 17
    Controlling the Execution Flow ..... 20
    Getting our Remote Shell ..... 30
    Wrapping Up ..... 34
Module 0x02 Bypassing NX ..... 35
    Lab Objectives ..... 35
    A Note from the Authors ..... 35
    Overview ..... 36
    Hardware Enforcement and the NX Bit ..... 36
    Hardware-Enforced DEP Bypassing Theory Part I ..... 37
    Hardware-Enforced DEP Bypassing Theory Part II ..... 38
    Hardware-Enforced DEP on Windows 2003 Server SP2 ..... 39
    MS08-067 Case Study: Testing NX Protection ..... 40
    Exercise ..... 43
    MS08-067 Case Study: Approaching the NX Problem ..... 44
    MS08-067 Case Study: Memory Space Scanning ..... 46
    MS08-067 Case Study: Defeating NX ..... 49
    Exercise ..... 52
    MS08-067 Case Study: Returning into our Buffer ..... 53
    Exercise ..... 65
    Wrapping Up ..... 65
Module 0x02 (Update) Bypassing DEP AlwaysOn Policy ..... 66
    Lab Objectives ..... 66
    Overview ..... 66
    Ret2Lib Attacks and Their Evolution ..... 67
    Return Oriented Programming Exploitation ..... 67



    Immunity Debugger's API and findrop.py ..... 72
    Exercise ..... 80
    ASLR ..... 80
    PHP 6.0 Dev Case Study: The Crash ..... 81
    PHP 6.0 Dev Case Study: The ROP Approach ..... 85
    PHP 6.0 Dev Case Study: Preparing the Battlefield ..... 86
    Exercise ..... 88
    PHP 6.0 Dev Case Study: Crafting the ROP Payload ..... 89
    Steps 1 and 2 ..... 89
    Steps 3 and 4 ..... 94
    Step 5 ..... 97
    PHP 6.0 Dev Case Study: Getting our Shell ..... 101
    Exercise ..... 104
    Deplib: Gadgets on Steroids ..... 105
    Classification ..... 105
    Searching the Database ..... 107
    Stack Pivoting ..... 111
    Wrapping Up ..... 112
Module 0x03 Custom Shellcode Creation ..... 113
    Lab Objectives ..... 113
    Overview ..... 113
    System Calls and the Windows Problem ..... 114
    Talking to the Kernel ..... 115
    Finding kernel32.dll: PEB Method ..... 116
    Exercise ..... 121
    Resolving Symbols: Export Directory Table Method ..... 122
    Working with the Export Names Array ..... 123
    Computing Function Name Hashes ..... 127
    Fetching a Function's VMA ..... 129
    MessageBox Shellcode ..... 132
    Exercise ..... 135
    Position Independent Shellcode (PIC) ..... 136
    Exercise ..... 139
    Shellcode in a Real Exploit ..... 140
    Exercise ..... 142
    Wrapping Up ..... 142
Module 0x04 Venetian Shellcode ..... 143



    Lab Objectives ..... 143
    Overview ..... 143
    The Unicode Problem ..... 144
    The Venetian Blinds Method ..... 145
    Exercise ..... 146
    DivX Player 6.6 Case Study: Crashing the Application ..... 147
    Exercise ..... 148
    DivX Player 6.6 Case Study: Controlling the Execution Flow ..... 149
    Exercise ..... 157
    DivX Player 6.6 Case Study: The Unicode Payload Builder ..... 158
    DivX Player 6.6 Case Study: Getting our Shell ..... 162
    Exercise ..... 173
Module 0x05 Kernel Drivers Exploitation ..... 174
    Lab Objectives ..... 174
    Overview ..... 174
    Windows I/O System and Device Drivers ..... 174
    Communicating with Drivers ..... 175
    I/O Control Codes ..... 176
    Privilege Levels and Ring0 Payloads ..... 176
    Staging R3 Payloads from Kernel Space ..... 178
    Case Study Payloads ..... 179
    Case Study Payload (1): Token Stealing ..... 179
    Case Study Payload (2): MSR Hooking ..... 185
    Function Pointer Overwrites ..... 191
    avast! Case Study: Kernel Memory Corruption ..... 194
    avast! Case Study: Way Down in ring0 Land ..... 194
    Exercise ..... 201
    avast! Case Study: Bypassing Device Driver Checks ..... 202
    Exercise ..... 212
    avast! Case Study: EIP Hunting ..... 213
    Exercise ..... 222
    avast! Case Study: Elevation (1) ..... 224
    Exercise ..... 228
    avast! Case Study: Elevation (2) ..... 229
    Exercise ..... 240
    Wrapping Up ..... 240
Module 0x06 64-bit Kernel Driver Exploitation ..... 241



    Lab Objectives ..... 241
    Overview ..... 241
    64-bit Address Space ..... 242
    64-bit Main Enhancements ..... 244
    Windows-On-Windows Emulation ..... 245
    64-bit Exploitation: General Concepts ..... 247
    MS11-080 Case Study: The Bug ..... 249
    MS11-080 Case Study: IOCTL Hunting ..... 251
    MS11-080 Case Study: Triggering the Vulnerable Code ..... 253
    Exercise ..... 261
    MS11-080 Case Study: Mapping your Route ..... 262
    MS11-080 Case Study: BSODing the Box ..... 266
    Exercise ..... 274
    MS11-080 Case Study: Owning RIP ..... 275
    MS11-080 Case Study: You are on your Own. Bring me a SYSTEM Shell! ..... 291
Module 0x07 Heap Spraying ..... 292
    Lab Objectives ..... 292
    Overview ..... 292
    JavaScript Heap Internals Key Points ..... 293
    Heap Spray: The Technique ..... 296
    Heap Spray Case Study: CVE-2011-2371 POC ..... 301
    Exercise ..... 304
    Heap Spray Case Study: A Deeper Look at the Bug ..... 305
    Heap Spray Case Study: Mapping the Object in Memory ..... 307
    Exercise ..... 312
    Heap Spray Case Study: Controlling the Execution Flow ..... 313
    Exercise ..... 316
    Heap Spray Case Study: Stack Pivoting ..... 317
    Exercise ..... 320
    Heap Spray Case Study: Pointer Stunts ..... 321
    Exercise ..... 326
    Heap Spray Case Study: When 1 Bit = Shell ..... 327
    Exercise ..... 330
    Wrapping Up ..... 331



Module 0x00 Introduction

Exploiting software vulnerabilities in order to gain code execution is probably the most powerful and direct attack vector available to a security professional. Nothing beats whipping out an exploit and getting an immediate shell on your target.

As the IT industry matures and security technologies advance, exploitation of modern popular software has become more difficult, which has definitely raised the bar for penetration testers and vulnerability researchers alike.

In this course we will examine six recent vulnerabilities in major software, each of which required extreme memory manipulation to exploit. We will dive deep into each scenario and gain a firm understanding of Advanced Windows Exploitation.







