Modern Windows Userspace Exploitation

Video thumbnail (Frame 0) Video thumbnail (Frame 985) Video thumbnail (Frame 3059) Video thumbnail (Frame 4344) Video thumbnail (Frame 5724) Video thumbnail (Frame 7440) Video thumbnail (Frame 8959) Video thumbnail (Frame 10605) Video thumbnail (Frame 11882) Video thumbnail (Frame 12988) Video thumbnail (Frame 14611) Video thumbnail (Frame 16227) Video thumbnail (Frame 17933) Video thumbnail (Frame 19139) Video thumbnail (Frame 20847) Video thumbnail (Frame 22865) Video thumbnail (Frame 24022) Video thumbnail (Frame 25424) Video thumbnail (Frame 26885) Video thumbnail (Frame 28049) Video thumbnail (Frame 29506) Video thumbnail (Frame 30855) Video thumbnail (Frame 32069) Video thumbnail (Frame 33133) Video thumbnail (Frame 35138) Video thumbnail (Frame 37983) Video thumbnail (Frame 39061) Video thumbnail (Frame 40429) Video thumbnail (Frame 41715) Video thumbnail (Frame 43133) Video thumbnail (Frame 44724) Video thumbnail (Frame 45733) Video thumbnail (Frame 47398) Video thumbnail (Frame 48424) Video thumbnail (Frame 50227) Video thumbnail (Frame 51266) Video thumbnail (Frame 52537) Video thumbnail (Frame 54261) Video thumbnail (Frame 55751) Video thumbnail (Frame 56848) Video thumbnail (Frame 57819) Video thumbnail (Frame 58954) Video thumbnail (Frame 60498) Video thumbnail (Frame 61683) Video thumbnail (Frame 63300) Video thumbnail (Frame 64553) Video thumbnail (Frame 65551) Video thumbnail (Frame 66669) Video thumbnail (Frame 68291) Video thumbnail (Frame 69301) Video thumbnail (Frame 71069) Video thumbnail (Frame 72133) Video thumbnail (Frame 73900) Video thumbnail (Frame 75125)
Video in TIB AV-Portal: Modern Windows Userspace Exploitation

Formal Metadata

Title
Modern Windows Userspace Exploitation
Title of Series
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
In this talk we will go through the different mitigations in Windows 10 and see how they affect modern userspace exploitation. We will explain the primary ones and the different ways to bypass them. Finally, we will demo a cool exploit that achieves code execution.
Keywords Security

Related Material

Video is cited by the following resource
Roundness (object) Musical ensemble Semiconductor memory Information security Window Spacetime
Point (geometry) Vulnerability (computing) Functional (mathematics) Code Multiplication sign Memory management Code Process (computing) Pointer (computer programming) Video game Information security Window Hydraulic jump Physical system Vulnerability (computing)
Randomization Code Control flow Process (computing) Finite difference Different (Kate Ryan album) Memory management Order (biology) Process (computing) Maize Vulnerability (computing) Physical system Data integrity Control flow graph
Vulnerability (computing) Message passing Different (Kate Ryan album) Code Real number Multiplication sign Computing platform Window Physical system
Robot Group action Mapping Inheritance (object-oriented programming) Interface (computing) Multiplication sign Interactive television Instance (computer science) Robotics Object (grammar) Operator (mathematics) Interface (computing) Configuration space Information Series (mathematics) Social class Cloning
Robot Vulnerability (computing) Function (mathematics) Constructor (object-oriented programming) Memory management Instance (computer science) Freeware Attribute grammar Number Vulnerability (computing) Software bug Cloning
Point (geometry) Robot Dataflow Trail Vulnerability (computing) Code Multiplication sign Point (geometry) Shared memory Counting Pointer (computer programming) Pointer (computer programming) Different (Kate Ryan album) Object (grammar) Object (grammar) Sinc function
Point (geometry) Robot Vulnerability (computing) Pointer (computer programming) State diagram Semiconductor memory Shared memory
Robot Dataflow Vulnerability (computing) Preconditioner Arithmetic mean Pointer (computer programming) Robotics Semiconductor memory Logic Condition number Right angle Maize Freeware Initial value problem Vulnerability (computing) Cloning
Host Identity Protocol Code Content (media) Continuous function Software bug Mathematics Wave Uniform resource locator Resource allocation Different (Kate Ryan album) Logic Different (Kate Ryan album) Right angle Object (grammar) Block (periodic table) Freeware Resource allocation Theory of everything Window International Date Line Vulnerability (computing) Address space
Email Host Identity Protocol Block (periodic table) Code Multiplication sign Content (media) Continuous function Metadata Resource allocation Internetworking Block (periodic table) Freeware Resource allocation Sinc function Window Spacetime Address space
Point (geometry) Uniform resource locator Virtual machine Table (information) Freeware Window Field (computer science) 19 (number)
Reading (process) Robot Socket-Schnittstelle Information Code Interface (computing) Letterpress printing Streaming media Instance (computer science) Pointer (computer programming) Pointer (computer programming) Semiconductor memory String (computer science) Video game Information Object (grammar) Address space Address space
Axiom of choice Functional (mathematics) Mapping Length Code Multiplication sign Interface (computing) Code Set (mathematics) Instance (computer science) Field (computer science) Writing Pointer (computer programming) Pointer (computer programming) Doubling the cube Function (mathematics) String (computer science) Set (mathematics) Right angle Address space Social class Address space
Point (geometry) Rule of inference Functional (mathematics) Simulation Mapping Multiplication sign Instance (computer science) Parameter (computer programming) Field (computer science) Attribute grammar Semiconductor memory Network socket Right angle Address space God Vulnerability (computing)
State diagram Computer-generated imagery Density of states Sheaf (mathematics) Leak Population density Single-precision floating-point format Information Process (computing) Resource allocation Hydraulic jump Address space Social class Binary code Memory management Instance (computer science) Limit (category theory) Shape (magazine) Uniform resource locator Pointer (computer programming) Vector space Function (mathematics) Video game Object (grammar) Table (information) Speicheradresse Address space Booting
Game controller State diagram Structural load Length Computer-generated imagery Field (computer science) Attribute grammar Number Leak Pointer (computer programming) Semiconductor memory Information Process (computing) Booting Physical system Host Identity Protocol Web page Binary code Code Shape (magazine) Entire function Process (computing) Pointer (computer programming) Vector space Function (mathematics) Spacetime Address space Booting
Image warping Functional (mathematics) Demo (music) Structural load Code Multiplication sign Web page Code Writing Pointer (computer programming) Virtual reality Pointer (computer programming) Function (mathematics) Right angle Gastropod shell Table (information) Hydraulic jump Writing Reading (process) Hydraulic jump Window
Code Lemma (mathematics) Flag Right angle Window
Cache (computing) Demo (music) Operator (mathematics) Binary code Memory management Cuboid Utility software Pivot element Address space Physical system
Randomization Block (periodic table) Multiplication sign Raster graphics Field (computer science) Mathematics Uniform resource locator Resource allocation Memory management Order (biology) Revision control Resource allocation Window Data integrity
Random number State of matter Cartesian closed category Software testing Right angle Chaos (cosmogony) Resource allocation Thresholding (image processing) Window Address space Field (computer science)
Point (geometry) Randomization Random number Randomization Logical constant Code Multiplication sign Bit Raster graphics Symbol table Subject indexing Uniform resource locator Hexagon Pointer (computer programming) Resource allocation Read-only memory Order (biology) Video game Right angle Process (computing) Resource allocation Position operator Address space
Randomization Beat (acoustics) Process (computing) Pointer (computer programming) Hexagon Block (periodic table) Multiplication sign Raster graphics Packet Loss Concealment Resource allocation Position operator
Point (geometry) Uniform resource locator Loop (music) Pointer (computer programming) Flag Raster graphics Packet Loss Concealment Proxy server Resource allocation
Point (geometry) Meta element Email Functional (mathematics) Code Memory management Shape (magazine) Limit (category theory) Resource allocation Function (mathematics) Strategy game Right angle Address space Address space
Bytecode Functional (mathematics) Beat (acoustics) View (database) Code Usability Stack (abstract data type) Parameter (computer programming) Thetafunktion Online service provider Game theory Information security Window Address space
Functional (mathematics) Proxy server Direction (geometry) Multiplication sign Control flow Branch (computer science) System call Symbol table Process (computing) Pointer (computer programming) Kontrollfluss Time evolution Video game Process (computing) Address space Control flow graph
Functional (mathematics) Context awareness System call Proxy server Demo (music) INTEGRAL Primitive (album) Primitive (album) Stack (abstract data type) Leak Chain Video game Hydraulic jump Address space Control flow graph Address space
Code Tape drive Flag Thresholding (image processing)
Binary code Right angle Address space
Wave Code Flag Leak Vulnerability (computing)
Randomization Random number Service (economics) Computer file Link (knot theory) Revision control Primitive (album) Flag Software testing Shape (magazine) Window Twitter
Uniform resource locator Freeware Resource allocation Thresholding (image processing)
Workstation <Musikinstrument> Uniform resource locator Resource allocation Code Mountain pass Multiplication sign Order (biology) Counting Software testing Shape (magazine) Game theory Number
Web page Suite (music) Proxy server GUI widget Key (cryptography) Code Texture mapping Multiplication sign Web page Code Crash (computing) Visualization (computer graphics) Revision control Video game Flag God
Service (economics) Proxy server Code INTEGRAL Texture mapping Structural load Web page Code System call Electronic signature Revision control Revision control Proxy server Address space Sinc function Library (computing) Data integrity
Reading (process) Scripting language Proxy server Link (knot theory) Structural load Content (media) Read-only memory Kernel (computing) Shared memory Operating system Computer worm Process (computing) Digital rights management Proxy server Speicherschutz Control flow graph Parsing Just-in-Time-Compiler Server (computing) Projective plane Code Resource allocation Prediction Personal digital assistant Compiler Compilation album Convex hull Control flow graph Sinc function Probability density function Address space
Point (geometry) Real number Code Chain Mathematics Process (computing) Envelope (mathematics) Logic Calculation Chain Gastropod shell output Video game Gastropod shell Process (computing) Office suite Proxy server Physical system Row (database) Physical system
Type theory IRIS-T Flag Computer worm OSI model Physical system Leak
Point (geometry) Type theory Goodness of fit Semiconductor memory Multiplication sign Flag Computer worm Computer network
Process (computing) Binary code Touch typing Physicalism
Point (geometry) Type theory Process (computing) 1 (number) Source code Control flow Flag Right angle Parameter (computer programming) System call Physical system
Point (geometry) Code Hecke operator Bit System call Chain Process (computing) Kernel (computing) Order (biology) Flag Video game Gastropod shell Process (computing) Implementation Physical system Physical system Vulnerability (computing)
Laptop Dependent and independent variables Flag Right angle
Dot product Link (knot theory) Strut Order (biology) Flag Computer worm Stack (abstract data type) Drop (liquid) Shape (magazine) Electric current Physical system Leak
Binary code Physicalism Right angle Address space
Point (geometry) Intel Proxy server INTEGRAL Multiplication sign Mathematical analysis Twitter Wave Kernel (computing) Cuboid Spacetime Table (information) Control flow graph
Dataflow Process (computing) Software Code Set (mathematics) Acoustic shadow Stack (abstract data type) Address space Condition number
Dataflow Proxy server Canonical ensemble Mathematics Process (computing) Kernel (computing) Ring (mathematics) Computer configuration Kernel (computing) Network topology Video game Spacetime Acoustic shadow Information security Window Condition number Spacetime Control flow graph
Proxy server Programmable read-only memory Maxima and minima Twitter Virtual reality Read-only memory Internetworking Memory management Computer worm Proxy server Control flow graph Data integrity Email Online help Web page Lemma (mathematics) Code Color management Control flow Inclined plane Windows Registry Twitter Plane (geometry) Pi Authorization Information security Physical system Alpha (investment) Address space
Trail Information Software developer Multiplication sign Visual system Combinational logic Software bug Visualization (computer graphics) Compilation album Flag Social class Data structure Window Vulnerability (computing) Social class Default (computer science)
Pointer (computer programming) Message passing Just-in-Time-Compiler Proxy server Link (knot theory) Server (computing) Time evolution Determinism Cartesian closed category Musical ensemble Information security Semiconductor memory
[Music] so our next speaker is going to be talking about modern windows user space exploitation he is a security researcher at nsrc Israel please give a big round of applause to sow [Applause]
[Music]
okay hi so so first of all and thanks a lot for all of you and to come up here I know that there is a great competition so I really really appreciate it and so my name is a llama I'm it's the MSMC and like based in Israel and so actually I'm able to talk with you today like about how we can execute I would record on latest Windows system and so just a little bit like about myself I am a security researcher my whole point in life is about reversing and exploiting vulnerabilities and I'm also highly addicted to CPF I'm in Austin CTF team which I hope that you like probably heard of the husband now and and I actually account to a kick off the talk which very important like a question so like what do you think the point in life is so so of course the point in life is to execute arbitrary code da and and there is actually a very simple and trivial process for that white I mean all you need to do is to find some really awesome cake a zero-day vulnerability and you have something in the middle it'll profit and back then
about 200 years ago it was really really easy I do hope that you all do it all the times that they stuck in the heap will well executable and everything is fixed and you have no SLA whatsoever and you can collapse function pointers and jump to them and basically nothing stops you well those times were fun easy but also really really dangerous well we don't have that anymore right since we
mitigations who have mitigations everywhere and actually we have quite
bunch of them and and they think that I really want to do today is to talk about the internals of the mitigations and they'll spend them and most importantly see all of the all of the equities that you need to gain in order to bypass them since it's
really not it's really not a trivial process and I feel personally that the best way in order to achieve that is to find one single vulnerability and to exploit it on many different operating systems with increasing and increasing amounts of different mitigation so that's exactly what we are going to do right now and so actually my intentions
were to take a real Windows corner
ability and to exploit it because it's fun but certainly I saw that if I would the talk will probably last three hours and we don't have time because there is a great like MCTS that is going right now and I have to go and but instead we will take a like really really awesome Windows CTF challenge from the insomniac CTF diesel from 2017 and on the way we
will send the message that I personally like really want to see more windows CTF challenges is in system so please do that and we are going to achieve code execution on many different unlike many different of any systems and text together the Germany to bypassed many many mitigations okay so what we are
dealing here with the win World Challenge it was a great challenge based on the west-world TV series say they didn't watch it's is I was extremely busy in the last two years just like reversing hyper-v but but the challenge is the clinical it's basically try to implement some kind of narrator which is which basically like ratio creates both robots and humans and you can move them like on some map and you can make them talk to each other in interact with each other and fight and do like awesome stuff and and important note here is that both robots and humans have like M Bey like a best class shared which is person and the interface simply
like let you do those actions those operations on any personal instance each time that I will state instance I mean of course a like both like robot home no human they have simply inheritance from person now this
is not a how to find vulnerabilities doc this is a an exploitation talk so let's cut to the chase and dump all of the vulnerabilities so vulnerability number one we have an an and we have an uninitialized attribute in the person instance and each person has a like a member of a is conscious let's tell you if the person is conscious or it isn't and the person comes then so the person constructor keeps in mind to initialize that value to false but the person copy course facto forgets its so if you can trigger the person copy post facto and of like of course you can you have a nun initials we have an uninitialized value which takes whatever was on the heap
before which is cool and we have also a use after free bug in the challenge we
need to share to like share pointers to post on in some sense and like between many many different objects and like combine like component and but it's kind of like problem since since you have to know when you can free the shank so so the challenge is a short pointers which is kind of some like repair for point L which has like like the M ref count which like simply counts they like amount of objects that took a reference to you so each time some other objects took a reference to it increment the pointer by one each time it Livio it's the a track deck the pointer by one and when the ref count like reaches zero the object can be freed the problem is that there is some flow in the challenge that you can take care about and to transform it to human and now this is really cool but the problem is the decode that does
that use STD move which actually duplicates the object and those duplicate the short pointer now this is
really really one because this actually breaks the whole point of show pointers the right things to do is to intimate the restaurant and that's it and instead you duplicate the
sharepoint l and you have two different shared pointer which points to the same chunk in memory and of course this is really really want since when a one of those share pointer will reach zero the person chunk in memory will be freed and you have a dangling pointer from the other shared pointer to a free chunk and then the fun begins so cool awesome so yeah the problem is that you can say
that you have a vulnerability if you don't have a reflow right you have to trigger the flow so we actually can do it by taking robot into two n to transform into human just like I told you and this happens when you have both robots and human in the center of of the maze okay and you have those preconditions to be met and you see that one of the preconditions is that the person is Corson's will be set meaning not false and we can do that by the first vulnerability of the an initialize value so combine those two abilities together we can make the flow of transform the robots to human and we
have delve in pointer from the other shelter Intel to a free chunk in memory okay and now after that we armed with say use after free vulnerability let's the actual fun begin okay so let's so
let's all talk we start with execute code on Windows 7 the first thing that
we need to do is to understand the alligator right because you have like use after free bug and like trivially the change that we like need to do first is to trigger some allocation some idle object allocation to fall in the exact same spot on the hip that the last person chunk gottfried okay this is usually how it's not used after three bugs and the problem is that you we have many many different Aloka toes and each a locator wave has its own logic in the way tracks free chance and you have to understand the allocator that you're dealing with and if you want to exploit their vulnerability so of course we have in Windows so we work with the lfh the low fragmentation hip and this is the font and allocate Oh in
an accuser space since Windows Vista now I don't want to talk about lfh internals is in highly documented or like basically all over the Internet I will simply say that that is really like the malloc if you are familiar and they and your destruct switch called user blocks which is a pool of same size chunks in the hip and every time you do a malloc you get a charge from there and like every time you free the chunks like goes
back and you have no coalescing no consolidate no fragmentation like like whatsoever and cool the problem is that in back then in Windows 7 we have like a meta data which called free entry offsets which set in the first two bytes inside the free chunk after the header which means that it has no encoding and also and no protection whatsoever and this lack metadata indicates to the allocator which chunk needs to be returned to the to the user in the next allocation and
simply like co-opting this field is like give you extremely strong primitive and the second problem is that the nfh in the windows 7 it allocates chunks continuously in my movie so shopping nfh in like windows 7 is basically not really a problem and you can see it if you take some some tester and execute it
on like a Windows 7 machine and so you can see on the left side that I see misplaced on size on the hip and on and on the right side you can see that all of the chunks all of the locations for one after the other very very nicely everything is like everything is that predictable and the most fun point here is that thanks to the free entry offset the lfh keeps free chunk in last in first out fresh so this table like my Oxley my luck will will actually for sure retelling the same chunk so we can exploit the use after free buggy very very easily okay now that we can
allocate some other objects on the same fleet person name address in memory we can start like any primitives because if
we want and of course we want because it's the goal in life to get arbitrary code execution we need to gain probably an declarative or arbitrary read right so each person has a name is the string name and the interface simply like lets you dump the name it's printed over the
sockets with the info command but the name is that simply is like a steady stream is a pointer in the present instance but I can allocate whatever I want there like string even which I basically can control every single byte still so I can fake the name pointer and set it to fixed address in memory after
the address for my choice and then I can dump it the great thing here is that the length of the name is also a field in the STD strain which it's in the person instance so we basically have arbitrary red with a maternity length and it's an its goal in the very same way in the very same fashion we have out red lights
without revealing right because the interface basically lets you to update a name as well so yeah it's cool and now that's that's that's like not enough because we want to execute code so we can corrupt some pointers but it's actually way way easier we have a function the virtual function in the class is not even in in in the VTA Abell you don't need to deal with double D references its function pointer inside the class called own encounter which get triggered each time two different persons made on mates on the map so by by like basically spray string sets in the relevant offsets fixed address and then move to different persons to the same spots we have the ability to jump to arbitrary address and
again like execute code okay cool but I know that I will probably need to read more than one address right you
will probably need to read like more than once so we can make a really really elegant trick I really like this stuff in exploits is wreckin illegal and you can corrupt the own encounter function to put two points to actually get s and then move persons on the map and each time they meet they get s function will be trigger as their own encounter function but it's really cool since they get s gets the first argument that on encounter with God which is a person address in memory so I can send that over the socket which will write on honor or or like all the fields all the attributes of the person instance and I do that without trigger any other vulnerability whatsoever okay I like sim I like simply like trigger the devil ability once and then I can write on all of the fields of the structure like over the socket which is like a lyrical tricks like that it is the exact stuff that make exploits reliable and it's really really important to make sure that we trigger they will never bility as few times as possible okay fantastic let's keep going and so we have
arbitrary readwrite jump limit Eve's it's cool yeah basically life is easy but we have a salaam everything is under SLR the dll is the main binary the heap the stock we don't know where everything is and so we need to start like flicking pointers the problem is that I don't have the primitive to read something relative to me I read absolute addresses and I don't know which address to put them so I so I probably need to trigger some allocation of some other object which it's the same offset is the ssed name in the person class it has some other pointer to him to start to label way to Lagrangian pointer whatever you want well sed vector actually meets those dos
a as Adam and so by basically trigger SD vector we can do this trick and now apparently person in reality have okay and like person in the challenge also have friends and each person has a vector of all of its friends so but so by simply taking single person and like II D seven different friends to its there's the vector this a containing all of its friends will be the exact same size as the person instance and it's really really important because we are in the lfh and and a chance tagalog organize together when they are in the same size so we can trigger the location of some SED vector dump the name of the person and we get the v table of density vector which is in the other data section of the main binary well that's
easy but the problem is that i from obvious reasons i can control on the fields on the attributes of this V vector so the length of the fake length of the name will be huge number and I don't have any control over that so I do leak the pointer but the process dies during the copy now this is fine because we are in a CTF and the process basically lunches and thanks to the fact that in like use of space and all of the details and all of the binaries get randomized in Boots that's correct but they still but but they still were they are individual memory for the entire system lifetime so the process dies it relaunched in every pointer that you leak stay where it was excess of course for the stock in the hip that gets like randomized in the process creation but all of the details in the main binary
will stay will stay well they will okay now we need to choose the cost to execute I would record right well we can
come out function pointers with tables we can crop the stock in the warp we can basically even load some deal and some unsightly ll with our code and it will be executed and we can we can to allocate a read write execute chant we can do basically what whatever we want in stops us so and let's do the lope okay
and let's say let's let's create some chunk rid of execute the right shellcode and jump to it and now it's time for demo and I do hope that on stage the
devil behave just like they did downstairs if not we I will publish all
of the code and you can execute it at
home please please do so so let's go to the to the
like Windows 7 exploits and I have the IP right here somewhere okay awesome and
let's launch the VM and since we are in a CTF I simply decided that they like arbitrary code that we will execute will be to like read the flag and the flag is I elevator since we all love Ada and let's execute the challenge just to make sure what's happening okay yeah 84 let's hope that again the physics on
stage is like just like down stuff so we leaked the address of the main binary we leave the address of the utility base since I have some like pivots Dale came at 32 they heap the stock and if we do up we have the flag okay so the first demo box thank you
awesome yeah the postal caches of course
it's like a CTF it's it's cool and we go
to the Germany to the next operating
system we understand pressured one so we take the very simple C that we executed like just now we and if you try to execute it trust me it will fail and it will fail since the shapefiles and the
ship failed since we have a lot of change a massive change like between the allocated lfh between Windows 7 and Windows 8 and seriously like a lot of really cool and awesome engineers looking like they invested like a lot of time in deaths and the lfh looks extremely different and first of all we
don't have this free entry offset field which which is really really good
instead we have a bitmap which simply indicates or each ant in the user blocks if it's allocated or if it's freed and moreover all of them all of their locations are randomized the order of the allocations cannot be predicted so easily as it was before and if you take
the very same tester that you had in
Windows 7 and execute it on like Windows 10 threshold 108 yeah it's it's like risk is the same you can see on the right side that all of the addresses are in complete chaos you can't know what comes afterwards and the state is really not predictable it as it was before now since we don't have the free entry offset field they stopped like monochromatic want won't return in the same chunk right because the allocation are randomized so it's not that reveal anymore to calm a lock and to get the last free chunk actually with extremely high probability you won't get this chance ok cool now I want to I pass it
right because we agree together that the point in in in life is to execute arbitrary code so we need to bypass the mitigation and like otherwise we don't have like a reason to live so um in order to bypass the mitigation we have done to like to work understand the implementation and and to see where the random comes from okay so it's really really interesting and from now on we have the bitmap which indicates for each chunk if it's freed or if it up like allocated so the locator choose a random position on the bitmap it scans from there in a linear fashion until it sees bits that indicates free chunk it simply flip the bits and return this chance to the user and there you go and of course since the position in the bitmap is random the allocation order will be random but the question remains how the random position is chosen so we have a looking like a new symbol in a tidy little RTL pillow foggy random data which is a fixed address of a hundred hex values which are random truly random since the guys this is not the issue okay all those values are simply decorated from Krypton 32 and ohm in captivity to the DLL and let's find
there a cryptographic random dip and each time we hold a pointer to this random dot array and every time you do a maroc I take the current like random value from the array and this random value is used as the index for skin in the bitmap so of course you can see from here that the allocation of like audio will be random let's see this happens so sorry so here so here on the lock right
side you see the like user blocks which are the chunks on the hip and and you can see the bitmap which describe it now let's let's call malloc okay so we choose some like random position in the bitmap and we start to scan from there now we like happen to choose 0 which like indicates free chunk we simply fit flip the bits and return on the channel to the user now we call another malach and we take another random value this llegando value like it happens to be a allocated chunk right there so we start to scan from there in in a fashion until we see free chunk and then we flip the beat and return in the trunk to the user now of course there is a serious very serious issue here because they all of the random values are in static array which size of handled Hicks so what's happen if we try to like allocate more than like Heather the hex allocations which basically happen really really fast like even if you don't do it your process will probably does allocations all the time so the pointer will wrap around the array but they've but the values will run them before but they stay intact in this and they're the exact same values so if you try to execute this plc which
which which which like simply does allocation free the chunk and then for FF x do like unlock flee a log 3 a lock free and do the location again the second allocation after the loop will use the exact same random value from the array in the bitmap and those for sure by definition it will return to you the exact same chunk that would like return in the first allocation the whole point of the loop is just to increment the pointer on the random data and to make it available that's it and this is really really deterministic ok this kind of flag bypasses is is like really
really cool it's extremely like makes me happy to see tricks like that and of course this exactly solve my problem since I can execute this PLC and you see that it works perfectly with probability
1 we get the same junk ok awesome so we solve the shape issue and now we
can continue with the exploit because this is the point of the talk right and so yeah and now we need to like execute code so I only want to call to some function which we lick me the like address of the stock since it is easy to lick all of the DNA else and I mean oh and like the main binary just like I did but in the heap of course it's again it's pretty easy to lick this em is like a little more complicated in this challenge so let's call two of TLP get stuck limits in a caddy deal it should make me
the stock crush into 29 and in 29 is the first fill feature we have it since
Windows 8 and basically if you process does that it means hey dude I detected some really inappropriate views or something really really bad happened I don't know like what to do it game over I'm out bye and yeah if if you forces does that something would happen okay and okay let's go simple beats up in the stock and see like where it comes from and it comes from gal check I call F PTR and it's kind of interesting since the first argument to this function was the address that I try to jump to you see that is actual bytecode in anti DLL so
we have safety which is control flow girl and the job of CFG is to basically a make sure that every indirect bunch is
okay in the sense that every time that you try to jump or call to some address to function pointer again in direct branch call of the X caller bakes and symbols in your binary you have a whitelist of function that the address that you try to jump to has to be in this whitelist if he doesn't about and this exactly what's happened here and there are many knowing like why persist and workarounds for it and jovially gave a great an awesome talk about it in the last offensive con about CFG CFI internals issues we have there how to fix them if you are into it please check it out it's really really awesome talk okay but again they put in life execute
arbitrary code and like all of this stuff we need to bypass safe G and it's not that bad because CFG does make the life way way harder because we don't have any people try today I can jump to the middle of function because for sure it's not in the white list I can't jump to up to like out to like LTL Bristol context and all of the functions they'd say give me controlling of all
faded of the RSP or the click it to me and all of the problematic functions of like forbidden now okay but we don't have yet some finger did they check the integrity of the return addresses on the stack so if we lick the stack and use the arbitrary right primitive that we have already and right what it's fine because we don't have yet something that validate the integrity of the return addresses okay so let's do it again it's really it's really really important to see a demo we I had some
random going on with like threshold one
VM Hill and something happened there I
hope that on stage it will be fine if not again the code will be published you can execute it at home and see that it is cool so let's go to threshold one
again we are in like a CTF so we should
have a flag and of course post and because the stem yeah I love either blah blah blah okay so we do have a flag let's try to execute the tape you see
this is the right IP yeah and again let's hope that everything will be fine okay so we leaked the address of them in binary and we leaked the address of the UCL T ntdll whoop oh man okay interesting yeah sometimes the VM does like some problems this try it again yeah okay yeah the VM does does does like some
problems okay sorry but you can execute
it at home and extract it out there let's see if now it will work yeah code his random so this is why we have vulnerabilities right and again the leaks worked fine wave the flag honestly I think that I'm about to have
a heart attack so sorry for that but it works eventually so cool okay fantastic hey I love either so much and hyper V is
the best thing ever is a great flag
indeed okay so let's keep going and
windows 10 let's turn five the less test kind of if we try again to execute this PLC on like a different file you see that it will fail and it will fails deterministically and and this is because the shape fails again and we
fixed the issue in the random in the lfh it's both service of course because it's is a very serious issue and since build 16 179 we don't have this issue anymore and the random got fixed if you want to check it out all of the internals being different stuff you can see in this tweet link I like what about it's you have everything there and please check it out but again we need to bypass the
random now please keep in mind that's the demand that I have here is not really - it's not to restrict right I don't have to take two different chunks and they need to be continuously one after the other all I need is to spray some allocations and I just want to one of them to fall in the person free charge that's it okay so even if you have random I can try to spray and see if it will succeed right now of course the two on a location won't do it 10/10 a location probably not a menial allocations will definitely work so the question is where that where is the
threshold and for Delta is like simply worth some pestle okay those are the
numbers of the locations that I hate to spray in order to catch the last free chunk and you see that the next numbers aren't so bad right and okay so simply try sorry for that
let's try to to to play not FF doubled and that works great
again he liked the times when Chile and practice meet and it's basically work with multiply the two counts of this play in the code and like that's it so the shape works and now we try to
execute arbitrary code just like we did
before when everything should be fine we're not we have in twenty nine again and we crash and in life he said because
we have a CG which stands for arbitrary code god this resignation does exactly what its name suggests okay it's basically for widget to execute I would record by by by like by like introduces two new restrictions the first is the sorry the first one is that you can't allocate and you can aim up a plus X pages at all it will suit film visual Allah key X will fence if you try to give it a the flag of page execute this exactly what would happen if you try to like execute this district you'll say ok I don't have time for that but I will
publish it and the second restriction is is that you can edit the permissions of existing code so come so to so those new restrictions combined you can't execute arbitrary code unless you bypass the mitigations you know there were some some like know and cold bypasses for that in other versions they of course got service and fixed and but gives it but keep in mind that again there is nothing that make sure the integrity of the return addresses on the stack so
whoa so what on the stack walks mm since ago it works today and it's still cool and now it's not really problem right because I can call load library X and try to load some some unsightly ll so I have CAG which is called integrity guard which basically for with you to load and side the Ln okay we make sure that the digital signature is fine and if not about so loads unsightly ll want to do the trick now I really wanted to
talk about edge since edge is a really really cool use case for that edge has CAG CAG a CG CFG and many many XY G's in in its many many guards but I don't have the time and go am a great shout out for
amphoteric from Google project zero I found many bypasses really really cool and and need any like quotes a really cool PDF about it and please check it
out I don't have like time for that it will be he'll I publish the slides and
all of the links so you can see it at home and Alex and ESCO my best buddy I found a really cool Cole bypass for a CG not just for edge okay he found a really cool bypass for a CG inside the operating system and he had a great talk about it every talk of Alex is awesome so check it out Alex I love you and and now we have to
go back to the point in life up with record and stuff so let's bypass a CG and CAG so just to make sure that we can do something let's do hope on the stock but they don't want to do a very don't go up chain because it's not to maintain and officer change and it's cool like in CTF when you have a very short roof chain but in like real war scenario probably you want to do some complex stuff and and try to implement a long logic in envelope it's it's not like it's not like redefine it's very dirty work we do it in like iOS exploits all the time but if I can avoid it I want so let's try to
calculate process shell execute the X system like something like that just to make sure that we still can control what's like going on here so we have the
redstone 5vm let's get let's let's kick
it off and
- less than five and let's try to call
system I have the IPO is something okay and we have the exploitable system and again I I will publish the POC and you
can actually see that the POC is like really really really elegant and and you can see that the what sorry for that and
the vault is simply called system ok system with a command type flag ok so let's do it and this is the VM yeah of
course we don't have memory ok cool good point and are we ready
sorry for the delay come on come on it was possible phone yeah ok so yes oh no
so so the flag right now will be aaaa ok because we don't have time for that and fantastic type flag ok I show that you will see the AAA like once it leaked we have the challenge and we try the POC
out yeah the IP is 93 not 83 ok let's hope again
that the physics is like still fine the base of of them in binary and the base of the UC LT c'mon fantastic and I also need ntdll and now before we execute the
vote please please just let me execute when debug into like a touch the process
because I feeling let's say we will need it and let's break point on system okay where the black ones is I'm I'm so sorry for the team it's it's like inside the VM call vault and we have a Heat's on
system and of course I do expect that the first argument will be type flag now if we do go we need to see the flag right access violation and the process dies and we are inside system are you okay yeah yeah yeah so what's what's the
heck is going on here so of course we
have another mitigation if the sly will
walk in it works fantastic yeah child
process restriction this is the exact behavior that I expect to see because you really don't be allowed to call system in like many processes you don't have a very good reason to do it I mean I have because I exploit vulnerabilities but you at home don't really want this elses will be able to whole system it's
really not points in order to do that and so child process restriction is a really really cool mitigation because it's very very simple it's one bit in the process this forbids the process to create a children is subprocessors that's it it's really really cold because it's kill a lot of these friend exploits and make of course the life way way way way difficult of course I can't say not lick the flag in front of you on
the cliffs on five so let's make sure that we still have the AAA we do and we have an exploit let's make the flag ah sorry thank you and now you should see it okay awesome and yeah the laptop
doesn't response sorry is everything
fine okay so the so so where do we am
entered exploits now you you kind of already know how I like about to lick the flag right we saw all of the mitigations we see how much harder it gets but I always get to the same tech technique I'd do up on the stack so instead of the very simple wolf data that I just show you it's very very
short it's very elegant like one of the shortest swabs I ever did just called system instead of of dots I
have a different drop again the main
looks the same just lick the like address and and like the what but the
Rope now do open wait and put s flash all in order to lick the flag so the
Rope is like way way longer and still
it's fine because it's a city F in will world this kind of like approach to implement everything like in what works
but it's really really kind of last resort right I really want to do more like elegant stuff okay um again physics
on stage like a lot of random should define and let's lick the address of the main binary done you CLT base come on the stake ntdll pop a thank you thank you so much again everything will be published it's a city
of challenge but of course the point is to learn how to do it and to do it like in a good way and so this is for the table okay so what's going on right now before we go back to the city F and there is much
more than I could've told you in this 4560 like mini stock I really wanted to talk about age and about like a lot of stuff but I didn't but somebody but I didn't have the time and you can always like DM me on on twitter come and talk to me like that now come to Tel Aviv wave great food and we can talk and yeah we have containers and like same boxing we are actually like walking right now or some really serious if like improvements from safe G it's it actually be awesome I will keep you posted and I kept telling I kept like telling you that say we yet we have nothing that checks the integrity of the return analysis on the
stock yet we tried our F G which is returning flow guard it just like crap in Linux okay but we had to pull it off actually since we had a very reliable built in rest condition in the future it was really really reliable to export it basically trivial a job really great way to talk about it with the POC with the example internal details again check his talk it's really awesome so we are like waiting for sets by Intel and basically our FG did very very simple trick it's implemented
shadow stack which is a separate strike for only the return addresses in software and then when you do wet in your code you you'll a compel the return address for the main stack and the return other saved on the shadow stack and you don't know where the shadow stack is and if they like addresses are different about and again we hit some
trees condition there so I pulled off but set by Intel is a shadow stock in the process so in the process of itself so it should like mitigate swaps or like
altogether actually I really really like caramel and like below caramels and like hypervisors and we have also stuff going in rings zero we actually introduces nfh in the kernel space which is a life changer for canonical options really seriously a life change of since the lfh is way way secure than the way they like windows supports work before we have VBS and via same which is crazy and we actually have smart only for plus up dispatcher flows because it's kind of
like limited like right now but it is a start and it's works great there is great documentation about it all all over the place all over the Internet's check it out but one importantly is that we want to help so I don't know I just
love to wake up in the morning and talk
to awesome people about awesome stuff that I rebel so if you find some cool
bypass talk to us it's like hella cool
and you can always DME and Twitter mail come to me right now I really really like open to stuff and I and I like love to talk to like cool people about about like whole exploits so do that and there is something else
that that we try to do and it actually works great and there is the approach of try to kill a bug class altogether okay if you saw Joe Bialik tweeted about is in it all mitigation which basically do like memset zero for all of the structures it should kill a lot of information disclosure it Nichole's great and the guy awwe which is awesome great challenge so in his write up he actually wrote that in in the first place the challenge like did it work because Visual Studio 2015 by thief fault is the slash SDL combination flag in which memset zero or of the structure so the first vulnerability of the uninitialized value of the east conscience in depends on didn't work it simply did it happen you have the vulnerability but it's basically have zeros so he heads to disable the flag and so it's a critical to see that we don't intend and cool stuff like that happen so yeah and it's time from shots
out so again a so a so aw is the guy who votes the challenge in the write-up good again like great work and please do more like windows CTF challenges to mosh my best friend for exploits whiskey and the both girls thank you for all of your help and thank you for all of the brilliant engineers that they actually keep track of treat ale see all of the stuff to devote and keep fixing that's it's really cool and we have many many example that I like simply tweet something and like three months later I've been different I see it fixed it's like wasn't even some kind of serious but like vulnerability but they do also some stuff so so keep do that
and you have some some reference for all of the stuff that we did here and I
think that the last link goes down like a week before I send a message to the insomniac I updates it will be hard if not we we we asked them they are really really nice guys and thanks
[Applause]
[Music] [Music]
Feedback