House of Roman: Using Unsorted Bin Attack to achieve a leakless RCE on PIE Binaries

Video thumbnail (Frame 0) Video thumbnail (Frame 2221) Video thumbnail (Frame 2923) Video thumbnail (Frame 3371) Video thumbnail (Frame 4787) Video thumbnail (Frame 5922) Video thumbnail (Frame 7787) Video thumbnail (Frame 9203) Video thumbnail (Frame 10260) Video thumbnail (Frame 11799) Video thumbnail (Frame 14537) Video thumbnail (Frame 16022) Video thumbnail (Frame 16841) Video thumbnail (Frame 17494) Video thumbnail (Frame 18729) Video thumbnail (Frame 19587) Video thumbnail (Frame 22022) Video thumbnail (Frame 22533) Video thumbnail (Frame 24242) Video thumbnail (Frame 25432) Video thumbnail (Frame 26359) Video thumbnail (Frame 26807) Video thumbnail (Frame 28302) Video thumbnail (Frame 29823) Video thumbnail (Frame 30539) Video thumbnail (Frame 32270)
Video in TIB AV-Portal: House of Roman: Using Unsorted Bin Attack to achieve a leakless RCE on PIE Binaries

Formal Metadata

Title
House of Roman: Using Unsorted Bin Attack to achieve a leakless RCE on PIE Binaries
Alternative Title
House of Roman: a Leakless Heap Fengshui to Achieve RCE on PIE Binaries
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Regarding ptmalloc2, many heap exploitation techniques have been invented in the recent years, well documented on the famous how2heap repository, or as writeups of famous CTF challenges (like House of Orange). However, most of them require atleast a libc/heap leak , or fail in non-PIE binaries. My new technique titled House of Roman leverages a single bug to gain shell leaklessly on a PIE enabled Binary. I shall showcase the ease of aligning the heap to perform this attack, thus demonstrating its versatility. Since this a 20 mins talk, attendees should be aware of basic heap exploitation techniques, like fastbin attacks and unsorted bin attacks, and have a general idea of how the ptmalloc2 algorithm works. As a bonus, I also discuss how to land a fastbin chunk in memory regions with no size alignment (like free hook ).
Presentation of a group Internetworking Multiplication sign Autonomic computing Bit Right angle Streaming media
Inclusion map Direct numerical simulation Execution unit Presentation of a group Pi Content (media) Convex hull Hill differential equation Musical ensemble Binary file Twitter
Presentation of a group Root Pi Content (media) Musical ensemble Binary file Information security Information security Routing Metropolitan area network Twitter
Functional (mathematics) Sheaf (mathematics) Letterpress printing Principle of maximum entropy Mereology Software bug Semiconductor memory Memory management output Partial derivative Vulnerability (computing) Patch (Unix) Server (computing) Forcing (mathematics) Bit Calculus Binary file Complete metric space Exploit (computer security) Sample (statistics) Series (mathematics) Partial derivative Musical ensemble Active contour model Force
Game controller Algorithm Functional (mathematics) Host Identity Protocol Memory management Electronic mailing list Binary file XML Computer programming Skeleton (computer programming) Pointer (computer programming) Pointer (computer programming) Sample (statistics) Single-precision floating-point format Quicksort output
Freeware Point (geometry) Electronic mailing list Binary file Thread (computing) Symbol table Symbol table Pointer (computer programming) Pointer (computer programming) Function (mathematics) Quicksort Physical system Physical system
Point (geometry) Constraint (mathematics) Electronic mailing list Data storage device Theory Control flow Focus (optics) Pi Game theory Freeware Address space Metropolitan area network Address space
Email Group action Email Hoax Key (cryptography) Planning Website Musical ensemble Control flow 2 (number)
Point (geometry) Game controller Proxy server Memory management Stack (abstract data type) Ellipse Word Personal digital assistant Semiconductor memory Graph (mathematics) Diagram Quicksort Musical ensemble Address space Address space
Point (geometry) Game controller Memory management Parameter (computer programming) Control flow Dressing (medical) Computer programming Word Loop (music) Hooking Memory management Graph (mathematics) Gastropod shell Lipschitz-Stetigkeit Right angle Gastropod shell Musical ensemble Series (mathematics) Address space Address space
Scripting language Pointer (computer programming) Freeware Point (geometry) Set (mathematics) XML Booting Area Address space
Point (geometry) Game controller Direction (geometry) Closed set Physical law Electronic mailing list Range (statistics) Calculus Calculus Pointer (computer programming) Pointer (computer programming) Hooking Memory management Graph (mathematics) Partial derivative Right angle Musical ensemble Freeware
Source code Proxy server Mapping Real number Source code Memory management Field (computer science) Mathematical analysis Mereology Binary file Revision control Arithmetic mean Pointer (computer programming) Semiconductor memory Series (mathematics) Graph (mathematics) Strategy game Website Quicksort Bounded variation Proxy server
Pointer (computer programming) Proxy server Semiconductor memory Memory management Mathematical analysis Right angle Library catalog XML Mereology Address space
Hooking Structural load Bit Booting
Point (geometry) Random number Electronic mailing list Memory management Range (statistics) Insertion loss Solid geometry Drop (liquid) Term (mathematics) Mereology Binary file Mathematics Pointer (computer programming) Hooking Vector space Pi Memory management Musical ensemble Booting Address space Address space
Point (geometry) Slide rule Functional (mathematics) Closed set Range (statistics) Set (mathematics) Function (mathematics) Crash (computing) Loop (music) Roundness (object) Hooking Statement (computer science) Gastropod shell Partial derivative Musical ensemble Address space Physical system Address space
all right so there's a there's a bit of a bit of a story here that I don't know the full thing but you'll notice that either the speaker is tiny or non-existent which is which which is true he is he well he does exist he is just not here our speaker apparently had enough juice to to convince us that we will now deliver this presentation in an automated way streamed via icloud.com that's right you heard that right we're going to try to stream an entire presentation from the internet right here on stage yeah so so you guys know about autonomous things so this is the this is def cons first autonomous presentation and we also know what might happen if you get into an autonomous vehicle that ship might just completely crash so we have no earthly idea what's gonna happen here we hope it really yeah we hope that it goes really well however there's one thing for sure this is the first time we have used icloud.com as a presentation medium which we think qualifies icloud.com as a first time speaker and presenter so therefore we're all in this together was to icloud.com and without further ado my very small tow presenter hello everyone this is
sundered sorry I couldn't make it to DEFCON apparently my visa are rejected so I have to pre-record my entire talk I hope I can convey the entire content of this presentation to it if you have any question just feel free to reach me out to Twitter my dns are open [Music]
hello everyone this is salad sorry I couldn't make it a deaf man apparently my visa got rejected so I have to prove a court my entire talk I hope I can convey the entire content of this presentation to it if you have any questions just feel free to reach me out to Twitter my D ends are open so I'm a ninety no security engineer and go route based in Berlin Germany and on weekend duplicity as in this you a city Afghan based in Ukraine I know myself on challenges and sometimes upload solution to them and my juice so now let's just start in the talk [Music]
so regarding heath exploitation there been a ton of techniques being published like from 2005 house of spirit house of forces you know allow you to get a chunk anywhere in memory and the death started patching most of them but the research is still going on and there are ton of new exploitation techniques coming up like 2016 House of Orange was a challenging hit contour 2017 North House of rabbit we're using a few Asian GTS also so this year I thought maybe I research and find something that's a little more interesting and universally applicable to many different scenarios which is why this is titled a house of Romans so so as I said this technique is
weakness we just use a seed or partial overwrites to achieve a complete RCE on vine leaves are compared with pi/2 like we only know where that text section is so we can drop and the best part is the sword is not need to send us any data back so even if SCDF was closed we could still get a show and I demonstrated this technique all over the simple UAF but it seemed to me a pretty severe bug so I thought maybe do it was very simple bug like an off by one or something to demonstrate its versatility and also to use calc and sat on my lap because calop mem set at 0 so it makes it a bit more tricky and tough to perform this but yet it's doable so as I said the work is simple off by one and nothing else so as you can see I just made a simple binary which has three functions maroc writing free there's no print function all it does is basically take aside for malloc and then it marks it and [Music]
you enter a bunch of AIDS and it gets stored on the heap as you can see and it's really like a basic skeleton program so this is like a basic recap of
the of how the algorithm works you feel your chunk gets added to it appropriately ways of itself has been eager to have added to that single list if it's a size greater than 0 X 18 Dido gets control it or gets added to an Solomon fevers or small wing largeman which are double linked list with the FD BK and in this program there is no UF as you can see there pointer and there is no doubt they're not by one and the right function so we can change the size of a chunk and we could overlap with the other neighboring chunks and the skin control fdn BK to perform like various sorts of hip attacks so this is your X
t1 size chunk when you're free you get some of your pointers here these are
actually the arena pointers they point ears main arena which is wipsy simple to complete a double linked list so being sort bin list and as I said the main arena is the Lipsy symbol much like the system I took me mama clock and all of these stuff so it shouldn't rush you know that my luck is pretty close so but I'll talk about that more later on so
okay and this is the sort of like a refresher to the audience for those of you don't know what the inaudible attack does is it allows you to write a particularly busy address to anywhere you want now you can't really control what you want to write but it's the address of main arena more importantly it's like a Lipsy address so and then they're fast when chunk recyclate sends your KD there her point is a store in the mania and also determined by the respective sighs you should flee to chunks of the same size then they are in the same free list and it makes it easy really easy to exploit them because it's a single English so less checks and if you find a particular size alignment for fat man free list which matches the size then it's like game over so so that's why you
see the off by one in action this is sort of like the attack plan so I have these as york's 9121 and do you want to sort of like these chunks melt in the heat nothing fishy here just like I just made a bunch of Alex and my plan is to use the seconds you are sending one to also into also into D is your 21 size chunk and make it something like so X eat one and then of course put a fake site header at plus you are se one so that we do we don't feel any Malaga assertions and we bypass all of them and as you can see with this we overlaps your X only one 21 and your 15 one chunk without your Teague one chunk so we could feed them and we could actually control three chunks [Music] so this is what it looks like this duarte one chunk when we return it for us your key one side it overlaps does your ex only one in 21 and there's a fake site header of 0 x a1 and the one thing that to make sure is that @ + nu x a1 there's a good site like here you can see here there's a mile of 2 or 21 this is really important otherwise you will fail a Malik assertion especially when you try to free it so so now this is you know we
have control of the FD of a Salesman felis so now we need to think where we want to attack so the best way to attack is which I've seen is to find these Lipsy addresses or stack addresses because they you start with Zurich sound F and so we can use this your X 71 free list and make it point to somewhere near this how this works is basically we take ellipse e address and we shifted by 5 bytes so when you shift it and it sort of become like 0 0 0 0 T or 7 F which is a valid size for us you're at 71 fever so you actually form a lock into believing that that is a valid has been finished on the heap and you can the consecutive 0 X only one allegation which actually return you that chunk so just in case you don't understand this
for this is how it works so you take Lipsy address and if you have a null Q word in front of it then you can just shift it and you can see in diagram it just keep shifting shifting shifting on you reference your X on F and the memory that you have to make it point to is something something something 9 ad 0 it becomes something somewhere something 9 85 so that's where you actually make it point [Music]
I chose my locker because my Luke is in a place we're just surrounded by a bunch of lip see our dresses and a bunch of nose if you've ever seen this and I think it's possible if we hope to which I also discussed later with an entire band primitive you can actually get two free hooks and feel gives you more control over our di and your arguments but nonetheless Malikov also works to get a sheriff so I mean you've seen this
in a ton of CTF challenging right I was like point this point EFT there and get it but we don't know the loopsy address so we can't really set it to somewhere near malloc hook so we need to find an address which somewhere punched close to it and then maybe we could do a partial overwrite to it that's like the basic idea is to do a series of four partial all right some the heaps I'm in the Lipsy in order to put a loop C address and in order to get an allocation here malloc hook and get your shell I mean it's all of our partial already because we're assuming that the program did not print any data back [Music]
just to show you like if you have like bacd in one run you found out to gdb and so basically in your script Yokote I'm playing back classic CD and then backlash X a and that capital X would be what you both you can set it to be you could set it to one two three four anything you want that's the thing about to boot so imagine we have the scenario
like I said you have 0 X t1 getting over that bite your t1 and so now I just feel like to 3x only one chunk and the FDU points there and but you see here's where you fool malloc is instead of me and here we make it to somewhere at the top like near that 0 XD one chunk so what we basically do is we tell my love hey after the next Direction t1 think that the fielder's is not down there but it's rather up here and then we use the overlapping we change the size of 2 X T 1 2 T or X n 1 so now we made my opting that that's as york's anyone Junkers of course we just changed size and what's more we even made a thing that the 0 h 7f ff7 at resting exactly an F new pointer to the next your X on your own free list of course it's just a pointer to the main arena but we can do a partial overwrite of lower two bites of this address and make it something like [Music] point close to or above Malik hook and of course the Lord Shri nibbles the law would be the same so we just need to build the one right sitting probability that I talked about before this actually
turned out to be a really big problem because once I all lap in order to get control of that overlap I need to return it if calc is the only way to return it and it will just memset the entire region to zero what that means is basically I'm gonna talk about the
Kellogg bypass I only have found this by looking at the source code of Kellogg during a CTF called rz3 CTF it was a real variations TF so anyways the bypass is that Kellogg if it returns sort of memory that's from M map then they think that it's already zeroed out and it is not the operational mulling it out this is more of efficiency thing because you expect a memory region that will return by M map to be throughout so this is the fact that we exploit is we set the lower nibble of every chunk to T or X F basil basically and map it and we'll make a log believe that this chunk is not part of the heap it's part of an M map segment so Talackova ok I don't need to know it out then and we'll still have the arena pointers there so for example
you have zero it's only one chunk so it's not yours only one now it has to either Excel and F this is cool for fast means but when you come to and sorted bins you have to make sure like if you have like 0 X 9 1 it should be Jurek 9 F but you have to also make sure that you allocate X exactly to your x9f because like you know unsorted chunks have sort of this previous size thing in the honks hello so if you allocate a site less than that then you would have a size conflict because it will check their previous sites rather if you allocate exactly the same size then it will use up the entire sort of in and it won't check the previous size so you'll bypass that check again like this is a
simple demonstration where I think the exploit is this is what it looks like this is what it should look like Dirk's 911 any of the arena pointers is a free chunk and a catalog and ER I get
the same chunk back but as you can see all the memory is not no doubt it's still at the arena pointer so I can partially all right of course you wonder more detail analysis I posted it on my gift gist as part of the solution for that particular challenge in our c3 city so this is the first partial all right
where we have 0s on yon felis and we want to make it point somewhere near malloc hook so we all write the load two
bytes with a boot for the four bits and the next occasion for the extend you won't return the second partial over it
is when you want to make malloc believe that that uxd one chunk that we are forging is actually part of this your own free list and to do that you need to use of already made your own free list and make it point to the txt one free list and for that you need to do a partial alright in the heap so like for example I have a pointer here to 1 3 9 8 1 9 0 and but instead I need to make it point one three nine eight one one zero the one which I just over wrote with the pointer to model cook so now Malik thinks after the one three nine eight to d0 the next chunk in the free list is one three nine 8.10 which a is a zero HD one chunk which I change aside and be points tomorrow cook [Music] of course even after you reach malloc
hook we can't drop we can do stack pivoting we can build up change on heap we don't really know that and we can week so so here's the third part while writing and Lipsy address and malloc hook itself so the third step in our tack vector is to do an insertable attakmalac hook so this is a freed and solid bin list the FD NBK both point to main arena because there's only one and we overwrite it with actually partially overwrite the lower two bytes again with the address of Morocco - you x1 0 so you don't even need to boot this time because if you already booted the address to malloc now we're down to the
fourth and final partial all right right which is we have a loop C address and Malik hook and we have a chunk close to it so now all we need to do is partial override the Lipsy address that with your short on metal hook and make it so data points to system or the magic gadget or any flip c function that want to call so of course this is what it
looked like before malikova 0 after it look like the address of main arena of course if you try to malloc here then what we'll do is we'll think the main arena is an address and it will try to execute shellcode a stair which of course it will make crash so you got to do the partial overwrite and then call malloc the best way to trigger shell is basically to use the magic gadget and then trigger a double free which sets of the and correctly fulfills the statement range required to call the magic gadget appropriately [Music] was that as awkward for you guys as it was for me because it was real awkward for me thank you all for staying and how about that for the people that came in and we're probably very confused let's give I guess powerpoints and three clicks for no apparent reason to advance a slide a big round of applause [Applause]
Feedback