- Stack smashes
- Control of EIP (RET instruction)
- E.g. strcpy(), gets(), sprintf()
- Easy peasy

2nd Generation Exploits
- Off-by-one
- Control of EIP (RET instruction)
- E.g. strncat(), strncpy()
- No EIP control, EBP manipulation
- Hard to find in nature

3rd Generation Exploits
- Format strings, heap structure
- E.g. printf(), malloc(), free()
- Sometimes trivial to spot
- No register control

https://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt
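The off-by-one class listed under 2nd Generation Exploits, as an added example that is not from the original slides: strncat() always writes a terminating NUL after the n bytes it appends, so passing the remaining space without subtracting 1 puts one byte past the buffer. The 16-byte logical buffer, the canary value and the function name append_and_check are assumptions made for this illustration; the buffer sits at the start of a larger arena so the stray byte stays inside memory the program owns.

```c
#include <stdio.h>
#include <string.h>

#define LOGICAL 16    /* size the programmer believes the buffer has */
#define CANARY  0xAA  /* fills the arena, including the byte past the buffer */

/* Append src to a LOGICAL-byte buffer placed at the start of a larger arena.
 * Returns 1 if the byte just past the logical buffer was modified, else 0.
 * In a real stack frame that adjacent byte could be the low byte of a saved
 * frame pointer, which is the "EBP manipulation" case on the slide. */
static int append_and_check(int hardened, const char *prefix, const char *src)
{
    unsigned char arena[LOGICAL * 2];
    char *buf = (char *)arena;
    size_t room;

    memset(arena, CANARY, sizeof(arena));
    snprintf(buf, LOGICAL, "%s", prefix);   /* bounded, always NUL-terminated */

    if (hardened)
        room = LOGICAL - strlen(buf) - 1;   /* reserve one byte for the NUL */
    else
        room = LOGICAL - strlen(buf);       /* bug: strncat adds a NUL on top */

    strncat(buf, src, room);                /* writes up to room bytes + NUL */
    return arena[LOGICAL] != CANARY;
}

int main(void)
{
    /* Constructed sample input: longer than the space left in the buffer. */
    const char *input = "AAAAAAAAAAAAAAAAAAAA";

    printf("off-by-one bound: adjacent byte modified = %d\n",
           append_and_check(0, "GET ", input));
    printf("corrected bound:  adjacent byte modified = %d\n",
           append_and_check(1, "GET ", input));
    return 0;
}
```

The faulty bound only misbehaves when the input is long enough to fill the buffer exactly, which is why this class is hard to find with ordinary testing.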
Past Exploitation Development

chain vulnerability with Adobe Flash.
Full Code Execution: Exploitation was trivial to achieve.
ROP + Info Leak: Create a ROP chain using a UAF vulnerability in the browser, chained with Adobe Flash. ASLR bypass required, using the info leak method.
not made any changes, using old framework, etc.
Vulnerability Classes: Vulnerability types and classes still exist.
Patching: Patches introduced new vulnerabilities.
Exploitation: Exploitation is getting more complex and requires a chain of vulnerabilities.
Vulnerability Classes Killer

Memory Garbage Collection (MemGC): Focuses on the DOM engine and turns UAF in the DOM non-exploitable.
Type Confusion Protection: Additional checks to eliminate recurring bad casts and wrong branching on CTreePos.

- Stack corruption essentially eliminated
- Use-After-Free attacks decreased
- Rise of Out-of-Bounds, DLL Planting and Type Confusion

https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf
Current Exploitation Development

info leak, it needs to turn to type confusion. For some cases it doesn’t need to do so.
Type Confusion: Usually used as part of a vulnerability chain.
Information Leak: To bypass ASLR, an information leak is needed. This helps make the exploit reliable.
Full Code Execution: Achieve full code execution (including remote) with full mitigation bypasses.
Sandbox & Mitigation Bypass: Current mitigations in Windows require a chain of multiple bypasses, including CFG and ACG.
Flash Player ActiveX (184.108.40.206)
• Responsible disclosure to vendor (Adobe)
• Integer overflow in ActiveX turns into a NULL pointer
  ◦ Adobe failed to set the Kill Bit in the registry by default
• Exploit attempt failed
  ◦ Due to memory safety mitigation
Second stack for the program, used for control transfer operations
  ◦ Separate from the data stack; can be enabled for operation in user mode or supervisor mode
  ◦ Protects return addresses and defends against ROP
➢ Indirect Branch Tracking (bypass?)
  ◦ New instruction named ENDBRANCH, used to mark valid indirect CALL/JMP targets in the program
  ◦ Protects free branches against JOP / COP
https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
our slide
• NanoSec crew
• Haroon Meer, BlackHat 2010 paper on memory corruption history
  ◦ https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf
• ...and many papers that we used as references :)
• Ping us on Telegram (OWASP Malaysia) if you want to talk about exploitation and reverse engineering.