this is v0.1 of this post and in this post i’m going to have a review and brief history on exploitation with focus on windows .
this post will be done III part :
- part I : brief history of buffer overflow
- part II : history of windows exploitation from windows 2000 to windows 7
- part III : feature of exploitation
Part I : brief history of buffer overflow
Starring : Robert morris , Aleph_one , Solar designer , Matt Conover , Casper Dik
it’s been long time after :
morris worm in 1988 (first known computer worm that used a buffer overflow to attack)
so he start taking about detailed strcpy exploitation :
Matt Conover wrote first detailed heap overflow tutorial in 1999 heap tut
and solar designer wrote first generic heap exploit on windows netscape exploit
at that times because of really low OS memory protections and also low application specific protections (can also called CPU and compilers problem !) , a poor input validation and an insecure memory copy was enough to corrupting memory (mostly in stack area) and overwriting a function return address and getting control of instruction pointer (IP , EIP) and then by storing malicious code (called shellcode) and using a pointer (mostly stack pointer (ESP)) execution flow can be change and pointer to attacker malicious (or educational ;) ) code.
so OS developers and security guys had to think about memory protections and casper dik in nov 1996 wrote a kernel run-time patch to implement non-executable-stacks for Solaris 2.4 to 2.5.1 http://seclists.org/bugtraq/1996/Nov/57
and later solar designer released same thing to remove executable permission for stack on the linux here
and around ~2000 solar designer made return-to-libc attacks to return in executable page and functions in memory for bypassing non-executable memory. the basic idea was after controlling executing flow return to some function like system() and executing a single command or …. but there was a problem and the attacker was limit in payload selection and can’t use advanced payloads .
so around ~2000 we had :
- basic / intermediate stack overflows
- basic heap overflows
- basic / intermediate format strings (killed so soon !)
- basic memory protections
- basic bypass memory protections
- also some other type of memory corruptions (not so general)
part II : history of windows exploitation from windows 2000 to windows 7
Starring : Alexander Sotirov , Mark Dowd , John McDonald, Chris Valasek , Chris Anley , Brett Moore , David litchfield , Nicolas Waisman , Dave Aitel , Halvar Flake , Cesar Cerrudo , Matt Miller , ken johnson , S.K Chong , Dionysus Blazakis , hd moore , FlashSky , Ruben Santamarta .
welcome to windows world !
i wanna start from windows 2000 final version of NT family because i think older windows are not interesting enough to talk about .
exploit developers golden age : microsoft was is supporting and making money from windows 2k and unfortunately forgot protect you from buffer overflow attacks . so old and classic attacks works like a charm and just maybe in some case we saw very complex and smart vulnerabilities but exploitation by itself was not that hard (maybe just some application specific filters / protections )
so because of that poor protection we saw great worms like :
blaster worm one of historic worms ever that used a RPC vuln for attack and fixed in http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
and maybe you can remember : “billy gates why do you make this possible ? Stop making money and fix your software!! “
and this cool picture :
slammer worm a great and fast worm that used an SQL Server buffer overflow for attack. that fixed after 6 month !!! in :
sasser worm another great worm that used lsass remote overflow vulnerability and fixed in: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
but there is a question these worms targeted windows XP and 2003 as well too ? yes !
because microsoft did that great job in windows XP service pack 0 and 1 as well as windows 2003 service pack 0.
also we had lots of great and reliable exploits like :
DCOM RCP Exploit here by flashsky (xfocus guy)
MS Windows (RPC DCOM) Remote Exploit here by hd moore
Great Kill Bill exploit here (targeting ANS.1) by Alexander Sotirov
MS Windows Plug-and-Play here by sl0ppy and houseofdabus and others .
also some GUI tools for easy exploitation for those even don’t know how they can compile and run an exploit like : RPC GUI v2 – r3L4x.exe
but why we had lots of juicy and clicky – clicky exploits ? there is two main reasons :
1- poor generic OS / application layer memory protection
2- cool generic public memory exploitation related researches
classic windows stack overflows
lots of great and detailed papers in this area i just wanna link a few of them :
1- Win32 Buffer Overflows (Location, Exploitation and Prevention) by dark spyrit in 1999
2- S.K Chong Win32 Stack Based Buffer Overflow Walkthrough in july 2002
3- Nish Bhalla’s series on Writing Stack Based Overflows on Windows in 2005
if i want to have brief description of them they all are talking about finding a reliable return address in a reliable Dynamic Linked Library (MOST in OS DLL’s kernel32.dll ntdll.dll shell32.dll user32.dll and … ) and then after overwriting a function return address by sending big value to not good checked input variable and getting program execution flow redirect that flow to address in DLL that address is mostly JMP / call / PUSH ESP (stack pointer) or EBP (base pointer) because most of time in classic stack overflow attacker store her / his malicious code in the stack and a JMP / CALL / PUSH ESP RET will lead his / her to jump to start of shellcode .thats all!
classic windows heap overflows
1 – Third Generation Exploitation smashing heap on 2k by halvar Flake in 2002
2- Exploiting the MSRPC Heap Overflow two part by Dave Aitel (MS03-026) sep 2003
3- david litchfield did a great detailed penetration in black hat 2004
if i want to have brief description of them they all are talking about exploiting unlink macro and using write4 (where + what) and actually ability of writing 4byte (32bit ) of selected address in memory by using specific function pointers like :
- TEB Exception Handler
- Application specific function pointer
kernel based Windows overflows (not so classic)
because of Inexorability of this type of attacks i want to share all of most notable history in this area here : (note that i will back to heap and stack with protections after in it)
First noticeable whitepaper that stated how to attack kernel based vulns on
windows was done by a Polish group called “sec-labs” around 2003 .
sec-lab old whitepaper : http://www.artofhacking.com/tucops/hack/windows/live/aoh_win32dcv.htm
sec-lab old exploit : http://www.securityfocus.com/bid/8329/info
(thanks Piotr Bania !)
1- Windows Local Kernel Exploitation by S.K Chong in 2004 (based on sec-lab research)
2-Windows interrupt context kernel overflow exploit BY FLASHSKY in 2004
3- How to exploit Windows kernel memory pool in 2005 by SoBeIt
4- in 2005 eeye security published great paper about exploiting remote kernel overflows in windows
5- later in 2005 matt miller published great article called Kernel-mode Payloads on Windows in uninformed
6- in 2006 johny cache hd moore and matt miller released Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
7- in 2007 Jonathan Lindsay published and did a presentation in BH US 2007 called Attacking the Windows Kernel
8- same in BH US 2007 Yuriy Bulygin did a peresentiation called Remote and Local Exploitation of Network Drivers
9- in 2007 also Ruben Santamarta wrote Exploiting Comon Flaws In Drivers
10- in 2008 Justin Seitz wrote a paper and called I2OMGMT Driver Impersonation Attack
in that paper Justin talked about new type of kernel attacks and about i2OMGMT bug that founded by ruben.
11- later in 2008 Kostya Kortchinsky did a presentation called Real World Kernel Pool Exploitation
in that presentation kostya talked about how he wrote exploit for ms08-001 (Microsoft marked it as not-exploitable !)
12- later in 2008 Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8
- artice :
- poc 2k3:
- poc 2k8:
13- again later in 2008 mxtone wrote a paper called Analyzing local privilege escalations in win32k
in that paper he analyzed vulnerabilities and exploitation vector of win32k driver .
14- in ucon 2009 Stephen A. Ridley did a presentation called Intro to Windows Kernel Security Development
download it here
15- Tavis Ormandy, Julien Tinnes and great presentation called There’s a party at ring0 and you’re invited
16- in January 2010 Matthew “j00ru” Jurczyk and Gynvael Coldwind, Hispasec wrote a detailed paper called GDT and LDT in Windows kernel vulnerability exploitation.
in that paper they describes some possible ways of exploiting kernel-mode write-what-where vulnerabilities in a stable manner
17- later they did a presentation called Case Study of Recent Windows Vulnerabilities in HITB 2010
Windows memory protections !
due to lots of generic exploitation methods as well as lots of worms ! Microsoft decided to use of memory protections in hardware and software layer. so from windows XP SP2 (Windows XP Tablet PC Edition 2005) , Windows Server 2003 Service Pack 1 (OS level) and from visual studio 2003 (compiler level) added lots of memory protections functionality.
here i’m going to have brief history of them and then i will introduce great researchers and their research against memory protections .
1- Data Execution Prevention (DEP)
DEP is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.
hardware-enforced DEP for CPUs that can mark memory pages as non-executable, and software-enforced DEP with a limited prevention for CPUs that do not have hardware support.
in windows XP SP2 and windows 2003 sp1 and sp2 you can get access on DEP setting by editing boot.ini in noexecute section.
there is four options :
1- OptIn : DEP only will work for all of windows services as well as necessary programs.
2- OptOut: DEP will work for all of windows services as well as all of 3d-party installed program but you can add some process as exception from controll panel.
3- AlwaysOn : fully protected by DEP no exception is acceptable.
4- AlwaysOff : Go to hell DEP , turns DEP off .
most of CPUs those are made after 2004 (AMD , Intel) can support hardware DEP.
read more on DEP : http://support.microsoft.com/kb/875352
/GS (Buffer Security Check)
GS (a.k.a stack cookie) is a compiler option that added from visual studio 2003 and will detects some buffer overruns that overwrite the return address, a common technique for exploiting code that does not enforce buffer size restrictions. This is achieved by injecting security checks into the compiled code.
so by using /GS flag compiler will add __security_init_cookie() function to your program and each time you want to overwrite a function return address you actually overwrite cookie as well and so comparison of cookie will fall so process will be terminate and you can’t use your return address.
for more detail read : http://msdn.microsoft.com/en-us/library/Aa290051
a linked option also system functionality added in visual studio 2005. when a program is linked with /SAFESEH in header of file will be contain of a acceptable Exception Handler Table. so each time an exception occurs and attacker wants overwrite a record from exception handler the ntdll dispatcher will understand this and will terminate program execution.
for more detail read : http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx
for more detail read : here
used in most modern windows operation systems like 2008 and 7 . the idea beyond this new mitigation comes from matt miller article called Preventing the Exploitation of SEH Overwrites. for detailed explanation of this protection just read flowing link :
Microsoft also introduce to some new heap protections like heap meta cookie , safe unlinking , and in newer systems (after vista) function pointer obfuscation and so on …
Advanced Windows Exploitation (bypassing filter and protections )
after 2005 exploitation getting harder and harder and number of public and “white-hat” hackers who can made a reliable multi platform exploit for modern windows OS was not too much.
in this section i want to have review on most important and noticeable researches against protections.
1- Third Generation Exploitation smashing heap on 2k by halvar Flake in 2002
windows 2k heap exploitation.
2- chris anley wrote Creating Arbitrary Shellcode In Unicode Expanded Strings
this was first public article about unicode based shellcode and is also known as “Venetian” shellcode. the method explained in this paper was good enough to making poor ASCII shellcodes .
3- Dave aitel advanced windows exploitation in 2003
in that talk dave talked about no so typical windows exploitation and start making game more advanced .
4- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by david litchfield
this paper actually was first detailed paper about abusing SEH (structured exception handler) and the generic way to bypass /GS and also write not lots of public exploit are using this method for exploitation so it also can called one of most important research in windows exploitation history.
5- reliable heap exploits (matt Conover in cansecwest 2004 ) and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)
i think that was one of most important heap related research in history of windows exploitation a great and gentle introduction to overwrite a chunk on lookaside list for bypassing safe unlinking and also give lots of great information about windows heap manager internals .
6- later in 2004 matt miller wrote an article Safely Searching Process Virtual Address Space
this article was first great and public article about using egg-hunter shellcode and it’s about when we have limited memory space for our shellcode and we can store our big and main shellcode some-where in memory. this can be also called practical introduction to search shellcodes .
7- later in 2004 skylined wrote on IE exploit and used a technology called Heap Spray
heap spray is one of most important technologies even in modern exploitation and it’s about code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’ heap and fill the bytes in these blocks with the right values. They commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run.
for a few years heap spray was just used in java script and mostly in browsers but today modern attackers are using anything possible to allocate more heap for sparing . like action script , silver light , bmp files and … and not just in browsers ! from my point of view heap spray is like cheating in modern exploitation !
8- bypassing hardware-enforced DEP skape (matt miller) Skywing (ken johnson) (in October 2005)
yay ! they finally did it . hardware enforced DEP bypassed by using a return to libc style attack . in simple explanation the problem was in not CPU the problem and weakness was in windows related API that was used for setting DEP for various process. and the API was NtSetInformationProcess. but there was some simple problem in that article like they forget talk about it we need to to have EBP always writable.
9- Exploiting Freelist On XP Service Pack 2 by brett moore (dec 2005)
this is was another great example of bypassing heap protections by using Freelist and really useful is some case .
10 - later in 2005 matt miller published great article called Kernel-mode Payloads on Windows in uninformed
this article was great article for porting exploits to kernel-land.
11- in 2006 johny cache hd moore and matt miller released Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
good example of real-world driver exploitation.
12- in 2007 Ruben Santamarta wrote Exploiting Comon Flaws In Drivers
note that before ruben we can find lots of great research about this topic but ruben makes it different . he made a tool that called kartoffel which is a great driver fuzzer for finding IOCTL vulnerabilities in drivers. but kartoffel was not main reason to make it different.
after he wrote kartofell and published lots of detailed advisories in various vendor drivers , windows driver exploitation got speed and changed to one of focusable area in exploitation .
notable improvements to skylined heap spray technology . heap spray was good but blind and not so reliable is some case. Heap Feng Shui is great research about doing advanced FU in heap (heap manipulation) it will lead you to have more control on heap.
14- Understanding and bypassing Windows Heap Protection by Nicolas Waisman (2007)
nico is one of a few guys that focused on windows heap he also developed immunity debugger heaplib and did lots of great heap related researches. he is one of world leading heap !
15- Heaps About Heaps by brett moore (in 2008)
that was one of most complete researches about heap. yes that is just a few slides but great hint if you want do something on heap !
16- Bypassing browser memory protections in Windows Vista by Mark Dowd and Alex Sotirov (in 2008)
one of most greatest exploitation related research with a focus on bypassing browsers memory protections in vista .
great generic .net shellcode trick (loading a .net dll and use shellcode in it), java spraying , deep into combined protections and great ways to bypassing them.
17 – Attacking the Vista Heap by ben hawkes (in 2008)
great research about vista heap internals and some ways to bypassing vista heap protections.
18- Return oriented programming Exploitation without Code Injection by Hovav Shacham (and others ) (in 2008)
not a so new technology. it’s just our old code reuse ! but with great official introduction he call it Return-Oriented-Programming (now known as ROP ). this technology is great to bypass permanent DEP (vista / 7 / 2008) (because you can’t use return-to-libc style attack anymore)
19- Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 (2008)
20- Defeating DEP Immunity Way by Pablo sole (2008)
first automation of ROP . thats it ;)
21- Practical Windows XP2003 Heap Exploitation (bh 2009) by John McDonald and Chris Valasek.
if you want write a heap exploit for modern OS . you should read this one . most complete heap related article .
22- Bypassing SEHOP by Stefan Le Berre Damien Cauquil (in 2009)
cool and good research ! but ALSR will make it not so useful because SEHOP = SEHOP + ASLR
23- Interpreter Exploitation : Pointer Inference and JIT Spraying by Dionysus Blazakis (2010)
Great ! exploitation is still alive . generic exploitation method for bypassing DEP and ASLR together . if you read and understand it you can write lots of exploits for windows 7 !
24- write-up of Pwn2Own 2010 by Peter Vreugdenhil (2010)
a great and short article about how to own DEP+ASLR without any 3rd-party plugin
(used two vulnerability and toke around 4 minutes)
25- ruben santamarta all in one 0day presented in rootedCON (2010)
some great idea for bypassing IE XSS Filter and protected mod not exploitation specific but it’s great for being combined with other exploitation methods .
history of some not so typical windows exploits:
in this section i’m going to archive some of interesting exploits i saw you can learn lots of things from them !
1- one of first real-world HW-DEP bypass Exploit by devcode : here
2- bypassing DEP by returning into HeapCreate by toto : here
3- first public ASLR bypass exploit by using partial overwrite by skape (matt miller) : here
4- heap spray and bypassing DEP by skylined : here
5- first public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability : here (is this case ASLR bypass is possible !)
6- exploit codes of bypassing browsers memory protections : here
8- Tavis Ormandy KiTra0d an exploit works from win 3.1 to win 7 . PoC here (metasploit updated module works more interesting !)
9- old ms08-067 metasploit module multi-target and DEP bypass PoC here
10- PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass (using ROP and Brute Forcing ASLR) PoC here
11- Stephen Fewer SMBv2 Exploit . PoC here
note 2: i saw lots of other great and advanced exploits in commercial packages . (they are commercial so forget them ;) )
history of related windows exploitation books !
in this section i’m going to archive some books about windows exploitation.
1- Exploiting Software How to Break Code By (Greg Hoglund, Gary McGraw)
3- Buffer Overflow Attacks: Detect, Exploit, Prevent (by James C. Foster)
4- Windows Internals (by Mark Russinovich , David A. Solomon, Alex Ionescu)
5- The Shellcoders Handbook Discovering and Exploiting Security
(by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, and Riley Hassell)
6- Software Vulnerability Guide ( by HERBERT H. THOMPSON , SCOTT G. CHASE)
7- ADVANCED WINDOWS DEBUGGING (by Mario Heward , Daniel Pravat)
8- Reversing: Secrets of Reverse Engineering
9- great step by step exploit writing tutorials by my friend Peter Van Eeckhoutte :
- Exploit writting tutorial part 1:Stack Based Overflows – here
- Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – here
- Exploit writting tutorial part 3: SEH Based Exploits – here
- Exploit writting tutorial part 3b: SEH Based Exploits - just another example - here
- Exploit writting tutorial part 4: From Exploit to Metasploit – here
- Exploit writting tutorial part 5: speed up basic exploit development – here
- Exploit writting tutorial part 6: Bypassing GS, SafeSeh, SEHOP, HW DEP and ASLR – here
- Exploit writting tutorial part 7: Unicode – from 0×00410041 to calc – here
- Exploit writting tutorial part 8: Win32 Egg Hunting - here
- Exploit writting tutorial part 9: Introduction to Win32 shellcoding – here
also he wrote a cool immunity debugger PyCommand called PveFindAddr i think this python script is necessary for speed-up exploit development for newbie or expert exploit developers and i found it so useful , it have some cool features like finding instructions for code reuse and ROP also finding state of memory protections and finding best return address in your situation.
this is not complete lits of exploitation related book / articles list i just listed those had at least one windows specific chapter .
PART III : Future of exploitation
Starring : T.B.A
1- exploitation is not and will not die.
2- just will change and being more harder also won’t be ” just for fun” like before.
3- writing reliable exploits will take time and time == money and now exploit development is acceptable specific job in security area !
4- fame == money as well (also is lovely by itself) . so you will see other great researches in various security fields ;)
5- if you read all of resources exist in post you can be a great exploit developer ; )
PS1 : during writing this post due to lots of links and peoples on it maybe i forgot some notable people / article you can alert me about them just by shahin [at] abysssec.com
PS2 : i wrote this post so fast (and took long time !) i will edit my Misspellings and grammatical in good time.
i need to go and take 0XCC00FFEE .
have fun .