Hacking Windows Internals
Transcript of Hacking Windows Internals
-
8/12/2019 Hacking Windows Internals
1/31
-
8/12/2019 Hacking Windows Internals
2/31
www.appsecinc.com
Hacking Shared Sections
Shared Section definitionUsing Shared SectionsTools
ProblemsSearching for holesExploitation
ConclusionsReferences
-
8/12/2019 Hacking Windows Internals
3/31
-
8/12/2019 Hacking Windows Internals
4/31www.appsecinc.com
Using Shared Sections
Loading binary images by OS.Process creation.Dll loading.
Mapping kernel mode memory into user address space !?.Used to avoid kernel transitions.
Sharing data between processes.GDI and GUI data, pointers !?, counters, any data.
-
8/12/2019 Hacking Windows Internals
5/31www.appsecinc.com
Using Shared Sections
Creating a shared section
HANDLE CreateFileMapping (HANDLE hFile, // handle to file ( file mapping )
//or 0xFFFFFFFF ( shared memory )LPSECURITY_ATTRIBUTES lpAttributes, // securityDWORD flProtect, // protectionDWORD dwMaximumSizeHigh, // high-order DWORD of sizeDWORD dwMaximumSizeLow, // low-order DWORD of size
LPCTSTR lpName // object name ( named )//or NULL ( unnamed ));//returns a shared section handle
-
8/12/2019 Hacking Windows Internals
6/31
www.appsecinc.com
Using Shared Sections
Opening an existing shared section
HANDLE OpenFileMapping (DWORD dwDesiredAccess , // access mode ( FILE_MAP_WRITE
// FILE_MAP_READ , etc.)BOOL bInheritHandle, // inherit flagLPCTSTR lpName // shared section name
);//returns a shared section handle
-
8/12/2019 Hacking Windows Internals
7/31
www.appsecinc.com
Using Shared Sections
Mapping a shared section
LPVOID MapViewOfFile (HANDLE hFileMappingObject , // handle to created/opened
// shared section
DWORD dwDesiredAccess , // access mode( FILE_MAP_WRITE// FILE_MAP_READ , etc.)
DWORD dwFileOffsetHigh, // high-order DWORD of offsetDWORD dwFileOffsetLow, // low-order DWORD of offsetSIZE_T dwNumberOfBytesToMap // number of bytes to map
); // returns a pointer to begining of shared section memory
-
8/12/2019 Hacking Windows Internals
8/31
www.appsecinc.com
Using Shared Sections
Ntdll.dll Native API
NtCreateSection() Creates a new sectionNtOpenSection() Opens an existing sectionNtMapViewOfSection() Map a section on memoryNtUnmapViewOfSection() Unmap a section from memoryNtQuerySection() Returns section sizeNtExtendSection() Change section size
-
8/12/2019 Hacking Windows Internals
9/31
www.appsecinc.com
Using Shared Sections
Mapping unnamed Shared Sections.
OpenProcess(PROCESS_DUP_HANDLE,...)DuplicateHandle(...)MapViewOfFile(...)
Need permissions on target process
-
8/12/2019 Hacking Windows Internals
10/31
-
8/12/2019 Hacking Windows Internals
11/31
www.appsecinc.com
Tools
Process Explorer Shows information about processes (dlls, handles, etc.).
WinObjShows Object Manager Namespace information (objectsinfo, permissions, etc.)
ListSSLists Shared Sections names (local and TS sessions).
DumpSSDumps Shared Section data.
TestSSOverwrites Shared Section data (to detect bugs)
-
8/12/2019 Hacking Windows Internals
12/31
-
8/12/2019 Hacking Windows Internals
13/31
www.appsecinc.com
Problems
Input validation
Applications don't perform data validation before using thedata.Processes trust data on shared sections.
-
8/12/2019 Hacking Windows Internals
14/31
-
8/12/2019 Hacking Windows Internals
15/31
www.appsecinc.com
Problems
Weak permissionsDemo
-
8/12/2019 Hacking Windows Internals
16/31
www.appsecinc.com
Problems
Synchronization
Not built-in synchronization.Synchronization must be done by processes in order tonot corrupt data.There isn't a mechanism to force processes tosynchronize or to block shared section access.
Any process (with proper rights) can alter a sharedsection data while another process is using it.
-
8/12/2019 Hacking Windows Internals
17/31
www.appsecinc.com
Problems
Synchronization
Communication between Process A and B
Process
A
ProcessB
ProcessC
SharedSection
2- Writedata.
3- Dataready.
4- Replacedata.
5- Read data.
1- Send medata.
-
8/12/2019 Hacking Windows Internals
18/31
www.appsecinc.com
Searching for holes
Look for shared sections using Process Explorer orListSS.
Attach a process using the shared section to adebugger.
Run TestSS on shared section.Interact with process in order to make it use(read/write) the shared section.
Look at debugger for crashes :).
-
8/12/2019 Hacking Windows Internals
19/31
www.appsecinc.com
Searching for holes
Demo
-
8/12/2019 Hacking Windows Internals
20/31
www.appsecinc.com
Exploitation
Elevating privileges.Reading data.
Altering data.Shared section exploits.
Using shared sections on virus/rootkits/ etc.
-
8/12/2019 Hacking Windows Internals
21/31
www.appsecinc.com
Exploitation
Reading data.From high privileged processes (services).From local logged on user processes, services and othersessions on Terminal Services.This leads to unauthorized access to data.
-
8/12/2019 Hacking Windows Internals
22/31
www.appsecinc.com
Exploitation
Reading data.Reading Internet Explorer cookies and history information.(Demo)
-
8/12/2019 Hacking Windows Internals
23/31
www.appsecinc.com
Exploitation
Altering data.On high privileged processes (services).On local logged on user processes, services and othersessions on Terminal Services.This leads to arbitrary code execution, unauthorized
access, processes or kernel crashing (DOS).
-
8/12/2019 Hacking Windows Internals
24/31
www.appsecinc.com
Exploitation
Altering data.IIS 5 DOS. (Demo)
-
8/12/2019 Hacking Windows Internals
25/31
www.appsecinc.com
Exploitation
Shared section exploits.When overwriting shared section data allow us to takecontrol of code execution.Some shared sections start addresses are pretty static onsame OS and Service Pack.
Put shellcode on shared section.Build exploit to jump to shellcode on shared section atstatic location.
-
8/12/2019 Hacking Windows Internals
26/31
www.appsecinc.com
Exploitation
Shared section exploits.MS05-012 - COM Structured Storage Vulnerability
Exploit (Demo)
-
8/12/2019 Hacking Windows Internals
27/31
www.appsecinc.com
Exploitation
Using shared sections on virus/rootkits/etc.Some shared sections are used by many processes
(InternatSHData used for Language Settings) others are used byall processes :).Write code to shared section and the code will be instantly mappedon processes memory and also on new created processes.Use SetThreadContext() or CreateRemoteThread() to startexecuting code.Similar to WriteProcessMemory() - SetThreadContext() techniqueor DLL Injection.
-
8/12/2019 Hacking Windows Internals
28/31
www.appsecinc.com
Exploitation
Using shared sections on virus/rootkits/etc.Some shared sections have execute access.
It would be possible to avoid WinXP sp2 NX .
-
8/12/2019 Hacking Windows Internals
29/31
-
8/12/2019 Hacking Windows Internals
30/31
www.appsecinc.com
References
MSDNProgramming Applications for MS Windows - FourthEditionProcess Explorer ( www.sysinternals.com )
WinObj ( www.sysinternals.com )Rattle - Using Process Infection to Bypass WindowsSoftware Firewalls (PHRACK #62)
Crazylord - Playing with Windows /dev/(k)mem(PHRACK #59)
-
8/12/2019 Hacking Windows Internals
31/31
Click to edit Master title style
Click to edit Master subtitle style
Briefing for:
FIN
Questions? Thanks. Contact: sqlsec>atdot