Even the most thoroughly encrypted hard drive with the best-chosen password may fall to a very simple, very low-tech attack employing a hardware keylogger. This paper shows a potential way to defend against these devices.
This paper provides a general introduction to the topic of understanding security vulnerabilities that affect ActiveX controls. A brief description of how ActiveX controls are exposed to Internet Explorer is given along with an analysis of three example ActiveX vulnerabilities that have been previously disclosed.
Sophisticated methods are currently being developed and deployed for mitigating the risk of exploitable bugs. The process of researching and discovering vulnerabilities in modern code will have to change to accommodate this shift in vulnerability mitigations. Code coverage analysis used in conjunction with fuzz testing reveals faults in a binary that either method alone would have left undiscovered. This paper suggests a research method for more effective runtime binary analysis using that combined strategy, and presents empirical evidence that, although bug detection will become increasingly difficult in the future, analysis techniques have an opportunity to evolve intelligently.
Breaking encrypted passwords has been of interest to hackers for a long time, and protecting them has always been one of the biggest security problems operating systems have faced, with Microsoft's Windows being no exception. Due to errors in the design of the password encryption scheme, especially in the LanMan (LM) scheme, Windows has a bad track record in this area of information security. In the last couple of years especially, the ever-growing processing power in the average household, combined with ever-increasing hard disk sizes, has made it crystal clear that the outdated DES algorithm LanMan is based on leaves the scheme not just outdated but antiquated.
This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows.
The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested.
This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute code from regions that are typically non-executable when hardware support is present, such as thread stacks and process heaps. While other techniques have been used to accomplish similar feats, such as returning into NtProtectVirtualMemory, this approach requires no direct reprotecting of memory regions, no copying of arbitrary code to other locations, and does not have issues with NULL bytes. The result is a feasible approach that can be used to easily bypass the enhancements offered by hardware-enforced DEP on Windows in a way that requires very minimal modifications to existing exploits.
Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit authors generally make use of static addresses that may or may not be portable between various operating system and application revisions. This fact can make exploits unreliable depending on how well researched the static addresses were at the time that the exploit was implemented. In some cases, though, it may be possible to predict and make use of certain addresses in memory that do not have static contents. This document introduces the concept of temporal addresses and describes how they can be used, under certain circumstances, to make exploitation more reliable.
This article was posted to volume 1 of the uninformed journal under the Engineering in Reverse column:
During the course of this paper the reader will be (re)introduced to many concepts and tools essential to understanding and controlling native Win32 applications through the eyes of Windows Debugger (WinDBG). Throughout, WinMine will be utilized as a vehicle to deliver and demonstrate the functionality provided by WinDBG and how this functionality can be harnessed to aid the reader in reverse engineering native Win32 applications. Topics covered include an introductory look at IA-32 assembly, register significance, memory protection, stack usage, various WinDBG commands, call stacks, endianness, and portions of the Windows API. Knowledge gleaned will be used to develop an application designed to reveal and/or remove bombs from the WinMine playing grid.
This paper is part of the Uninformed Journal.
Malicious code is so common on today's Internet that it seems impossible for an average user to keep his or her system clean. It is estimated that several hundred thousand machines are infected with trojans and abused in a variety of ways, including theft of money and confidential data, extortion, and spam. Most often the infected hosts are linked into simple botnets to provide an easy way for the botnet manager to command his zombie army. This article describes ways to form far more effective networks than the ones in use today by means of stealth, deception, and cryptography.
This article was posted to volume 1 of the uninformed journal under the What Were They Thinking column:
This installment of What Were They Thinking illustrates some of the annoyances that can arise when developing software that has to inter-operate with third-party applications. Two such cases are dissected and discussed in detail to show how third-party applications can fail when used alongside software that performs certain tasks. The analysis of the two cases is meant to show how complex failure conditions can be analyzed and used to pin down inter-operability problems.
When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound filters that may be in place on the target machine's network. Bypassing these filters involves creating a post-exploitation payload that is capable of masquerading as normal user traffic from within the context of a trusted process. One method of accomplishing this is to create a payload that enables ActiveX controls by modifying Internet Explorer's zone restrictions. With ActiveX controls enabled, the payload can then launch a hidden instance of Internet Explorer that is pointed at a URL with an embedded ActiveX control. The end result is the ability for an attacker to run custom code in the form of a DLL on a target machine by using a trusted process that uses one or more trusted communication protocols, such as HTTP or DNS.
This paper discusses the Meterpreter, short for The Meta-Interpreter, which is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.
These are the slides which were prepared for my talk at toorcon 2004 in San Diego, CA.
Hooking the Linux ELF Loader takes a look at the linking and loading functionality in Linux with a focus on the kernel's ELF loading process. The key structures and optimal hooking points are discussed as ways for adding functionality to the ELF loader.
Some example code demonstrating hooking the ELF loader in kernel space is available in the code section, including a module that adds MD5-based binary integrity checking and a kernel-resident ELF virus injector.
This paper was co-authored by myself and Peter Silberman and was accepted by Blackhat and Defcon as a conference topic. The slides and paper may be found at the supplied link.
In the world of information security, buffer overflows remain the leading cause of software vulnerabilities. In recent years, the industry has seen an elevated rate of exploitation of these vulnerabilities due to readily available worm generation software and mass exploitation toolkits. This increasing exposure to buffer overflow attacks requires a technological solution that applies a protective layer against automated exploitation attempts.
This paper will examine two approaches to applying generic protection against buffer overflow attacks and critique the effectiveness of the buffer overflow protection mechanisms available on the Linux and Microsoft Windows platforms. The analysis of each technology explains how the protection mechanism has been implemented and how effective it is against automated attacks as well as targeted attacks that specifically try to circumvent that protection method. Finally, a matrix is presented that defines each technology's ability to protect against multiple classes of buffer overflow attacks, including format strings, stack overflows, and heap overflows.
A problem that is sometimes encountered when implementing an exploit is that the buffer size left over for shellcode after successful exploitation is not large enough to throw in your typical bind shell or reverse shell payload. Instead, a smaller payload can be used to search process memory for a large payload that can be tucked away somewhere else prior to exploitation. This paper discusses multiple implementations of this type of memory searching payload on both Windows and Linux and attempts to outline some of the optimizations that were made along the way.
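The following is an added example written for this page, not code from the paper or from any payload it describes: a user-space analogue of the memory-searching payload, for Linux only, assuming /proc is mounted. It stashes a "large" payload behind an 8-byte egg on the heap, then walks /proc/self/maps and reads every readable mapping through /proc/self/mem, so a page the kernel will not hand over produces an error return instead of a fault. That stands in for what a real payload, with no libc to lean on, has to do with a system call whose error return (rather than a crash) tells it whether an address is mapped before it touches it. The tag value and the payload text are constructed sample data.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Four-byte tag (constructed sample value).  The egg in memory is the tag
 * written twice, so the hunter's own single copy of TAG in .rodata never
 * matches the eight-byte egg it is looking for. */
static const char TAG[4] = { 'w', '0', '0', 't' };
#define EGG_LEN 8

/* Scratch buffer for reads; lives in .bss.  Successive reads overlap by
 * EGG_LEN - 1 bytes so an egg straddling two reads is still found. */
static unsigned char chunk[64 * 1024];

static int is_egg(const unsigned char *p)
{
    return memcmp(p, TAG, 4) == 0 && memcmp(p + 4, TAG, 4) == 0;
}

/* Scan [lo, hi) through /proc/self/mem.  A page the kernel refuses to read
 * gives a short read or an error, never a fault.  Returns the address just
 * past the egg (where the stashed payload starts), or 0 if not found. */
static uintptr_t scan_range(int memfd, uintptr_t lo, uintptr_t hi)
{
    uintptr_t cur = lo;
    while (cur + EGG_LEN <= hi) {
        size_t want = hi - cur;
        if (want > sizeof chunk)
            want = sizeof chunk;
        ssize_t got = pread(memfd, chunk, want, (off_t)cur);
        if (got < EGG_LEN)
            return 0;                   /* unreadable: give up on this mapping */
        for (ssize_t i = 0; i + EGG_LEN <= got; i++)
            if (is_egg(chunk + i))
                return cur + (uintptr_t)i + EGG_LEN;
        if ((size_t)got < want)
            return 0;                   /* short read: rest of mapping unreadable */
        cur += (uintptr_t)got - (EGG_LEN - 1);
    }
    return 0;
}

/* Walk every readable mapping listed in /proc/self/maps. */
static uintptr_t hunt_egg(void)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    int memfd = open("/proc/self/mem", O_RDONLY);
    uintptr_t hit = 0;
    char line[512];

    if (maps && memfd >= 0) {
        while (!hit && fgets(line, sizeof line, maps)) {
            unsigned long lo, hi;
            char perms[5];
            if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3)
                continue;
            if (perms[0] != 'r')        /* not readable: a blind probe would fault */
                continue;
            hit = scan_range(memfd, (uintptr_t)lo, (uintptr_t)hi);
        }
    }
    if (maps) fclose(maps);
    if (memfd >= 0) close(memfd);
    return hit;
}

/* Constructed stand-in for the big payload that did not fit in the
 * overflowed buffer. */
static const char PAYLOAD[] = "stage-two payload (constructed sample data)";

/* Stash the payload behind an egg on the heap, then hunt for it with no
 * knowledge of where it went.  Returns 1 if the hunter lands exactly on it. */
int demo(void)
{
    size_t total = EGG_LEN + sizeof PAYLOAD;
    unsigned char *stash = malloc(total);
    if (!stash)
        return 0;
    memcpy(stash, TAG, 4);
    memcpy(stash + 4, TAG, 4);
    memcpy(stash + EGG_LEN, PAYLOAD, sizeof PAYLOAD);

    uintptr_t hit = hunt_egg();
    int ok = hit == (uintptr_t)(stash + EGG_LEN) &&
             memcmp((const void *)hit, PAYLOAD, sizeof PAYLOAD) == 0;

    memset(stash, 0, total);            /* do not leave a second egg behind */
    free(stash);
    return ok;
}

int main(void)
{
    printf("%s\n", demo() ? "hunter found the stashed payload"
                          : "hunter failed (is /proc mounted?)");
    return 0;
}
```

Build with cc -Wall egghunt.c and run it. Two details carry over to a real payload: the egg is the tag doubled so the searcher never matches the copy of the tag sitting in its own code, and every read goes through something that fails cleanly on an unmapped page rather than dereferencing the address directly.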
This is a paper on blindly killing TCP connections, originally released in 2001. It describes what the attack requires and how to speed it up, for example by making use of the window size. All of a sudden this technique is "hot" and "new" now, 2.5 years later. Seems nologin.org was ahead of its time.
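An added example for this page, not code from the paper: a self-contained simulation of the window-size speed-up. One side is a receiver applying the RFC 793 acceptability rule to a RST (accept it if its sequence number falls inside the receive window); the other is a blind attacker that knows the 4-tuple (assumed) but not the sequence number, and therefore strides through the 32-bit sequence space one window at a time instead of one number at a time. The structure and function names and all the numbers are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The receiver's side of the connection: the two values a blind attacker
 * does not know.  (Names are this example's own, not the paper's.) */
typedef struct {
    uint32_t rcv_nxt;   /* next sequence number the receiver expects */
    uint32_t rcv_wnd;   /* size of the receive window */
    bool     closed;    /* set once an acceptable RST arrives */
} tcb_t;

/* RFC 793 acceptability test for a bare RST: the sequence number must lie
 * in [RCV.NXT, RCV.NXT + RCV.WND).  Unsigned subtraction handles the case
 * where the window wraps past 2^32. */
static bool in_window(const tcb_t *t, uint32_t seq)
{
    return (uint32_t)(seq - t->rcv_nxt) < t->rcv_wnd;
}

static void deliver_rst(tcb_t *t, uint32_t seq)
{
    if (!t->closed && in_window(t, seq))
        t->closed = true;
}

/* Number of RSTs needed to cover the whole 32-bit space in strides of
 * `stride`: ceil(2^32 / stride). */
uint64_t probes_needed(uint32_t stride)
{
    if (stride == 0)
        stride = 1;
    return ((1ULL << 32) + stride - 1) / stride;
}

/* Blind attacker.  It spoofs one RST per stride across the sequence space;
 * if its stride is no larger than the real window, one of them must land
 * inside it.  Returns the number of RSTs sent before the connection died,
 * or 0 if the connection survived the whole sweep. */
uint64_t blind_reset(tcb_t *t, uint32_t stride)
{
    uint64_t sent = 0;
    if (stride == 0)
        stride = 1;
    for (uint64_t seq = 0; seq < (1ULL << 32); seq += stride) {
        sent++;
        deliver_rst(t, (uint32_t)seq);
        if (t->closed)
            return sent;
    }
    return 0;
}

/* Convenience wrapper: a fresh connection with the given hidden state. */
uint64_t simulate(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t stride)
{
    tcb_t t = { rcv_nxt, rcv_wnd, false };
    return blind_reset(&t, stride);
}

int main(void)
{
    /* Constructed cases: a 64 KiB window, a window that wraps past 2^32,
     * and an attacker whose stride overshoots a small window. */
    printf("wnd 65535, stride 65535: %llu RSTs (vs %llu to try every sequence number)\n",
           (unsigned long long)simulate(0x12345678u, 65535u, 65535u),
           (unsigned long long)probes_needed(1u));
    printf("window wrapping at 2^32: %llu RST\n",
           (unsigned long long)simulate(0xFFFFFFF0u, 64u, 64u));
    printf("wnd 1000, stride 65535: %llu (0 = connection survived)\n",
           (unsigned long long)simulate(500u, 1000u, 65535u));
    return 0;
}
```

Two caveats a practitioner will want: the stride has to be no larger than the victim's actual window (the third case shows the sweep missing a 1000-byte window entirely), and stacks that implement RFC 5961 answer an in-window but inexact RST with a challenge ACK rather than tearing the connection down, so against them the 2001-era arithmetic above no longer holds.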
This paper discusses the implementation, pros, and cons of being able to inject a library into a remote process through a given medium, such as an exploit. The ability to inject a library into a remote process provides an exploit writer with the ability to develop very powerful, automated features that would otherwise be tedious to write in assembly. When combined with the ability to inject a library without even touching the filesystem, library injection becomes a completely automated, virtually undetectable (at the host level) backdoor into the remote machine.
This paper takes a look at the concept of 'Memory Analysis' as it pertains to reverse engineering. Memory analysis is the process of inspecting the memory layout of a given process while it is running to gain insight into how it functions and, potentially, modifying locations in memory to cause the program to do something unexpected or to see how the program reacts.
Perhaps no other operating system to date requires someone to jump through as many hurdles as does Windows when it comes to writing reliable, portable shellcode. This paper outlines many of the common, and some of the not so common, techniques and implementations used to write shellcode for Windows.
A major feature lacking in the open source community is the ability to sign and verify trusted binaries. The main reason for this is that the open source community itself is quite decentralized, and, as such, establishing a trusted third-party signer to use is quite challenging. Regardless, this paper outlines the principles and concepts behind ELF binary signing.