It seems that for a bit of time now, HIPS products are taking off and being installed in organizations. HIPS is still a relatively young technology with the way technology goes. There are some mature products out on the market, and the features and abilities are ever changing. Lately we here at the BL have been working on HIPS evasion techniques, lots of interesting things to think of, and lots of interesting techniques to try out. Since most HIPS are utilizing hooking techniques, it's fun to see exactly where they hook and what they leave out. Hidden or little utilizes APIS, and/or calls can be fun vectors to look at.
We'll be posting more here when we finalize our research. Perhaps a neat evasion tool, hrmm, I'll have to check with the ninja monkies on that one..
[commonly hooked dll]
ntdll.dll
kernel32.dll
core.dll
ADVAPI32.dll
RPCRT4.dll
NETAPI32.dll
msvcrt.dll
PSAPI.dll
SHLWAPI.dll
GDI32.dll
USER32.dll
MSVCR71.dll
WININET.dll
CRYPT32.dll
MSASN1.dll
OLEAUT32.dll
ol32.dll
msi.dll
urlmon.dll
SHELL32.dll
------ and the list goes on!
Monday, April 16, 2007
Friday, April 6, 2007
Smashing SEH
Ok so recently i have been working on a couple of Buffer Overflows where EIP is gained through smashing SEH so here is a quick mini primer on smashing SEH for fun and profit
So here is the short definition when a win32 program runs it sets on the stack and address of the SEH the program will jmp to this address if there is ever an exception that causes the program to die Thus the reason it is called the Standard Exception Handler.
So on occasion you will have a program that you can overflow the buffer thus overwriting data on the stack but and exception fires during the copy or something else in the data stream causes an exception causing the program to fire the SEH before you get code execution (thats overly simplified but you get the point) So what is a researcher to do? how bout overwrite the address that SEH is pointing to 
So if we overwrite the buffer we will eventualy get to 2 address on the stack the first is the “Pointer to the Next SEH” and then the next address after that is the current SEH so coceptualy our buffer looks somewhat like this
so if we send a buffer and fill the top buffer space with A’s then set the Pointer to the Next SEH to BBBB set the SEH to CCCC and the second buffer space to DDDD our buffer will look something like this (again this is just an example)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDDDDDDDDDDD
now remember this is just an example in the real world the buffers hopefully will be much bigger
so when the exception fires what you will see is eip set to CCCC and then 2 addresses down from EBP (stack base pointer) you will see a address that contains this
BBBBCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
now thats kinda interesting thats our buffer but how do we get to it?
Bring on the pop pop ret . If we can set the SEH to an opcode that contains a Pop Pop Ret when it fires it should pop 2 addresses off the stack and return into our buffer. ok so now we can get into the buffer but how do we get to shellcode from here? after all the buffer doesnt just contain our shellcode of DDDDDD it also contains BBBB and CCCC so what are we to do? Well up until this point we havnt used the Pointer To the Next SEH address for anything (the BBBB space) so what we do is we set BBBB to \xEB\x06\xFF\xFF what is \xEB\x06? in assembly it is Jmp Short 6 bytes so when we pop pop ret into this space the execution flow will hit this jump over our CCCC return address directly into our DDDDDDDD shellcode YaY!!!!
so now we have code execution by Busting the SEH on win32 programs
Some things to think about….
The buffer space after the return address may be to small for a full payload which means we may have to use a staged payload that jumps back into our main buffer
In windows XP sp2 microsoft introduced SafeSEH which limits where the SEH can point to. this can be overcome by pointing back into the binary itself for a pop pop ret provided the binary hasnt also been compiled with /SafeSEH
Just some things to think about and mabey get the brain juices flowing
Thursday, April 5, 2007
Subscribe to:
Posts (Atom)