
Exploits 2: Exploitation in the Windows Environment

Creator: Corey Kallenberg (@CoreyKal)


License: Creative Commons: Attribution, Share-Alike (http://creativecommons.org/licenses/by-sa/3.0/)


Class Prerequisites: Introduction to x86, Exploits 1


Lab Requirements:

Windows XP SP3 Virtual Machine with the following installed:

Windows Platform SDK 7.0 or 7.1 (the optional debugging tools must be installed)

Microsoft Visual C++ Express 2008

HxD hex editor


Class Textbook: "The Shellcoder's Handbook: Discovering and Exploiting Security Holes" (2nd edition) by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte


Class Prereqs: Must have a basic understanding of the C programming language, as this class will show how C code can be exploited. Must have taken Intro x86 and Exploits 1. Some knowledge of the PE header format from Life of Binaries would be useful as well.


Recommended Class Duration: 3 days


Creator Available to Teach In-Person Classes: Yes


Author Comments:


This course covers the exploitation of stack corruption vulnerabilities in the Windows environment. Stack overflows are programming flaws that often allow an attacker to execute arbitrary code in the context of a vulnerable program. There are many nuances involved with exploiting these vulnerabilities in Windows. Windows' exploit mitigations such as DEP, ASLR, SafeSEH, and SEHOP make leveraging these programming bugs more difficult, but not impossible. The course highlights the features and weaknesses of many of the exploit mitigation techniques deployed in Windows operating systems. Also covered are labs that describe the process of finding bugs in Windows applications with mutation-based fuzzing, and then developing exploits that target those bugs.


Topics covered in the labs for this class include:

* Exploiting a vanilla Windows stack overflow with no mitigations turned on

* Using WinDbg to analyze our crashes

* Removing bytes from your payload (such as nulls) which would prevent exploitation

* Finding functions to call by walking the Thread Execution Block to find kernel32.dll’s location in memory so we can call functions like LoadLibrary() and GetProcAddress()

* Hashing strings to use for comparison when searching for functions, in order to minimize the size of the payload

* Overwriting Structured Exception Handlers (SEH) as a means to bypass stack cookies (/GS compile option) and bypassing the SafeSEH mitigation

* Overwriting virtual function table function pointers in C++ code as another way around stack cookies

* Using Return Oriented Programming (ROP) to defeat Data Execution Prevention (DEP) aka non-executable (NX) stack

* Using libraries which opt out of Address Space Layout Randomization (ASLR) and SafeSEH to bypass these mitigations

* Using Python to mutationally fuzz the custom, never-before-analyzed, Corey’s Crappy Document Format and Crappy Document Reader in order to find and exploit the numerous bugs within


Author Biography:

Corey Kallenberg is a security researcher with an interest in operating system and PC firmware security. In 2012 he coauthored work on using timing based attestation to detect Windows kernel hooks at DEFCON and IEEE S&P. In 2013 his focus shifted to the BIOS, where he coauthored work pointing out problems in current PC trusted computing approaches. During this time frame he was also involved in discovering and exploiting vulnerabilities that allowed bypassing of the signed BIOS enforcement on a number of systems. These results were presented at NoSuchCon, Blackhat USA, EkoParty, HITB, ACM CCS, and other conferences. Corey is also the author of OpenTPM, the open source Trusted Platform Module (TPM) driver for Windows. Corey is currently continuing to investigate BIOS/UEFI and trusted computing implementations for security vulnerabilities.



Class Materials


(.odp is best viewed with LibreOffice)

Slides (224 slides)


Exercise Code (.zip) - ~25MB, password = password

md5: 1ed93402bd2a2c0cc640a6308abb3222



Full quality downloadable QuickTime, h.264, and Ogg videos at Archive.org:

Day 1 Part 1 (1:17:34, 1.08 GB)

Day 1 Part 2 (41:33, 804 MB)

Day 1 Part 3 (32:18, 635 MB)

Day 1 Part 4 (37:19, 645 MB)

Day 1 Part 5 (26:16, 493 MB)

Day 2 Part 1 (51:26, 575 MB)

Day 2 Part 2 (44:12, 568 MB)

Day 2 Part 3 (1:27:56, 696 MB)

Day 2 Part 4 (37:00, 472 MB)

Day 3 Part 1 (49:11, 583 MB)

Day 3 Part 2 (42:34, 569 MB)

Day 3 Part 3 (32:05, 696 MB)

Day 3 Part 4 (1:24:29, 472 MB)

(10:43:53 total, sans a lot of lab time)


The videos are useful for students, but even more useful for potential instructors who would like to teach this material. By watching the videos, you will better understand the intent of some slides which do not stand on their own. We recommend watching the largest-size video so that as much text as possible is visible without having to follow along in the slides.



Revision History:


11-11-2012 - Day 3 videos uploaded to Youtube & Archive.org

09-30-2012 - Day 2 videos uploaded to Youtube & Archive.org

08-25-2012 - Day 1 videos uploaded to Youtube & Archive.org

08-25-2012 - Initial class content upload


If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.