
Smashing the stack with Hydra

Jun 25, 2015


Presented this at DEFCON 17
Transcript
Page 1: Smashing the stack with Hydra

SMASHING THE STACK WITH HYDRA

Pratap Prabhu, Yingbo Song and Sal Stolfo

Columbia University Intrusion Detection Systems Lab


Page 2: Smashing the stack with Hydra

Overview

•  Hydra is a polymorphic shellcode engine for x86.

•  Goal: to bypass signature, statistical, and emulator-based IDS.

•  Integrates several obfuscation techniques into one engine. Self-cipher, statistical mimicry, fork() code, and more...

Page 3: Smashing the stack with Hydra

Diagram: stack frame before and after the overflow. Before: local variables, saved EIP (address of the calling function), instructions. After: the local variables are overwritten by a NOP sled and payload, and the return zone overwrites EIP, so the function’s “ret” jumps into the sled.

Page 4: Smashing the stack with Hydra

Polymorphic Shellcode

•  IDS signatures: “\x90\x90\x90\x90”, “/bin/sh”

•  Use an encoder and cipher the payload with a random key.

•  Doesn’t work if the IDS can detect the decoder.

•  What about statistical IDS which looks at byte distributions?

•  Network emulator, and dynamic disassembly-based IDS?

Page 5: Smashing the stack with Hydra

Hydra Features

•  NOP instructions generator.

•  Recursive NOP sled.

•  Randomized register selection and clearing.

•  Randomized multi-layer ciphering.

•  Inline junk code/data insertion.

•  Multi-partite decoders.

•  Multi-gram statistical mimicry.

•  Randomized return zone.

•  fork()’ing shellcode.

•  Time-locked ciphering for anti-emulator and anti-disassembly.

•  Alphanumeric encoding.

Page 6: Smashing the stack with Hydra

NOP Sled Obfuscation

•  NOP doesn’t have to be \x90. ‘A’, ‘B’, ‘C’, .., ‘Z’ all work.

•  Hydra contains a “NOP generator” that can build a library of possible NOP instructions.

•  Test method:

–  Add code to set up stack/register canary variables.

–  Add a sled built with the NOP instruction to be tested.

–  Add validation code to check stack/register variables.

–  Execute.

•  Finds NOP-equivalent instructions.

Page 7: Smashing the stack with Hydra

NOP Sled Obfuscation

•  Not just single-byte NOPs. Multi-byte NOP instructions by way of recursive NOP. (Phrack, CLET)

•  Find all 1-byte NOP instructions by brute force, then find two-byte NOPs where the 2nd byte is a one-byte NOP. Repeat.

•  A larger NOP instruction recursively contains smaller NOPs. Execution can land anywhere in the instruction.

Page 8: Smashing the stack with Hydra

NOP Sled Obfuscation

•  Hydra utilizes two types of NOP instructions.

1. Basic NOP-equivalent instructions which can be used to build a sled and safely pass execution into the payload.

2. NOPs which can be safely inserted between instructions.

•  Second case: “State-safe” NOPs do not contain instructions which modify the stack, registers, control flow, etc.

•  1.9M total NOP-equivalent instructions found. 30,000 state-safe NOPs.

Page 9: Smashing the stack with Hydra

Random register operations

•  Different synonymous instructions per invocation.

•  Hydra provides a large library of such instructions and a platform to add more.

•  For some operations, the key used is randomly generated to further obfuscate the payload.

Two example ways to clear a register

Method 1:

    mov reg, <key>
    sub reg, <key>

Method 2:

    push dword <key>
    pop reg
    sub reg, <key>

Page 10: Smashing the stack with Hydra

Multi-partite Decoding

•  Hydra generates non-contiguous decoders.

•  The padded decoder cipher loop is split apart and intermixed with the encoded payload.

•  Currently only bi-partite decoding is implemented: half of the decoder instructions are in front of the payload, half after it.

•  Decoder instructions jump between each other while decoding the payload.

Page 11: Smashing the stack with Hydra

Multi-Layer Ciphering

•  Multiple cipher operations, subsets selected at random per invocation. Very useful technique (ADMmutate, CLET, ..)

•  Random cipher operations: ROR/ROL, XOR, ADD/SUB, etc…

•  Cipher order is random each time.

•  A randomly chosen 32-bit key is generated per cipher.

•  Six rounds of ciphering by default – user can specify the number.

Page 12: Smashing the stack with Hydra

Inline Junk Code Insertion

•  Hydra automatically adds space between instructions. Arbitrary data can be inserted:

[instr1][junk][instr2][junk][instr3][junk][instr4]

•  The amount of data to be inserted can be specified.

•  Can insert NOP instructions, anti-disassembly code, random junk, etc. The ciphers will skip these areas during decoding.

•  Can also insert certain bytes for statistical mimicry.

Page 13: Smashing the stack with Hydra

Statistical Mimicry

•  Statistical IDS – typically work by learning frequencies for normal content, then detecting exploits as anomalies.

•  Hydra uses machine learning-based techniques to make shellcode mimic normal traffic.

•  Learn a statistical model for the distribution of n-grams within legitimate network content.

•  Sample from this distribution, and use padding and inline padding (junk insertion) to skew the distribution of the shellcode to appear normal.

Page 14: Smashing the stack with Hydra

Randomized Address Zone

•  Sequence of repeated target addresses.

•  Used to overwrite %ESP on the stack to point to the NOP sled.

•  An IDS can look for a structural signature such as the existence of NOP instructions and repeated numbers (sled + return zone).

•  Break signatures by adding random offsets to each address element in the return address zone.
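Added example, not code from the slides or from Hydra: the two structural checks that pages 6 to 8 and this page attribute to an IDS, a run of single-byte NOP equivalents and a repeated return address, run over constructed buffers. The NOP byte set, the addresses and the offsets are made up for the demonstration; the windowed variant goes one step beyond the slide by grouping return-zone entries that have each been perturbed by a small offset, which the exact-repeat check no longer sees.

```python
import struct
from collections import Counter

# Single-byte NOP equivalents the slides name: 0x90 and 'A'..'Z' (0x41..0x5a).
# A real NOP-generator library is far larger; this set is a stand-in.
NOP_EQUIV = {0x90} | set(range(0x41, 0x5B))

def longest_nop_run(buf: bytes) -> tuple:
    """(offset, length) of the longest run of single-byte NOP equivalents."""
    best, start = (0, 0), None
    for i, b in enumerate(buf + b"\x00"):           # sentinel closes a trailing run
        if b in NOP_EQUIV:
            start = i if start is None else start
        elif start is not None:
            best = max(best, (start, i - start), key=lambda r: r[1])
            start = None
    return best

def best_return_zone(buf: bytes, window: int = 0x1000, min_hits: int = 4):
    """Densest cluster of 4-byte little-endian words over all four alignments,
    as (cluster_base, hits), or None. window=1 is the exact-repeat signature the
    slide mentions; a page-sized window also groups addresses that were each
    perturbed by a small random offset."""
    best = None
    for align in range(4):
        buckets = Counter()
        for i in range(align, len(buf) - 3, 4):
            if all(b in NOP_EQUIV for b in buf[i:i + 4]):  # sled bytes, not pointers
                continue
            buckets[struct.unpack_from("<I", buf, i)[0] // window] += 1
        bucket, hits = max(buckets.items(), key=lambda kv: kv[1], default=(0, 0))
        if hits >= min_hits and (best is None or hits > best[1]):
            best = (bucket * window, hits)
    return best

def classic_sample() -> bytes:
    """Constructed: 0x90 sled, stand-in payload bytes, six exact copies of a made-up address."""
    return b"\x90" * 32 + bytes(range(24)) + struct.pack("<I", 0xBFFFF5A0) * 6

def perturbed_sample() -> bytes:
    """Constructed: 'A'..'Z' sled, stand-in payload, return zone entries each offset a little."""
    zone = b"".join(struct.pack("<I", 0xBFFFF5A0 + d) for d in (0, 12, 7, 21, 3, 16))
    return bytes(range(0x41, 0x5B)) + bytes(range(24)) + zone

if __name__ == "__main__":
    for name, buf in (("classic", classic_sample()), ("perturbed", perturbed_sample())):
        print(name, "sled:", longest_nop_run(buf), "exact:", best_return_zone(buf, window=1),
              "windowed:", best_return_zone(buf))
```

The exact-repeat check returns None for the perturbed buffer while the windowed check still reports six entries in one page; the sled run check is untouched by the offsets because the sled bytes are unchanged.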

Page 15: Smashing the stack with Hydra

Time-Cipher Shellcode

•  Emulator IDS? Build a stripped-down x86 emulator and dynamically execute ALL network traffic. Look for self-decryption behavior and/or large basic blocks.

•  Solution? Use syscall-based ciphering. Exploit the fact that emulators can’t handle full OS functionality.

•  Hydra uses the time() syscall. The most significant bits are used as the key to decode the main cipher instructions (ROR, XOR, etc).

•  Syscall not handled? Time runs out? Shellcode is decoded incorrectly – no polymorphic behavior is observed.

Page 16: Smashing the stack with Hydra

Time-Cipher Shellcode

•  Good for a user-defined period of time. The user can adjust the “shell-life” window by the number of bits used.

•  Network IDS can’t emulate all possible syscalls.

•  Time-ciphered shellcode will pass through the emulators and arrive on the target host where the syscalls can be handled.

•  Bypasses some emulator- and disassembly-based methods, and slows down human reverse engineers.

Page 17: Smashing the stack with Hydra

Forking Shellcode

•  An exploit could cause the target process to hang. Not good – could be picked up by an IDS. Graceful recovery (Skyler, CanSecWest ’09.)

•  Solution: fork()’ing shellcode. Child executes the payload, parent attempts to recover the exploited process.

•  Recovery is hard – the correct %EIP is normally lost during the exploit.

•  Need to know the target process address space – relative offset.

•  Hydra fork()s your shellcode for you automatically.

Page 18: Smashing the stack with Hydra

Alphanumeric Encoding

•  Hydra also incorporates the alpha2 encoder.

•  Automatically selects alphanumeric NOPs from the NOP generator to construct the sled. Choice of more than 4000 ASCII instructions.

•  Alpha NOPs are inserted in between decoder instructions and shellcode to further obfuscate both content and size.

•  The modular nature of the engine allows the Alpha encoding to combine with all of the other options.

Page 19: Smashing the stack with Hydra

Diagram: layout comparison.

Traditional shellcode: NOP SLED, PAYLOAD, RETURN ZONE.

Hydra shellcode: RECURSIVE SLED, DECODER (optionally an ALPHA DECODER), PAYLOAD, Time-lock Cipher, Fork(), with Mimicry Bytes intermixed throughout and a Randomized RETURN ZONE.

•  Hydra is designed to be modular.

•  Shellcode and mimicry bytes intermixed.

•  Only ciphers shellcode instructions, mimicry bytes kept in the clear.

Page 20: Smashing the stack with Hydra

DEMO


Page 21: Smashing the stack with Hydra

THANK YOU DEFCON

Code to be released in the future.

Pratap Prabhu ([email protected])

Yingbo Song ([email protected])

Salvatore Stolfo ([email protected])

Page 22: Smashing the stack with Hydra

Statistical Mimicry

•  Hydra accepts “training samples” for normal data and learns models for normal traffic.

•  Inline-pads shellcode to make it look statistically similar.

Song, et al. Machine Learning Journal. 2009.

Markov chains and Monte-Carlo simulation.
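Added example, not from the slides or the Hydra code base, for the statistical IDS described on page 13 and on this slide: a simplified 1-gram model (the mean byte distribution of the training samples, scored by total variation distance, which stands in for the Mahalanobis distance of the PAYL sensor) trained on constructed HTTP request lines. It shows the weakness the slides rely on: the same 0x90 bytes interleaved with bytes copied from the training set score progressively closer to normal, so a 1-gram score on its own is a weak signal. All names, samples and the threshold margin are this example's own.

```python
from collections import Counter

def byte_dist(buf: bytes) -> list:
    """Relative frequency of each of the 256 byte values (a 1-gram profile)."""
    counts = Counter(buf)
    return [counts.get(i, 0) / len(buf) for i in range(256)]

def train(samples: list) -> list:
    """Model = centroid of the per-sample 1-gram profiles."""
    profiles = [byte_dist(s) for s in samples]
    return [sum(p[i] for p in profiles) / len(profiles) for i in range(256)]

def score(buf: bytes, model: list) -> float:
    """Total variation distance in [0, 1]: 0 = same distribution as the model,
    1 = no byte value in common with the model."""
    f = byte_dist(buf)
    return 0.5 * sum(abs(f[i] - model[i]) for i in range(256))

def inline_pad(code: bytes, pad: bytes, copies: int) -> bytes:
    """Interleave `copies` repeats of pad between the bytes of code (the slides'
    inline padding). A 1-gram model sees only byte counts, never order."""
    filler = pad * copies
    step = max(1, len(filler) // len(code))
    out = bytearray()
    for j, b in enumerate(code):
        out.append(b)
        out += filler[j * step:(j + 1) * step]
    out += filler[len(code) * step:]           # leftover pad bytes, nothing dropped
    return bytes(out)

# Constructed "normal" traffic: a few HTTP request lines (no 0x90 byte occurs).
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /about/team.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]
MODEL = train(TRAINING)
THRESHOLD = max(score(s, MODEL) for s in TRAINING) + 0.05   # worst training score + constructed margin
SLED = b"\x90" * 64                                          # the classic signature byte, 64 times

def is_anomalous(buf: bytes) -> bool:
    return score(buf, MODEL) > THRESHOLD

def padding_effect(copies_list=(0, 1, 2, 3)) -> list:
    """Score of SLED with 0, 1, 2 and 3 copies of TRAINING[0] interleaved."""
    return [score(inline_pad(SLED, TRAINING[0], n), MODEL) for n in copies_list]

if __name__ == "__main__":
    print("threshold", round(THRESHOLD, 3), "bare sled", score(SLED, MODEL))
    print("sled score as padding grows:", [round(s, 3) for s in padding_effect()])
```

The bare sled scores exactly 1.0 (no byte in common with the model) and each added copy of padding pulls the score down, which is why the slides pair the 1-gram trick with n-gram and decoder-level checks on the defender's side.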