
1 The past, the present and the future of software exploitation techniques

Nikita Tarakanov, Moscow, Russia. ZeroNights 2014, 13th of November 2014

2 Agenda

Introduction
The past
The present
The (nearest) future
Q&A

3 Introduction

This talk is a very high-level overview of past and present software exploitation techniques (and their first appearances). It is mostly about memory corruption and binary vulnerabilities. The (nearest) future section is just the speaker's own thoughts.

4 The past

5 Kick-off

2 October 1988: Morris Worm

fingerd, sendmail, password brute-forcing via rsh

6 fingerd stack-based buffer overflow

Picture source: http://www.youtube.com/watch?v=xdnwR_T-qx0

7 November 08, 1996 (Phrack 49) - Smashing The Stack For Fun And Profit

http://phrack.org/issues/49/14.html

8 Bypassing the non-exec Stack (ret-2-libc) - 8/10/1997

Solar Designer: http://seclists.org/bugtraq/1997/Aug/63

9 Bypassing the non-exec Stack (ret-2-libc)

10 Bypassing the non-exec Stack (ret-2-libc)

11 1/31/1999 - w00w00 on Heap Overflows

http://www.w00w00.org/files/articles/heaptut.txt

12 9/20/1999 - Format String bug in proftpd

http://seclists.org/bugtraq/1999/Sep/328

13 7/25/2000 - JPEG COM Marker vulnerability in Netscape

http://www.openwall.com/articles/JPEG-COM-Marker-Vulnerability

14 9/9/2000 - Format String Attacks

http://seclists.org/bugtraq/2000/Sep/214

15 6/18/2001 - IIS .ida ISAPI filter vulnerability

16 7/13/2001 - Code Red Worm in the Wild

17 11/8/2001 - VUDO malloc tricks

http://phrack.org/issues/57/8.html

18 11/8/2001 - Once upon a free()

http://phrack.org/issues/57/9.html

19 2/7/2002 - Third Generation Exploits

https://www.blackhat.com/presentations/bh-europe-01/halvar-flake/bh-europe-01-halvarflake-1.ppt

20 7/28/2002 - Advances in Format String Exploitation

http://phrack.org/issues/59/7.html

21 7/10/2003 - "Variations in Exploit methods between Linux and Windows"

http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf

22 8/2/2003 - Win32 device driver communication vulnerabilities

http://seclists.org/fulldisclosure/2003/Aug/86
Arbitrary memory overwrite via ioctl METHOD_NEITHER

23 9/8/2003 - "Defeating the Stack Based Buffer Overflow Prevention Mechanism of MS Windows 2003 Server"

https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-litchfield.pdf

24 9/30/2003 - /SAFESEH introduced into Visual Studio

25 4/21/2004 - Reliable Windows Heap Exploits

https://cansecwest.com/core04/cansecwest04.iso

26 7/28/2004 - Windows Heap Overflows

http://www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt

27 10/25/2004 - On the effectiveness of ASLR

http://dl.acm.org/citation.cfm?id=1030124

28 11/2/2004 - "Heap Spraying" against Internet Explorer is demonstrated

29 1/21/2005 - "Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass"

http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf

30 2/17/2005 - Remote Windows Kernel Exploitation

http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Jack_White_Paper.pdf

31 7/20/2005 - "Windows Kernel Pool Overflow Exploitation"

http://packetstormsecurity.com/files/download/39742/Xcon2005_SoBeIt.pdf

32 8/31/2005 - Critical Section Heap Exploit Technique

http://www.symantec.com/connect/articles/new-way-bypass-windows-heap-protections

33 10/5/2005 - Technique published to bypass hardware DEP

Uninformed Journal 2, Matt Miller (skape) and Ken Johnson (skywing): NtProtectVirtualMemory, NtSetInformationProcess

34 11/30/2005 - Microsoft ships Visual Studio 2005 with GS v2

35 12/7/2005 - Technique published to exploit Freelist[0] on XP-SP2

http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist[0]%20On%20XP%20Service%20Pack%202.pdf

36 10/31/2006 - "Memory Retrieval Vulnerabilities"

http://alphastar.nl/corruption/2006/eeye-memretrievalbugs-Oct2006.pdf

37 1/19/2007 - "Double Free Vulnerabilities"

http://www.symantec.com/connect/blogs/double-free-vulnerabilities-part-1

38 3/1/2007 - "GS and ASLR in Windows Vista"

39 3/27/2007 - "Heap Feng Shui in JavaScript"

https://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf

40 7/6/2007 - "Understanding and Bypassing Windows Heap Protection"

https://www.immunityinc.com/downloads/Heap_Singapore_Jun_2007.pdf

41 4/14/2008 - "Application-Specific Attacks - Leveraging the ActionScript Virtual Machine"

http://www.inf.fu-berlin.de/groups/ag-si/compsec_assign/Dowd2008.pdf

42 7/1/2008 - "Real World Kernel Pool Exploitation"

http://www.80sec.com/syscanhk/KernelPool.pdf

43 7/29/2008 - .NET controls used to exploit IE

https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf

44 8/8/2008 - "Attacking the Vista Heap"

https://www.blackhat.com/presentations/bh-usa-08/Hawkes/BH_US_08_Hawkes_Attacking_Vista_Heap.ppt

45 2/3/2010 - Pointer Inference and JIT Spray

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

46 The present

47 Drive-By-Download attacks

Heap manipulation
Turning memory corruption into information leakage (ASLR bypass)
ROP

48 Privilege Escalation attacks

Arbitrary memory overwrites
Simple jump to shellcode located in the ring 3 (user-mode) address space
ROP (rarely seen)

49 The future

More chained exploits
More inter-ring exploits
Firmware/hardware bugs

50 Thank you for listening

Any questions?

Source: http://900igr.net/prezentacija/anglijskij-jazyk/the-past-the-present-and-the-future-of-software-exploitation-techniques-87730.html