Hacking Windows Internals

8/12/2019 Hacking Windows Internals

1/31


2/31

www.appsecinc.com

Hacking Shared Sections

Shared Section definitionUsing Shared SectionsTools

ProblemsSearching for holesExploitation

ConclusionsReferences


3/31


4/31www.appsecinc.com

Using Shared Sections

Loading binary images by OS.Process creation.Dll loading.

Mapping kernel mode memory into user address space !?.Used to avoid kernel transitions.

Sharing data between processes.GDI and GUI data, pointers !?, counters, any data.


5/31www.appsecinc.com


Creating a shared section

HANDLE CreateFileMapping (HANDLE hFile, // handle to file ( file mapping )

//or 0xFFFFFFFF ( shared memory )LPSECURITY_ATTRIBUTES lpAttributes, // securityDWORD flProtect, // protectionDWORD dwMaximumSizeHigh, // high-order DWORD of sizeDWORD dwMaximumSizeLow, // low-order DWORD of size

LPCTSTR lpName // object name ( named )//or NULL ( unnamed ));//returns a shared section handle


6/31

www.appsecinc.com


Opening an existing shared section

HANDLE OpenFileMapping (DWORD dwDesiredAccess , // access mode ( FILE_MAP_WRITE

// FILE_MAP_READ , etc.)BOOL bInheritHandle, // inherit flagLPCTSTR lpName // shared section name

);//returns a shared section handle


7/31

www.appsecinc.com


Mapping a shared section

LPVOID MapViewOfFile (HANDLE hFileMappingObject , // handle to created/opened

// shared section

DWORD dwDesiredAccess , // access mode( FILE_MAP_WRITE// FILE_MAP_READ , etc.)

DWORD dwFileOffsetHigh, // high-order DWORD of offsetDWORD dwFileOffsetLow, // low-order DWORD of offsetSIZE_T dwNumberOfBytesToMap // number of bytes to map

); // returns a pointer to begining of shared section memory


8/31

www.appsecinc.com


Ntdll.dll Native API

NtCreateSection() Creates a new sectionNtOpenSection() Opens an existing sectionNtMapViewOfSection() Map a section on memoryNtUnmapViewOfSection() Unmap a section from memoryNtQuerySection() Returns section sizeNtExtendSection() Change section size


9/31

www.appsecinc.com


Mapping unnamed Shared Sections.

OpenProcess(PROCESS_DUP_HANDLE,...)DuplicateHandle(...)MapViewOfFile(...)

Need permissions on target process


10/31


11/31

www.appsecinc.com

Tools

Process Explorer Shows information about processes (dlls, handles, etc.).

WinObjShows Object Manager Namespace information (objectsinfo, permissions, etc.)

ListSSLists Shared Sections names (local and TS sessions).

DumpSSDumps Shared Section data.

TestSSOverwrites Shared Section data (to detect bugs)


12/31


13/31

www.appsecinc.com

Problems

Input validation

Applications don't perform data validation before using thedata.Processes trust data on shared sections.


14/31


15/31

www.appsecinc.com

Problems

Weak permissionsDemo


16/31

www.appsecinc.com

Problems

Synchronization

Not built-in synchronization.Synchronization must be done by processes in order tonot corrupt data.There isn't a mechanism to force processes tosynchronize or to block shared section access.

Any process (with proper rights) can alter a sharedsection data while another process is using it.


17/31

www.appsecinc.com

Problems

Synchronization

Communication between Process A and B

Process

A

ProcessB

ProcessC

SharedSection

2- Writedata.

3- Dataready.

4- Replacedata.

5- Read data.

1- Send medata.


18/31

www.appsecinc.com

Searching for holes

Look for shared sections using Process Explorer orListSS.

Attach a process using the shared section to adebugger.

Run TestSS on shared section.Interact with process in order to make it use(read/write) the shared section.

Look at debugger for crashes :).


19/31

www.appsecinc.com

Searching for holes

Demo


20/31

www.appsecinc.com

Exploitation

Elevating privileges.Reading data.

Altering data.Shared section exploits.

Using shared sections on virus/rootkits/ etc.


21/31

www.appsecinc.com

Exploitation

Reading data.From high privileged processes (services).From local logged on user processes, services and othersessions on Terminal Services.This leads to unauthorized access to data.


22/31

www.appsecinc.com

Exploitation

Reading data.Reading Internet Explorer cookies and history information.(Demo)


23/31

www.appsecinc.com

Exploitation

Altering data.On high privileged processes (services).On local logged on user processes, services and othersessions on Terminal Services.This leads to arbitrary code execution, unauthorized

access, processes or kernel crashing (DOS).


24/31

www.appsecinc.com

Exploitation

Altering data.IIS 5 DOS. (Demo)


25/31

www.appsecinc.com

Exploitation

Shared section exploits.When overwriting shared section data allow us to takecontrol of code execution.Some shared sections start addresses are pretty static onsame OS and Service Pack.

Put shellcode on shared section.Build exploit to jump to shellcode on shared section atstatic location.


26/31

www.appsecinc.com

Exploitation

Shared section exploits.MS05-012 - COM Structured Storage Vulnerability

Exploit (Demo)


27/31

www.appsecinc.com

Exploitation

Using shared sections on virus/rootkits/etc.Some shared sections are used by many processes

(InternatSHData used for Language Settings) others are used byall processes :).Write code to shared section and the code will be instantly mappedon processes memory and also on new created processes.Use SetThreadContext() or CreateRemoteThread() to startexecuting code.Similar to WriteProcessMemory() - SetThreadContext() techniqueor DLL Injection.


28/31

www.appsecinc.com

Exploitation

Using shared sections on virus/rootkits/etc.Some shared sections have execute access.

It would be possible to avoid WinXP sp2 NX .


29/31


30/31

www.appsecinc.com

References

MSDNProgramming Applications for MS Windows - FourthEditionProcess Explorer ( www.sysinternals.com )

WinObj ( www.sysinternals.com )Rattle - Using Process Infection to Bypass WindowsSoftware Firewalls (PHRACK #62)

Crazylord - Playing with Windows /dev/(k)mem(PHRACK #59)


31/31

Click to edit Master title style

Click to edit Master subtitle style

Briefing for:

FIN

Questions? Thanks. Contact: sqlsec>atdot

Hacking Windows Internals

Documents

Transcript of Hacking Windows Internals