Smashing the stack with Hydra
Transcript of Smashing the stack with Hydra
SMASHING THE STACK WITH HYDRA
Pratap Prabhu, Yingbo Song and Sal Stolfo
Columbia University Intrusion Detection Systems Lab
Overview
• Hydra is a polymorphic shellcode engine for x86.
• Goal: to bypass signature, statistical, and emulator-based IDS.
• Integrates several obfuscation techniques into one engine. Self-cipher, statistical mimicry, fork() code, and more...
[Figure: classic stack smashing. Before the overflow the stack holds LOCAL VARIABLEs, the saved EIP (address of the calling function) and the INSTRUCTIONS of the caller. After the overflow the buffer holds NOP SLED | PAYLOAD | RETURN ZONE; the return zone overwrites EIP, and "ret" jumps into the NOP sled.]
Polymorphic Shellcode
• IDS signatures: "\x90\x90\x90\x90", "/bin/sh"
• Use an encoder and cipher the payload with a random key.
• Doesn't work if the IDS can detect the decoder.
• What about statistical IDS which looks at byte distributions?
• Network emulator, and dynamic disassembly-based IDS?
Hydra Features
• NOP instructions generator.
• Recursive NOP sled.
• Randomized register selection and clearing.
• Randomized multi-layer ciphering.
• Inline junk code/data insertion.
• Multi-partite decoders.
• Multi-gram statistical mimicry.
• Randomized return zone.
• fork()'ing shellcode.
• Time-locked ciphering for anti-emulator and anti-disassembly.
• Alphanumeric encoding.
NOP Sled Obfuscation
• NOP doesn't have to be \x90. 'A', 'B', 'C', .., 'Z' all work
• Hydra contains a "NOP generator" that can build a library of possible NOP instructions.
• Test method:
  – Add code to set up stack/register canary variables.
  – Add a sled built with the NOP instruction to be tested.
  – Add validation code to check stack/register variables.
  – Execute.
• Finds NOP equivalent instructions.
NOP Sled Obfuscation
• Not just single-byte NOPs. Multi-byte NOP instructions by way of recursive NOP. (Phrack, CLET)
• Find all 1-byte NOP instructions by brute-force, then find two-byte NOPs where the 2nd byte is a one-byte NOP. Repeat.
• A larger NOP instruction recursively contains smaller NOPs. Execution can land anywhere in the instruction.
NOP Sled Obfuscation
• Hydra utilizes two types of NOP instructions.
  1. Basic NOP equivalent instructions which can be used to build a sled and safely pass execution into the payload.
  2. NOPs which can be safely inserted between instructions.
• Second case: "State-safe" NOPs do not contain instructions which modify the stack, registers, control flow, etc.
• 1.9M total NOP equivalent instructions found. 30,000 state-safe NOPs.
Random register operations
• Different synonymous instructions per invocation.
• Hydra provides a large library of such instructions and a platform to add more.
• For some operations, the key used is randomly generated to further obfuscate the payload.
Two example ways to clear a register
Method 1:
    mov reg, <key>
    sub reg, <key>
Method 2:
    push dword <key>
    pop reg
    sub reg, <key>
Multi-partite Decoding
• Hydra generates non-contiguous decoders.
• The padded decoder cipher loop is split apart and intermixed with the encoded payload.
• Currently only bi-partite decoding is implemented: half of the decoder instructions are in front of the payload, half after it.
• Decoder instructions jump between each other while decoding the payload.
Multi-Layer Ciphering
• Multiple cipher operations, subsets selected at random per invocation. Very useful technique (ADMmutate, CLET, ..)
• Random cipher operations: ROR/ROL, XOR, ADD/SUB, etc...
• Cipher order is random each time.
• A randomly chosen 32-bit key is generated per cipher.
• Six rounds of ciphering by default – user can specify the number.
Inline Junk Code Insertion
• Hydra automatically adds space between instructions. Arbitrary data can be inserted:
  [instr1][junk][instr2][junk][instr3][junk][instr4]
• Amount of data to be inserted can be specified.
• Can insert NOP instructions, anti-disassembly code, random junk, etc. The ciphers will skip these areas during decoding.
• Can also insert certain bytes for statistical mimicry.
Statistical Mimicry
• Statistical IDS – typically work by learning frequencies for normal content then detecting exploits as anomalies.
• Hydra uses machine learning-based techniques to make shellcode mimic normal traffic.
• Learn a statistical model for the distribution of n-grams within legitimate network content.
• Sample from this distribution, and use padding and inline padding (junk insertion) to skew the distribution of shellcode to appear normal.
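As an added example, not Hydra's code and not part of the slides, here is a minimal version of the statistical IDS model the first bullet describes: a byte n-gram frequency model trained on normal content and used to score new data as an anomaly. Everything here is an assumption of this example: the "normal" HTTP requests are constructed, the scoring is average surprise in bits per n-gram with add-one smoothing, the threshold is calibrated from the training data, and the anomalous input is a blob of high bytes standing in for binary content (it is not shellcode). The sliding-window scorer is included because inline padding pulls down a whole-buffer average; scoring fixed-size windows limits how far content elsewhere in the buffer can mask a short anomalous region.

```python
# Added example (not Hydra's code): a byte n-gram frequency model of the
# kind a statistical IDS learns from normal traffic, with whole-buffer and
# sliding-window anomaly scores. All sample data below is constructed.
import math
from collections import Counter


def ngrams(data: bytes, n: int):
    """All overlapping n-byte substrings of data."""
    return [data[i:i + n] for i in range(len(data) - n + 1)]


class NGramModel:
    """Frequency model of byte n-grams seen in normal content."""

    def __init__(self, n: int = 1):
        self.n = n
        self.counts = Counter()
        self.total = 0

    def train(self, sample: bytes) -> None:
        grams = ngrams(sample, self.n)
        self.counts.update(grams)
        self.total += len(grams)

    def unseen_bits(self) -> float:
        """Surprise assigned to an n-gram never seen in training (add-one smoothing)."""
        return math.log2(self.total + 256 ** self.n)

    def score(self, data: bytes) -> float:
        """Average surprise in bits per n-gram; higher means less like normal."""
        grams = ngrams(data, self.n)
        if not grams:
            return 0.0
        denom = self.total + 256 ** self.n
        bits = sum(-math.log2((self.counts.get(g, 0) + 1) / denom) for g in grams)
        return bits / len(grams)

    def max_window_score(self, data: bytes, window: int) -> float:
        """Highest score over fixed-size windows. Scoring windows instead of
        the whole buffer limits how much normal-looking bytes elsewhere in
        the buffer can pull the average down."""
        if len(data) <= window:
            return self.score(data)
        return max(self.score(data[i:i + window])
                   for i in range(len(data) - window + 1))


def calibrate(model: NGramModel, normal_samples, margin_bits: float = 0.5) -> float:
    """Threshold = highest score any normal training sample gets, plus a margin."""
    return max(model.score(s) for s in normal_samples) + margin_bits


# Constructed "normal" content: a few plain HTTP requests (all ASCII).
NORMAL_SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
]
# Constructed anomalous content: bytes that never occur in ASCII HTTP text.
# A stand-in for binary content, not shellcode.
HIGH_BYTES = bytes(range(0x80, 0x100))


def demo() -> dict:
    model = NGramModel(n=1)
    for s in NORMAL_SAMPLES:
        model.train(s)
    threshold = calibrate(model, NORMAL_SAMPLES)
    # The anomalous blob surrounded by lots of normal text: the global
    # average is diluted, the best 32-byte window is not.
    padded = NORMAL_SAMPLES[0] * 4 + HIGH_BYTES + NORMAL_SAMPLES[1] * 4
    return {
        "threshold": threshold,
        "normal": model.score(NORMAL_SAMPLES[0]),
        "high_bytes": model.score(HIGH_BYTES),
        "padded_global": model.score(padded),
        "padded_window": model.max_window_score(padded, 32),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value:6.2f} bits")
```

Because every byte of the high-byte blob is unseen in training, its score is exactly the model's unseen-n-gram surprise, while every training sample scores at least one bit lower (each of its bytes has count at least 1), so the calibrated threshold always separates the two. Padding the blob with normal text lowers its whole-buffer score, but the 32-byte window score stays at the unseen level, which is the practical reason to score windows rather than whole payloads.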
Randomized Address Zone
• Sequence of repeated target addresses.
• Used to overwrite %ESP on the stack to point to the NOP sled.
• An IDS can look for a structural signature such as the existence of NOP instructions and repeated numbers (sled + return zone.)
• Break signatures by adding random offsets to each address element in the return address zone.
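As an added example, not Hydra's code and not part of the slides, here is the structural check the third bullet describes, written from the detector's side: it looks for a long run of NOP-equivalent bytes followed by a run of repeated 32-bit addresses. The NOP-equivalent table is the deliberately small set from the NOP sled slide ('A'..'Z' and 0x90); real sled detectors use far larger tables. The three sample buffers are constructed (no real exploit bytes): a classic sled-plus-return-zone layout, the same layout with a small fixed offset added to each return-zone entry, and a benign HTTP request. The exact-repeat check misses the offset variant; comparing addresses within a tolerance instead of for equality is one defender-side way to recover it, at the cost of more false positives on data that happens to contain nearby integers.

```python
# Added example (not Hydra's code): a structural detector for the classic
# "NOP sled followed by a return zone of repeated addresses" layout, with
# a tolerance that still catches a return zone whose entries carry small
# random offsets. All sample buffers are constructed.
import struct

# Single-byte x86 instructions that are harmless inside a sled: 0x90 (nop)
# and 'A'..'Z' (0x41..0x5a), which decode to inc/dec/push/pop on 32-bit x86.
# This small table is for illustration only.
NOP_EQUIVALENTS = frozenset([0x90]) | frozenset(range(0x41, 0x5B))


def longest_nop_run(buf: bytes) -> int:
    """Length of the longest run of consecutive NOP-equivalent bytes."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b in NOP_EQUIVALENTS else 0
        best = max(best, cur)
    return best


def longest_address_run(buf: bytes, tolerance: int = 0) -> int:
    """Longest run of consecutive 32-bit little-endian words that all lie
    within `tolerance` of the first word in the run. tolerance=0 is the
    naive "repeated number" signature; a larger tolerance absorbs small
    per-entry offsets. All four byte alignments are tried because the
    return zone need not start on a 4-byte boundary of the captured buffer."""
    best = 0
    for align in range(4):
        words = []
        for i in range(align, len(buf) - 3, 4):
            chunk = buf[i:i + 4]
            # Words made only of sled bytes are skipped so that a plain
            # 0x90 sled is not itself counted as a return zone.
            words.append(None if all(b in NOP_EQUIVALENTS for b in chunk)
                         else struct.unpack("<I", chunk)[0])
        i = 0
        while i < len(words):
            if words[i] is None:
                i += 1
                continue
            j = i
            while (j < len(words) and words[j] is not None
                   and abs(words[j] - words[i]) <= tolerance):
                j += 1
            best = max(best, j - i)
            i = j
    return best


def inspect_buffer(buf: bytes, sled_min: int = 16, zone_min: int = 4,
                   tolerance: int = 0) -> dict:
    """Flag a buffer that shows both a long sled and a run of (near-)repeated
    addresses; either feature alone is common in benign data."""
    nop_run = longest_nop_run(buf)
    address_run = longest_address_run(buf, tolerance)
    return {"nop_run": nop_run, "address_run": address_run,
            "suspicious": nop_run >= sled_min and address_run >= zone_min}


# Constructed samples: a stand-in "payload" of bytes that are neither
# NOP-equivalents nor repeated, a 32-byte sled, an 8-entry return zone.
FAKE_PAYLOAD = bytes(range(0x01, 0x21))
BASE_ADDRESS = 0xBFFFF5A0
CLASSIC = b"\x90" * 32 + FAKE_PAYLOAD + struct.pack("<I", BASE_ADDRESS) * 8
# Same layout with an alphanumeric sled and a small offset added to each
# return-zone entry (fixed values so the example is deterministic).
OFFSETS = [0, 7, 3, 12, 5, 9, 1, 14]
RANDOMIZED = (b"A" * 32 + FAKE_PAYLOAD
              + b"".join(struct.pack("<I", BASE_ADDRESS + o) for o in OFFSETS))
# Ordinary request text, for a benign comparison.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print("classic            ", inspect_buffer(CLASSIC))
    print("randomized, exact  ", inspect_buffer(RANDOMIZED))
    print("randomized, tol=16 ", inspect_buffer(RANDOMIZED, tolerance=16))
    print("benign             ", inspect_buffer(BENIGN))
```

Note that uppercase ASCII text also counts as NOP-equivalent bytes under this table ("HTTP" is a run of four), which is why the check requires both a long sled and a return-zone run before flagging anything.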
Time-Cipher Shellcode
• Emulator IDS? Build a stripped down x86 emulator and dynamically execute ALL network traffic. Look for self-decryption behavior and/or large basic blocks.
• Solution? Use syscall-based ciphering. Exploit the fact that emulators can't handle full OS functionality.
• Hydra uses the time() syscall. Most significant bits used as key to decode the main cipher instructions (ROR, XOR, etc).
• Syscall not handled? Time runs out? Shellcode is decoded incorrectly – no polymorphic behavior is observed.
Time-Cipher Shellcode
• Good for a user-defined period of time. User can adjust the "shell-life" window by the number of bits used.
• Network IDS can't emulate all possible syscalls.
• Time-ciphered shellcode will pass through the emulators and arrive on the target host where the syscalls can be handled.
• Bypasses some emulator and disassembly based methods, and slows down human reverse engineers.
Forking Shellcode
• Exploit could cause the target process to hang. Not good – could be picked up by an IDS. Graceful recovery (Skyler, CanSecWest '09.)
• Solution: fork()'ing shellcode. Child executes payload, parent attempts to recover the exploited process.
• Recovery is hard – correct %EIP is normally lost during exploit.
• Need to know target process address space – relative offset.
• Hydra fork()s your shellcode for you automatically.
Alphanumeric Encoding
• Hydra also incorporates the alpha2 encoder.
• Automatically selects alphanumeric NOPs from the NOP-generator to construct the sled. Choice of more than 4000 ASCII instructions.
• Alpha NOPs are inserted in between decoder instructions and shellcode to further obfuscate both content and size.
• Modular nature of the engine allows the Alpha encoding to combine with all of the other options.
[Figure: layout comparison.
Traditional shellcode: NOP SLED | PAYLOAD | RETURN ZONE
Hydra shellcode: RECURSIVE SLED | DECODER stages (Time-lock Cipher, Fork(), ALPHA DECODER) interleaved with Mimicry Bytes and the PAYLOAD | Randomized RETURN ZONE]
• Hydra is designed to be modular.
• Shellcode and mimicry bytes intermixed.
• Only ciphers shellcode instructions, mimicry bytes kept in the clear.
DEMO
THANK YOU DEFCON
Code to be released in the future.
Pratap Prabhu ([email protected]), Yingbo Song ([email protected]), Salvatore Stolfo ([email protected])
Statistical Mimicry
• Hydra accepts "training samples" for normal data and learns models for normal traffic.
• Inline-pad shellcode to make it look statistically similar.
Song, et al. Machine Learning Journal. 2009.
Markov chains and Monte-Carlo simulation.