Note: Page numbers in italics indicate figures and tables.
A
Access Control Entries (ACEs), 286
Access control list (ACL), 286, 290
Access token, 286, 292–295
locating, 299
patching, 299–300
Alloc algorithm, 144
AMD64, 57
APCs. See Asynchronous procedure calls
Application Binary Interface (ABI), 53
Arbitrary memory overwrite, 71–74, 229–239, 277
exploiting architecture, 73–74
global structures' function pointers, 72
Architecture level, kernel, 48, 48–58
Architecture-assisted software tables, 94–95, 95
Asynchronous interrupts, 365
Asynchronous procedure calls (APCs), exploiting Windows, 381–383
B
Brute forcing, 7
BSD
derivatives, 125
of XNU kernel, 197
Buffer overflow, 24, 28
Buffered I/O data transfer, 279
Bug, 21, 420
guest kernel security, 433–434
hypervisor security, 432
virtualization, 432–434
BugCheck code, 320, 321
C
C++, implementation of, 214, 214
Cache, 28
Cache-pointer, 75
CALL instruction, 349
Calling conventions, 53, 312, 312, 351
Closed source operating systems, 18
Complex Instruction Set Computer (CISC) architecture, 8, 49, 55
Computer architectures, 49
config commands, 114
Corrupted pointer, 24
Countermeasures, 8, 9, 11
Counters, 94
CPU, 48–50
physical addressing, 50, 51
virtual-to-physical address translation, 52
CrashReporter, 200
CVE-2009-1046, 163–165
CVE-2009-3234
exploiting, 190–193
revisiting, 184–193
D
Damn Vulnerable Windows Driver (DVWD), 276–277
Driver.c file, 277
Overwrite.c file, 277
StackOverflow.c file, 277
Data model, 22
data type sizes in, 23
DDK. See Driver Development Kit
Dead memory, 24
Debugger, 204
GDB, 112
Debugging, kernel, 200–208
Linux, 108–114
Mac OS X, 200–208
OpenSolaris, 116–125
print-based, 116
Windows, 282–285
Deferred context, 366
Demand paging, 14
Design flaw, 21
Development bits, 115
Direct I/O technique, 188–190, 279
Domain identifier, 288
Driver Development Kit (DDK), 277
DTrace, 116–122
dumpadm command, 124
DVWD. See Damn Vulnerable Windows Driver
E
EPROCESS structure, 292, 306, 307
locating, 298
token address within, 293, 293
ETHREAD (Executive Thread Block) structure, 298
Exceptions, 50
F
Fast virtual system calls, 406
FAT binary, 196
Forward Transmission Sequence Number (FWD-TSN), 388
Free algorithm, 144
Function Boundary Tracing (FBT), 117
G
gdb command, 113
GDB debugger, 113
Generic exploit, 6
gettimeofday() function, 411–412
Global Descriptor Table Register (GDTR), 56
GRSecurity, 97
H
Hardware Abstraction Layer (HAL), 271, 311
Heap addresses/values, 97
Heap allocator, 74–76
Heap layout, remotely adjusting, 395–397
Heap overflow, 35
HyperText Transfer Protocol (HTTP), 10
Hypervisor, 432
security, 432–433
I
Image Packaging System (IPS), 115
In-cache controlling structures, 78, 79
Infoleak bug, 91, 96–98
In-object controlling structures, 78
In-slab fake object, 173
Instruction byte sequences, finding, 352–353
Instruction pointer (IP), 49, 71
Instruction set, 48
Instruction Set Architecture (ISA), 3
Integer-related bugs, 29–33
integer overflows, 27, 29–31
sign conversion issues, 31–33
Interprocess communications (IPC), 41, 197
Interrupt context, 366
Interrupt Descriptor Table (IDT), 73, 74
descriptors, 74
Interrupt Descriptor Table Register (IDTR), 56
Interrupt service routines (ISRs), 365
Interrupt stacks, 26
Interrupt vector table, 50
Interrupts, 50
Intimate Shared Memory (ISM), 188
IOCTL, 217, 219, 220, 221
IOKit, 197–198, 214
iostat command, 214
IP. See Instruction pointer
IRETQ instruction, 69, 70
J
Jprobes, 110–112
K
KEP. See Kernel execution path context
Kernel
heap exploitation, 138–139
heap memory corruption, 27–29, 74–82
controlling heap allocator behavior, 74–76
overflow exploiting techniques, 76–77
overwriting adjacent object, 77
overwriting adjacent page, 80–82, 83
overwriting controlling structures, 78–80
preemption and scheduler, 87–88
space versus separated address spaces, 16–17
stack corruption, 26–27, 83–86
overwriting local variable, 86
overwriting return address, 84–85
stack overflows, attacking, 177–183
Kernel attacks, 420–425
levels of read access, 420, 421
principles of information security
availability, 425
confidentiality, 420–422
integrity, 422–424
Kernel data segment, 97
Kernel defense, 425–432
kernel assurance, 428–432
kernel threat analysis and modeling, 425–427
mechanisms, 427–428
Kernel execution path (KEP) context, 364–367
Kernel Executive, 271, 311
base address of, 275, 276
name and version, 273
Kernel exploitation, 3–9
execution step in, 58–71
fixating system, 59
gaining privileges, 58
information-gathering step in, 90–98
infoleaks, 91, 96–98
information from architecture, 94–96
information from operating system, 92–94
simplifying exploitation process, 90
triggering step in, 71–90
Kernel extensions (KEXT), 208–227
auditing, 215–227
directory structure of, 209
Kernel Mode Code Signing (KMCS), 291
Kernel Modular Debugger (kmdb), 122–125
Kernel Processor Control Block (KPRCB), 298
Kernel Processor Control Region (KPCR), 298
Kernel security, 433–434
Kernel symbol, 93, 94
Kernel-generated user-land vulnerabilities, 41–43
Kernel-land exploits versus user-land exploits, 11–13, 12–13
Kernel-land memory, 4
Kernel-land multiple page mappings, 372
Kernel-land stack, 26
Kernel-mode APCs, 381
types of, 382
Kernel-mode shadow mapping, 373
Kernel-mode stack, 83
KEXT. See Kernel extensions
kextload command, 211, 212
KGDB, 114
KLD API, 213
Kprobes, 110–112
Kretprobe, 110, 112
kstat command, 140, 140
L
Last in, first out (LIFO) approach, 54, 77
Linux, 104–114
arbitrary memory overwrite primitive, 394–402
execution step, 126–138
memory segments, disabling, 409–410
privilege model, 126–138
post-2.6.29, 135–138
pre-2.6.29, 126–135
remote exploitation, 393–394
Linux 2.6 SLAB allocator, attacking, 160–177, 160–163
Linux kernel
debugging, 108–114
stack buffer overflows, exploiting, 180–183
versions, 106
Linux SLUB allocator, 139
Linux Vsyscall page, 362
Loadable Kernel Module (LKM), 171, 172
Load-store architecture. See Reduced Instruction Set Computer (RISC) architecture
Local exploit, 6
Logic bugs, 39–43
M
Mac OS X, 195
arbitrary memory overwrite, 229–239
execution step, 227–228
exploitation notes, 228–266
fat binaries, 196
kernel debugging, 200–208
kernel extensions, 208–227, 215–227
memory allocator exploitation, 253–266
race conditions, 266
stack-based buffer overflows, 239–253
Mach of XNU kernel, 197
Machine Specific Registers (MSRs), 70
Memory
allocator exploitation, 253–266
corruption vulnerabilities, 26–29, 71–86, 94
management, 50–53
Memory descriptor list (MDL), 279
Memory management unit (MMU), 52
Modular kernels, 92
Multistage shellcode, 375–378
interrupt-to-process-context migration, 375–377
process-context-to-user-land migration, 377–378
three-phase, 367
two-phase, 367, 378–383
N
Neither buffered nor direct I/O method, 279
Non-Uniform Memory Access (NUMA), 162
Nonvalidated pointer, 24
NULL pointer dereference, 22, 40
nvram command, 201, 205
O
Objdump, 357
Object-pointer, 75
Open source operating systems, 18
OpenSolaris, 103, 114–125
OpenSolaris kernel debugging, 116–125
OpenSolaris slab allocator, 138, 143
attacking, 139–160
mandatory concepts, 139–146
Operating systems
kernel core load virtual address for, 346
open source versus closed source, 18
Overwrite-into-free-object-metadata technique, 166–172
P
Padding bytes for alignment, 370
Page cache for fun and profit, exhausting, 185–188
Page Directory Table (PDT), 56
Page fault handler, 36
Page Table Entry (PTE), 57
Page tables, 14, 361
Partial Reliable Stream Control Transmission Protocol (PR-SCTP), 386
Payload migration, 364–383
design considerations, 367–375
KEP context, 364–367
types, 367
Payload protocol identifier, 388
Per-processor data structure (PDA), 128
Physical Address Extension (PAE), 271
Physical device input validation, 40–41
Physical page allocator, 80
Plug and Play (hotplug) technology, 41
Pointer, 22–26
PowerPC architecture, 195
Print-based debugging, 116
Privileges, authorization mechanism, 286, 291–292
patching routine, 300–305
kernel-mode elevation, 300–302
user-mode elevation, 300
Program counter (PC). See Instruction pointer
R
Race condition, 33–38, 86–87, 266
example of, 35
exploitation techniques, 88–90
synchronization primitives, 34
Reduced Instruction Set Computer (RISC) architecture, 8, 49, 55
Redzoning, 29
Reference counter overflow, 39–40
Registers, 48–50
Relative identifier (RID), 289, 289
Relative virtual address (RVA), 276
Reliable slab overflow exploit, 148–160
Remote kernel exploitation, 6, 343, 344, 393–394
executing first instruction, 343, 344
arbitrary write of kernel memory, 360–362
direct execution flow redirection, 349–360
Remote kernel payloads, 362–383
Remote user-land payloads, 363
Remote vulnerabilities, attacking, 344–348
lack of control over remote target, 347–348
lack of exposed information, 344–347
Return into kernel text technique, 64–66, 84, 93
Return probes. See Kretprobe
Return-to-text technique, 359–360
RID. See Relative identifier
Rings, 56
RISC architecture. See Reduced Instruction Set Computer architecture
RtlCopyMemory() function, 335–337
S
SCTP, 386–388
data packet, 387
FWD chunk heap memory corruption, 386–393, 388
vulnerable path, 389–393
message building, 397–402
SSNMAP
structure, 392
TSN packet, 401–402, 402
Security descriptor, 286
Security identifier (SID), 286, 287–291
deny-only, 289
IdentifierAuthority, 288
integrity level, 290
internal structure, 288
list patching approach, 296–300
fixing token group, 300
locating access token, 299
locating EPROCESS structure, 298
patching access token, 299–300
logon, 289
restricted, 289, 294
Revision, 287
service, 290
SubAuthority, 288
SubAuthorityCount, 287
SEH. See Structured exception handling
set_selection()
case study, 172–177
memory corruption, 163–165
Shellcode, 6
example of two-stage, 63
executing, 410–414
installation of, 403–410
in kernel land, 62
mixed/multiple-stage, 62–64
multistage. See Multistage shellcode
NOP landing zone on, 60, 61
placing, 59–66, 369–373
raising credentials, 67–68
recovering kernel state, 68–71
three-phase multistage, 367
two-phase multistage, 367, 378–383
in user land, 60–62
user-mode process, 403–410
showallkmods command, 205
showcurrentthreads command, 205
SID. See Security identifier
Slab allocator, 103
OpenSolaris. See OpenSolaris slab allocator
SLUB allocator, 162, 163, 166
Linux, 139
SMP systems. See Symmetric multiprocessing systems
Snow Leopard, 195, 266
Solaris, 114–125
Stack, 53–55, 372
addresses/values, 96
canary, 85, 319, 321, 322, 325
frame, 55
overflow, 35, 83, 84
pointer, 26
POP operation, 54
PUSH operation, 54
Stack-based buffer overflows, 239–253
Store Interrupt Descriptor Table (SIDT), 96
Stream identifier (SI), 387
Stream Sequence Number (SSN), 388
Structured exception handling (SEH), 322, 323, 325, 334
Super privileges, 287
Super user, 4, 5
Symmetric multiprocessing (SMP) systems, 33, 49, 88
Synchronous interrupts, 365
T
tail command, 212
target command, 206
Three-phase multistage shellcode, 367
Time Of Check Time Of Use (TOCTOU), 423
Time Stamp Counter (TSC), 88
Token-stealing technique, 305–308
touch command, 252
Trampoline sequences, 349
redirecting saved instruction pointer to, 352
Translation lookaside buffer (TLB), 52, 53, 431
Transmission Sequence Number (TSN), 387, 388
Traps, 50
Two-phase multistage shellcode, 367, 378–383
U
udevd, 42, 43
uname -a command, 115
uname -r command, 105
Undefined behavior, 29
Uninitialized pointer dereference, 22, 23
Uniprocessor (UP) systems, 33, 49, 88
Universal binary. See FAT binary
Unix, 104–125
exploitation, 138–193
User-land
buffer, 280, 304, 310
execution, 367
exploitation, 9–13
versus kernel-land exploits, 11–13, 12–13
memory, 4
multiple page mappings, 372
processes and scheduler, 13–14
stack, 26
User-land-to-kernel interface, 314
User-mode
APC, 381
buffer, accessing, 279, 280
mapping, 373
stack, 83
User-space
buffer, 280, 282, 328
on kernel space, 16–17
V
Virtual address space, 14, 15
Virtual Dynamically Linked Shared Object (vDSO), 403–407
Virtual memory, 14–17
Virtual memory management (VMM), 197
Virtual remote memcpy() primitive, 400
Virtual System Call Page (Vsyscall)
overwriting, 407–410
recovering, 413–414
vmlinux, 113
VMware, 283
Vulnerable dummy driver, 146–148
W
WDK. See Windows Driver Kit
WinDbg commands, 282, 284, 285, 285, 328
Windows Server 2003 32-bit overflow scenario, 321–334
fixing object table, 331–334
triggering exception, 326–331
user-space memory layout, 329
Windows Server 2008 64-bit overflow scenario, 334–339
index-based buffer overflow, 337
parent frame, 337–339
RtlCopyMemory() implementation, 335–337
Windows Server 2008 R2 64-bit, token structure, 294
Windows authorization model, 286–295
Windows Driver Kit (WDK), 277, 322
Windows kernel, 271–285
building shellcode, 295–308
debugging, 282–285
device I/O control, 278–279, 309, 310
information gathering, 272–276
I/O request packet dispatching, 278–279
user to kernel/kernel to user mode, 279–282
Windows kernel exploitation, 308–339
arbitrary memory overwrite, 308–319
leaking KPROCESS address, 314–319
one byte overwrite case study, 313
overwriting kernel control structures, 314–319
overwriting kernel dispatch tables, 311–313
stack buffer overflow, 319–339
Windows NT 5.x kernels, 295
Windows NT 6.x kernels, 295, 300, 304
Windows operating system, 270
version, detection of, 272
Windows SharedUserData area, 373–375, 379
Wireshark, 401–402
X
x86-32 architecture, 55–57, 361
x86-64 architecture, 53, 57–58, 88, 95, 361
interrupt/trap gate entry, 73
Xcode, 210, 211
XNU kernel, 195, 196–200
BSD component of, 197
IOKit in, 197–198, 214
Mach component of, 197
system call tables, 198–200
Z
Zone allocator, 253, 265