Automatic Shellcode Transplant for Remote Exploits

This research delves into the intricate world of exploiting vulnerabilities in software systems, focusing on topics like control flow hijacking and shellcode transplanting. The study uncovers methods to manipulate the flow of vulnerable programs to execute malicious code and strategies for integrating new code into existing exploits.

• Shellcode
• Exploits
• Vulnerabilities
• Control Flow Hijacking
• Software Security

melv Follow

Uploaded on Feb 17, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits Tiffany Bao, Fish Wang, Yan Shoshitaishvili, David Brumley Carnegie Mellon University & UC Santa Barbara

2. Exploits Denial of Service Exploits Web Applications Exploits Remote Exploits 1

3. Control Flow Hijacking A control flow hijacking exploit: Deviates the control flow of the vulnerable program, and Leads the program to carry out the malicious computation controlled by the attacker. 2

4. Control Flow Hijacking A control flow hijacking exploit: Deviates the control flow of the vulnerable program, and Leads the program to carry out the malicious computation controlled by the attacker. Shellcode 3

5. Steal a File Shellcode Existing Exploit 4

6. Steal a File Shellcode Install Malware Shellcode Existing Exploit Replacement Shellcode 5

7. Shellcode Transplant Steal a File Shellcode Install Malware Shellcode Existing Exploit Modified Exploit 6

8. Shellcode Transplant Steal a File Shellcode Install Malware Shellcode Existing Exploit Modified Exploit Replacement Shellcode 7

9. Shellcode Transplant f(S) S S While Executing Shellcode Existing Exploit 8

10. Previous Approach[1]: Symbolic Execution 9 [1] D. K. Sean Heelan. Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities.

11. Previous Approach: Symbolic Execution Captured Exploit 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. 10

12. Previous Approach: Symbolic Execution Captured Exploit 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. 23 f(s1) 90 f(s2) f(sn-1) f(sn) Memory 45 a0 11

13. Previous Approach: Symbolic Execution Captured Exploit 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. 23 f(s1) 90 f(s2) f(sn-1) f(sn) Memory 45 a0 2. Concretize the input with the replacement shellcode. 23 f(s1) 90 0x89 0xc4 f(sn) 45 a0 12

14. Previous Approach: Symbolic Execution Captured Exploit 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. f(sn-1) 23 f(s1) 90 f(s2) f(sn) Memory 45 a0 2. Concretize the input with the replacement shellcode. 23 f(s1) 90 0x89 0xc4 f(sn) 45 a0 Path Constraints Shellcode Constraints sk == 2 f(s2) == 0x89, 3. Solve the constraints. s1=0x80, s2=0x72, s3=0x08, s4=0xc3, 13

15. Previous Approach: Limitation Captured Exploit sk 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. f(sn-1) f(sk) 23 f(s1) 90 f(s2) f(sn) Memory 45 a0 2. Concretize the input with the replacement shellcode. 23 f(s1) 90 0x89 0xc4 f(sn) 45 a0 Path Constraints Shellcode Constraints if (sk == 2) vuln(); f(s2) == 0x89, Contradiction sk == 2 sk == 1 14

16. Previous Approach: Limitation Captured Exploit sk 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. f(sn-1) f(sk) 23 f(s1) 90 f(s2) f(sn) Memory 45 a0 2. Concretize the input with the replacement shellcode. 23 f(s1) 90 0x89 0xc4 f(sn) 45 a0 Path Constraints if (sk == 2) blah(); vuln(); Shellcode Constraints f(s2) == 0x89, Contradiction sk == 2 sk == 1 15

17. Our Work: ShellSwap Captured Exploit sk 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. f(sn-1) f(sk) 23 f(s1) 90 f(s2) f(sn) Memory 45 a0 2. Concretize the input with the replacement shellcode. 23 f(s1) 90 0x89 0xc4 f(sn) 45 a0 Path Constraints if (sk == 2) blah(); vuln(); Path Kneading Shellcode Constraints f(s2) == 0x89, Layout Remediation sk == 2 sk == 1 16

18. Our Work: ShellSwap Captured Exploit sk 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. f(sn-1) f(sk) 23 f(s1) 90 f(s2) f(sn) Memory 45 a0 2. Concretize the input with the replacement shellcode. 23 f(s1) 90 0x89 0xc4 f(sn) 45 a0 Path Constraints if (sk == 2) blah(); vuln(); Path Kneading Shellcode Constraints f(s2) == 0x89, Layout Remediation sk == 2 sk == 1 17

19. Layout Remediation Replacement Shellcode xor %esi,%esi mov %eax,0 push %ecx int 80 jmp jmp jmp jmp 18

20. Layout Remediation Path Constraints sk == 1 Replacement Shellcode 2 sk 19

21. Layout Remediation Path Constraints sk == 1 Replacement Shellcode 2 sk 20

22. Layout Remediation Path Constraints Shellcode Constraints sk == 1 sk == 2 Replacement Shellcode 2 sk 21

23. Layout Remediation Path Constraints Shellcode Constraints sk == 1 sk == 2 Replacement Shellcode 2 sk jmp 22

24. Layout Remediation Path Constraints Shellcode Constraints sk == 2 sk+3 == 2 sk == 1 Replacement Shellcode sk 2 jmp 23

25. Layout Remediation May Fail Replacement Shellcode sk 2 jmp Not Enough Space! 24

26. Our Work: ShellSwap Captured Exploit sk 23 s1 s2 sn-1 a0 sn 90 45 1. Execute the program with symbolic inputs. f(sn-1) f(sk) 23 f(s1) 90 f(s2) f(sn) Memory 45 a0 2. Concretize the input with the replacement shellcode. 23 f(s1) 90 0x89 0xc4 f(sn) 45 a0 Path Constraints if (sk == 2) blah(); vuln(); Path Kneading Shellcode Constraints f(s2) == 0x89, Layout Remediation sk == 2 sk == 1 25

27. Path Kneading Path Constraints Shellcode Constraints sk == 1 sk == 2 2 sk if (sk == 1) blah(); vuln(); foo(); return(0); Path Exploration 26

28. Restricting Path Exploration Explored paths are only allowed to deviate once. if (sk == 1) Original Path Explored Path yes no blah() vuln() foo() return(0) 27

29. Path Kneading Path Constraints Shellcode Constraints sk == 1 sk == 2 2 sk if (sk == 1) blah(); vuln(); foo(); return(0); Path Exploration 28

30. Path Kneading Path Constraints Shellcode Constraints sk != 1 sk == 2 2 sk if (sk == 1) blah(); vuln(); foo(); return(0); Path Exploration 29

31. Evaluation 20 original exploits from the Cyber Grand Challenge 5 new shellcodes from 3 different authors 20 * 5 = 100 different cases 30

32. Effectiveness Previous Work 100 80 60 40 31 20 0 31 [1] D. K. Sean Heelan. Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities.

33. Effectiveness Previous Work Layout Remediation 100 85 80 Path Kneading 57 60 40 31 31 20 0 32

34. Efficiency 60/85 (>70%) exploits were generated within 3 minutes. Time for Shellcode Transplant 100000 Time in Seconds 10000 1000 100 10 1 1 6 11 16 21 26 31 36 41 46 51 56 61 66 71 76 81 Generated Exploits (Sorted by Time in Ascending Order) 33

35. Conclusion Reusing control flow hijacking exploits can be done automatically. Symbolic execution extensions made this possible. Layout Remediation Path Kneading ShellSwap: 85% vs. Previous method: 31% 70%+ of the successful exploits can be automatically generated in 3 minutes. 34

36. Thank You! Questions? 35

37. Wait, Are We Too Evil? Automatic Proof-of-Vulnerability generation based on detected exploits from the wild Think about collateral damage 36

38. Effectiveness Previous Work 100 80 60 40 31 20 0 Previous Work[1] 39 [1] D. K. Sean Heelan. Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities.