The Art of Reverse-Engineering Flash Exploits [email protected]
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Heap Feng Shui in Javascript
Heap Feng Shui in JavaScript Alexander Sotirov <[email protected]> Introduction The exploitation of heap corruption vulnerabilities on the Windows platform has become increasingly more difficult since the introduction of XP SP2. Heap protection features such as safe unlinking and heap cookies have been successful in stopping most generic heap exploitation techniques. Methods for bypassing the heap protection exist, but they require a great degree of control over the allocation patterns of the vulnerable application. This paper introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. We present a JavaScript library with functions for setting up the heap in a controlled state before triggering a heap corruption bug. This allows us to exploit very difficult heap corruption vulnerabilities with great reliability and precision. We will focus on Internet Explorer exploitation, but the general techniques presented here are potentially applicable to any other browser or scripting environment. Previous work The most widely used browser heap exploitation technique is the heap spraying method developed by SkyLined for his Internet Explorer IFRAME exploit. This technique uses JavaScript to create multiple strings containing a NOP slide and shellcode. The JavaScript runtime stores the data for each string in a new block on the heap. Heap allocations usually start at the beginning of the address space and go up. After allocating 200MB of memory for the strings, any address between 50MB and 200MB is very likely to point at the NOP slide. Overwriting a return address or a function pointer with an address in this range will lead to a jump to the NOP slide and shellcode execution. -
A Defense Against Heap-Spraying Code Injection Attacks
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan Benjamin Livshits and Benjamin Zorn Cornell University Microsoft Research Ithaca, NY Redmond, WA November 19, 2008 Microsoft Research Technical Report MSR-TR-2008-176 nnoozzllee 1 Abstract Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage their ability to allocate arbitrary objects in the heap of a type-safe language, such as JavaScript, literally filling the heap with objects that contain danger- ous exploit code. In recent years, spraying has been used in many real security exploits, especially in web browsers. In this paper, we describe Nozzle, a runtime monitoring infrastructure that detects attempts by attackers to spray the heap. Nozzle uses lightweight emulation techniques to detect the presence of objects that contain executable code. To reduce false positives, we developed a notion of global “heap health”. We measure the effectiveness of Nozzle by demonstrating that it successfully detects 12 published and 2,000 synthetically generated heap-spraying exploits. We also show that even with a detection threshold set six times lower than is required to detect published ma- licious attacks, Nozzle reports no false positives when run over 150 popular Internet sites. Using sampling and concurrent scanning to re- duce overhead, we show that the performance overhead of Nozzle is less than 7% on average. While Nozzle currently targets heap-based spraying attacks, its techniques can be applied to a more general class of attacks in which an attacker attempts to fill the address space with dangerous code objects. -
Archons (Commanders) [NOTICE: They Are NOT Anlien Parasites], and Then, in a Mirror Image of the Great Emanations of the Pleroma, Hundreds of Lesser Angels
A R C H O N S HIDDEN RULERS THROUGH THE AGES A R C H O N S HIDDEN RULERS THROUGH THE AGES WATCH THIS IMPORTANT VIDEO UFOs, Aliens, and the Question of Contact MUST-SEE THE OCCULT REASON FOR PSYCHOPATHY Organic Portals: Aliens and Psychopaths KNOWLEDGE THROUGH GNOSIS Boris Mouravieff - GNOSIS IN THE BEGINNING ...1 The Gnostic core belief was a strong dualism: that the world of matter was deadening and inferior to a remote nonphysical home, to which an interior divine spark in most humans aspired to return after death. This led them to an absorption with the Jewish creation myths in Genesis, which they obsessively reinterpreted to formulate allegorical explanations of how humans ended up trapped in the world of matter. The basic Gnostic story, which varied in details from teacher to teacher, was this: In the beginning there was an unknowable, immaterial, and invisible God, sometimes called the Father of All and sometimes by other names. “He” was neither male nor female, and was composed of an implicitly finite amount of a living nonphysical substance. Surrounding this God was a great empty region called the Pleroma (the fullness). Beyond the Pleroma lay empty space. The God acted to fill the Pleroma through a series of emanations, a squeezing off of small portions of his/its nonphysical energetic divine material. In most accounts there are thirty emanations in fifteen complementary pairs, each getting slightly less of the divine material and therefore being slightly weaker. The emanations are called Aeons (eternities) and are mostly named personifications in Greek of abstract ideas. -
How Superman Developed Into a Jesus Figure
HOW SUPERMAN DEVELOPED INTO A JESUS FIGURE CRISIS ON INFINITE TEXTS: HOW SUPERMAN DEVELOPED INTO A JESUS FIGURE By ROBERT REVINGTON, B.A., M.A. A Thesis Submitted to the School of Graduate Studies in Partial Fulfillment of the Requirements for the Degree of Master of Arts McMaster University © Copyright by Robert Revington, September 2018 MA Thesis—Robert Revington; McMaster University, Religious Studies McMaster University MASTER OF ARTS (2018) Hamilton, Ontario, Religious Studies TITLE: Crisis on Infinite Texts: How Superman Developed into a Jesus Figure AUTHOR: Robert Revington, B.A., M.A (McMaster University) SUPERVISOR: Professor Travis Kroeker NUMBER OF PAGES: vi, 143 ii MA Thesis—Robert Revington; McMaster University, Religious Studies LAY ABSTRACT This thesis examines the historical trajectory of how the comic book character of Superman came to be identified as a Christ figure in popular consciousness. It argues that this connection was not integral to the character as he was originally created, but was imposed by later writers over time and mainly for cinematic adaptations. This thesis also tracks the history of how Christians and churches viewed Superman, as the film studios began to exploit marketing opportunities by comparing Superman and Jesus. This thesis uses the methodological framework of intertextuality to ground its treatment of the sources, but does not follow all of the assumptions of intertextual theorists. iii MA Thesis—Robert Revington; McMaster University, Religious Studies ABSTRACT This thesis examines the historical trajectory of how the comic book character of Superman came to be identified as a Christ figure in popular consciousness. Superman was created in 1938, but the character developed significantly from his earliest incarnations. -
The Sinking Man Richard A
Iowa State University Capstones, Theses and Retrospective Theses and Dissertations Dissertations 1990 The sinking man Richard A. Malloy Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/rtd Part of the Fiction Commons, Literature in English, North America Commons, and the Poetry Commons Recommended Citation Malloy, Richard A., "The sinking man" (1990). Retrospective Theses and Dissertations. 134. https://lib.dr.iastate.edu/rtd/134 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Retrospective Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. The sinking man by Richard Alan Malloy A Thesis Submitted to the Graduate Faculty in Partial Fulfillment of the Requirements for the Degree of MASTER OF ARTS Major: English Approved: Signature redacted for privacy Signature redacted for privacy Signature redacted for privacy For the Graduate College Iowa State University Ames, Iowa 1990 Copyright @ Richard Alan Malloy, 19 9 0. All rights reserved. ----~---- -~--- -- ii TABLE OF CONTENTS page CATERPILLARS 1 ONE ACRE FARM 7 CLIFFS 11 DUMPS 14 DOWN OUT OF UP 21 THE GIVER 22 TWELVE-PACK JUNKER 36 RELUCTANT SHOOTER 45 TAR YARD 50 IDLE AFTER HOURS AT MY DESK 57 SOMETHING UNDER MY FOOT 59 WINNOCK 61 PALE MEADOW 66 NOBILITY 76 THE SINKING MAN 78 DUMBBELLS 84 A LATE SHARED VISION 90 THE COMMITMENT 92 1 CATERPILLARS Bill kneaded the thin skin over his sternum. -
Jitdefender: a Defense Against JIT Spraying Attacks
JITDefender: A Defense against JIT Spraying Attacks Ping Chen, Yi Fang, Bing Mao, and Li Xie State Key Laboratory for Novel Software Technology, Nanjing University Department of Computer Science and Technology, Nanjing University, Nanjing 210093 {chenping,fangyi,maobing,xieli}@nju.edu.cn Abstract. JIT spraying is a new code-reuse technique to attack virtual machines based on JIT (Just-in-time) compilation. It has proven to be capable of circum- venting the defenses such as data execution prevention (DEP) and address space layout randomization(ASLR), which are effective for preventing the traditional code injection attacks. In this paper, we describe JITDefender, an enhancement of standard JIT-based VMs, which can prevent the attacker from executing arbi- trary JIT compiled code on the VM. Thereby JITDefender can block JIT spraying attacks. We prove the effectiveness of JITDefender by demonstrating that it can successfully prevent existing JIT spraying exploits. JITDefender reports no false positives when run over benign actionscript/javascript programs. In addition, we show that the performance overhead of JITDefender is low. 1 Introduction In recent years, attackers have resorted to code-reuse techniques instead of injecting their own malicious code. Typical techniques are Return-oriented Programming (ROP) [21], BCR [12] and Inspector [11]. Different code-reuse attacks launch the attack based on different codebases, including the application, shared libraries or even the kernel. However, all the techniques need to find useful instruction sequence in the codebase, and the task is tedious and costly in practice. Recently, a new code-reuse attack named JIT (Just-In-Time) spraying was proposed by Blazakis [10]. -
Running Order
Runnnig Order 2018 Master National Flights (Dogs Listed in Numeric Order) FLIGHT # DOGNAME OWNER BR SEX HANDLER Flight A A 1 Oakview Rough And Tough Enough MH Laurice Williams Lab M Stephen Durance A 2 Big Muddy's Rivers Rising Fast MH Randy McLean Lab F Scott Greer A 3 Banjo's Fever Is Boomin MH Adam Gonzalez Lab M Adam Gonzalez A 4 Stickponds Abra-Ca-Dabra MH Becky Williams Lab F Becky Williams A 5 DMR Golden Boy's Black Magic MH Lillian Logan Lab F Doug Shade A 6 Black Dude's Sergeant Pepper MH Hunter Lamar Lab M Stephen Durrence A 7 Bustin' Water's She's No Mirage MH Gary Metzger Lab F Lauren Springer A 8 Black Powder Cali Tnt's Blasting Cap MH A Christy Lab M Scott Greer A 9 Island Acres Stitch and Glue MH Brian Norman Lab F Brian Norman A 10 Silver State's Home Means Nevada MH Carole Gardner Lab F Carole Gardner A 11 Brody Cooper Oakridge Fender MH James Fender Lab M Stephen Durrence A 12 SUNRISE RUBY RAYNE MH MNH5 Sidney Sondag Lab F Sid Sondag A 13 Island Acres Hot Shot MH Lynn & Jack Loacker Golden F Doug Shade A 14 Rough'N Tumble MH Kenneth McCune Lab M Caroline Davis A 15 Cape Rock's Every Which Way But Loose MH Randy Lampley Lab M Scott Greer A 16 Cannon's Big League Trouble MH Chris Cannon Lab F Stephen Durrence A 17 Cooter Holand III "Tres" MH Joseph Holand Lab M Lauren Springer A 18 Healmarks Sam I Am MH Becky Williams Lab M Becky Williams A 19 Gator Points Miss TAMU MH R Bower/J Bower Lab F Mandy Cieslinski A 20 Castile Creeks Have Gun Will Travel MH Art Stoner Lab M Art Stoner A 21 CH Rippling Waters Miss Francine MH -
Fighting the War in Memory
Fighting the War in Memory Software Vulnerabilities and Defenses Today Antonio Hüseyin Barresi 2014 2 MorrisMorris WormWorm 3 Long ago – late 1980s • On November 2, 1988 the Morris Worm was released • Mainstream media attention • Conviction under the Computer Fraud and Abuse Act • First well-known program exploiting a buffer overflow http://en.wikipedia.org/wiki/Morris_worm 4 25 years later Memory errors and memory corruption vulnerabilities are still an issue! 5 This talk is about • Why these bugs are still a concern • How exploits work • Modern defenses 6 MotivationMotivation 7 Today, 2014 • Memory errors are still a problem • “Unsafe“ languages like C/C++ very popular • Prediction: C/C++ will be with us for a long time • Yes, there are alternatives... sometimes • Criminals found ways of monetization • Software systems are gaining complexity http://www.langpop.com/ http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html 8 Terminology Exploit “An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to...“ Zero-Day Attack “A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, ...“ http://en.wikipedia.org/wiki/Exploit_(computer_security) http://en.wikipedia.org/wiki/Zero-day_attack 9 Attacks Victim Attacker Runs a malicious web server serving HTML documents that trigger a memory error within the web browser Runs a vulnerable web browser or PDF reader Sends a malicious PDF attachement by email Exploits memory error within vulnerable victim software GET /index.html HTTP/1.1 Host: www.vulnsite.com Keep-Alive: 300 Connection: keep-alive $>./exploit 192.168.1.28 Cookie: CID=r2t5uvjq43 5r4q7ib3vtdjq120f83jf8 .. -
Flashdetect: Actionscript 3 Malware Detection
FlashDetect: ActionScript 3 malware detection Timon Van Overveldt1, Christopher Kruegel23, and Giovanni Vigna23 1 Katholieke Universiteit Leuven, Belgium, [email protected] 2 University of California, Santa Barbara, USA, {chris,vigna}@cs.ucsb.edu 3 Lastline, Inc. Abstract. Adobe Flash is present on nearly every PC, and it is in- creasingly being targeted by malware authors. Despite this, research into methods for detecting malicious Flash files has been limited. Similarly, there is very little documentation available about the techniques com- monly used by Flash malware. Instead, most research has focused on JavaScript malware. This paper discusses common techniques such as heap spraying, JIT spraying, and type confusion exploitation in the context of Flash mal- ware. Where applicable, these techniques are compared to those used in malicious JavaScript. Subsequently, FlashDetect is presented, an off- line Flash file analyzer that uses both dynamic and static analysis, and that can detect malicious Flash files using ActionScript 3. FlashDetect classifies submitted files using a naive Bayesian classifier based on a set of predefined features. Our experiments show that FlashDetect has high classification accuracy, and that its efficacy is comparable with that of commercial anti-virus products. Keywords: Flash exploit analysis, malicious ActionScript 3 detection, Flash type confusion 1 Introduction Adobe Flash is a technology that provides advanced video playback and anima- tion capabilities to developers through an advanced scripting language. The files played by Flash, called SWFs, are often embedded into webpages to be played by a browser plugin, or are embedded into a PDF file to be played by a copy of the Flash Player included in Adobe’s Acrobat Reader. -
Towards Automated Generation of Exploitation Primitives for Web
Towards Automated Generation of Exploitation Primitives for Web Browsers Behrad Garmany Martin Stoffel Robert Gawlik Ruhr-Universität Bochum Ruhr-Universität Bochum Ruhr-Universität Bochum [email protected] [email protected] [email protected] Philipp Koppe Tim Blazytko Thorsten Holz Ruhr-Universität Bochum Ruhr-Universität Bochum Ruhr-Universität Bochum [email protected] [email protected] [email protected] ABSTRACT ACM Reference Format: The growing dependence on software and the increasing complexity Behrad Garmany, Martin Stoffel, Robert Gawlik, Philipp Koppe, Tim Blazytko, of such systems builds and feeds the attack surface for exploitable and Thorsten Holz. 2018. Towards Automated Generation of Exploitation Primitives for Web Browsers. In 2018 Annual Computer Security Applications vulnerabilities. Security researchers put up a lot of effort to de- Conference (ACSAC ’18), December 3–7, 2018, San Juan, PR, USA. ACM, New velop exploits and analyze existing exploits with the goal of staying York, NY, USA, 13 pages. https://doi.org/10.1145/3274694.3274723 ahead of the state-of-the-art in attacks and defenses. The urge for automated systems that operate at scale, speed and efficiency is 1 INTRODUCTION therefore undeniable. Given their complexity and large user base, Software vulnerabilities pose a severe threat in practice as they web browsers pose an attractive target. Due to various mitigation are the root cause behind many attacks we observe on the In- strategies, the exploitation of a browser vulnerability became a ternet on a daily basis. A few years ago, attackers shifted away time consuming, multi-step task: creating a working exploit even from server-side vulnerabilities to client-side vulnerabilities. -
"Superman" by Wesley Strick
r "SUPERMAN" Screenplay by Wesley Strick Jon Peters Entertainment Director: Tim Burton Warner Bros. Pictures July 7, 1997 y?5^v First Draft The SCREEN is BLACK. FADE IN ON: INT. UNIVERSITY CORRIDOR - LATE NIGHT A YOUNG PROFESSOR hurries down the empty hall — hotly murmuring to himself, intensely concerned ... A handsome man, about 30, but dressed strangely — are we in some other country? Sometime in the past? Or in the future? YOUNG PROFESSOR It's switched off ... It can't be ... But the readings, what else — The Young Professor reaches a massive steel door, like the hatch of a walk-in safe. Slides an ID card, that's emblazoned with a familiar-looking "S" shield: the door hinges open. The Young Professor pauses — he hadn't noted, till now, the depths of his fear. Then, enters: INT. UNIVERSITY LAB - LATE NIGHT Dark. The Professor tries the lights. Power is off. Cursing, he's got just enough time, as the safe door r swings closed again, to find an emergency flashlight. He flicks it on: plays the beam over all the bizarre equipment, the ultra-advanced science paraphernalia. Now he hears a CREAK. He spins. His voice quavers. YOUNG PROFESSOR I.A.C. ..? His flashlight finds a thing: a translucent ball perched atop a corroding pyramid shape. It appears inanimate. YOUNG PROFESSOR (cont'd) Answer me. And finally, from within the ball, a faint alow. Slyly: BALL How can I? You unplugged me, Jor- El ... Remember? Recall? The Young Professor -- JOR-EL -- looks visibly shaken. y*fi^*\ (CONTINUED) CONTINUED: JOR-EL I did what I had to, I.A.C. -
A M E R I C a N C H R O N I C L E S the by JOHN WELLS 1960-1964
AMERICAN CHRONICLES THE 1960-1964 byby JOHN JOHN WELLS Table of Contents Introductory Note about the Chronological Structure of American Comic Book Chroncles ........ 4 Note on Comic Book Sales and Circulation Data......................................................... 5 Introduction & Acknowlegments................................. 6 Chapter One: 1960 Pride and Prejudice ................................................................... 8 Chapter Two: 1961 The Shape of Things to Come ..................................................40 Chapter Three: 1962 Gains and Losses .....................................................................74 Chapter Four: 1963 Triumph and Tragedy ...........................................................114 Chapter Five: 1964 Don’t Get Comfortable ..........................................................160 Works Cited ......................................................................214 Index ..................................................................................220 Notes Introductory Note about the Chronological Structure of American Comic Book Chronicles The monthly date that appears on a comic book head as most Direct Market-exclusive publishers cover doesn’t usually indicate the exact month chose not to put cover dates on their comic books the comic book arrived at the newsstand or at the while some put cover dates that matched the comic book store. Since their inception, American issue’s release date. periodical publishers—including but not limited to comic book publishers—postdated