Pages

Saturday, March 8, 2014

Bypass Anti-Executable Protection

This shows some methods to bypass client-side anti-executable protection, with examples from EXE Radar Pro software. To do this, we can:
  • Use Thread Local Storage callbacks, which were not blocked, to run arbitrary code. 
  • Masquerade as a white-listed library to execute code past the filters. 
  • Execute 16-bit executables, which were not blocked or registered by the ERP application filters.

1 TLS Callbacks

1.1 Description

Processes and Threads

An application consists of one or more processes. A process is an executing program. One or more threads run in the context of the process. A thread is the basic unit to which the operating system allocates processor time. A thread can execute any part of the process code, including parts currently being executed by another thread.

Thread Local Storage

All threads of a process share its virtual address space. The local variables of a function are unique to each thread that runs the function. However, the static and global variables are shared by all threads in the process. Thread local storage (TLS) enables multiple threads of the same process to use a global index allocated by the TlsAlloc function to store and retrieve a value that is local and unique to each thread.

TLS Callbacks

The TLS area can also be used to store code. Functions can be defined per thread that will be called before execution. When Windows loads the binary into memory, if there is any code defined in TLS it will execute it, before starting executing instructions from main entry point of the executable.

Detect

We can use PEview to inspect the TLS Directory, locate in the .DATA section:

1.2 Bypass

There is no simple official way of programatically create TLS callbacks. Nynaeve's tutorial on compiling and linking support for TLS reveals important details. The compiler and linker use a variable of type IMAGE_TLS_DIRECTORY (declared in tlssup.c) that is statically linked into every program to represent the TLS directory. The TLS directory is part of the PE header of an executable. The linker looks for a variable by the name of _tls_used and ensures that in the on-disk image, it overlaps with the actual TLS directory in the final image. More information regarding the members of the IMAGE_TLS_DIRECTORY structure are available online. 
The created program will register two TLS callbacks. The second one calls ExitProcess() at the end, so the code of the main() function is actually never executed
The program will execute the code in the two TLS callbacks and exit, without being detected:


2 Whitelisted NVCPL.DLL

2.1 Description

The default whitelist contains a section with allowed command lines. The first command string allowed to run is specified like this:

rundll32 NVCPL.DLL,NvCplHandleHotplugEvents *


NVCPL is the NVidia driver. The syntax for rundll32 is:

> Rundll32.exe DLL_NAME,Entry_Point Optional_Argument

Parameters:

DLL_NAME - If DLL_NAME is not specified with full path, Rundll32 will search for it in the directories defined in the %PATH% environment variable. To ensure the correct DLL is called, it’s recommended to specify it in full path.

Entry_Point - The name of the exported function, that’s to be called by Rundll32.exe.

Optional Argument - Non-compulsory parameters to be passed to the function.

2.2 Bypass

We can create a DLL with the same name in the current folder, with a function named “NvCplHandleHotplugEvents”. In case the NVIDIA driver doesn't exist, the function from our crafted DLL will be called. We can then execute code without being blocked by ERP, by using the same command line mentioned in the whitelist:
This event is listed as a whitelisted command being run:


3 16 bit .COM executables

3.1 Description

COM files are a type of executables. The .COM executable has no header and contains only code and data. It lacks relocation information and it is loaded by the operating system at a pre-set address, at offset 0100h. Support for legacy DOS and 16-bit Windows programs is available in 32-bit versions of Windows through NTVDM (Virtual DOS Machine).

3.2 Bypass

It is possible to run a .com executable without being detected by ERP. Some tests revealed that NTVDM.exe was registered as an allowed process in the events list. The following simple executable prints a message and exits without even being registered in the events list:


The source code for the demos can be found here.


Time-line


08/09/2013 - Vendor notified about TLS Callbacks vulnerability

09/09/2013 - Vendor acknowledged TLS Callbacks issue
09/09/2013 - TLS Callbacks issue is addressed in a new beta version - 3.0
16/09/2013 - Vendor notified about NVCPL library issue and 16-bi COM files code execution
19/09/2013 - Vendor acknowledged the previous 2 issues. These are reported as corrected in 3.0 version which will be released 

References
A Quick Look At TLS Callbacks
R4ndoms Tutorial #23: TLS Callbacks
Thread Local Storage, part 3: Compiler and linker support for implicit TLS
Thread Local Storage - MSDN
COM file - Wikipedia
Virtual DOS Machine - Wikipedia
 

Sunday, March 2, 2014

Cracking the Perimeter - Course and Exam Review

After OSCP exam, I was eager to start the CTP training as soon as possible. The course is mostly assembly based. I've spent most of the time in OllyDbg. Besides that, the course has a also web based module, and a networking module. All of them are very interesting and require extra reading and practice to fully understand and be able to reproduce the techniques (during the stressful exam hours!).

Before being able to register for the CTP training, you're required to pass a short, fun, multi-staged challenge. You can attempt the challenge before paying for the actual course. The challenge starts on the web and finishes with some low-level assembly stuff. If you liked the challenge you'll definitely love the course.

Reading through other reviews, I didn't dive straight into the course after the challenge. I prepared by going through various exploit development resources. The following sites group together a lot of techniques and are very detailed and relevant:
Corelan exploit development tutorials
FuzzySecurity Exploit tutorials

One month of lab time is more than enough to complete the exercises from all the chapters in the course, but extra work will prove very useful. Also, as a prerequisite, python and some reverse engineering skills helped a lot. Especially for the manual shellcode encoding module, which requires some automation. Fun times!

The exam is not easy and requires concentration (and inspiration:), not only a good understanding of the techniques used in the lab. The problems cover all the topics from the lab (including the one you're thinking "I won't get this, it's impossible to get it done in time!"). Some problems have small tricks (which may seem bigger, depending on how confident you are about the topic and ultimately how much you've practised).
I've used both the allocated days for the exam, with a lot of sleep in between (~8h). It's very important not to panic and, if something doesn't work, keep hammering :)

Overall, I learned a lot while preparing for the exam. The course is stimulating and very interesting, even though some may say that now there are new techniques.

In the end you get out what you put in. If you need motivation, find your dinosaur and do it!