Exploit Developer’s Corner: Mr_me and Aurora DEP bypass

Exploit code: aurora-ie7-dep-bypass (WARNING: AV may report as malware)

Myne-us: Hello, this is the first interview for Exploit Developer’s Corner on securabit, and we are honored to have mr_me from net-ninja.net with us today. Hello mr_me, how are you today?

Mr_me: Hello, thank you for the warm welcome. I am good, thanks, and yourself?

Myne-us: doing great :)

Myne-us: So how long have you been doing exploit development?

Mr_me: I started exploit development approximately a year and a half ago now.

Myne-us: In that time you have provided a large number of proofs of concept for everyone. If you visit Mr_me EDB you will see that over the last year and a half mr_me has been very busy.

Myne-us: what got you started in exploit development?

Mr_me: Ahh yes, well I got started by taking Offensive Security’s BackTrack class, “OSCP”. Once I learnt the basics of what debugging a stack overflow was, I became hooked and it became like an obsession for me.

Mr_me: I generally provide working exploit code or PoCs so that maybe other researchers can share ideas and thus we heighten our knowledge of software security.

Myne-us: Sounds great, an excellent course. So today we are going to talk about your revision of the Aurora exploit that has a DEP bypass. This is the famous Aurora attack that hit Google in 2010.

Myne-us: So let’s start out with: how did you discover where the vulnerability is in IE to build this PoC (proof of concept)?

Mr_me: The vulnerability was discovered in the wild by an unknown person. I began with a blank canvas: a simple crash where the virtual function table is copied over from the ESI register.

Myne-us: Did you have a PoC at the time you wrote this, or did you have to dig for it?

Mr_me: There was a public PoC crash and exploit; however, I re-engineered it to perform a DEP bypass.

Myne-us: So the DEP bypass causes this exploit to work on more modern systems where the execution of malicious code is denied (DEP wikipedia). So because you were able to re-engineer this exploit to work in this way, pentesters are now able to use this in a pentest with a reliable protection bypass.

Mr_me: Exactly.

Myne-us: So can you give us the mile-high overview of the exploit? Then we will dig deeper.

Mr_me: So basically the concept is to inject your shellcode into the heap through a heap spray, load an object with a pointer to the shellcode, delete that object, and call the object through a virtual function, which directs us to our shellcode.

Mr_me: So during a pentest I had a hardened environment and had to demonstrate that vulnerabilities were still a critical security issue.

Myne-us: OK, so let’s break this down into smaller chunks. First, the heap spray: can you give an explanation of why you used one (Heap Spray Wikipedia)?

Mr_me: OK, so the reason the heap spray was used was to spray enough heap blocks to be able to find a reliable location for the call to the shellcode later on.

Mr_me: By doing this, I can force the Windows heap manager to allocate multiple chunks of heap data containing our shellcode at a predictable address.

Mr_me: With a decent spray and a consistent allocation size, an address that points to our shellcode is going to be highly accurate.

Myne-us: And in the exploit world that is very important. Reliability means testers do not crash your systems by accessing incorrect parts of memory.

Mr_me: Exactly.

Myne-us: What are some of the biggest challenges you came across when writing this?

Mr_me: Well, reliability, and hitting the correct location in the heap for my ROP code. Because the DEP bypass relies on pointers in memory, accuracy is a must.

Mr_me: If the return address was one byte off, the exploit would fail (no room for a sled).

Mr_me: Additionally, finding the correct gadgets and ensuring they are reliable is the second biggest hurdle. I had to ensure that the Windows library I chose was not patched too often by Microsoft.

Myne-us: ROP, return-oriented programming (Zynamics introduction to ROP), is a popular technique used to bypass DEP and jump to alternate memory locations by using code that already exists in memory. This basically allows you to use what the developer gave you to build out system calls to bypass DEP. Some challenges in ROP can be finding reliable addresses to use for your ROP gadgets and finding libraries that do not use ASLR (ASLR wikipedia).

Myne-us: So how did you get a reliable address loaded to jump to in memory for your shellcode, and what ROP techniques did you use?

Mr_me: The technologies are what I call complementary in operation. ASLR will prevent you from using return-oriented techniques, which are often needed to bypass DEP.

Mr_me: In my case I was presenting the attack in an environment where ASLR was not a problem; Windows XP SP3 does not have ASLR enabled by default.

Mr_me: However, if I had the restrictions of ASLR, I would be forced to possibly use a third-party DLL or the common mscorie.dll from .NET Framework version 2, which is installed by default on Windows 7.

Mr_me: Then I would have fixed address locations that I could use to develop a ROP payload and bypass ASLR & DEP in a single shot.

Myne-us: This is a very nice proof of concept for the Aurora attack that shows how using multiple development concepts can make a reliable exploit. This version mr_me wrote is going to be released here on the securabit site for readers to learn from and take notes.

Myne-us: What are your goals in exploit development?

Mr_me: Primarily it is to learn. I like to learn how software will behave a certain way, or how memory will work based on my input.

Mr_me: In terms of outcomes, I like to ensure that I have a reliable exploit that will attack many technology layers if required.

Myne-us: What do we have to look forward to from you in the future?

Mr_me: Well, I will continue my own learning curve (it’s steep, I promise) and continue to share knowledge where I can.

Mr_me: Quite possibly I will share some of my own ideas for bypassing certain mitigations in the near future.

Mr_me: But I have to make it to Immunity’s Master Class first!

Myne-us: Sounds great, and if you want to find out more information on mr_me you can always visit net-ninja.net, and to see his work in action you can view his EDB page at Mr_me EDB page.

Myne-us: Any closing remarks or anything you would like to promote?

Mr_me: Thanks for having me aboard.

Mr_me: I’d just like to say thanks to everyone at securabit and everyone that has contributed to helping me learn these techniques.

Myne-us: Thank you for being on :)

One Response to “Exploit Developer’s Corner: Mr_me and Aurora DEP bypass”

  1. hadji Samir says:

    yes Mr_me !!!