Fun with symbolic execution: Exploit development and deobfuscation
Carl Svensson
SEC-T 2018, September 13, 2018
Slide 1: About me
• Carl Svensson, 27
• MSc in Computer Science, KTH
• Head of Security, Kry
• CTF-player, HackingForSoju
• calle.svensson@zeta-two.com
• @zetatwo
• https://zeta-two.com
Slide 2: Symbolic execution
• Pro: Explore "all" paths
• Symbols vs. concrete values
• Con: Exponential complexity

Slide 3: Once again, with fee... angr
• "python framework for analyzing binaries"
• "both static and dynamic symbolic (concolic)"
• Computer Security Lab at UC Santa Barbara
• Uses Z3 internally

Slide 4: Exploitation
• Satisfy condition
• IP control

Slide 5: Exploitation with angr
• Constrain execution
• Find execution path
• Satisfy condition

Slide 6: Example from Security Fest CTF
• Index OOB
• Function pointer lookup
• Hook messy function
Slides 7 to 10: angr exploitation example

Slide 11: angr exploitation example
    > python exploit_angr.py
    Choice: 2147483648
    RDX: fffffffffffffffe
    > ./bowrain_581bbadaafd23051a25ccb4adc80b670
    ... : 2147483648
    [1] 17059 segmentation fault (core dumped)
Slide 12: Deobfuscation

Slide 13: Obfuscation
• Make code hard to read
    • for humans
    • for computers
• Control flow flattening
• Packer
• Dropper
• VM
• Dead code

Slide 14: Deobfuscation in general
• Hard problem
• Undo the mess

Slide 15: Deobfuscation of dead code with angr
• Prove uniqueness of value
• Prove that dead code is dead
Slide 16: Example: indirect jmp deobfuscator

Slide 17: Example from mobile app
• Find "jmp reg"
• Search callgraph backwards
• Search forward
• Simplify expression
• Replace code

Slides 18 to 21: Example: indirect jmp deobfuscator

Slide 21: Thanks for listening!