
@yrp604
yrp604 / fat-bear-2023.md
Created October 3, 2023 06:07
fat bear 2023

It’s time for Degenerate Fat Bear Week, the week where we degenerately gamble and talk shit on the results of an anonymous online poll! (for charity)

FAQ

What is fat bear week?

Katmai National Park in Alaska has a lot of bears in it. Every year they put a bunch of bears into a bracket, and everyone on the internet can vote for who they think is the fattest. We gamble on the results of this anonymous online voting, because we are degenerates. This year you can see the bracket here:


@yrp604
yrp604 / unimpl.py
Last active October 30, 2020 09:15
binja unimplemented instructions snip
# unlifted instructions
# (the gist listing cuts this snippet off after the for loop; the loop body
# and the final report below are a reconstruction, not the original text)
from collections import defaultdict
from binaryninja.enums import LowLevelILOperation
unlifted = defaultdict(list)
print('unlifted instructions in bndb')
for ll in bv.llil_instructions:  # bv: the BinaryView global in Binary Ninja's script console
    # LLIL_UNIMPL / LLIL_UNIMPL_MEM mark instructions the architecture plugin did not lift
    if ll.operation in (LowLevelILOperation.LLIL_UNIMPL, LowLevelILOperation.LLIL_UNIMPL_MEM):
        unlifted[ll.function.source_function.name].append(ll.address)
for name, addrs in unlifted.items():
    print(name, [hex(a) for a in addrs])
@yrp604
yrp604 / ida695sdk-macos1012.md
Last active December 27, 2017 19:49
IDA 6.95 SDK on macOS 10.12

Instructions for compiling the IDA 6.95 SDK on macOS 10.12 with Xcode 8

I have no idea if this is the best way to do this (is it really required to compile QT?) but it works for me. This is also reconstructed from the history of a few terminal windows, so it's entirely possible I'm forgetting something.

Start by following the install_linux.txt instructions. You'll need to copy libida.dylib and libida64.dylib into bin in the SDK root. Additionally, that bin directory should be in your PATH. Finally, make bin/idamake.pl executable. All of this is covered in the SDK docs.

@yrp604
yrp604 / xnu-syscall-life-amd64.md
Last active October 2, 2023 15:59
The life of an XNU unix syscall on amd64

XNU syscall path

Chart

             +------------------+
             |These push their  |                                  +-----------------------+
             |respective syscall|                                  |This overwrites the    |
             |dispatch functions|                                  |saved dispatch function|
             |onto the stack    |                                  |with hndl_alltraps     |
@yrp604
yrp604 / cfi-notes.md
Last active December 13, 2021 07:28
CFI Notes

Starting in clang 3.7 they've introduced a new argument -fsanitize=cfi which aims to protect indirect calls from overwrites.

All the code and binaries I used can be downloaded here

Protecting C Function pointers

First, I thought I would look at how CFI applied to simple C structs with function pointers. After fighting with the compiler to get it to stop optimizing my code (i.e. call <puts> instead of call rcx because clang realized that rcx was always going to be puts(3)), I got it calling things from memory. However, there was no CFI protection on the call. I played around with this a bit (interestingly, clang will optimize use of un-initialized memory to the ud2 instruction) but was unable to get any CFI protection in place.

Protecting C++ virtual calls

Reading a bit of the clang manual, it talked a lot about C++ virtual methods, so I thought I would look at those. I also played around with non virtual calls, those were replaced with static cal

@yrp604
yrp604 / safe-stack-notes.md
Last active March 29, 2017 01:20
Safe Stack Notes

Note: I've only briefly read the related CPI paper (PDF), this is just initial impressions after playing around with it a bit.

All the code and binaries I used can be downloaded here. Note that I removed -DFORTIFY_SOURCE=2 to make the examples a bit simpler.

-fsanitize=safe-stack basically seems to move stack-based buffers off the actual stack, onto another segment of memory (I'll call it the fake stack). The actual stack then stores references to this segment. For example:

char buf[20];
printf("%p\n", buf);
Kreading klist:
Attack the Core - http://www.amazon.com/Guide-Kernel-Exploitation-Attacking-Core/dp/1597494860
Kernel Exploitation Notes - http://phrack.org/issues/64/6.html#article
Stack Jacking - https://jon.oberheide.org/blog/2011/04/20/stackjacking-your-way-to-grsec-pax-bypass/
Smashing the Kernel Stack for Fun and Profit- http://phrack.org/issues/60/6.html
A XNU Hope - http://phrack.org/issues/64/11.html
Core Security OpenBSD IPv6 Remote Kernel Exploit - http://www.coresecurity.com/content/open-bsd-advisorie
802.11 Wireless Vulnerabilities on Windows - http://www.uninformed.org/?v=6&a=2&t=sumry
Abusing Mach on OS X - http://www.uninformed.org/?v=4&a=3&t=sumry