logo

E²VA: Stack Buffer Overflow Module (Part 3)

Exploitation of EasyStackBufferOverflowModule

This article describes exploitation of the EasyStackBufferOverflowModule. During exploitation, various Android - specific caveats are discussed.

Assumptions

We will assume that we have successfully grabbed a copy of the .apk file of damnvulnerableapp. Also, we will not discuss how to unpack an .apk file, but rather assume that we have access to libEasyStackBufferOverflowModule.so and the EasyStackBufferOverflowModule class. If it is unclear how to get access to these components when only given an .apk file, read the previous blog posts first!

9 minutes to read
Pascal Kühnemann

E²VA: Android Basics (Part 2)

Android Binary Exploitation

In this post, we will examine security mechanisms that Android 12 employs in order to make binary exploitation a bit harder. Also, we will discuss how to get to certain information like shared - object files that are necessary for successful exploitation. The latter will be generalized to getting limited source code access to an app given a corresponding .apk file.

Environment

Before diving into details, the technical setup has to be clarified. All of the following observations on security mechanisms were encountered on a x86_64 Pixel 3 emulator running Android 12 (build number is SE1A.220203.002.A1 ). When referencing source code from Android Open Source Project (AOSP), it will be w.r.t. Android 12.0.0_r31 . The build variant for damnvulnerableapp is currently only debug. Also there is no GooglePlay enabled as we require root on the device for debugging purposes only.

20 minutes to read
Pascal Kühnemann

PowerView is evil, but PowerVi and ew are legit, right? - Missing signature-based detections due to PowerShell Script Block Logging Fragmentation

Sigma offers more than 3000 rules for signature-based threat detection. 140 of these rules aim to detect suspicious/malicious PowerShell scripts by looking into PowerShell script block logs. Fragmentation of script blocks during Script Block Logging results in varying number of alerts when loading the same script multiple times. On the one hand, there is a trend of more alerts being generated when the script is split into more fragments (which is fine), but on the other hand, the fragmentation of scripts into blocks may result in missed detections.
8 minutes to read
Louis Hackländer-Jansen

BPF Memory Forensics with Volatility 3

BPF Memory Forensics with Volatility 3

Introduction and Motivation

Have you ever wondered how an eBPF rootkit looks like? Well, here’s one, have a good look:

ubuntu-20.04-LTS-focal-ebpfkit.png

Upon receiving a command and control (C2) request, this specimen can execute arbitrary commands on the infected machine, exfiltrate sensitive files, perform passive and active network discovery scans (like nmap), or provide a privilege escalation backdoor to a local shell. Of course, it’s also trying its best to hide itself from system administrators hunting it with different command line tools such as ps, lsof, tcpdump an others or even try tools like rkhunter or chkrootkit.

49 minutes to read
Valentin Obst and Martin Clauß

Diving into the art of userspace exploitation under Android - Introducing E²VA (Part 1)

Investigating Binary Exploitation for JNI on Android

This post aims to be an introduction into a blog series about binary exploitation on Android. It tries to describe how the environment that runs vulnerable modules is set up and how the damnvulnerableapp supports the process of binary exploitation on Android.

Warning

The following app is intended to be vulnerable to specific attacks and can result in arbitrary code execution in the context of the app. Therefore, beware of this and do not use this app on a device/emulator that contains personal information whatsoever. Always launch the app in a controlled environment. No authentication is necessary to connect to the app and talk to vulnerable modules. Assuming the app is free of bugs, there is a guarantee that only one client can connect at a time.

8 minutes to read
Pascal Kühnemann and Daniel Baier

friTap - Decrypting TLS on the fly

Encryption - a curse and a blessing at the same time

Digital communication in today’s world has a particularly high status in our society. Financial transactions are conducted via online banking, private communication is increasingly limited to digital messenger services, and even health data is experiencing a shift to digital form. Due to the growth of such sensitive digital data, the need for secure transmission of such data has become increasingly important over the past decades. With the introduction of high-performance and digitally secure cryptographic methods, such as SSL/TLS, today’s digital communications are predominantly encrypted. Whereas back then, for example, an attacker could hang himself between the client and the server and read the data traffic without encryption, today all he sees is a jumble of letters. Encryption is truly a boon for protecting sensitive personal data, but it also has its drawbacks, as with almost everything. Encrypted communications negate the ability to analyze communications, which is very relevant when reverse engineering malware or researching vulnerabilities.

16 minutes to read
Daniel Baier and Francois Egner

Make Frida Great Again

Make Frida Great Again

In order to analyse binaries on e.g. Android systems, one is offered a plethora of tools to use to figure out what a binary is doing, whether it is malicious or just buggy. One way to figure out the behaviour of a binary is to utilise the strength of dynamic analysis. Under linux, i.e. Android in particular, Frida is a tool that is used for automated instrumentation of binaries, to inspect memory, function calls etc.

28 minutes to read
Pascal Kühnemann

Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)

Intro

This blog post reflects our exploration of the Dirty Pipe Vulnerability in the Linux kernel. The bug was discovered by Max Kellermann and described here . If you haven’t read the original publication yet, we’d suggest that you read it first (maybe also twice ;)). While Kellermann’s post is a great resource that contains all the relevant information to understand the bug, it assumes some familiarity with the Linux kernel. To fully understand what’s going on we’d like to shed some light on specific kernel internals. The aim of this post is to share our knowledge and to provide a resource for other interested individuals. The idea of this post is as follows: We take a small proof-of-concept (PoC) program and divide it into several stages. Each stage issues a system call (or syscall for short), and we will look inside the kernel to understand which actions and state changes occur in response to those calls. For this we use both, the kernel source code (elixir.bootlin.com , version 5.17.9) and a kernel debugging setup (derived from linux-kernel-debugging ). The Dirty Pipe-specific debugging setup and the PoC code is provided in a GitHub repository.

38 minutes to read
Valentin Obst and Martin Clauß

Exploiting CVE-2021-43247

In this blog post I will go in depth into the inner workings of CVE-2021-43247 , which was fixed on the 14th of December 2021. This bug was classified as “Windows TCP/IP Driver Elevation of Privilege Vulnerability”. The vulnerability itself was probably dormant for a long time, but became exploitable when the AF_UNIX address family was first introduced in 2019.

I will also take this as an excuse to explain in detail, what drivers are, how user space communicates with drivers, what a Local Privilege Escalation (LPE) is and what how we can achieve it in this case.

16 minutes to read
Pascal Beyer

Installing new .NET versions on a Windows 7 VM

Installing new .NET versions on a Windows 7 VM

In this post, I will explain how to install .NET Framework 4.8 on a Windows 7 VM.

Motivation

Virtual Machines running Microsoft Windows are frequently used for dynamic analysis of Windows executables. Windows 7 is still used for analysis VM, although it is no longer supported by Microsoft and ships with an outdated .NET version. If a sample requires a .NET version which is not present on the analysis VM, the execution fails and the file cannot be analysed. For this reason it might be required to install a recent .NET version on a Windows 7 VM.

2 minutes to read
Manuel Blatt