
Yeah, so I have a couple of designated spots in the talk to ask questions; there's three or four points I've broken out, and if you give me questions at those points that'd be great. I work at Talos, and I saw Telus is like a huge sponsor here and I still got accepted. I'm not sure, I think I might have just got accepted because I work with Talos, but that's okay. Anyway, this is "In the Zone: OS X Heap Exploitation". The title is a little deceiving: we're going to talk about a heap exploit that I wrote to attack iPhone and Safari, but really what we're going to do is dive into the internals of the OS X heap, the different strategies that it has, and how that whole thing works.

This is the obligatory Talos slide; that's the team of Talos people. Again, I'm the one who's talking to you guys, but every person on the Talos team has helped me one way or the other to have this talk. I couldn't be doing this without them.

I don't know if it made its way over to Ireland, but a couple of weeks ago there was a pretty big Apple patch that came out and people had this big headline like "Oh, Stagefright for Apple, Stagefright for Apple." Well, what do they mean, what is that, how was that going? There were over a hundred blog posts about this bug and people didn't quite understand what it meant. Here are two CVEs from Apple that affect, that this exploit is actually going to use. I don't think I've ever given a proof of concept of this out, but this is all patched and stuff, so if you guys want a proof of concept later I'd be more than willing to give it to you so you can check it out.

So why did I do this research? I'm trying to find bugs, and I find a really juicy bug, a real nice bug. I'm fuzzing, I already have RIP control the second I look at my crash, so I'm thinking this is a win: I've got RIP control, I can access it from Safari, game over, right? What else is there to do? So I go look up documentation on OS X and I find a bunch of stuff people wrote in like 2004 and 2005, back when OS X was on PowerPC. That's great, you know, that's awesome, but that can't help me much. So we have heap spraying; that's not reliable. Okay, so when I first made this exploit I just JIT sprayed: I did a JIT spray, jumped to the JIT spray, and I had 10 percent accuracy, I mean 10 percent reliability. Boom, that's a pretty good exploit. I don't know if anybody saw this, but at Black Hat Apple actually came out and gave a talk and told us that they're redoing their JIT engine. So now their JIT engine, if anybody's ever seen a JIT engine, a JIT engine for JavaScript is just-in-time compilation: when you put JavaScript in, it has to compile that code, and it makes a page readable, writable, executable. So if you jump to that, I can put shellcode there as JIT code and that gets executed. What Apple is doing now is they're going to separate the JIT, they're going to separate data from the actual instructions themselves, so I can no longer just throw data in there; that's not going to be an executable page anymore, now that's on the writable page. So heap spraying is now gone on the latest versions.

Yeah, so we need an in-depth knowledge of the heap algorithm because, a couple of things we're going to see, there's a couple of safety checks in here that are going to try to prevent us from doing a heap overflow, but with a good in-depth knowledge we can bypass some of those. This slide is just showing I'm not the first person to reverse engineer this heap; there's been a million people who reverse engineered it before. My favorites are probably Chris Valasek and Dai Zovi; those guys are the man, and all this work is modeled after theirs, so I have to give credit where credit's due. And like I said, if you Google "OS X heap", this is what you're going to find. The "Cocoa with malloc" blog post is like a hundred-word blog post and it's probably the best blog post of all of them: it's super small, super easy, but it had a lot of great information, and I highly recommend checking it out.

So all this research was on 10.11.5; we're on 10.11.6 now and everything is still good. I also have a Sierra beta, which is coming out soon. I don't know how much you guys know about Apple, if you have any question about anything, but Sierra's coming out in like a month and the OS X heap implementation is the same in Sierra as it is here, so all the work I did is still applicable.

So here's what we're going to talk about: the structures. Unfortunately I have to give you a little background on what these structures look like, and it's boring and I'm sorry, but if you could just bear with me, and if you can even zone out, it's okay, but if you could bear with me I'd appreciate it. Then we're going to talk about some heap strategies and how I had a heap overflow. Right, heap overflows are great, but they're tough to exploit; I think anybody who's exploited a heap overflow knows that's not an easy bug. Well, what's an easier bug? A use after free, right? If I have a use after free, that's a pretty standard exploit; I pretty much understand how to do that. So how can I take my heap overflow into a use after free? That's what that section's on. And then I have a few slides, if I make it to them, about the exploit itself.

I'm hoping you guys have a little bit of knowledge of the heap; I'm going to go through a super rudimentary version here. These are a bunch of allocators, but what I'd like to do here is divide them into two types: you have linked-list-based allocators and you have arena-based allocators. A linked-list-based allocator is essentially that all the free blocks get thrown together and they put this metadata in there themselves, previous size, next size, and so to get to the next block you're going to walk down and find the next one that fits. This is what leads to the Doug Lea malloc-style standard four-byte write-anywhere, old-school unlink attack on the heap; that's where that comes from. This is great and everything, but the problem with this is if you want to deallocate memory it's very intensive, because you have to walk this entire linked list. So how do we fix that? We go with something called an arena allocator, and what arena allocators do is they allocate things based on size. The most famous and most recent is the Low Fragmentation Heap on Windows, which, if you allocate 12 things of the same size, starts to bucket them. So now everything of size 10 goes in bucket 10, everything of size 11 goes in bucket 11, and that makes it much easier for deallocation; you can now allocate objects almost instantly. That kind of looks like this, so you can see if we want to allocate something from slot 4 here we would just go and say, hey, slot 4, oh, there it is, cool, let me take that. So it's a more modern heap implementation and that's how most heap implementations are these days. Okay.
We're going to talk for two seconds on OS X. So anybody who's seen it before has probably used libc; anybody who's programmed OS X before, that's probably Core Foundation. Core Foundation is the basis of all Objective-C; it handles all of the graphical setup, it handles all the cross-process communication, it handles all that kind of rendering stuff. So you're probably wondering, why is this useful? Well, WebKit is Safari. WebKit can build on Windows, it can build on Linux, it can build on OS X, so it has to have its own internal heap implementation to work. So I have a heap overflow in OS X; I don't have a heap overflow in WebKit. So we're going to have to figure out how to get around that, and this Core Foundation turns out to be the way to get around that. I'll go into that more as we go along.

And just real quick, I want to tell you about the things that OS X gives you to help make your life a little easier. Because OS X was based on BSD it has a similar BSD-style allocator; they call it Guard Malloc, and it's essentially a cheap debugging allocator. If you set it, it essentially just marks pages as not accessible, and as soon as you free something it marks that as not accessible as well, so that's going to catch all your use-after-frees. It puts guard pages around heap overflows; it's very, very helpful. OS X also gives you malloc stack logging out of the box; you can turn on stack logging and you get full backtraces on all your malloc calls. There's another command called malloc_history which is going to give you a little more output, it's a little more verbose, and you have to use it from the command line, you can't use it from lldb, but I wrote a tool that lets you use it in lldb and it's infinitely better, because malloc_info crashes lldb five times out of ten. So if you're working on something for an hour and use the stupid thing and it just crashes, then you're done and you just wasted so much time. So I usually use history and I'd recommend that as well. Am I talking too fast? Everybody okay? Okay, all right.

So I like to think of this as a large umbrella, like a big golf umbrella. Imagine you and your five buddies, right, you're standing there, it's pouring outside and only one of you guys has an umbrella. So what are you going to do? You're all going to try to huddle under there, huddle under the umbrella. That's what this malloc zone idea is: we have a giant overarching zone structure and we have individual mallocs inside that zone structure. So something like WebKit: WebKit is version 2, so WebKit malloc sits inside the same zone that OS X malloc does, but it's in its own version. So this overarching umbrella kind of manages all these different malloc implementations; this is going to make things like Safari possible, so I can have four or five, six, seven different heap implementations all at once and this zone algorithm takes care of all that.

So the magazine allocator, which is the magazine malloc, is the default OS X malloc, not to be confused with the WebKit malloc, which is slightly different; we'll get to that more. You can see it's used by basically everything: ColorSync, Safari, you name it; anything that's on OS X that's not WebKit uses it, and WebKit uses it a little bit. And that's pretty much that.

All right, so the way I showed you the free list a little bit, it's just an arena-based allocator, so it's a bucket list, it's pretty straightforward. And here is the worst part of this exploit and the best defense mechanism Apple's ever come up with, and it's the fact that they bind a magazine to a core. So what a magazine is, or the region, is where the actual memory comes from; I allocate something, it comes from a region. Well, a region is bound to a core of your computer, and what happens is that as you go along and you block to the kernel, it can switch cores on you. So if I'm doing a heap massage and I'm heap spraying on core one, and I then do some file reading, that gives a chance for the kernel to block; well, now it comes back and I'm on core two. So all the heap spraying, all that work I just did, it's gone, it's not there anymore; I'm on core two. Core one is set up perfectly for me to exploit; core two's not set up at all. This particular laptop has eight cores; that's eight different malloc implementations that I have to try to massage and try to get around. That's not going to happen, it's nearly impossible. I needed a way around that.
and backward coalesce size. Remember our Doug Lea malloc implementation that we talked about at the beginning of this: we had our unlink, we had a four-byte overwrite from unlink that you could do. That's very similar to what you can do here. I implore you to think about what you could do if you can control the forward coalesce size and the backward coalesce size. I haven't told you anything else about it; keep that in the back of your mind. That's going to be a real key for this exploit, those forward coalesce and backward coalesce sizes: if I can control those two I can win, okay, we can control the whole program. Okay, so this is showing a tiny region; notice it has 256 slots but only 64 filled. It's kind of a silly choice for them to do, but that's what they decided. And this is what a small region looks like; notice it fills up all 256, it takes care of everything.

Okay, regions. So we have magazines, so let me recap this one more time: we have our overarching zone structure, we have our magazine malloc that's inside the overarching zone structure, and that's where our magazines are, and inside a magazine is a region. The region is where the actual memory comes from. So when you allocate something it goes zone, magazine; the magazine says hey, I've got a region, I've got space, take something from my region, and that's where it all comes from. So that's what this region_t is: it's where the actual memory itself comes from. So I think I've beaten this to death already, but we have tiny regions and we have small regions, so you have tiny magazines and you have small magazines. So again, remember I talked about this earlier, but if you have an exploit and you're setting up your exploit on tiny and for whatever reason something happens and you have to go to small, everything you did is gone; all the work you just did is no longer there. So you have to ensure that you're massaging and hitting the right region, the right implementation.

Yeah, so region metadata describes the chunk size, it describes how full it is; we have tiny, small and large. Let's move forward to this one. So this is generally what the bitmap looks like; to see if a block is in use you see how big a block is. So this block is going to be three quanta, okay, this one and two zeros, that's three quanta. This second one means that it's a huge block. This one is two quanta in size, but because it's zero that means it's a free block, so if we look at our free list we'd see it there at its slot. And that's our tiny regions. Our small regions are nearly identical, but they decided to put it all in one, so they put it all in one thing and the top bit determines whether it's free or in use: these are in use, these are free, the top bit decides. I'm not sure why they decided to do it one way for tiny versus a different way for small. And here's some more information about the large region that you guys are more than welcome to check out on your own, or you can talk to me about it later; I'd be more than willing to talk to you about it.

All right, every region knows its magazine, knows what magazine it's supposed to be attached to: who owns me, what core am I on. I told you you cannot switch cores unless you go to the depot. If you pin yourself to the depot, that means you now relinquish yourself, you're not being used anymore and you can be put on a different core. So if you have a region it's always going to be on the same core. All right, and that's it for the data structures. I know I probably went over your heads, you probably didn't understand all of it, and that's okay, it's not the most important thing in the world, but if you have any questions feel free to ask at this moment.

Yes, everything on Apple is open source, but what you'll find about Apple open source is it's open source and that means it's there but it's not correct. So the general idea is in this document, yes, but we had to reverse engineer the entire libsystem_malloc for weeks to get everything perfect, because the open-source implementation is missing things. I'm assuming it's missing things because of proprietary knowledge and things like that; they just didn't put everything in there. But what I do give you guys, if you're interested in replicating my work, is an entire marked-up libsystem_malloc IDB on my GitHub. The whole thing is marked up, every structure is defined, everything is set up perfectly. Again, it's 10.11.5; 10.11.6 is the same, the Sierra beta is the same, but there's a chance that's going to change.

That's going to segue into this: I wrote a tool, well, I'm not allowed to say his name, he doesn't want to be named, if you guys want to talk about it talk to me, but a good friend of mine and I wrote a tool and we call it MacHeap. It's an lldb Python script that allows you to access everything I just told you; you can look at any of these pieces of information I've talked about, you can analyze all of them, you can do anything you want. What's great about the lldb Python script is there's probably 700 lines, give or take, and if they make any change to their structures, just change my structures: my structures are very easily set up, it's very easy to modify. We set this thing up so that for the future it's going to be very easy. I have planned support for iOS, so then we'll have the same introspection tools on iOS. We set it up very modular, very easy to adjust, so any malloc changes shouldn't really affect our tool too much. Like I said, Apple does have a patent on this; they're not going to just change their malloc implementation completely, because they do spend a lot of time and research making this allocation scheme. Any demo I give, or whatever, I'll be showing you this MacHeap tool, and that's really the meat of
my talk; that's where I spent most of my time. And I would appreciate it, anything I say or anything I do that you guys don't understand or whatever, please just shout out; I'll try to explain the best I can.

Okay, so strategies. I talked about this already; my main strategy here is we need to position things right, that's problem one, because I have all these checks on, I have a lot of checks on problems, and I can't run into any of those problems. So I need to have a spot where I'm open with no free blocks, which is more difficult than you think. I need to set things up right and I need to do my metadata unlinking attack. Remember, you're supposed to be thinking in the back of your mind: if you control the coalesce size, what can we do? So that's the part that, I've given this talk before and people didn't quite understand, so that's what I'm trying to emphasize; just kind of think about that. The forward size, how big that block is, and how far back the next free block is, is controlled directly by metadata, and we can overflow that. So let's just keep that in mind as we go along.

So I talked about this already, but the only key point to take home here, most people are Windows people: the Windows cache works if you allocate a size smaller. If my cache is full of 200-byte blocks and I allocate 100 bytes, well, it's going to take it off the cache. The OS X heap does not do that: exact only, exact. So the free list we talked about already, but it's a linked list indexed by quantum size. So if you want to allocate a four-quantum block you go to slot 4; if there's nothing there you go to slot 5, if there's nothing there you go to slot 6, so on and so forth until you find a slot that's open, and when you find the slot that's open, it'll cut that block open, coalesce the rest of the block back together, and that's how that works. It's important because if the cache is full and you're trying to set up, say if you spray or something like that, and it starts pulling off the cache, not the free list, not somewhere you expect, well then you're kind of in a bad predicament. So I like to clear the cache almost instantly; the first thing we do in our exploit is clear off the cache.

All right, so here we go. I think I'm going to, yes, I'll try the pointer, I'm going to do my best, it's tough to explain. Okay, so let's say we control the blue block; I can overflow the blue block as much as I want, okay, and I have the red block here, and the red block is a three-quantum free block. 1 means it's in use, 0 means it's free, okay. So if I overwrite the blue block, I overwrite all the way to the backward coalesce size, right to my backward coalesce size; let's ignore the checksum problems, ignore all those problems at this point, and let's say we can overwrite its backward size. What happens if I point its backward size to another free block? So instead of pointing at a free block, say its backward size points at a busy block; then it knows, when it tries to coalesce, hey, the block behind you is busy, I can't coalesce a busy block, that's a busy block, what am I supposed to do? I'm going to stay by myself. But if I overwrote this backward size and said hey, you know what, you actually are this big, your backward size is actually back to here, to this free block, then when the coalescing algorithm goes through it's going to say hey, the block behind me is free, let's mark everything between me and that block as free; those are all free blocks. So what that's going to do is it's going to take all these ones, all these ones, and you can actually allocate two objects on top of each other. And by allocating two objects on top of each other, by overwriting the backward size, we now return two objects on top of each other; it's the same scenario you'd start to create with a use after free. So what we do here is we're taking the heap overflow, overwriting some metadata, to turn this into a use after free, so we can get a more standard exploit out of it. That's backwards; the next slide is forwards. I'm not going to spend much time on forwards, it's the same idea: you're just going to overwrite these and you're going to point this guy forward into this next free block up here, the same way that happens. I've had much more luck with backward coalescing; I think backward coalescing is much more reliable, that works a lot better. Forward coalescing is an extremely rare scenario; it's not super useful for the use-after-free type idea that I was looking for, so we didn't go into this too deep, but the same idea could be applied. Are there any questions on that? That's probably the most difficult thing to understand and it's the most important part to understand on how we got this, how we took a heap overflow to a full exploit. This is the magic, this is the voodoo; this is the part that people are
like, oh, how do I explain that right there, how does that happen? That's it, that was the voodoo. So if you've got questions about it, please; it's not super difficult, it just took a really long time to figure out. Nothing? Okay, all right.

So we talked about this already, but it also has the four-byte metadata overwrite; you still have that same Doug Lea-like overwrite. I could overwrite the next pointer, the flink and blink, and get a four-byte overwrite. Well, what's wrong with that? Seven percent chance to get the correct checksum. Oh, that's pretty terrible. But, you know, Dai Zovi had a cool technique for Snow Leopard, I believe is the operating system's name, and you would just overwrite everything with null: instead of overwriting the pointers you'd overwrite everything with null, so then you get null metadata. So if I overwrite all these guys here, null, null, null, null, backward coalesce size, null, when it goes into a checksum, what's the checksum of null? Have you checked it? Null, that's going to be null, right? Well, Apple thought about this already, and what they do is if everything is null it goes into the region and marks it as an unused block; it says you cannot use this block anymore, this block is no longer good, so you have to do some coalescing to get that block back in use. It turns out that, unfortunately, it's not quite possible with the way that our heap overflow is set up, but that would be the idea: you overwrite everything with null, you make it coalesce again and get this block back in use and pass all the checksums on the pointers. What we ended up doing is, the checksums on the pointers, they come out to be 1, 3 or 7; that was it, they were 1, 3 or 7, so I've got a 33 percent chance. I'll take that chance. That's where we left it: I'll overwrite the pointer, I just try 1, 3 or 7, and that's where we left it. Obviously if I wanted a weaponized, great exploit, I'd want this to be better; if I wanted it to be the best of the best you'd need to figure out a way to get around that, and that's a serious problem that the OS X heap poses for exploitation.

Okay, so does anybody in the audience feel brave, or want to talk, or just want me to talk? I like to talk, it's not a big deal. No? Okay, that's fine. Let's say for instance we want to allocate a five-quantum allocation; what are we going to do? We're going to go to 5, right, and there's nothing there, so what are we going to do next? We're going to go to 6, and we're going to go down 6, we're going to walk to the end of it, and I'm going to give you this block. This is going to be the block you get returned, and that's how it is. If I wanted to allocate a block that was 15 it would go to the end and it would say I don't have anything there. So what do you do if you don't have anything there? So we look in the cache: is it an exact match? Sure, great, allocate that. Is there a spot in the free list? Sure, allocate it, awesome. Walk up the free list: do we find anything? Okay, great, allocate it. If all those things fail, we allocate from the region. How do you allocate from the region? Well, it's pretty straightforward: you go to mag_bytes_free_at_end and say hey, I have this many bytes available, give me some bytes. There's a couple of metadata pieces in the region itself that determine where you're going to get more bytes from, and I'm going to demo this and show you guys how we can accurately predict any allocation well before it happens: where it's coming from, where it's going to be, how it's going to line up; we can predict all those things. So I'm trying a new thing here: I'm not demoing till the end, I'm just going to do one long demo at the end to try to make this whole thing a little more cohesive. Again, ask questions as you've got them.

I tried to put this in here just so you guys understand what this does. This is a stupid Python script; what this does is it forces every allocation onto magazine one. You can't, I mean maybe somebody can, but it's extremely difficult to debug an application using the OS X heap with lldb if you don't do this, because on every breakpoint my core was going to switch; every single breakpoint, doesn't matter. So every time I would do anything it would switch. All this does is it goes through and makes sure it goes to core one, it's always on core one, and every switch is mapped back to core one. All right, so that's everything, that's all our allocation stuff. Do we have any questions on how to allocate? Okay, we'll go with that.

So the last thing before we go into a demo, and before we talk about that, do you guys want a demo? I'm going to demo this stuff and then we'll talk about it; I thought I'd demo how stuff works then talk about the exploit anyway. Okay, so this is a bitmap; you've seen what bitmaps are, but this is how it represents the entire malloc range itself, okay. So we have a region, it has a region bitmap, and every 1 is a block in use and every 0 is a block
that's not in use. So if you look at your free list you can see where the free list objects line up. Why is this useful? When I have an overflow and I have an exploit, I need these objects to be next to each other. If this is my vulnerable buffer, I need to know what I have next to it. So this region bitmap is very important to understand so I can place my objects next to each other. So Alex Sotirov came up with the idea of heap feng shui in 2006, and the whole idea behind that is you flatten the heap: the whole idea is you're going to flatten the entire heap and then every allocation you make after you've flattened it is going to be next to each other. That's just the way it works: if I flatten it, there's nowhere else for it to go. As we've said before, where are they going to come from? They're going to come from mag_bytes_free_at_end. So if I flatten this entire thing, it's all in use, and I allocate two objects, they're going to be right next to each other because they both came from the same part in the region.

So how do we flatten the bitmap? This is just saying that there's 56 quanta of free slots, and if you add up the large number it equals 36 as well; I said don't do math in public. So what we do is we just make 56 single-quantum allocations to flatten the bitmap. Okay, we made 56 quantum allocations; it's still length 901. If I go back a couple of slides it's length 901 here, I think 901, it's also 901, but now there are no free slots anymore. So now the next allocation I make is coming from the back of this, and I make a 24-quantum allocation, and now you can see the length is 925 and this whole thing is bigger. So if I made another allocation, it'd be right there, another one right there, right there. So now, if I can control objects and I can control what I'm doing and I have overflows, I can actually position things perfectly with this.

Double frees: not possible. There's a busy flag that checks whether there's been a free already or not, and they check for that immediately. Heap spraying: this is my personal opinion, this is not anything but, heap spraying is kind of dead on OS X. It's a 64-bit address space, it's just too large, and there's a lot of these spaces that are dead because of these magazine structures and things, and we tried the heap spray and it just wasn't reliable; it seemed it wasn't reliable and it wasn't going to work for us.

All right, it's 5:21, I've got 20 minutes left, so I'm going to talk about this project MacHeap. Great project, wonderful, it was fun. But what happened during MacHeap is I used this tool called lldb. Has anybody in here ever used lldb? Does anybody think it's good? I don't think anybody thinks it's good; it's a terrible piece of software. I mean, it's great, it's wonderful, and it does everything it does, but it's extremely difficult to use, it's not user-friendly at all. So deroko has a great lldbinit; it's awesome, it's cool, it does some interesting stuff, but it doesn't do what I want it to do. I came from WinDbg, I like WinDbg; I want to be able to do `poi(rax)` and get some information back, I want to be able to do `dw poi(rax+0xbc)` plus this plus that and have all these commands together and do all that stuff. In lldb you can do only one command at a time, that's it; you can't have script callbacks. There's all these massive deficiencies in lldb that we had, or we could never overcome; two guys who come from more of a Windows background trying to do this, we couldn't overcome it. So what we did is we wrote a, this is just showing you how to make a breakpoint: like if I wanted to make a breakpoint that prints out rax, that's as crazy as it looks, insane. If I want to make a breakpoint at main I can't say `break main` like GDB, `break main`, and that's how it works. Hold on, `breakpoint set -a` tilde whatever that thing is, `(void *)` name, like C casting style, and I don't want to type C casting, I'm doing lldb stuff; that's just crazy. So it lacks functionality, its Python functionality is terrible, there's so many problems it has. So we just created a generic way of adding functions; we added aliases and breakpoint managers, an entire full expression parser; we have an entire ability to parse with them now. We can do stuff like this: we can ask for a local variable with rax in it and tell me what that address is, and I can do `dw` on that, I can do whatever I want. We ported almost every WinDbg command we wanted to lldb. What happened before is I didn't tell anybody about it and so nobody's seen it; after the last one I put it online but nobody looked at it, so this time I'm talking to you about it more.

So I'm going to take a quick break and we're going to do a demo. I'm going to demo, we're going to predict where allocations are going to come from; we're going to predict one off the cache, we're going to predict one off the free list, then we're going to pull a couple off the region and we can watch the region grow up a little bit, and then I'm going to show you some of the cool stuff we did with lldb in it. I've got 20 minutes left, and then from there I've got 15 slides on exploitation, on how we exploit Safari with this bug, and I think I'll have just the right amount.
If you can't see, or I'm doing something wrong, just shout, please. All right, "unable to find an executable"; where am I? [Music] Are you guys interested in the code, or can you just believe me? I'll show you the code; I guess you guys aren't very trustworthy, huh. I know I've got a black eye and stuff, but that's not trustworthy. All right, I guess you've got to watch me vim at everybody.

All this is going to do is initialization. What the initialization is doing is simply calling free and malloc a bunch; you can't do heap stuff without having some initialization code. Think about when Safari starts up, for instance: how much stuff does it do on the back end to set up the heap and set things up? So that's all this is. I know it looks kind of crazy, but it's nothing special, just calling malloc and free a few times to pull some information out of our region, so that we have a free list to deal with. What we're going to do here is allocate 10 blocks and then free all the blocks. This isn't even the right code; my code, I mean the stuff in that image, is still fine, but it's ridiculous. All right, so what we're going to do is allocate 10 blocks and free 10 blocks, and then we hit a breakpoint. The reason we hit the breakpoint is that I'm going to show you what the cache looks like at that point. Notice we're allocating a 9-quantum allocation; well, 10 blocks means I stop at 9, so the last allocation it freed was 9 quanta. That's going to be in the cache, so that one comes off the cache. From there we're going to allocate another 9-quantum allocation off the free list, and then I'm going to clear the free list, wipe the whole thing, and we'll allocate one off the region. Let me get this back to the right one.

I slept like one hour last night, so I'm sorry, I'm a little off, but that's okay; I hope you're enjoying the talk. All right, so let's do `run` and get this whole thing set up a little bit. OK, so we hit a breakpoint, and notice it says `malloc` there, and we're going to malloc 0x90. 0x90 is a 9-quantum allocation; that's just 16 times 9. So let's take a look. We do `script execfile` on the load file; my file is called load.py, and it's just going to set us up with a few basic structures. So once it's scripted we're going to have `z`. `z`, I'm pretty sure, is our overarching umbrella that all your friends are standing under. One of our friends is called the magazine malloc, and inside the magazine malloc it has the magazine entries, and I set that up for us because we're all in the first magazine, so `t` is our first magazine. You can see `t` has a bitmap and `t` has a cache; you see this guy right here, `mag_last_free`, 9, plus 144; right here, `mag_last_free` is the cache. OK, so take notice of address 10010200. You guys believe me that's where the next allocation is going to come from? I hope so. So let's just do this, let's do `h`. OK, so you can see we're going to call malloc right here with 0x90. I'm going to continue on, and notice it came in at exactly what we said it was going to come from. That's pretty good.

Also check out this. Forward disassembly is great, right; everybody likes forward disassembly, but when you're reverse engineering, when you're doing vulnerability research or trying to exploit something, you want to know where you came from, not where you are. You don't necessarily care where you're going; you care where you came from. Well, how the hell do you do backwards disassembly in LLDB? You could do something like this, `dis -s $rip-8`, and that's going to do something like that, but that even looks weird; that's crazy, why would I do that? So we wrote a little thing called backward disassemble, and you can just disassemble backwards. If I want to backwards-disassemble ten lines I come back with ten lines, or 120; you can do whatever you want. It's much simpler and much easier, because when you do `$rip` minus a value, that offset might be wrong, because opcodes aren't aligned: 8 might not be the right number. If I do `$rip` minus 9, the code I get is different; that's not valid code anymore. What is this `movabs`? That's not valid code. Backward disassemble takes care of all that for you, and that's one small thing we have inside our tool.

OK, what's next? We're calling another 0x90 allocation. Let's load our script back; I really like my lldbinit. OK, and then we look at `t` again, and let's do `print t.dump`, and all that does is dump the free list, so we have 3510. So let's continue on; you'll see that here in a second. As you see on the screen, malloc's free list, 3510. OK, you told me you could do that, that's not super impressive, that's fine. But let's clear the free list; let's do something a little more difficult, do a little math, have some challenge here. So now let me do my thing; check out `t`'s bitmap. Remember I told you it only holds 64, and when something goes to 64 it gets stuck in that last slot instead; so that's what that last free-list allocation is, that's a dead spot on the very end of the free list. But if I do `print t.dump` you're going to see there ain't nothing there. So what you can do is take this address and mask off the lower bits (I have a function that does this, I just don't remember what it is), then you take `mag_bytes_free_at_end`, and then you do `num_bytes_in_magazine` minus `mag_bytes_free_at_end`, and that's going to give us a number. You take the hexadecimal of that number (again, I wrote a function for this, I just don't remember what it was), you get that number, and that's wrong. Oh, because I... why don't you guys tell me I'm being silly? I just put the same number twice; come on guys, I told you I haven't slept. All right, so we take this number, and now it's 3ba0. So what I did was I took the bytes free at the end versus all the bytes; say I have a hundred bytes and there are 80 bytes free at the end, well, that means I have to move forward 20 bytes. That's all I did, just a simple basic math equation: you mask off the bits, and that's where it comes from, 3ba0. There's nothing on the free list, there's nothing in there, nothing we can predict it will come from; that's coming directly from the region. Let's continue on real quick, and there's the region pointer, 3ba0. See, I messed up the math and was still able to get it right.

All right, any questions about that? I can show you the bitmap and show you how that works; I'll tell you why I don't want to do that while I do it, how about that. The problem with this is it loads 65,000 Python objects, and 65,000 Python objects take a long time to load. When I wrote all this code I wrote it on my iMac, which has a super processor and is super awesome, and then I moved to my laptop and I'm like, wait, I probably shouldn't load all 65,000 objects; there are like 40 objects in use and I'm loading 65,000, so that doesn't make sense. I tried to fix it this morning, but I said I'd sleep, so it was hard to fix. This takes just a minute to load up, but I'll give you a peek at what a bitmap looks like, and another cool little feature, I think the coolest feature, is that you can give me an address and I'll tell you exactly where it is in the bitmap. So you run that on the address and it tells you that's block 954. So if I look at my map, I look at map 954, and that's my allocation, a 10-quantum allocation right there. So at that point, if I have the addresses of my objects, I can query exactly where they are in this, so I can see what I'm going to overflow next, what I'm going to hit next. So for my coalescing thing here, I need to position my block directly behind the free block, and then by looking at the bitmap I can see what other free blocks I can write it back into. So this bitmap becomes very useful.

We're going to do it one more time, because I showed you what a bitmap looks like when it's full, well, not full, but I want to show you what it looks like when it has a few items in the free list. So here I free a lot, and then bitmap-to-string is just a stupid thing I wrote that takes a bitmap and makes it a nice string format. So for instance, say I want to overflow a 23-quantum allocation; what we want to see, you might say, is where the allocation is, and once we know where the allocation is we'll look at it. OK, this will take another second. All right, twelve minutes; I think we're good. Come on. All right, cool. So I'm at 849; let's take a look at our map, and you'll notice there was a 23-block allocation there, and you'll notice all these allocations are here; you can see them, all the zeros, it's very easy to see. But if I do map 954, sorry, 849, map block 849, you'll notice there's that free block there. So, hypothetically speaking: if I overflow this, it'll flow to here; I overflow the whole thing, I overwrite the backwards msize. Well, what happens if I put the backwards msize here and point it back here? When the coalescing algorithm runs, it's going to think all these blocks are now free, so if I make another allocation it's going to get allocated right in here. So what you can actually do, not only can you allocate things on top of each other, you can allocate things that are way too large for small regions. I've actually been able to get 120, 130, 140-quantum allocations coming out of tiny regions, even though the maximum for a tiny region is 512. So you can trick the whole tiny region allocation scheme into thinking it has way more space than it actually does, and you can really muck around with it with that little bit of coalescing.

I think that's it for my demo, and the rest is going to be talking about the problems we had while exploiting. Sorry. Cool.
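The demo above does three things in sequence: predicts the next allocation from the cache, then the free list, then the region end (region address with the low bits masked, plus bytes in magazine minus bytes free at end); maps an address to a bitmap block; and finally corrupts a free block's backward msize so that backward coalescing swallows live blocks. The C model below is an editor's added example, not the speaker's lldbinit scripts and not Apple's libmalloc. It assumes a 16 KiB region, a 64-slot free list, a one-entry last-free cache and a constructed eight-block layout (F1, V1, V2, A, F2, T, X, Y); the free-list pointer checksum the speaker discusses later is deliberately omitted, so the merge goes through as soon as the bitmap check passes. `predict_next` mirrors the three prediction steps, `block_index` is the bitmap lookup, and `coalesce_attack` is the backward-msize trick.

```c
/* Toy model of the OS X "magazine" tiny allocator the demo walks through: an added example,
 * not the speaker's lldbinit scripts or Apple's libmalloc.  Kept: 16-byte quantum, one-entry
 * last-free cache, 64 free-list slots indexed by msize, a "bytes free at end" bump pointer,
 * block bitmaps, and backward coalescing driven by the msize at the tail of a free block.
 * Left out: the free-list pointer checksum from the talk.  Sizes, names, layout are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define QUANTUM        16
#define NUM_QUANTA     1024                       /* toy region: 16 KiB */
#define REGION_BYTES   (NUM_QUANTA * QUANTUM)
#define NUM_FREE_SLOTS 64                         /* msize >= 64 lands in the last slot */
static uint8_t  region[REGION_BYTES] __attribute__((aligned(REGION_BYTES)));
static uint8_t  block_start[NUM_QUANTA];          /* header bitmap: a block begins here */
static uint8_t  in_use[NUM_QUANTA];               /* in-use bitmap, set on a block's first quantum */
static uint8_t *free_list[NUM_FREE_SLOTS];        /* singly linked, head insert */
static uint8_t *last_free; static unsigned last_free_msize;   /* mag_last_free: the cache */
static size_t   bytes_free_at_end = REGION_BYTES; /* mag_bytes_free_at_end */
/* Free block: [0,8) next pointer, [8,10) msize, and msize again in its last two bytes, the
 * "backward msize" the allocator reads when the block after it is freed. */
static uint8_t **next_of(uint8_t *p)                 { return (uint8_t **)p; }
static uint16_t *lead_msize(uint8_t *p)              { return (uint16_t *)(p + 8); }
static uint16_t *trail_msize(uint8_t *p, unsigned m) { return (uint16_t *)(p + m * QUANTUM - 2); }
static unsigned  block_index(const uint8_t *p)       { return (unsigned)((p - region) / QUANTUM); }
static unsigned  slot_for(unsigned m)                { return m < NUM_FREE_SLOTS ? m : NUM_FREE_SLOTS - 1; }
static unsigned msize_of(const uint8_t *p) {         /* in-use size: scan to the next block start */
    unsigned i = block_index(p), end = NUM_QUANTA - (unsigned)(bytes_free_at_end / QUANTUM), j;
    for (j = i + 1; j < end && !block_start[j]; j++) {}
    return j - i;
}
static void set_free(uint8_t *p, unsigned msize) {
    unsigned i = block_index(p), s = slot_for(msize);
    memset(block_start + i, 0, msize); memset(in_use + i, 0, msize); /* everything inside is "free" */
    block_start[i] = 1;
    *lead_msize(p) = (uint16_t)msize; *trail_msize(p, msize) = (uint16_t)msize;
    *next_of(p) = free_list[s]; free_list[s] = p;
}
static void unlink_free(uint8_t *p) {
    for (uint8_t **pp = &free_list[slot_for(*lead_msize(p))]; *pp; pp = next_of(*pp))
        if (*pp == p) { *pp = *next_of(p); return; }
}
/* Where the next msize-quantum block lands, in the demo's order: cache, free lists, then the
 * untouched region end = (address with low bits masked off) + (bytes in magazine - bytes free at end). */
static uint8_t *predict_next(unsigned msize, const char **source) {
    if (last_free && last_free_msize == msize) { *source = "cache"; return last_free; }
    for (unsigned s = slot_for(msize); s < NUM_FREE_SLOTS; s++)
        for (uint8_t *b = free_list[s]; b; b = *next_of(b))
            if (*lead_msize(b) >= msize) { *source = "free list"; return b; }
    *source = "region end";
    uint8_t *base = (uint8_t *)((uintptr_t)region & ~(uintptr_t)(REGION_BYTES - 1));
    return base + (REGION_BYTES - bytes_free_at_end);
}
static uint8_t *toy_malloc(unsigned msize) {
    const char *src;
    uint8_t *p = predict_next(msize, &src);
    if (src[0] == 'c') last_free = NULL;                 /* cache hit: the bitmaps never changed */
    else if (src[0] == 'f') {                            /* carve from the front, remainder goes back */
        unsigned have = *lead_msize(p);
        unlink_free(p);
        if (have > msize) set_free(p + msize * QUANTUM, have - msize);
    } else bytes_free_at_end -= msize * QUANTUM;
    block_start[block_index(p)] = 1; in_use[block_index(p)] = 1;
    return p;
}
/* Backward coalescing: trust the msize stored just before the block and merge when the
 * bitmaps say the block it points back to is a free block start. */
static void really_free(uint8_t *p, unsigned msize) {
    uint16_t back = p > region ? *(uint16_t *)(p - 2) : 0;
    size_t off = (size_t)(p - region);
    if (back && (size_t)back * QUANTUM <= off && block_start[off / QUANTUM - back] && !in_use[off / QUANTUM - back]) {
        unlink_free(p - back * QUANTUM); p -= back * QUANTUM; msize += back;
    }
    set_free(p, msize);
}
static void toy_free(uint8_t *p) {   /* park in the cache; the previous occupant is freed for real */
    uint8_t *evicted = last_free; unsigned evicted_msize = last_free_msize;
    last_free = p; last_free_msize = msize_of(p);
    if (evicted) really_free(evicted, evicted_msize);
}
typedef struct { uint8_t *f1, *v1, *v2, *a, *f2, *t, *x, *y; } layout_t;
static layout_t build_layout(void) {   /* constructed: F1, F2 on slot 3; X cached; V1, V2, A, T live */
    layout_t L;
    L.f1 = toy_malloc(3); L.v1 = toy_malloc(9); L.v2 = toy_malloc(9); L.a = toy_malloc(3);
    L.f2 = toy_malloc(3); L.t = toy_malloc(9);  L.x = toy_malloc(5);  L.y = toy_malloc(5);
    toy_free(L.f1); toy_free(L.f2); toy_free(L.x);   /* each free pushes the previous one out of the cache */
    return L;
}
/* The demo's trick: an overflow out of A runs across all of F2 and rewrites F2's backward msize
 * to point at F1, which the bitmap genuinely shows as free.  Freeing T then merges F1..T into
 * one bogus free block, and the next 9-quantum request is served on top of the live V1. */
static uint8_t *coalesce_attack(layout_t *L) {
    uint16_t *backward = (uint16_t *)(L->a + 3 * QUANTUM + 3 * QUANTUM - 2); /* == trail_msize(F2, 3) */
    *backward = (uint16_t)((L->t - L->f1) / QUANTUM);                         /* 27 quanta instead of 3 */
    toy_free(L->t);                      /* T into the cache, X freed for real (nothing to merge) */
    toy_free(L->y);                      /* Y into the cache, T freed for real: merges back to F1 */
    return toy_malloc(9);
}
int main(void) {
    layout_t L = build_layout();
    uint8_t *p = coalesce_attack(&L);
    printf("9-quantum block at %p overlaps live V1 at %p\n", (void *)p, (void *)L.v1);
    return 0;
}
```

Build with `cc -std=gnu11 -Wall` and run. Two things carry over from the model to the real allocator the talk is about: the bitmap check is satisfied by pointing the backward msize at any block that really is free, which is why the speaker uses the bitmap to choose one; and after the merge the allocator's own view of V1, V2 and A (the cleared `in_use` bits) is that they are free, so the next request of a matching size is handed out on top of them. In the real allocator the merge also has to survive the free-list unlink, which is where the checksum problem discussed next comes in.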
I'm just a little hard of hearing. Oh, the checksum issue, is it fixed? So, the checksum is fixed, exactly. So what we did was analys. Yes, how can you get past this checksum problem? I mentioned it just a touch: what I did was run millions and millions and millions of these iterations and take statistics on what the checksums were, and it turns out the checksums are not random; they are somewhat deterministic. Occasionally you get an outlier, but for the most part, having run this thing millions of times, it's usually 1, 3 or 7; those are the three numbers it usually is. That's a 30% chance. I'm not an attacker, I'm a vulnerability researcher; my job is not to get a hundred percent reliable exploit. My job is to prove something is exploitable and get a patch out, get us a little bit of publicity, show that we can do this, show our skills. It would probably take me another month or two to get to a full hundred percent, where I can pass this checksum every time; we'd have to come up with a new, novel technique, and it's not necessarily worth it for my position and my current job. If I were a weapons-grade exploit developer I'd for sure want to do better on that checksum problem. I lost my mouse.
All right, eight minutes, cool. Oh man, one second, sorry, I really forgot. All right, what I wanted to show you was this cool stuff. OK, so let's take an `h`. There's no other tool in the world that does this. They start with a little thing, it's cool, but it doesn't do this amazing hex dump like that; there's no color-coded output. I don't like color, I'm more of a white kind of guy, but we have a full color setup; all you have to do is say `color on`, and otherwise it'll be white. The stack stuff is pretty standard, except it took forever; this that I showed you already took forever.

Let's say I want to look at the stack; let's look at words on the stack. So we get these nice words. Normally what you do is something like this, and it looks like crap, it's kind of weird-looking, it doesn't quite fit. And you say, OK, what if I don't want words, I want double words? Great, awesome. Well, what if I want to look at the pointer at `rsp+16`? Then you can do something like this, you can do `poi`. I know this doesn't look that impressive, but this is ridiculously awesome compared to what LLDB does itself. So I can do `dq` and I can dump words at the pointer at `rsp+16`, which lets you look forward and do all that good stuff. That's stuff that's really hard to do in LLDB; there's no way to script that, it's almost unscriptable without stuff like this. I talked about malloc_history before; I don't think I have stack logging on, but you can just type `history` from the command line like this and it'll run that malloc_history command for you. You can run `proc maps`; I don't know if any of you are Linux people, but there's `/proc/<pid>/maps` that tells you the whole memory layout, and on OS X this is something very similar to that.
But you can't query it in LLDB; there's no possible way to find page permissions in LLDB. So when I go to do my exploit and I'm trying to figure out what the page permissions are, LLDB has no functionality to do that. So there are small things like that that really made it hard. All right, five minutes left; I'll burn through this real quick and we'll call it a day. Cool.

All right, so the problem with Safari: it has five malloc zones. What the heck are you doing, man, five malloc zones, are you kidding me? Well, I have a heap overflow with RIP control, I can hit it from Safari; I'm like, I'm the champion, I'm the best person in the world, I've got the best exploit ever. I get to this thing and it's crazy. So what we have is DefaultMallocZone. Well, guess what, WebKit doesn't use the default zone for really anything; they have WebKit malloc, they have WTF malloc. Why would they use my malloc when they can use their own? This is typically what it looks like; you can see they use WebKit malloc and DefaultMallocZone. I just told you WebKit doesn't use the default zone for anything, so why is the default zone so large? Well, it's that Core Foundation stuff we talked about at the beginning, I don't know if anybody remembers that, but Core Foundation is the way WebKit interacts with OS X, the operating system itself. So through that interaction we're able to get things into our malloc zone; we're able to coalesce our mallocs together, to coalesce our heap, all through this Core Foundation idea. So we have an image-based overflow, Core Foundation, ImageIO, the default malloc zone blob. So what do we need? We need an information leak and we need an object overwrite. The object overwrite was really easy; Core Foundation allocates so many objects that it was really simple. The difficult part was the information leak, because pretty much every allocation you control from JavaScript falls in WebKit malloc, but every call to `new` falls in default malloc. So what did we do? We went through and traced every single call to `new` inside every shared library WebKit uses; we traced every call, we searched the entire memory space for any pointers that might fall into some of these things, to try to find any object we could possibly use to coalesce our heap. We found a couple of heap-massaging primitives. The AudioContext object does not offer arbitrary allocation, but you can do allocations of size three, four or five quanta just by calling AudioContext with a couple of different parameters. So that was pretty easy to start with; that's how we were able to massage the heap into a state that works pretty well. Another super hard problem here is we had to write a server: you send to it, you can write back to it, and it makes new TIFF files. That's not easy to do. You go out, you get your information, and now you call back to your server and it makes new TIFF files to adjust for this; it was really, really hard to get that all set up properly.

All right, and here is the hand-wavy magic I told you about. We found one string; I don't even know if it's there anymore, because Apple saw this and I don't think they left it there, but there's one string allocated in the default zone, `Date.prototype.toLocale`. You have like a three-second window to hit this string: it's allocated in the default zone, and immediately following that it gets copied into WebKit malloc; you have to hit it before it goes to WebKit malloc. We have coalescing issues, we have a lot of issues here that have to be overcome to make this perfect. You have a split second to overwrite the null byte on that `Date.prototype.toLocale` string, so that when it gets copied over it copies too much data and you get your information leak out. Again, I'm not a weapons-grade exploit writer, and it's not the most reliable technique in the world, but it works, and it's pretty impressive; it was a pretty good find and it was pretty hard to do.

So just as a general recap: we have our three-quantum allocation, we have our empty quantum, we do the backwards coalesce I've talked so much about, we get two chunks freed, you remove that null terminator, and then when you read that date back in JavaScript it gives you back more information, and now you have an information leak you can use. I told you before, RIP control is no problem, there are a lot of objects to overwrite, and that's how we got code execution and that's how we're able to attack Safari. I would show it to you now, but it's like 1 in 20, so like 5 percent reliable, I guess, and nobody wants to see me throw the exploit 20 times. Anyway, that's it for me, but if you guys are at all interested, this whole slide deck, all my tools on the Mac heap, I just released lldbinit today on GitHub as well, so all that's up there. I am one blank well one, and that's the talk.
Got any questions or anything? This was about three months of work, yeah, give or take. I just want to show you guys one more thing. I know, I know, it's like three more things. Come on. All right, so let's say I want to reverse engineer malloc, right? So how do I find where malloc is? Well, let me tell you: you do `image list`, just an `image list`, and it'll tell you where malloc is, right? So you do `image list`; OK, cool. Well, I don't know, let me just do Command-F malloc; I can just Command-F in my terminal, that's going to find malloc, isn't it? Look, cool, it found malloc for me, that's wonderful. But if you have more mallocs and more stuff, it can't find malloc for you anymore. So we created a little thing called `lm`; now I can `lm malloc` and it gives it to me right away. Perfect. OK, that's awesome, now I know the module. Now I want to know every function that has the word malloc in it. How am I going to find every function that has the word malloc, when I don't know which malloc I need? I have no idea. Well, now you can do something like this, `ls malloc`, and it's going to come back: these are all the places and all the offsets where malloc is used anywhere in this program. Again, things LLDB simply can't do.

One last thing and I'll get off the stage, I promise. This is main, right? What if I want to know every call in main, because I know a lot of you reverse engineers are call reversers; that's how you're taught, you go from call to call to call to try to understand the flow of a program. OK, what if I want to see all the calls? Well, I can do this, I can again Command-F "call", right, and kind of go through, but, as you saw, it wasn't super far up and now I don't know where I am anymore; this is terrible. OK, so my next option is I can copy all this data and put it in Sublime Text or something and look for "call" that way. Or we can do something called dis search: you do `-n main` and search for `call`, and it's going to give you all the calls, formatted; any call that program makes, it shows you where it is and how it's done. You can do it for anything: instead of `call`, if you want `jne` it shows you all the jne's; instead of jne, if you want `add` it shows you all the adds. So you can search through any program for that, and that works extremely well, versus not being able to do any of that. That's my lldbinit pitch; I hope you check it out. Thank you so much for listening, I appreciate it. I'll be around for a while if anybody has any questions, or if you want to talk more, or if you want to see me throw the exploit 20 times, feel free to come up and do that too. Thank you so much.