64 Hijacked ARMs

As discussed in A Hijack Revival, libhijack is under active development again. Today, I'm announcing version 0.8.0, which breaks both API and ABI from 0.7.0. The breakage is worth it, though. With version 0.8.0, libhijack now works on arm64. This marks a milestone achievement in libhijack: the first port to a non-x86 architecture.

It's interesting to note that during development, a local kernel DoS for arm64 was found, reported upstream, and subsequently fixed.

Download the source from GitHub here.

Here are the highlights of libhijack 0.8.0:

  • New architecture supported: arm64
  • Add ERROR_NOTSUPPORTED error code
  • Make the memory mapping code architecture-dependent
  • Add API for getting/setting various registers in an architecture-agnostic fashion
  • Add API for querying instruction alignment
  • Detect the base address better
  • Switch from ptrace(PT_READ_D) to ptrace(PT_IO) for reading data
  • Add sample exit(55) shellcode for arm64
  • Add various sanity checks and clean up a bit of code

Next item to knock off the TODO list: anonymous injection of shared objects.

 Makefile.inc                                 |   1 +
 README.md                                    |  17 +++++++---
 hijack/Makefile                              |   6 ++--
 hijack/hijack.c                              |  18 +++++++++--
 include/hijack.h                             |  24 +++++++-------
 libhijack/Makefile                           |  13 +++++---
 libhijack/arch/aarch64/hijack_machdep.h      |  37 ++++++++++++++++++++++
 libhijack/arch/aarch64/inst.c                |  46 +++++++++++++++++++++++++++

A Hijack Revival

Over a decade ago, while standing naked and vulnerable in the comfort of my steaming hot shower, I gathered my thoughts as humans typically attempt to do in the wee hours of the morning. Thoughts of a post-exploitation exercise raced in my mind, the same thoughts that made sleeping the night before difficult. If only I could inject into Apache some code that would allow me to hook into its parsing engine without requiring persistence. Putting a file-backed entry into /proc/pid/maps would tip off the security team to a compromise.

The end-goal was to be able to send Apache a special string and have Apache perform a unique action based on the special string.

FelineMenace's Binary Protection Schemes whitepaper provided inspiration. Silvio Cesare paved the way into PLT/GOT redirection attacks. Various Phrack articles selflessly contributed to the direction I was to head.

Alas, in the aforementioned shower, an epiphany struck me. I jumped as an awkward stereotypical geek does: like an elaborate Elaine Benes dance rehearsal in the air. If I used PTrace, ELF, and the PLT/GOT to my advantage, I could cause the victim application to allocate anonymous memory mappings arbitrarily. In the newly-created memory mapping, I could inject arbitrary code. Since a typical operating system treats debuggers as God-like applications, the memory mapping could be mapped without write access, but as read and execute only, thus enabling the stealth that I sought.

The project took a few years to develop in my spare time. I ended up creating several iterations, taking a rough draft/Proof-of-Concept style code and rewriting it to be more efficient and effective.

I had toyed with FreeBSD off-and-on for over a decade by this point, but by-and-large I was still mostly using Linux. FreeBSD gained DTrace and ZFS support, winning me over from the Linux camp. I ported libhijack to FreeBSD, giving it support for both Linux and FreeBSD simultaneously.
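The stealth described above rests on the injected code living in an anonymous mapping rather than a file-backed one. The defensive counterpart is to treat executable mappings with no backing file as worth a look. The following is an added example, not part of libhijack or this post: it parses Linux /proc/<pid>/maps text and flags anonymous executable regions, using a constructed sample map rather than a live process. The sample addresses, the httpd path and the helper names are all assumptions made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/<pid>/maps output (not captured from a real
# process): file-backed text and rodata, a private data arena, one anonymous
# r-x region with no backing file, the stack, and the kernel-provided vDSO.
SAMPLE_MAPS = """\
00400000-0049d000 r-xp 00000000 08:01 1311   /usr/sbin/httpd
0069c000-0069d000 r--p 0009c000 08:01 1311   /usr/sbin/httpd
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c401000 r-xp 00000000 00:00 0
7ffd2a1f0000-7ffd2a211000 rw-p 00000000 00:00 0   [stack]
7ffd2a3b8000-7ffd2a3ba000 r-xp 00000000 00:00 0   [vdso]
"""

# Field layout of one maps line: range, perms, offset, dev, inode, optional path.
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Kernel pseudo-mappings that are anonymous and executable by design.
KNOWN_PSEUDO = {"[vdso]", "[vsyscall]"}

@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text into Mapping records; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], int(m["inode"]), m["path"].strip()))
    return out

def suspicious_anon_exec(maps: List[Mapping]) -> List[Mapping]:
    """Executable mappings with no backing file (inode 0), minus known kernel
    pseudo-mappings. An executable [stack] or [heap] is flagged too. A hit is a
    lead, not proof: JITs (JVM, browsers, LuaJIT) create such regions, so
    baseline the process first."""
    return [m for m in maps
            if "x" in m.perms and m.inode == 0 and m.path not in KNOWN_PSEUDO]

def scan_pid(pid: int) -> List[Mapping]:
    """Linux only; reading another user's map needs the same access ptrace would."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_anon_exec(parse_maps(fh.read()))
```

On FreeBSD the equivalent data comes from procstat -v, whose column layout differs, so the regular expression would need adjusting there.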

RoboAmp 1.0.3 Released

Due to some changes to google voice, RoboAmp 1.0.2 stopped working. RoboAmp has been updated to adapt to these changes, as well as a few other minor changes. You can get the new version here. If you would like to see more changes to RoboAmp or any of our other SX Labs releases, please drop by our IRC.

SOLDIERX.COM Reaches Over 15,000 Active Members

Congratulations everybody, our community is finally at over 15,000 active user accounts. Technically speaking we just had our 22,006th sign-up - but over 7,000 of those were determined to be inactive/spammers and have had their accounts removed. We actively prune accounts that spam as well as accounts that never log into the site. We believe that our hardware upgrades have accounted for the increased traffic. Our next goal is to have over 20,000 active members. Thanks to everybody who has been active in our community and to everybody that has helped to spread the word about soldierx.com.

lattera to Present HardenedBSD Talk at THOTCON

lattera will be giving a talk about HardenedBSD titled "Pissing off the bad guys by porting grsecurity to HardenedBSD" at THOTCON in Chicago at 12:00PM CST on Thursday, May 4th 2017 in Track X. Please contact him if you plan on attending and he might be willing to meet up. The details of the talk are as follows:
Work on HardenedBSD began around three years ago, with HardenedBSD becoming official two years ago. We've implemented the strongest form of Address Space Layout Randomization (ASLR) in all the BSDs. We've ported over a number of grsecurity features. FreeBSD, upon which HardenedBSD is based, serves at least 36% of all peak North American Internet traffic, thanks to Netflix. Juniper, Cisco, NetApp, iXsystems, and others all use FreeBSD under the hood. Yet FreeBSD lacks any low-level exploit mitigation technologies. Exploiting vulnerable applications has never been easier. The NSA must love FreeBSD-based systems. HardenedBSD aims to implement low-level exploit mitigations and security hardening technologies, starting with porting the grsecurity patchset. We've come a long way, and we have even longer to go. This presentation discusses in detail the advancements we've made, including comparisons to Linux and OpenBSD. Attendees will understand why exploit mitigation is an absolute must and will learn the technical details of each feature.

Amp Commissioned For "Don't Copy That: No Longer Floppy"

Amp has been commissioned by the SIIA for the role of Disc Protector Junior in a new Don't Copy That sequel. The new anti-copyright infringement campaign will be called "Don't Copy That: No Longer Floppy". The SIIA decided on Amp due to his freaky eyes, as well as the poor performance of "Don't Copy That". Amp has decided to take the campaign back to its roots, donning the original outfit of the Disk Protector from 1992. We have included a small snippet below:

If you want to see more footage, please see Full Scene, Full Scene (half size), and Amp Dancing.

We hope that he'll talk about SOLDIERX and his OFACE Project in the video, but we'll have to wait for the full release to see if he does. Please feel free to comment if you have any ideas to make the video better than the original "Don't Copy That Floppy" as well as the sequel, "Don't Copy That".