Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers.

Published byAleesha Wood Modified over 10 years ago

Similar presentations

Presentation on theme: "Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers."— Presentation transcript:

1 Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers

2 Agenda Exploitation Overview Reverse Engineering Tools Case Study MS08-067

3 Exploitation Overview Software vulnerabilities exist Reliable exploitation techniques exist Stack overflow Heap overflow Exploit mitigation Prevent or impede a class of vulnerabilities Patch the vulnerability Disable the service Generic mitigations

4 Reverse Engineering Tools IDA Pro Bindiff Plugin for IDA Ollydbg or Immunity Debugger or Windbg Debugging Symbols Sysinternals tool suite Any scripting language to write PoC (Python, Ruby etc)

5 MS08-067 Windows Server Service Vulnerability Out of band release Details: Error in netapi32.dll when processing directory traversal character sequence in path names. This can be exploited to corrupt stack memory by example sending RPC requests containing specially crafted path names to the Server service component – secunia.com

6

7 Structure of X86 stack frame Local VariablesSaved EBPSaved IPArguments Stack grows towards lower addresses

8 Classical Overflow Local VariablesSaved EBPSaved IPArguments Return address overwritten with address of shellcode

9 Reverse engineering the patch Demo

10 The Bug Decompiled by Alexander Sotirov Visual demo of the bug

11 The Bug(contd..) ptr_path \\computername\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAA ptr_previous_slash ptr_current_slash 1.ptr_path points to the beginning of the buffer 2.Parses to find current slash and previous slash‘\\’ 3.Finds “..”, so the current slash pointer moves forward 4.Data from Current slash pointer is copied to ptr_path 5.If the pointer is at the beginning of the buffer, a pointer moves backward to find previous slash“\\”. 5a. Results in access violation if no “\\” are found 5b. Copies to the new destination if “\\” is found \\..\\AAAAAAAAAAAAAAAAAAAAAAAAA Lower Address Higher Address

12 path Return Address of vulnerable_function Saved EBP Netapi32!NetpwPathCanonicalize vulnerable_function( wchar *path ) wcscpy(dst,src) Return Address of wcscpy Saved EBP 1.ptr_path points to the beginning of the buffer 2.Parses to find current slash and previous slash‘\\’ 3.Finds “..”, so the current slash pointer moves forward 4.Data from Current slash pointer is copied to ptr_path 5.If the pointer is at the beginning of the buffer, a pointer moves backward to find previous slash“\\”. 5a. Results in access violation if no “\\” are found 5b. Copies to the new destination if “\\” is found \\..\\AAAAAA \\..\\ AAAA AAAA AAA (ptr1 – 1)ptr2 ptr1 ptr_path \\c\\..\\.. \\AAA AAAA AAAA AAAA Shell Code

13 The Bug (contd..) Not a classical buffer overflow The destination buffer is large enough to copy the contents from source The hunt for “\\” if the pointer points to the beginning of the buffer makes it a BUG

14 Ready for PoC Identify the vector of exploitation 3 possible ways o wcslen of path o Predictable location of “\\” in the stack after repeated interaction o Metasploit way of calculating the device_length

15 Mass Exploitation If no NX, return to stack and execute shellcode If NX enabled, disable DEP/NX by abusing Win32 API NtSetInformationProcess and return to stack and execute shellcode. Refer Skape and Skywing paper on Uninformed Journal “Bypassing Windows Hardware-enforced Data Execution Prevention” In Vista, ASLR makes return addresses unpredictable.

16 Thank You Thanks to Research Team@iViZ Security Thanks to Clubhack 08 organizers Thanks to all the attendees

17 Ready for Phase 2 ?

Download ppt "Nibin Varghese iViZ Security, Kolkata Reverse Engineering for Exploit Writers."

Similar presentations

State of the Exploit Matt Miller / Trust Boundary VulnerabilityExploitation.

State of the Exploit Matt Miller / Trust Boundary VulnerabilityExploitation.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights 2014 13st of November 2014.

The past, the present and the future of software exploitation techniques Nikita Tarakanov, Moscow, Russia ZeroNights st of November 2014.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
91.661 Project - 1 5/4/2011 The University of Massachusetts Lowell Anthony Gabrielson Adam Helbling.

Project - 1 5/4/2011 The University of Massachusetts Lowell Anthony Gabrielson Adam Helbling.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Buffer Overflow sailaja yagnavajhala sailaja yagnavajhala.

Buffer Overflow sailaja yagnavajhala sailaja yagnavajhala.
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.

Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.
Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.

Part 3: Advanced Dynamic Analysis Chapter 8: Debugging.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Similar presentations

Ads by Google