IDA Pr0wned
Jason Geffner, NGS
jason@ngssoftware.com
8/25/10
Background
• “The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.”
• -- http://hex-rays.com/idapro/overview.htm
How IDA Loads Files
• IDA supports dozens of file formats
• One DLL per file format in IDA’s “loaders” subdirectory
• Each DLL exports the following two functions:
  • accept_file(…) – Does the loader recognize the file format?
  • load_file(…) – Load the file into the database

How IDA Loads Files
• IDA calls each loader DLL’s accept_file(…) function on the input file
• IDA then asks the user which loader to use to load the file
QNX
• “QNX is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market.”
• -- http://en.wikipedia.org/wiki/QNX
• IDA Pro includes a QNX program file loader
• A code snippet from its accept_file(…) function follows…
The data for all structures below is read in from the input file.
• The code below iterates through each “ex.lmf_data” structure in the input file, advancing the file pointer by “sizeof(lmf_data) + lmf_data.offset” on every iteration.
• However, if “lmf_data.offset” == “-sizeof(lmf_data)”, the addition wraps to the same value, “at” is never increased, and this code runs in an infinite loop.

    for (uint32 at = sizeof(ex.lmf_header) + ex.lmf_header.data_nbytes;  // first record follows the header
         lmf_data.segment_index != _LMF_EOF_REC;                           // stop at the end-of-file record
         at += sizeof(lmf_data) + lmf_data.offset)                         // skip this record and its payload
    {
      qlseek( li, at, 0 );
      if ( sizeof(_lmf_data) != qlread( li, &lmf_data, sizeof(_lmf_data) ) )
        return 0;                                                          // short read: reject the file
      switch(lmf_data.segment_index)
      {
        ...
        case _LMF_COMMENT_REC:
          break;
        ...
      }
    }
The code below shows the checks made before the vulnerable loop. The structure to the right shows the fields with required values.
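As an added example (not code from the slides, and not IDA’s or QNX’s own code), the following C program walks the same kind of record chain but refuses to continue when the computed next offset does not move past the current record, which is exactly the condition that makes the loop above spin forever. The 6-byte record layout (16-bit segment_index followed by a 32-bit little-endian offset), the record-type values, the record cap and the test bytes are all constructed for this example; the real QNX layout is not reproduced here.

```c
/* Added example: a bounded, progress-checked walk over a chain of
 * lmf_data-style records.  All layout constants and sample bytes below
 * are constructed for this example and are not taken from QNX or IDA. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REC_SIZE        6u      /* assumed sizeof(lmf_data) */
#define LMF_COMMENT_REC 1u      /* assumed tag values */
#define LMF_EOF_REC     5u
#define MAX_RECORDS     4096    /* hard cap that the file contents cannot raise */

enum walk_status {
    WALK_TRUNCATED   = -1,  /* a record would extend past the end of input */
    WALK_NO_PROGRESS = -2,  /* next offset <= current offset: the infinite-loop case */
    WALK_TOO_MANY    = -3   /* more than MAX_RECORDS records */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the chain starting at byte offset `start`.  Returns the number of
 * non-EOF records on success, or a negative walk_status on failure. */
long walk_lmf_records(const uint8_t *buf, size_t len, uint32_t start)
{
    uint32_t at = start;    /* same 32-bit type as the original loop */
    long count = 0;

    for (;;) {
        /* Bounds check in 64 bits so at + REC_SIZE cannot wrap. */
        if ((uint64_t)at + REC_SIZE > len)
            return WALK_TRUNCATED;
        uint16_t seg = rd16(buf + at);
        uint32_t off = rd32(buf + at + 2);
        if (seg == LMF_EOF_REC)
            return count;
        if (++count > MAX_RECORDS)
            return WALK_TOO_MANY;
        /* Same arithmetic as the original: wraps when off == -REC_SIZE. */
        uint32_t next = at + REC_SIZE + off;
        /* A loader that advances must land strictly after the record it
         * just read; anything else is a non-advancing or backward chain. */
        if (next <= at)
            return WALK_NO_PROGRESS;
        at = next;
    }
}

/* Write one constructed record header at p; returns bytes written. */
static size_t put_rec(uint8_t *p, uint16_t seg, uint32_t off)
{
    p[0] = (uint8_t)seg;          p[1] = (uint8_t)(seg >> 8);
    p[2] = (uint8_t)off;          p[3] = (uint8_t)(off >> 8);
    p[4] = (uint8_t)(off >> 16);  p[5] = (uint8_t)(off >> 24);
    return REC_SIZE;
}

/* Constructed well-formed chain: two comment records with 4-byte payloads, then EOF. */
long demo_good(void)
{
    uint8_t buf[64]; size_t n = 0;
    n += put_rec(buf + n, LMF_COMMENT_REC, 4); memset(buf + n, 0xAA, 4); n += 4;
    n += put_rec(buf + n, LMF_COMMENT_REC, 4); memset(buf + n, 0xBB, 4); n += 4;
    n += put_rec(buf + n, LMF_EOF_REC, 0);
    return walk_lmf_records(buf, n, 0);
}

/* Constructed hostile chain: offset == (uint32)-sizeof(record), the case on the slide. */
long demo_hostile(void)
{
    uint8_t buf[64]; size_t n = 0;
    n += put_rec(buf + n, LMF_COMMENT_REC, (uint32_t)0u - REC_SIZE);
    n += put_rec(buf + n, LMF_EOF_REC, 0);
    return walk_lmf_records(buf, n, 0);
}

int main(void)
{
    printf("well-formed chain: %ld\n", demo_good());     /* 2 records */
    printf("hostile chain:     %ld\n", demo_hostile());  /* -2 (WALK_NO_PROGRESS) */
    return 0;
}
```

The two checks that matter are the strict `next <= at` comparison, which rejects both the wrap-to-self case and any chain that points backwards, and the record cap, which bounds the work a file can demand even when every offset does advance. The short-read check mirrors the `return 0` in the original snippet.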
We can make a COM file containing raw 16-bit assembly code. The NTVDM (NT Virtual DOS Machine) initializes AX to 0x0000, but since we’re in virtualized real mode, we can write to that address without throwing an exception.
Demo
• Running the COM file
• Opening the COM file in IDA Pro

Icing on the Cake
• We can rename the .com file to a .exe file and Windows will still run it (and IDA will still fail to load it)