170 likes | 193 Views
Explore reverse engineering tools, case study MS08-067, and exploitation techniques - from software vulnerabilities to exploit mitigations. Learn about Windows Server Service Vulnerability, stack frame structures, and the process of reverse engineering security patches. Discover the bug, its decompilation, and implications on system security. Dive into the intricacies of ptr_path manipulation and potential exploitation vectors. Get insights on mass exploitation methods with and without NX protection. Stay ahead in securing systems with tips on countering DEP/NX bypass techniques in Vista.
E N D
Reverse Engineering for Exploit Writers Nibin Varghese iViZ Security, Kolkata
Agenda • Exploitation Overview • Reverse Engineering Tools • Case Study MS08-067
ExploitationOverview • Software vulnerabilities exist • Reliable exploitation techniques exist • Stack overflow • Heap overflow • Exploit mitigation • Prevent or impede a class of vulnerabilities • Patch the vulnerability • Disable the service • Generic mitigations
Reverse Engineering Tools • IDA Pro • Bindiff Plugin for IDA • Ollydbg or Immunity Debugger or Windbg • Debugging Symbols • Sysinternals tool suite • Any scripting language to write PoC (Python, Ruby etc)
MS08-067 • Windows Server Service Vulnerability • Out of band release • Details: Error in netapi32.dll when processing directory traversal character sequence in path names. This can be exploited to corrupt stack memory by example sending RPC requests containing specially crafted path names to the Server service component – secunia.com
Structure of X86 stack frame Local Variables Saved EBP Saved IP Arguments Stack grows towards lower addresses
Classical Overflow Local Variables Saved EBP Saved IP Arguments Return address overwritten with address of shellcode
The Bug • Decompiled by Alexander Sotirov • Visual demo of the bug
The Bug(contd..) ptr_current_slash ptr_previous_slash \\computername\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAA \\..\\AAAAAAAAAAAAAAAAAAAAAAAAA Lower Address Higher Address • ptr_path points to the beginning of the buffer • Parses to find current slash and previous slash‘\\’ • Finds “..”, so the current slash pointer moves forward • Data from Current slash pointer is copied to ptr_path • If the pointer is at the beginning of the buffer, a pointer moves backward to find previous slash“\\”. • 5a. Results in access violation if no “\\” are found • 5b. Copies to the new destination if “\\” is found ptr_path
Netapi32!NetpwPathCanonicalize vulnerable_function( wchar *path ) wcscpy(dst,src) AAAA Saved EBP AAAA Return Address of wcscpy AAAA • ptr_path points to the beginning of the buffer • Parses to find current slash and previous slash‘\\’ • Finds “..”, so the current slash pointer moves forward • Data from Current slash pointer is copied to ptr_path • If the pointer is at the beginning of the buffer, a pointer moves backward to find previous slash“\\”. • 5a. Results in access violation if no “\\” are found • 5b. Copies to the new destination if “\\” is found ptr2 (ptr1 – 1) ptr1 \\..\\AAAAAA ptr_path Shell Code Saved EBP Return Address of vulnerable_function \\c\\..\\.. \\AAAAAAAAAAA \\..\\AAAAAAAAAAA path
The Bug (contd..) • Not a classical buffer overflow • The destination buffer is large enough to copy the contents from source • The hunt for “\\” if the pointer points to the beginning of the buffer makes it a BUG
Ready for PoC • Identify the vector of exploitation • 3 possible ways • wcslen of path • Predictable location of “\\” in the stack after repeated interaction • Metasploit way of calculating the device_length
Mass Exploitation • If no NX, return to stack and execute shellcode • If NX enabled, disable DEP/NX by abusing Win32 API NtSetInformationProcess and return to stack and execute shellcode. • Refer Skape and Skywing paper on Uninformed Journal “Bypassing Windows Hardware-enforced Data Execution Prevention” • In Vista, ASLR makes return addresses unpredictable.
Thank You • Thanks to Research Team@iViZ Security • Thanks to Clubhack 08 organizers • Thanks to all the attendees