Reverse Engineering for Exploit Writers
Nibin Varghese, iViZ Security, Kolkata
May 20, 2015
Agenda
Exploitation Overview
Reverse Engineering Tools
Case Study: MS08-067
Exploitation Overview
Software vulnerabilities exist
Reliable exploitation techniques exist
  Stack overflow
  Heap overflow
Exploit mitigation
  Prevent or impede a class of vulnerabilities
  Patch the vulnerability
  Disable the service
  Generic mitigations
Reverse Engineering Tools
IDA Pro
BinDiff plugin for IDA
OllyDbg or Immunity Debugger or WinDbg
Debugging symbols
Sysinternals tool suite
Any scripting language to write PoC (Python, Ruby etc.)
MS08-067
Windows Server Service vulnerability
Out-of-band release
Details:
Error in netapi32.dll when processing directory traversal character sequences in path names. This can be exploited to corrupt stack memory by e.g. sending RPC requests containing specially crafted path names to the Server service component. – secunia.com
Structure of x86 stack frame
[ Local Variables | Saved EBP | Saved IP | Arguments ]
Stack grows towards lower addresses
Classical Overflow
[ Local Variables | Saved EBP | Saved IP | Arguments ]
Return address overwritten with address of shellcode
Reverse engineering the patch
Demo
The Bug
Decompiled by Alexander Sotirov
Visual demo of the bug
The Bug(contd..)
[Diagram: ptr_path at the start of the buffer \\computername\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAA, with ptr_previous_slash and ptr_current_slash marking the two separators]
1. ptr_path points to the beginning of the buffer
2. Parses to find the current slash and the previous slash "\\"
3. Finds "..", so the current slash pointer moves forward
4. Data from the current slash pointer is copied to ptr_path
5. If the pointer is at the beginning of the buffer, a pointer moves backward to find the previous slash "\\"
5a. Results in an access violation if no "\\" is found
5b. Copies to the new destination if "\\" is found
[Diagram: stack layout inside Netapi32!NetpwPathCanonicalize, lower addresses at the top and higher addresses at the bottom. Frames shown: vulnerable_function( wchar *path ), which calls wcscpy(dst, src). Labels from top to bottom: path buffer holding \\..\\AAAAAAAAAAAAAAAAAAAAAAAAA, Saved EBP, Return Address of wcscpy, Saved EBP, Return Address of vulnerable_function]
[Diagram: buffer contents after each copy, \\..\\AAAAAA and then \\..\\AAAAAAAAAAA; pointer labels (ptr1 – 1), ptr2, ptr1 and ptr_path placed over \\c\\..\\..\\AAAAAAAAAAA; AAAA padding followed by Shell Code]
The Bug (contd..)
Not a classical buffer overflow
The destination buffer is large enough to copy the contents from the source
The hunt for "\\" when the pointer points to the beginning of the buffer makes it a BUG
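A simplified C model of the canonicalization steps described above, added here as an illustration and not taken from the talk or from netapi32.dll: it uses narrow characters and single-backslash separators instead of the wide-character UNC path, and the backward search for the previous "\\" is bounded by the buffer start, so the point where the unpatched code would have walked into stack memory is reported as a status instead.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of canonicalizing one path in place. */
typedef enum {
    CANON_OK = 0,
    CANON_UNDERFLOW = 1   /* a ".." needed a previous '\\' that lies before the buffer start */
} canon_status;

/* Collapse "\x\.." sequences in place, following the slide's steps: the current
 * '\\' is found, a ".." behind it moves the current pointer forward, and the
 * remainder is copied down to the previous '\\'. The previous '\\' is located
 * by scanning backward from the current one. In the unpatched code that scan
 * was not stopped at the buffer start, so a ".." sitting at offset 0 walked
 * into the stack memory below the buffer; here the scan is bounded. */
canon_status canonicalize_path(char *path)
{
    char *cur = path;
    while ((cur = strchr(cur, '\\')) != NULL) {
        /* Only a "\.." component (followed by '\\' or end of string) is collapsed. */
        if (!(cur[1] == '.' && cur[2] == '.' && (cur[3] == '\\' || cur[3] == '\0'))) {
            cur++;                        /* ordinary component: keep scanning forward */
            continue;
        }
        /* Backward search for the previous separator, bounded by the buffer start. */
        size_t j = (size_t)(cur - path);  /* offset of the current '\\' */
        while (j > 0 && path[j - 1] != '\\')
            j--;
        if (j == 0)
            return CANON_UNDERFLOW;       /* unpatched code would keep scanning below path[0] */
        char *prev = path + j - 1;
        /* Copy everything after "\.." down to the previous separator. */
        memmove(prev, cur + 3, strlen(cur + 3) + 1);
        cur = prev;                       /* re-examine: the moved data may itself start with ".." */
    }
    return CANON_OK;
}

int main(void)
{
    /* Constructed sample inputs mirroring the slide's two traces. */
    char one_dotdot[] = "\\c\\..\\AAAA";      /* \c\..\AAAA: the "c" component is removed */
    char two_dotdot[] = "\\c\\..\\..\\AAAA";  /* \c\..\..\AAAA: second ".." lands at offset 0 */
    canon_status s1 = canonicalize_path(one_dotdot);
    printf("status %d, result \"%s\"\n", s1, one_dotdot);   /* status 0, result "\AAAA" */
    canon_status s2 = canonicalize_path(two_dotdot);
    printf("status %d, result \"%s\"\n", s2, two_dotdot);   /* status 1: refused */
    return 0;
}
```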
Ready for PoC
Identify the vector of exploitation: 3 possible ways
o wcslen of path
o Predictable location of "\\" in the stack after repeated interaction
o Metasploit way of calculating the device_length
Mass Exploitation
If no NX, return to stack and execute shellcode
If NX is enabled, disable DEP/NX by abusing the Win32 API NtSetInformationProcess, then return to stack and execute shellcode. Refer to the Skape and Skywing paper in Uninformed Journal, "Bypassing Windows Hardware-enforced Data Execution Prevention".
In Vista, ASLR makes return addresses unpredictable.
Thank You
Thanks to the Research Team @ iViZ Security
Thanks to the ClubHack 08 organizers
Thanks to all the attendees
Ready for Phase 2 ?