Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin Varghese, iViZ Security, Kolkata
Reverse Engineering for Exploit Writers
17 pages; posted May 20, 2015

Transcript
Page 1: Nibin - Reverse Engineering for exploit writers - ClubHack2008

Nibin Varghese, iViZ Security, Kolkata

Reverse Engineering for Exploit Writers

Page 2:

Agenda

- Exploitation Overview
- Reverse Engineering Tools
- Case Study: MS08-067

Page 3:

Exploitation Overview

- Software vulnerabilities exist
- Reliable exploitation techniques exist
  - Stack overflow
  - Heap overflow
- Exploit mitigation
  - Prevent or impede a class of vulnerabilities
  - Patch the vulnerability
  - Disable the service
  - Generic mitigations

Page 4:

Reverse Engineering Tools

- IDA Pro
- BinDiff plugin for IDA
- OllyDbg, Immunity Debugger or WinDbg
- Debugging symbols
- Sysinternals tool suite
- Any scripting language to write the PoC (Python, Ruby etc.)

Page 5:

MS08-067

- Windows Server Service vulnerability
- Out-of-band release
- Details:

"Error in netapi32.dll when processing directory traversal character sequence in path names. This can be exploited to corrupt stack memory e.g. by sending RPC requests containing specially crafted path names to the Server service component" – secunia.com

Page 6:
Page 7:

Structure of the x86 stack frame

Local Variables | Saved EBP | Saved IP (return address) | Arguments   (lowest to highest address)

Stack grows towards lower addresses

Page 8:

Classical Overflow

Local Variables | Saved EBP | Saved IP (return address) | Arguments

A write past the end of the local variables runs up through the saved EBP into the saved IP: the return address is overwritten with the address of the shellcode.

Page 9:

Reverse engineering the patch

Demo

Page 10:

The Bug

- Decompiled by Alexander Sotirov
- Visual demo of the bug

Page 11:

The Bug (contd..)

ptr_path

\\computername\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAA

ptr_previous_slash   ptr_current_slash

1. ptr_path points to the beginning of the buffer.
2. The parser scans for the current slash and the previous slash ('\\').
3. It finds "..", so the current slash pointer moves forward.
4. The data from the current slash pointer onward is copied to ptr_path.
5. If the pointer is already at the beginning of the buffer, a pointer moves backward, below the start of the buffer, to find the previous slash '\\'.
   5a. Results in an access violation if no '\\' is found.
   5b. Copies to the new destination if a '\\' is found.

\\..\\AAAAAAAAAAAAAAAAAAAAAAAAA

[Figure axis: Lower Address ... Higher Address]

Page 12:

[Figure: stack layout during canonicalization. Shown from higher to lower addresses: the path buffer (`\\c\\..\\..\\AAAAAAAAAAA`, which becomes `\\..\\AAAAAAAAAAA` and then `\\..\\AAAAAA` as the `..` components are collapsed), the frame of Netapi32!NetpwPathCanonicalize, the return address and saved EBP of vulnerable_function( wchar *path ), which calls wcscpy(dst,src), and the return address and saved EBP of wcscpy. Pointers marked on the buffer: ptr_path, ptr1, ptr2 and (ptr1 – 1), the position from which the backward search for `\\` starts. When the search starts at the beginning of the buffer it runs into the frames below, and the wcscpy then writes `AAAA` ... `AAAA` followed by the shellcode forward from wherever a `\\` was found. The numbered steps 1-5b are the same as on Page 11.]

Page 13:

The Bug (contd..)

- Not a classical buffer overflow: the destination buffer is large enough to hold the contents copied from the source.
- The hunt for "\\" when the pointer already points to the beginning of the buffer is what makes it a BUG: the search runs below the start of the buffer, so the copy can land outside it.
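An added example, not from the slides, Sotirov's decompilation or netapi32 itself: my own C model of the canonicalization loop as the slides describe it. `collapse_dotdot_vuln` searches backward for the previous `\` with no lower bound, run on a simulated stack so the out-of-bounds copy can be measured rather than crash; `collapse_dotdot_fixed` bounds the search to the buffer start and rejects a `..` with nothing before it (my fix for the model, not Microsoft's patch). Function names, the simulated stack layout and the sample paths are assumptions for illustration.

```c
#include <stdio.h>
#include <wchar.h>

/* Simulated stack (constructed for the demo, not the real netapi32 frame
   layout): BELOW wide chars of "other frames" sit at lower addresses than
   the PATHLEN-wide path buffer. */
#define BELOW   32
#define PATHLEN 96

static int is_dotdot(const wchar_t *p)
{
    return p[0] == L'\\' && p[1] == L'.' && p[2] == L'.' &&
           (p[3] == L'\\' || p[3] == L'\0');
}

/* Vulnerable model of the loop on the slides. Returns 0 if every copy stayed
   inside `path`, the distance (in wchar_t) below `path` at which a copy
   landed, or -1 if the search reached `lowest` without finding a '\'
   (where the real code would take an access violation). */
int collapse_dotdot_vuln(wchar_t *path, const wchar_t *lowest)
{
    wchar_t *p = path;
    int underflow = 0;

    while (*p) {
        if (!is_dotdot(p)) { p++; continue; }

        /* Find the previous '\'. BUG: nothing keeps q >= path, so when
           p == path the search walks into whatever lies below the buffer. */
        wchar_t *q = p - 1;
        while (*q != L'\\') {
            if (q <= lowest) return -1;
            q--;
        }
        if (q < path && (int)(path - q) > underflow)
            underflow = (int)(path - q);

        /* Copy the remainder ("\..\AAAA" -> "\AAAA") to the slash found.
           The original used wcscpy; wmemmove here because the ranges overlap. */
        wmemmove(q, p + 3, wcslen(p + 3) + 1);
        p = q;
    }
    return underflow;
}

/* Hardened model: the search never goes below `path`, and a ".." with no
   component before it is rejected instead of hunted for below the buffer.
   Returns 0 on success, -1 if the path tried to escape the root. */
int collapse_dotdot_fixed(wchar_t *path)
{
    wchar_t *p = path;

    while (*p) {
        if (!is_dotdot(p)) { p++; continue; }
        if (p == path) return -1;               /* "\..": nothing to back up to */

        wchar_t *q = p - 1;
        while (q > path && *q != L'\\') q--;    /* stops at path at worst */
        wmemmove(q, p + 3, wcslen(p + 3) + 1);
        p = q;
    }
    return 0;
}

/* Runs the vulnerable routine on the slides' path with a '\' planted
   `distance` wide chars below the buffer start (0 = none planted). */
int demo_vuln(int distance)
{
    wchar_t stack[BELOW + PATHLEN];
    wchar_t *path = stack + BELOW;

    wmemset(stack, L'X', BELOW);                         /* "other frames" */
    if (distance > 0 && distance <= BELOW)
        path[-distance] = L'\\';                         /* the slash the search finds */
    wcscpy(path, L"\\computername\\..\\..\\AAAAAAAA");   /* constructed input */
    return collapse_dotdot_vuln(path, stack);
}

/* Runs the fixed routine on `in`: 0 if it produced `expected`,
   1 if it produced something else, -1 if the path was rejected. */
int demo_fixed(const wchar_t *in, const wchar_t *expected)
{
    wchar_t buf[PATHLEN];
    wcsncpy(buf, in, PATHLEN - 1);
    buf[PATHLEN - 1] = L'\0';
    if (collapse_dotdot_fixed(buf) != 0) return -1;
    return wcscmp(buf, expected) == 0 ? 0 : 1;
}

int main(void)
{
    printf("vuln, no '\\' below buffer: %d (-1 = access violation)\n", demo_vuln(0));
    printf("vuln, '\\' 5 wchar below:   %d (copy landed 5 below)\n", demo_vuln(5));
    printf("fixed, dir\\..\\file:       %d (0 = canonical)\n",
           demo_fixed(L"\\computername\\dir\\..\\file", L"\\computername\\file"));
    printf("fixed, \\..\\..:            %d (-1 = rejected)\n",
           demo_fixed(L"\\computername\\..\\..\\AAAA", L""));
    return 0;
}
```

The measured distance is the point of the model: wherever a `\` happens to lie below the buffer (the "predictable location of `\\` in the stack" the later slide talks about), that is where the forward copy of `\AAAA...` begins, so the attacker's bytes land in the frames below the buffer rather than in it.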

Page 14:

Ready for PoC

Identify the vector of exploitation. 3 possible ways:
  o wcslen of path
  o Predictable location of "\\" in the stack after repeated interaction
  o The Metasploit way of calculating the device_length

Page 15:

Mass Exploitation

- If no NX: return to the stack and execute the shellcode.
- If NX is enabled: disable DEP/NX for the process by abusing the native API NtSetInformationProcess (ProcessExecuteFlags), then return to the stack and execute the shellcode. See the Skape and Skywing paper in Uninformed Journal, "Bypassing Windows Hardware-enforced Data Execution Prevention". This only works where DEP has not been permanently enabled for the process.
- On Vista, ASLR makes return addresses unpredictable.

Page 16:

Thank You

Thanks to the Research Team @ iViZ Security. Thanks to the ClubHack 08 organizers. Thanks to all the attendees.

Page 17:

Ready for Phase 2?