Intro to Reading & Reversing Assembly Code

Independent Study
End of Semester Presentation
‘Windows Exploitation’
Spring 2014
By: Markus Gaasedelen
Markus Gaasedelen - 5/7/2014
Windows Exploitation
1
Goals of This Study
‘… This course will explore the tools, a number of mitigations,
and their associated bypass techniques that are utilized in most
modern exploits on the Windows platform. The outcome of this
course will leave one with the ability to analyze real world
vulnerabilities and develop reliable exploits from end to end for
Windows XP – Windows 7 systems.’
-Course Abstract
Course Details & Materials
• http://gaasedelen.blogspot.com/
– My security related blog
– Includes extended homework write-ups
• http://security.cs.rpi.edu/~gaasem/winexp/
– Includes my course syllabus & plan of study
– Graded deliverables for the course
Deliverable #4
REAL BUGS, REAL CRASHES
Deliverable #4
• ‘Unique Bugs & Crashes’
– Find a piece of shareware, or some other
application that you feel should have some bugs
that aren’t too crazy to discover and see what you
can find.
Target: Fortissimo
http://www.softpedia.com/get/Multimedia/Audio/Audio-Players/Fortissimo.shtml
Attack surface
• Media files, .mp3 & .wav files
• Playlist files
• Media Player skins
• … others?
Dumb fuzzing for crashes
KEEP IT SIMPLE STUPID
Dumb Fuzzing
1. Given a sample file, change random data in it
2. Use corrupted files as input to target
3. ????
4. Repeat
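The four-step loop above, written out as an added example (not the presentation's or MiniFuzz's code): a minimal dumb mutation fuzzer in Python. The constructed ID3 sample, the target command line and the crash heuristics (signal exit on POSIX, access violation status on Windows) are assumptions, not details from the slides.

```python
import os
import random
import subprocess
from typing import List, Optional, Tuple

# Constructed stand-in for Sample.mp3: a bare ID3v2.3 header followed by padding.
SAMPLE = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 54

def mutate(sample: bytes, n_bytes: int, seed: int) -> bytes:
    """Step 1: copy the sample and overwrite n_bytes random positions with random values."""
    rng = random.Random(seed)  # seeded so a crashing case can be regenerated later
    buf = bytearray(sample)
    for _ in range(n_bytes):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def looks_like_crash(rc: Optional[int]) -> bool:
    """Step 3 heuristic: a negative status on POSIX means killed by a signal (SIGSEGV is
    -11); 0xC0000005 is a Windows access violation. None means the run timed out, which
    for a GUI player that never exits on its own simply means 'survived the window'."""
    return rc is not None and (rc < 0 or rc == 0xC0000005)

def run_target(command: List[str], path: str, timeout: float) -> Optional[int]:
    """Step 2: feed one corrupted file to the target; the child is killed on timeout."""
    try:
        return subprocess.run(command + [path], capture_output=True,
                              timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        return None

def fuzz(sample: bytes, command: List[str], iterations: int, workdir: str,
         n_bytes: int = 8, timeout: float = 5.0) -> List[Tuple[str, Optional[int]]]:
    """Step 4: repeat mutate -> run -> classify; keep only the inputs that crashed."""
    os.makedirs(workdir, exist_ok=True)
    crashes = []
    for i in range(iterations):
        path = os.path.join(workdir, f"case_{i:05d}.mp3")
        with open(path, "wb") as f:
            f.write(mutate(sample, n_bytes, seed=i))
        rc = run_target(command, path, timeout)
        if looks_like_crash(rc):
            crashes.append((path, rc))
        else:
            os.remove(path)  # uninteresting case; keep only files worth triaging
    return crashes

if __name__ == "__main__":
    # Hypothetical invocation; the target path is an assumption, not from the slides.
    for path, rc in fuzz(SAMPLE, [r"C:\Fortissimo\Fortissimo.exe"], 1000, "cases"):
        print(f"crash candidate: {path} (exit status {rc!r})")
```

Each surviving file in `cases/` is the exact input that produced the crash, which is what you load into the debugger for the "closer look" step that follows.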
Visual Representation
Diagram: Sample.mp3 → Fortissimo.exe

Visual Representation
Diagram: Sample.mp3 → MiniFuzz.exe → corrupted Sample.mp3 copies → Fortissimo.exe ("Excuse me, your file is corrupt.")

Visual Representation
Diagram: Sample.mp3 → MiniFuzz.exe → corrupted Sample.mp3 copies → Fortissimo.exe → SEGFAULT
Using MiniFuzz to Find Bugs
Enhance!
MiniFuzz output
Closer Look at the Crashes
• None in Fortissimo … but id3lib.dll?
– Wat
• id3lib.dll is the one .dll that Fortissimo includes
What is id3lib.dll?
A Crash
Another Crash
At the Top Level – Fortissimo.exe
We crash in this call
(ID3_Tag object initialization)
id3lib.dll
• There must be issues in id3lib.dll’s ability to
parse malformed .MP3 headers
– Open source!
– Start from the ID3_Tag() initialization routine and
work your way down, looking for its parsing calls
– … or try static analysis tools!
– http://sourceforge.net/projects/id3lib/
Conclusion
• Dumb fuzzing works, but it can be slow
– Use targeted fuzzing next time (e.g. PeachFuzz)
• Fortissimo – its basic media handling at least stands up to short-term dumb fuzzing
– I’m sure there are bugs in the skin & playlist handling
• The id3lib.dll library definitely has issues