Reverse Engineering for Exploit Writers



Reverse Engineering for Exploit Writers
Nibin Varghese
iViZ Security, Kolkata
Agenda
- Exploitation overview
- Reverse engineering tools
- Case study: MS08-067
Exploitation Overview
- Software vulnerabilities exist
- Reliable exploitation techniques exist
  - Stack overflow
  - Heap overflow
- Exploit mitigation
  - Prevent or impede a class of vulnerabilities
  - Patch the vulnerability
  - Disable the service
  - Generic mitigations
Reverse Engineering Tools
- IDA Pro
- BinDiff plugin for IDA
- OllyDbg, Immunity Debugger or WinDbg
- Debugging symbols
- Sysinternals tool suite
- Any scripting language to write the PoC (Python, Ruby, etc.)
MS08-067
- Windows Server Service vulnerability
- Out-of-band release
- Details:
  "Error in netapi32.dll when processing directory traversal character sequence in path names. This can be exploited to corrupt stack memory by e.g. sending RPC requests containing specially crafted path names to the Server service component" (secunia.com)
Structure of the x86 stack frame (listed from lower to higher addresses)
  Local variables
  Saved EBP
  Saved IP (return address)
  Arguments
The stack grows towards lower addresses, so a write that runs past the end of a local buffer moves up into the saved EBP and the saved IP.
Classical overflow
  Local variables (the overflowed buffer)
  Saved EBP
  Saved IP (overwritten)
  Arguments
The return address is overwritten with the address of the shellcode.
Reverse engineering the patch
- Demo
The Bug
- Decompiled by Alexander Sotirov
- Visual demo of the bug
The Bug (contd..)
Netapi32!NetpwPathCanonicalize, shown on the slide as vulnerable_function(wchar *path); the copy inside it is wcscpy(dst, src).
Example path: \\computername\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAA
After the first "..\\" is processed the buffer holds: \\..\\AAAAAAAAAAAAAAAAAAAAAAAAA
(figure: the path buffer with ptr_path at its start and ptr_previous_slash and ptr_current_slash pointing into it; lower addresses at the top, higher addresses at the bottom)
1. ptr_path points to the beginning of the buffer.
2. Parses to find the current slash and the previous slash '\\'.
3. Finds "..", so the current slash pointer moves forward.
4. Data from the current slash pointer is copied to ptr_path.
5. If the pointer is at the beginning of the buffer, a pointer moves backward to find the previous slash '\\'.
   5a. Results in an access violation if no '\\' is found.
   5b. Copies to the new destination if a '\\' is found.
(figure: stack layout; labels recovered in figure order: Shell Code, Saved EBP, Return Address of wcscpy, (ptr1 - 1) where "\\..\\AAAAAA" is written, Saved EBP, Return Address of vulnerable_function, the path argument \\c\\..\\..\\AAAA..., with ptr_path, ptr1 and ptr2 pointing into the buffer)
The Bug (contd..)
- Not a classical buffer overflow
  - The destination buffer is large enough to hold the contents copied from the source
- The hunt for '\\' when the pointer already points to the beginning of the buffer is what makes it a bug: the scan walks below the buffer, and if it finds a '\\' there the copy lands below the buffer as well
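To make steps 1-5b concrete, here is an added example: a constructed model written for this page, not code from the talk, not Alexander Sotirov's decompile and not the netapi32 code. It reproduces only the control flow the slides describe, in C, on a flat array whose leading cells stand in for the stack below the path buffer (where the slides place wcscpy's return address). Assumptions: the parser starts where ptr_path points, after the \\computername\ component has been skipped, so the slides' \\computername\..\..\AAAA becomes ..\..\AAAA; a backslash planted below the buffer models the "predictable location of '\\' in the stack" vector mentioned later; and the patched behaviour is modelled simply as refusing to scan below the start of the buffer (the page does not show the real fix). The names canonicalize, frame_t, frame_init, frame_clobbered, run, BELOW, CAP and SLASH_AT are mine.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/*
 * Constructed model of the ".." handling the slides describe for
 * Netapi32!NetpwPathCanonicalize. NOT the netapi32 code and NOT Sotirov's
 * decompile: only the step sequence 1-5b, so the backward hunt can be watched.
 *
 * `path` is the slides' ptr_path: the canonicalizable part of the name with
 * the leading \\computername\ already skipped (assumption). Works in place.
 * Returns 1 when the path is accepted, 0 when the fixed variant refuses to
 * look below the start of the buffer (modelled patch behaviour).
 */
static int canonicalize(wchar_t *path, int fixed)
{
    wchar_t *p = path;

    while (*p != L'\0') {
        int is_dotdot = p[0] == L'.' && p[1] == L'.' &&
                        (p[2] == L'\\' || p[2] == L'\0') &&
                        (p == path || p[-1] == L'\\');
        if (!is_dotdot) {
            p++;
            continue;
        }

        wchar_t *src = p + 2;   /* step 3: text after "..", i.e. "\rest" or "" */
        wchar_t *dst;

        if (p == path) {
            dst = path;         /* step 4: nothing before "..", collapse onto ptr_path */
        } else {
            /* step 5: p[-1] is the current slash; hunt backward for the previous one.
             * The vulnerable variant has no lower bound and walks below the buffer. */
            wchar_t *q = p - 1;
            do {
                if (fixed && q == path)
                    return 0;   /* modelled patch: never scan below the buffer */
                q--;
            } while (*q != L'\\');   /* step 5a: with no '\\' anywhere below, this is the AV */
            dst = q;
        }

        /* step 5b: the copy. The slides show wcscpy(dst, src); wmemmove is used
         * here only because src and dst may overlap in this model. */
        wmemmove(dst, src, wcslen(src) + 1);
        p = dst;
    }
    return 1;
}

#define BELOW    8   /* cells modelling the stack below the path buffer */
#define CAP      32  /* the path buffer itself */
#define SLASH_AT 5   /* where a '\\' is planted below the buffer (constructed) */

typedef struct {
    wchar_t mem[BELOW + CAP];   /* mem[0..BELOW-1] is "below", mem[BELOW..] is the buffer */
} frame_t;

/* Fill the cells below the buffer with 'R' (standing in for saved EBP and the
 * return address of wcscpy in the slides' picture), plant one '\\' among them,
 * then copy the constructed input path into the buffer. */
static void frame_init(frame_t *f, const wchar_t *input)
{
    for (int i = 0; i < BELOW; i++)
        f->mem[i] = L'R';
    f->mem[SLASH_AT] = L'\\';
    wcsncpy(f->mem + BELOW, input, CAP - 1);
    f->mem[BELOW + CAP - 1] = L'\0';
}

static wchar_t *frame_path(frame_t *f) { return f->mem + BELOW; }

/* Number of cells below the buffer that no longer hold their initial value. */
static int frame_clobbered(const frame_t *f)
{
    int n = 0;
    for (int i = 0; i < BELOW; i++) {
        wchar_t expect = (i == SLASH_AT) ? L'\\' : L'R';
        if (f->mem[i] != expect)
            n++;
    }
    return n;
}

/* Lay out a fresh frame with `input` and run one variant; returns the verdict. */
static int run(frame_t *f, const wchar_t *input, int fixed)
{
    frame_init(f, input);
    return canonicalize(frame_path(f), fixed);
}

int main(void)
{
    frame_t f;
    int ok = run(&f, L"..\\..\\AAAA", 0);
    printf("vulnerable: accepted=%d, cells below buffer clobbered=%d, buffer now \"%ls\"\n",
           ok, frame_clobbered(&f), frame_path(&f));
    ok = run(&f, L"..\\..\\AAAA", 1);
    printf("fixed:      accepted=%d, cells below buffer clobbered=%d\n", ok, frame_clobbered(&f));
    ok = run(&f, L"share\\dir\\..\\file", 1);
    printf("fixed, benign path: accepted=%d, result \"%ls\"\n", ok, frame_path(&f));
    return 0;
}
```

Run as is, the vulnerable variant accepts ..\..\AAAA: the first ".." collapses onto ptr_path (step 4), the second one finds a slash at the buffer start and hunts backward (step 5) until it hits the planted '\\', and the copy (step 5b) overwrites two cells below the buffer with the A's that follow the second "..", which is the corruption the slides draw at (ptr1 - 1). The fixed variant rejects the same input with nothing touched and still canonicalizes share\dir\..\file to share\file. Step 5a, the access violation when no '\\' exists below the buffer, is not modelled because the scan would run off the array.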
Ready for PoC
- Identify the vector of exploitation
  - 3 possible ways
    - wcslen of the path
    - Predictable location of '\\' in the stack after repeated interaction
    - The Metasploit way of calculating the device_length
Mass Exploitation
- If there is no NX, return to the stack and execute the shellcode
- If NX is enabled, disable DEP/NX by abusing the NtSetInformationProcess native API (ntdll), then return to the stack and execute the shellcode
  - Refer to the Skape and Skywing paper in Uninformed Journal, "Bypassing Windows Hardware-enforced Data Execution Prevention"
  - This only works when the system DEP policy permits per-process opt-out; under the AlwaysOn policy the process cannot turn DEP off
- In Vista, ASLR makes return addresses unpredictable
Thank You
- Thanks to the Research Team @ iViZ Security
- Thanks to the ClubHack 08 organizers
- Thanks to all the attendees
Ready for Phase 2?