Reverse Engineering for Exploit Writers
Nibin Varghese, iViZ Security, Kolkata
Agenda
- Exploitation overview
- Reverse engineering tools
- Case study: MS08-067
Exploitation Overview
- Software vulnerabilities exist
- Reliable exploitation techniques exist: stack overflow, heap overflow
- Exploit mitigation: prevent or impede a whole class of vulnerabilities rather than one bug
  - Patch the vulnerability
  - Disable the service
  - Generic mitigations such as DEP/NX and ASLR
Reverse Engineering Tools
- IDA Pro
- BinDiff plugin for IDA (diff the unpatched and patched binary to find the changed function)
- OllyDbg, Immunity Debugger or WinDbg
- Debugging symbols (Microsoft's public symbol server)
- Sysinternals tool suite
- Any scripting language to write the PoC (Python, Ruby, etc.)
MS08-067: Windows Server Service Vulnerability
- Out-of-band release (October 2008, CVE-2008-4250)
- Details: "Error in netapi32.dll when processing directory traversal character sequence in path names. This can be exploited to corrupt stack memory by e.g. sending RPC requests containing specially crafted path names to the Server service component." (secunia.com)
Structure of an x86 stack frame
The stack grows towards lower addresses. Inside one frame, from lower to higher address:
- Local variables
- Saved EBP
- Saved EIP (the return address)
- Arguments
Classical Overflow
A local buffer is overrun towards higher addresses, so the copy runs over the saved EBP and the return address, which is overwritten with the address of the shellcode:
- Local variables (the overflowed buffer)
- Saved EBP (clobbered)
- Saved EIP (now the address of the shellcode)
- Arguments
Reverse engineering the patch: Demo
BinDiff the unpatched and patched netapi32.dll to locate the function the update changed, then read the changed basic blocks in IDA.
The Bug
- Decompiled C source of the vulnerable function published by Alexander Sotirov
- Visual demo of the bug
The Bug (contd.)
Input path (the slide's doubled backslashes are C-string escaping): \computername\..\..\AAAAAAAAAAAAAAAAAAAAAAAAA
Pointers: ptr_path, ptr_previous_slash, ptr_current_slash; the buffer runs from lower to higher address.
1. ptr_path points to the beginning of the buffer.
2. The function parses forward to find the current slash and the previous slash ('\').
3. It finds "..", so the current slash pointer moves forward past it.
4. The data from the current slash pointer is copied over the previous slash, collapsing "\computername\.." and leaving \..\AAAAAAAAAAAAAAAAAAAAAAAAA at ptr_path.
5. Now the previous slash pointer is at the beginning of the buffer, so the pointer moves backward, below the start of the buffer, looking for an earlier '\'.
   5a. Access violation if no '\' is found.
   5b. If a '\' is found, the remainder is copied to that new destination, which lies below the buffer.
The Bug: stack view
Call chain: Netapi32!NetpwPathCanonicalize -> vulnerable_function(wchar *path) -> wcscpy(dst, src).
Stack, from higher to lower address: the path buffer (in the caller's frame); return address of vulnerable_function; saved EBP; vulnerable_function's locals; return address of wcscpy; saved EBP of the wcscpy frame.
Buffer contents at this point: \c\..\..\AAAAAAAAAAA AAAA AAAA AAAA <shell code>. ptr1 is the '\' of the leading "\.." at ptr_path, so the backward search starts at (ptr1 - 1), already below the buffer, and stops at ptr2, the first '\' it meets in the callee frames. The copy of everything after that ".." to ptr2 then writes the AAAA padding and the shell code upward from ptr2, over the saved EBP and the return address of vulnerable_function.
The Bug (contd.)
- Not a classical buffer overflow: the destination buffer is large enough for the source, so nothing is written past its end.
- The hunt for '\' when the pointer is already at the beginning of the buffer is the bug: the search walks backward out of the buffer, so the copy destination becomes whatever address below the buffer happens to hold a '\' (a wide 0x005C), and the copy overwrites the callee frames, including the return address of vulnerable_function.
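The mechanism above, as an added example that is not Sotirov's decompilation, not the netapi32.dll code and not the slide's PoC: a simplified C model of the "\.." collapsing loop with the vulnerable unbounded backward search beside the bounded search the patch introduces. The arena layout, the stray '\' placed below the buffer, the marker standing in for the saved return address and the input path are all constructed for the demo; the real function handles more cases, and on a real stack the content below the buffer is whatever the callee frames left there.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* Constructed arena (wchar_t units). Everything below PATH_OFFSET models the
 * stack beneath the path buffer (the callee frames on the slide); the path
 * itself starts at arena + PATH_OFFSET. Keeping that "stack below" inside one
 * array we own is what lets the vulnerable search run here without faulting. */
#define ARENA_WCHARS 64
#define PATH_OFFSET  16   /* path[0] lives here */
#define SLASH_AT      4   /* a stray L'\\' in a callee frame (constructed) */
#define RET_AT       10   /* two wchar_t standing in for a saved return address */

/* Simplified model of the "\.." collapsing step (not the real code):
 *  - walk forward to each '\' (ptr_current_slash),
 *  - on "\..", walk backward from the char before it to the previous '\'
 *    (ptr_previous_slash),
 *  - copy what follows ".." over that previous '\' (the wcscpy on the slide).
 * fixed == 0 reproduces the bug: the backward walk has no lower bound.
 * fixed == 1 models the patch: the walk never goes below path[0].
 * `lowest` is the first readable address of the arena; reaching it without a
 * '\' is reported as PTRDIFF_MIN (step 5a, an access violation for real).
 * Otherwise the return value is the offset of the last copy destination from
 * path[0]; negative means the write landed below the buffer. */
static ptrdiff_t collapse_dotdot(wchar_t *path, const wchar_t *lowest, int fixed)
{
    wchar_t *cur = path;
    ptrdiff_t last_dest = 0;

    while ((cur = wcschr(cur, L'\\')) != NULL) {
        int is_dotdot = cur[1] == L'.' && cur[2] == L'.' &&
                        (cur[3] == L'\\' || cur[3] == L'\0');
        if (!is_dotdot) {
            cur++;                      /* ordinary component: keep scanning */
            continue;
        }
        /* ptr_previous_slash starts one char before the current slash; when the
         * "\.." sits at path[0] that is already outside the buffer (step 5) */
        wchar_t *prev = cur - 1;
        if (fixed) {
            if (prev < path)
                prev = path;            /* patched: never leave the buffer */
            while (prev > path && *prev != L'\\')
                prev--;
        } else {
            for (;;) {                  /* vulnerable: no lower bound at all */
                if (*prev == L'\\')
                    break;
                if (prev == lowest)
                    return PTRDIFF_MIN; /* 5a: ran off the stack */
                prev--;
            }
        }
        /* 5b: the wcscpy(dst, src): drop "\..", pull the rest down to prev */
        wmemmove(prev, cur + 3, wcslen(cur + 3) + 1);
        last_dest = prev - path;
        cur = prev;                     /* re-scan from the new position */
    }
    return last_dest;
}

/* Stale frame filler, optionally a stray '\' below the buffer, a marker for the
 * saved return address, then the attacker-controlled path. */
static void build_arena(wchar_t *arena, int stray_slash)
{
    wmemset(arena, L'F', ARENA_WCHARS);
    if (stray_slash)
        arena[SLASH_AT] = L'\\';
    arena[RET_AT] = arena[RET_AT + 1] = L'R';
    wcscpy(arena + PATH_OFFSET, L"\\c\\..\\..\\AAAAAAAAAAAA");
}

/* Runs one variant; 1 = return-address marker intact, 0 = overwritten with
 * attacker-controlled 'A's, -1 = the search ran off the bottom (5a). */
static int run_model(int fixed, int stray_slash, ptrdiff_t *dest_out)
{
    wchar_t arena[ARENA_WCHARS];
    ptrdiff_t dest;

    build_arena(arena, stray_slash);
    dest = collapse_dotdot(arena + PATH_OFFSET, arena, fixed);
    if (dest_out)
        *dest_out = dest;
    if (dest == PTRDIFF_MIN)
        return -1;
    return (arena[RET_AT] == L'R' && arena[RET_AT + 1] == L'R') ? 1 : 0;
}

int main(void)
{
    static const char *verdict[] = { "return address overwritten", "return address intact" };
    ptrdiff_t dest;
    int r;

    r = run_model(0, 1, &dest);
    printf("vulnerable, stray '\\' below buffer: dest offset %td -> %s\n", dest, verdict[r]);
    r = run_model(1, 1, &dest);
    printf("patched,    stray '\\' below buffer: dest offset %td -> %s\n", dest, verdict[r]);
    r = run_model(0, 0, &dest);
    printf("vulnerable, no '\\' below buffer:    %s\n",
           r < 0 ? "search runs off the stack (access violation)" : verdict[r]);
    return 0;
}
```

The vulnerable run lands the copy 12 wide characters below path[0], which in the model is the "return address" marker; the patched run copies to path[0] and leaves the marker alone; with no '\' below the buffer the vulnerable search simply keeps walking until it faults, which is the 5a case of the slide and the reason a PoC needs a predictable '\' on the stack.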
Ready for PoC
Identify the vector of exploitation; three possible ways:
- wcslen of the path
- A predictable location of '\' on the stack after repeated interaction
- The Metasploit way of calculating the device_length
Mass Exploitation
- If NX is off: return into the stack and execute the shellcode.
- If NX is on: disable DEP/NX for the process by abusing the native API NtSetInformationProcess (ProcessExecuteFlags), then return into the stack and execute the shellcode. See the Skape and Skywing paper in the Uninformed Journal, "Bypassing Windows Hardware-enforced Data Execution Prevention". This only works while DEP is not permanently enabled for the process.
- On Vista, ASLR makes return addresses unpredictable.
Thank You
- Thanks to the Research Team @ iViZ Security
- Thanks to the ClubHack 08 organizers
- Thanks to all the attendees
Ready for Phase 2 ?
