SlideShare a Scribd company logo

Reverse engineering – debugging fundamentals

Eran Goldstein
Eran Goldstein

This document discusses debugging fundamentals and provides an overview of different debuggers. It summarizes how debuggers like Immunity Debugger, WinDbg, and OllyDbg work to test and troubleshoot target programs. The document also introduces security fuzzers and describes how they work with debuggers to detect vulnerabilities by providing unexpected input data to programs and monitoring for exceptions or memory leaks. An example is provided of using the Immunity Debugger and Infigo FTPStress Fuzzer to analyze and attempt to crash an FTP server.

1 of 6
Downloaded 17 times
Reverse Engineering – Debugging Fundamentals The debugger concept and purpose is to test and troubleshoot another written program. Whether the debugger is a simple script, tool or a more complex computer program the idea is to utilize it in order see and verify the functionality of the “target” program / application in such a form that one can see and understand via the debugger what is happening while the “target” program / application runs and especially when it stops. The “target” program’s / application’s code that is examined (by the debugger) might al-ternatively be running on an Instruction Set Simulator (ISS). The ISS is a certain form of tech-nique that gives the ability to halt when specific conditions are encountered but which will typically be somewhat slower than executing the code di-rectly on the appropriate (or the same) processor. When the “target” program / application reach-es a running condition or when the program can-not normally continue due to a programming bug (what is commonly known as a “crash”) the debug-ger typically shows the location in the original code whether it is a source-level debugger (which gives the line or expression within the source code that resulted from the debugger’s actions.) or symbolic debugger (which displays procedure and variable names that are stored in the debugger). The Various Debuggers There are many debuggers available for the pur-pose in question, among the more common names are; WinDbg, Valgrind, LLDB Debugger, GNU De-bugger (GDB), Immunity Debugger, OllyDbg and many more. As the list is quite long and this ar-ticle’s purpose is to focus on the fundamentals of the debugger concept we’ll put an emphasis on three debugger types this time: The immunity De-bugger, WinDbg and OllyDbg. The first is the Immunity Debugger. This debug-ger has both interfaces types; the GUI and a com-mand line. The command line can be seen at all times on the bottom of the GUI. The Immunity De-bugger can write exploits, analyze malware, and reverse engineer binary files. The base platform of this tool is a solid user interface with graphing function and a fine analysis tool built especially for heap creation. This debugger has a well-support-ed Python API on top of its other features. The second debugger we’ll review is the WinDbg – this is a multipurpose tool for Microsoft’s Win-dows operation system. The WinDbg can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. The third and last debugger tool we’ll review is the OllyDbg. This is an x86 debugger who can trace reg-isters, recognizes procedures, API calls, switches, tables, constants and strings, as well as locate rou-tines from object files and libraries. The main focus for this debugger is the binary code analysis which is useful when the source code is unavailable. Launching the environment Pre-Requisites • Microsoft windows XP/Vista/7 machine. • Immunity Debugger – http://debugger.immuni-tyinc. com/ 50 02/2013
EXTRA • Vulnerable FTP Server – http://frogteam.go-zure. com/FTP-Server.zip • FTP Fuzzer – http://frogteam.gozure.com/ Infigo.zip In this section we’ll show the basic actions re-quired to work with the debugger. Prior to starting this section please note that you’ll need to estab-lish the environment based on the pre-requisites listed above. Once you’ve completed the relevant actions you should have a windows machine with all the files from the links above, and you have in-stalled the Immunity Debugger which we will be used during this section. Once the machine is up and running, you may launch the Immunity Debugger. Immunity Debugger is a debugger with function-ality designed specifically for the security industry. Once the Immunity Debugger is up and running as can be seen in the image below we can start our FTP Server and then attach the Immunity De-bugger to the FTP Server process (Figure 1). In order to attach the Immunity Debugger to the FTP Server process we’ll need to perform the fol-lowing actions: • On Windows machine, extract the ‘FTP-Server. zip’ compressed file you’ve downloaded. • Double-click on ‘FTPServer.exe’ to start the FTP Server. • Return to the Immunity Debugger and click on File -> Attach (or Ctrl+F1) • On the Process list, select the “FTPServer” (TCP: 21) and click on the Attach button. When you attach the debugger to a running pro-cess it will pause. In the Immunity Debugger up-per bar, you can resume the process by click the “Play” button or create a new thread by choos-ing the “Restart” button and then the “Play” button (Figure 2 and Figure 3). In order to connect and authenticate the FTP Server simply flow up on the standard procedure and type the relevant username and password (e.g. user credentials). One should assume that these variables need to be passed from the client to the server and there-fore, the program needs to store them somehow Figure 1. Immunity Debugger Started Figure 2. Attaching the “FTPServer” Process Figure 3. New thread Created and FTPServer is Ready for Connections Figure 4. Connect and Authenticate to the FTP Server www.hakin9.org/en 51
in memory. For our analysis we need to ask our-selves the following questions: • What kind of information it should contain (user info, program info, etc...)? • Which type of data they are able to accept (In-teger, String, etc...)? • How many characters should there be (there is a chance for Buffer-Overflow)? • Are there any characters that the variables should ignore (Bad-Characters)? In order to find these answers, we need to find a vulnerable FTP function or command- this can be done automatically or manually. For an easy start (which will save time) it is sometimes recom-mended to use automated tools. Once a “buffer-overflow” vulnerability exists, we have to find the amount of “junk data” that, when sent to the appli-cation, will overwrite the register. Stack-based buffer overflows techniques Users may exploit stack-based buffer overflows to manipulate the program to their advantage in one of the following ways: • By overwriting a local variable which is near the memory‘s buffer on the stack to change the behavior of the program which may benefit the attacker. • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as it was specified by the at-tacker. Usually a user’s input fills the buffer. • By overwriting a function pointer, or exception handler, which is subsequently executed. With a method called trampolining, if the address the user-supplied is listed as data unknown and the location will still be stored in a register, then the return address can be overwritten with the ad-dress of an opcode (operation code, a part of a language instruction that specifies the operation which will be performed) – this will cause the exe-cution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause ex-ecution of user supplied data. The locations of suit-able opcodes, or bytes in memory, can be found in DLLs or the executable itself. Please note that the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. Security Fuzzer Another important term is the fuzzer. Security Fuzzer is a tool used by security professionals and profes-sional hackers to test a parameter of an application. Typical fuzzers test an application for buffer over-flows, format string vulnerabilities, and error handling. Both fuzzer and debugger work together to de-tect security problems on a system, and it’s soft-ware. The fuzzer provides invalid, unexpected, or random data to the inputs of the target program and then monitors for exceptions such as failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test and exploit development tools. More advanced fuzzers incorporate function-alities to test for directory traversal attacks, com- Figure 5.*OñHP'514USFTT'V[[FSW Figure 6. FTPStress Fuzzer Detected the Vulnerable Commands 52 02/2013
EXTRA mand execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Infigo FTPStress Fuzzer is a specific fuzzer for finding vulnerabilities in FTP server products. Al-though it is a simple tool, it has proved its efficiency by the number of vulnerabilities discovered in dif-ferent FTP server software tested with this tool. The parameters which are used for the fuzzing process are configurable. User can precisely de-fine which FTP commands will be fuzzed along with the size and type of the fuzzing data. On the windows machine from before we’ll acti-vate the “Infigo FTPStress Fuzzer” and try to crash the FTP server: • Extract the ‘Infigo.zip’ compressed file you’ve downloaded. • Double-click on the ‘ftpfuzz.exe’ file. You can try to crash the FTP Server from any oth-er external machine and to perform this step us-ing instance of ftpfuzz.exe running on deferent computer (Figure 5). Once The Fuzzer is up we’ll need to find the commands that are supported by the FTP server: • Enter the IP Address of the computer Host on which the FTP server is running (e.g. 127.0.0.1). • Next, click on Discover button. FTP Fuzzer detected the FTP commands sup-ported by FTP server. See example in Figure 6. Next we need to examine the behavior of these commands while sending “junk data”, Therefore we will configure the amount of “junk data” we want to send to the FTP server: • Click on Config button • On the configuration window, go to Fuzzing da-ta tab and click Deselect All • Check the “A” letter and then click on OK. Figure 7. FTPStress Fuzzer Configuration Window Figure 8. The Outcome Can Be Seen as the FTP Server Has Crashed Table 1.YQFDUFE3FTQPOTFJTi3$7u Total FTP commands: 2 FTP commands to fuzz: 2 Number of Fuzz tests: 26 [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 30 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 70 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood www.hakin9.org/en 53
Assuming your Infigo Fuzzer looks like the im-age below, the fuzzing process can start. Click on Start button (Figure 7). The outcome can be seen as the FTP Server has crashed (Figure 8). The Analysis Phase In this section we’ll review on the procedure of an-alyzing the log data. The normal flow of the fuzzer is to connect to the target FTP Server, get the 220 Hello Message and then, send the “A”s junk data in different amounts (1 “A” = 1 Byte) each time fol-lowed by the “FEAT” command, while the expected response is RECV: 500 (Table 1). In order to understand what actually happened in the memory process, we can look at the diagram on the next page (Table 2). Next we can observe that after 330 bytes of junk data sent the FTP fuzzer was not able to receive 520 bytes of junk data and disconnected. This indicates that if we send junk data of a size between 330 and 520 bytes, the FTP server will crash (Table 3). Now, that we know the amount of junk bytes to send to overwrite EIP register we’ll try to find the exact amount of data that will overwrite EIP register. The Following Table Describes What Actually Happened in the Process Memory (Table 4). After examining the FTP Fuzzer log we can return to Immunity Debugger and see what happened to the process during the fuzzing test (Figure 9). In the Immunity Debugger main window we can see that our x41 (“A”s) floods the memory stack until the EIP register and modified the address so it’s x41x41x41x41 (“AAAA”) as can be seen in the “Registers window” – this helped us find the “JMP” but leads to an access violation as we can see in the Immunity Debugger status bar. Table 2. #ZUFTPGKVOLEBUB Table 3. The crash of ftp server [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 330 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 520 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 700 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 1400 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). 54 02/2013
EXTRA To summarize our actions, we’ve found a stack-based buffer overflow in the FTP Server. In order to better understand the procedure we need to modify the exact register (4 bytes EIP in that case) with JMP value so we are able to hit an accessible register. In the upcoming articles we’ll learn how to write our first exploit test script that will help us to control the data we send to the target. ERAN GOLDSTEIN Eran Goldstein is the founder of Frogteam|Security, a cyber securi-ty vendor company in USA and Israel. He is also the creator and developer of “Total Cyber Security – TCS” product line. Eran Goldstein is a senior cyber security expert and a software devel-oper with over 10 years of experience. He specializes at penetration testing, reverse engineering, code reviews and application vulnerability assessments. Eran has a vast experience in leading and tutoring courses in appli-cation security, software analysis and secure develop-ment as EC-Council Instructor (C|EI). For more informa-tion about Eran and his company you may go to: http:// www.frogteam-security.com. Table 4.#ZUFTPGKVOLEBUB Figure 9. Examine the Buffer Overflow Immunity Debugger www.hakin9.org/en 55
Ad

Recommended

Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
Eran Goldstein
 
Hacking ingress
Hacking ingressHacking ingress
Hacking ingress
Eran Goldstein
 
Anti Debugging
Anti DebuggingAnti Debugging
Anti Debugging
n|u - The Open Security Community
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzing
PacSecJP
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
Joxean Koret
 
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploits
D4rk357 a
 
Secure Ftp Java Style Rev004
Secure Ftp Java Style Rev004Secure Ftp Java Style Rev004
Secure Ftp Java Style Rev004
Rich Helton
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av software
Thomas Pollet
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
Rich Helton
 
Bypassing anti virus scanners
Bypassing anti virus scannersBypassing anti virus scanners
Bypassing anti virus scanners
martacax
 
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Infinum
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010
Rich Helton
 
Analysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSAnalysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMS
PVS-Studio
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
Tetsuyuki Kobayashi
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7
Nutan Kumar Panda
 
Debugging over tcp and http
Debugging over tcp and httpDebugging over tcp and http
Debugging over tcp and http
Kaniska Mandal
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
Anup Singh
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
Rouven Weßling
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
Martin Hron
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
Steve Loughran
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
Bala Subra
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
Ishan Girdhar
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
Nutan Kumar Panda
 
Slmail Buffer Overflow
Slmail Buffer OverflowSlmail Buffer Overflow
Slmail Buffer Overflow
Eric alleshouse
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflow
Eric alleshouse
 
Ss debuggers
Ss debuggersSs debuggers
Ss debuggers
sweety enit
 
Introduction to system programming
Introduction to system programmingIntroduction to system programming
Introduction to system programming
sonalikharade3
 
Ad

More Related Content

What's hot (20)

C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
Rich Helton
 
Bypassing anti virus scanners
Bypassing anti virus scannersBypassing anti virus scanners
Bypassing anti virus scanners
martacax
 
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Infinum
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010
Rich Helton
 
Analysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSAnalysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMS
PVS-Studio
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
Tetsuyuki Kobayashi
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7
Nutan Kumar Panda
 
Debugging over tcp and http
Debugging over tcp and httpDebugging over tcp and http
Debugging over tcp and http
Kaniska Mandal
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
Anup Singh
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
Rouven Weßling
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
Martin Hron
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
Steve Loughran
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
Bala Subra
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
Ishan Girdhar
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
Nutan Kumar Panda
 
Slmail Buffer Overflow
Slmail Buffer OverflowSlmail Buffer Overflow
Slmail Buffer Overflow
Eric alleshouse
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflow
Eric alleshouse
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
Rich Helton
 
Bypassing anti virus scanners
Bypassing anti virus scannersBypassing anti virus scanners
Bypassing anti virus scanners
martacax
 
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Infinum
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010
Rich Helton
 
Analysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSAnalysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMS
PVS-Studio
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
Tetsuyuki Kobayashi
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7
Nutan Kumar Panda
 
Debugging over tcp and http
Debugging over tcp and httpDebugging over tcp and http
Debugging over tcp and http
Kaniska Mandal
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
JongWon Kim
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!
Rodolpho Concurde
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
Anup Singh
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
Rouven Weßling
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
Martin Hron
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
Steve Loughran
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
Bala Subra
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
Ishan Girdhar
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
Nutan Kumar Panda
 
Slmail Buffer Overflow
Slmail Buffer OverflowSlmail Buffer Overflow
Slmail Buffer Overflow
Eric alleshouse
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflow
Eric alleshouse
 

Similar to Reverse engineering – debugging fundamentals (20)

Ss debuggers
Ss debuggersSs debuggers
Ss debuggers
sweety enit
 
Introduction to system programming
Introduction to system programmingIntroduction to system programming
Introduction to system programming
sonalikharade3
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
n|u - The Open Security Community
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
PVS-Studio
 
IDAPRO
IDAPROIDAPRO
IDAPRO
Matt Vieyra
 
computing networks and operating system
computing networks and operating system computing networks and operating system
computing networks and operating system
porfinencuentrounodisponible
 
Presentation1
Presentation1Presentation1
Presentation1
porfinencuentrounodisponible
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
Aditya K Sood
 
CSO Laboratory Manual
CSO Laboratory ManualCSO Laboratory Manual
CSO Laboratory Manual
Dwight Sabio
 
Embedded systems designUNIT 4 PART 2.pdf
Embedded systems designUNIT 4 PART 2.pdfEmbedded systems designUNIT 4 PART 2.pdf
Embedded systems designUNIT 4 PART 2.pdf
vmspraneeth
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
IRJET Journal
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
IOSR Journals
 
Fuzz
FuzzFuzz
Fuzz
Sunny Summer
 
Programming C ppt for learning foundations
Programming C ppt for learning foundationsProgramming C ppt for learning foundations
Programming C ppt for learning foundations
ssuser65733f
 
Parallel port programming
Parallel port programmingParallel port programming
Parallel port programming
mangal das
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
Mohmad Feroz
 
Debuggers in system software
Debuggers in system softwareDebuggers in system software
Debuggers in system software
gayathri ravi
 
E.s unit 6
E.s unit 6E.s unit 6
E.s unit 6
Sneha Chopra
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterSquashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Avi Sharma
 
Ss debuggers
Ss debuggersSs debuggers
Ss debuggers
sweety enit
 
Introduction to system programming
Introduction to system programmingIntroduction to system programming
Introduction to system programming
sonalikharade3
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
n|u - The Open Security Community
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
PVS-Studio
 
IDAPRO
IDAPROIDAPRO
IDAPRO
Matt Vieyra
 
computing networks and operating system
computing networks and operating system computing networks and operating system
computing networks and operating system
porfinencuentrounodisponible
 
Presentation1
Presentation1Presentation1
Presentation1
porfinencuentrounodisponible
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
Aditya K Sood
 
CSO Laboratory Manual
CSO Laboratory ManualCSO Laboratory Manual
CSO Laboratory Manual
Dwight Sabio
 
Embedded systems designUNIT 4 PART 2.pdf
Embedded systems designUNIT 4 PART 2.pdfEmbedded systems designUNIT 4 PART 2.pdf
Embedded systems designUNIT 4 PART 2.pdf
vmspraneeth
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
IRJET Journal
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
IOSR Journals
 
Fuzz
FuzzFuzz
Fuzz
Sunny Summer
 
Programming C ppt for learning foundations
Programming C ppt for learning foundationsProgramming C ppt for learning foundations
Programming C ppt for learning foundations
ssuser65733f
 
Parallel port programming
Parallel port programmingParallel port programming
Parallel port programming
mangal das
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
Mohmad Feroz
 
Debuggers in system software
Debuggers in system softwareDebuggers in system software
Debuggers in system software
gayathri ravi
 
E.s unit 6
E.s unit 6E.s unit 6
E.s unit 6
Sneha Chopra
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterSquashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Avi Sharma
 
Ad

Recently uploaded (20)

Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Ad

Reverse engineering – debugging fundamentals

  • 1. Reverse Engineering – Debugging Fundamentals The debugger concept and purpose is to test and troubleshoot another written program. Whether the debugger is a simple script, tool or a more complex computer program the idea is to utilize it in order see and verify the functionality of the “target” program / application in such a form that one can see and understand via the debugger what is happening while the “target” program / application runs and especially when it stops. The “target” program’s / application’s code that is examined (by the debugger) might al-ternatively be running on an Instruction Set Simulator (ISS). The ISS is a certain form of tech-nique that gives the ability to halt when specific conditions are encountered but which will typically be somewhat slower than executing the code di-rectly on the appropriate (or the same) processor. When the “target” program / application reach-es a running condition or when the program can-not normally continue due to a programming bug (what is commonly known as a “crash”) the debug-ger typically shows the location in the original code whether it is a source-level debugger (which gives the line or expression within the source code that resulted from the debugger’s actions.) or symbolic debugger (which displays procedure and variable names that are stored in the debugger). The Various Debuggers There are many debuggers available for the pur-pose in question, among the more common names are; WinDbg, Valgrind, LLDB Debugger, GNU De-bugger (GDB), Immunity Debugger, OllyDbg and many more. As the list is quite long and this ar-ticle’s purpose is to focus on the fundamentals of the debugger concept we’ll put an emphasis on three debugger types this time: The immunity De-bugger, WinDbg and OllyDbg. The first is the Immunity Debugger. This debug-ger has both interfaces types; the GUI and a com-mand line. The command line can be seen at all times on the bottom of the GUI. The Immunity De-bugger can write exploits, analyze malware, and reverse engineer binary files. The base platform of this tool is a solid user interface with graphing function and a fine analysis tool built especially for heap creation. This debugger has a well-support-ed Python API on top of its other features. The second debugger we’ll review is the WinDbg – this is a multipurpose tool for Microsoft’s Win-dows operation system. The WinDbg can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. The third and last debugger tool we’ll review is the OllyDbg. This is an x86 debugger who can trace reg-isters, recognizes procedures, API calls, switches, tables, constants and strings, as well as locate rou-tines from object files and libraries. The main focus for this debugger is the binary code analysis which is useful when the source code is unavailable. Launching the environment Pre-Requisites • Microsoft windows XP/Vista/7 machine. • Immunity Debugger – http://debugger.immuni-tyinc. com/ 50 02/2013
  • 2. EXTRA • Vulnerable FTP Server – http://frogteam.go-zure. com/FTP-Server.zip • FTP Fuzzer – http://frogteam.gozure.com/ Infigo.zip In this section we’ll show the basic actions re-quired to work with the debugger. Prior to starting this section please note that you’ll need to estab-lish the environment based on the pre-requisites listed above. Once you’ve completed the relevant actions you should have a windows machine with all the files from the links above, and you have in-stalled the Immunity Debugger which we will be used during this section. Once the machine is up and running, you may launch the Immunity Debugger. Immunity Debugger is a debugger with function-ality designed specifically for the security industry. Once the Immunity Debugger is up and running as can be seen in the image below we can start our FTP Server and then attach the Immunity De-bugger to the FTP Server process (Figure 1). In order to attach the Immunity Debugger to the FTP Server process we’ll need to perform the fol-lowing actions: • On Windows machine, extract the ‘FTP-Server. zip’ compressed file you’ve downloaded. • Double-click on ‘FTPServer.exe’ to start the FTP Server. • Return to the Immunity Debugger and click on File -> Attach (or Ctrl+F1) • On the Process list, select the “FTPServer” (TCP: 21) and click on the Attach button. When you attach the debugger to a running pro-cess it will pause. In the Immunity Debugger up-per bar, you can resume the process by click the “Play” button or create a new thread by choos-ing the “Restart” button and then the “Play” button (Figure 2 and Figure 3). In order to connect and authenticate the FTP Server simply flow up on the standard procedure and type the relevant username and password (e.g. user credentials). One should assume that these variables need to be passed from the client to the server and there-fore, the program needs to store them somehow Figure 1. Immunity Debugger Started Figure 2. Attaching the “FTPServer” Process Figure 3. New thread Created and FTPServer is Ready for Connections Figure 4. Connect and Authenticate to the FTP Server www.hakin9.org/en 51
  • 3. in memory. For our analysis we need to ask our-selves the following questions: • What kind of information it should contain (user info, program info, etc...)? • Which type of data they are able to accept (In-teger, String, etc...)? • How many characters should there be (there is a chance for Buffer-Overflow)? • Are there any characters that the variables should ignore (Bad-Characters)? In order to find these answers, we need to find a vulnerable FTP function or command- this can be done automatically or manually. For an easy start (which will save time) it is sometimes recom-mended to use automated tools. Once a “buffer-overflow” vulnerability exists, we have to find the amount of “junk data” that, when sent to the appli-cation, will overwrite the register. Stack-based buffer overflows techniques Users may exploit stack-based buffer overflows to manipulate the program to their advantage in one of the following ways: • By overwriting a local variable which is near the memory‘s buffer on the stack to change the behavior of the program which may benefit the attacker. • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as it was specified by the at-tacker. Usually a user’s input fills the buffer. • By overwriting a function pointer, or exception handler, which is subsequently executed. With a method called trampolining, if the address the user-supplied is listed as data unknown and the location will still be stored in a register, then the return address can be overwritten with the ad-dress of an opcode (operation code, a part of a language instruction that specifies the operation which will be performed) – this will cause the exe-cution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause ex-ecution of user supplied data. The locations of suit-able opcodes, or bytes in memory, can be found in DLLs or the executable itself. Please note that the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. Security Fuzzer Another important term is the fuzzer. Security Fuzzer is a tool used by security professionals and profes-sional hackers to test a parameter of an application. Typical fuzzers test an application for buffer over-flows, format string vulnerabilities, and error handling. Both fuzzer and debugger work together to de-tect security problems on a system, and it’s soft-ware. The fuzzer provides invalid, unexpected, or random data to the inputs of the target program and then monitors for exceptions such as failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test and exploit development tools. More advanced fuzzers incorporate function-alities to test for directory traversal attacks, com- Figure 5.*OñHP'514USFTT'V[[FSW Figure 6. FTPStress Fuzzer Detected the Vulnerable Commands 52 02/2013
  • 4. EXTRA mand execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Infigo FTPStress Fuzzer is a specific fuzzer for finding vulnerabilities in FTP server products. Al-though it is a simple tool, it has proved its efficiency by the number of vulnerabilities discovered in dif-ferent FTP server software tested with this tool. The parameters which are used for the fuzzing process are configurable. User can precisely de-fine which FTP commands will be fuzzed along with the size and type of the fuzzing data. On the windows machine from before we’ll acti-vate the “Infigo FTPStress Fuzzer” and try to crash the FTP server: • Extract the ‘Infigo.zip’ compressed file you’ve downloaded. • Double-click on the ‘ftpfuzz.exe’ file. You can try to crash the FTP Server from any oth-er external machine and to perform this step us-ing instance of ftpfuzz.exe running on deferent computer (Figure 5). Once The Fuzzer is up we’ll need to find the commands that are supported by the FTP server: • Enter the IP Address of the computer Host on which the FTP server is running (e.g. 127.0.0.1). • Next, click on Discover button. FTP Fuzzer detected the FTP commands sup-ported by FTP server. See example in Figure 6. Next we need to examine the behavior of these commands while sending “junk data”, Therefore we will configure the amount of “junk data” we want to send to the FTP server: • Click on Config button • On the configuration window, go to Fuzzing da-ta tab and click Deselect All • Check the “A” letter and then click on OK. Figure 7. FTPStress Fuzzer Configuration Window Figure 8. The Outcome Can Be Seen as the FTP Server Has Crashed Table 1.YQFDUFE3FTQPOTFJTi3$7u Total FTP commands: 2 FTP commands to fuzz: 2 Number of Fuzz tests: 26 [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 30 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 70 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood www.hakin9.org/en 53
  • 5. Assuming your Infigo Fuzzer looks like the im-age below, the fuzzing process can start. Click on Start button (Figure 7). The outcome can be seen as the FTP Server has crashed (Figure 8). The Analysis Phase In this section we’ll review on the procedure of an-alyzing the log data. The normal flow of the fuzzer is to connect to the target FTP Server, get the 220 Hello Message and then, send the “A”s junk data in different amounts (1 “A” = 1 Byte) each time fol-lowed by the “FEAT” command, while the expected response is RECV: 500 (Table 1). In order to understand what actually happened in the memory process, we can look at the diagram on the next page (Table 2). Next we can observe that after 330 bytes of junk data sent the FTP fuzzer was not able to receive 520 bytes of junk data and disconnected. This indicates that if we send junk data of a size between 330 and 520 bytes, the FTP server will crash (Table 3). Now, that we know the amount of junk bytes to send to overwrite EIP register we’ll try to find the exact amount of data that will overwrite EIP register. The Following Table Describes What Actually Happened in the Process Memory (Table 4). After examining the FTP Fuzzer log we can return to Immunity Debugger and see what happened to the process during the fuzzing test (Figure 9). In the Immunity Debugger main window we can see that our x41 (“A”s) floods the memory stack until the EIP register and modified the address so it’s x41x41x41x41 (“AAAA”) as can be seen in the “Registers window” – this helped us find the “JMP” but leads to an access violation as we can see in the Immunity Debugger status bar. Table 2. #ZUFTPGKVOLEBUB Table 3. The crash of ftp server [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 330 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 520 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 700 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 1400 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). 54 02/2013
  • 6. EXTRA To summarize our actions, we’ve found a stack-based buffer overflow in the FTP Server. In order to better understand the procedure we need to modify the exact register (4 bytes EIP in that case) with JMP value so we are able to hit an accessible register. In the upcoming articles we’ll learn how to write our first exploit test script that will help us to control the data we send to the target. ERAN GOLDSTEIN Eran Goldstein is the founder of Frogteam|Security, a cyber securi-ty vendor company in USA and Israel. He is also the creator and developer of “Total Cyber Security – TCS” product line. Eran Goldstein is a senior cyber security expert and a software devel-oper with over 10 years of experience. He specializes at penetration testing, reverse engineering, code reviews and application vulnerability assessments. Eran has a vast experience in leading and tutoring courses in appli-cation security, software analysis and secure develop-ment as EC-Council Instructor (C|EI). For more informa-tion about Eran and his company you may go to: http:// www.frogteam-security.com. Table 4.#ZUFTPGKVOLEBUB Figure 9. Examine the Buffer Overflow Immunity Debugger www.hakin9.org/en 55