Reverse Engineering for Exploit Writers
Nibin Varghese, iViZ Security, Kolkata

Agenda
- Exploitation Overview
- Reverse Engineering Tools
- Case Study: MS08-067
Exploitation Overview
- Software vulnerabilities exist
- Reliable exploitation techniques exist: stack overflow, heap overflow
- Exploit mitigation
  - Prevent or impede a class of vulnerabilities
  - Patch the vulnerability
  - Disable the service
  - Generic mitigations

Reverse Engineering Tools
- IDA Pro
- BinDiff plugin for IDA
- OllyDbg, Immunity Debugger or WinDbg
- Debugging symbols
- Sysinternals tool suite
- Any scripting language to write a PoC (Python, Ruby etc.)
MS08-067: Windows Server Service Vulnerability
- Out-of-band release
- Details: "Error in netapi32.dll when processing directory traversal character sequence in path names. This can be exploited to corrupt stack memory by, for example, sending RPC requests containing specially crafted path names to the Server service component." (secunia.com)
Structure of the x86 Stack Frame
- Stack grows towards lower addresses
- Frame layout, from lower to higher addresses: Local Variables | Saved EBP | Saved IP | Arguments

Classical Overflow
- Return address overwritten with the address of the shellcode
- Frame layout, from lower to higher addresses: Local Variables | Saved EBP | Saved IP | Arguments

Reverse Engineering the Patch
- Demo

The Bug
- Decompiled by Alexander Sotirov
- Visual demo of the bug
The Bug (contd.)
Figure: walking the buffer \\computername\\..\\..\\AAAAAAAAAAAAAAAAAAAAAAAAA with the pointers ptr_path, ptr_previous_slash and ptr_current_slash (lower address on the left, higher address on the right).
1. ptr_path points to the beginning of the buffer.
2. Parses to find the current slash and the previous slash "\\".
3. Finds "..", so the current slash pointer moves forward.
4. Data from the current slash pointer is copied to ptr_path (the buffer now reads \\..\\AAAAAAAAAAAAAAAAAAAAAAAAA).
5. If the pointer is at the beginning of the buffer, a pointer moves backward to find the previous slash "\\".
   5a. Results in an access violation if no "\\" is found.
   5b. Copies to the new destination if a "\\" is found.

Figure: stack layout while Netapi32!NetpwPathCanonicalize calls vulnerable_function(wchar *path), which calls wcscpy(dst, src). Labels on the figure: path; Saved EBP and Return Address of vulnerable_function; Saved EBP and Return Address of wcscpy; the buffer as it is rewritten from \\c\\..\\.. to \\..\\AAAAAAAAAAA, with ptr_path, ptr1, ptr2 and (ptr1 - 1) marking the slash pointers; the AAAA... data followed by Shell Code. The same five steps as above are annotated on the figure.
The Bug (contd.)
- Not a classical buffer overflow
- The destination buffer is large enough to copy the contents from the source
- The hunt for "\\" when the pointer already points to the beginning of the buffer is what makes it a BUG
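As an added example (not code from the talk or from netapi32.dll), a narrow-char canonicalizer that collapses "\\.." the way the slides describe NetpwPathCanonicalize doing it, but with the bound the original lacked: the backward search for the previous "\\" stops at the start of the buffer, so a ".." that has nothing before it is reported instead of being resolved against whatever sits below the buffer on the stack. The function and enum names are this example's own, and the real routine works on wide strings.

```c
#include <stdio.h>
#include <string.h>

/* Result codes; the names are this example's own, not netapi32's. */
enum canon_result { CANON_OK = 0, CANON_ESCAPES_ROOT = 1 };

/*
 * Collapse "\\.." components in place, following the walk the slides
 * describe (find "..", find the previous "\\", copy the remainder over
 * it) but with the bound the original lacked: the backward search never
 * runs below the start of `path`. A ".." with no component before it is
 * reported instead of being resolved against memory below the buffer.
 */
enum canon_result canonicalize_path(char *path)
{
    char *p = path;                         /* ptr_path: start of buffer */
    while ((p = strstr(p, "\\..")) != NULL) {
        char *cur = p + 3;                  /* first char after ".." */
        if (*cur != '\\' && *cur != '\0') { /* "\\..name" is an ordinary name */
            p = cur;
            continue;
        }
        if (p == path)                      /* ".." at the buffer start */
            return CANON_ESCAPES_ROOT;
        /* Walk back for the previous "\\", stopping at the buffer start. */
        char *prev = p - 1;
        while (prev > path && *prev != '\\')
            prev--;
        if (*prev != '\\')
            return CANON_ESCAPES_ROOT;
        /* Overwrite "\\component\\.." with the rest of the path; memmove
         * handles the overlap that wcscpy in the original did not. */
        memmove(prev, cur, strlen(cur) + 1);
        p = prev;                           /* rescan from the new slash */
    }
    return CANON_OK;
}

int main(void)
{
    /* Constructed inputs shaped like the ones on the slides. */
    char ok[]  = "\\computername\\..\\dir";
    char bad[] = "\\c\\..\\..\\AAAAAAAA";
    printf("%d -> %s\n", canonicalize_path(ok), ok);   /* 0 -> \dir */
    printf("%d\n", canonicalize_path(bad));            /* 1 */
    return 0;
}
```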
Ready for PoC
- Identify the vector of exploitation; 3 possible ways:
  - wcslen of path
  - Predictable location of "\\" in the stack after repeated interaction
  - Metasploit way of calculating the device_length
Mass Exploitation
- If no NX, return to the stack and execute shellcode
- If NX is enabled, disable DEP/NX by abusing the Win32 API NtSetInformationProcess, then return to the stack and execute shellcode. Refer to the Skape and Skywing paper in Uninformed Journal, "Bypassing Windows Hardware-enforced Data Execution Prevention"
- In Vista, ASLR makes return addresses unpredictable
Thank You
- Thanks to the Research Team @ iViZ Security
- Thanks to the ClubHack 08 organizers
- Thanks to all the attendees

Ready for Phase 2?