Bug Hunter Diary

Recommendations

Info

7A <strong>Bug</strong> Older Than 4.4BSDSaturday, March 3, 2007Dear <strong>Diary</strong>,Last week my Apple MacBook finally arrived. After getting acquaintedwith the Mac OS X platform, I decided to take a closer look at theXNU kernel of OS X. After a few hours of digging through the kernelcode, I found a nice bug that occurs when the kernel tries to handlea special TTY IOCTL. The bug was easy to trigger, and I wrote a POCcode that allows an unprivileged local user to crash the system via kernelpanic. As usual, I then tried to develop an exploit to see if the bugallows arbitrary code execution. At this point, things got a bit morecomplicated. To develop the exploit code, I needed a way to debugthe OS X kernel. That’s not a problem if you own two Macs, but Ionly had one: my brand-new MacBook.
Page 6 and 7:
A Bug Hunter’s Diary. Copyright
Page 10 and 11:
Chapter 3: Escape from the WWW Zone
Page 12 and 13:
B.2 The Windows Debugger (WinDbg) .
Page 15 and 16:
IntroductionWelcome to A Bug Hunter
Page 17 and 18:
1Bug HuntingBug hunting is the proc
Page 19 and 20:
After I’ve found a bug, I want to
Page 21 and 22:
Table 1-1: Debuggers Used in This B
Page 23:
2Back to the ’90sSunday, October
Page 26 and 27:
16361637 /* clear the SEQ table */1
Page 28 and 29:
If a TiVo file is loaded by VLC, th
Page 30 and 31:
Get the →vulnerableWindows versio
Page 32 and 33:
EIP = 41414141 . . . Mission EIP co
Page 34 and 35:
NoteTo configure Process Explorer t
Page 36 and 37:
See the following excerpt from the
Page 38 and 39:
3. Immunity Debugger is a great Win
Page 40 and 41:
NoteInput/output controls (IOCTLs)
Page 42 and 43:
msgbb_datapdatabb_rptrdb_basedatabu
Page 44 and 45:
8180 /*8181 * Null terminate the st
Page 46 and 47:
26736 /*26737 * SIOC[GS]TUNPARAM ap
Page 48 and 49:
19165 * are also rejected as they i
Page 50 and 51:
01 #include 02 #include 03 #include
Page 52 and 53:
fffffe8000f7e4b0 unix:die+da ()ffff
Page 54 and 55:
zero pagenot mappedzero pageis mapp
Page 56 and 57:
gaining full control over EIP/RIP a
Page 58 and 59:
112 return 1;113 }114115 printf ("O
Page 60 and 61:
solaris$ isainfo -b64I then compile
Page 62 and 63:
ip_output+0x10()ip_wput+0x37()putne
Page 64 and 65:
Notes1. The source code of OpenSola
Page 66 and 67:
4.1 Vulnerability DiscoveryTo find
Page 68 and 69:
167 if (current_track + 1 > fourxm-
Page 71 and 72:
Step 1: Find a Sample 4X Movie File
Page 73 and 74:
Next, I modified the values of trac
Page 75 and 76: Table 4-2: List of the Assembler In
Page 77 and 78: 63 #elif defined (HAVE_MEMALIGN)64
Page 79 and 80: linux$ gdb -q ./ffmpeg_g(gdb) run -
Page 81 and 82: (UINT_MAX / sizeof(AudioTrack) - 1)
Page 83 and 84: 7ebe000-b7ec0000 r--p 0015c000 08:0
Page 85 and 86: 5Browse and You’re OwnedSunday, A
Page 87 and 88: {SWI.ClassId_q.ClassId clsid = new
Page 89 and 90: 27 except KeyboardInterrupt:28 prin
Page 91 and 92: Figure 5-4: Defining a breakpoint a
Page 93 and 94: Figure 5-7: User-controlled argumen
Page 95 and 96: Next, I tried to retrieve the size
Page 97 and 98: 05 06 arg = String(232, "A") + Stri
Page 99: iDefense VCPnotifiedVulnerability d
Page 102 and 103: 6.1 Vulnerability DiscoveryI used t
Page 104 and 105: Step 3: Check the Device Security S
Page 106 and 107: Below, the elements of the MajorFun
Page 108 and 109: At address .text:00010748, a pointe
Page 110 and 111: [..][..]//// Current stack location
Page 112 and 113: The transfer type is specified usin
Page 114 and 115: If the requested IOCTL code matches
Page 116 and 117: Figure 6-5: Graph view of the vulne
Page 118 and 119: .text:00010DBA push 1 ; _DWORD.text
Page 120 and 121: 99 // .text:00010DEF cmp dword ptr
Page 122 and 123: nt!RtlpBreakWithStatusInstruction:8
Page 124 and 125: After I gained control over EIP, I
Page 128 and 129: 7.1 Vulnerability DiscoveryFirst I
Page 130 and 131: DESCRIPTIONThe ioctl() function man
Page 132 and 133: 30 caddr_t data = "\xff\xff\xff\xff
Page 134 and 135: 01 #include 0203 int04 main (void)0
Page 136 and 137: I then started the Mac OS X target
Page 138 and 139: The OS X system froze immediately,
Page 140 and 141: If 0x10203040 pointed to the value
Page 142 and 143: adjusted the MEMLOC defined in line
Page 144 and 145: 7.4 Lessons LearnedAs a programmer:
Page 147 and 148: 8The Ringtone MassacreSaturday, Mar
Page 149 and 150: 08 int09 main (int argc, char *argv
Page 151 and 152: 22 let "off+=1"23 let "cnt+=1"24 do
Page 153 and 154: 22 do23 if [ $i -eq 10 ];24 then25
Page 155 and 156: iphone# uname -aDarwin localhost 9.
Page 157 and 158: (gdb) info registers r0 r1 r2r0 0x6
Page 159 and 160: I printed the current call stack:(g
Page 161 and 162: sl 0xf40100 15991040fp 0x80808005 -
Page 163 and 164: AHints for HuntingThis appendix des
Page 165 and 166: the buffer, the SFP, the RET, and a
Page 167 and 168: This was only a short introduction
Page 169 and 170: [..]char cbuf[] = "AAAA";signed int
Page 171 and 172: unsigned intsigned int00 00 00 0000
Page 173 and 174: the stack, and execution is redirec
Page 175: linux$ objdump -R gotWe have achiev
Page 178 and 179:
General CommandsCommand::run argume
Page 180 and 181:
General CommandsCommandgDescription
Page 182 and 183:
Figure B-1: Output to named pipeFig
Page 184 and 185:
Figure B-4: New boot menu optionSte
Page 186 and 187:
BreakpointsCommandbreak functionbr
Page 188 and 189:
Step 2: Get the Necessary Software
Page 190 and 191:
78 //typedef union {79 // char __mb
Page 193 and 194:
CMitigationThis appendix contains i
Page 195 and 196:
Detecting Exploit Mitigation Techni
Page 197 and 198:
To check the system-wide configurat
Page 199 and 200:
I then tried to overwrite the GOT a
Page 201 and 202:
confined to the restricted set of a
Page 203 and 204:
solaris# mkdir /export/homesolaris#
Page 205 and 206:
IndexNumbers4.4BSD, 1304X movie fil
Page 207 and 208:
input/output controls (IOCTL),26, 8
Page 209 and 210:
UpdatesVisit http://nostarch.com/bu
Page 212:
“Give a man an exploit and you ma
show all

Bug Hunter Diary

Create successful ePaper yourself

Delete template?

Save as template?