Bug Hunter Diary

Recommendations

Info

08 p[0] = 0x41414141;09 printf (“RELRO: %p\n”, p);1011 return 0;12 }Listing C-1: Example code used to demonstrate RELRO (testcase.c)I compiled the program with Partial RELRO support:linux$ gcc -g -Wl,-z,relro -o testcase testcase.cI then checked the resulting binary with my checksec.sh script: 11linux$ ./checksec.sh --file testcaseRELRO STACK CANARY NX PIE FILEPartial RELRO No canary found NX enabled No PIE testcaseNext I used objdump to gather the GOT address of the printf()library function used in line 9 of Listing C-1 and then tried to overwritethat GOT entry:linux$ objdump -R ./testcase | grep printf0804a00c R_386_JUMP_SLOT printflinux$ gdb -q ./testcaseI started the test program in gdb in order to see exactly what washappening:(gdb) run 0804a00cStarting program: /home/tk/BHD/testcase 0804a00cProgram received signal SIGSEGV, Segmentation fault.0x41414141 in ?? ()(gdb) info registers eipeip 0x41414141 0x41414141Result: If only Partial RELRO is used to protect an ELF binary, itis still possible to modify arbitrary GOT entries to gain control of theexecution flow of a process.Test Case 2: Full RELROThis time, I compiled the test program with Full RELRO support:linux$ gcc -g -Wl,-z,relro,-z,now -o testcase testcase.clinux$ ./checksec.sh --file testcaseRELRO STACK CANARY NX PIE FILEFull RELRO No canary found NX enabled No PIE testcase184 Appendix C
I then tried to overwrite the GOT address of printf() again:linux$ objdump -R ./testcase | grep printf08049ff8 R_386_JUMP_SLOT printflinux$ gdb -q ./testcase(gdb) run 08049ff8Starting program: /home/tk/BHD/testcase 08049ff8Program received signal SIGSEGV, Segmentation fault.0x08048445 in main (argc=2, argv=0xbffff814) at testcase.c:88 p[0] = 0x41414141;This time, the execution flow was interrupted by a SIGSEGV signalat source code line 8. Let’s see why:(gdb) set disassembly-flavor intel(gdb) x/1i $eip0x8048445 : mov DWORD PTR [eax],0x41414141(gdb) info registers eaxeax 0x8049ff8 134520824As expected, the program tried to write the value 0x41414141 at thegiven memory address 0x8049ff8.(gdb) shell cat /proc/$(pidof testcase)/maps08048000-08049000 r-xp 00000000 08:01 497907 /home/tk/testcase08049000-0804a000 r--p 00000000 08:01 497907 /home/tk/testcase0804a000-0804b000 rw-p 00001000 08:01 497907 /home/tk/testcaseb7e8a000-b7e8b000 rw-p 00000000 00:00 0b7e8b000-b7fcb000 r-xp 00000000 08:01 181222 /lib/i686/cmov/libc-2.11.2.sob7fcb000-b7fcd000 r--p 0013f000 08:01 181222 /lib/i686/cmov/libc-2.11.2.sob7fcd000-b7fce000 rw-p 00141000 08:01 181222 /lib/i686/cmov/libc-2.11.2.sob7fce000-b7fd1000 rw-p 00000000 00:00 0b7fe0000-b7fe2000 rw-p 00000000 00:00 0b7fe2000-b7fe3000 r-xp 00000000 00:00 0[vdso]b7fe3000-b7ffe000 r-xp 00000000 08:01 171385 /lib/ld-2.11.2.sob7ffe000-b7fff000 r--p 0001a000 08:01 171385 /lib/ld-2.11.2.sob7fff000-b8000000 rw-p 0001b000 08:01 171385 /lib/ld-2.11.2.sobffeb000-c0000000 rw-p 00000000 00:00 0[stack]The memory map of the process shows that the memory range08049000-0804a000, which includes the GOT, was successfully set toread-only (r--p).Result: If Full RELRO is enabled, the attempt to overwrite aGOT address leads to an error because the GOT section is mappedread-only.Mitigation 185
Page 6 and 7:
A Bug Hunter’s Diary. Copyright
Page 10 and 11:
Chapter 3: Escape from the WWW Zone
Page 12 and 13:
B.2 The Windows Debugger (WinDbg) .
Page 15 and 16:
IntroductionWelcome to A Bug Hunter
Page 17 and 18:
1Bug HuntingBug hunting is the proc
Page 19 and 20:
After I’ve found a bug, I want to
Page 21 and 22:
Table 1-1: Debuggers Used in This B
Page 23:
2Back to the ’90sSunday, October
Page 26 and 27:
16361637 /* clear the SEQ table */1
Page 28 and 29:
If a TiVo file is loaded by VLC, th
Page 30 and 31:
Get the →vulnerableWindows versio
Page 32 and 33:
EIP = 41414141 . . . Mission EIP co
Page 34 and 35:
NoteTo configure Process Explorer t
Page 36 and 37:
See the following excerpt from the
Page 38 and 39:
3. Immunity Debugger is a great Win
Page 40 and 41:
NoteInput/output controls (IOCTLs)
Page 42 and 43:
msgbb_datapdatabb_rptrdb_basedatabu
Page 44 and 45:
8180 /*8181 * Null terminate the st
Page 46 and 47:
26736 /*26737 * SIOC[GS]TUNPARAM ap
Page 48 and 49:
19165 * are also rejected as they i
Page 50 and 51:
01 #include 02 #include 03 #include
Page 52 and 53:
fffffe8000f7e4b0 unix:die+da ()ffff
Page 54 and 55:
zero pagenot mappedzero pageis mapp
Page 56 and 57:
gaining full control over EIP/RIP a
Page 58 and 59:
112 return 1;113 }114115 printf ("O
Page 60 and 61:
solaris$ isainfo -b64I then compile
Page 62 and 63:
ip_output+0x10()ip_wput+0x37()putne
Page 64 and 65:
Notes1. The source code of OpenSola
Page 66 and 67:
4.1 Vulnerability DiscoveryTo find
Page 68 and 69:
167 if (current_track + 1 > fourxm-
Page 71 and 72:
Step 1: Find a Sample 4X Movie File
Page 73 and 74:
Next, I modified the values of trac
Page 75 and 76:
Table 4-2: List of the Assembler In
Page 77 and 78:
63 #elif defined (HAVE_MEMALIGN)64
Page 79 and 80:
linux$ gdb -q ./ffmpeg_g(gdb) run -
Page 81 and 82:
(UINT_MAX / sizeof(AudioTrack) - 1)
Page 83 and 84:
7ebe000-b7ec0000 r--p 0015c000 08:0
Page 85 and 86:
5Browse and You’re OwnedSunday, A
Page 87 and 88:
{SWI.ClassId_q.ClassId clsid = new
Page 89 and 90:
27 except KeyboardInterrupt:28 prin
Page 91 and 92:
Figure 5-4: Defining a breakpoint a
Page 93 and 94:
Figure 5-7: User-controlled argumen
Page 95 and 96:
Next, I tried to retrieve the size
Page 97 and 98:
05 06 arg = String(232, "A") + Stri
Page 99:
iDefense VCPnotifiedVulnerability d
Page 102 and 103:
6.1 Vulnerability DiscoveryI used t
Page 104 and 105:
Step 3: Check the Device Security S
Page 106 and 107:
Below, the elements of the MajorFun
Page 108 and 109:
At address .text:00010748, a pointe
Page 110 and 111:
[..][..]//// Current stack location
Page 112 and 113:
The transfer type is specified usin
Page 114 and 115:
If the requested IOCTL code matches
Page 116 and 117:
Figure 6-5: Graph view of the vulne
Page 118 and 119:
.text:00010DBA push 1 ; _DWORD.text
Page 120 and 121:
99 // .text:00010DEF cmp dword ptr
Page 122 and 123:
nt!RtlpBreakWithStatusInstruction:8
Page 124 and 125:
After I gained control over EIP, I
Page 127 and 128:
7A Bug Older Than 4.4BSDSaturday, M
Page 129 and 130:
Here are some examples:Source code
Page 131 and 132:
1094 return (ENXIO);1095 if (t != t
Page 133 and 134:
4. The assumed address of l_open()
Page 135 and 136:
osx$ cat /Library/Logs/panic.logSat
Page 137 and 138:
Back on the Linux host, I started t
Page 139 and 140:
0x35574c, the value is used to calc
Page 141 and 142:
48 define search_memloc49 set $max_
Page 143 and 144:
As the debugger output shows, the E
Page 145:
ApplenotifiedApple asks formore det
Page 148 and 149: I performed the following steps whe
Page 150 and 151: I then began fuzzing files of the A
Page 152 and 153: Figure 8-1: Playing the unmodifiedA
Page 154 and 155: • Line 40 copies the current proc
Page 156 and 157: As the debugger output shows, media
Page 158 and 159: The manipulated byte (0xff) that ca
Page 160 and 161: (gdb) x/12x 0x1301bfc0x1301bfc: 0x0
Page 162 and 163: ApplenotifiedApple confirmsthe vuln
Page 164 and 165: Every function of a process that is
Page 166 and 167: eip 0x43434343 0x43434343eflags 0x1
Page 168 and 169: The access violation is caused when
Page 170 and 171: is less than 12. If it is, the stri
Page 172 and 173: The program in Listing A-4 calls th
Page 174 and 175: 0x080483f3 : mov DWORD PTR [esp+0x4
Page 177 and 178: BDebuggingThis appendix contains in
Page 179 and 180: Information CommandsCommandDescript
Page 181 and 182: Information CommandsCommandrkbu add
Page 183 and 184: Figure B-3: Configuration settings
Page 185 and 186: Figure B-6: Attaching the kernel de
Page 187 and 188: Other CommandsCommandset disassembl
Page 189 and 190: linux# pwd/home/tk/gdb-292/srclinux
Page 191: Notes1. See the Solaris Modular Deb
Page 194 and 195: The many mitigation techniques coul
Page 196 and 197: Figure C-1: DEP and ASLR status sho
Page 200 and 201: ConclusionIn case of a buffer overf
Page 202 and 203: zonecfg:wwwzone> set autoboot=truez
Page 204 and 205: Notes1. See Rob King, “New Leopar
Page 206 and 207: COMRaider, 72coordinated disclosure
Page 208 and 209: Rreadelf, 161RELRO, 67-69, 183-186r
Page 210: A Bug Hunter’s Diary is set in Ne
show all

Bug Hunter Diary

Create successful ePaper yourself

Delete template?

Save as template?