Bug Hunter Diary

Recommendations

Info

If a TiVo file is loaded by VLC, the following execution flow istaken (all source code references are from vlc-0.9.4\modules\demux\Ty.cof VLC). The first relevant function that’s called is Demux():[..]386 static int Demux( demux_t *p_demux )387 {388 demux_sys_t *p_sys = p_demux->p_sys;389 ty_rec_hdr_t *p_rec;390 block_t *p_block_in = NULL;391392 /*msg_Dbg(p_demux, "ty demux processing" );*/393394 /* did we hit EOF earlier? */395 if( p_sys->eof )396 return 0;397398 /*399 * what we do (1 record now.. maybe more later):400 * - use stream_Read() to read the chunk header & record headers401 * - discard entire chunk if it is a PART header chunk402 * - parse all the headers into record header array403 * - keep a pointer of which record we're on404 * - use stream_Block() to fetch each record405 * - parse out PTS from PES headers406 * - set PTS for data packets407 * - pass the data on to the proper codec via es_out_Send()408409 * if this is the first time or410 * if we're at the end of this chunk, start a new one411 */412 /* parse the next chunk's record headers */413 if( p_sys->b_first_chunk || p_sys->i_cur_rec >= p_sys->i_num_recs )414 {415 if( get_chunk_header(p_demux) == 0 )[..]After some sanity checks in lines 395 and 413, the functionget_chunk_header() is called in line 415.[..]112 #define TIVO_PES_FILEID ( 0xf5467abd )[..]1839 static int get_chunk_header(demux_t *p_demux)1840 {1841 int i_readSize, i_num_recs;1842 uint8_t *p_hdr_buf;1843 const uint8_t *p_peek;1844 demux_sys_t *p_sys = p_demux->p_sys;1845 int i_payload_size; /* sum of all records' sizes */18461847 msg_Dbg(p_demux, "parsing ty chunk #%d", p_sys->i_cur_chunk );18481849 /* if we have left-over filler space from the last chunk, get that */1850 if (p_sys->i_stuff_cnt > 0) {14 Chapter 2
1851 stream_Read( p_demux->s, NULL, p_sys->i_stuff_cnt);1852 p_sys->i_stuff_cnt = 0;1853 }18541855 /* read the TY packet header */1856 i_readSize = stream_Peek( p_demux->s, &p_peek, 4 );1857 p_sys->i_cur_chunk++;18581859 if ( (i_readSize < 4) || ( U32_AT(&p_peek[ 0 ] ) == 0 ))1860 {1861 /* EOF */1862 p_sys->eof = 1;1863 return 0;1864 }18651866 /* check if it's a PART Header */1867 if( U32_AT( &p_peek[ 0 ] ) == TIVO_PES_FILEID )1868 {1869 /* parse master chunk */1870 parse_master(p_demux);1871 return get_chunk_header(p_demux);1872 }[..]In line 1856 of get_chunk_header(), the user-controlled datafrom the TiVo file is assigned to the pointer p_peek. Then, in line 1867,the process checks whether the file data pointed to by p_peek equalsTIVO_PES_FILEID (which is defined as 0xf5467abd in line 112). If so, thevulnerable function parse_master() gets called (see line 1870).To reach the vulnerable function using this code path, the TiVosample file had to contain the value of TIVO_PES_FILEID. I searched theTiVo sample file for the TIVO_PES_FILEID pattern and found it at fileoffset 0x00300000 (see Figure 2-3).00300000h: F5 46 7A BD 00 00 00 02 00 02 00 00 00 01 F7 04 ; õFz½..........÷.00300010h: 00 00 00 08 00 00 00 02 3B 9A CA 00 00 00 01 48 ; ........;šÊ....HFigure 2-3: TIVO_PES_FILEID pattern in TiVo sample fileBased on the information from the parse_master() function (seethe following source code snippet) the value of i_map_size should befound at offset 20 (0x14) relative to the TIVO_PES_FILEID pattern foundat file offset 0x00300000.[..]1641 stream_Read(p_demux->s, mst_buf, 32);1642 i_map_size = U32_AT(&mst_buf[20]); /* size of bitmask, in bytes */[..]At this point, I had discovered that the TiVo sample file I downloadedalready triggers the vulnerable parse_master() function, so itwouldn’t be necessary to adjust the sample file. Great!Back to the ’90s 15
Page 6 and 7: A Bug Hunter’s Diary. Copyright
Page 10 and 11: Chapter 3: Escape from the WWW Zone
Page 12 and 13: B.2 The Windows Debugger (WinDbg) .
Page 15 and 16: IntroductionWelcome to A Bug Hunter
Page 17 and 18: 1Bug HuntingBug hunting is the proc
Page 19 and 20: After I’ve found a bug, I want to
Page 21 and 22: Table 1-1: Debuggers Used in This B
Page 23: 2Back to the ’90sSunday, October
Page 26 and 27: 16361637 /* clear the SEQ table */1
Page 30 and 31: Get the →vulnerableWindows versio
Page 32 and 33: EIP = 41414141 . . . Mission EIP co
Page 34 and 35: NoteTo configure Process Explorer t
Page 36 and 37: See the following excerpt from the
Page 38 and 39: 3. Immunity Debugger is a great Win
Page 40 and 41: NoteInput/output controls (IOCTLs)
Page 42 and 43: msgbb_datapdatabb_rptrdb_basedatabu
Page 44 and 45: 8180 /*8181 * Null terminate the st
Page 46 and 47: 26736 /*26737 * SIOC[GS]TUNPARAM ap
Page 48 and 49: 19165 * are also rejected as they i
Page 50 and 51: 01 #include 02 #include 03 #include
Page 52 and 53: fffffe8000f7e4b0 unix:die+da ()ffff
Page 54 and 55: zero pagenot mappedzero pageis mapp
Page 56 and 57: gaining full control over EIP/RIP a
Page 58 and 59: 112 return 1;113 }114115 printf ("O
Page 60 and 61: solaris$ isainfo -b64I then compile
Page 62 and 63: ip_output+0x10()ip_wput+0x37()putne
Page 64 and 65: Notes1. The source code of OpenSola
Page 66 and 67: 4.1 Vulnerability DiscoveryTo find
Page 68 and 69: 167 if (current_track + 1 > fourxm-
Page 71 and 72: Step 1: Find a Sample 4X Movie File
Page 73 and 74: Next, I modified the values of trac
Page 75 and 76: Table 4-2: List of the Assembler In
Page 77 and 78: 63 #elif defined (HAVE_MEMALIGN)64
Page 79 and 80:
linux$ gdb -q ./ffmpeg_g(gdb) run -
Page 81 and 82:
(UINT_MAX / sizeof(AudioTrack) - 1)
Page 83 and 84:
7ebe000-b7ec0000 r--p 0015c000 08:0
Page 85 and 86:
5Browse and You’re OwnedSunday, A
Page 87 and 88:
{SWI.ClassId_q.ClassId clsid = new
Page 89 and 90:
27 except KeyboardInterrupt:28 prin
Page 91 and 92:
Figure 5-4: Defining a breakpoint a
Page 93 and 94:
Figure 5-7: User-controlled argumen
Page 95 and 96:
Next, I tried to retrieve the size
Page 97 and 98:
05 06 arg = String(232, "A") + Stri
Page 99:
iDefense VCPnotifiedVulnerability d
Page 102 and 103:
6.1 Vulnerability DiscoveryI used t
Page 104 and 105:
Step 3: Check the Device Security S
Page 106 and 107:
Below, the elements of the MajorFun
Page 108 and 109:
At address .text:00010748, a pointe
Page 110 and 111:
[..][..]//// Current stack location
Page 112 and 113:
The transfer type is specified usin
Page 114 and 115:
If the requested IOCTL code matches
Page 116 and 117:
Figure 6-5: Graph view of the vulne
Page 118 and 119:
.text:00010DBA push 1 ; _DWORD.text
Page 120 and 121:
99 // .text:00010DEF cmp dword ptr
Page 122 and 123:
nt!RtlpBreakWithStatusInstruction:8
Page 124 and 125:
After I gained control over EIP, I
Page 127 and 128:
7A Bug Older Than 4.4BSDSaturday, M
Page 129 and 130:
Here are some examples:Source code
Page 131 and 132:
1094 return (ENXIO);1095 if (t != t
Page 133 and 134:
4. The assumed address of l_open()
Page 135 and 136:
osx$ cat /Library/Logs/panic.logSat
Page 137 and 138:
Back on the Linux host, I started t
Page 139 and 140:
0x35574c, the value is used to calc
Page 141 and 142:
48 define search_memloc49 set $max_
Page 143 and 144:
As the debugger output shows, the E
Page 145:
ApplenotifiedApple asks formore det
Page 148 and 149:
I performed the following steps whe
Page 150 and 151:
I then began fuzzing files of the A
Page 152 and 153:
Figure 8-1: Playing the unmodifiedA
Page 154 and 155:
• Line 40 copies the current proc
Page 156 and 157:
As the debugger output shows, media
Page 158 and 159:
The manipulated byte (0xff) that ca
Page 160 and 161:
(gdb) x/12x 0x1301bfc0x1301bfc: 0x0
Page 162 and 163:
ApplenotifiedApple confirmsthe vuln
Page 164 and 165:
Every function of a process that is
Page 166 and 167:
eip 0x43434343 0x43434343eflags 0x1
Page 168 and 169:
The access violation is caused when
Page 170 and 171:
is less than 12. If it is, the stri
Page 172 and 173:
The program in Listing A-4 calls th
Page 174 and 175:
0x080483f3 : mov DWORD PTR [esp+0x4
Page 177 and 178:
BDebuggingThis appendix contains in
Page 179 and 180:
Information CommandsCommandDescript
Page 181 and 182:
Information CommandsCommandrkbu add
Page 183 and 184:
Figure B-3: Configuration settings
Page 185 and 186:
Figure B-6: Attaching the kernel de
Page 187 and 188:
Other CommandsCommandset disassembl
Page 189 and 190:
linux# pwd/home/tk/gdb-292/srclinux
Page 191:
Notes1. See the Solaris Modular Deb
Page 194 and 195:
The many mitigation techniques coul
Page 196 and 197:
Figure C-1: DEP and ASLR status sho
Page 198 and 199:
08 p[0] = 0x41414141;09 printf (“
Page 200 and 201:
ConclusionIn case of a buffer overf
Page 202 and 203:
zonecfg:wwwzone> set autoboot=truez
Page 204 and 205:
Notes1. See Rob King, “New Leopar
Page 206 and 207:
COMRaider, 72coordinated disclosure
Page 208 and 209:
Rreadelf, 161RELRO, 67-69, 183-186r
Page 210:
A Bug Hunter’s Diary is set in Ne
show all

Bug Hunter Diary

Create successful ePaper yourself

Delete template?

Save as template?