📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Target Specific - General: MS07-051

Topic created on: September 12, 2007 13:34 CDT by rman.

I'll preface this by saying that I'm somewhat competent in reading assembly and putting together higher-level logic from instructions and such, but my "practical" side of things is in its infancy.

Looking at MS07-051, it seems the only DLL changed was agentdpv.dll.  Bindiffing it (rocking tool, Sabre, so nice) shows no changed functions between 2.0.0.3426 and 2.0.0.3425, and with that I'm just a little stumped as to what to do next.  That is, what to do next in the way of static analysis; I guess a debugger is an option, but I'm not sure if it's the best one.

Wondering if I could get some pointers on which direction to go from some of you more experienced guys who were able to blow through this with little problem.

Thanks,

  LordSephiroth     September 12, 2007 16:14.05 CDT
There is a fairly decent analysis of this vulnerability at the lssec website. Take a look at:
http://www.lssec.com/advisories/LS-20061102.pdf

EDIT:

I think you are confusing MS07-52 with MS07-51.

The MS07-52 vulnerability is in Crystal Reports, while MS07-51 is in MS Agent in Win2k. According to the Microsoft advisory, the following files were changed in MS07-52:

Crqe.dll
Crpe32.dll
Crdesigner.dll
Craxddrt20.dll

I can't help you though :( I don't have a spare copy of Win2k anywhere

  rman     September 12, 2007 16:25.50 CDT
Doh, I did put the wrong one... 07-051 was the one I meant.  Will edit that now if it will let me.

  nicoP     September 13, 2007 07:50.20 CDT
A diff between both versions gives me:

0 ?GetStreamFromUrlCacheEntry@CAgentFileProvider@@A ?GetStreamFromUrlCacheEntry@CAgentFileProvider@@A 74C47616 74C47616 -
0 ?IsAnimationLocal@CAgentFileProvider@@AAEHPAG@Z   ?IsAnimationLocal@CAgentFileProvider@@AAEHPAG@Z   74C47290 74C47292 -
0 ?GetWaveFilename@CAgentFileProvider@@UAGJPAG0K@Z  ?GetWaveFilename@CAgentFileProvider@@UAGJPAG0K@Z  74C463A0 74C463A0 -

And each time the size given to the function pfnInternetCanonicalizeUrl has changed from 0x1000 to 0x800. Now I'll let you find out why this fixes a stack overflow :-)

  rman     September 13, 2007 15:00.53 CDT
Interesting. I worked with some settings and changed a few things around in BinDiff (v1) and I'm still not having it show up in the changed area; it shows up as matched.

No   74c47616   sub_74C47616          74c47616   sub_74C47616        


Curious what you have your BinDiff settings at?  Mine are everything except "Initial fixedpoint via address" and my Euclidean distance is at 6.

Also, did you change the names of those functions?  I think I have the correct symbol file downloaded and I'm not seeing it, but maybe it's time to look at that again. I'm getting all the imports like CreateFileA, GetCurrentDirectoryW, etc., but no exports except standard DLL stuff.

I have got to be missing something big and simple here...
Thanks for any advice.


And on that topic, has anyone got a link to a good walkthrough of best-of-breed tools and such for specifically looking at MS patches?

  nicoP     September 13, 2007 22:11.17 CDT
I don't know BinDiff, but I'm pretty sure it should have caught those changes. Are you sure you are not diffing against the same version?


For the Windows 2000 symbols you just need to do File -> Load file -> PDB and IDA (5.1) will retrieve the symbols automatically.

  jms     September 14, 2007 00:47.12 CDT
I know that Halvar had done a few talks on RE'ing MS patches, you might want to ping him for the slides.

  LordSephiroth     September 14, 2007 09:38.10 CDT
I'm no expert, but I'm getting the same results, nicoP. I tried fiddling with the Euc. distance and had no luck; however, I did manually select the functions and do a visual diff, and BinDiff recognized the changes and showed the difference. It just didn't show the functions as changed.

Any ideas?

  nicoP     September 14, 2007 11:59.17 CDT
Then you should contact the SABRE team directly.

  rman     September 14, 2007 12:00.57 CDT
Exactly what I've got.

Anyways, I figured out the symbol stuff: despite having all the Win2k/SP4/whatever else symbols, I had to run symchk directly against the DLLs and then all was good.

I guess maybe BinDiff isn't seeing the 1000h to 800h change as all that significant, but it definitely makes a world of difference.

LordSephiroth, can you confirm that we're diffing the same files?

aa098785bdd9769a7506fea936c39a79 *agentdpv.dll version 2.0.0.3425

1673840a5fdd52db9a60d8b61aab0fce *agentdpv.dll version 2.0.0.3426

  LordSephiroth     September 14, 2007 12:28.34 CDT
Pre-Patch:
File: agentdpv.dll
Size: 53008
MD5:  AA098785BDD9769A7506FEA936C39A79

Patch:
File: agentdpv.dll
Size: 53008
MD5:  1673840A5FDD52DB9A60D8B61AAB0FCE

  RolfRolles     September 15, 2007 22:40.25 CDT
Try eEye's Binary Diffing Studio when BinDiff fails you; it's free, it works pretty well when you have symbols (at that point, the function-matching question is trivial), it has a decent visualizer, and it ought to catch this.

BTW, always use PDBs when diffing patches.  Alex from Determina coded a nice PDB plugin, and servil recently released another nice one with some advanced features.

  LordSephiroth     September 17, 2007 11:07.06 CDT
That is interesting. nicoP, what did you use to get a diff?

  nicoP     September 18, 2007 03:05.45 CDT
I coded my own diffing plugin 3 years ago. But basically the problem is the same: I don't catch a difference in a constant either. But in this case it seems the new constant (sizeof()/2 ?) forced the compiler to change the code a little.
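Added illustration, not code from this thread and not from MS Agent: nicoP's two posts (the size passed to pfnInternetCanonicalizeUrl going from 0x1000 to 0x800, and the "sizeof()/2" remark) are consistent with a caller handing a wide-character API its buffer size in bytes where the API expects a count of characters. The program below models that contract with a hypothetical stand-in (model_canonicalize) for an API whose length argument counts characters, and shows with a guarded heap block why the byte-sized argument lets the callee write past a 0x800-character buffer while the element-count argument makes it fail safely. WCHAR_T, URL_BUF_CHARS, the guard region and the function names are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 16-bit character type standing in for the Windows WCHAR (assumption). */
typedef uint16_t WCHAR_T;

#define URL_BUF_CHARS 0x800   /* 2048 characters, so sizeof(buf) == 0x1000 bytes */
#define GUARD_CHARS   0x400   /* canary region placed right after the buffer */
#define GUARD_VALUE   0xDEAD

/* The two call-site constants seen in the thread, derived the way a caller
 * would derive them: sizeof() of the buffer in bytes (the pre-patch 0x1000)
 * versus the element count (the post-patch 0x800). */
size_t pre_patch_size_arg(void)
{
    return sizeof(WCHAR_T[URL_BUF_CHARS]);                     /* 0x1000 bytes */
}

size_t post_patch_size_arg(void)
{
    return sizeof(WCHAR_T[URL_BUF_CHARS]) / sizeof(WCHAR_T);   /* 0x800 chars */
}

/* Hypothetical model of an API with InternetCanonicalizeUrlW's contract: the
 * length parameter is a count of characters. The callee copies the result only
 * if it fits within *cap_chars (terminator included); otherwise it writes
 * nothing, stores the required size and returns 0, as the real API does with
 * ERROR_INSUFFICIENT_BUFFER. It has no way to learn the buffer's true size. */
static int model_canonicalize(const WCHAR_T *src, size_t src_chars,
                              WCHAR_T *dst, size_t *cap_chars)
{
    if (src_chars + 1 > *cap_chars) {
        *cap_chars = src_chars + 1;
        return 0;
    }
    memcpy(dst, src, src_chars * sizeof(WCHAR_T));
    dst[src_chars] = 0;
    *cap_chars = src_chars;
    return 1;
}

/* Calls the model with a URL_BUF_CHARS buffer followed by a guard region and
 * an input of url_chars characters; returns 1 if the guard was clobbered
 * (the callee wrote past the real buffer), 0 if not, -1 on setup failure.
 * Buffer and guard share one heap block so the overrun stays inside memory
 * this program owns. */
int guard_clobbered(size_t size_arg_chars, size_t url_chars)
{
    size_t i, cap = size_arg_chars, block_chars = URL_BUF_CHARS + GUARD_CHARS;
    int clobbered = 0;
    WCHAR_T *block, *url;

    if (url_chars + 1 > block_chars) return -1;   /* would escape the block */
    block = calloc(block_chars, sizeof(WCHAR_T));
    url = malloc((url_chars + 1) * sizeof(WCHAR_T));
    if (!block || !url) { free(block); free(url); return -1; }

    for (i = 0; i < GUARD_CHARS; i++) block[URL_BUF_CHARS + i] = GUARD_VALUE;
    for (i = 0; i < url_chars; i++) url[i] = (WCHAR_T)'a';

    model_canonicalize(url, url_chars, block, &cap);

    for (i = 0; i < GUARD_CHARS; i++)
        if (block[URL_BUF_CHARS + i] != GUARD_VALUE) clobbered = 1;

    free(block);
    free(url);
    return clobbered;
}

int main(void)
{
    printf("pre-patch size arg : 0x%zx\n", pre_patch_size_arg());
    printf("post-patch size arg: 0x%zx\n", post_patch_size_arg());
    printf("0x900-char URL, told 0x1000 chars: guard clobbered = %d\n",
           guard_clobbered(pre_patch_size_arg(), 0x900));
    printf("0x900-char URL, told 0x800 chars : guard clobbered = %d\n",
           guard_clobbered(post_patch_size_arg(), 0x900));
    return 0;
}
```

The point for a reviewer: the callee behaves correctly in both runs; only the caller's claim about its own buffer changes, which is why the fix is a one-constant change that a structure-based matcher can rate as "matched".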

  b0ne     September 20, 2007 21:09.57 CDT
You have to keep in mind how BinDiff matches; it is a little "fuzzy" when it matches subroutines.

Try outputting ASM files for both DLLs and comparing them using a regular code differ.  You'll probably have a lot better luck.
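Added example, not from the thread or from any of the tools named in it, of why b0ne's suggestion works where the fuzzy matcher did not. The two listing fragments are constructed for illustration (addresses and operands are not from agentdpv.dll); they share an identical mnemonic sequence and differ in a single immediate, the situation nicoP and rman describe. same_mnemonic_sequence shows the coarse view on which such a pair looks "matched"; report_changed_lines is what a plain text diff of the address-stripped listings reports. Function names and the normalization rules are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 128

/* Constructed listing fragments for illustration (not taken from agentdpv.dll):
 * the same instruction sequence, with one immediate changed. */
static const char *const LISTING_OLD[] = {
    "00401000  mov     dword ptr [ebp-4], 1000h",
    "00401007  lea     eax, [ebp-4]",
    "0040100A  push    eax",
    "0040100B  lea     eax, [ebp-1004h]",
    "00401011  push    eax",
    "00401012  call    ds:pfnInternetCanonicalizeUrl",
};
static const char *const LISTING_NEW[] = {
    "00401000  mov     dword ptr [ebp-4], 800h",
    "00401007  lea     eax, [ebp-4]",
    "0040100A  push    eax",
    "0040100B  lea     eax, [ebp-1004h]",
    "00401011  push    eax",
    "00401012  call    ds:pfnInternetCanonicalizeUrl",
};
#define LINES(a) (sizeof(a) / sizeof((a)[0]))

/* Drop the leading address token, collapse whitespace and lowercase the rest,
 * so two listings differ only where the instruction text differs. */
static void normalize(const char *line, char *out, size_t outsz)
{
    size_t n = 0;
    int prev_space = 0;
    while (*line && !isspace((unsigned char)*line)) line++;   /* skip address */
    for (; *line && n + 1 < outsz; line++) {
        unsigned char c = (unsigned char)*line;
        if (isspace(c)) {
            if (n > 0 && !prev_space) out[n++] = ' ';
            prev_space = 1;
        } else {
            out[n++] = (char)tolower(c);
            prev_space = 0;
        }
    }
    while (n > 0 && out[n - 1] == ' ') n--;
    out[n] = '\0';
}

/* Mnemonic only: the coarse view a fuzzy structural matcher is content with. */
static void mnemonic_only(const char *normalized, char *out, size_t outsz)
{
    size_t n = 0;
    while (normalized[n] && normalized[n] != ' ' && n + 1 < outsz) {
        out[n] = normalized[n];
        n++;
    }
    out[n] = '\0';
}

int normalized_equals(const char *line, const char *expected)
{
    char buf[MAX_LINE];
    normalize(line, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* 1 when both listings carry the same mnemonic sequence: roughly the signal
 * on which a fuzzy matcher reports two functions as "matched". */
int same_mnemonic_sequence(const char *const a[], size_t na,
                           const char *const b[], size_t nb)
{
    char xa[MAX_LINE], xb[MAX_LINE], ma[MAX_LINE], mb[MAX_LINE];
    size_t i;
    if (na != nb) return 0;
    for (i = 0; i < na; i++) {
        normalize(a[i], xa, sizeof xa);
        normalize(b[i], xb, sizeof xb);
        mnemonic_only(xa, ma, sizeof ma);
        mnemonic_only(xb, mb, sizeof mb);
        if (strcmp(ma, mb) != 0) return 0;
    }
    return 1;
}

/* Number of lines a plain text diff of the normalized listings flags, operands
 * included; unmatched trailing lines count as changes too. Prints each one. */
size_t report_changed_lines(const char *const a[], size_t na,
                            const char *const b[], size_t nb)
{
    char xa[MAX_LINE], xb[MAX_LINE];
    size_t i, common = na < nb ? na : nb, changed = 0;
    for (i = 0; i < common; i++) {
        normalize(a[i], xa, sizeof xa);
        normalize(b[i], xb, sizeof xb);
        if (strcmp(xa, xb) != 0) {
            printf("line %zu differs:\n  - %s\n  + %s\n", i, xa, xb);
            changed++;
        }
    }
    return changed + (na > nb ? na - nb : nb - na);
}

int main(void)
{
    size_t no = LINES(LISTING_OLD), nn = LINES(LISTING_NEW);
    printf("mnemonic sequence identical (fuzzy 'matched'): %d\n",
           same_mnemonic_sequence(LISTING_OLD, no, LISTING_NEW, nn));
    printf("lines a text diff flags: %zu\n",
           report_changed_lines(LISTING_OLD, no, LISTING_NEW, nn));
    return 0;
}
```

Stripping the address column matters because a patch that inserts or removes even one byte shifts every later address, which would otherwise make an ordinary differ report the whole function as changed.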
