OpenRCE: Blog

BlackHat Europe

Thu, 27 Mar 2008 15:15:41 -0500

Ero and I finished up our two day Reverse Engineering course yesterday and caught up on some much needed sleep after a few drinks at some local pubs. Got a chance to catch some of the talks today prior to flying out tomorrow morning to Barcelona for the weekend.

FX had a well researched talk on Cisco IOS forensics that I greatly enjoyed. It appears the boys over at SABRE/Recurity have put together a pretty robust Cisco core dump analyzer and to my surprise they have made it available for use free of charge:

http://cir.recurity-labs.com

The other event I really enjoyed today was the
Iron Chef challenge. Apparently they had one of these at the Vegas Black Hat show, I had no idea. Essentially 2 teams are presented with a target and given 45 minutes to audit it. Their results are judged at the end of the 45 minutes by the audience and a winner is chosen. The chosen target was JForum, a web forum written in Java. The audience is allowed to play along; Neither Java nor web apps are my forte but I was playing around on Ero's laptop for a few minutes and found a persistent script injection flaw. Nothing too exciting but the contestants didn't do much better coming up with only a few theoretical possibilities. All in all I really like the idea of this Iron Chef track. They should provide a little more time and do something with binary analysis, that could be fun.

There are some great talks lined up for tomorrow that unfortunately I will be missing. I was especially excited about the DTRACE talk but was unable to change my flight.

PyDbg Hacks

Thu, 23 Aug 2007 00:56:17 -0500

Just added some PyDbg based hacks to the public repository (should show up within an hour max of this post). Here is a description of what was added:

just_in_time_debugger.py
PyDbg implementation of a script that can be set as the Just-In-Time debugger. Logs the crash context to disk. I'll be blogging about / giving out a standalone executable based on this script for those of you who want to e-mail all your crash dumps to ... me ;-)

stack_integrity_monitor.py
Automatically locate the source of a stack overflow. This has already been released, just hasn't been previously part of the repo. For more info see the related blog entry.

pydbgc.py
Cody's PyDbg command line interface library. This is pretty cool, you can import it to drop a user into an interactive PyDbg shell at any point during execution. Gives you WinDbg-esque commands. One of the cooler features of this hack is that it allows you to step backwards, really.

push_pop_unpacker.py
This is a quick and dirty PyDbg implementation of a known generic technique for stopping an unpacker at OEP. This script was written during Ero and I's 2007 Reverse Engineering class at BlackHat. It took like 20 minutes to write, gotta love PyDbg.

null_selector_mem_monitor_poc.py
Pydbg implementation of skape's null selector mem-monitor technique. Read more about it on Uninformed Journal

Get all the new goodies at http://paimei.openrce.org.

iPhone Gripes

Tue, 24 Jul 2007 23:20:43 -0500

Based on Apple's history of releasing crappy first-rev products I was going to wait for the next release prior to purchasing the iPhone. An unfortunate drunken phone accident this weekend however accelerated my purchase plans.

First, I'll say something nice. The visual voicemail feature of the iPhone is very elegant. I deplore voicemail, to the point that anyone who knows me well knows to never leave me one. With the iPhone I actually look forward to voicemail now. You get a list of who called and at what time. You can click to play, fast forward, rewind. It's how voicemail should be. None of the nonsense of "hit 1 to listen to new messages, 3 for the next, 7 to erase....".

Now the ugly. What were the iPhone devs smoking when they made the following oversights:

* No custom ring tone. A $650 device with 8 gigs worth of mp3's and I'm limited to choosing between sounds such as a dog bark and a duck?

* Proprietary headphone jack. Why couldn't they make the jack cross-compatible with standard head phones? Probably because they want to up-sell you on cute, white, headphone adapters.

* No copy and paste. Manually typing in WEP keys sucks. Aside from that I could have maybe lived without copy/paste ... until I discovered the next atrocity.

* NO GROUP OR MULTIUSER TEXT MESSAGING! This is completely unacceptable. Every cell phone on the face of the planet has this capability. I'm especially upset about this because I text like a 16 year old girl. Organizing outings, after parties, etc. without group texting is next to impossible.

* Keyboard doesn't flip sideways. Flipping the phone sideways does not flip the keyboard sidways (unless you are in the browser). Typing on the widescreen keyboard is much easier and should be available for texting and e-mails. Retarded.

How's everyone else doing with theirs?

Greatest Book Dedication Ever?

Fri, 06 Jul 2007 19:18:00 -0500

Not to brag or anything, but who can deny this as the greatest book dedication the world has ever seen:

Fuzzing: Brute Force Vulnerability Discovery - Dedication

If you are interested in buying the book:

Amazon

Pin Pointing Stack Smashes

Tue, 08 May 2007 23:35:21 -0500

This was originally posted over on my company blog site (TippingPoint DVLabs). Since the DVLabs blog is new I'm cross posting here to draw some traffic to it. Tracking down stack overflows is tedious work. Especially when the entire stack is blown away leaving you with crash dumps like the excerpt following this paragraph. This crash dump is from an actual process in case you are curious. Specifically, it is from one of the bugs detailed in TPTI-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities. It's pretty obvious that it's game over for our target here. The important question to answer at this juncture is, where is the bug? There are a number of approaches you can take to manually handle this situation. Please add any creative ones you may have as a comment.



    [INVALID]:41414141 Unable to disassemble at 41414141 from thread 568

    caused access violation when attempting to read from 0x41414141

    

    CONTEXT DUMP

      EIP: 41414141 Unable to disassemble at 41414141

      EAX: 00000001 (         1) - N/A

      EBX: 0259eedc (  39448284) - AAAAAAAAAAAAA.....AAAAAAAAAAAAAAAAAAAAA (stack)

      ECX: 00000000 (         0) - N/A

      EDX: ffffffff (4294967295) - N/A

      EDI: 00000000 (         0) - N/A

      ESI: 0259f102 (  39448834) - AAAAAAAAAAAAA.....AAAAAAAAAAAAAAAAAAAAA (stack)

      EBP: 00000001 (         1) - N/A

      ESP: 0259e2d4 (  39445204) - AAAAAAAAAAAAA.....AAAAAAAAAAAAAAAAAAAAA (stack)

      +00: 41414141 (1094795585) - N/A

      +04: 41414141 (1094795585) - N/A

      +08: 41414141 (1094795585) - N/A

      +0c: 41414141 (1094795585) - N/A

      +10: 41414141 (1094795585) - N/A

      +14: 41414141 (1094795585) - N/A

    

    disasm around:

            0x41414141 Unable to disassemble

In this blog entry, I present stack_integrity_monitor.py. A command line utility implemented in under 150 lines of Python code which provides an automated solution to the task of tracking down the source of a stack overflow. This Python utility leverages PyDbg, a pure-Python win32 debugger interface. PyDbg is part of the larger PaiMei Reverse Engineering Framework. If you've never heard of PaiMei before, follow the link to learn more.

The main reason stack overflows are exploitable is because control information is stored in the same medium as volatile user-controllable data. If we can move or mirror the call-chain "out of band", then we can verify the integrity of the stack at run-time. Skipping over the intricate details, here is the high level overview of how the utility works:

   1. Instantiate a debugger object and attach to the target program.
   2. Set a breakpoint where we want the trace to start, this can be as simple as setting a break on recv().
   3. Once the breakpoint is hit, set the active thread to single step.
   4. When a CALL instruction is reached, copy the stack and return addresses to an internal "mirror" list.
   5. When a RET instruction is reached, walk through the "mirror" list and verify that the values match the actual stack.
   6. When the last saved return address is reached, pop it off the internal "mirror" list.

If during the stack integrity check a mismatch is found, then not only do we know that a stack overflow has occurred, but we know which functions frame the overflow originated in and we can pinpoint the cause of the overflow. Using Trend Micro again as a real-world example, the previously shown (and mostly useless) crash dump turns into the following (very useful) output when launching the target under the peering eyes of stack_integrity_monitor.py:



    0259fc24: TmRpcSrv.dll.65741721

    0259e7b4: StRpcSrv.dll.65671190

    0259e7a8: Eng50.dll.61181d8c

    0259e790: Eng50.dll.611819a0

    0259e564: Eng50.dll.61181a50

    0259e2d0: Eng50.dll.61190fa4 -- 41414141

    0259e03c: Eng50.dll.61190fd2

Examining the vicinity of the last return address in the list, we find:



    61190FC7 lea edx, [esp+288h+szShortPath]

    61190FCB push esi

    61190FCC push edx

    61190FCD call _wcscpy  

    61190FD2 add esp, 8

The wcscpy() is the source of the stack overflow. The origin of the overflowed buffer is obvious in this case, it resides in the current function frame with a size of 600 bytes. Had the overflow occurred in a buffer originating further up the call chain the stack_integrity_monitor would have told us. In this case we see the stack mismatch occurred at stack address 0x0259e2d0 which should contain the return address 0x61190fa4 but instead contains 0x41414141. Had even a single byte of the return address been overwritten, stack_integrity_monitor would have detected it.

This handy command line utility has been checked into the PaiMei SVN repository and will be distributed with future releases of the reverse engineering framework. Future improvements may include speed boosts and perhaps additionally mirroring saved frame pointers. This quick hack was written in less than 2 hours and motivated from necessity, on a day where I happened to need to track down a dozen or so stack overflows. Give it a try, let me know what you think.