Reversing For Vulnerabilities - PowerPoint PPT Presentation

About This Presentation
Title:

Reversing For Vulnerabilities

Description:

Define Buffer Overflows. Discuss Bad calls and their ... Buffer Overflows ... Unchecked user input buffer = Glass too full. What to Look for ... – PowerPoint PPT presentation

Slides: 25
Provided by: emh8

Transcript and Presenter's Notes

Title: Reversing For Vulnerabilities


1
Reversing For Vulnerabilities
  • Eric Hulse
  • Phn1x
  • San Antonio Hackers
  • Oct 2008

2
Bout me
  • Penetration Testing
  • Vulnerability Assessments
  • Reverse Engineering
  • Personal Finance
  • Hamsterswheel.com
  • Zerodaysolutions.com
  • Twentiesmoneymag.com
  • Hulsesecurityconsulting.com

3
Objectives
  • Define Buffer Overflows
  • Discuss bad calls and their arguments on the stack
  • Discuss IDA Pro and means to discover bad calls

4
Buffer Overflows
  • In a nutshell
  • Happens when a process attempts to store data beyond the boundaries of a fixed-length buffer.
  • Unchecked user input buffer = glass too full

5
What to Look for
  • Function's stack size
  • Identified by the function prologue
  • Look for places where the pointer to that stack space is used
  • Usually with a LEA instruction (LEA EBP 0x200)

6
Vulnerable Shizzle
  • Functions to Watch For
  • Argument Layouts

7
Functions To Watch For
  • API functions to watch
  • strcpy, strncpy, strcat, strncat, printf, sprintf, snprintf
  • scanf, sscanf, fscanf, gets, fgets, getc, fgetc
  • memchr, memrchr
  • Places to watch
  • recv/WSARecv-type functions

8
Dynamic Analysis
  • Dynamic analysis means running the program and strategically setting breakpoints.
  • Watching registers
  • Watching the stack/heap

9
strcpy/strncpy/strcat/strncat
  • strcpy: compare the length of the source to the destination - the dest pointer can be found at (ESP+0x4), the source pointer at (ESP+0x8)
  • strncpy: compare the length of the copy (size_t) to the destination
  • dest pointer can be found at (ESP+0x4)?
  • size_t can be found at (ESP+0xc)?

10
Printf/sprintf/snprintf
  • Check the stack for the format string
  • ESP+0x8

11
scanf/fscanf/sscanf
  • Format strings?
  • scanf's format string is located at ESP+0x4
  • sscanf's and fscanf's are at ESP+0x8

12
gets/fgets
  • ...

13
getc/fgetc
  • Check the size of the loop around getc
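As an added worked example (not from the presentation), this is the source-level form of the checks slides 9 and 13 tell you to look for: a strcpy guarded by a source-versus-destination length comparison, a strncpy whose size_t argument is tied to the destination size and whose result is always NUL-terminated, and a getc loop bounded by the buffer size. The 16-byte buffer, the 32-byte input and the tmpfile() stand-in for a network read are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Slide 9's strcpy check written out: the copy is safe only if the source
 * plus its NUL terminator fits the destination. Returns 0 on success,
 * -1 when the copy is refused because it would overflow the buffer. */
int checked_copy(char *dest, size_t dest_size, const char *src) {
    size_t len = strlen(src);
    if (dest_size == 0 || len >= dest_size) return -1;
    memcpy(dest, src, len + 1);
    return 0;
}

/* Slide 9's strncpy check: the size_t argument is derived from the
 * destination size, and the result is always NUL-terminated (plain strncpy
 * does not terminate when the source is n bytes or longer).
 * Returns 0 when the whole source was copied, 1 when it was truncated. */
int checked_strncpy(char *dest, size_t dest_size, const char *src) {
    if (dest_size == 0) return -1;
    strncpy(dest, src, dest_size - 1);
    dest[dest_size - 1] = '\0';
    return strlen(src) >= dest_size ? 1 : 0;
}

/* Slide 13's getc loop with an explicit bound: stores at most dest_size-1
 * bytes, stops at newline or EOF, always terminates. Returns bytes stored. */
size_t bounded_getc_line(FILE *fp, char *dest, size_t dest_size) {
    size_t n = 0;
    int c;
    if (dest_size == 0) return 0;
    while (n + 1 < dest_size && (c = getc(fp)) != EOF && c != '\n')
        dest[n++] = (char)c;
    dest[n] = '\0';
    return n;
}

int main(void) { /* stand-alone demo on constructed input */
    char buf[16]; /* the fixed-length "glass" of slide 4 */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
    printf("checked_copy refused: %d\n", checked_copy(buf, sizeof buf, oversized));
    printf("checked_strncpy truncated: %d -> \"%s\"\n", checked_strncpy(buf, sizeof buf, oversized), buf);
    FILE *fp = tmpfile(); /* constructed input; stands in for a socket read */
    if (fp == NULL) return 1;
    fputs(oversized, fp);
    rewind(fp);
    printf("bounded_getc_line stored %zu bytes\n", bounded_getc_line(fp, buf, sizeof buf));
    fclose(fp);
    return 0;
}
```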

14
memchr/memrchr
  • Check the size_t argument against the length of the string, as with memcpy

15
Static Analysis
  • More Difficult Than Dynamic Analysis

16
Static Analysis with IDA Pro
  • New Book On IDA by Chris Eagle
  • Many scattered tutorials
  • Nuances
  • Static analysis helps you fuzz better!

17
Finding Functions
  • Use the Functions tab
  • Hot key Shift-F3
  • Sort alphabetically, go to the function of interest
  • Press Enter
  • Double Click

18
Functions Cont
19
Xrefs
  • Load Xrefs via Ctrl-X
  • View > Open subviews > Cross references
  • Xrefs allow us to see all cross references to a given function.
  • Definitely pay attention to bad calls near RECV/WSARecv-type functions

20
Xrefs Cont
21
Graphing
  • Display Flow Chart of Functions
  • Xrefs to Functions
  • Xrefs From Function
  • Display graph of function calls (don't recommend)

22
Graphing Cont: Function Flow
  • Analysis of function flow allows us to
  • Build a better fuzzer
  • Trigger overflow
  • Target functions/data

23
Graphing Cont
24
Stack Data In IDA