Buffer Overflow Analysis Lesson No. 07: ms06-040 Vulnerability Research-static analysis

Preface

In my previous course, I discussed the vulnerability analysis and utilization in the W32dasm software, because the people who use the software are small groups, so the vulnerability is relatively small. But if the vulnerability appears in Windows systems, then the situation is very different. After all, Windows has ruled more than 90% of the world's computer operating systems, so if there is a loophole in the system, and this vulnerability is exploited by those with ulterior motives, then there will inevitably be hundreds of millions of victims.

ms06-040 Vulnerability Basic information

The loophole we discussed this time is the ms06-040 (Https://technet.microsoft.com/en-us/library/security/ms06-040.aspx), released by Microsoft on August 8, 2006. At Microsoft's Security Technology Center, you can see a report on this vulnerability, which is defined as a "critical" level:

Figure 1

In fact, the vulnerabilities unveiled by Microsoft's Security Technology Center are the areas of greatest interest to all security workers and hackers. Whenever Microsoft releases a patch that fixes a bug, there are always a lot of attackers who go all night to study what bugs have been patched up and write out exploit programs. Because not all users will be able to fix the patch in just a few minutes, this newly released vulnerability can be useful. For these attackers, although their behavior is disgraceful, but their perseverance to exploit the loopholes, it is admirable. After all, Microsoft's vulnerability announcement, just give a general direction, and the specifics of the vulnerability, such as the vulnerability in which function, how to exploit the vulnerability and so on, is not disclosed at all. This is quite different from the W32dasm bug report we discussed earlier, which is specific to a specific function, so we just have to find out where the function is. And through Microsoft's Vulnerability report, we generally can only know the vulnerability in which a dynamic link library, specifically to what is the dynamic link library which function, we need to find ourselves. Because dynamic-link libraries may contain many export functions, it is often a good chance to locate vulnerabilities in a haystack, which requires a lot of patience and even a luck component.

According to the Microsoft Vulnerability report, we know that the problem is Netapi32.dll this dynamic link library:

Figure 2

There is an export function named Netpwpathcanonicalize () in the dynamic link library:

Figure 3

This function has the flaw of buffer overflow, and it is the object that we focus on.

Why static analysis vulnerabilities occurNow that you know the function of the vulnerability, the next step is to use IDA Pro to analyze the cause of the vulnerability. In fact, there is a function called sub_7517fc68 in the Netpwpathcanonicalize () function, and it is inside this function that the overflow is hidden:

Figure 4

Here is an analysis of the disassembly code for this function:

. text:7517fc68; Attributes:bp-based frame.text:7517fc68;               int __stdcall sub_7517fc68 (wchar_t *source, wchar_t *str, int, int, int). text:7517fc68 sub_7517fc68 proc Near ; CODE xref:netpwpathcanonicalize+74p.text:7517fc68 var_416 = Word ptr-416h.text:7517fc68 Dest = Word p           Tr-414h.text:7517fc68 Source = dword ptr 8.text:7517fc68 Str = dword ptr 0ch.text:7517fc68 arg_8  = dword ptr 10h.text:7517fc68 Arg_c = dword ptr 14h.text:7517fc68 arg_10 = dword ptr 18h;                  There are five parameters and two local variables in this function. text:7517fc68 push ebp.text:7517fc69 mov ebp, esp.text:7517fc6b Sub ESP, 414h; Creates a 0x414 byte-sized space to hold the generated string. text:7517fc71 push ebx.text:7517fc72 Push ESI.TEXT:7517FC7 3 xor esi, ESI.TEXT:7517FC75 push edi.text:7517fc76 CMP [EBP+SO Urce], ESI; Verify that the parameter source is 0.text:7517fc79                 mov edi, ds:__imp_wcslen.text:7517fc7f mov ebx, 411h; In this function, the value of EBX is constant, 0x411, to check for cross-border. text:7517fc84 JZ short loc_7517fced; Based on the above Source and 0 comparison results to determine whether to jump. Text:7517fc86 push [Ebp+source]; Str.text:7517fc89 call EDI; __imp_wcslen; Calculate the length of the parameter source, note that this is the length in Unicode form. text:7517fc8b mov esi, eax; ESI holds the length of the Unicode form of the parameter source. text:7517fc8d Pop ecx.text:7517fc8e test esi, Esi.text : 7517FC90 JZ short loc_7517fcf4; Verify that the length of the parameter source is 0.text:7517fc92 cmp esi, ebx; Verify that the length of the parameter source is greater than 0x411.text:7517fc94 ja loc_7517fd3e; If it is greater than, exit the program. TEXT:7517FC9A push [Ebp+source]; source.text:7517fc9d Lea EAX, [EBP+DEST].TEXT:7517FCA3 push eax;  DEST.TEXT:7517FCA4 Call  ds:__imp_wcscpy; Copies the parameter source string to the newly allocated space. It is important to note that this opens up a space of 0x414 bytes; But the code above detects a wide character, and the 0x411 of a wide character is equivalent to the space of 0x822 bytes. It seems that it is possible; Exploit, but before this function is called, the program has used the Netpwpathtype () function to detect the parameter; Number the length of the source so that it cannot exceed 0x206 bytes, so this is not exploited as a vulnerability: TEXT:7517FCAA mov ax, [ebp+esi*2+var_416]; Remove the character and check if it is a slash. TEXT:7517FCB2 pop ecx.text:7517fcb3 cmp ax, 5Ch; 0X5C represents "\". Text:7517fcb7 pop ecx.text:7517fcb8 JZ short LOC_7517FCD5.TEXT:7517FC BA CMP ax, 2Fh; 0X2F represents "/". TEXT:7517FCBE JZ Short loc_7517fcd5.text:7517fcc0 lea eax, [Ebp+dest] . TEXT:7517FCC6 push offset asc_751717b8; "\ \". TEXT:7517FCCB push eax; DEST.TEXT:7517FCCC call Ds:__imp_wcscat; Joins a slash with a string. TEXT:7517FCD2 pop ECX.TEXT:7517FCD3 Inc ESI                     ;                           Due to the addition of slashes, the length of the string increases 1.TEXT:7517FCD4 pop ECX.TEXT:7517FCD5.TEXT:7517FCD5 LOC_7517FCD5: ; CODE XREF:SUB_7517FC68+50J.TEXT:7517FCD5; SUB_7517FC68+56J.TEXT:7517FCD5 mov eax, [EBP+STR].TEXT:7517FCD8 mov ax, [eax].text : 7517FCDB cmp ax, 5Ch;         0X5C represents "\". TEXT:7517FCDF JZ Short Loc_7517fce7.text:7517fce1 cmp ax, 2Fh ;                           0X2F represents "/". Text:7517fce5 jnz short Loc_7517fcf4.text:7517fce7.text:7517fce7 loc_7517fce7: ;  CODE xref:sub_7517fc68+77j.text:7517fce7 Add [ebp+str], 2.TEXT:7517FCEB jmp short loc_7517fcf4.text:7517fced; ------------------------------------------------------------. text:7517fced loc_7517fced:;             CODE xref:sub_7517fc68+1cj.text:7517fced    mov [ebp+dest], si.text:7517fcf4.text:7517fcf4 LOC_7517FCF4:; CODE XREF:SUB_7517FC68+28J.TEXT:7517FCF4; Sub_7517fc68+7dj. TEXT:7517FCF4 push [EBP+STR]; STR.TEXT:7517FCF7 call EDI; __imp_wcslen; Calculate the length of the parameter str, note that this is the length in Unicode form. Text:7517fcf9 add eax, esi; This is calculated by adding a slash to the sum of the length of the parameter source and STR, which is stored in the eax. TEXT:7517FCFB Pop ECX.TEXT:7517FCFC cmp E AX, Ebx.text:7517fcfe ja short loc_7517fd3e; After the concatenated string length is checked, the previous analysis can know that only the parameter source is not able to rely on; Implement the exploit of the vulnerability because its length is limited to 0x206 bytes, but the program does not have a parameter to STR; The length is sufficiently qualified to exploit this by exploiting the vulnerability. TEXT:7517FD00 push [EBP+STR]; SOURCE.TEXT:7517FD03 Lea EAX, [ebp+dest].text:7517fd09 push eax; dest.text:7517fd0a call Ds:__imp_wcscat; A string connection that connects the parameter str to the buffer, which is the function that caused the buffer overflow. Text: 7517fd10 pop ecx.text:7517fd11 lea eax, [ebp+dest].text:7517fd17                 Pop ecx.text:7517fd18 push EAX.TEXT:7517FD19 call sub_7518ae95.text:7517fd1e Lea EAX, [ebp+dest].text:7517fd24 push eax;                 STR.TEXT:7517FD25 Call sub_7518aeb3.text:7517fd2a test eax, EAX.TEXT:7517FD2C JNZ short loc_7517fd43.text:7517fd2e lea eax, [Ebp+dest].text:7517fd34 p                  Ush eax.text:7517fd35 call sub_7518afe2.text:7517fd3a test eax, eax.text:7517fd3c JNZ short loc_7517fd43.text:7517fd3e.text:7517fd3e loc_7517fd3e:; CODE xref:sub_7517fc68+2cj.text:7517fd3e; sub_7517fc68+96j.text:7517fd3e Push 7BH.TEXT:7517FD40 Pop eaX.TEXT:7517FD41 jmp short loc_7517fd7a.text:7517fd43; ------------------------------------------------------------. text:7517fd43 loc_7517fd43:; CODE xref:sub_7517fc68+c4j.text:7517fd43;             SUB_7517FC68+D4J.TEXT:7517FD43 Lea EAX, [ebp+dest].text:7517fd49 push EAX ; STR.TEXT:7517FD4A call EDI; __IMP_WCSLEN.TEXT:7517FD4C Lea EAX, [EAX+EAX+2].TEXT:7517FD50 pop Ecx.text:7517fd5                 1 cmp eax, [ebp+arg_c].text:7517fd54 jbe short loc_7517fd66.text:7517fd56 mov ecx, [ebp+arg_10].text:7517fd59 test ecx, ecx.text:7517fd5b JZ Sho                           RT LOC_7517FD5F.TEXT:7517FD5D mov [ECX], eax.text:7517fd5f.text:7517fd5f loc_7517fd5f: ;       CODE xref:sub_7517fc68+f3j.text:7517fd5f          mov eax, 84bh.text:7517fd64 jmp short loc_7517fd7a.text:7517fd66; ------------------------------------------------------------. Text:7517fd66 Loc_7517fd66:; CODE Xref:sub_7517fc68+ecj.text:7517fd66 Lea EAX, [ebp+dest].text:7517fd6c push EA x; SOURCE.TEXT:7517FD6D push [ebp+arg_8];                 DEST.TEXT:7517FD70 Call ds:__imp_wcscpy.text:7517fd76 Pop ecx.text:7517fd77                           xor eax, eax.text:7517fd79 pop ecx.text:7517fd7a.text:7517fd7a loc_7517fd7a: ; CODE xref:sub_7517fc68+d9j.text:7517fd7a;                 sub_7517fc68+fcj.text:7517fd7a pop edi.text:7517fd7b Pop esi.text:7517fd7c Pop ebx.text:7517fd7d leave.text:7517fd7e retn 14h.text:7517fd7e suB_7517fc68 endp.text:7517fd7e 

As mentioned above, the program's length of the string is limited to Unicode 0x411 characters, that is, 0x822 bytes, and the program only allocates 0x414 bytes of space, so there is a buffer overflow hidden danger.

for function sub_7517fc68, it has two parameters that require special attention, one is source and the other is str. Since the former has been limited to the length, at most only 0x206 bytes, so we can only take the latter to fuss. So what is the pattern of these two parameters in the Netpwpathcanonicalize () function? The analysis shows that the STR parameter is the first parameter of the Netpwpathcanonicalize () function, and the source is the fourth parameter:

Figure 5

That is, we can construct a program, let it load Netapi32.dll this dynamic link library, and call the Netpwpathcanonicalize () function in it, carefully construct the function of the first and fourth parameters of the content, then you can implement the exploit.

function netpwpathcanonicalize () description

In fact, after the above analysis, we can know the approximate function of the netpwpathcanonicalize () function. In fact, about this function, Microsoft did not give us any introduction, now for the function of the explanation, are predecessors through similar to our above-mentioned reverse analysis and summed up. Thus, reverse engineering is indeed one of the most challenging tasks in the field of computing.

The function netpwpathcanonicalize () is used to format the network path string, which is defined as follows:

void Netpwpathcanonicalize (_in_       DWORD Str,                  //+8h_out_      DWORD lpwidecharstr,        //+0ch_in_       DWORD Arg_8,                //+10h_in_       DWORD Source,               //+14h_in_out_  DWORD arg_10,                //+18h_in_       DWORD arg_14                //+1ch);

Parameter description:

STR: A pointer to a Unicode string that is used to generate the second part of the path string.

LPWIDECHARSTR: Pointer to buffer to receive the formatted string.

Arg_8: Indicates the size of the LPWIDECHARSTR

Source: A pointer to a Unicode string that is used to generate the first part of a path string.

ARG_10: Pointer to long.

ARG_14: Flag bit, usually 0.

function is the function of the source refers to the string, plus ' \ ', plus str refers to the string, placed in the LPWIDECHARSTR buffer. That

Source+ ' \ ' + Str = lpwidecharstr[arg_8]

SummaryAfter a series of analyses, we have figured out the cause of the vulnerability and how to use it. So for the actual use of this loophole, I will be in the next tutorial, combined with dynamic debugging, programming implementation.

Buffer Overflow Analysis Lesson No. 07: ms06-040 Vulnerability Research-static analysis