Finding the ShellCode in File-Format Vulnerabilities

Source: Internet
Author: User

I have wanted to finish this article for a long time and was not satisfied with several earlier drafts, so today I am trying again and writing down as much as I know. Learning requires continuous summarizing and accumulating; I am recording this here as a reminder to myself to keep learning.
Contents
0x_1. What is a file vulnerability?
0x_2. Classification of file vulnerabilities
0x_3. How to find the ShellCode of a vulnerability
0x_4. Example
0x_5. Summary
 
0x_1. What is a file vulnerability?
"File vulnerability" is just a colloquial name and is not precise. In general it covers vulnerabilities in Office software, in Adobe Reader and other PDF viewing and processing software, and in the Kingsoft WPS series; these are also the file vulnerabilities most discussed on the Internet. I am not sure whether Flash vulnerabilities belong here, but I personally count vulnerabilities triggered when Media Player and similar players process files such as m3u playlists as file vulnerabilities too, so the more accurate term is file-format vulnerability. The root cause is the same in every case: while parsing a specially constructed sample, the program hits an exception (a memory-corruption bug) that lets the attacker control the program's execution flow and divert it smoothly to the ShellCode placed in the file.
The above is purely my own speculation. If anything is wrong, corrections are welcome; xianguo thanks you in advance.
0x_2. Classification of file Vulnerabilities
Strictly speaking this is not a classification at all. It only groups the situations I have run into while searching for ShellCode in file vulnerabilities; it is very imprecise and for reference only.
0x_2.1 public Vulnerabilities
These are the major vulnerabilities that have already been publicly disclosed. Technical analyses or vulnerability descriptions can be found on the Internet, in English or in Chinese, and the corresponding POC documents are also public. In this case the ShellCode part of the analysis is very simple. Once you have confirmed that the sample you obtained corresponds to a fixed vulnerability number (a CVE number or another identifier), check whether a suitable analysis exists on the Internet. If one does, you can trace and debug the sample step by step following that analysis until you arrive at the ShellCode.
0x_2.2 non-public Vulnerability
If you obtain a sample of this kind, congratulations: you have caught a fresh 0-day. Don't forget to send me a copy. Back to the subject: this category also covers samples where you are not sure which vulnerability is involved. Set up the matching environment in a virtual machine, run the sample, and record what it does. File vulnerabilities are generally bundled with a Trojan, so the sample must create and execute a Trojan at some point; set breakpoints on the corresponding APIs and trace. As long as the ShellCode calls the relevant API, the breakpoint will hit. You can then use WinDbg's call-stack display (the frame whose return address lies outside every loaded module is the one to look at), or step out of the API function currently executing, and the ShellCode is laid bare in front of you. Commonly used API functions include CreateFile, WriteFile, ReadFile, and WinExec.
Many vulnerabilities fall into this category. Once again, this is my own grouping and has no reference value. If you need a proper classification, ask Baidu; if Baidu fails, switch to Google, no explanation needed.
0x_2.3. Office software vulnerabilities
For Office and similar document-processing software, the ShellCode is stored in the document as raw bytes. If you know the document format and the ShellCode format well enough, the ShellCode can be pulled straight out of the document without debugging and tracing the vulnerability, which saves a lot of energy and time. I cannot do that yet; it is my goal. For a newcomer like me, the right path is still to debug and trace the trigger process of the vulnerability carefully and find the ShellCode along the way. I look forward to the experts' guidance, and here I pay my respects to yuan ge.
In addition, exploits use a series of jump addresses that are the same across many system environments, chosen to make the exploit portable. For example, the universal jmp esp address on Chinese Windows systems (excluding Win7) is 0x7ffa4512. Since the address is stored little-endian, it appears in the sample document as the byte sequence 12 45 fa 7f. Breaking on that address in the debugger puts you very close to the ShellCode; in some cases it jumps directly into the ShellCode. There are other universal addresses, which are not listed here, but the procedure is the same. Of course, in a specific vulnerability environment these addresses may not be used and other addresses take their place; that has to be worked out by analysis under the debugger, testing multiple system and software environments before drawing a conclusion.
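The byte-pattern search described above, as an added example (not tooling from the article or its author): it scans a sample for the little-endian form of the universal addresses, measures the NOP sled that follows each hit, and reports where the ShellCode most likely begins. Only 0x7ffa4512 is taken from the article; the address table is otherwise an assumption to be filled from your own testing, and the sample bytes are constructed, not a real document.

```python
"""Scan an exploit sample for universal return addresses and report where the
bytes that follow them (NOP sled, then ShellCode) begin.
Added example, not the article's own tooling."""
import struct

# Address table.  Only 0x7ffa4512 (jmp esp, Chinese Windows excluding Win7) is
# named on the page; any further entry is an assumption you add from your own tests.
UNIVERSAL_ADDRS = {
    0x7FFA4512: "jmp esp (Chinese Windows, not Win7)",
}

NOP = 0x90


def find_universal_addrs(data, table=UNIVERSAL_ADDRS):
    """Return [(file_offset, address, label)] for every little-endian occurrence
    of a table address; 0x7ffa4512 is searched for as the bytes 12 45 fa 7f."""
    hits = []
    for addr, label in table.items():
        needle = struct.pack("<I", addr)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, addr, label))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def nop_sled_length(data, offset, min_len=8):
    """Length of the run of 0x90 bytes starting at offset; 0 if shorter than min_len."""
    n = 0
    while offset + n < len(data) and data[offset + n] == NOP:
        n += 1
    return n if n >= min_len else 0


def locate_shellcode(data, table=UNIVERSAL_ADDRS, min_sled=8):
    """For each address hit, report the payload that follows it.  After the
    overwritten ret, jmp esp lands on whatever ESP points at, which in the classic
    stack-overflow layout is the bytes immediately after the return address; a NOP
    sled there is a strong sign that the ShellCode starts right behind it."""
    results = []
    for off, addr, label in find_universal_addrs(data, table):
        payload = off + 4
        sled = nop_sled_length(data, payload, min_sled)
        results.append({
            "addr_offset": off,
            "address": addr,
            "label": label,
            "nop_sled": sled,
            "shellcode_offset": payload + sled,
        })
    return results


# Constructed sample, not a real document: filler, 32 bytes of padding up to the
# saved return address, the address 0x7ffa4512 little-endian, a 16-byte NOP sled,
# then eb fe (jmp $), the self-loop placeholder ShellCode writers use while testing.
SAMPLE = (b"\x00" * 40
          + b"A" * 32
          + struct.pack("<I", 0x7FFA4512)
          + b"\x90" * 16
          + b"\xeb\xfe"
          + b"\x00" * 24)

if __name__ == "__main__":
    for r in locate_shellcode(SAMPLE):
        sc = r["shellcode_offset"]
        print("0x%08x (%s) at offset %d, NOP sled %d bytes, ShellCode at offset %d: %s"
              % (r["address"], r["label"], r["addr_offset"], r["nop_sled"], sc,
                 SAMPLE[sc:sc + 8].hex()))
```

A four-byte pattern can occur by chance in a large document, so every hit still has to be confirmed under the debugger; and when an exploit uses a different address for a specific environment, as the text notes, this scan finds nothing and tracing is the only way.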
 
0x_2.4. PDF viewing software vulnerabilities
Vulnerabilities in Adobe Reader and other PDF viewers have been the most prevalent in recent years; Adobe is the king of vulnerabilities. One feature of PDF is that JavaScript can be embedded, so the heap-spray technique used against IE can be used in PDF as well. In a PDF the ShellCode follows the heap-spray code, and when no evasion encoding is applied it appears in the form "%u9090%ufeeb" (each %uXXXX is a 16-bit code unit stored little-endian, so that string decodes to 90 90 eb fe: two NOPs followed by jmp $, the infinite loop used as a placeholder). If the code is encoded, the ShellCode takes many forms that I do not know how to summarize; if you are familiar with the ShellCode of IE vulnerabilities, decoding is still easy, just a matter of engineering effort. PDF has few vulnerabilities of the Office kind; most require a JavaScript heap spray to execute the ShellCode. The CVE-2010-0188 Adobe Reader TIFF image-processing buffer overflow from early this year is a special case: the ShellCode is hidden in a TIFF image file. Finding the ShellCode under the debugger is one way; decoding the TIFF image and copying the ShellCode out directly is another.
This is just a summary of my own learning and is surely not all correct; please bear with me.
0x_3. How to find the ShellCode of a vulnerability
In fact, the method for finding the ShellCode of a file-type vulnerability has already been described above. Here the process is summarized. It covers only the general case; special circumstances need special treatment.
0x_3.1 Determine whether the vulnerability has been disclosed and whether related technical analyses or descriptions exist. If so, they will tell you where to look. For example, the CVE-2010-0188 description reads:
Adobe Reader and Acrobat are popular PDF file readers.
A buffer overflow vulnerability exists in the open-source TIFF image parsing library libtiff as implemented in Adobe Reader and Acrobat.
A remote attacker may exploit this vulnerability by tricking a user into opening a PDF document containing a malicious TIFF image, executing arbitrary commands on the user's system and taking control of it.
This security issue is actually a reappearance of an old vulnerability (CVE-2006-3459) in Adobe products.
On the Internet you can find the trigger and exploitation documents and source programs for CVE-2006-3459, which lays the foundation for finding the ShellCode.
0x_3.2 For undisclosed vulnerabilities, observe the actions the sample performs in the test environment and choose API breakpoints accordingly. The first guess may be wrong; prepare several breakpoints to cover that.
0x_3.3 Check whether the sample contains common jump addresses. These addresses are regular and worth memorizing; there are not many of them. They are widely used in Office-series exploits (only file vulnerabilities are discussed here; other kinds are out of scope), for example jmp esp and pop ret.
0x_3.4 Finding ShellCode in a PDF is listed separately because a friend on the forum asked me how to do it, so I repeat it here. Check whether the PDF sample contains JavaScript; if ShellCode exists, it is likely inside that JavaScript. There are two ways to extract it. The first is to decode the file streams in the PDF. The second is to disable JavaScript execution in the viewer (Adobe Reader: Edit - Preferences - JavaScript - uncheck the enable JavaScript box) and use PDF editing software to view the ShellCode contained in the document; in that case the ShellCode is not executed, but the PDF editing software may still hang on the vulnerability trigger, so the vulnerability itself has to be neutralized as well. There are many ways to do that, for example by using a PDF software version that the vulnerability does not affect, haha. Decoding the file stream is the most direct, but you must first find the stream (obj) that holds the ShellCode and decode it completely, which takes time and effort. Note that the decoded JavaScript does not necessarily contain the ShellCode: it may be hidden in the file stream that triggers the vulnerability, with the JavaScript only performing the heap spray. In that case the two methods must be combined. Believe it or not, I have encountered such a situation; I have forgotten the specific vulnerability number, so if anyone knows it, please tell me. The debugging and tracing approach described earlier also applies to PDF; which method to use is up to the individual.
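The stream-decoding route from 0x_2.4 and 0x_3.4, as an added example (not tooling from the article or its author): it walks the stream objects of a PDF, inflates the FlateDecode ones, pulls every unescape("...") string out of the JavaScript it finds, and converts the %uXXXX escapes to the raw bytes as they would sit in memory, so the ShellCode can be read without ever running it. It assumes a direct /Length value, at most one level of nested dictionaries, FlateDecode as the only filter, and a string literal passed straight to unescape(); object streams and obfuscated JavaScript are out of scope. The PDF below is constructed for the example, not a real exploit.

```python
"""Extract the JavaScript from a PDF's streams and decode its unescape("%u...")
strings into raw ShellCode bytes without executing them.
Added example, not the article's own tooling."""
import re
import zlib

# A stream dictionary (one level of nested << >> allowed) followed by the stream keyword.
STREAM_START_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream(?:\r\n|\n)")
# A direct /Length value; an indirect "/Length 4 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.DOTALL)
PCT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape_to_bytes(s):
    """Mimic JavaScript unescape() and lay the result out as the interpreter does in
    memory: every code unit is 16 bits little-endian, so "%u9090%ufeeb" -> 90 90 eb fe
    and "%41" -> 41 00.  Literal characters become single code units too."""
    out = bytearray()
    pos = 0
    for m in PCT_RE.finditer(s):
        for ch in s[pos:m.start()]:
            out += ord(ch).to_bytes(2, "little")
        unit = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2), 16)
        out += unit.to_bytes(2, "little")
        pos = m.end()
    for ch in s[pos:]:
        out += ord(ch).to_bytes(2, "little")
    return bytes(out)


def decode_streams(pdf):
    """Yield (dictionary_text, body) for each stream, inflating /FlateDecode bodies.
    A stream without a direct /Length falls back to searching for endstream."""
    pos = 0
    while True:
        m = STREAM_START_RE.search(pdf, pos)
        if m is None:
            return
        d, start = m.group(1), m.end()
        lm = LENGTH_RE.search(d)
        if lm:
            end = start + int(lm.group(1))
        else:
            end = pdf.find(b"endstream", start)
            if end == -1:
                return
            end = start + len(pdf[start:end].rstrip(b"\r\n"))
        body = pdf[start:end]
        pos = end
        if b"/FlateDecode" in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # damaged or mislabelled stream: nothing readable here
        yield d.decode("latin-1").strip(), body


def extract_shellcode(pdf):
    """Return [(stream_dictionary, shellcode_bytes)] for every unescape() string
    found in a stream that contains JavaScript."""
    found = []
    for d, body in decode_streams(pdf):
        text = body.decode("latin-1")
        if "unescape(" not in text:
            continue
        for m in UNESCAPE_RE.finditer(text):
            found.append((d, js_unescape_to_bytes(m.group(2))))
    return found


# Constructed sample, not a real exploit: a heap-spray script whose "ShellCode" is the
# nop/nop/nop/nop/jmp $ placeholder, stored in a FlateDecode stream referenced from an
# /OpenAction, plus one harmless uncompressed stream.
_JS = (b'var sc = unescape("%u9090%u9090%ufeeb");\n'
       b'var pad = unescape("%u0c0c%u0c0c");\n'
       b'while (pad.length < 0x10000) pad += pad;\n'
       b'var spray = []; for (var i = 0; i < 200; i++) spray[i] = pad + sc;\n')
_DEFLATED = zlib.compress(_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >>\nendobj\n"
    + b"2 0 obj\n<< /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    + b"3 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for d, sc in extract_shellcode(SAMPLE_PDF):
        print("stream <<%s>>: %s" % (d, sc.hex()))
```

The %u string is decoded into the little-endian byte order the interpreter uses in memory; that is why a spray pattern written as %u0c0c lands as 0c 0c and why the hidden ShellCode can be fed straight to a disassembler once extracted. When the decoded JavaScript only sprays and the ShellCode lives in the stream that triggers the bug, as the text warns, the same stream walker shows you that other stream too, but recognising the ShellCode inside it is then a job for the debugger.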
0x_4. Example
Originally I wanted to use an Office PowerPoint vulnerability, MS09-017 / CVE-2009-0556, for the demo, but I simply do not have the sample, so that demo cannot go ahead. If anyone has this sample, please send it to me; if I get one later, this chapter will be extended.
So I will only take a PDF sample as the example: CVE-2009-0927, the stack overflow in the getIcon() JavaScript method handled by Adobe Reader. Analysis documents for this vulnerability, in Chinese and in English, can be found all over the Internet, which is rather tiresome.
If you just want the ShellCode, the simplest way is to disable JavaScript and then open Acrobat - Advanced - Document Processing - Edit All JavaScripts to view the JavaScript used in the document; the ShellCode is right there. It can be obtained in other ways too. If you want to observe how the ShellCode executes, you still have to trace it under the debugger. The principle of the vulnerability is not explained here; analyze it yourself. I am sure many people understand it better than I do.
0x_5. Summary
That concludes the search for ShellCode in file-type vulnerabilities. I wrote a lot, and it is rather messy; after reading it you can organize it for yourself. In fact it boils down to one sentence: the ShellCode can be found by tracing under the debugger. Personally I think that in vulnerability analysis the ShellCode is not the focus, unless you are practising writing ShellCode. How the vulnerability is triggered, how the malicious data is carefully constructed, and how the normal execution flow of the program is diverted into the ShellCode: that is the real highlight of vulnerability debugging, where you learn the most and see many unexpected tricks of exploitation. For example, in the MS09-017 PowerPoint vulnerability the address 300501cd is very common, and replacing it with other addresses is very restrictive. Why this address, and how did the people who wrote the exploit find it? That is worth thinking about.

Author: xianguo
