open security

by c0ntex | c0ntexb[at]gmail.com www.open-security.org The PEB (Process Environment Block) is a process specific area of userland memory that contains details about each running process. Since PEB information is user modifyable, it runs in the context of the process address space. Information contained in the PEB includes the image base address, heap information, loaded modules and defined environment variables amongst other things. A quick look at the PEB of a vulnerable application shows us this information: 0:000> !peb PEB at 7ffdf000 InheritedAddressSpace: No ReadImageFileExecOptions: No BeingDebugged: Yes ImageBaseAddress: 004000...

by c0ntex | c0ntexb@gmail.com www.open-security.org This paper will provide a quick overview of how to perform reverse engineering against a simple .exe binary. By using the assembly of a binary, it can be trivial to gain a basic understanding of the executable, which will allow for the source code to be retrieved almost exactly as the developer designed it. In this example we are only using a small program and as such it is easy to do, on a larger exe it would take much longer and a more rigorous review of the assembler would be required. // IDA assembler dump ; seh.exe .text:0040102B push ebp .text:0040102C mov ebp, esp .text:0...

by c0ntex | c0ntex[at]open-security.org www.open-security.org Format string bugs are a method of abusing incorrect usage of the format functions like printf, sprintf, snprintf, fprintf, vfprintf and the likes. When these functions are called they require that a version specifier is used to display the data stored in one or more directives. In the last format paper I discussed how to use a user supplied string to allow for an arbitrary write to any location in memory we wished. By modifying the GOT, DTORS or some other useful memory location, it is trivial to hijack the process completely and execute malicious, arbitrary code. However wit...

by c0ntex | c0ntexb[at]gmail.com www.open-security.org This short paper will discuss the method of overwriting a pointer that is used in a function, to overwrite the associated entry in the Global Offset Table, allowing us to redirect the execution flow of a program. This method is useful when one is unable to modify the address pointed to by EIP with a shellcode address, in situations where there is stack protection of some kind. Rather than overwrite the next instruction with the address of our shellcode, we will patch the functions GOT reference with a function that we can utilise to run system commands. So what is the Global offset T...

by c0ntex | c0ntex[at]open-security.org www.open-security.org *unfinished* Also see http://open-security.org/texts/7 - Further advances in format string exploitation Format string bugs are a method of abusing incorrect usage of the format functions like printf, sprintf, snprintf, fprintf, vfprintf and the likes. When these functions are called they require that a version specifier is used to display the data stored in one or more directives. During this document I will be using the printf function. From the man page we get the following: #include <stdio.h> int printf(const char *format, ...); ... The functions in th...

by c0ntex | c0ntex[at]open-security.org www.open-security.org Returning to libc is a method of exploiting a buffer overflow on a system that has a non-executable stack, it is very similar to a standard buffer overflow, in that the return address is changed to point at a new location that we can control. However since no executable code is allowed on the stack we can't just tag in shellcode. This is the reason we use the return into libc trick and utilise a function provided by the library. We still overwrite the return address with one of a function in libc, pass it the correct arguments and have that execute for us. Since these func...

by c0ntex | c0ntexb[at]gmail.com www.open-security.org This document provides some useful basic commands to use with GDB during debug of applications for vulnerability development and troubleshooting. From the GDB man page: "The purpose of a debugger such as GDB is to allow you to see what is going on ‘‘inside’’ another program while it executes — or what another program was doing at the moment it crashed". Launch GDB against either a binary, a core file or a Process ID $ gdb ./vuln $ gdb ./vuln ./core $ gdb -c ./core $ gdb -silent `pidof vuln` Set arguments for the application to execute with (gdb) set args `perl -e '...

by c0ntex | c0ntexb[at]gmail.com When you think of a search engine, you probably conjure up an image of the handy, html based site that can help you find those RFC's, wiring diagrams, soft-warez, serial keys or questionable images, depending on your taste. You've probably used generic search engines like Google, Yahoo, MSN, Lycos & Hotbot a trillion times without considering even the possibility that it could be used to support an attack attempt. Due to the sheer volume of HTTP based attacks, one has to consider than anything utilising HTTP is a serious theoretical attack vector. Too many people feel happy in the knowledge th...

by c0ntex | c0ntexb@gmail.com www.open-security.org This document shows how to abuse destroyed NULL terminators to an attackers advantage by finding and controlling functional execution of calls that fail to do any type of safe bounds checking. This is an old subject but the methods used in this paper are still valid for exploitation of applications today, this example is based on a real situation I found in mplayer - (05/2004) First, let us find a bug to try. Copy vuln.c into an empty directory and run the following command: /* vuln.c */ #include <stdio.h> #define MAX_SIZE 50 void error(void); int main(int argc, char *...