2. Outline
● Background
– How to patch in IDA (the easy way)
– How to look up instructions
● Fixing the signed vulnerability
● Fixing the format string vulnerability
6. Background
● Change Byte
– Important to notice the size of instructions
– Easy to do with “Change byte”
● How do we figure out the bytes that make up an instruction, e.g. “mov [esp+4], eax”?
– Metasploit!
– metasm_shell.rb
9. Background
● Warning!
– If a new instruction is more or fewer bytes than the current instruction, the following instruction(s) will get messed up
10. Background
● Good resource to look up instructions:
● http://pdos.csail.mit.edu/6.828/2004/readings/i386/toc.htm
– Can look up the bytes and operands of any instruction
– Sometimes metasm_shell.rb produces odd output for jmp and other instructions
12. Fixing the format string vulnerability
● The hard one...
● We need to
– Add a format string parameter (“%s”)
– Setup the stack with the new parameter
– Not destroy any registers / the stack in the process
– Return control flow after the new call
– Space to do all this!!!
13. Fixing the format string vulnerability
● The args are all set up by this point
● If we could redirect program flow from here, we just have to add our new arg and rearrange the existing ones
14. Fixing the format string vulnerability
● Where to jmp to? Where is free space?
● Need an executable (X) section
● Need space for several instructions
15. Fixing the format string vulnerability
● After poking around... those sections don't have any extra space to work with
● But... there are 2 debug functions that only get called if the global variable 'debug' is set, which it isn't...
● We'll just take over one of those functions
18. Fixing the format string vulnerability
● Coming in at the dotted line from earlier
● We rewrite how the function call should occur
19. Fixing the format string vulnerability
● Redirect program flow into our new space
● Need to jmp 306 bytes backwards (the displacement is relative to the address of the instruction following the jmp)
● Using the jmp instruction, opcode E9, with -306 as a little-endian 32-bit displacement, our new instruction becomes \xE9\xCE\xFE\xFF\xFF
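As an added example (not from the slides), the two rules the deck relies on in code: the E9 rel32 displacement is measured from the end of the 5-byte jmp, and a replacement must never be longer than the instruction it overwrites. The base address, offsets and the placeholder `call` are constructed, since the real binary's addresses are not on the slides.

```python
import struct

JMP_REL32 = 0xE9          # near jmp, 32-bit relative displacement
JMP_REL32_LEN = 5         # opcode + rel32
NOP = 0x90

def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` to be placed at address `src`.
    The CPU adds the signed displacement to the address of the *next*
    instruction (src + 5), so 'jump 306 bytes back' means disp = -306."""
    disp = dst - (src + JMP_REL32_LEN)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target not reachable with rel32")
    return bytes([JMP_REL32]) + struct.pack("<i", disp)  # little-endian

def decode_jmp_rel32(src: int, code: bytes) -> int:
    """Inverse of encode_jmp_rel32: return the absolute target address."""
    if len(code) != JMP_REL32_LEN or code[0] != JMP_REL32:
        raise ValueError("not an E9 jmp rel32")
    (disp,) = struct.unpack("<i", code[1:])
    return src + JMP_REL32_LEN + disp

def patch_bytes(image: bytearray, offset: int, old_len: int, new: bytes) -> bytes:
    """Overwrite the `old_len`-byte instruction at `offset` with `new`.
    A longer replacement is refused: it would spill into the following
    instruction (the slides' warning). A shorter one is NOP-padded so the
    instruction stream stays aligned. Returns the bytes written."""
    if len(new) > old_len:
        raise ValueError(f"{len(new)}-byte replacement does not fit in {old_len} bytes")
    written = new + bytes([NOP]) * (old_len - len(new))
    image[offset:offset + old_len] = written
    return written

# Constructed sample: a 0x300-byte code region mapped at BASE, with the
# 5-byte `call` we want to divert sitting at offset CALL_OFFSET. Both values
# are placeholders, not addresses from the patched binary.
BASE = 0x08048000
CALL_OFFSET = 0x2F0

def build_patched_image() -> bytearray:
    image = bytearray(b"\xcc" * 0x300)                            # int3 filler
    image[CALL_OFFSET:CALL_OFFSET + 5] = b"\xe8\x00\x00\x00\x00"  # placeholder call rel32
    call_addr = BASE + CALL_OFFSET
    target = call_addr + JMP_REL32_LEN - 306   # the repurposed debug function, 306 bytes back
    jmp = encode_jmp_rel32(call_addr, target)  # -> E9 CE FE FF FF
    patch_bytes(image, CALL_OFFSET, 5, jmp)    # same length as the call it replaces
    return image
```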