This document discusses binary patching techniques to fix two vulnerabilities in an echoserver program: a signed integer vulnerability and a format string vulnerability. It outlines how to lookup instruction bytes and use IDA to patch binaries by changing individual bytes. It then walks through patching the vulnerabilities, including adding a format string parameter, rearranging the stack, and redirecting control flow to make the proper function call without disrupting registers or the stack. The document provides examples of the binary diffs before and after each patch.

1. Binary Patching
Fixing the vulnerabilities in echoserver
http://utdcsg.org
Mitchell Adair
2/8/2012

2. Outline
● Background
– How to patch in IDA (the easy way)
– How to look up instructions
● Fixing the signed vulnerability
● Fixing the format string vulnerability

3. Background
● How to patch in IDA (the easy way)

4. Background

5. Background
● Assemble Instruction

6. Background
● Change Byte
– Important to notice the size of instructions
– Easy to do with “Change byte”
● How do we figure out the bytes that makeup an
instruction? “mov [esp+4], eax”
– Metasploit!
– metasm_shell.rb

7. Background

8. Background
● Before and after patch

9. Background
● Warning!
– If a new instruction is more or less bytes than the
current instruction, the following instruction(s) will
get messed up

10. Background
● Good resource to lookup instructions :
● http://pdos.csail.mit.edu/6.828/2004/readings/i386/toc.htm
– Can lookup the bytes and operands in any instruction
– Sometimes metasm_shell.rb produces odd output for
jmp and other instructions

11. Fixing the sign vulnerability
● The easy one...

12. Fixing the format string vulnerability
● The hard one...
● We need to
– Add a format string parameter (“%s”)
– Setup the stack with the new parameter
– Not destroy any registers / the stack in the process
– Return control flow after the new call
– Space to do all this!!!

13. Fixing the format string vulnerability
● The args are all setup by
this point
● If we could redirect
program flow from here,
we just have to add our
new arg, and rearrange
the existing ones

14. Fixing the format string vulnerability
● Where to jmp to? Where is free space?
● Need an
executable (X)
section
● Need space for
several
instructions

15. Fixing the format string vulnerability
● After poking around... those sections don't have any
extra space to work with
● But... there are 2 debug functions that only get
called if the global variable 'debug' is set, which it
isn't...
● We'll just take over one of those functions

16. Fixing the format string vulnerability
● Before
● After

17. Fixing the format string vulnerability
● Our goal

18. Fixing the format string vulnerability
● Coming in at the dotted line from earlier
● We rewrite how the function call should occur

19. Fixing the format string vulnerability
● Redirect program flow into our new space
● Need to jmp 306 bytes backwards
● Using the jmp instruction, E9, our new instruction
becomes xE9xCExFExFFxFF

20. Fixing the format string vulnerability

21. Fixing the format string vulnerability
● Add in our new instructions
● Place a jmp back into the program

22. Fixing the format string vulnerability
● Now a proper snprintf
function call takes place,
with our “%s” format
specifier

23. Fixing the format string vulnerability
● Server Side
● Client Side

24. A little extra
● IDA has a great plugin, patchdiff2
● Well worth checking out
● Won't go into in now, just a small preview

25. A little extra

26. Questions?
Comments?