This document provides an overview of how to find vulnerabilities in software. It discusses different types of vulnerabilities, why vulnerabilities must be found, and techniques for finding vulnerabilities like superficial analysis, internal analysis, and fuzzing. The document also provides examples of how vulnerabilities have been found through source code auditing, including a case study of a buffer overflow vulnerability discovered in the VLC media player through analyzing its MMS streaming code.
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long (CODE BLUE)
Recently our team researched various ntos subsystem attack vectors, and we will present one of the outputs in our talk. DeathNote is our internal code name for this component, which resides in the Microsoft Windows kernel, hiding behind different interfaces and exposed to the user in different ways.
What can go bad with it?
Basically two kinds of problems. The first is syscall handling via direct user interaction. We will describe how to obtain a basic understanding of what's going on, how it interacts with other components and what its purpose is. With that knowledge we will dig deeper into how to build more complex fuzzing logic to cause enough chaos to end up in unexpected behaviors in the Windows kernel, and demonstrate some of them.
And as for the second, as the title hints, this module does a bit of data parsing, so we will dive deep into its internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanisms. We will show how some tricks can produce various results, and how a structured approach can expose more problems than expected.
--- Peter Hlavaty
Peter is Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team), with a primary focus on vulnerability discovery and the development of novel exploitation techniques. He has presented his research at various conferences such as Recon, Syscan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was an AV (ESET) guy; with 4+ years of experience in that field he switched to offensive software security research focused on Windows and Linux kernel architectures. Pwnie nominee and Pwn2Own 2015 & 2016 (MoP) winner, occasional CTF player. Besides the software security field, he does his best as a wushu player as well.
--- Jin Long 金龙
Tencent Keen Security Lab researcher, 6 years of programming experience, 4 years of security experience. Former TrendMicro employee, now focused on Windows security research at Keen Security Lab. Pwn2Own 2016 winner (Master of Pwn by the final Edge to SYSTEM escape).
Research and Presentation of Bluetooth Vulnerabilities at the 23C3 in Berlin. Release of BTCrack a Bluetooth Pin cracker + FPGA Implementation. Remote Root over Bluetooth demonstration.
Build a fully functional virtual machine from scratch, using Brainfuck. Basic concepts about interpreters, optimization techniques, language specialization, and platform-specific tweaks.
In this Lab, we go through the steps to prepare the Raspberry Pi board for the projects in the course. This includes selecting the OS and setting it up on the SD card, connecting the Pi, and booting it.
The Lab also goes through setting up the network interfaces (both wired and wireless) and remotely connecting into the Pi.
Controlling Access to IBM i Systems and Data (Precisely)
Security best practice and regulations such as SOX, HIPAA, GDPR and others require you to restrict access to your critical IBM i systems and their data, but this is easier said than done. Legacy, proprietary access protocols now co-exist with new, open-source protocols to create access control headaches.
View this webcast on-demand for an in-depth discussion of IBM i access points that must be secured and how exit points can be leveraged to accomplish the task. We’ll cover:
• Securing network access and communication ports
• How database access via open-source protocols can be secured
• Taking control of command execution
Kernel exploit attacks have recently become difficult to launch because executing either malicious scripts or instructions is prohibited by DEP/NX (Data Execution Prevention/Not Executable). As an alternative, return-oriented programming (ROP) could be another option to defeat the prevention. However, despite the large cost of making ROP gadgets, there is no guarantee of assembling the proper gadgets. To overcome this limitation, we introduce the Page Table Manipulation Attack (PTMA), which alters memory attributes through page table modification. This attack enables an attacker to rewrite the memory attributes of protected memory. We show how to find the page table entry of interest in the Master Kernel Page Table and modify its attribute on AArch32 and x86-64. The results show that PTMA effectively circumvents the existing kernel exploitation defenses that are based on memory permissions.
Part 02 Linux Kernel Module Programming (Tushar B Kute)
Presentation on "Linux Kernel Module Programming".
Presented at Army Institute of Technology, Pune, for the FDP on "Basics of Linux Kernel Programming" by Tushar B Kute (http://tusharkute.com).
Containers, known as Dockers, combined with Hewlett Packard Enterprise (HPE) technology can drive IT cost-efficiencies by transforming IT operations. With this reemerging technology, companies can benefit from isolated environments without virtualization.
Read the in-depth guide here: https://www.oneneck.com/containers-for-dummies
You didn't see it's coming? "Dawn of hardened Windows Kernel" (Peter Hlavaty)
In the past few years our team has been focusing on different operating systems, including the Microsoft Windows kernel. Honestly, our first pwn of the Windows kernel was not that challenging: a number of available targets with a friendly environment for a straightforward pwn, from user mode up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose an ideal attack surface from various sandboxes. In addition, what steps to follow for digging up security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers: e.g. choose an "unknown" one which hasn't been researched before; select a well fuzzed or well audited one; or research kernel module internals to find "hidden" attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selection, alongside the cost of the tricks used to choose seemingly banned targets, illustrated by notable examples.
After getting hands on a potential bug available from the targeted sandbox, it is time for Microsoft Windows' hardening efforts to put the attacker into a corner. Strong mitigations are being introduced more frequently than ever, with a promising direction which cuts lots of attack surface off, and several exploitation techniques being killed. We will show the difficulties of developing universal exploitation techniques, and demonstrate the technical level needed depending on the code quality of the target. We will examine how different it becomes in the era of Redstone and following versions, even with those techniques and a good vulnerability in hand. How has it changed the attacker landscape, and how will it (and will it not) kill those techniques and applications? Will it really change the game or not?
Testing real-time Linux. What to test and how (Chirag Jog)
This paper describes testing of the real-time (CONFIG_PREEMPT_RT) Linux kernel. It explains how testing the real-time kernel is different from testing the mainline Linux kernel and provides some tips and guidelines about writing test cases for the real-time kernel. It illustrates real-time tests in the Linux Test Project (LTP) suite using examples. It also briefly covers real-time tests that are not part of LTP.
Talk for SCaLE13x. Video: https://www.youtube.com/watch?v=_Ik8oiQvWgo . Profiling can show what your Linux kernel and applications are doing in detail, across all software stack layers. This talk shows how we are using Linux perf_events (aka "perf") and flame graphs at Netflix to understand CPU usage in detail, to optimize our cloud usage, solve performance issues, and identify regressions. This will be more than just an intro: profiling difficult targets, including Java and Node.js, will be covered, which includes ways to resolve JITed symbols and broken stacks. Included are the easy examples, the hard, and the cutting edge.
Video: https://www.youtube.com/watch?v=FJW8nGV4jxY and https://www.youtube.com/watch?v=zrr2nUln9Kk . Tutorial slides for O'Reilly Velocity SC 2015, by Brendan Gregg.
There are many performance tools nowadays for Linux, but how do they all fit together, and when do we use them? This tutorial explains methodologies for using these tools, and provides a tour of four tool types: observability, benchmarking, tuning, and static tuning. Many tools will be discussed, including top, iostat, tcpdump, sar, perf_events, ftrace, SystemTap, sysdig, and others, as well as observability frameworks in the Linux kernel: PMCs, tracepoints, kprobes, and uprobes.
This tutorial updates and extends an earlier talk that summarizes the Linux performance tool landscape. The value of this tutorial is not just learning that these tools exist and what they do, but hearing when and how they are used by a performance engineer to solve real world problems: important context that is typically not included in the standard documentation.
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015 (Jeremy Brown)
The web client is critical software to secure from any perspective. No matter if you're an organization or a casual client, you're typically just as vulnerable as anyone else. OSes are often supplemented with hardening toolsets or built-in mitigations as an extra measure to avoid compromise, but as with all things, they aren't completely solid either. Thus the need for systems that break systems, some of which deploy fuzzing and almost all of them work to find implementation bugs. Browser fuzzing has been explored and improved in many different ways over the past several years. In this presentation, we'll be primarily talking about a mutation engine that provides a somewhat novel technique for finding bugs in a still-ripe attack surface: the browser's rendering engine. This technique has the flexibility to be applied even more broadly than browsers, for example, there's initial support for fuzzing PDF readers. We'll also be discussing the tooling and infrastructure areas of the process, detailing what's needed to build a system that will scale and enable your fuzzing strategies to be successful. Finally, we can conclude the talk with some incubation results and how you can start making use of these fuzzing techniques today to find the bugs you need to exploit browsers or identify and fix the code responsible for each vulnerability.
EZ KEY provides an integration of shortcuts of individual software, thereby increasing the efficiency of using shortcuts and improving productivity.
Most up-to-date, actively developed software contains shortcuts. Using shortcuts is very useful for reducing working hours and improving productivity. Commonly used software contains, on average, 200 shortcuts (max over 900). However, most people are using only a very small number of well-known shortcuts (1~10 shortcuts). We conducted a random survey and found that information on shortcuts was insufficient. Our results showed us that user recognition of shortcuts is limited. We found through our research that people are studying and recognizing visually over 70% of the time. Moreover, we studied the TRIZ methodology (theory of solving inventive problems) for a more ideal resolution. Consequently, we developed the EZ KEY software. EZ KEY displays the shortcuts of the currently active software directly on the screen when the user presses a function key such as Ctrl, Alt or Shift. EZ KEY can be displayed in two different ways (Pictogram or Text). Also, the user can find shortcuts rapidly by using the search tab. Moreover, the user can customize keyboard shortcuts for their convenience. We are mainly focusing on building a platform based on the EZ KEY software for software certificate seekers, office workers and students. In conclusion, our future goal is to have EZ KEY be the solution for education.
[2014 CodeEngn Conference 10] 심준보 - I Need Quick Cash (GangSeok Lee)
2014 CodeEngn Conference 10
The lone struggles of passionate vulnerability hunters!
What happens when you find a vulnerability? A travelogue of the hunt for vulnerabilities by lonely, pathetic Korean hackers in need of quick cash. Will we be able to find vulnerabilities, make quick cash, and break out of this lonely, pathetic situation?
http://codeengn.com/conference/10
http://codeengn.com/conference/archive
A Smart Fuzzing Approach for Integer Overflow Detection (ITIIIndustries)
Fuzzing is one of the most commonly used methods to detect software vulnerabilities, a major cause of information security incidents. Although it has the advantages of simple design and a low rate of erroneous reports, its efficiency is usually poor. In this paper we present a smart fuzzing approach for integer overflow detection and a tool, SwordFuzzer, which implements this approach. Unlike standard fuzzing techniques, which randomly change parts of the input file with no information about the underlying syntactic structure of the file, SwordFuzzer uses online dynamic taint analysis to identify which bytes in the input file are used in security sensitive operations and then focuses on mutating such bytes. Thus, the generated inputs are more likely to trigger potential vulnerabilities. We evaluated SwordFuzzer with an example program and a number of real-world applications. The experimental results show that SwordFuzzer can accurately locate the key bytes of the input file and dramatically improve the effectiveness of fuzzing in detecting real-world vulnerabilities.
Smart Bombs: Mobile Vulnerability and Exploitation (Tom Eston)
Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk will work with applications from the top three main platforms: iOS, Android and BlackBerry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.
Security from both sides of the fence: a discussion of techniques, such as fuzzing, to reduce the likelihood of an attacker discovering exploits on smartphones and PCs; plus a demonstration of approaches hackers may use to weaponize and exploit vulnerabilities.
Slides from a workshop titled Data Privacy for Activists on January 29th, 2017 for the Data Privacy PDX Meetup group.
Workshop included presentation and live demos of:
- leaked credentials
- metadata fingerprinting
- VPN use
- Encrypted Email
These slides were presented at the GDG MeetUp in Bangalore, which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide deck.
This presentation is in English; the announcement (beneath) & talk were in Dutch (NL)
OpenTechTalks | Ethical hacking with Kali
Governments, companies and private individuals are becoming increasingly vulnerable to attacks by black hat hackers, criminals who exploit the holes in computers for financial gain or simply to cause damage. Opposite them stand the white hat hackers: they test computer systems for flaws and close the holes before malicious hackers break in. Tijl Deneut (UGent/Howest) gives an overview of which forms of cybercrime exist and how you can arm yourself against them. The focus is on Kali Linux, an operating system that bundles hundreds of security and testing programs. The following questions are addressed: how do you install Kali Linux? How can you test in a safe environment? Is ethical hacking actually legal? General IT knowledge is recommended. Afterwards we have a drink in the café of Vooruit.
Exploring the Social Engineering Toolkit (SET) Using Backtrack 5R3 (IJERA Editor)
The Linux operating system is revered by many professionals because of its versatile nature. As many network security professionals, particularly ethical hackers, use Linux extensively, did we ever observe how and why the number of hackers was increasing day by day? Not only professionals, everyone is unleashing their hacking potential with the help of the Backtrack 5R3 operating system, which is a comprehensive toolkit for security auditing. This paper emphasizes the so-called SET (Social Engineering Toolkit). In a pen-testing scenario, alongside uncovering vulnerabilities in the hardware and software systems and exploiting them, the most effective of all is penetrating the human mind to extract the desired information. Such devious techniques are known as social engineering, and computer-based software tools that facilitate this form the basis of the Social Engineering Toolkit.
Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
The digital world is plagued by cyber threats that have the potential to cause widespread damage to businesses, organizations, and individuals. One of the most common types of cyber attacks is the buffer overflow attack. This article will explore the concept of remote buffer overflow attacks, their consequences, and prevention measures.
Cybersecurity has become a primary concern in today’s digital age. The increasing number of cyber-attacks highlights the importance of understanding the vulnerabilities that exist in computer systems and how to protect against them. One such vulnerability is a remote buffer overflow exploit. In this article, we will explore what a remote buffer overflow exploit is and how to use Python to create one.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
3. Who am I
Sanghwan,Ahn (h2spice)
Security Researcher in Team (NSHC.Inc)
Vulnerability/Malware Analysis , Hunting Bug , Mobile Security
Wednesday, July 3, 2013
4. Agenda
Introduction about Vulnerability
What is The Vulnerability
How to Use Vulnerabilities
The Reason we must find vulnerabilities
Before finding vulnerability, things we should know
What knowledge will help you
What experience will help you
Think and Act like a hacker
5. Agenda
How can we find vulnerability ?
Superficial analysis on the target
Internal analysis on the target
Occurs Crash
Demonstration
ActiveX module on Banking / Financial
Conclusion
7. What is The Vulnerability
In a narrow perspective:
A weakness or flaw in computer hardware or software
A loophole in the system or in its design
Allows an attacker to reduce the system's information assurance
(e.g. execution of arbitrary code, bypass of security mitigations)
In a broad perspective:
Refers to all information security risks, including user and
administrator negligence or social engineering weaknesses
8. How to use the vulnerability
Financial benefits
Information stealing
APT (Advanced Persistent Threat)
PDF, HWP, MS Word vulnerabilities
3.20 Korean Terrorism
Random target attack
Via web browser vulnerability
Making zombies
[Refer to FireEye's Next-Generation Threats]
9. Percentage of Total Infections
[According to FireEye Cyber Attack Landscape]
Technology : 25%
Banking/Finance/Insurance : 14%
Manufacturing : 9%
Healthcare : 9%
Entertainment/Media : 8%
Energy/Utilities : 8%
Telecommunications : 7%
Business Services : 6%
Retail : 6%
Logistics/Transportation : 5%
Other : 3%
10. Vulnerability Disclosure Growth by Year
[According to IBM X-Force Research and Development]
[Chart: vulnerability disclosures per year, 1996 to 2012; vertical axis 0 to 9,000]
11. Why we must find vulnerability
Attacks using 0-days are difficult to detect and the extent of the
damage is huge
If we discover the vulnerability in advance, the best solution is available:
the vulnerability gets patched
Give me the money (in Pwn2Own 2013)
Google Chrome on Windows 7 ($100,000)
Microsoft Internet Explorer:
IE 10 on Windows 8 ($100,000) or IE 9 on Windows 7 ($75,000)
To be a hacker: most of them can find vulnerabilities on every platform, and that
is the starting point of hacking
13. What knowledge will help you ?
Language
ASM / C / C++ / Python / Perl
Types of Vulnerability
Buffer Overflow (Stack,Heap,Integer)
Null Pointer Dereference
Format String Bug
Use After Free
Etc
14. What experience will help you ?
Vulnerability Analysis
Non-CVE Vulnerability Analysis
CVE-XXXX-XXXX Vulnerability Analysis
16. Think and Act like a hacker
There is no perfection in software, because it is made by humans,
so the vulnerability exists.
Check from a small part.
Do not be greedy; take it step by step.
If I can't find a vulnerability, that is my fault.
17. How to find vulnerability
Superficial Analysis on The Target
-> Internal Analysis on The Target
-> Occurs Crash
-> Exploitation / Weaponizing
20. Phase2. Internal Analysis on The Target
Although there are various approaches, many hackers use a few popular ones:
SA (Source Code Auditing)
Reverse Engineering
Fuzzing
21. Source Code Auditing
If you have the source code, you can find vulnerabilities
This is a powerful approach
Applied in many places
22. Approach method: Code Auditing FlowChart
[Flowchart] Approach method: Code Auditing / Reverse Engineering
Start
-> Is it open source software? (Y / N)
-> Is it an open source library? (Y / N)
-> Search Library -> Check Version -> vulnerable version? (Y / N)
-> Code Analysis -> Find Vulnerability -> Exploitation
-> Decompile
-> Fuzzing Step
27. How to analyze source code
Code Analysis
Accessible entry point from the user interface
  Can be accessed
  Can be manipulated
Common vulnerability
  Buffer Overflow (Stack / Heap / Integer)
  Format string
Using automatic analysis tools
  RATS, ITS4, FindBugs, Flawfinder, Splint
28. Stack Buffer Overflow in Source Code
Fixed buffer
(e.g. buffer[4096], or buffer[BUFFER_SIZE] where the size is a #define)
In source code, find dangerous functions( )
like strcpy( ), sprintf( ).
They are mostly used through wrappers, mapped like abc_strcpy( )
Sometimes a buffer overflow is caused
by the termination conditions of a loop
29. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
30. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step1. search accessible entry points
Program Name | Accessible Entry Point | File Type | File Format
VLC 2.0.0    | Open File              | Video     | 3g2 / 3gp / 3gp2 / amv / asf / etc
             |                        | Audio     | a52 / aac / ac3 / adt / adts / etc
             |                        | Play list | m3u / wpl / ram / pls / gvp / etc
             |                        | URL       | mms / rtmp / rtp / rtsp / smb / etc  <- stack based buffer overflow occurs here
32. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step2. find source code about accessible entry point
h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$ find ./ |grep "mms"
.//contrib/src/src/goom/goom2k4-xmmslibdir.patch
.//modules/access/mms
.//modules/access/mms/asf.c
.//modules/access/mms/asf.h
.//modules/access/mms/buffer.c
.//modules/access/mms/buffer.h
.//modules/access/mms/Makefile.am
.//modules/access/mms/Makefile.in
.//modules/access/mms/mms.c
.//modules/access/mms/mms.h
.//modules/access/mms/mmsh.c
.//modules/access/mms/mmsh.h
.//modules/access/mms/mmstu.c
.//modules/access/mms/mmstu.h
.//modules/access/mms/Modules.am
h2spice-ui-MacBook-Pro:vlc-2.0.0 h2spice$
Search for the accessible entry point, and you can find the source code for that entry point
33. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step3-1. check dangerous methods (e.g. strcpy, sprintf, etc)
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "strcpy"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "strcat"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "getwd"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "gets"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "fscanf"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "scanf"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "realpath"
grep: ./: Is a directory
h2spice-ui-MacBook-Pro:mms h2spice$ find ./ |xargs grep -n "sprintf"
grep: ./: Is a directory
.//mmsh.c:518: if( asprintf( &buf, "%s:%s", p_sys->proxy.psz_username,
.//mmstu.c:535: sprintf( tmp,
.//mmstu.c:592: sprintf( tmp,
.//mmstu.c:599: sprintf( tmp, "192.168.0.1TCP1242" );
h2spice-ui-MacBook-Pro:mms h2spice$
Search for dangerous methods; as a result, you are able to find the code that
uses a dangerous method
35. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step3-2. simple check via automatic tools (RATS, etc)
C:\Documents and Settings\Administrator\Desktop\rats-2.3-win32\rats-2.3>rats.exe mmstu.c
Analyzing mmstu.c
mmstu.c:459: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely. They are prime targets for buffer overflow
attacks.
mmstu.c:535: High: sprintf
Check to be sure that the non-constant format string passed as argument 2 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.
mmstu.c:535: High: sprintf
mmstu.c:592: High: sprintf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle. Additionally, the format
string could contain `%s' without precision that could result in a buffer
overflow.
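Steps 3-1 and 3-2 above are the manual grep and the RATS run. The following is an added example, written for this page and not part of the deck, of VLC or of RATS: a small line-based auditor that reports the same two finding kinds RATS printed above (a fixed-size char array and a call to a dangerous function) but, unlike the plain grep, ignores comment lines and does not match snprintf( or asprintf( as sprintf(. The names audit_source, finding_t and the helpers are mine, and SAMPLE_SOURCE is a constructed snippet loosely modelled on MMSOpen(), not VLC's file.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int line;           /* 1-based line number in the scanned source */
    const char *kind;   /* "fixed size local buffer" or the function matched */
} finding_t;

/* The same function names the deck greps for in Step3-1. */
static const char *dangerous[] = {
    "strcpy(", "strcat(", "sprintf(", "gets(", "scanf(", "getwd(", "realpath(", NULL
};

static int ident_char(int c) { return isalnum(c) || c == '_'; }

/* True when fn appears as a call of exactly that name: the character before it
 * must not be part of an identifier, so snprintf( and asprintf( are not
 * reported as sprintf(, and fgets( is not reported as gets(. */
static int calls(const char *line, const char *fn)
{
    for (const char *p = strstr(line, fn); p; p = strstr(p + 1, fn))
        if (p == line || !ident_char((unsigned char)p[-1]))
            return 1;
    return 0;
}

/* True for a declaration like "char tmp[4096];" or "char buf[BUFFER_SIZE];"
 * (a numeric literal or an upper-case macro as the size); "char *p;" is not one. */
static int is_fixed_char_buffer(const char *line)
{
    const char *p = strstr(line, "char ");
    if (!p) return 0;
    p += 5;
    while (*p == ' ') p++;
    while (ident_char((unsigned char)*p)) p++;   /* skip the variable name */
    if (*p != '[') return 0;
    p++;
    if (!isdigit((unsigned char)*p) && !isupper((unsigned char)*p)) return 0;
    return strchr(p, ']') != NULL;
}

/* Scan src line by line, record up to max findings in out, return how many
 * there were in total. Comment lines (//, /*, or a leading *) are skipped. */
int audit_source(const char *src, finding_t *out, int max)
{
    int line_no = 1, count = 0;
    const char *line = src;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        const char *s = buf;
        while (*s == ' ' || *s == '\t') s++;
        const char *kind = NULL;
        if (strncmp(s, "//", 2) != 0 && strncmp(s, "/*", 2) != 0 && *s != '*') {
            if (is_fixed_char_buffer(buf))
                kind = "fixed size local buffer";
            for (int i = 0; !kind && dangerous[i]; i++)
                if (calls(buf, dangerous[i]))
                    kind = dangerous[i];
        }
        if (kind) {
            if (count < max) { out[count].line = line_no; out[count].kind = kind; }
            count++;
        }
        if (!nl) break;
        line = nl + 1;
        line_no++;
    }
    return count;
}

/* Constructed sample input (not VLC's source): one fixed buffer, one real
 * sprintf( call, plus decoys that a naive grep would also report. */
static const char SAMPLE_SOURCE[] =
    "static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )\n"
    "{\n"
    "    char tmp[4096];\n"
    "    char *mediapath;\n"
    "    /* strcpy( tmp, x ) inside a comment must not be reported */\n"
    "    snprintf( tmp, sizeof tmp, \"%s\", p_url->psz_host );\n"
    "    sprintf( tmp, \"Host: %s\", p_url->psz_host );\n"
    "    if( asprintf( &buf, \"%s:%s\", user, pass ) == -1 )\n"
    "        return -1;\n"
    "}\n";

#define MAX_FINDINGS 16
static finding_t findings[MAX_FINDINGS];

int sample_finding_count(void)
{
    int n = audit_source(SAMPLE_SOURCE, findings, MAX_FINDINGS);
    return n < MAX_FINDINGS ? n : MAX_FINDINGS;
}

int sample_finding_line(int idx)
{
    int n = sample_finding_count();
    return (idx >= 0 && idx < n) ? findings[idx].line : -1;
}

const char *sample_finding_kind(int idx)
{
    int n = sample_finding_count();
    return (idx >= 0 && idx < n) ? findings[idx].kind : "";
}

int main(void)
{
    int n = sample_finding_count();
    for (int i = 0; i < n; i++)
        printf("sample.c:%d: High: %s\n", sample_finding_line(i), sample_finding_kind(i));
    return 0;
}
```

On the constructed sample the auditor reports line 3 (char tmp[4096]) and line 7 (sprintf) and stays quiet on the comment, the snprintf and the asprintf lines; the grep in Step3-1, by contrast, listed the asprintf( line in mmsh.c because "sprintf" is a substring of it.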
36. VLC MMS Stream Handling Buffer Overflow (CVE-2012-1775)
Step4. Analyze source code in detail
/*vlc-2.0.0/modules/access/mms/mmstu.c*/
/****************************************************************************
 * MMSOpen : Open a connection with the server over mmst or mmsu
 ****************************************************************************/
static int MMSOpen( access_t *p_access, vlc_url_t *p_url, int i_proto )
{
    access_sys_t *p_sys = p_access->p_sys;
    int b_udp = ( i_proto == MMS_PROTO_UDP ) ? 1 : 0;
    var_buffer_t buffer;
    char tmp[4096];            /* fixed-size stack buffer: the overflow target */
    uint16_t *p;
    int i_server_version;
    int i_tool_version;
    int i_update_player_url;
    int i_encryption_type;
    int i;
    int i_streams;
    int i_first;
    char *mediapath;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    /* *** send command 1 : connection request *** */
    var_buffer_initwrite( &buffer, 0 );
    var_buffer_add16( &buffer, 0x001c );
    var_buffer_add16( &buffer, 0x0003 );
    /* unbounded sprintf(): p_url->psz_host is attacker-controlled and nothing
     * limits its length against the 4096-byte buffer */
    sprintf( tmp,
             "NSPlayer/7.0.0.1956; {"GUID_FMT"}; Host: %s",
             GUID_PRINT( p_sys->guid ),
             p_url->psz_host );
Stack layout:
  tmp[4096]
  EBP
  EIP
A static buffer of 4096 bytes was allocated on the stack, and the request
packet is copied into the tmp[4096] buffer.
If a valid request packet is received, no buffer overflow occurs:
  NSPlayer 7.0.0.1956; {"user"}; Host:www.h2spice.net
But if an invalid request packet is received, a buffer overflow occurs:
  NSPlayer 7.0.0.1956; {"user"}; Host:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (and many more A's)
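The size comparison Step4 makes by hand (fixed part of the request plus the host name against the 4096-byte tmp) can be checked mechanically. The following is an added example for this page, not VLC's code and not from the deck: it reproduces the MMSOpen() format string with a constructed GUID standing in for GUID_PRINT(), measures how long the formatted request would be for a given host, computes the longest host that fits, and shows the bounded replacement (snprintf with an explicit truncation check) that rejects an over-long host instead of writing past tmp. FAKE_GUID, REQUEST_FMT and all function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TMP_SIZE 4096   /* char tmp[4096] in MMSOpen() */
/* Constructed stand-in for VLC's GUID_FMT / GUID_PRINT( p_sys->guid ) expansion. */
#define FAKE_GUID   "00000000-0000-0000-0000-000000000000"
#define REQUEST_FMT "NSPlayer/7.0.0.1956; {%s}; Host: %s"

/* Bytes the formatted request needs, excluding the terminating NUL.
 * snprintf(NULL, 0, ...) only measures and writes nothing. */
size_t request_length(const char *host)
{
    int n = snprintf(NULL, 0, REQUEST_FMT, FAKE_GUID, host);
    return n < 0 ? 0 : (size_t)n;
}

/* The audit question from slide 28: does the data fit the fixed buffer?
 * Returns 1 when sprintf() into a buf_size buffer would write past its end. */
int would_overflow(const char *host, size_t buf_size)
{
    return request_length(host) + 1 > buf_size;   /* +1 for the NUL */
}

/* Longest host name that still fits: buffer minus the fixed part and the NUL. */
size_t max_host_length(size_t buf_size)
{
    size_t fixed = request_length("") + 1;
    return buf_size > fixed ? buf_size - fixed : 0;
}

/* Probe with a constructed host of host_len 'A' characters. */
int overflow_for_host_length(size_t host_len, size_t buf_size)
{
    char *host = malloc(host_len + 1);
    if (!host) return -1;
    memset(host, 'A', host_len);
    host[host_len] = '\0';
    int r = would_overflow(host, buf_size);
    free(host);
    return r;
}

/* Hardened builder: bounded formatting plus an explicit truncation check, so an
 * over-long host is rejected rather than silently cut or written past the buffer.
 * Returns the number of bytes written, or -1 when the request does not fit. */
int build_request_safe(char *tmp, size_t tmp_size, const char *host)
{
    int n = snprintf(tmp, tmp_size, REQUEST_FMT, FAKE_GUID, host);
    if (n < 0 || (size_t)n >= tmp_size) {
        tmp[0] = '\0';        /* never send a truncated request */
        return -1;
    }
    return n;
}

/* Same probe against the hardened builder. */
int safe_build_for_host_length(size_t host_len)
{
    char tmp[TMP_SIZE];
    char *host = malloc(host_len + 1);
    if (!host) return -1;
    memset(host, 'A', host_len);
    host[host_len] = '\0';
    int n = build_request_safe(tmp, sizeof tmp, host);
    free(host);
    return n;
}

int main(void)
{
    printf("fixed part needs %zu bytes, so the longest host that fits in %d bytes is %zu chars\n",
           request_length(""), TMP_SIZE, max_host_length(TMP_SIZE));
    printf("host of 4028 chars overflows? %d; 4029 chars? %d\n",
           overflow_for_host_length(4028, TMP_SIZE), overflow_for_host_length(4029, TMP_SIZE));
    printf("bounded builder: 4028 chars -> %d, 4029 chars -> %d\n",
           safe_build_for_host_length(4028), safe_build_for_host_length(4029));
    return 0;
}
```

With the constructed 36-character GUID the fixed part of the request is 67 bytes, so a host of 4028 characters is the last one that fits in tmp[4096] with its NUL; one character more and the original sprintf() writes past the buffer, whereas build_request_safe() returns -1.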
40. Heap Buffer Overflow in Source Code
h2spice-ui-MacBook-Pro:rtsp h2spice$ find ./ |xargs grep -n "malloc"
grep: ./: Is a directory
.//access.c:168: p_access->p_sys = p_sys = malloc( sizeof( access_sys_t ) );
.//access.c:171: p_sys->p_rtsp = malloc( sizeof( rtsp_client_t) );
.//real.c:433: buf= (char *)malloc(2048);
.//real.c:611: char *buf = malloc(256);
.//real.c:666: description = malloc(size+1);
.//real.c:675: subscribe = malloc(256);
.//real_asmrp.c:93: p = malloc (sizeof (asmrp_t));
.//real_rmff.c:384: mdpr->type_specific_data = malloc(type_specific_len);
.//real_sdpplin.c:70: buf = malloc( BUFLEN );
.//real_sdpplin.c:74: decoded = malloc( BUFLEN );
.//real_sdpplin.c:146: desc->mlti_data = malloc(desc->mlti_data_size);
.//real_sdpplin.c:193: buf = malloc( BUFLEN );
.//real_sdpplin.c:200: decoded = malloc( BUFLEN );
.//real_sdpplin.c:262: desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count);
.//rtsp.c:505: s->host = malloc(hostend+1);
Search malloc( ), calloc( ), realloc( ), memcpy( )
Compare the allocated memory size to the copied data size
Search for the methods used for memory allocation; as a result, you are able
to find the code that uses them
41. Heap Buffer Overflow in Source Code
Search malloc( ), calloc( ), realloc( ), memcpy( )
Compare the allocated memory size to the copied data size
/* vlc-2.0.0/modules/access/rtsp/real_sdpplin.c */
if(filter(*data,"a=OpaqueData:buffer;",&buf, BUFLEN)) {
    /* the decoder is told the destination holds BUFLEN bytes, so the
     * returned size cannot exceed the decoded[] buffer */
    desc->mlti_data_size =
        vlc_b64_decode_binary_to_buffer(decoded, BUFLEN, buf );
    if ( desc->mlti_data_size ) {
        /* allocated size ... */
        desc->mlti_data = malloc(desc->mlti_data_size);
        /* ... and copied size are the same variable: they are equal */
        memcpy(desc->mlti_data, decoded, desc->mlti_data_size);
        handled=1;
        *data=nl(*data);
        lprintf("mlti_data_size: %i\n", desc->mlti_data_size);
    }
}
If equal? Then check the other malloc( ) and memcpy( ) pairs.
46. httpdx 1.5.4 Heap Overflow
Step1. Search malloc( ) or memcpy( )
h2spice-ui-MacBook-Pro:httpdx_src h2spice$ find ./ |xargs grep -n "malloc"
grep: ./: Is a directory
.//daemon.cpp:100: //d = (char*)malloc(_size);
.//daemon.cpp:191: //mimes = (dblstr_t*)malloc(vc+1);//+1: space for httpdx command virtual file extension
.//daemon.cpp:204: mimes = (dblstr_t*)malloc((vc+1)*sizeof(dblstr_t));//+1: space for httpdx command virtual file extension
.//ftp.cpp:122: client->transfers[client->transfers_c].d = (char*)malloc(1);
.//http.cpp:250: client->d = (char*)malloc(strlen(p[0])+1);
.//http.cpp:357: client->d = (char*)malloc(strlen(p[0])+1);
.//http.cpp:467: client->d = (char*)malloc(client->ds);
.//http.cpp:661: client->pd = (char*)malloc(client->cl+1);
.//script.cpp:233: //nodes[*ns].str = (char*)malloc(el+1);
.//script.cpp:246: //nodes[*ns].str = (char*)malloc(el+1);
.//script.cpp:264: //nodes[*ns].str = (char*)malloc(el+1);
h2spice-ui-MacBook-Pro:httpdx_src h2spice$
Search for the methods used for memory allocation; as a result, you are able
to find the code that uses them
47. httpdx 1.5.4 Heap Overflow
Step2. Compare the allocated memory size to the copied data size
Step3. if not equal, carry out a detailed analysis
int h_readrequest(phclient_t client){
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
            int hs = p-client->req; //Get data position in request
            if(p){
                /* allocated size comes from the Content-Length header (cl) */
                client->pd = (char*)malloc(client->cl+1);
                int pos = p+4-client->req;
                /* copied size comes from the received request size (rs): not equal */
                memcpy(client->pd,client->req+pos,(client->rs-hs-4));
                client->pds = client->rs-hs-4;
                if((client->rs-hs-4) >= client->cl)
                    client->state = STATE_REQD;
                else client->state = STATE_DATADOWN;
            }else{
                client->state = STATE_ERROR;
                return (client->code = C_REQUESTENTITYTOOLARGE);
            }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
        }
    }
}
If it's not equal, carry out a detailed analysis.
httpdx 1.5.4 Heap Overflow
Step 3. If not equal, carry out a detailed analysis

int h_readrequest(phclient_t client){
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
            int hs = p-client->req; //Get data position in request
            if(p){
                client->pd = (char*)malloc(client->cl+1);
                int pos = p+4-client->req;
                memcpy(client->pd,client->req+pos,(client->rs-hs-4));

Source Path            Structure Name  Variable Type  Variable Name  Detail Info
source/include/http.h  phclient_t      int            socket         socket to communicate
                                       char           host[256]      what host the client used
                                       char *         pd             post-data: size is allocated with "Content-Length"
                                       size_t         pds            post-data size
                                       int            cl             content-length
                                       char           req[4096]      request buffer
                                       int            rs             request size (by received packet)

The two fields that matter are cl (content-length, which sizes the malloc) and rs (request size by received packet, which sizes the memcpy).
httpdx 1.5.4 Heap Overflow
Step 3. If not equal, carry out a detailed analysis

Generate a malformed packet and send it to the server:

    POST /index.html HTTP/1.0
    Content-Length: 100
    Content-Type: text
    Host: AAAAAAAAA.....AAAAAAAAAAA

Heap layout before the copy: a dynamic buffer of 101 bytes (Content-Length + 1) was allocated, followed by other heap space.

    heap based buffer[101] | Other Space | Other Space

The request packet is then copied into that buffer:

    POST/index.ht | ml HTTP/1.0 | Content-Length | :100 Content- | Type :text Host: | AAAAAAAAAA | AAAAAAAAAA | AAAAAAAAAA | ...

If content-length is smaller than the request packet size, the copy runs past the 101-byte buffer into the adjacent heap space: a heap buffer overflow occurs.
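The size mismatch found in Step 2 can be written down as a check and removed in code. The following is an added example, not code from httpdx or from this deck: client_t, MAX_BODY, overflow_bytes, read_body_hardened and demo_hardened_copy are hypothetical names chosen here, modelled on the fields in the table above (req, rs, cl, pd, pds). It computes how far the unchecked copy would overrun the Content-Length-sized allocation for a constructed request, and shows a copy whose length is bounded by both the declared Content-Length and the bytes actually received.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound imposed on a declared Content-Length; a constructed limit for
 * this example, not a value from httpdx. */
#define MAX_BODY (1u << 20)

/* Reduced stand-in for the httpdx client record, keeping only the fields the
 * table above lists (req, rs, cl, pd, pds). Hypothetical type for this example. */
typedef struct {
    char   req[4096];   /* request buffer */
    int    rs;          /* request size, as received */
    int    cl;          /* Content-Length parsed from the header */
    char  *pd;          /* post-data, allocated with cl + 1 bytes */
    size_t pds;         /* post-data size actually stored */
} client_t;

/* Step 2 as a computation: the slide allocates cl + 1 bytes but copies
 * rs - hs - 4 bytes. Returns how many bytes the copy would write past the
 * allocation, 0 when the copy fits. */
size_t overflow_bytes(int rs, int hs, int cl)
{
    size_t alloc = (size_t)cl + 1;
    size_t copy  = (size_t)(rs - hs - 4);   /* bytes after the "\r\n\r\n" */
    return copy > alloc ? copy - alloc : 0;
}

/* Hardened body copy: the copy length is bounded by both the bytes actually
 * present and the declared Content-Length, and Content-Length itself is
 * range-checked before it sizes an allocation. p points at the header
 * terminator "\r\n\r\n". Returns 0 on success, -1 when the request is rejected. */
int read_body_hardened(client_t *c, const char *p)
{
    if (p == NULL || c->cl < 0 || (unsigned)c->cl > MAX_BODY) return -1;
    int hs = (int)(p - c->req);
    if (hs < 0 || hs + 4 > c->rs || c->rs > (int)sizeof c->req) return -1;

    size_t avail = (size_t)(c->rs - hs - 4);    /* body bytes already received */
    size_t want  = (size_t)c->cl;               /* body bytes the client declared */
    size_t n     = avail < want ? avail : want; /* never exceeds either limit */

    c->pd = malloc(want + 1);
    if (c->pd == NULL) return -1;
    memcpy(c->pd, p + 4, n);
    c->pd[n] = '\0';
    c->pds = n;                                 /* the rest is read later if n < want */
    return 0;
}

/* Builds a constructed request modelled on the slide (Content-Length: 100 with
 * far more than 100 bytes after the headers) and returns how many body bytes
 * the hardened copy stored. */
size_t demo_hardened_copy(void)
{
    client_t c;
    memset(&c, 0, sizeof c);
    const char *hdr = "POST /index.html HTTP/1.0\r\nContent-Length: 100\r\n"
                      "Content-Type: text\r\nHost: ";
    size_t n = strlen(hdr);                     /* 74 bytes */
    memcpy(c.req, hdr, n);
    memset(c.req + n, 'A', 3000); n += 3000;    /* constructed oversized Host value */
    memcpy(c.req + n, "\r\n\r\n", 4); n += 4;
    memset(c.req + n, 'B', 500);  n += 500;     /* constructed 500-byte body, declared as 100 */
    c.rs = (int)n;                              /* 3578 */
    c.cl = 100;

    const char *p = strstr(c.req, "\r\n\r\n");  /* req was zeroed, so it is NUL-terminated */
    if (read_body_hardened(&c, p) != 0) return (size_t)-1;
    size_t kept = c.pds;
    free(c.pd);
    return kept;
}

int main(void)
{
    printf("unchecked copy would overrun by %zu bytes\n", overflow_bytes(3578, 3074, 100));
    printf("hardened copy stored %zu bytes\n", demo_hardened_copy());
    return 0;
}
```

With the constructed request the header terminator sits at offset 3074 and 500 body bytes follow, so the unchecked pattern overruns a 101-byte allocation by 399 bytes, while the hardened copy keeps exactly the 100 bytes the client declared.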
Integer Buffer Overflow in Source Code

      0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0   =  20000
   +  0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0   =  30000
   ---------------------------------------------
      1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0   = -15536

In a 16-bit signed integer the sum is a negative number, because the top bit is interpreted as a sign bit.

It occurs when the stored operation result is bigger than the permissible range
It occurs when the stored operation result is smaller than the permissible range
It occurs in the operation process itself, not in the copy that follows
Difficult to detect, so extensive code analysis is needed
Example of Integer Buffer Overflow

#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* off_t */
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
    off_t type1=0; /*signed type*/
    size_t type2=0; /*unsigned type*/
    off_t type3=999999999999999; /*integer overflow: the value does not fit a 32-bit off_t*/
    char buffer[BUFFER_SIZE]; /*fixed buffer*/
    if(argc < 2) return 1;
    type1 = strlen(argv[1]);
    printf("size of input data = %d\n",(int)type1);
    if(argv[2]!=NULL)
    { /*due to some operations*/
        type1=type3;
    }
    type2=(size_t) test_min(type1,BUFFER_SIZE);
    printf("size of (size_t)type2 = %d\n",(int)type2);
    strncpy(buffer,argv[1],type2); /* stack overflow occurs here */
    printf("data output = %s\n",buffer);
    return 0;
}

Output 1 - Normal
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello

Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)

Walkthrough of the listing:
declare variables (signed type, unsigned type, static buffer)
get the size of the user input data, then print the size
check the size of the user input data (code to prevent buffer overflow)
copy the user input data to the buffer, then print the user input data
if a signed variable stores a large value, an integer overflow occurs (the outputs were produced on a 32-bit build, where off_t is 32 bits wide and 999999999999999 truncates to -1530494977)
because type2 has been set to a negative number, the code that prevents the buffer overflow is bypassed
as a result, a stack buffer overflow occurs
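The root cause in the listing above is a signed-versus-unsigned confusion around test_min, and the value -1530494977 in Output 2 is exactly what 999999999999999 becomes when it is stored in a 32-bit off_t. The example below is added here and is not the deck's code: truncate_to_off32, naive_copy_len and checked_copy_len are hypothetical helper names. It reproduces the truncation, shows the length the slide's check would hand to strncpy, and contrasts it with a check that rejects negative lengths before any cast to size_t.

```c
#include <stdint.h>
#include <stdio.h>

#define BUFFER_SIZE 4096
/* The slide's macro: a plain min that knows nothing about signedness. */
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))

/* What a 32-bit off_t does with 999999999999999: only the low 32 bits survive.
 * The reduction to uint32_t is defined by the standard; the signed
 * reinterpretation wraps on every mainstream compiler. */
int32_t truncate_to_off32(int64_t v)
{
    return (int32_t)(uint32_t)v;
}

/* The slide's length check as a function. A negative len is "smaller" than
 * BUFFER_SIZE, wins the comparison, and the cast to size_t produces an
 * enormous count for strncpy. */
size_t naive_copy_len(int32_t len)
{
    return (size_t)test_min(len, BUFFER_SIZE);
}

/* Hardened check: reject negatives before any unsigned conversion, then clamp.
 * Returns the clamped length, or -1 when the input is rejected. */
long checked_copy_len(int64_t len, size_t cap)
{
    if (len < 0) return -1;                  /* the sign check the slide lacks */
    if ((uint64_t)len > cap) return (long)cap;
    return (long)len;
}

int main(void)
{
    int32_t t = truncate_to_off32(999999999999999LL);
    printf("999999999999999 in a 32-bit off_t = %d\n", t);
    printf("naive length handed to strncpy    = %zu\n", naive_copy_len(t));
    printf("checked length                    = %ld\n", checked_copy_len(t, BUFFER_SIZE));
    return 0;
}
```

The hardened version also clamps the untruncated 64-bit value to BUFFER_SIZE, so a large but positive length is bounded rather than rejected.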
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 1. Collect information about the variables

(columns: variable type, variable name, detail info)

src/http/ngx_http.h, structure ngx_http_chunked_s / ngx_http_chunked_t (no function):
    ngx_uint_t             state
    off_t                  size               signed type
    off_t                  length             signed type
    /* other variables were omitted */
src/http/ngx_http_request_body.c, function ngx_http_read_discarded_request_body(ngx_http_request_t *r):
    size_t                 size               unsigned type
    u_char                 buffer[4096]       fixed buffer
    /* other variables were omitted */
src/http/ngx_http_request.h, structure ngx_http_request_s (no function):
    ngx_http_header_in_t   headers_in         struct pointer
    ngx_http_header_out_t  headers_out        struct pointer
    /* other variables were omitted */
src/http/ngx_http_request.h, structure ngx_http_header_in_t (no function):
    off_t                  content_length_n   signed type
    /* other variables were omitted */
src/http/ngx_http_request.h, structure ngx_http_header_out_t (no function):
    off_t                  content_length_n   signed type
    /* other variables were omitted */
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code

[ src/http/modules/ngx_http_static_module.c ]
static ngx_int_t
ngx_http_static_handler(ngx_http_request_t *r)
{
    u_char *last, *location;
    size_t root, len;
    ngx_str_t path;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    if (r->method & NGX_HTTP_POST) {
        return NGX_HTTP_NOT_ALLOWED;
    }
    rc = ngx_http_discard_request_body(r);
    if (rc != NGX_OK) {
        return rc;
    }
    log->action = "sending response to client";
    r->headers_out.status = NGX_HTTP_OK;
    r->headers_out.content_length_n = of.size;
    r->headers_out.last_modified_time = of.mtime;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/

ngx_http_discard_request_body( ) was called
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code

[ src/http/ngx_http_request_body.c ]
ngx_int_t
ngx_http_discard_request_body(ngx_http_request_t *r)
{
    ssize_t size;
    ngx_int_t rc;
    ngx_event_t *rev;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
        return NGX_OK;
    }
    size = r->header_in->last - r->header_in->pos;
    if (size || r->headers_in.chunked) {
        rc = ngx_http_discard_request_body_filter(r, r->header_in);
        if (rc != NGX_OK) {
            return rc;
        }
        if (r->headers_in.content_length_n == 0) {
            return NGX_OK;
        }
    }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/

The function checks for chunked data in the header (r->headers_in.chunked); when it is present, ngx_http_discard_request_body_filter( ) was called.
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code

static ngx_int_t
ngx_http_discard_request_body_filter(ngx_http_request_t *r, ngx_buf_t *b)
{
    size_t size;
    ngx_int_t rc;
    ngx_http_request_body_t *rb;
    if (r->headers_in.chunked) {
        rb = r->request_body;
        /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
        for ( ;; ) {
            rc = ngx_http_parse_chunked(r, b, rb->chunked);
            if (rc == NGX_OK) {
                /* a chunk has been parsed successfully */
                size = b->last - b->pos;
                if ((off_t) size > rb->chunked->size) {
                    b->pos += rb->chunked->size;
                    rb->chunked->size = 0;
                } else {
                    rb->chunked->size -= size;
                    b->pos = b->last;
                }
                continue;
            }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/

ngx_http_parse_chunked( ) was called; that function contains the integer overflow vulnerability.
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code

ngx_int_t
ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
    ngx_http_chunked_t *ctx)
{
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    for (pos = b->pos; pos < b->last; pos++) {
        ch = *pos;
        /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
        switch (state) {
        case sw_chunk_start:
            if (ch >= '0' && ch <= '9') {
                state = sw_chunk_size;
                ctx->size = ch - '0';
                break;
            }
            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                state = sw_chunk_size;
                ctx->size = c - 'a' + 10;
                break;
            }
            goto invalid;
        case sw_chunk_size:
            if (ch >= '0' && ch <= '9') {
                ctx->size = ctx->size * 16 + (ch - '0');
                break;
            }
            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                ctx->size = ctx->size * 16 + (c - 'a' + 10);
                break;
            }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/

If ctx->size already holds a high number, the next ctx->size = ctx->size * 16 + @ step causes an integer overflow, so ctx->size can be misinterpreted as a negative number.

src/http/ngx_http.h, structure ngx_http_chunked_s / ngx_http_chunked_t (no function):
    ngx_uint_t  state
    off_t       size     signed type
    off_t       length   signed type
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code

        switch (state) {
        /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
        case sw_chunk_size:
            if (ch >= '0' && ch <= '9') {
                ctx->size = ctx->size * 16 + (ch - '0');
                break;
            }
            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                ctx->size = ctx->size * 16 + (c - 'a' + 10);
                break;
            }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
data:
    ctx->state = state;
    b->pos = pos;
    switch (state) {
    case sw_chunk_start:
        ctx->length = 3 /* "0" LF LF */;
        break;
    case sw_chunk_size:
        ctx->length = 2 /* LF LF */
                      + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */ : 0);
        break;
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/

ctx->length is then computed from the negative ctx->size and also stores a negative number (size and length are both off_t, a signed type, in ngx_http_chunked_s / ngx_http_chunked_t, src/http/ngx_http.h).
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code

    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    for ( ;; ) {
        rc = ngx_http_parse_chunked(r, b, rb->chunked);
        if (rc == NGX_OK) {
            /* a chunk has been parsed successfully */
            /*~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
            continue;
        }
        if (rc == NGX_DONE) {
            /* a whole response has been parsed successfully */
            r->headers_in.content_length_n = 0;
            break;
        }
        if (rc == NGX_AGAIN) {
            /* set amount of data we want to see next time */
            r->headers_in.content_length_n = rb->chunked->length;
            break;
        }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/

In the NGX_AGAIN branch r->headers_in.content_length_n takes the negative value of rb->chunked->length.

src/http/ngx_http_request.h:
    ngx_http_header_in_t   off_t  content_length_n   signed type
    ngx_http_header_out_t  off_t  content_length_n   signed type
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code

    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/
    if (r->headers_in.content_length_n <= 0 && !r->headers_in.chunked) {
        return NGX_OK;
    }
    size = r->header_in->last - r->header_in->pos;
    if (size || r->headers_in.chunked) {
        rc = ngx_http_discard_request_body_filter(r, r->header_in);
        if (rc != NGX_OK) {
            return rc;
        }
        if (r->headers_in.content_length_n == 0) {
            return NGX_OK;
        }
    }
    rc = ngx_http_read_discarded_request_body(r);
    if (rc == NGX_OK) {
        r->lingering_close = 0;
        return NGX_OK;
    }
    if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
        return rc;
    }
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/

Back in ngx_http_discard_request_body( ), ngx_http_read_discarded_request_body( ) is called; that function contains the stack-based overflow vulnerability. The content_length_n <= 0 check at the top ran before the filter made the value negative, and only == 0 is tested afterwards, so the negative value is never rejected.
nginx 1.4.0 Stack Buffer Overflow (CVE-2013-2028)
Step 2. Step by step, analyze the source code

static ngx_int_t
ngx_http_read_discarded_request_body(ngx_http_request_t *r)
{
    size_t size;
    ssize_t n;
    ngx_int_t rc;
    ngx_buf_t b;
    u_char buffer[NGX_HTTP_DISCARD_BUFFER_SIZE];
    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "http read discarded body");
    ngx_memzero(&b, sizeof(ngx_buf_t));
    b.temporary = 1;
    for ( ;; ) {
        if (r->headers_in.content_length_n == 0) {
            r->read_event_handler = ngx_http_block_reading;
            return NGX_OK;
        }
        if (!r->connection->read->ready) {
            return NGX_AGAIN;
        }
        size = (size_t) ngx_min(r->headers_in.content_length_n,
                                NGX_HTTP_DISCARD_BUFFER_SIZE);
        n = r->connection->recv(r->connection, buffer, size);
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~ was omitted*/

#define ngx_min(val1, val2) ((val1 > val2) ? (val2) : (val1))

r->headers_in.content_length_n has already been set to a negative number. ngx_min compares it as a signed value, so the negative number is "smaller" than NGX_HTTP_DISCARD_BUFFER_SIZE and is selected; the cast to size_t then turns it into a huge count for recv(). As a result, the code that prevents the buffer overflow is bypassed.

Stack layout during the call:
    buffer[4096]
    EBP
    EIP

The chunked data is copied into buffer by recv(). If the chunked data is bigger than 4096 bytes, the copy continues past buffer over EBP and EIP (the rows of AAAAAAAAAA in the slide's figure): a stack buffer overflow occurs.
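The overflow that starts this chain is the unchecked ctx->size = ctx->size * 16 + digit accumulation on the preceding slides. The following added example (not nginx code and not from the deck; chunked_ctx, MAX_OFF_T, MAX_CHUNK_SIZE, accumulate_hex_digit, parse_chunk_size, parsed_size and parsed_length are hypothetical names) parses a chunk-size token the same way but refuses any digit that would push the signed size out of range, so the derived length of 2 + size + 4 can never become negative and a negative content_length_n never reaches ngx_min.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the upper bound of the signed off_t range. */
#define MAX_OFF_T INT64_MAX
/* Largest chunk size accepted: leaves room for the "+ 4 + 2" framing bytes the
 * slide's `data:` label adds when it computes ctx->length. */
#define MAX_CHUNK_SIZE (MAX_OFF_T - 6)

typedef struct {
    int64_t size;    /* off_t in nginx: signed */
    int64_t length;  /* off_t in nginx: signed */
} chunked_ctx;

/* One step of the slide's sw_chunk_size state, with the guard it lacks: the
 * multiply is refused when size*16 + digit could exceed MAX_CHUNK_SIZE.
 * Returns 0 when the digit is folded in, -1 on overflow, -2 if ch is not hex. */
int accumulate_hex_digit(chunked_ctx *ctx, unsigned char ch)
{
    int digit;
    unsigned char c = (unsigned char)(ch | 0x20);
    if (ch >= '0' && ch <= '9')     digit = ch - '0';
    else if (c >= 'a' && c <= 'f')  digit = c - 'a' + 10;
    else return -2;

    /* size*16 + digit <= MAX  <=>  size <= (MAX - digit) / 16, evaluated without overflow */
    if (ctx->size > (MAX_CHUNK_SIZE - digit) / 16) return -1;
    ctx->size = ctx->size * 16 + digit;
    return 0;
}

/* Parses a chunk-size token of n hex digits and derives the remaining length
 * the same way the slide does (2 + (size ? size + 4 : 0)). Because size is
 * bounded, length can never go negative. Returns 0, the error code of the
 * failing digit, or -3 for an empty token. */
int parse_chunk_size(const char *s, size_t n, chunked_ctx *ctx)
{
    ctx->size = 0;
    ctx->length = 0;
    if (n == 0) return -3;
    for (size_t i = 0; i < n; i++) {
        int rc = accumulate_hex_digit(ctx, (unsigned char)s[i]);
        if (rc != 0) return rc;
    }
    ctx->length = 2 + (ctx->size ? ctx->size + 4 : 0);
    return 0;
}

/* Convenience wrappers: the parsed size / derived length, or -1 on any error. */
int64_t parsed_size(const char *s)
{
    chunked_ctx ctx;
    return parse_chunk_size(s, strlen(s), &ctx) == 0 ? ctx.size : -1;
}

int64_t parsed_length(const char *s)
{
    chunked_ctx ctx;
    return parse_chunk_size(s, strlen(s), &ctx) == 0 ? ctx.length : -1;
}

int main(void)
{
    /* constructed tokens: two ordinary sizes, the largest accepted, one that would wrap, one invalid */
    const char *samples[] = { "1a", "ffff", "7ffffffffffffff0", "8000000000000000", "zz" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s size=%lld length=%lld\n", samples[i],
               (long long)parsed_size(samples[i]), (long long)parsed_length(samples[i]));
    return 0;
}
```

The guard is computed as a division rather than a multiplication so that the comparison itself cannot overflow; the token "8000000000000000", which would flip the sign bit of a 64-bit size, is rejected at its last digit.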
Reverse Engineering
Some software code bases are so large that their scope can hardly be imagined; ridiculous, but possible
It is hard to find vulnerabilities with reverse engineering and dynamic analysis, but they can find unique bugs that a fuzzer usually won't find
Be specific with the big picture first
    Call graphs / System calls / Associated data
Then dive into smaller parts
    Recognize well-known routines
    e.g. crypto (RC4, RSA, etc.), memcpy, strcpy, etc.
The amount of code to examine can be reduced by using a script.

#include <stdio.h>
void code1(void)
{
    printf("code1\n");
}
void code2(void)
{
    printf("code2\n");
}
int main(void)
{
    printf("hello world\n");
    code1();
    code2();
    return 0;
}

Call flow
Debugging with a script
Fuzzing
Throw random bits at the program and see if it handles them
Popular robustness testing mechanism for software
Fast and effective
Easy to implement
Two types of fuzzing
    Dumb Fuzzing
    Smart Fuzzing
Specific Targets for Fuzzing
File Format (File Fuzzing)
Network Protocol (Network Fuzzing)
ActiveX (ActiveX Fuzzing)
Browser (Browser Fuzzing)
Etc.
Type of Fuzzing - Dumb Fuzzing
Dumb Fuzzing
Based on mutation
Little or no knowledge of the structure of the inputs is assumed
Most of the input data are invalid
Anomalies may be completely random or follow some heuristics
Anomalies are added to existing valid inputs
Example: m3u, pls, asx, etc.
Dumb fuzzing sample
File Format
    [AAAAAAA....AAAA]
    [normal data] + [AAAAAAA....AAAA]
    [header] + [AAAAAAA....AAAA] + [eof]
    Mutated normal file
Network Protocol
    GET /AAAAAAA....AAAA.html HTTP/1.1
    AAAAAAA....AAAA /indext.html HTTP/1.1
    GET /index.html HTTTTTTTTTTTTTTTP/1.1
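A dumb fuzzer is little more than the mutation rules listed above plus a loop. The example below is added here and is not from the deck: mutate, fuzz, toy_target and next_rand are hypothetical names, and toy_target stands in for the parser being tested. It implements the three anomaly shapes shown on this slide (bit flips in a valid input, a trailing run of A's, a run of A's inserted mid-input) with a deterministic generator, so that any input that misbehaves can be regenerated from its seed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* xorshift32: deterministic, so any input that upsets the target can be
 * regenerated from the seed value. */
static uint32_t next_rand(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Mutates `in` into `out` (capacity cap) with the three anomaly shapes the
 * slide lists: random bit flips, "[normal data] + [AAAA...]", and a run of
 * 'A' inserted at a random offset (GET /AAAA....html). Returns the mutant's
 * length, never more than cap. */
size_t mutate(const uint8_t *in, size_t n, uint8_t *out, size_t cap, uint32_t *rng)
{
    size_t len = n < cap ? n : cap;
    memcpy(out, in, len);
    switch (next_rand(rng) % 3) {
    case 0: {                                   /* bit flips */
        int flips = 1 + (int)(next_rand(rng) % 4);
        for (int i = 0; i < flips && len > 0; i++)
            out[next_rand(rng) % len] ^= (uint8_t)(1u << (next_rand(rng) % 8));
        return len;
    }
    case 1: {                                   /* append a run of 'A' */
        size_t run = next_rand(rng) % (cap - len + 1);
        memset(out + len, 'A', run);
        return len + run;
    }
    default: {                                  /* insert a run of 'A' mid-input */
        size_t at  = len ? next_rand(rng) % len : 0;
        size_t run = next_rand(rng) % (cap - len + 1);
        memmove(out + at + run, out + at, len - at);
        memset(out + at, 'A', run);
        return len + run;
    }
    }
}

/* Harness: generates `iters` mutants of one seed input and hands each to the
 * target. Returns how many mutants the target rejected. In a real campaign the
 * target is the parser under test, run under a debugger or sanitizer, and the
 * rng seed of every crashing iteration is logged for reproduction. */
size_t fuzz(const uint8_t *seed, size_t n, int (*target)(const uint8_t *, size_t),
            uint32_t rng_seed, size_t iters)
{
    uint8_t buf[512];
    uint32_t rng = rng_seed ? rng_seed : 1;     /* xorshift must not start at 0 */
    size_t rejected = 0;
    for (size_t i = 0; i < iters; i++) {
        size_t m = mutate(seed, n, buf, sizeof buf, &rng);
        if (target(buf, m) != 0) rejected++;
    }
    return rejected;
}

/* Constructed toy target standing in for the server code under test: accepts a
 * request line only when it starts with "GET " and fits in 64 bytes. */
int toy_target(const uint8_t *p, size_t n)
{
    if (n < 4 || n > 64) return 1;
    return memcmp(p, "GET ", 4) == 0 ? 0 : 1;
}

int main(void)
{
    const char *seed = "GET /index.html HTTP/1.1";   /* constructed valid input */
    size_t rejected = fuzz((const uint8_t *)seed, strlen(seed), toy_target, 7, 1000);
    printf("%zu of 1000 mutants rejected by the target\n", rejected);
    return 0;
}
```

Every mutant stays within the output buffer's capacity by construction, which is the property the harness itself must have if it is not to become the crashing component.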
Type of Fuzzing - Smart Fuzzing
Smart Fuzzing
Based on generation
Knowledge of the structure of the inputs is needed
Test cases are generated from some description of the format
    RFCs, documents
Consideration of data structures such as offsets and checksums
Smart fuzzing sample
File Format
Consideration of data structure or relations
Variety of attack vectors: length, offset, object, etc.
Use an 010 Editor binary template (free binary templates for *.bmp, *.zip, *.wav)

Template layout (figure): [int][int][int][flag] / [int length][string] / [data] / [int][int][int][int] / [data]
Smart fuzzing sample
Network Protocol
Consideration of data structure or relations
Variety of attack vectors: host, content-length, etc.

    POST index.html HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip deflate
    User-Agent: Mozilla/4.0
    Content-Length: 100
    HOST: localhost:8080
Smart fuzzing sample
ActiveX
Parameter extraction
Input data to parameter: big data, invalid data, etc.
Generate an HTML document

classID                                 parameter  value
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  A          String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  B          String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  C          String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  D          Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  E          Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  F          String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  G          Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  H          Integer
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  I          String
{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}  J          String
Smart fuzzing sample
Browser
Take the W3C specification
Group together (methods / attributes / properties)
Replace input values with getRandomValue( )

<html>
<head>
<script>
var gl = document.createElement("canvas").getContext('experimental-webgl')
var texture = gl.createTexture()
gl.bindTexture(gl.TEXTURE_2D, texture)
gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 256, 256, 0, gl.RGBA, gl.UNSIGNED_BYTE, null)
gl.texSubImage2D(gl.TEXTURE_2D, 0, 0, 0x7fffff00, 256, 256, gl.RGBA, gl.UNSIGNED_BYTE, new Uint8Array(256 * 256 * 4))
</script>
</head>
</html>
CVE-2012-2896
Phase 3. Crash
5 Types of Crash
Read Access Violation near NULL
Read Access Violation not near NULL
Write Access Violation near NULL
Write Access Violation not near NULL
Unknown
What is an Exploitable Crash?
    mov eax,dword ptr [esi+0Ch]
    mov eax,dword ptr [ecx]
    mov edx,dword ptr [eax+5Ch]
    call edx