SlideShare une entreprise Scribd logo

Reverse engineering – debugging fundamentals

Eran Goldstein
Eran Goldstein

Reverse engineering – debugging fundamentals

Technologie
1  sur  6
Télécharger pour lire hors ligne
Reverse Engineering – Debugging Fundamentals The debugger concept and purpose is to test and troubleshoot another written program. Whether the debugger is a simple script, tool or a more complex computer program the idea is to utilize it in order see and verify the functionality of the “target” program / application in such a form that one can see and understand via the debugger what is happening while the “target” program / application runs and especially when it stops. The “target” program’s / application’s code that is examined (by the debugger) might al-ternatively be running on an Instruction Set Simulator (ISS). The ISS is a certain form of tech-nique that gives the ability to halt when specific conditions are encountered but which will typically be somewhat slower than executing the code di-rectly on the appropriate (or the same) processor. When the “target” program / application reach-es a running condition or when the program can-not normally continue due to a programming bug (what is commonly known as a “crash”) the debug-ger typically shows the location in the original code whether it is a source-level debugger (which gives the line or expression within the source code that resulted from the debugger’s actions.) or symbolic debugger (which displays procedure and variable names that are stored in the debugger). The Various Debuggers There are many debuggers available for the pur-pose in question, among the more common names are; WinDbg, Valgrind, LLDB Debugger, GNU De-bugger (GDB), Immunity Debugger, OllyDbg and many more. As the list is quite long and this ar-ticle’s purpose is to focus on the fundamentals of the debugger concept we’ll put an emphasis on three debugger types this time: The immunity De-bugger, WinDbg and OllyDbg. The first is the Immunity Debugger. This debug-ger has both interfaces types; the GUI and a com-mand line. The command line can be seen at all times on the bottom of the GUI. The Immunity De-bugger can write exploits, analyze malware, and reverse engineer binary files. The base platform of this tool is a solid user interface with graphing function and a fine analysis tool built especially for heap creation. This debugger has a well-support-ed Python API on top of its other features. The second debugger we’ll review is the WinDbg – this is a multipurpose tool for Microsoft’s Win-dows operation system. The WinDbg can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. The third and last debugger tool we’ll review is the OllyDbg. This is an x86 debugger who can trace reg-isters, recognizes procedures, API calls, switches, tables, constants and strings, as well as locate rou-tines from object files and libraries. The main focus for this debugger is the binary code analysis which is useful when the source code is unavailable. Launching the environment Pre-Requisites • Microsoft windows XP/Vista/7 machine. • Immunity Debugger – http://debugger.immuni-tyinc. com/ 50 02/2013
EXTRA • Vulnerable FTP Server – http://frogteam.go-zure. com/FTP-Server.zip • FTP Fuzzer – http://frogteam.gozure.com/ Infigo.zip In this section we’ll show the basic actions re-quired to work with the debugger. Prior to starting this section please note that you’ll need to estab-lish the environment based on the pre-requisites listed above. Once you’ve completed the relevant actions you should have a windows machine with all the files from the links above, and you have in-stalled the Immunity Debugger which we will be used during this section. Once the machine is up and running, you may launch the Immunity Debugger. Immunity Debugger is a debugger with function-ality designed specifically for the security industry. Once the Immunity Debugger is up and running as can be seen in the image below we can start our FTP Server and then attach the Immunity De-bugger to the FTP Server process (Figure 1). In order to attach the Immunity Debugger to the FTP Server process we’ll need to perform the fol-lowing actions: • On Windows machine, extract the ‘FTP-Server. zip’ compressed file you’ve downloaded. • Double-click on ‘FTPServer.exe’ to start the FTP Server. • Return to the Immunity Debugger and click on File -> Attach (or Ctrl+F1) • On the Process list, select the “FTPServer” (TCP: 21) and click on the Attach button. When you attach the debugger to a running pro-cess it will pause. In the Immunity Debugger up-per bar, you can resume the process by click the “Play” button or create a new thread by choos-ing the “Restart” button and then the “Play” button (Figure 2 and Figure 3). In order to connect and authenticate the FTP Server simply flow up on the standard procedure and type the relevant username and password (e.g. user credentials). One should assume that these variables need to be passed from the client to the server and there-fore, the program needs to store them somehow Figure 1. Immunity Debugger Started Figure 2. Attaching the “FTPServer” Process Figure 3. New thread Created and FTPServer is Ready for Connections Figure 4. Connect and Authenticate to the FTP Server www.hakin9.org/en 51
in memory. For our analysis we need to ask our-selves the following questions: • What kind of information it should contain (user info, program info, etc...)? • Which type of data they are able to accept (In-teger, String, etc...)? • How many characters should there be (there is a chance for Buffer-Overflow)? • Are there any characters that the variables should ignore (Bad-Characters)? In order to find these answers, we need to find a vulnerable FTP function or command- this can be done automatically or manually. For an easy start (which will save time) it is sometimes recom-mended to use automated tools. Once a “buffer-overflow” vulnerability exists, we have to find the amount of “junk data” that, when sent to the appli-cation, will overwrite the register. Stack-based buffer overflows techniques Users may exploit stack-based buffer overflows to manipulate the program to their advantage in one of the following ways: • By overwriting a local variable which is near the memory‘s buffer on the stack to change the behavior of the program which may benefit the attacker. • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as it was specified by the at-tacker. Usually a user’s input fills the buffer. • By overwriting a function pointer, or exception handler, which is subsequently executed. With a method called trampolining, if the address the user-supplied is listed as data unknown and the location will still be stored in a register, then the return address can be overwritten with the ad-dress of an opcode (operation code, a part of a language instruction that specifies the operation which will be performed) – this will cause the exe-cution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause ex-ecution of user supplied data. The locations of suit-able opcodes, or bytes in memory, can be found in DLLs or the executable itself. Please note that the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. Security Fuzzer Another important term is the fuzzer. Security Fuzzer is a tool used by security professionals and profes-sional hackers to test a parameter of an application. Typical fuzzers test an application for buffer over-flows, format string vulnerabilities, and error handling. Both fuzzer and debugger work together to de-tect security problems on a system, and it’s soft-ware. The fuzzer provides invalid, unexpected, or random data to the inputs of the target program and then monitors for exceptions such as failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test and exploit development tools. More advanced fuzzers incorporate function-alities to test for directory traversal attacks, com- Figure 5.*OñHP'514USFTT'V[[FSW Figure 6. FTPStress Fuzzer Detected the Vulnerable Commands 52 02/2013
EXTRA mand execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Infigo FTPStress Fuzzer is a specific fuzzer for finding vulnerabilities in FTP server products. Al-though it is a simple tool, it has proved its efficiency by the number of vulnerabilities discovered in dif-ferent FTP server software tested with this tool. The parameters which are used for the fuzzing process are configurable. User can precisely de-fine which FTP commands will be fuzzed along with the size and type of the fuzzing data. On the windows machine from before we’ll acti-vate the “Infigo FTPStress Fuzzer” and try to crash the FTP server: • Extract the ‘Infigo.zip’ compressed file you’ve downloaded. • Double-click on the ‘ftpfuzz.exe’ file. You can try to crash the FTP Server from any oth-er external machine and to perform this step us-ing instance of ftpfuzz.exe running on deferent computer (Figure 5). Once The Fuzzer is up we’ll need to find the commands that are supported by the FTP server: • Enter the IP Address of the computer Host on which the FTP server is running (e.g. 127.0.0.1). • Next, click on Discover button. FTP Fuzzer detected the FTP commands sup-ported by FTP server. See example in Figure 6. Next we need to examine the behavior of these commands while sending “junk data”, Therefore we will configure the amount of “junk data” we want to send to the FTP server: • Click on Config button • On the configuration window, go to Fuzzing da-ta tab and click Deselect All • Check the “A” letter and then click on OK. Figure 7. FTPStress Fuzzer Configuration Window Figure 8. The Outcome Can Be Seen as the FTP Server Has Crashed Table 1.YQFDUFE3FTQPOTFJTi3$7u Total FTP commands: 2 FTP commands to fuzz: 2 Number of Fuzz tests: 26 [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 30 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 70 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood www.hakin9.org/en 53
Assuming your Infigo Fuzzer looks like the im-age below, the fuzzing process can start. Click on Start button (Figure 7). The outcome can be seen as the FTP Server has crashed (Figure 8). The Analysis Phase In this section we’ll review on the procedure of an-alyzing the log data. The normal flow of the fuzzer is to connect to the target FTP Server, get the 220 Hello Message and then, send the “A”s junk data in different amounts (1 “A” = 1 Byte) each time fol-lowed by the “FEAT” command, while the expected response is RECV: 500 (Table 1). In order to understand what actually happened in the memory process, we can look at the diagram on the next page (Table 2). Next we can observe that after 330 bytes of junk data sent the FTP fuzzer was not able to receive 520 bytes of junk data and disconnected. This indicates that if we send junk data of a size between 330 and 520 bytes, the FTP server will crash (Table 3). Now, that we know the amount of junk bytes to send to overwrite EIP register we’ll try to find the exact amount of data that will overwrite EIP register. The Following Table Describes What Actually Happened in the Process Memory (Table 4). After examining the FTP Fuzzer log we can return to Immunity Debugger and see what happened to the process during the fuzzing test (Figure 9). In the Immunity Debugger main window we can see that our x41 (“A”s) floods the memory stack until the EIP register and modified the address so it’s x41x41x41x41 (“AAAA”) as can be seen in the “Registers window” – this helped us find the “JMP” but leads to an access violation as we can see in the Immunity Debugger status bar. Table 2. #ZUFTPGKVOLEBUB Table 3. The crash of ftp server [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 330 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 520 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 700 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 1400 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). 54 02/2013
EXTRA To summarize our actions, we’ve found a stack-based buffer overflow in the FTP Server. In order to better understand the procedure we need to modify the exact register (4 bytes EIP in that case) with JMP value so we are able to hit an accessible register. In the upcoming articles we’ll learn how to write our first exploit test script that will help us to control the data we send to the target. ERAN GOLDSTEIN Eran Goldstein is the founder of Frogteam|Security, a cyber securi-ty vendor company in USA and Israel. He is also the creator and developer of “Total Cyber Security – TCS” product line. Eran Goldstein is a senior cyber security expert and a software devel-oper with over 10 years of experience. He specializes at penetration testing, reverse engineering, code reviews and application vulnerability assessments. Eran has a vast experience in leading and tutoring courses in appli-cation security, software analysis and secure develop-ment as EC-Council Instructor (C|EI). For more informa-tion about Eran and his company you may go to: http:// www.frogteam-security.com. Table 4.#ZUFTPGKVOLEBUB Figure 9. Examine the Buffer Overflow Immunity Debugger www.hakin9.org/en 55

Recommandé

Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
Hacking ingress
Hacking ingressHacking ingress
Hacking ingressEran Goldstein
 
Anti Debugging
Anti DebuggingAnti Debugging
Anti Debuggingn|u - The Open Security Community
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsD4rk357 a
 
Secure Ftp Java Style Rev004
Secure Ftp Java Style Rev004Secure Ftp Java Style Rev004
Secure Ftp Java Style Rev004Rich Helton
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
 

Recommandé

Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
Hacking ingress
Hacking ingressHacking ingress
Hacking ingressEran Goldstein
 
Anti Debugging
Anti DebuggingAnti Debugging
Anti Debuggingn|u - The Open Security Community
 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsD4rk357 a
 
Secure Ftp Java Style Rev004
Secure Ftp Java Style Rev004Secure Ftp Java Style Rev004
Secure Ftp Java Style Rev004Rich Helton
 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
 
C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalRich Helton
 
Bypassing anti virus scanners
Bypassing anti virus scannersBypassing anti virus scanners
Bypassing anti virus scannersmartacax
 
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...Infinum
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010Rich Helton
 
Analysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSAnalysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSPVS-Studio
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of AndroidTetsuyuki Kobayashi
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7Nutan Kumar Panda
 
Debugging over tcp and http
Debugging over tcp and httpDebugging over tcp and http
Debugging over tcp and httpKaniska Mandal
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!Rodolpho Concurde
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialAnup Singh
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?Rouven Weßling
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014Martin Hron
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart FrogSteve Loughran
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Ishan Girdhar
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4Nutan Kumar Panda
 
Slmail Buffer Overflow
Slmail Buffer OverflowSlmail Buffer Overflow
Slmail Buffer OverflowEric alleshouse
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflowEric alleshouse
 
Ss debuggers
Ss debuggersSs debuggers
Ss debuggerssweety enit
 
Introduction to system programming
Introduction to system programmingIntroduction to system programming
Introduction to system programmingsonalikharade3
 

Contenu connexe

Tendances

C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalRich Helton
 
Bypassing anti virus scanners
Bypassing anti virus scannersBypassing anti virus scanners
Bypassing anti virus scannersmartacax
 
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...Infinum
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010Rich Helton
 
Analysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSAnalysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSPVS-Studio
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of AndroidTetsuyuki Kobayashi
 
Debugging over tcp and http
Debugging over tcp and httpDebugging over tcp and http
Debugging over tcp and httpKaniska Mandal
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!Rodolpho Concurde
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialAnup Singh
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?Rouven Weßling
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014Martin Hron
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart FrogSteve Loughran
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Ishan Girdhar
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflowEric alleshouse
 

Tendances (20)

C#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 FinalC#Web Sec Oct27 2010 Final
C#Web Sec Oct27 2010 Final
 
Bypassing anti virus scanners
Bypassing anti virus scannersBypassing anti virus scanners
Bypassing anti virus scanners
 
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
Android Meetup Slovenia #5 - Don't go crashing my heart by Zeljko Plesac, Inf...
 
Intro Java Rev010
Intro Java Rev010Intro Java Rev010
Intro Java Rev010
 
Analysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMSAnalysis of bugs in Orchard CMS
Analysis of bugs in Orchard CMS
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
 
Backtrack Manual Part7
Backtrack Manual Part7Backtrack Manual Part7
Backtrack Manual Part7
 
Debugging over tcp and http
Debugging over tcp and httpDebugging over tcp and http
Debugging over tcp and http
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitPenetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
 
From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!
 
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit TutorialJAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
JAVASCRIPT TDD(Test driven Development) & Qunit Tutorial
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
 
Backtrack Manual Part4
Backtrack Manual Part4Backtrack Manual Part4
Backtrack Manual Part4
 
Slmail Buffer Overflow
Slmail Buffer OverflowSlmail Buffer Overflow
Slmail Buffer Overflow
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Vulnserver bufferoverflow
Vulnserver bufferoverflowVulnserver bufferoverflow
Vulnserver bufferoverflow
 

Similaire à Reverse engineering – debugging fundamentals

Introduction to system programming
Introduction to system programmingIntroduction to system programming
Introduction to system programmingsonalikharade3
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
CSO Laboratory Manual
CSO Laboratory ManualCSO Laboratory Manual
CSO Laboratory ManualDwight Sabio
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET Journal
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Parallel port programming
Parallel port programmingParallel port programming
Parallel port programmingmangal das
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Debuggers in system software
Debuggers in system softwareDebuggers in system software
Debuggers in system softwaregayathri ravi
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterSquashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterAvi Sharma
 
Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)IIUI
 
UNIT 3.1 INTRODUCTON TO IDA.ppt
UNIT 3.1 INTRODUCTON TO IDA.pptUNIT 3.1 INTRODUCTON TO IDA.ppt
UNIT 3.1 INTRODUCTON TO IDA.pptManjuAppukuttan2
 

Similaire à Reverse engineering – debugging fundamentals (20)

Ss debuggers
Ss debuggersSs debuggers
Ss debuggers
 
Introduction to system programming
Introduction to system programmingIntroduction to system programming
Introduction to system programming
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
IDAPRO
IDAPROIDAPRO
IDAPRO
 
computing networks and operating system
computing networks and operating system computing networks and operating system
computing networks and operating system
 
Presentation1
Presentation1Presentation1
Presentation1
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CSO Laboratory Manual
CSO Laboratory ManualCSO Laboratory Manual
CSO Laboratory Manual
 
IRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable SoftwareIRJET- Development of Uncrackable Software
IRJET- Development of Uncrackable Software
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Fuzz
FuzzFuzz
Fuzz
 
Parallel port programming
Parallel port programmingParallel port programming
Parallel port programming
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Debuggers in system software
Debuggers in system softwareDebuggers in system software
Debuggers in system software
 
E.s unit 6
E.s unit 6E.s unit 6
E.s unit 6
 
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterSquashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter
 
Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)Lecture 11 understanding requirements (3)
Lecture 11 understanding requirements (3)
 
UNIT 3.1 INTRODUCTON TO IDA.ppt
UNIT 3.1 INTRODUCTON TO IDA.pptUNIT 3.1 INTRODUCTON TO IDA.ppt
UNIT 3.1 INTRODUCTON TO IDA.ppt
 

Dernier

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Dernier (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

Reverse engineering – debugging fundamentals

  • 1. Reverse Engineering – Debugging Fundamentals The debugger concept and purpose is to test and troubleshoot another written program. Whether the debugger is a simple script, tool or a more complex computer program the idea is to utilize it in order see and verify the functionality of the “target” program / application in such a form that one can see and understand via the debugger what is happening while the “target” program / application runs and especially when it stops. The “target” program’s / application’s code that is examined (by the debugger) might al-ternatively be running on an Instruction Set Simulator (ISS). The ISS is a certain form of tech-nique that gives the ability to halt when specific conditions are encountered but which will typically be somewhat slower than executing the code di-rectly on the appropriate (or the same) processor. When the “target” program / application reach-es a running condition or when the program can-not normally continue due to a programming bug (what is commonly known as a “crash”) the debug-ger typically shows the location in the original code whether it is a source-level debugger (which gives the line or expression within the source code that resulted from the debugger’s actions.) or symbolic debugger (which displays procedure and variable names that are stored in the debugger). The Various Debuggers There are many debuggers available for the pur-pose in question, among the more common names are; WinDbg, Valgrind, LLDB Debugger, GNU De-bugger (GDB), Immunity Debugger, OllyDbg and many more. As the list is quite long and this ar-ticle’s purpose is to focus on the fundamentals of the debugger concept we’ll put an emphasis on three debugger types this time: The immunity De-bugger, WinDbg and OllyDbg. The first is the Immunity Debugger. This debug-ger has both interfaces types; the GUI and a com-mand line. The command line can be seen at all times on the bottom of the GUI. The Immunity De-bugger can write exploits, analyze malware, and reverse engineer binary files. The base platform of this tool is a solid user interface with graphing function and a fine analysis tool built especially for heap creation. This debugger has a well-support-ed Python API on top of its other features. The second debugger we’ll review is the WinDbg – this is a multipurpose tool for Microsoft’s Win-dows operation system. The WinDbg can be used to debug user mode applications, drivers, and the operating system itself in kernel mode. The third and last debugger tool we’ll review is the OllyDbg. This is an x86 debugger who can trace reg-isters, recognizes procedures, API calls, switches, tables, constants and strings, as well as locate rou-tines from object files and libraries. The main focus for this debugger is the binary code analysis which is useful when the source code is unavailable. Launching the environment Pre-Requisites • Microsoft windows XP/Vista/7 machine. • Immunity Debugger – http://debugger.immuni-tyinc. com/ 50 02/2013
  • 2. EXTRA • Vulnerable FTP Server – http://frogteam.go-zure. com/FTP-Server.zip • FTP Fuzzer – http://frogteam.gozure.com/ Infigo.zip In this section we’ll show the basic actions re-quired to work with the debugger. Prior to starting this section please note that you’ll need to estab-lish the environment based on the pre-requisites listed above. Once you’ve completed the relevant actions you should have a windows machine with all the files from the links above, and you have in-stalled the Immunity Debugger which we will be used during this section. Once the machine is up and running, you may launch the Immunity Debugger. Immunity Debugger is a debugger with function-ality designed specifically for the security industry. Once the Immunity Debugger is up and running as can be seen in the image below we can start our FTP Server and then attach the Immunity De-bugger to the FTP Server process (Figure 1). In order to attach the Immunity Debugger to the FTP Server process we’ll need to perform the fol-lowing actions: • On Windows machine, extract the ‘FTP-Server. zip’ compressed file you’ve downloaded. • Double-click on ‘FTPServer.exe’ to start the FTP Server. • Return to the Immunity Debugger and click on File -> Attach (or Ctrl+F1) • On the Process list, select the “FTPServer” (TCP: 21) and click on the Attach button. When you attach the debugger to a running pro-cess it will pause. In the Immunity Debugger up-per bar, you can resume the process by click the “Play” button or create a new thread by choos-ing the “Restart” button and then the “Play” button (Figure 2 and Figure 3). In order to connect and authenticate the FTP Server simply flow up on the standard procedure and type the relevant username and password (e.g. user credentials). One should assume that these variables need to be passed from the client to the server and there-fore, the program needs to store them somehow Figure 1. Immunity Debugger Started Figure 2. Attaching the “FTPServer” Process Figure 3. New thread Created and FTPServer is Ready for Connections Figure 4. Connect and Authenticate to the FTP Server www.hakin9.org/en 51
  • 3. in memory. For our analysis we need to ask our-selves the following questions: • What kind of information it should contain (user info, program info, etc...)? • Which type of data they are able to accept (In-teger, String, etc...)? • How many characters should there be (there is a chance for Buffer-Overflow)? • Are there any characters that the variables should ignore (Bad-Characters)? In order to find these answers, we need to find a vulnerable FTP function or command- this can be done automatically or manually. For an easy start (which will save time) it is sometimes recom-mended to use automated tools. Once a “buffer-overflow” vulnerability exists, we have to find the amount of “junk data” that, when sent to the appli-cation, will overwrite the register. Stack-based buffer overflows techniques Users may exploit stack-based buffer overflows to manipulate the program to their advantage in one of the following ways: • By overwriting a local variable which is near the memory‘s buffer on the stack to change the behavior of the program which may benefit the attacker. • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as it was specified by the at-tacker. Usually a user’s input fills the buffer. • By overwriting a function pointer, or exception handler, which is subsequently executed. With a method called trampolining, if the address the user-supplied is listed as data unknown and the location will still be stored in a register, then the return address can be overwritten with the ad-dress of an opcode (operation code, a part of a language instruction that specifies the operation which will be performed) – this will cause the exe-cution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause ex-ecution of user supplied data. The locations of suit-able opcodes, or bytes in memory, can be found in DLLs or the executable itself. Please note that the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. Security Fuzzer Another important term is the fuzzer. Security Fuzzer is a tool used by security professionals and profes-sional hackers to test a parameter of an application. Typical fuzzers test an application for buffer over-flows, format string vulnerabilities, and error handling. Both fuzzer and debugger work together to de-tect security problems on a system, and it’s soft-ware. The fuzzer provides invalid, unexpected, or random data to the inputs of the target program and then monitors for exceptions such as failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test and exploit development tools. More advanced fuzzers incorporate function-alities to test for directory traversal attacks, com- Figure 5.*OñHP'514USFTT'V[[FSW Figure 6. FTPStress Fuzzer Detected the Vulnerable Commands 52 02/2013
  • 4. EXTRA mand execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Infigo FTPStress Fuzzer is a specific fuzzer for finding vulnerabilities in FTP server products. Al-though it is a simple tool, it has proved its efficiency by the number of vulnerabilities discovered in dif-ferent FTP server software tested with this tool. The parameters which are used for the fuzzing process are configurable. User can precisely de-fine which FTP commands will be fuzzed along with the size and type of the fuzzing data. On the windows machine from before we’ll acti-vate the “Infigo FTPStress Fuzzer” and try to crash the FTP server: • Extract the ‘Infigo.zip’ compressed file you’ve downloaded. • Double-click on the ‘ftpfuzz.exe’ file. You can try to crash the FTP Server from any oth-er external machine and to perform this step us-ing instance of ftpfuzz.exe running on deferent computer (Figure 5). Once The Fuzzer is up we’ll need to find the commands that are supported by the FTP server: • Enter the IP Address of the computer Host on which the FTP server is running (e.g. 127.0.0.1). • Next, click on Discover button. FTP Fuzzer detected the FTP commands sup-ported by FTP server. See example in Figure 6. Next we need to examine the behavior of these commands while sending “junk data”, Therefore we will configure the amount of “junk data” we want to send to the FTP server: • Click on Config button • On the configuration window, go to Fuzzing da-ta tab and click Deselect All • Check the “A” letter and then click on OK. Figure 7. FTPStress Fuzzer Configuration Window Figure 8. The Outcome Can Be Seen as the FTP Server Has Crashed Table 1.YQFDUFE3FTQPOTFJTi3$7u Total FTP commands: 2 FTP commands to fuzz: 2 Number of Fuzz tests: 26 [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 30 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 70 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA’: command not understood www.hakin9.org/en 53
  • 5. Assuming your Infigo Fuzzer looks like the im-age below, the fuzzing process can start. Click on Start button (Figure 7). The outcome can be seen as the FTP Server has crashed (Figure 8). The Analysis Phase In this section we’ll review on the procedure of an-alyzing the log data. The normal flow of the fuzzer is to connect to the target FTP Server, get the 220 Hello Message and then, send the “A”s junk data in different amounts (1 “A” = 1 Byte) each time fol-lowed by the “FEAT” command, while the expected response is RECV: 500 (Table 1). In order to understand what actually happened in the memory process, we can look at the diagram on the next page (Table 2). Next we can observe that after 330 bytes of junk data sent the FTP fuzzer was not able to receive 520 bytes of junk data and disconnected. This indicates that if we send junk data of a size between 330 and 520 bytes, the FTP server will crash (Table 3). Now, that we know the amount of junk bytes to send to overwrite EIP register we’ll try to find the exact amount of data that will overwrite EIP register. The Following Table Describes What Actually Happened in the Process Memory (Table 4). After examining the FTP Fuzzer log we can return to Immunity Debugger and see what happened to the process during the fuzzing test (Figure 9). In the Immunity Debugger main window we can see that our x41 (“A”s) floods the memory stack until the EIP register and modified the address so it’s x41x41x41x41 (“AAAA”) as can be seen in the “Registers window” – this helped us find the “JMP” but leads to an access violation as we can see in the Immunity Debugger status bar. Table 2. #ZUFTPGKVOLEBUB Table 3. The crash of ftp server [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 330 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 520 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 700 ] RECV: 500 ‘FEAT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [ CMD: [FEAT] FUZZ: [AAAAAAAAAAAAAAAAAAAA] SIZE: 1400 ] [ Connecting to 2.2.2.201:21... ] [ Connected, starting fuzz process... ] 220 FreeFloat Ftp Server (Version 1.00). 54 02/2013
  • 6. EXTRA To summarize our actions, we’ve found a stack-based buffer overflow in the FTP Server. In order to better understand the procedure we need to modify the exact register (4 bytes EIP in that case) with JMP value so we are able to hit an accessible register. In the upcoming articles we’ll learn how to write our first exploit test script that will help us to control the data we send to the target. ERAN GOLDSTEIN Eran Goldstein is the founder of Frogteam|Security, a cyber securi-ty vendor company in USA and Israel. He is also the creator and developer of “Total Cyber Security – TCS” product line. Eran Goldstein is a senior cyber security expert and a software devel-oper with over 10 years of experience. He specializes at penetration testing, reverse engineering, code reviews and application vulnerability assessments. Eran has a vast experience in leading and tutoring courses in appli-cation security, software analysis and secure develop-ment as EC-Council Instructor (C|EI). For more informa-tion about Eran and his company you may go to: http:// www.frogteam-security.com. Table 4.#ZUFTPGKVOLEBUB Figure 9. Examine the Buffer Overflow Immunity Debugger www.hakin9.org/en 55