Automatic, Bulk Auditing for Vulnerabilities

Clearly, reverse engineering is a time-consuming task and a process that does not scale well. T many cases when reverse engineering for security bugs would be valuable, but there isn't nearl time to analyze each and every component of a software system the way we have done in the p

ByGreg Hoglund,Gary McGraw

[14] The reason this is a white box analysis (and not a black box analysis) is that we're looking "inside" the pr out what's happening. Black box approaches treat a target program as an opaque box that can only be probe

Publisher:White boxAddisonapproachesWesl y dive into the box (regardless of whether source code is available).

Pub Date: February 17, 2004

Harking back to a previous example, let's assume we want to find other bugs that may involve

ISBN: 0-201-78695-8

ofwcsncat. We can use a utility called dumpbin under Windows to show which calls are importe

Pages: 512

executable:

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

techniques used by bad guys to break software. If you want to protect your software from dumpbin /imports target.exe

attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

To bulk audit all the executables on a system, we can write a small Perl script. First create a list

executables to analyze. Use the dir command as follows: Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

Surprising attacks against client software dir /B /S c:\winnt\*.exe > files.txt

Techniques for crafting malicious input

The technical details of buffer overflows

This creates a large output file of all the executable files under the WINNT directory. The Perl sc

Rootkits

calldumpbin on each file and will analyze the results to determine whether wcsncat is being use

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

open(FILENAMES, "files.txt");

while (<FILENAMES>)

{

chop($_);

my $filename = $_;

•Table of Contents

$command = "dumpbin /imports $_ > dumpfile.txt";

•Index

Exploiting Software How to Break Code

#print "trying $command";

ByGreg Hoglund,Gary McGraw

system($command);

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

open(DUMPFILE, "dumpfile.txt");

Pages: 512

while (<DUMPFILE>)

{

How does software break? How do attackers make software break on purpose? Why are if(m/wcsncat/gi)

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers.

{

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and print "$filename: $_";

techniques used by bad guys to break software. If you want to protect your software from

attack, you must first learn how real attacks are really carried out.

}

This must-have book may shock you—and it will certainly educate you.Getting beyond the

}

script kiddie treatment found in many hacking books, you will learn about

close(DUMPFILE);

Why software exploit will continue to be a serious problem

}

When network security mechanisms do not work

close(FILENAMES);

Attack patterns

Reverse engineering

Classic attacks against server software

Running this script on a system in the lab produces the following output:

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

C:\temp>perlsoftware. scan.pl

c:\winnt\winrep.exe: 7802833F 2E4 wcsncat

c:\winnt\INF\UNREGMP2.EXE: 78028EDD 2E4 wcsncat

c:\winnt\SPEECH\VCMD.EXE: 78028EDD 2E4 wcsncat

c:\winnt\SYSTEM32\dfrgfat.exe: 77F8F2A0 499 wcsncat

c:\winnt\SYSTEM32\dfrgntfs.exe: 77F8F2A0 499 wcsncat

c:\winnt\SYSTEM32\IESHWIZ.EXE: 78028EDD 2E4 wcsncat

c:\winnt\SYSTEM32\NET1.EXE: 77F8E8A2 491 wcsncat

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

Publisher: Addison Wesley

We can see that several of the programs under Windows NT are using wcsncat. With a little tim auditPubtheseDate: Februaryfiles to17,determine2004 whether they suffer from similar problems to the example progra earlier.ISBN:We 0could-201-78695also-8examine DLLs using this method and generate a much larger list:

Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

C:\temp>dir /B /S c:\winnt\*.dll > files.txt

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

C:\temp>perl scan.pl

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

c:\winnt\SYSTEM32\AAAAMONWhy software exploit will.continueDLL: to78028EDDbe a serious2E4problemwcsncat

When network security mechanisms do not work c:\winnt\SYSTEM32\adsldpc.dll: 7802833F 2E4 wcsncat

Attack patterns

c:\winnt\SYSTEM32\avtapi.dll: 7802833F 2E4 wcsncat

Reverse engineering

c:\winnt\SYSTEM32\AVWAV.DLL: 78028EDD 2E4 wcsncat

Classic attacks against server software c:\winnt\SYSTEM32\BR549.DLL: 78028EDD 2E4 wcsncat

Surprising attacks against client software c:\winnt\SYSTEM32\CMPROPS.DLL: 78028EDD 2E7 wcsncat

Techniques for crafting malicious input c:\winnt\SYSTEM32\DFRGUI.DLL: 78028EDD 2E4 wcsncat

The technical details of buffer overflows

c:\winnt\SYSTEM32\dhcpmon.dll: 7802833F 2E4 wcsncat

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

c:\winnt\SYSTEM32\EVENTLOG.DLL: 78028EDD 2E4 wcsncat

c:\winnt\SYSTEM32\GDI32.DLL: 77F8F2A0 499 wcsncat

c:\winnt\SYSTEM32\IASSAM.DLL: 78028EDD 2E4 wcsncat

c:\winnt\SYSTEM32\IFMON.DLL: 78028EDD 2E4 wcsncat

c:\winnt\SYSTEM32\LOCALSPL.DLL: 7802833F 2E4 wcsncat

•Table of Contents

•c:\winnt\SYSTEM32\MYCOMPUTIndex .DLL: 78028EDD 2E4 wcsncat

Exploiting Software How to Break Code

c:\winnt\SYSTEM32\netcfgx.dll: 7802833F 2E4 wcsncat

ByGreg Hoglund,Gary McGraw

c:\winnt\SYSTEM32\ntdsa.dll: 7802833F 2E4 wcsncat

Publisher: Addison Wesley

Pub Date: February 17, 2004

c:\winnt\SYSTEM32\ntdsapi.dll: 7802833F 2E4 wcsncat

ISBN: 0-201-78695-8

c:\winnt\SYSTEM32\ntdsetupPages: 512 .dll: 7802833F 2E4 wcsncat

c:\winnt\SYSTEM32\ntmssvc.dll: 7802833F 2E4 wcsncat

c:\winnt\SYSTEM32\NWWKS.DLL: 7802833F 2E4 wcsncat

How does software break? How do attackers make software break on purpose? Why are

c:\winnt\SYSTEM32\ODBC32.dll: 7802833F 2E4 wcsncat

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. c:\winnt\SYSTEM32\odbccp32.dll: 7802833F 2E4 wcsncat

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and c:\winnt\SYSTEM32\odbcjt32techn ques used by bad guys to.breakdll: software7802833F. If you2E4wantwcsncatto pro ect your software from

attack, you must first learn how real attacks are really carried out.

c:\winnt\SYSTEM32\OIPRT400.DLL: 78028EDD 2E4 wcsncat

This must-have book may shock you—and it will certainly educate you.Getting beyond the scriptc:\winnt\SYSTEM32\PRINTUIkiddie treatment found in.DLL:many hacking7802833Fbooks,2E4youwcsncatwill learn about

c:\winnt\SYSTEM32\rastls.dll: 7802833F 2E4 wcsncat

Why software exploit will continue to be a serious problem

c:\winnt\SYSTEM32\rend.dll: 7802833F 2E4 wcsncat

When network security mechanisms do not work

c:\winnt\SYSTEM32\RESUTILS.DLL: 7802833F 2E4 wcsncat

Attack patterns

c:\winnt\SYSTEM32\SAMSRV.DLL: 7802833F 2E4 wcsncat

Reverse engineering

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break c:\winnt\SYSTEM32\WIN32SPL.DLL: 7802833F 2E4 wcsncat

software.

c:\winnt\SYSTEM32\WINSMON.DLL: 78028EDD 2E4 wcsncat

c:\winnt\SYSTEM32\SETUP\msmqocm.dll: 7802833F 2E4 wcsncat

c:\winnt\SYSTEM32\WBEM\cimwin32.dll: 7802833F 2E7 wcsncat

//

// This example shows how to use GetOperandValue() function.

//

•Table of Contents

#include• <idcIndex.idc>

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

/* this routine is hard coded to understand sprintf calls */

Publisher: Addison Wesley

How does software break? How do attackers make software break on purpose? Why are

output_file

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers.

)

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

{

techniques used by bad guys to break software. If you want to protect your software from

attack, you must first learn how real attacks are really carried out. auto ep; /* placeholder */

This must-have book may shock you—and it will certainly educate you.Getting beyond the scriptautokiddiek;treatment found in many hacking books, you will learn about

auto kill_frame_sz;

Why software exploit will continue to be a serious problem

auto comment_string;

When network security mechanisms do not work

Attack patterns

k = GetMnem(eb);

Reverse engineering

Classic attacks against server software

if(strstr(k, "call") != 0)

Surprising attacks against client software

{Techniques for crafting malicious input

The technicalMessage("Invaliddetails of bufferstartingoverflowspoint\n");

Rootkits

return;

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

}

software.

/* backtrace code */

while( eb=FindCode(eb, 0) )

{

auto j;

j = GetMnem(eb);

/* exit early if we run into a retn code */

•Table of Contents

if(strstr(j, "retn") == 0) return;

•Index

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

/* push means argument to sprintf call */

Publisher: Addison Wesley

if(strstr(j, "push") == 0)

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

{

Pages: 512

auto my_reg;

auto max_backtrace;

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. ep = eb; /* save our place */

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from

attack, you must first learn how real attacks are really carried out.

/* work back to find out the parameter */

This must-have book may shock you—and it will certainly educate you.Getting beyond the my_reg = GetOpnd(eb, 0);

script kiddie treatment found in many hacking books, you will learn about

fprintf(output_file, "push number %d, %s\n", param_count, my_reg);

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

max_backtrace = 10; /* don't backtrace more than 10 steps */

Attack patterns

while(1)

Reverse engineering

{

Classic attacks against server software

auto x;

Surprising attacks against client software

x = GetOpnd(eb,0);

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

if ( x != -1 )

{

if(strstr(x, my_reg) == 0)

{

auto my_src;

my_src = GetOpnd(eb, 1);

/* param 3 is the target buffer */

•Table of Contents

if(3 == param_count)

•Index

Exploiting Software How to Break Code

{

ByGreg Hoglund,Gary McGraw

my_loc = PrevFunction(eb);

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. fprintf(output_file, "detected

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and subroutine 0x%x\n", my_loc);

techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the my_sz = GetFrame(my_loc);

script kiddie treatment found in many hacking books, you will learn about

fprintf(output_file, "got frame

Why software exploit will continue to be a serious problem

%x\n", my_sz);

When network security mechanisms do not work

Attack patterns

frame_sz = GetFrameSize(my_loc);

Reverse engineering

fprintf(output_file, "got frame size

Classic attacks against server software

%d\n", frame_sz);

Surprising attacks against client software

Techniques for crafting malicious input

kill_frame_sz =

The technical details of buffer overflows

Rootkits GetFrameLvarSize(my_loc);

fprintf(output_file, "got frame lvar

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.

size %d\n", kill_frame_sz);

my_sz = GetFrameArgsSize(my_loc);

fprintf(output_file, "got frame args

size %d\n", my_sz);

/* this is the target buffer */

fprintf(output_file, "%s is the target buffer,

•Table of Contents

in frame size %d bytes\n",

•Index

Exploiting Software How to Break Code

my_src, frame_sz);

ByGreg Hoglund,Gary McGraw

}

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

/* param 1 is the source buffer */

Pages: 512

if(1 == param_count)

{

How does software break? How do attackers make software break on purpose? Why are fprintf(output_file, "%s is the source buffer\n",

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. my_src);

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and if(-1 != strstr(my_src, "arg"))

techniques used by bad guys to break software. If you want to protect your software from

attack, you must first learn how real attacks are really carried out.

{

This must-have book may shock you—and it will certainly educate you.Getting beyond the fprintf(output_file, "%s is an argument that wi

script kiddie treatment found in many hacking books, you will learn about

overflow if larger than %d bytes!\n",

Why software exploit will continue to be a serious problem my_src, kill_frame_sz);

When network security mechanisms do not work

}

Attack patterns

}

Reverse engineering

break;

Classic attacks against server software

}

Surprising attacks against client software

}

Techniques for crafting malicious input

max_backtrace--;

The technical details of buffer overflows

}

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

eb = ep; /* reset to where we started and continue for next paramet

param_count--;

if(0 == param_count)

{

fprintf(output_file, "Exhausted all parameters\n");

return;

}

}

•Table of Contents

if(ec-- == 0)break; /* max backtrace looking for parameters */

•Index

Exploiting Software How to Break Code

}

ByGreg Hoglund,Gary McGraw

}

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

static main()

Pages: 512

{

auto ea;

How does software break? How do attackers make software break on purpose? Why are auto eb;

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. auto last_address;

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and auto output_file;

techniques used by bad guys to break software. If you want to protect your software from

attack, you must first learn how real attacks are really carried out. auto file_name;

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

/* turn off all dialog boxes for batch processing */

Why software exploit will continue to be a serious problem

Batch(0);

When network security mechanisms do not work

/* wait for autoanalysis to complete */

Attack patterns

Wait();

Reverse engineering

Classic attacks against server software

ea = MinEA();

Surprising attacks against client software

eb = MaxEA();

Techniques for crafting malicious input

The technical details of buffer overflows

output_file = fopen("report_out.txt", "a");

Rootkits

file_name = GetIdbPath();

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.

fprintf(output_file, "HUNTING FROM %x TO %x

while(ea != BADADDR)

{

auto my_code;

•Table of Contents

•Index

Exploiting Software How to Break Code

last_address=ea;

ByGreg Hoglund,Gary McGraw

//Message("checking %x\n", ea);

Publisher: Addison Wesley

my_code = GetMnem(ea);

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

if(0 == strstr(my_code, "call")){

Pages: 512

auto my_op;

my_op = GetOpnd(ea, 0);

How does software break? How do attackers make software break on purpose? Why are if(-1 != strstr(my_op, "sprintf")){

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. fprintf(output_file, "Found sprintf call at 0x%x -

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and checking\n", ea);

techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the

/* 3 parameters, max backtrace of 20 */

script kiddie treatment found in many hacking books, you will learn about

hunt_address(ea, 3, 20, output_file);

Why software exploit will continue to be a serious problem fprintf(output_file, "------------------------------------

When network security mechanisms do not work

----------\n");

Attack patterns

}

Reverse engineering

}

Classic attacks against server software

ea = FindCode(ea, 1);

Surprising attacks against client software

}

Techniques for crafting malicious input

fprintf(output_file, "FINISHED at address 0x%x

The technical details of buffer overflows

\n----------------------------------------------\n", last_address);

Rootkits

fclose(output_file);

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

Exit(0);

}

The output produced by this simple batch file is placed in a file called report_out.txt for later

The file looks something like this:

•Table of Contents

•Index

Exploiting Software How to Break Code

ByGreg Hoglund,Gary McGraw

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

----------------------------------------------

Surprising attacks against client software

Filename: C:\reversing\of1.idb

Techniques for crafting malicious input

HUNTING FROM 401000 TO 404000

The technical details of buffer overflows

----------------------------------------------

Rootkits

Found sprintf call at 0x401012 - checking

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.

push number 3, ecx

detected subroutine 0x401000

got frame ff00004f

got frame size 32

got frame lvar size 28

got frame args size 0

[esp+1Ch+var_1C] is the target buffer, in frame size 32 bytes

•Table of Contents

push number 2, offset unk_403010

•Index

Exploiting Software How to Break Code

push number 1, eax

ByGreg Hoglund,Gary McGraw

[esp+arg_0] is the source buffer

Publisher: Addison Wesley

[esp+arg_0] is an argument that will overflow if larger than 28 bytes!

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

Exhausted all parameters

Pages: 512

----------------------------------------------

Found sprintf call at 0x401035 - checking

How does software break? How do attackers make software break on purpose? Why are push number 3, ecx

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers. detected subroutine 0x401020

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and got frame ff000052

techniques used by bad guys to break software. If you want to protect your software from

attack, you must first learn how real attacks are really carried out. got frame size 292

This must-have book may shock you—and it will certainly educate you.Getting beyond the got frame lvar size 288

script kiddie treatment found in many hacking books, you will learn about

got frame args size 0

Why software exploit will continue to be a serious problem

[esp+120h+var_120] is the target buffer, in frame size 292 bytes

When network security mechanisms do not work

push number 2, offset aSHh

Attack patterns

push number 1, eax

Reverse engineering

[esp+arg_0] is the source buffer

Classic attacks against server software

[esp+arg_0] is an argument that will overflow if larger than 288 bytes!

Surprising attacks against client software

Exhausted all parameters

Techniques for crafting malicious input

----------------------------------------------

The technical details of buffer overflows

FINISHED at address 0x4011b6

Rootkits

----------------------------------------------

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.

----------------------------------------------

Filename: C:\winnt\MSAGENT\AGENTCTL.idb

HUNTING FROM 74c61000 TO 74c7a460

----------------------------------------------