independent study end of semester presentation

Posted on 24-Feb-2016


Windows Exploitation 1

Independent Study: End of Semester Presentation

‘Windows Exploitation’, Spring 2014

By: Markus Gaasedelen

Markus Gaasedelen - 5/7/2014

Windows Exploitation 2

Goals of This Study

‘… This course will explore the tools, a number of mitigations, and their associated bypass techniques that are utilized in most modern exploits on the Windows platform. The outcome of this course will leave one with the ability to analyze real world vulnerabilities and develop reliable exploits from end to end for Windows XP – Windows 7 systems.’

-Course Abstract


Windows Exploitation 3

Course Details & Materials

• http://gaasedelen.blogspot.com/
– My security-related blog
– Includes extended homework write-ups

• http://security.cs.rpi.edu/~gaasem/winexp/
– Includes my course syllabus & plan of study
– Graded deliverables for the course

Windows Exploitation 4

REAL BUGS, REAL CRASHES

Deliverable #4

Windows Exploitation 5

Deliverable #4

• ‘Unique Bugs & Crashes’
– Find a piece of shareware, or some other application that you feel should have some bugs that aren’t too crazy to discover, and see what you can find.

Windows Exploitation 6

Target: Fortissimo


http://www.softpedia.com/get/Multimedia/Audio/Audio-Players/Fortissimo.shtml

Windows Exploitation 7

Attack surface

• Media files: .mp3 & .wav files
• Playlist files
• Media player skins
• … others?

Windows Exploitation 8

KEEP IT SIMPLE STUPID

Dumb fuzzing for crashes

Windows Exploitation 9

Dumb Fuzzing

1. Given a sample file, change random data in it
2. Use the corrupted files as input to the target
3. ????
4. Repeat

Windows Exploitation 10

Visual Representation

(Three build slides; diagram only.) Sample.mp3 is fed to MiniFuzz.exe, which writes a corrupted copy of Sample.mp3 and hands it to Fortissimo.exe. Each run ends one of two ways: Fortissimo rejects the input (“Excuse me, your file is corrupt.”) or it dies (“SEGFAULT”).
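The four-step loop and the diagram above, written out as a small dumb fuzzer. This is an added example, not MiniFuzz and not the author's tooling: it flips a handful of random bytes in a seed file, hands each mutant to the target, and keeps the mutants that kill the process. The seed bytes, the target name and the exit-code table are assumptions made for the example.

```python
"""Dumb mutation fuzzer in the shape of the four-step loop above.
Added example (not MiniFuzz and not the author's tooling): flip random bytes in
a seed file, hand the mutant to the target, keep mutants that kill the process."""
import random
import subprocess
import sys

# Exit statuses that mean the target died rather than politely rejecting the file.
# Windows NTSTATUS codes come back from subprocess as unsigned 32-bit values;
# POSIX reports a fatal signal as a negative returncode (-11 == SIGSEGV).
WINDOWS_CRASH_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",   # /GS cookie failure
    0xC0000374: "STATUS_HEAP_CORRUPTION",
}

# Constructed seed standing in for Sample.mp3: an ID3v2.3 header declaring an
# empty tag, then a few bytes that look like an MPEG frame sync.
SEED = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 50


def classify_exit(code):
    """Map a raw returncode to 'ok', 'error', 'crash' or 'timeout'."""
    if code is None:
        return "timeout"
    if code < 0:                                   # killed by a signal
        return "crash"
    if (code & 0xFFFFFFFF) in WINDOWS_CRASH_CODES:  # died with an NTSTATUS
        return "crash"
    return "ok" if code == 0 else "error"          # non-zero: "your file is corrupt"


def mutate(data, rng, max_flips=8):
    """Step 1: copy the seed and overwrite 1..max_flips random bytes with random values."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def make_file_runner(cmd, path, timeout=5):
    """Step 2 for a real command-line target: write the mutant to `path`, run
    `cmd path`, return its exit code (None on hang). A GUI player does not exit
    on its own, so for a Fortissimo-style target a debugger-based monitor such
    as MiniFuzz is the right tool; this runner suits CLI decoders and harnesses."""
    def run(data):
        with open(path, "wb") as f:
            f.write(data)
        try:
            return subprocess.run(cmd + [path], timeout=timeout,
                                  stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL).returncode
        except subprocess.TimeoutExpired:
            return None
    return run


def fuzz(seed, runner, iterations, rng_seed=0):
    """Steps 1-4: mutate, run, record, repeat. `runner(mutant_bytes) -> returncode`.
    Returns (iteration, verdict, mutant) for every crash or hang. A fixed rng_seed
    makes the run reproducible, so a crasher can always be regenerated."""
    rng = random.Random(rng_seed)
    findings = []
    for i in range(iterations):
        mutant = mutate(seed, rng)
        verdict = classify_exit(runner(mutant))
        if verdict in ("crash", "timeout"):
            findings.append((i, verdict, mutant))
    return findings


if __name__ == "__main__":
    # usage: python dumbfuzz.py <target.exe> <seed.mp3> [iterations]
    target, seed_path = sys.argv[1], sys.argv[2]
    n = int(sys.argv[3]) if len(sys.argv) > 3 else 1000
    with open(seed_path, "rb") as f:
        seed = f.read()
    for i, verdict, mutant in fuzz(seed, make_file_runner([target], "cur.mp3"), n):
        name = f"crash_{i:06d}.mp3"
        with open(name, "wb") as f:
            f.write(mutant)
        print(f"[{verdict}] iteration {i} -> saved {name}")
```

The loop is deliberately blind to what it is mutating, which is exactly why it is slow: most flips land in audio data the player skips over, and only flips in the header region reach the parser. Keeping the RNG seed with each crash file matters more than it looks, because a crasher you cannot regenerate is a crasher you cannot minimise.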

Windows Exploitation 13

Using MiniFuzz to Find Bugs


Windows Exploitation 14

Enhance!


Windows Exploitation 15

MiniFuzz output


Windows Exploitation 16

Closer Look at the Crashes

• None in Fortissimo.exe itself … but in id3lib.dll?
– Wat

• id3lib.dll is the one .dll that ships with Fortissimo

Windows Exploitation 17

What is id3lib.dll?


Windows Exploitation 18

A Crash


Windows Exploitation 19

Another Crash


Windows Exploitation 20

At the Top Level – Fortissimo.exe

We crash in this call (ID3_Tag object initialization)

Windows Exploitation 21

id3lib.dll

• There must be issues in id3lib.dll’s ability to parse malformed ID3 headers in .MP3 files
– Open source!
– Start from the ID3_Tag() initialization routine and work your way down, looking for its parsing calls
– … or try static analysis tools!
– http://sourceforge.net/projects/id3lib/
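The crashes land in the routine that reads the ID3 tag at the front of the file, so it helps to see what that parser has to check. Below is an added example of a bounds-checked ID3v2.3/2.4 tag walker; it is not id3lib's code, it does not reproduce whichever check id3lib gets wrong (the page does not establish that), and the sample files it parses are constructed here. Every length the file supplies (tag size, extended-header size, frame size) is compared against what is actually present before it is used as an offset, which is the class of check a mutated header will exercise.

```python
"""Bounds-checked walker for the ID3v2 tag at the front of an .mp3 file.
Added example, not id3lib's code: it shows the checks a tag parser must apply to
attacker-controlled size fields, which is what the fuzzed files above exercise."""
import struct


def syncsafe(raw):
    """Decode a 4-byte syncsafe integer (7 bits per byte, high bit must be clear)."""
    if len(raw) != 4 or any(b & 0x80 for b in raw):
        raise ValueError("bad syncsafe integer")
    return (raw[0] << 21) | (raw[1] << 14) | (raw[2] << 7) | raw[3]


def syncsafe_encode(n):
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def parse_id3v2(data):
    """Return [(frame_id, payload), ...] for an ID3v2.3/2.4 tag, or raise ValueError."""
    if len(data) < 10 or data[:3] != b"ID3":
        raise ValueError("no ID3v2 header")
    major, flags = data[3], data[5]
    if major not in (3, 4):
        raise ValueError(f"unsupported ID3v2.{major}")
    if major == 3 and flags & 0x80:
        raise ValueError("unsynchronised v2.3 tag not handled here")
    tag_size = syncsafe(data[6:10])            # bytes after the 10-byte header
    end = 10 + tag_size
    if end > len(data):                        # check 1: the tag must fit in the file
        raise ValueError("tag size exceeds file")
    pos = 10
    if flags & 0x40:                           # extended header present
        if pos + 4 > end:
            raise ValueError("truncated extended header")
        if major == 4:
            ext_len = syncsafe(data[pos:pos + 4])                    # v2.4: syncsafe, includes itself
        else:
            ext_len = 4 + struct.unpack(">I", data[pos:pos + 4])[0]  # v2.3: raw, excludes itself
        if ext_len < 6 or pos + ext_len > end:                       # check 2: stays inside the tag
            raise ValueError("extended header exceeds tag")
        pos += ext_len
    frames = []
    while pos + 10 <= end:                     # need a full 10-byte frame header
        if data[pos] == 0:                     # zero byte: padding runs to the end of the tag
            break
        frame_id = data[pos:pos + 4]
        if not all(0x41 <= c <= 0x5A or 0x30 <= c <= 0x39 for c in frame_id):
            raise ValueError(f"bad frame id {frame_id!r} at offset {pos}")
        size_raw = data[pos + 4:pos + 8]
        size = syncsafe(size_raw) if major == 4 else struct.unpack(">I", size_raw)[0]
        if size == 0 or pos + 10 + size > end:  # check 3: frame body must fit inside the tag
            raise ValueError(f"frame {frame_id.decode()} size {size} exceeds tag")
        frames.append((frame_id.decode("ascii"), data[pos + 10:pos + 10 + size]))
        pos += 10 + size
    return frames


def classify_tag(data):
    """('ok', frames) for a well-formed tag, ('malformed', reason) otherwise."""
    try:
        return "ok", parse_id3v2(data)
    except ValueError as exc:
        return "malformed", str(exc)


def build_mp3(frames, major=3, size_override=None):
    """Constructed test input: an ID3v2 tag followed by a fake MPEG frame sync.
    size_override forges the size field of the first frame, as a fuzzer might."""
    body = b""
    for i, (fid, payload) in enumerate(frames):
        n = size_override if (i == 0 and size_override is not None) else len(payload)
        size_field = syncsafe_encode(n) if major == 4 else struct.pack(">I", n)
        body += fid.encode("ascii") + size_field + b"\x00\x00" + payload
    header = b"ID3" + bytes([major, 0, 0]) + syncsafe_encode(len(body))
    return header + body + b"\xff\xfb\x90\x00" + b"\x00" * 16


TITLE = ("TIT2", b"\x00Hello")                 # text frame: encoding byte 0 + latin-1 text
VALID_V23 = build_mp3([TITLE, ("TPE1", b"\x00Me")])
VALID_V24 = build_mp3([TITLE], major=4)
OVERSIZED_FRAME = build_mp3([TITLE], size_override=0x7FFFFFFF)   # frame claims 2 GiB
TRUNCATED = VALID_V23[:20]                                      # header promises more than is present
```

The v2.3 frame size is a raw 32-bit big-endian value, so a mutated header can claim anything up to 4 GiB; a parser that trusts it as a copy length or an offset reads far past the tag, which is the shape of bug to look for when walking down from ID3_Tag() to the frame-parsing calls. The walker above also refuses v2.3 tags with the unsynchronisation flag set rather than guessing, because that flag changes the byte stream before any size is meaningful.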

Windows Exploitation 22

Conclusion

• Dumb fuzzing works, but can be slow
– Use targeted fuzzing next time (e.g. Peach Fuzzer)

• Fortissimo
– Its basic media handling at least stands up to short-term dumb fuzzing
– I’m sure there are bugs in the skin & playlist handling

• The id3lib.dll library definitely has issues