Windows Exploitation 1
Independent Study: End of Semester Presentation
‘Windows Exploitation’, Spring 2014
By: Markus Gaasedelen
Markus Gaasedelen - 5/7/2014
Windows Exploitation 2
Goals of This Study
‘… This course will explore the tools, a number of mitigations, and their associated bypass techniques that are utilized in most modern exploits on the Windows platform. The outcome of this course will leave one with the ability to analyze real world vulnerabilities and develop reliable exploits from end to end for Windows XP – Windows 7 systems.’
-Course Abstract
Windows Exploitation 3
Course Details & Materials
• http://gaasedelen.blogspot.com/
  – My security related blog
  – Includes extended homework write-ups
• http://security.cs.rpi.edu/~gaasem/winexp/
  – Includes my course syllabus & plan of study
  – Graded deliverables for the course
Windows Exploitation 4
REAL BUGS, REAL CRASHES
Deliverable #4
Windows Exploitation 5
Deliverable #4
• ‘Unique Bugs & Crashes’
  – Find a piece of shareware, or some other application that you feel should have some bugs that aren’t too crazy to discover, and see what you can find.
Windows Exploitation 6
Target: Fortissimo
http://www.softpedia.com/get/Multimedia/Audio/Audio-Players/Fortissimo.shtml
Windows Exploitation 7
Attack surface
• Media files, .mp3 & .wav files
• Playlist files
• Media Player skins
• … others?
Windows Exploitation 8
KEEP IT SIMPLE STUPID
Dumb fuzzing for crashes
Windows Exploitation 9
Dumb Fuzzing
1. Given a sample file, change random data in it
2. Use corrupted files as input to target
3. ????
4. Repeat
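The four-step loop above as a runnable sketch (an added example, not part of the slides and not MiniFuzz): mutate a sample file, hand it to the target, classify how the process ended, repeat, keeping the seed of every case so a crash can be regenerated. The target is a constructed Python stand-in for the player with a deliberately planted crash, and the 10-byte sample is made up; against a real player the command line would be the player executable and the sample a real .mp3.

```python
import os
import random
import subprocess
import sys
import tempfile

# Constructed stand-in for the player: its "parser" crashes (abort) whenever the first
# magic byte 'I' is changed, rejects a zero second byte cleanly, and plays anything else.
DEMO_TARGET = ("import os, sys\nd = open(sys.argv[1], 'rb').read()\n"
               "if d[0] != 0x49: os.abort()\n"
               "if d[1] == 0x00: print('your file is corrupt'); sys.exit(1)\n")

def mutate(data: bytes, seed: int, max_flips: int = 8) -> bytes:
    """Step 1: overwrite a few random bytes. Seeding makes every case reproducible."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def run_case(cmd: list, case_path: str, timeout: float = 5.0) -> str:
    """Step 2: run the target on the file and classify how it ended. On POSIX a negative
    return code is the killing signal (SIGSEGV=11, SIGABRT=6); Windows reports 0xC0000005."""
    try:
        rc = subprocess.run(cmd + [case_path], timeout=timeout, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
    except subprocess.TimeoutExpired:
        return "hang"
    if rc == 0:
        return "ok"
    return f"crash:{rc}" if rc < 0 or rc == 0xC0000005 else f"error:{rc}"

def fuzz(cmd: list, sample: bytes, iterations: int, seed: int = 0) -> dict:
    """Steps 1-4: mutate, run, record, repeat; returns {outcome: [seeds]} for triage."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        case = os.path.join(tmp, "case.mp3")
        for i in range(iterations):
            with open(case, "wb") as f:
                f.write(mutate(sample, seed + i))
            results.setdefault(run_case(cmd, case), []).append(seed + i)
    return results

def demo(iterations: int = 30) -> dict:
    """Run the loop against the constructed target with a made-up 10-byte sample."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "player.py")
        with open(target, "w") as f:
            f.write(DEMO_TARGET)
        return fuzz([sys.executable, target], b"ID3\x03\x00\x00" + bytes(4), iterations)
```

`demo()` returns one entry per distinct outcome, e.g. `ok`, `error:1` and `crash:-6` on Linux, each with the seeds that reproduce it.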
Windows Exploitation 10
Visual Representation
[Diagram: Sample.mp3 is fed to Fortissimo.exe]
Windows Exploitation 11
Visual Representation
[Diagram: MiniFuzz.exe corrupts Sample.mp3; the corrupted Sample.mp3 is fed to Fortissimo.exe, which replies “Excuse me, your file is corrupt.”]
Windows Exploitation 12
Visual Representation
[Diagram: same flow with another corrupted Sample.mp3 from MiniFuzz.exe; this time Fortissimo.exe hits a SEGFAULT]
Windows Exploitation 13
Using MiniFuzz to Find Bugs
Windows Exploitation 14
Enhance!
Windows Exploitation 15
MiniFuzz output
Windows Exploitation 16
Closer Look at the Crashes
• None in Fortissimo … but id3lib.dll?
  – Wat
• id3lib.dll is the one .dll that Fortissimo includes
Windows Exploitation 17
What is id3lib.dll?
Windows Exploitation 18
A Crash
Windows Exploitation 19
Another Crash
Windows Exploitation 20
At the Top Level – Fortissimo.exe
We crash in this call (ID3_Tag object initialization)
Windows Exploitation 21
id3lib.dll
• There must be issues in id3lib.dll’s ability to parse malformed .MP3 headers
  – Open source!
  – Start from the ID3_Tag() initialization routine and work your way down, looking for its parsing calls
  – … or try static analysis tools!
  – http://sourceforge.net/projects/id3lib/
Windows Exploitation 22
Conclusion
• Dumb fuzzing works, but can be slow
  – Use targeted fuzzing next time (e.g. PeachFuzz)
• Fortissimo
  – Its basic media handling at least stands up to short-term dumb fuzzing
  – I’m sure there are bugs in the skin & playlist handling
• The id3lib.dll library definitely has issues