Slide 1
Independent Study: End of Semester Presentation
‘Windows Exploitation’, Spring 2014
By: Markus Gaasedelen
Markus Gaasedelen - 5/7/2014
Windows Exploitation
1
Slide 2
Goals of This Study
‘… This course will explore the tools, a number of mitigations, and their associated bypass techniques that are utilized in most modern exploits on the Windows platform. The outcome of this course will leave one with the ability to analyze real world vulnerabilities and develop reliable exploits from end to end for Windows XP – Windows 7 systems.’
- Course Abstract
Slide 3
Course Details & Materials
http://gaasedelen.blogspot.com/
My security related blog
Includes extended homework write-ups
http://security.cs.rpi.edu/~gaasem/winexp/
Includes my course syllabus & plan of study
Graded deliverables for the course
Slide 4
Real bugs, real crashes
Deliverable #4
Slide 5
Deliverable #4
‘Unique Bugs & Crashes’
Find a piece of shareware, or some other application that you feel should have some bugs that aren’t too crazy to discover, and see what you can find.
Slide 6
Target: Fortissimo
http://www.softpedia.com/get/Multimedia/Audio/Audio-Players/Fortissimo.shtml
Slide 7
Attack surface
Media files, .mp3 & .wav files
Playlist files
Media player skins
… others?
Slide 8
Keep it simple, stupid
Dumb fuzzing for crashes
Slide 9
Dumb Fuzzing
Given a sample file, change random data in it
Use corrupted files as input to target
????
Repeat
Slide 10
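The loop on this slide written out as an added example (not part of the original presentation, and not MiniFuzz's code): a dumb mutation fuzzer in Python. It goes slightly beyond the slide: besides an in-process toy target (constructed here, a "chunked" file parser that trusts its length fields and therefore reads out of bounds when one is mutated) it includes a runner for an external Windows executable that treats the NTSTATUS exception code a crashed process exits with as the crash signal. That runner, and its assumption that the player takes the file path as its first argument, are not exercised by the demo.

```python
"""Dumb (mutation) fuzzer: mutate a sample file, feed it to the target,
record crashes, repeat. Added example, not code from the slides or MiniFuzz.
The toy target and the sample 'file' are constructed for this demo."""
import random
import struct
import subprocess
from collections import defaultdict


def mutate(data: bytes, rng=None, n_mutations: int = 3) -> bytes:
    """Overwrite a few random bytes. Length is preserved, so the file keeps
    its overall shape; that is all 'dumb' fuzzing knows about the format."""
    if rng is None:
        rng = random.Random()
    buf = bytearray(data)
    for _ in range(n_mutations):
        pos = rng.randrange(len(buf))
        kind = rng.randrange(3)
        if kind == 0:
            buf[pos] ^= 1 << rng.randrange(8)                 # single bit flip
        elif kind == 1:
            buf[pos] = rng.choice((0x00, 0x7F, 0x80, 0xFF))   # boundary values
        else:
            buf[pos] = rng.randrange(256)                      # arbitrary byte
    return bytes(buf)


def make_sample(n_records: int = 6, payload_len: int = 10) -> bytes:
    """Constructed well-formed input: records of [u16 BE length][payload]."""
    record = struct.pack(">H", payload_len) + bytes(range(payload_len))
    return record * n_records


def toy_parser(data: bytes) -> int:
    """Constructed stand-in for the real target. It trusts every length
    field, so a mutated length past end-of-file raises IndexError, which
    plays the role of the access violation a native parser would hit."""
    pos, records = 0, 0
    while pos < len(data):
        (length,) = struct.unpack_from(">H", data, pos)
        end = pos + 2 + length
        _ = data[end - 1]          # unchecked read at the claimed record end
        pos, records = end, records + 1
    return records


def fuzz(sample: bytes, target, iterations: int = 500, seed: int = 1) -> dict:
    """The loop from the slide: mutate -> run target -> record crash -> repeat.
    Crashes are bucketed by exception type, a crude stand-in for the
    stack-hash triage MiniFuzz or !exploitable would do on a real crash."""
    rng = random.Random(seed)
    buckets = defaultdict(list)
    for _ in range(iterations):
        case = mutate(sample, rng)
        try:
            target(case)
        except Exception as exc:   # in-process equivalent of 'the target died'
            buckets[type(exc).__name__].append(case)
    return dict(buckets)


# NTSTATUS values a Windows process exits with when an unhandled exception
# kills it (from ntstatus.h): access violation, stack buffer overrun (/GS),
# stack overflow, breakpoint. Seeing one as an exit code means 'crash'.
CRASH_EXIT_CODES = {0xC0000005, 0xC0000409, 0xC00000FD, 0x80000003}


def run_external(exe_path: str, case_path: str, timeout: float = 5.0) -> bool:
    """Run a real target on a mutated file on disk and report whether it died
    from an unhandled exception. Assumption (not exercised here): the target
    takes the file as its first argument. A GUI player that opens the file
    fine simply keeps running, so a timeout is treated as 'no crash'."""
    try:
        proc = subprocess.run([exe_path, case_path], timeout=timeout,
                              capture_output=True)
    except subprocess.TimeoutExpired:
        return False
    return (proc.returncode & 0xFFFFFFFF) in CRASH_EXIT_CODES


if __name__ == "__main__":
    sample = make_sample()
    found = fuzz(sample, toy_parser, iterations=300)
    for kind, cases in found.items():
        print("%s: %d crashing inputs, first: %s" % (kind, len(cases), cases[0].hex()))
```

Bucketing by exception type (or, for a native target, by a hash of the top stack frames) is what keeps "hundreds of crashes" from being hundreds of copies of the same bug; the crashing inputs are kept so each bucket can be replayed under a debugger.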
Visual Representation
[Diagram: Sample.mp3 -> Fortissimo.exe -> Sample.mp3]
Slide 11
Visual Representation
[Diagram: Sample.mp3 -> MiniFuzz.exe -> corrupted Sample.mp3 -> Fortissimo.exe: “Excuse me, your file is corrupt.”]
Slide 12
Visual Representation
[Diagram: Sample.mp3 -> MiniFuzz.exe -> corrupted Sample.mp3 -> Fortissimo.exe: SEGFAULT]
Slide 13
Using MiniFuzz to Find Bugs
Slide 14
Enhance!
Slide 15
MiniFuzz output
Slide 16
Closer Look at the Crashes
None in Fortissimo … but id3lib.dll? Wat
id3lib.dll is the one .dll that Fortissimo includes
Slide 17
What is id3lib.dll?
Slide 18
A Crash
Slide 19
Another Crash
Slide 20
At the Top Level – Fortissimo.exe
We crash in this call (ID3_Tag object initialization)
Slide 21
id3lib.dll
There must be issues in id3lib.dll’s ability to parse malformed ID3 tags in .MP3 files
Open source!
Start from the ID3_Tag() initialization routine and work your way down, looking for its parsing calls… or try static analysis tools!
http://sourceforge.net/projects/id3lib/
Slide 22
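An added example, not code from id3lib or from the original slides, of what "parsing a malformed tag" has to guard against: a small ID3v2.3 tag parser in Python with the bounds checks a dumb fuzzer will exercise (syncsafe tag size, frame sizes that run past the end of the tag, truncated frame headers, junk inside padding). The sample tags are constructed inline. It shows the checks such a parser needs when walking fuzzed input, not the specific crashes found in id3lib.

```python
"""ID3v2.3 tag parser with explicit bounds checks. Added example, not code
from id3lib or from the slides; the sample tags below are constructed."""
import struct


class MalformedTag(ValueError):
    """Every inconsistency ends here, never in an out-of-bounds read."""


def syncsafe_to_int(raw: bytes) -> int:
    """Tag sizes use 7 bits per byte (bit 7 clear) so the tag can never
    contain a false MP3 frame sync (0xFF 0xFx)."""
    if len(raw) != 4 or any(b & 0x80 for b in raw):
        raise MalformedTag("size bytes are not syncsafe: %s" % raw.hex())
    return (raw[0] << 21) | (raw[1] << 14) | (raw[2] << 7) | raw[3]


def int_to_syncsafe(n: int) -> bytes:
    if not 0 <= n < (1 << 28):
        raise ValueError("size does not fit in 28 bits")
    return bytes((n >> shift) & 0x7F for shift in (21, 14, 7, 0))


def parse_id3v2(data: bytes) -> list:
    """Return [(frame_id, payload), ...] for the ID3v2.3 tag at the start of
    `data`, or raise MalformedTag. Each size field is checked against the
    bytes actually present before it is used as an offset."""
    if len(data) < 10 or data[:3] != b"ID3":
        raise MalformedTag("no ID3v2 header")
    major, flags = data[3], data[5]
    if major != 3:
        raise MalformedTag("unsupported ID3v2.%d" % major)
    if flags & 0xC0:
        raise MalformedTag("unsynchronisation/extended header not handled here")
    tag_size = syncsafe_to_int(data[6:10])
    end = 10 + tag_size
    if end > len(data):
        raise MalformedTag("tag size %d exceeds file" % tag_size)
    frames, pos = [], 10
    while pos < end:
        if data[pos] == 0:                      # padding: must be zeros to the end
            if any(data[pos:end]):
                raise MalformedTag("non-zero bytes inside padding at %d" % pos)
            break
        if end - pos < 10:
            raise MalformedTag("truncated frame header at %d" % pos)
        frame_id = data[pos:pos + 4]
        if not all(0x30 <= c <= 0x39 or 0x41 <= c <= 0x5A for c in frame_id):
            raise MalformedTag("bad frame id %r at %d" % (frame_id, pos))
        (frame_size,) = struct.unpack_from(">I", data, pos + 4)   # v2.3: plain 32-bit BE
        # Compare against the room left rather than computing pos+10+size:
        # in C that addition can wrap and the check silently passes.
        if frame_size == 0 or frame_size > end - (pos + 10):
            raise MalformedTag("frame %s size %d runs past tag end"
                               % (frame_id.decode(), frame_size))
        frames.append((frame_id.decode(), data[pos + 10:pos + 10 + frame_size]))
        pos += 10 + frame_size
    return frames


def build_tag(frames, padding: int = 0, trailer: bytes = b"") -> bytes:
    """Constructed ID3v2.3 tag; `trailer` lets a test plant junk after the frames."""
    body = b"".join(fid.encode() + struct.pack(">I", len(p)) + b"\x00\x00" + p
                    for fid, p in frames)
    body += b"\x00" * padding + trailer
    return b"ID3\x03\x00\x00" + int_to_syncsafe(len(body)) + body


def check(data: bytes) -> str:
    """'ok: N frames' or 'malformed: <reason>'; handy for triaging fuzz cases."""
    try:
        return "ok: %d frames" % len(parse_id3v2(data))
    except MalformedTag as exc:
        return "malformed: %s" % exc


GOOD = build_tag([("TIT2", b"\x00Test"), ("TPE1", b"\x00Someone")], padding=16)

if __name__ == "__main__":
    oversize = bytearray(GOOD)
    struct.pack_into(">I", oversize, 14, 0x7FFFFFFF)   # first frame's size field
    not_syncsafe = bytearray(GOOD)
    not_syncsafe[6] = 0xFF                              # high bit set in tag size
    cases = [("good", GOOD), ("oversize frame", bytes(oversize)),
             ("non-syncsafe size", bytes(not_syncsafe)),
             ("truncated file", GOOD[:-20]),
             ("truncated frame header",
              build_tag([("TIT2", b"\x00Test")], trailer=b"TXXX\x00\x00"))]
    for name, case in cases:
        print("%-24s %s" % (name, check(case)))
```

The single most useful check is the frame-size one: a v2.3 frame size is a plain 32-bit value, so one mutated byte can claim gigabytes, and a parser that adds it to the current offset before comparing (or copies the frame into a buffer sized from it) is exactly what a dumb fuzzer hits first.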
Conclusion
Dumb fuzzing works, but can be slow
Use targeted fuzzing next time (e.g. Peach Fuzzer)
Fortissimo: its basic media handling at least stands up to short-term dumb fuzzing
I’m sure there are bugs in the skin & playlist handling
The id3lib.dll library definitely has issues