Independent - PowerPoint Presentation
Uploaded by debby-jeon on 2016-04-22



Presentation Transcript

Slide 1

Independent Study: End of Semester Presentation

'Windows Exploitation', Spring 2014
By: Markus Gaasedelen

Markus Gaasedelen - 5/7/2014

Windows Exploitation

Slide 2

Goals of This Study

‘… This course will explore the tools, a number of mitigations, and their associated bypass techniques that are utilized in most modern exploits on the Windows platform. The outcome of this course will leave one with the ability to analyze real world vulnerabilities and develop reliable exploits from end to end for Windows XP – Windows 7 systems.’

-Course Abstract

Slide 3

Course Details & Materials

http://gaasedelen.blogspot.com/ - my security-related blog; includes extended homework write-ups
http://security.cs.rpi.edu/~gaasem/winexp/ - includes my course syllabus, plan of study, and the graded deliverables for the course

Slide 4

Real bugs, real crashes
Deliverable #4

Slide 5

Deliverable #4: 'Unique Bugs & Crashes'

Find a piece of shareware, or some other application that you feel should have some bugs that aren't too crazy to discover, and see what you can find.

Slide 6

Target: Fortissimo
http://www.softpedia.com/get/Multimedia/Audio/Audio-Players/Fortissimo.shtml

Slide 7

Attack surface

Media files: .mp3 & .wav files
Playlist files
Media player skins
... others?

Slide 8

Keep it simple, stupid
Dumb fuzzing for crashes

Slide 9

Dumb Fuzzing

Given a sample file, change random data in it
Use the corrupted file as input to the target
???? (watch what the target does with it)
Repeat
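The loop on this slide, written out as an added example for this page in Python. It is not the presentation's code and it is not MiniFuzz: the target path, the sample file name, the assumed command line (exe followed by the file) and the practice of reading the exit status to spot a crash are all assumptions for illustration. The mutation step is deterministic per seed so that any crashing case can be regenerated from its index instead of being saved.

```python
"""Dumb mutation-fuzzing loop: sample -> corrupt -> run target -> check for a
crash -> repeat. Added example, not the presentation's code and not MiniFuzz.
The target path, sample file name and exit-status convention are assumptions.
"""
import random
import subprocess
from pathlib import Path
from typing import Callable, List, Tuple

# NTSTATUS codes a Windows process exits with when an unhandled exception
# kills it; subprocess reports them as unsigned 32-bit return codes.
FATAL_NTSTATUS = {
    0xC0000005,  # STATUS_ACCESS_VIOLATION (the "SEGFAULT" on the slides)
    0xC000001D,  # STATUS_ILLEGAL_INSTRUCTION
    0xC00000FD,  # STATUS_STACK_OVERFLOW
    0xC0000374,  # STATUS_HEAP_CORRUPTION
    0xC0000409,  # STATUS_STACK_BUFFER_OVERRUN (/GS cookie check failed)
}


def is_crash(returncode: int) -> bool:
    """True when the exit status looks like a crash, not a clean exit.
    Negative codes are POSIX signal deaths (-11 == SIGSEGV)."""
    if returncode < 0:
        return True
    return (returncode & 0xFFFFFFFF) in FATAL_NTSTATUS


def mutate(data: bytes, seed: int, max_edits: int = 8) -> bytes:
    """Return a corrupted copy of `data`, reproducible from `seed`.
    Mostly random byte flips; sometimes a chunk is duplicated in place or
    the file is truncated, which is what upsets parsers that trust length
    fields. The result is guaranteed to differ from the input."""
    if not data:
        raise ValueError("need a non-empty sample")
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_edits)):
        roll = rng.random()
        if roll < 0.80 or len(buf) < 4:
            i = rng.randrange(len(buf))
            buf[i] ^= rng.randrange(1, 256)            # flip some bits
        elif roll < 0.90:
            start = rng.randrange(len(buf) - 1)
            end = rng.randrange(start + 1, min(len(buf), start + 64) + 1)
            buf[start:start] = buf[start:end]          # duplicate a chunk
        else:
            del buf[rng.randrange(1, len(buf)):]       # truncate the file
    if bytes(buf) == data:       # two flips cancelled out; force a change
        buf[0] ^= 0x01
    return bytes(buf)


def fuzz(sample: bytes, run_case: Callable[[bytes], int],
         iterations: int, seed: int = 0) -> List[Tuple[int, bytes]]:
    """The loop from the slide. `run_case` feeds one corrupted file to the
    target and returns its exit status. Each iteration derives its own seed
    from (seed, index), so a crash can be regenerated without saving it."""
    crashes = []
    for i in range(iterations):
        case = mutate(sample, seed * 1_000_003 + i)
        if is_crash(run_case(case)):
            crashes.append((i, case))
    return crashes


def make_windows_runner(target_exe: str, work_file: Path,
                        timeout_s: float = 5.0) -> Callable[[bytes], int]:
    """Build a run_case for a GUI target (assumed command line: exe <file>).
    A media player never exits by itself, so surviving until the timeout
    counts as 'no crash' and the process is killed."""
    def run_case(case: bytes) -> int:
        work_file.write_bytes(case)
        proc = subprocess.Popen([target_exe, str(work_file)])
        try:
            return proc.wait(timeout=timeout_s)
        except subprocess.TimeoutExpired:
            proc.kill()
            proc.wait()
            return 0
    return run_case


if __name__ == "__main__":
    # Assumed paths for illustration; not from the presentation.
    sample = Path("Sample.mp3").read_bytes()
    runner = make_windows_runner(r"C:\Program Files\Fortissimo\Fortissimo.exe",
                                 Path("fuzzcase.mp3"))
    for idx, case in fuzz(sample, runner, iterations=500, seed=1):
        Path(f"crash_{idx:04d}.mp3").write_bytes(case)
        print(f"case {idx} crashed the target")
```

Two caveats for a real run on Windows. The Windows Error Reporting dialog keeps a crashed process alive until someone clicks it, so the runner above would time out and call that case "no crash"; either set DontShowUI under HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting to 1 or, as MiniFuzz does, run the target under a debugger and catch the exception directly. And the timeout is doing double duty (hang versus happy playback), so keep it short and confirm any "crash" by replaying the saved case by hand.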

Slide 10

Visual Representation
Diagram: Sample.mp3 -> Fortissimo.exe

Slide 11

Visual Representation
Diagram: Sample.mp3 -> MiniFuzz.exe -> corrupted Sample.mp3 -> Fortissimo.exe -> "Excuse me, your file is corrupt."

Slide 12

Visual Representation
Diagram: Sample.mp3 -> MiniFuzz.exe -> corrupted Sample.mp3 -> Fortissimo.exe -> SEGFAULT

Slide 13

Using MiniFuzz to Find Bugs

Slide 14

Enhance!

Slide 15

MiniFuzz output

Slide 16

Closer Look at the Crashes

None in Fortissimo … but id3lib.dll? Wat
id3lib.dll is the one .dll that Fortissimo includes

Slide 17

What is id3lib.dll?

Slide 18

A Crash

Slide 19

Another Crash

Slide 20

At the Top Level – Fortissimo.exe

We crash in this call (ID3_Tag object initialization)

Slide 21

id3lib.dll

There must be issues in id3lib.dll's ability to parse malformed ID3 tags in .mp3 headers
Open source! http://sourceforge.net/projects/id3lib/
Start from the ID3_Tag() initialization routine and work your way down, looking for its parsing calls… or try static analysis tools!
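Walking down from ID3_Tag() is easier if you know what a correct walk of the tag looks like and where a fuzzed byte lands. The block below is an added example in Python, not id3lib's code; the slides do not identify which check id3lib lacks and the example does not claim to. It puts a bounds-checked ID3v2.3 frame walker next to a walk that trusts the size fields, and runs both on a constructed tag with one corrupted byte in a frame's size field. The helper names and the sample tag are assumptions; unsynchronisation and extended headers are deliberately left unhandled.

```python
"""ID3v2.3 tag walker with bounds checks beside a 'trusting' walk.
Added example, not id3lib's code; the slides do not say which check id3lib
lacks, this only shows the failure class a fuzzed size byte triggers.
Unsynchronisation and extended headers are deliberately not handled."""
import struct
from typing import List, Tuple

Frame = Tuple[str, bytes]


def synchsafe_to_int(b: bytes) -> int:
    """Tag size: four 7-bit bytes (bit 7 of each must be clear)."""
    if len(b) != 4 or any(x & 0x80 for x in b):
        raise ValueError("tag size is not synchsafe")
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def int_to_synchsafe(n: int) -> bytes:
    if not 0 <= n < (1 << 28):
        raise ValueError("size out of synchsafe range")
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def build_tag(frames: List[Frame], padding: int = 0) -> bytes:
    """Constructed test input: ID3v2.3 header + frames + zero padding.
    Frame layout: 4-byte id, 4-byte big-endian size, 2 flag bytes, data."""
    body = b"".join(fid.encode("ascii") + struct.pack(">I", len(data))
                    + b"\x00\x00" + data for fid, data in frames)
    body += b"\x00" * padding
    return b"ID3\x03\x00\x00" + int_to_synchsafe(len(body)) + body


def parse_tag_checked(data: bytes) -> List[Frame]:
    """Walk the frames, refusing any size that points outside the buffer."""
    if len(data) < 10 or data[:3] != b"ID3":
        raise ValueError("no ID3v2 header")
    major, flags = data[3], data[5]
    if major != 3:
        raise ValueError(f"unsupported ID3v2.{major}")
    if flags:
        raise ValueError("header flags (unsync/extended) not handled here")
    size = synchsafe_to_int(data[6:10])
    if 10 + size > len(data):                 # truncated file or lying header
        raise ValueError(f"tag claims {size} bytes, only {len(data) - 10} present")
    tag = data[10:10 + size]
    frames, pos = [], 0
    while pos + 10 <= len(tag):
        fid = tag[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":        # start of padding
            break
        if not all(0x41 <= c <= 0x5A or 0x30 <= c <= 0x39 for c in fid):
            raise ValueError(f"bad frame id {fid!r} at offset {pos}")
        fsize = struct.unpack(">I", tag[pos + 4:pos + 8])[0]
        if fsize == 0 or pos + 10 + fsize > len(tag):   # the check fuzzing finds missing
            raise ValueError(f"frame {fid.decode()} size {fsize} runs past the tag")
        frames.append((fid.decode(), tag[pos + 10:pos + 10 + fsize]))
        pos += 10 + fsize
    return frames


def is_rejected(data: bytes) -> bool:
    try:
        parse_tag_checked(data)
        return False
    except ValueError:
        return True


def declared_frame_sizes_naive(data: bytes) -> List[Tuple[str, int, int]]:
    """Walk the frames trusting every length field, as a parser with no bounds
    checks does, and report (id, declared size, bytes past the end of the tag).
    In native code that last number is the size of the out-of-bounds read or
    copy that a single fuzzed byte buys the attacker."""
    size = synchsafe_to_int(data[6:10])
    tag = data[10:10 + size]
    out, pos = [], 0
    while pos + 10 <= len(tag) and tag[pos:pos + 4] != b"\x00\x00\x00\x00":
        fid = tag[pos:pos + 4].decode("latin-1")
        fsize = struct.unpack(">I", tag[pos + 4:pos + 8])[0]
        out.append((fid, fsize, max(0, pos + 10 + fsize - len(tag))))
        pos += 10 + fsize
    return out


if __name__ == "__main__":
    good = build_tag([("TIT2", b"\x00Song"), ("TPE1", b"\x00Band")], padding=4)
    fuzzed = bytearray(good)
    fuzzed[14] = 0x7F          # one byte of the first frame's size field
    print(parse_tag_checked(good))
    print(is_rejected(bytes(fuzzed)), declared_frame_sizes_naive(bytes(fuzzed)))
```

The two inputs that matter are the ones dumb fuzzing produces most often: a flipped byte in a size field, which the trusting walk turns into a read of roughly 2 GB past the tag, and a truncated file, where the header's declared tag size exceeds what is actually present. Any parsing call reached from ID3_Tag() that reads a length and then indexes without comparing it to the remaining bytes is a candidate for the crashes on the previous slides.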

Slide 22

Conclusion

Dumb fuzzing works, but it can be slow
Use targeted, model-based fuzzing next time (e.g. Peach)
Fortissimo: its basic media handling at least stands up to short-term dumb fuzzing
I'm sure there are bugs in the skin & playlist handling
The id3lib.dll library definitely has issues