WinDBG Scripting, finding ROP gadgets

Finding all ROP gadgets with windbg using only windbg scripting? It can be done.


!for_each_module ".if(not(wo(dwo(${@#Base}+0x3c)+${@#Base}+46+18) & 0x40)) {r @$t3 = @#End - @#Base;.foreach /s (retn \"C2 C3\") {.foreach (f {s -[1]b @#Base L@$t3 ${retn}}) {.for(r @$t0 = 1; @$t0 < 4; r @$t0 = @$t0 + 1) {r @$t1 = 0;.foreach (g {.catch {u f - @$t0 L@$t0+1}}) {.if($spat(\"${g}\", \"*ret*\") != 0) {r @$t1 = 1}};.if(@$t1 == 1) {.printf \"---------------------- size %x\", @$t0;.echo;.catch {u f - @$t0 L@$t0+1}}}}}}"

or broken down:


!for_each_module "
  .if(not(wo(dwo(${@#Base}+0x3c)+${@#Base}+46+18) & 0x40)) {
    r @$t3 = @#End - @#Base;
    .foreach /s (retn \"C2 C3\") {
      .foreach (f {s -[1]b @#Base L@$t3 ${retn}}) {
        .for(r @$t0 = 1; @$t0 < 4; r @$t0 = @$t0 + 1) {
          r @$t1 = 0;
          .foreach (g {.catch {u f - @$t0 L@$t0+1}}) {
            .if($spat(\"${g}\", \"*ret*\") != 0) {
              r @$t1 = 1
            }
          };
          .if(@$t1 == 1) {
            .printf \"---------------------- size %x\", @$t0;
            .echo;
            .catch {u f - @$t0 L@$t0+1}
          }
        }
      }
    }
  }
"

or even further broken down:


  .if(not(wo(dwo(${@#Base}+0x3c)+${@#Base}+46+18) & 0x40)) {
    r @$t3 = @#End - @#Base;

for each module read the offset to the PE Headerdwo(${@#Base}+0x3c) then add that offset to the base, then move up 0x18 to reach the Optional PE Header, then fetch the word at offset 0x46 of the Optional PE Header (DllCharacteristics) then check for the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 flag. Set @$t3 to reflect the size of the image to be used later in the C3 byte search.

this is followed by: .foreach /s (retn \"C2 C3\") which sets the variable 'retn' first to C2 and then to C3

Then .foreach (f {s -[1]b @#Base L@$t3 ${retn}}) will run the command s -[1]b @#Base L@$t3 C2 (or C3 depending on retn) and for ever line in the result its set the variable 'f' to be used later on.
's' will search memory, -[1] means: only list the addresses you find, and 'b' means search for bytes. So we search for all occurences of 'C3' and fetch the addresses into 'f'

.for(r @$t0 = 1; @$t0 < 4; r @$t0 = @$t0 + 1) {

We want to dissassmble a few bytes back from the C3 we found, so we do 1 - 3 bytes back from where we found the C3


       .foreach (g {.catch {u f - @$t0 L@$t0+1}}) {
          .if($spat(\"${g}\", \"*ret*\") != 0) {
            r @$t1 = 1
          }

This dissasembles and then checks if we do indeed have a 'ret' in the dissambled code. Future addition: look for ??? in output before the 'ret'

This it work? Yes it does. Sortofish. It will dissasemble more then it should since the 'u' command doesnt take a byte length but and instruction length. And just dumping all the gadgets on the commandline is silly so you might want to add and .logopen and .logclose to the script.

I wrote it mostly for fun and to show it is possible to do a bit more with windbg scripts then just set some breakpoints.

also:


!for_each_module ".if(wo(dwo(${@#Base}+0x3c)+${@#Base}+46+18) & 0x40) { .echo \"${@#ModuleName}: aslr\"; } .else { .echo \"${@#ModuleName} NO ASLR\"; };"

Will dump all the modules and state if they do or dont have ASLR
Or, small enough to fit into 140 chars:


!for_each_module ".if(not(wo(dwo(${@#Base}+0x3c)+${@#Base}+46+18)&0x40)){.echo \"${@#ModuleName} NO ASLR\";};"

PoC for MS10-071

Here is a PoC for MS10-071
Its nice vulnerability that allows for information disclosure and triggering a use-after-free. The PoC should be able to fetch the address for mshtml.dll and then trigger a use-after-free ending the execution at eip 0×41414141 or referencing a vftable at 0×41414141 I forgot what it did.
Anyways, no explanations only the source of the PoC.

PoC: ms10-071.txt

MS11-002 Pwn2Own heap overflow

Today Microsoft patched the heap overflow I used in pwn2own 2010. The vulnerability was a int wrap during heap allocation. The small allocation was later used to store a bit more information then would fit in there.

More specifically:

< ?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid1">
<Devices>
<Device>
<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA />
</Device>
</Devices>
</XML></pre>

Inside an HTML file would give you access to what is called an XML Data Island. This is actually acts as an database interface. You can query the XML data, retrieve rows and data and add more rows. The underlying object is an MSAdo object. Read the rest of this entry »

IDAPython script to copy cursor location to clipboard

Below is a small IDAPython script that will copy the location of the current address you are looking at to your windows clipboard.
I use it to copy paste from IDA to WinDBG which is why it currently uses ‘module + offset’, for example ‘ntdll + 0×1234′. This way it doesn’t matter if the module in WinDBG is loaded at a different offset then your module in IDA.

import idaapi
import ctypes

COPYHOTKEY = 'z'

strcpy = ctypes.cdll.msvcrt.strcpy
ocb = ctypes.windll.user32.OpenClipboard    #Basic Clipboard functions
ecb = ctypes.windll.user32.EmptyClipboard
gcd = ctypes.windll.user32.GetClipboardData
scd = ctypes.windll.user32.SetClipboardData
ccb = ctypes.windll.user32.CloseClipboard
ga = ctypes.windll.kernel32.GlobalAlloc    # Global Memory allocation
gl = ctypes.windll.kernel32.GlobalLock     # Global Memory Locking
gul = ctypes.windll.kernel32.GlobalUnlock
GMEM_DDESHARE = 0x2000 

def Paste( data ):
  ocb(None) # Open Clip, Default task
  ecb()
  hCd = ga( GMEM_DDESHARE, len(data)+1 )
  pchData = gl(hCd)
  strcpy(ctypes.c_char_p(pchData),data)
  gul(hCd)
  scd(1,hCd)
  ccb()

def CopyEA():
  myModuleName = GetInputFile()
  MyModuleShortName = re.sub(r'\.[^.]*$','',GetInputFile())
  myModuleBase = idaapi.get_imagebase()
  myOffset = ScreenEA() - myModuleBase
  Paste(MyModuleShortName + " + " + hex(myOffset))

print "Press '%s' to copy location of effective address to clipboard()"%COPYHOTKEY
idaapi.CompileLine('static _copy_ea() { RunPythonStatement("CopyEA()"); }')
idc.AddHotkey(COPYHOTKEY,"_copy_ea")

Its maybe a little bit ugly, but the other option to use the clipboard was to install Python for Win32.
Feel free to use and change it into what ever you need.

Java midi parse vulnerabilities

Index

  1. Introduction
  2. Basic information on Java
  3. Java and sound files
  4. Null byte write to stack
  5. User supplied function pointer call
  6. Heap overflow
  7. Links

Introduction

A while back I found some vulnerabilities in the way java handles certain audio files. Those problems were fixed in Java update 19, and since anyone who did not yet install Java update 20 is being exploited anyways I figured I might as well write down all the details.

Once it was believed that Java was safe from buffer overflows, and while that might still be the case for the actual Java classes, it is not the case for the underlying native code. For those who weren’t aware, the core Java functionality actually exists of both java class files and C-code containing the code for the native functions. This native functions are vulnerable to everything your average C-code can be vulnerable to. And since the Java dll files are compiled without any protection like ALSR or DEP, any vulnerability is pretty easy to exploit. I poked around in the native code for a bit and found some nice vulnerabilities. 3 of those I will try to explain here.
Read the rest of this entry »

Old bugs: YaBB

I decided to write up on some old and funny bugs I found a while back. Starting today with ‘remote’ code execution in YaBB version 2.2 the problem is fixed in 2.4 (or so it seems at first glance)

YaBB (yet another bulletin board) is as the name says a bulletin board. Its written in perl which is nice since I do work a lot with perl making it easier for me to rush through the code for problems.
YaBB doesn’t use a database, but it saves all information in plain text files. Every user has a text file with his/her user data, and every other data is stored in text files as well.

YaBB pages are actually perl code that gets executed and the resulting html is then parsed again for special tags. So if we can find a way to edit those templates we can run perl code with the rights of the webuser. Read the rest of this entry »

ICQ Exploit CVE-2006-5650

I’ll kick off with imho one of my more interresting findings. Its not interresting due to the nature of the vulnerability, but due to the possible impact. It was quite some time ago already, back in the summer of 2006 when I was looking into COM objects that came installed with ICQ. If you’re unfamiliair with COM objects and how that ‘sneak’ in with program installations, I suggest you read this article. Anyway, installing ICQ added a few COM objects that were accesible as ActiveX Objects in IE6 without warning. Most of them were a bit boring, but there was a nice design error in one of them.

The object in question had CLSID: 54BDE6EC-F42F-4500-AC46-905177444300 and ws also accesible under the name ‘ICQPhone.SipxPhoneManager’

It exposed a function called ‘DownloadAgent’ wich had one parameter. The string you entered as parameter would be used as a URL and the location of the URL would be downloaded to the local machine and then run.
Read the rest of this entry »

How it began

Although this is my first post I have been searching for vulnerabilities since 1998. Back then it was mostly unsafe php includes and evals,  and there were a lot them. I can remember them all, but funnily enough some still show up in google searches. But I doubt anyone will be interrested in those anymore so I’ll try to write more about my recent work. Most of my research I sell to either ZDI or iDefense so I wont be able to disclose much of them untill they are published. But since Im not a strong believer in fulldisclosure anyway I have no problem with that :) For some of my work I will post POC and detailed analyses when I have the time, others I wont even mention.

Recently I found quite a few holes in IE8, but since all most of them are still being undisclosed I wont post anything about those yet. I will start soon with some posts about older stuff just to get the hang of it for myself.

For those who are interrested: here is a quick list of my findings.