Similar to the discussion in class, the homework-re-fall2011 binary implements a basic network service. Find and describe the buffer overflow vulnerability in this service.
General Purpose References
- Assembly Community
- TippingPoint DVLabs Blog
- Security Research Presentations by Alex Sotirov
- Compiler Optimizations for Reverse Engineers by Rolf Rolles
- The ReverseEngineering reddit
- The Binary Auditor, Dr. Thorsten Schneider
- Tuts 4 You: Lena's Reversing for Newbies
- Mac OS X Reversing Tutorial for Newbies, by Fractal Guru
- From Patch to Proof-of-Concept: MS10-081
The University of Helsinki and F-Secure 'Malware Analysis and Antivirus Technologies' open course
- Reverse Engineering 101 video and slides (download)
- Reverse Engineering 102 video and slides (download)
- Show the upgraph and downgraph of the _strcpy function and take a screenshot
To do this, open the GreenMan executable in IDA and go to the Names windows (View -> Open Subviews -> Names). Find the _strcpy function (use alt+t to search and ctrl+t to advance to the next search result). Double-click _strcpy once you've located it. You should notice that the entire strcpy function is defined within the binary due to static linking. At this point, show the upgraph and the downgraph and take a screenshot.
- Identify a buffer that is being manipulated in a function that uses strcpy and take a screenshot
Now, we want to check out all the functions that call _strcpy. Close the upgraph and then show the xrefs to _strcpy by pressing X with the _strcpy function selected. Go to the first call to _strcpy. Determine the size of the buffer passed to _strcpy. Double-click the stack variable, do you remember how to resize arrays? Resize the array and take a screenshot of the resized array in the stack view.
- Identify a programming flaw in a function that uses strcpy and take a screenshot
Finally, we know the function calling _strcpy is passing a char * as the dest buffer, and the source buffer is passed as an argument to the function. We know the source buffer is a char * as well so change the function prototype of the function that calls _strcpy. You can change the prototype by pressing Y on the function. Take a screen shot of the changed prototype.
NOTE: Due to a discrepancy in features between IDA Free and IDA Pro, the _strcpy function will not be automatically recognized in IDA Free. To find it, press 'g' and enter the address '004013A0' to jump to the beginning of the _strcpy function (IDA Free is not able to recognize this function, so it generically names it sub_4013A0). You can press 'n' to rename the function to _strcpy. The _strcpy function name should now appear in the Names window.
If you want to follow the original instructions, you can download the IDA Pro Demo but watch out for the timeouts if you do this.
- Reverse Engineering 101 video and slides
- Reverse Engineering 102 videos part 1 and part 2 and slides
The homework this semester was to answer the following five questions with the lab VM (Windows 2000):
- Describe the process you would follow to investigate whether the "Print Spooler" service would be an interesting service to audit (list all tools, gathered information). Google for 'foo.exe vulnerability' where foo.exe is the Print Spooler process name. What is the first result?
- Locate and identify the process that maintains a handle to the wkssvc named pipe. What is the name of its parent process?
- Describe why it is important to locate an object's constructor and destructor methods within a binary when looking for vulnerabilities. (hint: the Fortify VulnCat might be able to help again)
- In IDA Pro, open C:\Windows\system32\ieframe.dll. When the 'load a new file' dialog pops up, just click OK. Give IDA a minute to analyze the binary. Then go to the Exports view (View -> Open subviews->Exports). Sort them by name by clicking on the Name column. What is the name of the first exported function in that list?
- Double-click that function to jump to the function definition in the disassembly. How many arguments does this function take? Which function does this function call in to? (note the only call instruction in the function)