Windows Exploitation 1
Independent Study
End of Semester Presentation
‘Windows Exploitation’
Spring 2014
By: Markus Gaasedelen
Markus Gaasedelen - 5/7/2014
Windows Exploitation 2
Goals of This Study
‘… This course will explore the tools, a number of mitigations, and their associated bypass techniques that are utilized in most modern exploits on the Windows platform. The outcome of this course will leave one with the ability to analyze real world vulnerabilities and develop reliable exploits from end to end for Windows XP – Windows 7 systems.’
– Course Abstract
Windows Exploitation 3
Course Details & Materials
• http://gaasedelen.blogspot.com/
– My security related blog
– Includes extended homework write-ups
• http://security.cs.rpi.edu/~gaasem/winexp/
– Includes my course syllabus & plan of study
– Graded deliverables for the course
Windows Exploitation 4
REAL BUGS, REAL CRASHES
Deliverable #4
Windows Exploitation 5
Deliverable #4
• ‘Unique Bugs & Crashes’
– Find a piece of shareware, or some other application that you feel should have some bugs that aren’t too crazy to discover, and see what you can find.
Windows Exploitation 6
Target: Fortissimo
http://www.softpedia.com/get/Multimedia/Audio/Audio-Players/Fortissimo.shtml
Windows Exploitation 7
Attack surface
• Media files, .mp3 & .wav files
• Playlist files
• Media player skins
• … others?
Windows Exploitation 8
KEEP IT SIMPLE STUPID
Dumb fuzzing for crashes
Windows Exploitation 9
Dumb Fuzzing
1. Given a sample file, change random data in it
2. Use corrupted files as input to target
3. ????
4. Repeat
Windows Exploitation 10
Visual Representation
[Diagram; labels in order: Sample.mp3, Fortissimo.exe, Sample.mp3]
Windows Exploitation 11
Visual Representation
[Diagram; labels in order: Sample.mp3, Fortissimo.exe, Sample.mp3, MiniFuzz.exe, Sample.mp3, “Excuse me, your file is corrupt.”]
Windows Exploitation 12
Visual Representation
[Diagram; labels in order: Sample.mp3, Fortissimo.exe, Sample.mp3, MiniFuzz.exe, Sample.mp3, SEGFAULT]
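The four-step loop from the “Dumb Fuzzing” slide and the three diagrams, written out as a small harness. This is an added example, not the deck’s MiniFuzz workflow and not code from Fortissimo or id3lib; the target command line, the seed file and the output directory are assumptions supplied by the caller, and the “targeted” `region` option is a nod to the conclusion slide rather than anything the deck implements.

```python
"""Dumb file fuzzer: mutate random bytes of a seed file, hand the mutant to
the target, check how the target died, repeat.  Added example; the target
command, seed path and output directory are caller-supplied assumptions."""
import os
import random
import subprocess
import sys
from typing import Dict, List, Optional, Tuple

# NTSTATUS values a crashing Windows process usually reports as its exit code.
STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409   # /GS cookie check failure


def mutate(data: bytes, n_bytes: int = 8, region: Optional[Tuple[int, int]] = None,
           rng: Optional[random.Random] = None) -> bytes:
    """Copy `data` with up to `n_bytes` randomly chosen bytes overwritten (step 1).
    `region=(start, end)` confines the mutation, e.g. to the tag header, which is
    the cheapest form of the 'targeted' fuzzing the conclusion slide mentions."""
    if not data:
        return data
    if rng is None:
        rng = random.Random()
    buf = bytearray(data)
    lo, hi = region if region else (0, len(buf))
    hi = min(hi, len(buf))
    for _ in range(n_bytes):
        buf[rng.randrange(lo, hi)] = rng.randrange(256)
    return bytes(buf)


def classify(returncode: Optional[int]) -> str:
    """Turn a process exit status into 'ok', 'crash' or 'hang' (step 3)."""
    if returncode is None:
        return "hang"                                  # killed after timeout
    if returncode < 0:
        return "crash"                                 # POSIX: terminated by a signal
    if (returncode & 0xFFFFFFFF) in (STATUS_ACCESS_VIOLATION, STATUS_STACK_BUFFER_OVERRUN):
        return "crash"                                 # Windows: NTSTATUS as exit code
    return "ok"


def run_target(cmd: List[str], path: str, timeout: float = 5.0) -> str:
    """Launch `cmd` with the mutated file appended as its last argument (step 2)."""
    try:
        proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    return classify(proc.returncode)


def fuzz(seed_path: str, cmd: List[str], out_dir: str, iterations: int = 100,
         seed: int = 0) -> Dict[str, int]:
    """Steps 1-4 from the slide.  Mutants that crash or hang the target are kept
    in `out_dir` so the crash can be reproduced and triaged later."""
    rng = random.Random(seed)                          # fixed seed: reproducible runs
    with open(seed_path, "rb") as f:
        data = f.read()
    os.makedirs(out_dir, exist_ok=True)
    work = os.path.join(out_dir, "current.mp3")
    stats = {"ok": 0, "crash": 0, "hang": 0}
    for i in range(iterations):
        mutant = mutate(data, rng=rng)
        with open(work, "wb") as f:
            f.write(mutant)
        verdict = run_target(cmd, work)
        stats[verdict] += 1
        if verdict != "ok":
            with open(os.path.join(out_dir, "%s_%05d.mp3" % (verdict, i)), "wb") as f:
                f.write(mutant)
    return stats


if __name__ == "__main__":
    # usage: python dumbfuzz.py seed.mp3 out_dir C:\path\to\player.exe [extra args]
    print(fuzz(sys.argv[1], sys.argv[3:], sys.argv[2]))
```

The harness judges a run by the target’s exit status, so it assumes a command-line target that exits after loading the file. A GUI player like Fortissimo stays running on a good file and dies in a message box on a bad one, which is why a tool such as MiniFuzz supervises the process itself instead of waiting for an exit code; the mutation and bookkeeping above are the same either way.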
Windows Exploitation 13
Using MiniFuzz to Find Bugs
Windows Exploitation 14
Enhance!
Windows Exploitation 15
MiniFuzz output
Windows Exploitation 16
Closer Look at the Crashes
• None in Fortissimo … but id3lib.dll?
– Wat
• id3lib.dll is the one .dll that Fortissimo includes
Windows Exploitation 17
What is id3lib.dll?
Windows Exploitation 18
A Crash
Windows Exploitation 19
Another Crash
Windows Exploitation 20
At the Top Level – Fortissimo.exe
We crash in this call (ID3_Tag object initialization)
Windows Exploitation 21
id3lib.dll
• There must be issues in id3lib.dll’s ability to parse malformed .MP3 headers
– Open source!
– Start from the ID3_Tag() initialization routine and work your way down, looking for its parsing calls
– … or try static analysis tools!
– http://sourceforge.net/projects/id3lib/
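To make concrete what “parsing malformed .MP3 headers” has to guard against, here is a bounds-checked walk over an ID3v2 tag. This is an added Python example, not code from id3lib and not a claim about where id3lib’s bugs are; it only shows the checks a tag parser needs before trusting any length field, which is what a fuzzed header breaks. The layout follows the ID3v2.3/2.4 specifications, and `build_tag` constructs sample input in memory rather than reading a real file.

```python
"""Bounds-checked ID3v2 tag walker.  Added example, not id3lib code: every
offset derived from a length field is compared against the bytes present
before it is used, so a corrupted header is rejected instead of trusted."""
import struct
from typing import List, Tuple

HEADER_LEN = 10          # "ID3" + version(2) + flags(1) + syncsafe size(4)
FRAME_HEADER_LEN = 10    # id(4) + size(4) + flags(2)


class MalformedTag(ValueError):
    """Raised for any header that does not match the bytes actually present."""


def syncsafe_to_int(b: bytes) -> int:
    """Decode a 4-byte syncsafe integer: 7 bits per byte, top bit must be clear."""
    if len(b) != 4 or any(x & 0x80 for x in b):
        raise MalformedTag("size field is not syncsafe")
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def int_to_syncsafe(n: int) -> bytes:
    return bytes(((n >> s) & 0x7F) for s in (21, 14, 7, 0))


def parse_id3v2(data: bytes) -> Tuple[int, int, List[Tuple[str, int]]]:
    """Return (major_version, tag_body_size, [(frame_id, frame_size), ...])."""
    if len(data) < HEADER_LEN:
        raise MalformedTag("file shorter than the ID3v2 header")
    if data[:3] != b"ID3":
        raise MalformedTag("missing ID3 magic")
    major, revision, flags = data[3], data[4], data[5]
    if major not in (3, 4) or revision == 0xFF:
        raise MalformedTag("unsupported or invalid version 2.%d.%d" % (major, revision))
    size = syncsafe_to_int(data[6:10])             # body size, header excluded
    if HEADER_LEN + size > len(data):
        raise MalformedTag("declared tag size %d runs past end of file" % size)
    body = data[HEADER_LEN:HEADER_LEN + size]
    pos = 0
    if flags & 0x40:                                # extended header present
        if len(body) < 4:
            raise MalformedTag("truncated extended header")
        if major == 4:                              # 2.4: syncsafe, counts itself
            ext_len = syncsafe_to_int(body[:4])
        else:                                       # 2.3: plain int, excludes its own 4 bytes
            ext_len = struct.unpack(">I", body[:4])[0] + 4
        if ext_len < 4 or ext_len > len(body):
            raise MalformedTag("extended header size %d overruns tag" % ext_len)
        pos = ext_len
    frames: List[Tuple[str, int]] = []
    while pos + FRAME_HEADER_LEN <= len(body):
        fid = body[pos:pos + 4]
        if fid == b"\0\0\0\0":
            break                                   # padding: no more frames
        if not all(0x30 <= c <= 0x39 or 0x41 <= c <= 0x5A for c in fid):
            raise MalformedTag("invalid frame id at offset %d" % pos)
        raw = body[pos + 4:pos + 8]
        fsize = syncsafe_to_int(raw) if major == 4 else struct.unpack(">I", raw)[0]
        if fsize == 0 or pos + FRAME_HEADER_LEN + fsize > len(body):
            raise MalformedTag("frame %s size %d overruns tag" % (fid.decode("ascii"), fsize))
        frames.append((fid.decode("ascii"), fsize))
        pos += FRAME_HEADER_LEN + fsize
    return major, size, frames


def tag_is_well_formed(data: bytes) -> bool:
    try:
        parse_id3v2(data)
        return True
    except MalformedTag:
        return False


def build_tag(major: int, frames: List[Tuple[bytes, bytes]], padding: int = 0) -> bytes:
    """Constructed sample input (not a real file): a minimal ID3v2.3/2.4 tag."""
    body = b""
    for fid, payload in frames:
        fsize = int_to_syncsafe(len(payload)) if major == 4 else struct.pack(">I", len(payload))
        body += fid + fsize + b"\0\0" + payload
    body += b"\0" * padding
    return b"ID3" + bytes([major, 0, 0]) + int_to_syncsafe(len(body)) + body


if __name__ == "__main__":
    good = build_tag(3, [(b"TIT2", b"\x00hello")], padding=4)
    print(parse_id3v2(good))                                          # (3, 20, [('TIT2', 6)])
    # the same tag with its size field pinned to the syncsafe maximum
    print(tag_is_well_formed(good[:6] + b"\x7f" * 4 + good[10:]))    # False
```

The three inputs a dumb fuzzer produces most often are a tag size larger than the file, a frame size that runs past the tag, and a frame id with non-alphanumeric bytes; each is caught by a comparison against the data already in hand, never by trusting the field. When auditing a parser such as the one reached from ID3_Tag(), these are the comparisons to look for at every length read.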
Windows Exploitation 22
Conclusion
• Dumb fuzzing works, but can be slow
– Use targeted fuzzing next time (e.g. PeachFuzz)
• Fortissimo
– Its basic media handling at least stands up to short-term dumb fuzzing
– I’m sure there are bugs in the skin & playlist handling
• The id3lib.dll library definitely has issues