
introduction_to_vulnerability_finding.pdf

hellok
January 14, 2013


Transcript

  1. different thoughts
     - wushi: "Fuzzing framework software architecture, rather than the details"
     - flash-sky: "Dynamic data flow, smart fuzz, logic-based analysis" ... ...
     - All test methods are suitable for finding vulnerabilities
     - someone: time && experience && music && patience
  2. how to learn
     - sample analysis
     - find the deep reason (root cause)
     - think as a vulnhunter
     - understanding an old 0day is much more important than debugging a new one
     - repeat
     - most important: write scripts, don't just read
  3. process
     - programs with complex input
     - find classical programs
     example:
     - Apple iTunes m3u overflow: just 1000*'\x41'
     - QUICKPLAYER 2012 AVI file overflow: not as hard as you thought
  4. format type
     - mediaplayer, realplayer, quickplayer
     - kinds of splitter; example: ffmpeg, avi-splitter
     - media players with different architectures will meet their own needs and write something strange
  5. ways
     - file format FUZZ
     - code audit
     - new theory: Code Features, tree search, match
     - func weighted Calculate
     - binwalk.....
     - .......
  6. Black Box Auditing Adobe Shockwave from BH2012: the various methods described in it... The most detailed File FUZZ document so far; HOOK file read, so that you can find where the file contents are read (FOURCC)
  7. Protocol in the rule
     - alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"xxx攻击"; content:"xxx"; sid:00001; rev:1;)
     - be clear about the protocol type used by the attack
     - below are the protocol types Snort can parse:
       - TCP
       - UDP
       - ICMP
       - IP
  8. IP addresses in the rule:
     - alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"xxx攻击"; content:"xxx"; sid:00001; rev:1;)
     examples:
     - 10.1.1.1: the specified IP address
     - 10.1.1.0/24: from 10.1.1.0 to 10.1.1.255
     - !10.1.1.0/24: all IP addresses except 10.1.1.0 to 10.1.1.255
     - [10.1.0.0/24,10.2.0.0/24]: IP addresses from 10.1.0.0 to 10.1.0.255 or from 10.2.0.0 to 10.2.0.255
     - ![10.1.0.0/24,10.2.0.0/24]: all IP addresses except those from 10.1.0.0 to 10.1.0.255 or from 10.2.0.0 to 10.2.0.255
     - any: all IP addresses
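As an added worked example (not part of the deck), a small Python matcher for the Snort rule header shown on these two slides: it parses the IP field forms listed above (host, CIDR, `!` negation, `[a,b]` lists and `any`) plus the port field, and checks a packet 5-tuple against the header. It evaluates the header only, not the `content:` option, and handles just the `->` direction.

```python
import ipaddress

# The rule from the slide; only its header (before the parentheses) is evaluated here.
SLIDE_RULE = 'alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"xxx攻击"; content:"xxx"; sid:00001; rev:1;)'

def parse_snort_ip(spec):
    """Parse a Snort IP field into (negated, [networks]).
    Forms from the slide: any, host, CIDR, [a,b,...] and a leading '!'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if spec.lower() == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    items = spec[1:-1].split(",") if spec.startswith("[") else [spec]
    # a bare host becomes a /32; strict=False tolerates host bits in a CIDR
    return negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def ip_matches(spec, ip):
    """True if address `ip` is selected by the rule's IP field `spec`."""
    negated, nets = parse_snort_ip(spec)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets) != negated

def port_matches(spec, port):
    """Port field: any, one port, or a lo:hi range, optionally negated with '!'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.lower() == "any":
        hit = True
    elif ":" in spec:                      # '80:90', ':1024' or '1024:'
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negated

def header_matches(rule, proto, src, sport, dst, dport):
    """Match a packet 5-tuple against the rule header.
    Only the unidirectional '->' form is handled; proto 'ip' matches any protocol."""
    action, rproto, rsrc, rsport, direction, rdst, rdport = rule.split("(", 1)[0].split()
    if direction != "->":
        raise ValueError("only '->' rules are handled in this example")
    if rproto.lower() != "ip" and rproto.lower() != proto.lower():
        return False
    return (ip_matches(rsrc, src) and port_matches(rsport, sport)
            and ip_matches(rdst, dst) and port_matches(rdport, dport))

if __name__ == "__main__":
    # constructed packets: the first hits the slide rule, the second uses the wrong port
    print(header_matches(SLIDE_RULE, "tcp", "10.1.1.1", 40000, "10.1.1.2", 80))
    print(header_matches(SLIDE_RULE, "tcp", "10.1.1.1", 40000, "10.1.1.2", 443))
```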
  9. bug hunt's diary
     - VLC BUG, ffmpeg
     - with source code: good~
     - without source code: 2-3 times more
     - thunder stack overflow, PEACH fuzz
     - Avisplitter multiple DoS, PEACH FUZZ
     - recent Flash vulnerabilities: vulnhunt 2-3, zdi 10+.....
     - future fuzz: more smart FUZZ
     - FUZZ technology promotion from the outcome of the majority of users
  10. Kernel bug
     - Mokb (mouth of kernel bug)
     - write your own KERNEL IOCTL FUZZER
     - write your own KERNEL file format fuzzer
     - book: 0DAY security (2)
  11. another case:
     - MS12-0XX
     - Win32sys kernel privilege escalation or Denial of Service (DoS)
     - when WIN32SYS deals with OEM Character
     - only on CSRSS
     - 1. looked inside the patches for a long time, did not find it
     - 2. the author found it during testing (lucky~)
  12. browser bug
     - AxMAN
     - less ActiveX
     - .net
     - plugin
     - extensions
     - ...
     - ...
  13. how to
     - mobb (mouth of browser bug)
     - HD Moore's HTML FUZZer; example: Tower of Hanoi
     - new: Fuzzing with DOM Level 2 and 3 https://sites.google.com/site/tentacoloviola/
  14. http://digitaloffense.net/tools/domhanoi/domhanoi.html
     Welcome to DOM-Hanoi. DOM-Hanoi is a community-developed utility for verifying browser integrity, written by H D Moore and Aviv Raff. DOM-Hanoi will look for common DHTML implementation flaws by adding/removing DOM elements, in a similar way to the known Tower of Hanoi game.
  15. kernel fuzz: BLACKHAT EU 2012, GDI Font Fuzzing in Windows Kernel for Fun
     https://media.blackhat.com/bh-eu-12/Lee/bh-eu-12-Lee-GDI_Font_Fuzzing-WP.pdf
     Places with complex input processing are prone to vulnerabilities.
  16. MOBB (mouth of browser bug), MOKB (mouth of kernel bug), moub (mouth of undiscovered bug): they found exploit-db. SOBB. Type confusion. JAVA, ASP.net, RUBY, anti-av, MITM, HIJACK, brute force ... know it, then hack it. And you will understand why we love calc.
  17. Exploit technology
     - DEP/ASLR/SEH/SafeSEH/SEHOP/GS/sandbox
     - ROP/heap spray
     - ...
     - ...
     - ...
  18. why
     - 1. fame and money
     - 2. Technical challenges; life is short, a rare pursuit
     - 3. Technology growth, such as various types of architecture, various algorithms
     - 4. freedom
     - MS, Google, IBM have invested more and more human and material resources, but we are still able to find your BUG
     - impossible
     - i'm possible
  19. Reference
     - data flow: http://www.ccf.org.cn/sites/ccf/weekly/papers/王铁磊1.pdf
     - flash: aslr bypass: http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf
     - http://kernelfun.blogspot.com/
     - http://browserfun.blogspot.com/
     - http://projects.info-pull.com/mokb/
     - http://www.abysssec.com/blog/2010/09/01/moaub-1/