Slide 1

Introduction to vulnerability finding
hellok [email protected]

Slide 2

Different thoughts
- wushi: "Fuzzing framework software architecture, rather than the details"
- flash-sky: "Dynamic data flow, smart fuzz, logic-based analysis"
- ......
- All test methods are suitable for finding vulnerabilities
- someone: time && experience && music && patience

Slide 3

How to learn
- analyze samples
- find the deep reason (the root cause)
- think as a vulnerability hunter
- understanding an old 0day is much more important than debugging a new one
- repeat
- most important: write scripts, do not just read

Slide 4

Different types
- multimedia player
- kernel bug
- browser bug
- server
- ......
- etc.

Slide 5

Process
- programs with complex input
- find classical programs
- example:
  - Apple iTunes m3u overflow: just 1000*'\x41'
  - QuickPlayer 2012 AVI file overflow
- not as hard as you thought

Slide 6

Format type
- mediaplayer, realplayer, quickplayer
- kinds of splitter, example: ffmpeg, avi-splitter
- media players with different architectures will meet their own needs and write something strange

Slide 7

Ways
- file format FUZZ
- code audit
- new theory: code features, tree search, matching
- function weight calculation
- binwalk.....
- .......

Slide 9

Black Box Auditing Adobe Shockwave (BH2012): the various methods described in it . . . the most detailed file FUZZ document so far. HOOK file reads, so that you can discover where the file contents are read (FOURCC).
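Slides 6 and 9 point at the same root cause: splitters and demuxers walk FOURCC-tagged chunks and trust the size fields inside the file. The following is an added example written for these notes, not code from the slides, from ffmpeg or from any avi-splitter; it is a minimal RIFF/AVI chunk walker that checks every declared size against the bytes actually present before using it, which is the check a vulnerable parser omits. The sample files GOOD and BAD are constructed inline (BAD is GOOD with one chunk size overwritten with 0xFFFFFFFF); the chunk names, offsets and the max_chunks limit are assumptions for the example.

```python
import struct


class ChunkError(ValueError):
    """Raised when a chunk header disagrees with the bytes actually present."""


def build_riff(chunks, form_type=b"AVI "):
    """Constructed test data: a RIFF container holding the given (fourcc, payload) chunks."""
    body = b""
    for fourcc, payload in chunks:
        body += struct.pack("<4sI", fourcc, len(payload)) + payload
        if len(payload) % 2:
            body += b"\x00"  # RIFF chunks are padded to an even length
    data = form_type + body
    return b"RIFF" + struct.pack("<I", len(data)) + data


def walk_chunks(buf, max_chunks=64):
    """Return [(fourcc, data_offset, size)] for each top-level chunk.

    Every size field is validated against the remaining bytes before it is
    trusted; an untrusted size is exactly what a demuxer would otherwise feed
    into an allocation or a copy.
    """
    if len(buf) < 12 or buf[:4] != b"RIFF":
        raise ChunkError("not a RIFF container")
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    if riff_size < 4 or 8 + riff_size > len(buf):
        raise ChunkError(f"RIFF size field {riff_size} does not fit in {len(buf)} bytes")
    end = 8 + riff_size
    pos = 12  # skip 'RIFF', the size field and the form type
    found = []
    while pos < end:
        if end - pos < 8:
            raise ChunkError(f"truncated chunk header at offset {pos}")
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        data_start = pos + 8
        available = end - data_start
        if size > available:
            raise ChunkError(
                f"chunk {fourcc!r} at offset {pos} declares {size} bytes "
                f"but only {available} remain"
            )
        found.append((fourcc, data_start, size))
        if len(found) > max_chunks:  # assumed limit, keeps a hostile file from looping forever
            raise ChunkError("too many chunks")
        pos = data_start + size + (size & 1)  # honour the pad byte after odd sizes
    return found


def check_file(buf):
    """Wrap walk_chunks into a result record so callers never see a raw exception."""
    try:
        return {"ok": True, "chunks": walk_chunks(buf), "error": None}
    except ChunkError as exc:
        return {"ok": False, "chunks": [], "error": str(exc)}


# Constructed samples: a well-formed two-chunk file, and the same file with the
# JUNK chunk's size field (bytes 28..32) replaced by 0xFFFFFFFF.
GOOD = build_riff([(b"LIST", b"hdrl"), (b"JUNK", b"\x00" * 5)])
BAD = GOOD[:28] + struct.pack("<I", 0xFFFFFFFF) + GOOD[32:]

if __name__ == "__main__":
    print(check_file(GOOD))
    print(check_file(BAD))
```

Hooking the reader, as slide 9 suggests, tells you which FOURCC a parser touches; the walker above shows the bound that each of those reads must respect, and it is the same check to look for when auditing a real splitter.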

Slide 10

Protocol in a rule
- alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"xxx攻击"; content:"xxx"; sid:00001; rev:1;)
- Be explicit about the protocol type the attack uses
- The protocol types Snort can parse are:
  - TCP
  - UDP
  - ICMP
  - IP

Slide 11

IP addresses in a rule
- alert tcp 10.1.1.1 any -> 10.1.1.2 80 (msg:"xxx攻击"; content:"xxx"; sid:00001; rev:1;)
- Examples:
  - 10.1.1.1: the single IP address 10.1.1.1
  - 10.1.1.0/24: 10.1.1.0 through 10.1.1.255
  - !10.1.1.0/24: every IP address except 10.1.1.0 through 10.1.1.255
  - [10.1.0.0/24,10.2.0.0/24]: 10.1.0.0 through 10.1.0.255 or 10.2.0.0 through 10.2.0.255
  - ![10.1.0.0/24,10.2.0.0/24]: every IP address except 10.1.0.0 through 10.1.0.255 and 10.2.0.0 through 10.2.0.255
  - any: all IP addresses

Slide 17

- simple idea, but effective

Slide 18

Bug hunt's diary
- VLC bug, ffmpeg
- with source code: good~
- without source code: 2-3 times more work
- Thunder stack overflow, PEACH fuzz
- AviSplitter multiple DoS, PEACH fuzz
- recent Flash vulnerabilities: vulnhunt 2-3, ZDI 10+.....
- future fuzz: smarter FUZZ
- FUZZ technology advances from the results of the majority of users

Slide 19

Kernel bug
- MoKB (Month of Kernel Bugs)
- write your own KERNEL IOCTL FUZZER
- write your own KERNEL file format fuzzer
- book: 0DAY security (2)

Slide 21

Another case:
- MS12-0XX
  - win32k.sys kernel privilege escalation or Denial of Service (DoS)
  - when win32k.sys handles OEM characters
  - only in CSRSS
  - 1. looked inside patches for a long time, did not find it
  - 2. the author found it during testing (lucky~)

Slide 22

Browser bug
- AxMan
- less ActiveX
- .NET
- plugins
- extensions
- ...
- ...

Slide 23

How to
- MoBB (Month of Browser Bugs)
- HD Moore's HTML fuzzer
- example: Tower of Hanoi
- new: Fuzzing with DOM Level 2 and 3 https://sites.google.com/site/tentacoloviola/

Slide 24

program, engine, logger, starter. Distributed!

Slide 25

http://digitaloffense.net/tools/domhanoi/domhanoi.html

Welcome to DOM-Hanoi. DOM-Hanoi is a community-developed utility for verifying browser integrity, written by H D Moore and Aviv Raff. DOM-Hanoi will look for common DHTML implementation flaws by adding/removing DOM elements, in a similar way to the known Tower of Hanoi game.

Slide 27

Kernel fuzz: BLACKHAT EU 2012, GDI Font Fuzzing in Windows Kernel for Fun
https://media.blackhat.com/bh-eu-12/Lee/bh-eu-12-Lee-GDI_Font_Fuzzing-WP.pdf
The places that process complex input are the places prone to vulnerabilities.

Slide 28

MoBB (Month of Browser Bugs), MoKB (Month of Kernel Bugs), MoUB (month of undiscovered bugs): what they found. exploit-db. SOBB. Type confusion. Java, ASP.NET, Ruby. anti-AV. MITM, hijack. brute force ... Know it, then hack it. And you will understand why we love calc.

Slide 29

Exploit technology
- DEP / ASLR / SEH / SafeSEH / SEHOP / GS / sandbox
- ROP / heap spray
- ...
- ...
- ...

Slide 30

Challenge
- http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup
- http://www.softpedia.com/progDownload/Internet-Explorer-8-Download-95339.html

Slide 31

Why
- 1. fame and money
- 2. technical challenges; life is short, a rare pursuit
- 3. technology growth, such as various types of architectures and various algorithms
- 4. freedom
- MS, Google and IBM have invested more and more human and material resources, but we are still able to find your BUGs
- impossible
- I'm possible

Slide 32

Reference
- data flow: http://www.ccf.org.cn/sites/ccf/weekly/papers/王铁磊1.pdf
- flash: ASLR bypass: http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf
- http://kernelfun.blogspot.com/
- http://browserfun.blogspot.com/
- http://projects.info-pull.com/mokb/
- http://www.abysssec.com/blog/2010/09/01/moaub-1/