AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Reverse engineering code with ida pro12/8/2022 The following graph from IDA depicts the case where the execution flow would be redirected to the location loc_4024E8 following the termination of the socket connection. If no data returned from recv function, then the socket connection would be closed. Also, as we see at the screenshot below, if there is a redirection of the execution flow to the location loc_4024B6, the connection with the vulnserver would be closed.Īt this point it won't be a redirection to loc_4024B6, and the execution flow will continue as is. Then the instruction cmp dword ptr, 0 will compare the value pointed by, with value 0, and if the value is less than or equal to 0, then the program flow should be redirected to the location loc_4024B6. So, as we now see at WinDbg debugger the value 0x1000 is stored in address 0x0103fb60 on the stack. The hex value 0x1000 that stored onto the stack at the address 0x0103fb60 is the return value of the recv function which shows clearly that 4096 bytes have been written to the buffer, and this also indicates that there are data coming from user input. First, esp register will reserve some space on the stack, specifically 10h ( 16 bytes in decimal ), in order to put there the value in eax to the memory address contained in ebp-410h, which has been moved there using the mov, eax instruction. Now, lets try to understand the code marked with a red square as seen at the screenshot above. After returning from recv we will land to the address 0x00401958 Moreover, the recv function is not of much interest at this time, so we will continue execution until return from recv function. Once we run the poc script, we immediately hit the breakpoint in WinDbg which is set at recv function inside the ws2_32.dll module. We start by seting a breakpoint at the recv function using the command bp ws2_32!recv At this point we will put a breakpoint at the recv function as follows The recv function is the first entry point that will be used in order to receive the bytes coming from the user input. Int recv ( SOCKET s, char * buf, int len, int flags ) Specifically, one interesting function is recv, which according to msdn has the following prototype, All the related functions used to implement the raw socket connection are referred at the ws2_32.dll module. As we saw earlier, when the application starts, it binds to a specific port where it listens for incoming connections. First we will run vulnserver on the target machine and then we will start IDA and attach WinDbg as seen belowĪfter attaching the vulnserver process to WinDbg, we will be ready to start debugging. For this reason we will be using WinDbg and IDA Pro. close ()Īt this point we are ready to run the script above in order to observe the functional behaviour of the vulnserver. recv ( 1024 ) print " Sending exploit." s. Import os import sys import socket host = "192.168.201.9" port = 9999 buffer = "A" * 5000 s = socket. Following, is the prototype of the getaddrinfo function. According to msdn, the getaddrinfo function provides protocol-independent translation from an ANSI host name to an address. Starting our binary analysis, we will run API Monitor v2 in order to have a first site about how to communicate with the vulnserver.Īs we can see at the image above, when we run vulnserver, we have an overview of the socket functions that we expect. The tools used for this exercise are the following In this article we will not be focusing on fuzzing techniques, but rather we will be focusing most in reverse engineering techniques in order to find potential security issues. Furthermore, at this article we will analyse the vulnserver executable using WinDbg debugger assisted with reverse engineering techniques using IDA Pro, in order to understand how the binary works as well as to search for vulnerabilities that may lead to exploitation. This article is the first part of an exploit development series regarding the exploitation process of the GTER command of the vulnserver executable. 1 - Reverse Engineering GTER using IDA Pro
0 Comments
Read More
Leave a Reply. |