Reversing Patches for Exploit Creation, Pen-Testing or Just Fun

like that only Microsoft and the security researcher knew about it for this talk I'll be concentrating on CV 201 1966 and if you go back and look at the advisory for this it tells you that it was a remote code execution vulnerability in um when handling nap DNS records okay does anyone know what an nap record is neither did I when I looked at this thing so we all know what DNS server is we give it a domain it will give you the IP addresses so these are all records which are stored in your DNS server and NTR is just a type of a record at this point of talk what we want to know is it's just another type

of record which is stored in your DNS server we don't care much about what the naptr record is and as I told you that what we'll be doing is we'll be taking security patches and we'll be trying to reverse engineer them so the tools that I use is Ida Pro and turbo everyone knows what Ida Pro is it's a disassembler you give it a binary it will give you the code flow and things like that it will give you a lot of details about that binary and turbo is just a plugin for Ida Pro what it does is uh we do B we do diffing every day in our daily day-to-day task what turbo diff does is it uh it does not uh

compare it will uh compare two binary files rather than two text files it will give you a difference between the two binary files just to give you guys how turbo and Ida Pro looks like this is what you see when you open u a binary in Ida Pro it will give you a disassembly of the code it will show you the flow graph of the uh binary uh there are these tabs over here if you could see ex exports exports are the functions that are exported by that binary Imports are the function that are imported by the binary the uh string steps will tell you what strings are in that binary and things like that and if

you want to compare to files what you do is you go to edit go to plugins there is a plug-in named turbo diff and you ask this ask turbo to compare it with another file just so it will compare to binary files that's it and once it does the comparison turbo tells you gives you something like this it will tell you what functions were identical in that uh in these two binary files what functions were suspicious if you see over here it classifies them as suspicious some as suspicious Plus+ and it will also classify them as changed which is not shown in here it changed and unmatched so how the turbo has this uh some guidelines as to how it uh uh

tells you the degree of change in the uh the two binary files and how I look at it is if the function is classified as suspicious plus that means the number of changes changes made by this uh in these two binary files were very less if it is suspicious Plus+ the changes made were more if it is marked as change that means a considerable of changes were made and if it is unmatched then it's like a totally new function was added to this new binary file now as I told you we'll be going into some binary diffing and things like that so I wanted to go over really uh some very Basics so that everyone is on

the same page and this is sign magnitude representation now we know all the integers are classified as signed and unsigned integers so one of the ways of representing an integer is using sign magnitude representation it's really very simple what you do is take an integer convert it into a binary number and the MSB will tell you if the uh if the integer is positive if it's signed integer or it's an unsigned integer I mean if it is uh if the MSB is zero that means the integer is positive and if it the uh uh MSB is one that means the integer is negative so if a for an uh um for one by it could represent from minus 127 to

plus 127 okay and because we'll be doing some uh assembly uh U reversing binaries we need to know some assembly but trust me this is really simple assembly don't get scared it's really really simple we just need to go over like two or three uh assembly instructions so the first instruction is move instruction very simple the syntax is move destination comma source and what it does is whatever is in the source is moved to destination example is move ax comma BX and whatever is what this instruction would do is whatever is in BX would move to ax okay the only important thing we want to know about move instruction is that the source and destination has to be of the same size

so if The Source uh Source register is 16 bit this has to be 16 bit if the source register is 32bit this has to be 32bit any questions toia but often what happens is we know that when uh two uh integers are added it's a high probability that the result would be a value that is that cannot be stored in just uh like when 26 bit reg uh integers are added it's a high chance that the addition will the result will exceed like um the destination would not 16bit destination would not be enough and we need a bigger space so for that assembly gives us two instructions the first instruction is move SX it stands for move signed

extended and per the definition it fills the MSB of the destination with Source operant sign bid kind of confusing over here but uh a picture will make it more clear so what what we are doing in this case is we are trying to move an 8bit value to a 16bit destination so what happens is the least significant bytes are copied as it is and the MSB of the destination is filled with the source operant bite so in this case it would be filled with 1111111 okay questions the second instruction is move ZX and it stands for move Z extended and per the definition it fills the destination of destination with uh MSB of the destinations with zeros so

picture will make it more clear again in this case we are trying to move an 8 bit value to a 16bit resistor and what happens is least significant bytes are copied as it is and the MSB is filled with 000000 okay let's try and see move and uh Mo SX and mo ZX side by side and I think this will make things more clear so our example is Mo SX e x comma 128 now 128 is represented as 1 00 0 0 0 what happens is least significant bytes are copied as it is and because eax is a 32bit resistor what happens is top three bytes are filled with one one one one11 one and once this instruction is

executed e will have something like this FFF FFF FFF and 8 Z questions no yeah so if it is just a mo mo SX eax not not e just eax then only what first uh only yeah just the upper part will be filled the msbs will be filled with one uh with the source oper sign for Mo ZX what happens is again 128 1 0 0000 0 least significant bytes are copied as it is but top three msbs uh top three MSB bytes are filled with 0000 0 and after this instruction is executed eex equal 000080 only this much is the assembly what we want to know for this talk okay so let's move on to our example of

ms158 and if you compare uh turbo tells you that most of the functions are identical and it lists four functions as suspicious and suspicious Plus+ let's see what these functions are the first function is remote choose send the second function is remote set valid response nap wire read and remote build V list from new zone so remember we are trying to analyze a vulnerability with naptr records turbo tells us that there are these four functions which Microsoft changed with this patch so if you guys were to pick one function which will start you'll try try to reverse engineer first which one of which function would you pick from here sorry yeah so that's a corre guess right

so we know that the vulnerability that we are trying to fix is in related to nap record tboi tells you that there is a function named nap yre read that has been changed by this function uh by this patch so it's our obvious guess that the function which we will choose as nap or wi read so that just also tell you after that address was changed to after address offet of the function was Chang so turbo lifts all the functions that were in that binary see it yeah yeah so if you see most of them were identical only four functions were changed by this batch and of them yeah n so at this point we have done our first

step where we try to see what was the change made by the patch now let's try move on to our second step well we what we'll do is will try to analyze what the change was made by the patch so this is how turbo tells you what changes were made to that function on the left hand side you see is the unpatched function and the right hand side is the patched version of the function and if you start comparing each instruction one by one you will see that there was only one bite of change that was made by this patch so to fix this vulnerability there was just one bite of change made by Microsoft to fix this patch okay let's

try to see see what's going on in this thing with this thing so we all know that this patch what it did is the unpatched version uh it was Mo SX and the patch versioned Mo ZX so Mo SX was replaced with Mo ZX okay let's try to see what's going on in this bunch of assembly instruction so what happens over here is Mo SX EDI bite pointer evx what this instruction does is a one byte value was moved to a uh EDI with Mo SX so if I were to replace this in a very simple language what I could do is I will tell X is moved to Y okay the first instruction moves 1 by2

to EDI whatever that bite value was was incremented by one EDI + 1 and that value the resultant value is loaded in E so if I were to replace this with very simple instruction I would say X is moved to y y was incremented by one and that value is moved to Z Now you see there is this push instruction push instruction push instruction and there is a call to M Copy function so what this bunch of this four uh lines of assembly function is doing is it's just a simple calling mam copy with destination scores comma Z this is what it is trying to do over here okay any questions till this point do okay So based on our previous example

what would happen if I was this value X is set to 128 based on the uh uh example which we have seen before can you can someone tell me what will the Val what will be the value of Z after that 129 no that would be 129 if there was just a moo instruction but this is Moo SX yeah so what will happen is the top three the top three bytes will be filled with 11111 and what will happen is the resultant value would be FFF FFF FFF 81 yeah so if you were to convert this number into decimal this is approximately equal to 4 gabes okay so what was happening in the unpatch function is there was a mam copy

function which was ideally trying to copy like four gigabytes of value if you were to put this number to be 128 it was trying to copy 4 gbt of value but in the PED version what was what would happen is it would be 0081 so in the patch version it was only trying to copy 129 bytes and in the unpatched version it was trying to copy like 4 gbt of value so what would happen if the destination buffer over here is not equal to 4 GB obviously that would lead to a buffer overflow and it's a very high probability I can tell it with certainty that there would no there would be no developer who would try to write a mam

copy uh who would try to code like with a mam copy function and and he's trying to copy like the 4 gabt of value 4 gbt is like the maximum uh possible uh address SP address space that 32-bit uh um CPU could address so it's a high chance that uh you would get a crash if uh you put this value to be 128 in here so how do I exploit this thing why did they use a full register for that sorry why did they use a full register for for that right if they they couldn't ever have an actual need for four gabes right they could never have yeah but but they did it right

yeah it happens so how do I exploit this turns out it's not very difficult what we have to do is we have to somehow put this magic number 128 somewhere in this thing hoping that it would crash the target I bring I will exploit the vulnerability so at this point what we have done is we have we have completed with our second step where we wanted to analyze what was going on with the uh patch so now let's move on to a third step where we want to write proof of concept for this exploit and for that this is how a sample naptr record looks like okay what you do is you register a domain and there are these fields in

your uh order preferences flag string service string replace regular expression string replacement domain and things like that turns out if you want to exploit this vulnerability you don't have to be an expert with naptr records and for the matter of fact even at this point I don't know much about NTR records so all I care is there is somehow I want to put this magic number 128 in the one of these fields hoping that it would uh exploit the vulnerability so what I do is I start putting 128 in here here in the string this R but nothing happened can someone give me a better solution of what should I have done rather than just

putting 128 in this thing something 12 that's correct so what I do is rather than putting like what I did is I start putting 128 128 in all these fields and do any U like an NS lookup but nothing happened so what I did is that I saw there was this field named regular expression string and it was accepting a lot of characters so what I did is rather than putting 128 in here what I did is I started putting random characters in here and at the point when I reached like 128 random characters when I uh started inserting 128 character in here and when I did an NS look up on this thing and the DNS server

went down so yeah at this point so yeah this is how I created a proof of concept for this and how a typical attack scenario would look like for ms158 so what an attacker could do is he could register a domain with a malicious nap record and if he was supposed to Target a company named X YZ what he would he could do is he could send an email to one of the employees of these company with the link and when this guys tries to open that link it will send uh send a request to the DNS server of this company to try and fetch a record for that domain now when this DNS server

tries to get uh uh tries to fetch the record for that domain this malicious record would be would come in here and this DNS server would try to pass record and when this DNS servers tries to pass this record this DNS server would crash okay any questions on

ms158 okay so what we want to know about this thing is when this DNS server tries to pass this record only the DNS server component running on that server would crash there won't be a entire blue screen of death on the target because DNS server for the windows it is um not a kernel component but it's sort of an in the application layer so only the DNS service running on the server would crash not the there won't be any blue screen of that on that Target so let's try to do something more malicious and this brings us to our second example of the talk of ms177 ms177 was released last year in October 2011 and what it did it it fixed four

vulnerabilities in Windows kernel and for this talk we'll be concentrating on CV 2011 1985 and if you go back to the advisory again it tells you it's an elevation of previlege vulnerability because of insanitized input again not giving a lot of information as to what this input was how it got fixed and things like that so our first step to do binary diffing of the of this uh for this patch and it tells you in this case that there are some functions were identical but there was this whole bunch of functions that looked suspicious suspicious Plus+ or changed can anyone tell me why for the ms158 example there was just like this four functions were changed but for this

example there are like this many functions were changed can anyone tell me why is that the case it was a larger change sorry it was a l CH that's exactly correct so we know that for ms158 there was only two vulnerabilities were fixed by the patch but in this with this msln 077 Microsoft bundled this patch to fix four vulnerabilities so obviously because the number of vulnerabilities fixed by this one patch is more that more the number of changes were more so what I do is I start looking at the each functions one by one one by one and what particularly struck me at this point was there were three functions they all start with an user FN anti user

FN an user FN all these three functions they had the similar code changes so whatever was the code change made to one function that was ideally copy pasted between all these three functions so I took one of the function name anti user FN NL box string and I start to analyze it further uh can anyone everyone see this thing because many times I there are like this conferences and people are not able to see this so anti user NL box string on the left hand side is the unpatched version on the right hand side is the patched version and I start if compare each uh instruction one by one what you would see is there was

this one additional instruction added over here it was not in here and there was this whole block of code that was added by this function okay by this patch so let's try to analyze what this ped version is trying to do okay so we know that there was a addition additional instruction compare ECX FFF FFF FFF FFF this is nothing but two's complement of minus1 so what it is trying to do is it is trying to compare the value of ECX with minus one let's see there before this instruction there is a move instruction move ECX EBP plus r of Z this is nothing but whatever is the first argument passed to this function that was moved to ECX ECX is

now compared with minus1 and if it is found to be minus1 what it does is it it calls a function name set user last error with this uh value and it bails out of the function so let's try to analyze what's going on in here the the first argument of this function is compared with minus one and if it is found to be minus one it is returned and then I did a bit of a Googling as to what this thing is what the set user last error is with this uh value so it turns out this is uh System error code for uh Windows invalid handle error invalid handle let's try to see what's going on

in here so what this in the unpatched version of the file what was happening is whatever was the first argument passed to this function it did not care about it whatever it was it took that thing and started processing it but in the pat version what is happening is the pat version is explicitly looking for the first argument passed to this function it is checking that if it is minus one if it is found to be minus one it is not happy it sets an error and it bails out so how would you exploit this thing sorry try to pass the value ofus one yeah that's correct right because we know that in the uh Pat version whatever

was the input function was happy and it started processing it and in the second thing what is in the patch version what it is doing it is taking this first argument it is checking if it is minus one if it is found to be minus one it will it is not happy and it bails out so if you were to exploit this thing what you do is you set that first value to be minus one and there was a little subtle hint in that new block of code it told you it's before bailing out what it did is it told you that okay this is an invalid window handle so that what that means is uh that the argument is of type

handle right that's the reason it is telling you that it is an invalid handle that's a very subtle uh hint but we don't need that to exploit this thing so let's see a proof of concept for M77 this really simple just two lines of code and you have a blue screen of that on the server sorry yeah it's not like when you try to comp if if you don't put this handle over here what it will tell you that's uh when compiling it it will give you a warning but it's still execute so yeah this is as simple as this so yeah this is the proof of concept for Ms l77 and what I want to highlight at this

point and talk is that this reversing patches technique is really helpful for penetration testing guys what they can do is uh they are just now not limited to the exploits available from the exploit packs but what they could do is they could actually do the reverse engineering of this patches they could do this uh binary diffing and they could just create their own exploits rather than relying just on the uh exploits available from the commercial packs but it is better that they start creating their own exploits right so it turns out this technique is good for the uh penetration testers but there are this bunch of guys who are already using it can anyone guess who

are the one who are using this the the most sorry malware authors so day these patches are released malare authors what they do is they start doing this um binary diffing and they try to come up with exploits they try to come up with uh with the custom malwares to exploit these vulnerabilities and for that I'll show you an example of uh a third example of ms1 12004 it was released in January 2012 and it fixed two critical vulnerabilities in Windows and for this stock we'll be concentrating on CV 20123 if you look at the advisory it tells you it's a remote code execution B when trying to pass MIDI files everyone know what midi fil is

these are like really small music files seems to be very harmless but the nature of this vulnerability that made it more lucrative for the malware authors is first of all it was a remote code execution vulnerability and these files look very very harmless so if I send you an email saying hey could you uh could you listen to one of the music that I've composed and you click on that link your browser would try to pass this file and if this is a malicious fly file the by the time you just click and it is trying to par it you are basically owned by that time so this nature of this vulnerability was very lucrative for the

malware authors okay so this is the result of Turbo diff it tells you that this patch changed just one function all the functions were identical but there was this one change um there was this one function change the function name is midi output poly event and let's try to analyze what was going on with this thing so on the left hand side is the unpatch version right hand side is the patch version and again if you start comparing instructions one by one one there was this one instruction that was added in here and bl comma 7 FH so what this patch was trying to do is it was trying to take one of the variables and it was doing a

logical end with 7fh when you do a logical end with 7fh or what happens is if this value is greater than 7 FH what it does it tries to limit that variable so if the value is greater than 7 FH it would be reduced to 7 FH if it is less than 7 FH it would keep it as it is okay so very simple change what it did is it was trying to check a variable if and it was does not want it to be greater than 7 FH so how would you exploit this

thing sorry yeah that's true right because in the unpatched version it was happy whatever the value is it's not doing anything but but in the patge version what it is trying to do is it is checking that one variable and if it does not want it to be greater than 7 FH so if you were to exploit this vulnerability just put that value to be greater than 7 FH right and turns out if you are good with the med file formats that variable that it was trying to check is the note number parameter and if you put this variable to be greater than 7 FH it would give you it would crash that crash the

application sorry because there's no hand so I don't I it's a I don't I cannot show you a proof of concept for this thing because it's a Medi file but I'll be putting a BL it on my blog post and you guys can download it from there if you want and proof of concept exploit yes this patch was released on 10th of January 2012 can anyone guess when was the first time a malware found in the wild exploiting this vulnerability so so for malware authors they just don't want your application to crash for them it is more what they want is they want to get reliable code execution so you can create a proof of concept which

would give you a crash on the target but if you want a reliable code execution you need to put in more efforts so turns out the first time the malware was found in the mild exploiting this vulnerability was on 26th of January 2012 so just like 16 days after the Patch was released there was a malware in the wild exploiting this vulnerability just imagine like previously no one knew about this thing but at the time like once Microsoft released this patch there was already a like in 16 days there was a malv in the wild exploiting this vulnerability so what we have seen is this technique is useful for uh malware uh for penetration testers malware authors are already

using this how could a vulnerability researcher if you are finding new vulnerabilities how could you use this technique turns out the hard truth is patches are not always done right these patches are supposed to fix some vulnerabilities in your system but often what they do is they introduce new vulnerabilities a very good example of this is PHP 5.39 it was released in January 2012 and one of the things that it did did was it fixed the hash Collision denial of service vulnerability so what hash Collision denial of service vulnerability is you have a web server what you do is you just bombard that web server with lots of post variables now these post variables when they reach the

web server they are stored in an hash table so if what you do is you bombard that web server with lots of uh post variables and when these post variables go into the has tables uh like you because you sent a lot of post variables like there are high there is a high chance that there would be a hash collisions in them and when the hash collisions occur what happens is the web server will try to it will consume a lot of web server resources and basically causing a denial of service vulnerability on that Target on the web server it was a very popular vulnerability and it did not just affected PHP but all the web servers

with Tomcat uh asp.net everyone was affected Microsoft fixed this vulnerability with I believe ms100 uh and how PSP fixed this vulnerability was it introduced a directive name Max input wees so what this directive could do is it will allow a web server administrator to set a limit to the number of post variables it is willing to accept so the less the number of uh variables being sent lesser the Lesser are the chances that uh there would be hash collisions and lesser is the chance that you'll have a denial of service vulnerability let's look at the patch for this very simple change if you see over here what it did is it was trying to put a limit

that it will only process that those variables that are less than that set by the max input wees it was so good so far but what they did not do is what if the number of variables if an attacker is still trying to send a lot of variables what to do with them so rather than an else condition over here where it should have ideally returned from the code what happened is they started they keep uh the code was allowed to execute and what this thing did is the with this thing they fix the denial of service vulnerability but introduced a remote code execution vulnerability so just imagine a web server running a PHP with

an uh remote code execution vulnerability so what the vulnerability was vulnerability occurred when the number of variables exceeded Max input Wares AR the variable is of type array and instead of an else condition where they should have returned from the code the code was allowed to execute and it uh introduced a remote code execution vulnerability proof of concept for this thing very very simple what you do is just do a post on the target web server with random variables thousand was the uh default limit set by Max input Wares and you just add an uh array element over here and you have a proof of concept for remote code execution vulnerability on bsp 5.3.0 summary so as we I mentioned in

the starting that we'll be reverse engineering for security patches we did that we exploited all these vulnerabilities uh it's a very good technique for penetration testers they could they are just not limited to the exploit available from commercial PCS but they could uh start writing their own exploits vulnerability researchers it's a very good uh Technique we could just find new vulnerability based on reversing this patches [Music] and for it administrators and for people like us we need to start updating our systems as soon as possible because there are people out there who are trying to exploit this vulnerability the day the patches are out so we need to be on our tools that said I think I don't

have time for question and answers but you could always send me questions on we we push you back yeah we pushed you back yeah any questions and questions I'll will be more than happy to answer

them I had to run through the last are you going to be here after this for people who might want to ask you question okay if you have any questions just all right thank you