Stack Guard & Format String Blocker in Python

[Download the tool][1]

`
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Stack Guard & Format String Blocker in Python
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%</p>

:author: Nam T. Nguyen
:copyright: 2010, public domain

(Shamefully admitted that this tool was used in the Capture the Flag game at HITB Kuala Lumpur 2010, and it failed)

The Big Picture
===============

Basically, we are running the application under a debugger. When an interesting event occurs, we process it accordingly.

Stack Guard
-----------

The interesting events are function entry and function exit. When we enter into a function, the value at top of stack is XOR'd with a random value. When we exit from a function, the value at TOS is again XOR'd with that same random value.

Format String
-------------

The interesting events are those ``printf`` family functions. When the function is entered, we just have to check if its format string argument contains ``%n`` or ``%hn``. For some functions (e.g. ``printf```), this argument is at TOS + 4 (leave one for saved EBP), for some others (e.g. ``fprintf``) it is at TOS + 8, yet for some (e.g. ``snprintf``) it is at TOS + 12.

The Problems
============

Breakpoints
-----------

The main issue is with multi-process (fork'd code) applications. Basically, when they fork, the soft-breakpoints (0xCC) are retained but the handler does not attach to the new process. Therefore, when a breakpoint hits, the newly forked process simply dies.

To work around this issue, the ``MultiprocessDebugger`` class is written to remember breakpoints in both original and forked processes. It also kills new image (via ``exec``) to protect against successful exploitation that launches ``/bin/sh``, for example.

Function entries/exits
----------------------

Basically, to find all function entries, and exits, we have to walk the code. A recursive iterator (flattened with a simple queue) is used to visit all functions from a starting location (usually ``main`` function). When a ``CALL`` instruction is reached, its destination is deemed a function entry. When a ``RET`` instruction is reached, this current location is deemed an exit of the the current function. This does not work with indirect calls (``CALL EAX``, for e.g.) because we do not know its destination.

Samples
=======

Please peruse ``target.py`` for a sample usage.
` [1]: http://force.vnsecurity.net/download/lamer/guard.zip

Sự cố Vietcombank, một góc nhìn kỹ thuật (Categories: research)
Foxit Reader 7.3.0 Use-After-Free (patched in 7.3.4 recently) (Categories: research)
Exploiting Sudo format string vunerability (Categories: research)
Yet another universal OSX x86_64 dyld ROP shellcode (Categories: research)
Mật mã hiện đại (1) (Categories: research)
Simple Mac OS X ret2libc exploit (x86) (Categories: research)

« Simple Mac OS X ret2libc exploit (x86) Mật mã hiện đại (1) »

ORC Team

Stack Guard & Format String Blocker in Python

Related Posts