-atlas wandering-
Bloggorama for breaking things
Tue, 19 Feb 2008

Post Shmoocon 2008

Well the great and mighty shmoo has left the building. What a weekend. I'm beat.

I couldn't get in until Saturday night, but I hear Friday and Saturday were amazing. Everything from H1kari's FPGAs attacking cellular to hacking Second Life's helper apps (dude, they really hacked quicktime through the game!? sweet!). Jay Freakin Beale had an a cappella rap-cameo by his fellow Intelguardian JimmyD! G Mark is always interesting to hear and cool to chat with. Simple Nomad apparently had a picture of him on CNN (Crappy Network News) where they named him Mike and made him look like Winn Schwartau! Unbelievable. All I have to say is WWDKD? ok, just listing Dan Kaminsky in a place where Jesus has been is making me step away from the keyboard....


<long pause>

ok. I'm back. No lightning yet... although I've checked my life insurance.

I had a beer scheduled with Moose, but nothing ever came of it (sadly). Hopefully we'll be able to sit down and chat some other time. Same deal with Joe from learnsecurityonline, but at least we hooked up by phone. He's putting together a cool set of binary reversing challenges for his readers and has graciously asked for my input and possibly help. We'll see what comes of it.
And Darren from hak5 was also supposed to catch up with me after my talk (9am was too early for them :) but he got held up as well. I'm thinking the parties were just too good, because by Sunday everybody was asleep. I actually drank red bull just before my presentation to try to regain some kick I had lost. Yes, I went to the shmoo party and got to see Pablos and his gang break it down. What was amazing was the number of folks in blue lock-shirts that cut a rug. Even Ed Skoudis was doin a dance! Jay MFBeale, well, you see there are dancers and there is Jay.... the difference? Dancers get tired and take a break. Jay is a freakin animal! Lara, dude, Lara. But the man with presence, Mike Poor, was dancing the whole freakin night! Whatever they're drinkin at Intelguardians has got to be better than redbull! gimme some-o-dat! I spent most of the night over in the corner writing code. No, I'm not completely inept on the dance-floor, but I wanted to get a few things tweaked and tuned before my talk. Just because I gave a talk on the same topic at POC doesn't mean I don't work a lot on it in between. Programmatic Debugging for Vulnerabilities is a relatively new topic (at least for public consumption). Expect the topic to hit BH and defcon this year as well (if they'll have me); it's full of untapped potential.

To be specific, and not just another "blogger positing his empty opinion", I was truing up the code which determines heap chunk length. Finding buffer overflows is not a simple task, and at the very core of that search (at least in this approach) is being able to consistently determine interesting values for buffer length. Stack buffers and heap buffers both present their own challenges. At POC I had the concept of measuring stack buffer length by finding a valid return pointer higher on the stack and measuring the difference. For that I developed findRET(), which, once I worked out a few bugs, is quite accurate. For HEAP chunk length, however, I was focused on DL Malloc and relying on HEAP chunks keeping their buffer length at ptr-4 (the 32-bit number immediately preceding the memory pointer location). Unfortunately, many of the calls to memcpy() are copying into portions of a HEAP chunk (since HEAP chunks are often cut to the size of a structure), so the values immediately preceding many destination HEAP buffers are anything but the length of the buffer. That length may have been implied by the struct used to access the HEAP chunk, but that information is long gone, and must be reversed (another great topic).
So this time around I improved the HEAP length issue by walking the allocated HEAP structures (again, DL Malloc, but RTL won't be hard to add). Once I find the HEAP chunk past the HEAP address we're measuring, we take the difference as the length. The odd thing I found was that the HEAP in some binaries (e.g. top on linux) doesn't start at the beginning of the HEAP memory map, so tracing the HEAP means finding it first. That's why you'll find code in getConnectedChain() that first searches for a connected chain of HEAP chunks before traversing it and returning the start of each HEAP chunk.
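The chain-walking approach described above, as an added illustration (this is not atlasutils code; the 32-bit dlmalloc header layout of prev_size/size/flags is assumed, the heap bytes and base address are constructed, and the function names only mirror the post's getConnectedChain()). It scans for the first connected chain of chunks, then measures the room left from an arbitrary pointer to the next chunk start, beside the ptr-4 reading that goes wrong for a pointer into the middle of a chunk:

```python
import struct

BASE = 0x08050000   # assumed load address of the constructed heap region
MIN_CHUNK = 16      # smallest 32-bit dlmalloc chunk
FLAG_MASK = 0x7     # low three bits of the size field are flags

def build_sample_heap():
    """Constructed region: 32 bytes of junk (the chain does not start at the map
    start), in-use chunks of 0x20/0x40/0x30/0x18 bytes, then a 0x100 top chunk."""
    heap, prev = bytearray(b"A" * 32), 0
    for size in (0x20, 0x40, 0x30, 0x18, 0x100):
        heap += struct.pack("<II", prev, size | 1) + b"a" * (size - 8)
        prev = size
    return bytes(heap)

def chunk_size(heap, off):
    """Size field of the chunk header at heap offset `off`, flags stripped."""
    return struct.unpack_from("<I", heap, off + 4)[0] & ~FLAG_MASK

def chain_from(heap, base, start, min_len=3):
    """Walk headers from `start`; connected = min_len sane, in-bounds, 8-aligned sizes."""
    addrs, off = [], start
    while off + 8 <= len(heap):
        size = chunk_size(heap, off)
        if size < MIN_CHUNK or size % 8 or off + size > len(heap):
            break
        addrs.append(base + off)
        off += size
    return addrs if len(addrs) >= min_len else None

def get_connected_chain(heap, base):
    """Chunk addresses of the first connected chain found by scanning the region."""
    for off in range(0, len(heap) - MIN_CHUNK, 4):
        chain = chain_from(heap, base, off)
        if chain:
            return chain
    return None

def naive_length(heap, base, ptr):
    """The ptr-4 approach: trust the 32-bit value right before the destination."""
    return struct.unpack_from("<I", heap, ptr - base - 4)[0] & ~FLAG_MASK

def heap_buffer_length(heap, base, ptr):
    """Bytes from `ptr` to the next chunk start, so a pointer into the middle of
    a chunk (a struct member) still yields the real room left in that chunk."""
    for addr in get_connected_chain(heap, base) or []:
        end = addr + chunk_size(heap, addr - base)
        if addr + 8 <= ptr < end:
            return end - ptr
    return None   # not inside any chunk of the chain
```

The prev_size field is deliberately not used as a consistency check, since dlmalloc lets an in-use chunk's data spill into the next header's prev_size.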

I need to mention that these methods are still somewhat arcane and unrefined. They will indicate the most fruitful overflows, such as overwriting RET or the HEAP control structures.... They will not indicate overwrites which occur within the same HEAP chunk or between stack buffers.

Slides are here: odp pdf
New releases of atlasutils (formerly the @ Utility Belt) are coming shortly.


Found a few interesting links about the con, one was an interview I did with Joe from LearnSecurityOnline.com.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2112.msg8708/topicseen,1/
http://www.learnsecurityonline.com/index.php?option=com_content&task=view&id=237&Itemid=1


Greetz to visi and squires, alien and hackerprincess, sk0d0 (nice pic!), sk3wlmast3r & son, Toby and joshwright, G. Mark, chris paget, vangelis, beetle, hollywood and jsyn, keith myers!, Intelguardians (choops for supporting the con!) and ASI guys. It was excellent to see you all again!
And thanks to those who came to my talk (for not stepping in front of the whizzing redbull and causing legal headaches!) Dude, Chuck, smile! Seriously, I hope you all enjoyed the talk and got something out of it.

@
