Effect To Cause Determination: Crash Workflow

1. The document discusses analyzing crashes by determining the effect to cause rather than just grading crashes. It examines overflow analysis by marking program inputs and sinks.
2. The document also covers a Windows Metafile vulnerability that allows execution of arbitrary code via a crafted SETABORTPROC escape function call. It provides information on the WMF file format and key structures.
3. Details are given on taint analysis and execution slicing to track events related to a WMF crash initiation. Future work mentioned includes improved trace generation, taint analysis, replay, and automated analysis.

Uploaded by Loc Nguyen
Copyright
© Attribution Non-Commercial (BY-NC)

Crash Workflow

Effect to Cause Determination

DISCOVERY VS. ANALYSIS

Grading crashes/mishandlings rather than discovering


Point A to Point B or Point B to A analysis
Point A to Point C?
Point D to Point B?

BASIC OVERFLOW ANALYSIS POINT A TO POINT B

Marking program inputs
Marking a sink, return address overflow, EIP influence

Basic Overflow
L ntdll.dll 76f60000 1292080
L kernel32.dll 76230000 1114112
L KernelBase.dll 74890000 272384
L msvcrt.dll 760e0000 690688
L libgcc_s_dw2-1.dll 6e940000 112142
L libstdc++-6.dll 6fc40000 1000974
E 0x00401573 7 c7042401000000 5860 0 : mov dword [esp],0x1 Reg( ESP=0x28ff70 ) W 4 28ff70
E 0x0040157a 6 ff15bc814000 5860 1 : call [0x4081bc] Reg( EIP=0x40157a ESP=0x28ff70 ) R 4 4081bc 4_28_f_76 W 4 28ff70
E 0x760f2804 2 8bff 5860 2 : mov edi,edi Reg( EDI=0x0 )
E 0x760f2806 1 55 5860 3 : push ebp Reg( EBP=0x28ff94 ESP=0x28ff6c ) W 4 28ff6c
E 0x760f2807 2 8bec 5860 4 : mov ebp,esp Reg( EBP=0x28ff94 ESP=0x28ff68 )
E 0x760f2809 3 ff7508 5860 5 : push dword [ebp+0x8] Reg( ESP=0x28ff68 ) R 4 28ff70 1_0_0_0 W 4 28ff68
E 0x760f280c 5 e874edffff 5860 6 : call 0x760f1585 Reg( EIP=0x760f280c ESP=0x28ff64 ) W 4 28ff64
E 0x760f1585 2 8bff 5860 7 : mov edi,edi Reg( EDI=0x0 )
E 0x760f1587 1 55 5860 8 : push ebp Reg( EBP=0x28ff68 ESP=0x28ff60 ) W 4 28ff60
E 0x760f1588 2 8bec 5860 9 : mov ebp,esp Reg( EBP=0x28ff68 ESP=0x28ff5c )
E 0x760f158a 2 6a00 5860 10 : push byte 0x0 Reg( ESP=0x28ff5c ) W 4 28ff5c
E 0x760f158c 6 ff15ac110e76 5860 11 : call [0x760e11ac] Reg( EIP=0x760f158c ESP=0x28ff58 ) R 4 760e11ac f_13_8a_74 W 4 28ff58
E 0x748a130f 2 8bff 5860 12 : mov edi,edi Reg( EDI=0x0 )

Taint Results

[217]reg_eip_0_0[0x1cb:0]<-retl {D}206
[206]mem_0x26f74c[0x19d:0]<-movb %dl, -0x8(%ebp,%ecx,1){D}205
[205]reg_edx_0_0[0x19c:0][0x1a2:0]<-movb (%eax), %dl{D}165
[165]mem_0x26f76c[0xdf:0]<-movb %cl, -0x10(%ebp,%edx,1){D}157
[157]reg_ecx_0_0[0xdd:0][0xe8:0]<-add %edx, %ecx{D}156 155
[155]reg_edx_0_0[0xda:0][0xde:0]<-movsxb -0xf(%ebp,%ecx,1), %edx{D}14
[156]reg_ecx_0_0[0xdc:0]<-movsxb -0x10(%ebp,%eax,1), %ecx{D}13
[13]mem_0x26f76c[-0x1:-1][0xdf:0]
[14]mem_0x26f76d[-0x1:-1][0xee:0]
[218]reg_eip_1_0[0x1cb:0]<-retl {D}208
[208]mem_0x26f74d[0x1a9:0]<-movb %dl, -0x8(%ebp,%ecx,1){D}207
[207]reg_edx_0_0[0x1a8:0][0x1ae:0]<-movb (%eax), %dl{D}176
[176]mem_0x26f76d[0xee:0]<-movb %cl, -0x10(%ebp,%edx,1){D}168
[168]reg_ecx_0_0[0xec:0][0x10b:0]<-add %edx, %ecx{D}167 166
[166]reg_edx_0_0[0xe9:0][0xed:0]<-movsxb -0xf(%ebp,%ecx,1), %edx{D}15
[167]reg_ecx_0_0[0xeb:0]<-movsxb -0x10(%ebp,%eax,1), %ecx{D}14
[15]mem_0x26f76e[-0x1:-1]
[219]reg_eip_2_0[0x1cb:0]<-retl {D}210
[210]mem_0x26f74e[0x1b5:0]<-movb %dl, -0x8(%ebp,%ecx,1){D}209
[209]reg_edx_0_0[0x1b4:0][0x1ba:0]<-movb (%eax), %dl{D}15
[220]reg_eip_3_0[0x1cb:0]<-retl {D}212
[212]mem_0x26f74f[0x1c1:0]<-movb %dl, -0x8(%ebp,%ecx,1){D}211
[211]reg_edx_0_0[0x1c0:0][0x1c6:0]<-movb (%eax), %dl{D}16
[16]mem_0x26f76f[-0x1:-1]
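Each taint-result line names a tainted byte (a register byte such as reg_eip_0_0 or a memory byte such as mem_0x26f76c), the instruction that propagated taint into it, and after {D} the node ids it was derived from; lines without a "<-" part are root nodes, the input bytes themselves. Reading the graph backwards from each EIP byte to its roots is the effect-to-cause step the deck is about: it answers which input bytes decide the return address. The following is an added example, not the taint tool's own code; the line format is inferred from the slide's output, and the only input is the slide's own 24 lines.

```python
import re
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

# The "Taint Results" lines from the slide, used as the input (copied from the slide, not constructed).
TAINT_RESULTS = """\
[217]reg_eip_0_0[0x1cb:0]<-retl {D}206
[206]mem_0x26f74c[0x19d:0]<-movb %dl, -0x8(%ebp,%ecx,1){D}205
[205]reg_edx_0_0[0x19c:0][0x1a2:0]<-movb (%eax), %dl{D}165
[165]mem_0x26f76c[0xdf:0]<-movb %cl, -0x10(%ebp,%edx,1){D}157
[157]reg_ecx_0_0[0xdd:0][0xe8:0]<-add %edx, %ecx{D}156 155
[155]reg_edx_0_0[0xda:0][0xde:0]<-movsxb -0xf(%ebp,%ecx,1), %edx{D}14
[156]reg_ecx_0_0[0xdc:0]<-movsxb -0x10(%ebp,%eax,1), %ecx{D}13
[13]mem_0x26f76c[-0x1:-1][0xdf:0]
[14]mem_0x26f76d[-0x1:-1][0xee:0]
[218]reg_eip_1_0[0x1cb:0]<-retl {D}208
[208]mem_0x26f74d[0x1a9:0]<-movb %dl, -0x8(%ebp,%ecx,1){D}207
[207]reg_edx_0_0[0x1a8:0][0x1ae:0]<-movb (%eax), %dl{D}176
[176]mem_0x26f76d[0xee:0]<-movb %cl, -0x10(%ebp,%edx,1){D}168
[168]reg_ecx_0_0[0xec:0][0x10b:0]<-add %edx, %ecx{D}167 166
[166]reg_edx_0_0[0xe9:0][0xed:0]<-movsxb -0xf(%ebp,%ecx,1), %edx{D}15
[167]reg_ecx_0_0[0xeb:0]<-movsxb -0x10(%ebp,%eax,1), %ecx{D}14
[15]mem_0x26f76e[-0x1:-1]
[219]reg_eip_2_0[0x1cb:0]<-retl {D}210
[210]mem_0x26f74e[0x1b5:0]<-movb %dl, -0x8(%ebp,%ecx,1){D}209
[209]reg_edx_0_0[0x1b4:0][0x1ba:0]<-movb (%eax), %dl{D}15
[220]reg_eip_3_0[0x1cb:0]<-retl {D}212
[212]mem_0x26f74f[0x1c1:0]<-movb %dl, -0x8(%ebp,%ecx,1){D}211
[211]reg_edx_0_0[0x1c0:0][0x1c6:0]<-movb (%eax), %dl{D}16
[16]mem_0x26f76f[-0x1:-1]
"""

# [id]location[range]...<-instruction{D}dep dep ...  (a root node, an input byte, has no "<-" part).
# The layout is inferred from the slide's output; it is an assumption of this example.
NODE_RE = re.compile(r"^\[(\d+)\](\w+)((?:\[[^\]]*\])*)(?:<-(.*?)\{D\}([\d ]+))?$")


@dataclass
class TaintNode:
    nid: int
    location: str               # tainted register byte or memory byte
    instruction: Optional[str]  # instruction that propagated taint here; None for an input byte
    deps: List[int]             # node ids this node's taint was derived from


def parse_taint_graph(text: str) -> Dict[int, TaintNode]:
    nodes: Dict[int, TaintNode] = {}
    for line in text.splitlines():
        m = NODE_RE.match(line.strip())
        if not m:
            continue
        nid, location, _ranges, instr, deps = m.groups()
        nodes[int(nid)] = TaintNode(int(nid), location, instr.strip() if instr else None,
                                    [int(d) for d in (deps or "").split()])
    return nodes


def input_sources(nodes: Dict[int, TaintNode], start: int) -> List[int]:
    """Walk dependencies backwards from an effect node to the root nodes (the tainted input bytes)."""
    seen, roots, queue = set(), [], deque([start])
    while queue:
        nid = queue.popleft()
        if nid in seen or nid not in nodes:
            continue
        seen.add(nid)
        if nodes[nid].deps:
            queue.extend(nodes[nid].deps)
        else:
            roots.append(nid)
    return sorted(roots)


def propagation_chain(nodes: Dict[int, TaintNode], start: int) -> List[str]:
    """Follow the first dependency at each step: the instructions that carried taint to `start`."""
    chain, nid = [], start
    while nid in nodes and nodes[nid].instruction:
        chain.append(nodes[nid].instruction)
        nid = nodes[nid].deps[0] if nodes[nid].deps else None
    return chain


def eip_influence(nodes: Dict[int, TaintNode]) -> Dict[str, List[str]]:
    """Map every tainted EIP byte to the input locations that reach it."""
    return {n.location: sorted(nodes[r].location for r in input_sources(nodes, n.nid))
            for n in nodes.values() if n.location.startswith("reg_eip_")}


if __name__ == "__main__":
    graph = parse_taint_graph(TAINT_RESULTS)
    for eip_byte, inputs in eip_influence(graph).items():
        print(eip_byte, "<-", ", ".join(inputs))
```

On the slide's data every one of the four EIP bytes traces back to one or two of the input bytes at 0x26f76c..0x26f76f, which is the "EIP influence" grading the earlier slide asks for: the crash is a fully input-controlled return address, not a random fault.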

Windows Metafile Vulnerability

Point B to Point ???

Metafile Image Code Execution

December 27, 2005
WMF SETABORTPROC Escape Vulnerability
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL).
Explore Bad Paths
Refine Exploits

WMF FORMAT
[MS-WMF]: Windows Metafile format
http://msdn.microsoft.com/en-us/library/cc250370.aspx
A simplified overview:
http://wvware.sourceforge.net/caolan/ora-wmf.html
Overall WMF File Structure:

One type of record is the escape record
SETABORTPROC escape allows an application to register a hook function to handle spooler errors
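A WMF file is a META_HEADER followed by records, each carrying a RecordSize (in 16-bit words) and a RecordFunction; an escape record (META_ESCAPE) then carries the escape function number and a byte count. The defender's check that follows from the CVE text above is to walk the records and flag any escape record requesting SETABORTPROC, since a metafile has no legitimate reason to install a spooler hook. This is an added example and not code from the slides or from Microsoft; the constants and field layout come from [MS-WMF] (linked above), and the two sample metafiles are constructed in the block itself. Malformed record sizes are reported as well, because a record that does not fit the file is the other thing a triage script should never swallow silently.

```python
import struct
from typing import Iterator, List, Tuple

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte placeable header in front of META_HEADER
META_ESCAPE = 0x0626         # RecordFunction of an escape record ([MS-WMF] 2.3.6)
META_EOF = 0x0000
SETABORTPROC = 0x0009        # MetafileEscapes value named in the CVE description


def wmf_records(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, size_in_bytes, RecordFunction, parameters) for each record up to META_EOF.
    Raises ValueError when the header or a record does not fit the data."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated META_HEADER")
    if struct.unpack_from("<H", data, off + 2)[0] != 9:   # HeaderSize MUST be 9 words
        raise ValueError("unexpected HeaderSize")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"RecordSize {size_words} words at offset {off:#x} does not fit")
        yield off, size, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("no META_EOF record")


def scan_for_setabortproc(data: bytes) -> List[str]:
    """Flag escape records that request SETABORTPROC, plus structural problems met on the way."""
    findings: List[str] = []
    try:
        for off, _size, func, params in wmf_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                esc_func, byte_count = struct.unpack_from("<HH", params)
                if esc_func == SETABORTPROC:
                    findings.append(f"offset {off:#x}: META_ESCAPE SETABORTPROC, {byte_count} escape bytes")
    except ValueError as err:
        findings.append(f"malformed metafile: {err}")
    return findings


def build_wmf(records: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a minimal in-memory WMF (Type 1) from (RecordFunction, parameters) pairs."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    total_words = (18 + len(body)) // 2
    max_words = max([(6 + len(p)) // 2 for _f, p in records] + [3])
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    return header + body


# Constructed samples (not files from the slides): META_SETMAPMODE alone, and with an escape record.
BENIGN = build_wmf([(0x0103, struct.pack("<H", 8))])
WITH_ESCAPE = build_wmf([(0x0103, struct.pack("<H", 8)),
                         (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("with escape", WITH_ESCAPE)):
        print(name, scan_for_setabortproc(sample) or "clean")
```

Because the generator raises on the first record that does not fit, a truncated or oversized RecordSize stops the walk and becomes a finding of its own rather than a silent partial scan.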

WMF CRASH INITIATION

WMF CRASH TAINT GRAPH

FILE FORMAT FIELDS AND KEY STRUCTURES

WMF EXECUTION SLICING

EVENT TRACKING
0x77f330a3 call eax 2 ffd0 0x0 0x3812f Reg( EAX=0xa8b94 ESP=0xb4fb88 EIP=0x77f330a3 ) W 4 b4fb88
0x77c472e3 rep movsd 2 f3a5 0x0 0xb142 Reg( EDI=0xa8804 eflags=0x10216 ESI=0xa9f8c ECX=0xa ) R 4 a9f8c cc_cc_cc_cc W 4 a8804
0x77f2e997 mov ecx, [ebp+arg_8] 3 8b4d10 0x0 0xc5c3 Reg( EBP=0xb4fbf8 ECX=0x7c809a20 ) R 4 b4fc08 44_0_0_0
0x77f2e983 mov [ebp+arg_8], eax 3 894510 0x0 0xbd8c Reg( EAX=0x44 EBP=0xb4fbf8 ) W 4 b4fc08
0x77f2e97f add eax, eax 2 03c0 0x0 0xbd89 Reg( EAX=0x22 eflags=0x246 )
0x77f2e949 mov eax, [edi+6] 3 8b4706 0x0 0xbd7d Reg( EAX=0xa8920 EDI=0xa87e8 ) R 4 a87ee 22_0_0_0
0x77c472e3 rep movsd 2 f3a5 0x0 0xb13c Reg( EDI=0xa87ec eflags=0x10216 ESI=0xa9f74 ECX=0x10 ) R 4 a9f74 0_3_22_0 W 4 a87ec
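Both trace dumps in the deck (the Basic Overflow trace with its E records and the event-tracking records above) log per instruction a sequence number, the register state in Reg( ), and the memory accesses as "R size addr bytes" and "W size addr". That is exactly what a dynamic backward slice needs: start at the crashing instruction (call eax), ask which earlier record last defined each register it used or last wrote each memory byte it read, and repeat for those records' own inputs. The following is an added example, not the slide author's tool: the field layout of both formats is inferred from the lines on the slides, the small x86 operand model (which registers an instruction defines and uses) is this example's own simplification, and the inputs are the slides' own records (event-tracking records copied in full; two E records plus one L line from the Basic Overflow trace).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Records from the "Event Tracking" slide, joined onto one line each (copied, not constructed).
EVENT_TRACKING = """\
0x77f330a3 call eax 2 ffd0 0x0 0x3812f Reg( EAX=0xa8b94 ESP=0xb4fb88 EIP=0x77f330a3 ) W 4 b4fb88
0x77c472e3 rep movsd 2 f3a5 0x0 0xb142 Reg( EDI=0xa8804 eflags=0x10216 ESI=0xa9f8c ECX=0xa ) R 4 a9f8c cc_cc_cc_cc W 4 a8804
0x77f2e997 mov ecx, [ebp+arg_8] 3 8b4d10 0x0 0xc5c3 Reg( EBP=0xb4fbf8 ECX=0x7c809a20 ) R 4 b4fc08 44_0_0_0
0x77f2e983 mov [ebp+arg_8], eax 3 894510 0x0 0xbd8c Reg( EAX=0x44 EBP=0xb4fbf8 ) W 4 b4fc08
0x77f2e97f add eax, eax 2 03c0 0x0 0xbd89 Reg( EAX=0x22 eflags=0x246 )
0x77f2e949 mov eax, [edi+6] 3 8b4706 0x0 0xbd7d Reg( EAX=0xa8920 EDI=0xa87e8 ) R 4 a87ee 22_0_0_0
0x77c472e3 rep movsd 2 f3a5 0x0 0xb13c Reg( EDI=0xa87ec eflags=0x10216 ESI=0xa9f74 ECX=0x10 ) R 4 a9f74 0_3_22_0 W 4 a87ec
"""
# Lines in the "Basic Overflow" slide's format: one L library-load line and two E execution records.
BASIC_OVERFLOW = """\
L ntdll.dll 76f60000 1292080
E 0x00401573 7 c7042401000000 5860 0 : mov dword [esp],0x1 Reg( ESP=0x28ff70 ) W 4 28ff70
E 0x760f2809 3 ff7508 5860 5 : push dword [ebp+0x8] Reg( ESP=0x28ff68 ) R 4 28ff70 1_0_0_0 W 4 28ff68
"""
# Field layout inferred from the slides (an assumption of this example):
#   event format:  addr disasm len bytes <unused> seq Reg( ... ) [R size addr bytes] [W size addr]
#   E format:      E addr len bytes tid seq : disasm Reg( ... ) [R ...] [W ...]
EVENT_RE = re.compile(r"^(0x[0-9a-f]+) (.+?) (\d+) ([0-9a-f]+) (0x[0-9a-f]+) (0x[0-9a-f]+) Reg\((.*?)\)(.*)$")
E_RE = re.compile(r"^E (0x[0-9a-f]+) (\d+) ([0-9a-f]+) (\d+) (\d+) : (.*?) Reg\((.*?)\)(.*)$")
READ_RE = re.compile(r"\bR (\d+) ([0-9a-f]+) ([0-9a-f_]+)")
WRITE_RE = re.compile(r"\bW (\d+) ([0-9a-f]+)")
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp", "eip")
REG_RE = re.compile(r"\b(" + "|".join(REGS) + r")\b")
WRITERS = {"mov", "add", "sub", "lea", "xor", "and", "or", "movsx", "movzx", "pop"}


@dataclass
class Record:
    seq: int
    addr: int
    disasm: str
    regs: Dict[str, int]
    reads: List[Tuple[int, int, str]]   # (address, size, bytes as logged)
    writes: List[Tuple[int, int]]       # (address, size)


def parse_record(line: str) -> Optional[Record]:
    m = EVENT_RE.match(line.strip())
    if m:
        addr, disasm, _len, _bytes, _unused, seq, regtext, tail = m.groups()
    else:
        m = E_RE.match(line.strip())
        if not m:
            return None                        # e.g. an L library-load line
        addr, _len, _bytes, _tid, seq, disasm, regtext, tail = m.groups()
    regs = {k.lower(): int(v, 16) for k, v in re.findall(r"(\w+)=0x([0-9a-f]+)", regtext)}
    reads = [(int(a, 16), int(n), b) for n, a, b in READ_RE.findall(tail)]
    writes = [(int(a, 16), int(n)) for n, a in WRITE_RE.findall(tail)]
    seq_no = int(seq, 16) if seq.startswith("0x") else int(seq)
    return Record(seq_no, int(addr, 16), disasm.strip(), regs, reads, writes)


def parse_trace(text: str) -> List[Record]:
    return [r for r in map(parse_record, text.splitlines()) if r is not None]


def reg_defs_uses(disasm: str) -> Tuple[Set[str], Set[str]]:
    """Tiny x86 operand model (this example's own, not the trace tool's): registers defined and used."""
    mnem, _, ops = disasm.lower().partition(" ")
    if mnem == "rep":                                      # rep movsd: string registers in and out
        return {"esi", "edi", "ecx"}, {"esi", "edi", "ecx"}
    regs = set(REG_RE.findall(ops))
    if mnem in ("call", "ret", "retl", "jmp"):
        return {"eip"}, regs
    dst, _, src = ops.partition(",")
    dst = re.sub(r"^(dword|word|byte) ", "", dst.strip())
    if dst in REGS and mnem in WRITERS:                    # plain register destination is defined
        return {dst}, set(REG_RE.findall(src)) if mnem == "mov" else regs
    return set(), regs                                     # memory destination, push, ...: uses only


def backward_slice(records: List[Record], start_seq: int) -> Tuple[List[int], List[int]]:
    """Dynamic backward slice: walk earlier records newest-first, keep each one that defines a
    register or writes a memory byte the slice still has to explain, then add its own inputs.
    Returns (sequence numbers in the slice, newest first; memory bytes never explained)."""
    newest_first = sorted(records, key=lambda r: r.seq, reverse=True)
    start = next(r for r in newest_first if r.seq == start_seq)
    wanted_regs: Set[str] = set()
    wanted_mem: Set[int] = set()
    sliced = [start.seq]

    def consume(rec: Record) -> None:                      # what this record needed as input
        wanted_regs.update(reg_defs_uses(rec.disasm)[1])
        for addr, size, _ in rec.reads:
            wanted_mem.update(range(addr, addr + size))

    consume(start)
    for rec in newest_first:
        if rec.seq >= start_seq:
            continue
        defs = reg_defs_uses(rec.disasm)[0]
        written = {b for addr, size in rec.writes for b in range(addr, addr + size)}
        hit_regs, hit_mem = defs & wanted_regs, written & wanted_mem
        if hit_regs or hit_mem:
            sliced.append(rec.seq)
            wanted_regs -= hit_regs
            wanted_mem -= hit_mem
            consume(rec)
    return sliced, sorted(wanted_mem)
```

Run on the event-tracking records, the slice from call eax keeps add eax, eax; mov eax, [edi+6]; and both rep movsd records, and the memory bytes it could not explain (0xa9f74.. and 0xa9f8c.., the sources of the two copies) are the external input to this part of the trace. The two records through [ebp+arg_8] fall outside this slice because their value leaves through ECX, whose consumer is not among the records shown on the slide. Note also that the trace logs a single dword access per rep movsd record, so the upper two bytes of the [edi+6] read stay unexplained; that is a limit of the recorded trace, not of the slicing.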

WMF SLICING 2

WMF SLICING (3)

FILTERING OUT INFORMATION NOISE

FUTURE
Trace Generation (Working)
Taint Analysis (2013)
Replay
Automated Analysis
