03.22
Hi everyone,
This is aMIr (a.k.a. sCORPINo), and this is my second post on this blog.
CanSecWest recently finished, and as Microsoft promised to release !exploitable (pronounced "bang exploitable") after CanSecWest, they did: !exploitable was published a few hours ago.
So I decided to do a test, or maybe an analysis, of this tool. You can download the tool and the presentation about it here (thanks go to Thierry Zoller for the link):
Calling it a tool is not quite right, because it is not stand-alone; it is an extension for WinDbg, Microsoft's official debugging tool, which you can grab here (try it, you'll love it):
http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx
After installing WinDbg and extracting !exploitable, copy MSEC.dll from the binaries folder into [WinDbg folder]\winext, fire up WinDbg, and then load an executable or attach to a running process.
Then load the extension into WinDbg with this command:
!load winext\msec.dll
OK, now everything is waiting for you. Yes, you: go and cause an EXCEPTION!
When an exception is raised, WinDbg breaks in and waits for your interaction: resume, terminate, and so on.
At that point you ask yourself: is it exploitable or NOT?! You are in doubt, so ask !exploitable :>
try this command :
!exploitable -v
Running this command analyzes the exception, checks whether it looks exploitable or not, and prints some information about it.
This feature is great and will help you many times, but it is still just software and can make mistakes!
I wrote some pieces of code with vulnerable conditions and tested them with the !exploitable extension in WinDbg, and it behaved differently on each of them.
1) The first PoC was a simple stack-based buffer overflow compiled with the MinGW compiler. The result after triggering the EXCEPTION and running "!exploitable -v" is:
CommandLine: C:\Users\sCORPINo\Desktop\cpp\sim-bof.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00400000 00406000   image00400000
ModLoad: 77ce0000 77dfe000   ntdll.dll
ModLoad: 77550000 77628000   C:\Windows\system32\kernel32.dll
ModLoad: 76670000 7671a000   C:\Windows\system32\msvcrt.dll
(740.1708): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0022fb00 edx=77d40f34 esi=fffffffe edi=77da5d14
eip=77d22ea8 esp=0022fb18 ebp=0022fb48 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000> g
(740.1708): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=7ffdf000 ecx=00332aa4 edx=00414141 esi=00000000 edi=00000000
eip=41414141 esp=0022ff60 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\msvcrt.dll - 
*** ERROR: Module load completed but symbols could not be loaded for image00400000
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Exception Hash (Major/Minor): 0x39677f42.0xb7c7f42
Stack Trace:
Unknown
Unknown
msvcrt!strupr+0x98
image00400000+0x1298
Instruction Address: 0x41414141
Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x157d9fc (Hash=0x39677f42.0xb7c7f42)
Access violations at the instruction pointer are exploitable if not near NULL.
2) The second PoC was a simple format string bug, also compiled with MinGW. I triggered the exception, and although it is exploitable, the extension reported "UNKNOWN" as the result:
CommandLine: C:\Users\sCORPINo\Desktop\cpp\sim-fst.exe AAAA%x%x%x%x%x%x%x%x%x%x%x%s
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00400000 00406000   image00400000
ModLoad: 77ce0000 77dfe000   ntdll.dll
ModLoad: 77550000 77628000   C:\Windows\system32\kernel32.dll
ModLoad: 76670000 7671a000   C:\Windows\system32\msvcrt.dll
(1718.37c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0022fb00 edx=77d40f34 esi=fffffffe edi=77da5d14
eip=77d22ea8 esp=0022fb18 ebp=0022fb48 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000> g
(1718.37c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=76710978 ecx=00000073 edx=7ffffffe esi=0022fefc edi=41414141
eip=7667a2af esp=0022fbdc ebp=0022fe60 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\msvcrt.dll - 
msvcrt!isleadbyte_l+0x41:
7667a2af 803800          cmp     byte ptr [eax],0           ds:0023:41414141=??
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Module load completed but symbols could not be loaded for image00400000
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:0040133f mov eax,0
Basic Block:
    0040133f mov eax,0
    00401344 leave
    00401345 ret
Exception Hash (Major/Minor): 0x43393836.0x39474436
Stack Trace:
msvcrt!isleadbyte_l+0x41
msvcrt!printf+0x46
image00400000+0x133f
image00400000+0x124b
image00400000+0x1298
kernel32!BaseThreadInitThunk+0x12
ntdll!LdrInitializeThunk+0x4d
Instruction Address: 0x40133f
Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at image00400000+0x133f (Hash=0x43393836.0x39474436)
Then I decided to check a binary compiled with Visual Studio 2008, to see how !exploitable behaves with that compiler.
3) So I wrote a simple buffer overflow and compiled it without /GS. Check the result here:
CommandLine: "C:\Users\sCORPINo\Documents\Visual Studio 2008\Projects\bang-exploitable\Release\bang-exploitable.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00e90000 00e96000   bang-exploitable.exe
ModLoad: 77ce0000 77dfe000   ntdll.dll
ModLoad: 77550000 77628000   C:\Windows\system32\kernel32.dll
ModLoad: 68eb0000 68f53000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\MSVCR90.dll
(15b4.12b4): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0030f5d8 edx=77d40f34 esi=fffffffe edi=77da5d14
eip=77d22ea8 esp=0030f5f0 ebp=0030f620 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000> g
(15b4.12b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=68ee149c edx=68f473a8 esi=00000001 edi=00e93378
eip=41414141 esp=0030fa3c ebp=0030fa78 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ??              ???
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation
Exception Hash (Major/Minor): 0x6c472519.0x770f2519
Stack Trace:
Unknown
Unknown
kernel32!BaseThreadInitThunk+0x12
ntdll!LdrInitializeThunk+0x4d
Instruction Address: 0x41414141
Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x202dab4 (Hash=0x6c472519.0x770f2519)
User mode DEP access violations are exploitable.
Great! MS knows that user-mode DEP access violations are exploitable :>
4) Let's compile the last PoC with /GS and check the result:
CommandLine: "C:\Users\sCORPINo\Documents\Visual Studio 2008\Projects\bang-exploitable\Release\bang-exploitable.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00ab0000 00ab6000   bang-exploitable.exe
ModLoad: 77ce0000 77dfe000   ntdll.dll
ModLoad: 77550000 77628000   C:\Windows\system32\kernel32.dll
ModLoad: 68eb0000 68f53000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\MSVCR90.dll
(17e4.338): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=002bf3a4 edx=77d40f34 esi=fffffffe edi=77da5d14
eip=77d22ea8 esp=002bf3bc ebp=002bf3ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000> g
STATUS_STACK_BUFFER_OVERRUN encountered
(17e4.338): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00ab20ec ecx=775e5cc0 edx=002bf1f5 esi=00000000 edi=00ab3378
eip=77d22ea8 esp=002bf438 ebp=002bf4b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
Exception Faulting Address: 0x77d22ea8
First Chance Exception Type: STATUS_BREAKPOINT (0x80000003)
Faulting Instruction:77d22ea8 int 3
Basic Block:
    77d22ea8 int 3
Exception Hash (Major/Minor): 0x3e2d2555.0x25522527
Stack Trace:
ntdll!DbgBreakPoint+0x0
bang_exploitable!__report_gsfailure+0xe1
bang_exploitable!wmain+0x28
kernel32!BaseThreadInitThunk+0x12
ntdll!LdrInitializeThunk+0x4d
Instruction Address: 0x77d22ea8
Description: Breakpoint
Short Description: Breakpoint
Exploitability Classification: UNKNOWN
Recommended Bug Title: Breakpoint starting at ntdll!DbgBreakPoint+0x0 (Hash=0x3e2d2555.0x25522527)
While a breakpoint itself is probably not exploitable, it may also be an indication that an attacker is testing a target. In either case breakpoints should not exist in production code.
Oops! UNKNOWN?!
Maybe the MS guys think that programs built with /GS are not exploitable, but if that were the reasoning they should print a "NOT EXPLOITABLE" result, so either there is another reason for it or it is a weakness in the tool. The stack trace gives a hint: the exception was raised from bang_exploitable!__report_gsfailure, the handler the /GS cookie check calls once it detects the overrun, and that handler calls ntdll!DbgBreakPoint; !exploitable classifies the breakpoint it actually sees, not the stack buffer overrun behind it, so the real bug gets the generic breakpoint verdict.
Altogether it is a good tool and can improve in the future.
Good Work MS :>
BTW, wait for the new issue of "Snoop Security Magazine", coming soon...
/aMIr
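The post runs !exploitable by hand on one crash at a time. When a fuzzer hands you a few hundred crashes, the same three steps (load MSEC.dll, g, !exploitable -v) can be driven from cdb.exe, the console twin of WinDbg that ships in the same package, and the output bucketed by classification and major hash so that duplicates of one bug collapse into one entry. The script below is an added example and is not code from the post or from Microsoft. It assumes cdb.exe is on PATH with MSEC.dll copied into its winext folder as described above, and that the target takes the crash input as its first command-line argument, like the sim-bof.exe and sim-fst.exe PoCs. The two sample transcripts at the bottom are constructed from the post's own output so the parser can be exercised on a machine without WinDbg.

```python
"""Batch triage of fuzzer crashes with cdb.exe + !exploitable (MSEC.dll).

Added example; not the post's or Microsoft's code. Assumptions:
  - cdb.exe is on PATH and MSEC.dll sits in its winext\\ folder;
  - the target takes the crash input as its first argument (argv[1]).
"""
import re
import subprocess
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Exactly what the post types by hand: load the extension at the initial
# breakpoint, g to the first stop (the first-chance exception), classify, quit.
CDB_COMMANDS = "!load winext\\msec.dll;g;!exploitable -v;q"

# The four verdicts !exploitable emits, most severe first.
SEVERITY = {
    "EXPLOITABLE": 0,
    "PROBABLY_EXPLOITABLE": 1,
    "UNKNOWN": 2,
    "PROBABLY_NOT_EXPLOITABLE": 3,
}

_CLASS = re.compile(r"Exploitability Classification:\s*(\S+)")
_SHORT = re.compile(r"Short Description:\s*(\S+)")
_HASH = re.compile(r"Exception Hash \(Major/Minor\):\s*(0x[0-9a-f]+)\.(0x[0-9a-f]+)", re.I)
_TITLE = re.compile(r"Recommended Bug Title:\s*(.+?)\s*\(Hash=")


def parse_exploitable(transcript: str) -> Optional[Dict[str, str]]:
    """Extract the fields worth bucketing on from a cdb session transcript.
    Returns None when no classification was printed (the target ran to exit
    without an exception, or the extension failed to load)."""
    cls = _CLASS.search(transcript)
    if not cls:
        return None
    short, hsh, title = (_SHORT.search(transcript), _HASH.search(transcript),
                         _TITLE.search(transcript))
    return {
        "classification": cls.group(1),
        "short": short.group(1) if short else "?",
        "major": hsh.group(1) if hsh else "?",
        "minor": hsh.group(2) if hsh else "?",
        "title": title.group(1) if title else "?",
    }


def run_cdb(target: str, crash_input: str, timeout: int = 60) -> str:
    """Run one input under cdb and return the transcript. A target that hangs
    instead of crashing comes back as an empty transcript (-> NO_CRASH)."""
    cmd = ["cdb", "-c", CDB_COMMANDS, target, crash_input]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              errors="replace", timeout=timeout)
    except subprocess.TimeoutExpired:
        return ""
    return proc.stdout


def bucket(results: List[Tuple[str, Optional[Dict[str, str]]]]
           ) -> List[Tuple[str, str, List[str]]]:
    """Group (input name, parsed result) pairs by classification and major
    hash, ordered most severe first. Unclassified inputs land in NO_CRASH."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for name, res in results:
        key = (res["classification"], res["major"]) if res else ("NO_CRASH", "-")
        groups[key].append(name)
    ordered = sorted(groups.items(),
                     key=lambda kv: (SEVERITY.get(kv[0][0], 99), kv[0][1]))
    return [(cls, major, names) for (cls, major), names in ordered]


def triage(target: str, crash_dir: str) -> List[Tuple[str, str, List[str]]]:
    """Classify every file in crash_dir (each path is passed as argv[1])."""
    results = [(p.name, parse_exploitable(run_cdb(target, str(p))))
               for p in sorted(Path(crash_dir).iterdir()) if p.is_file()]
    return bucket(results)


# Constructed sample transcripts, trimmed from the post's own output.
SAMPLE_BOF = """0:000> !exploitable -v
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Exception Hash (Major/Minor): 0x39677f42.0xb7c7f42
Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x157d9fc (Hash=0x39677f42.0xb7c7f42)
"""

SAMPLE_GS = """0:000> !exploitable -v
Exception Faulting Address: 0x77d22ea8
First Chance Exception Type: STATUS_BREAKPOINT (0x80000003)
Exception Hash (Major/Minor): 0x3e2d2555.0x25522527
Description: Breakpoint
Short Description: Breakpoint
Exploitability Classification: UNKNOWN
Recommended Bug Title: Breakpoint starting at ntdll!DbgBreakPoint+0x0 (Hash=0x3e2d2555.0x25522527)
"""

if __name__ == "__main__":
    import sys
    for cls, major, names in triage(sys.argv[1], sys.argv[2]):
        print(f"{cls:25} {major:12} {len(names):4} input(s): {', '.join(names[:5])}")
```

Note that g stops at the first-chance exception, exactly as the manual sessions above do, so an exception the program would have handled itself still gets a verdict; the /GS run is the other pitfall, since the breakpoint raised by __report_gsfailure is what gets classified and the overrun itself ends up in the UNKNOWN bucket. Treat the buckets as a sort order for human review, not as a final answer.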
Great…
Good blog! I'll always read it

By the way, what are your TIC and PR? We can exchange links if you like! Ping me on ICQ: four, five, two nines, and four threes )))
If you post it, I'll see it in Google and put yours up too!
OK? If anything, write on my blog! =)
———————————————————————
sCORPINo:
I didn't get your words thoroughly; anyway, thanks for your comment.
Translation of your comment:
Good blog! Will always read :)
By the way, what are your TIC and PR? We can exchange if you like! Ping me on ICQ: four, five, two nines, and four threes )))
If you post it, I'll see it in Google and put yours up too!
OK? If anything, write on my blog! =)
Good post,
keep up the good work.
———————————————————————
sCORPINo:
Thanks for your comment.
Interesting post, keep up the work
Good review
I’ve got some comments to add to it:
DEP access violations have to be reported as exploitable, because not all hardware and not all Windows installations support or enable DEP.
Breakpoints may or may not be related to security bugs. For example, when the heap is in debug mode, a breakpoint will be hit whenever a heap buffer overflow is detected.
Also, I believe you’ll get a better result with the format string poc if you use %n rather than %x. That way you’ll get an access violation when writing rather than reading.
All in all I think it’s a good tool to couple with a fuzzer. It can filter out quite a few harmless crashes. Then again, of course, it can’t replace a human analysis, but I don’t think it’s meant to.
Nice post, keep up the good work!
@Mario
Thanks for reading this review and commenting on it.
Yep, DEP has to be reported as exploitable, and I applaud the MS guys, who accepted that their mitigation can be bypassed (as mentioned in their plugin's result).
Yes, this plugin can be great when you have a bunch of crashes from a fuzzing session and want to separate security bugs from other bugs so you can focus on them.
thanks for your great comments again
thanks for the catch. I’ll get in there and fix it….
I'm sorry, but, in my opinion, you're wrong. I'm sure of it. Let's discuss.
/Snake
yes, partseoru. +1
I liked the blog, though
Damn... I typed and typed, and the message wasn't sent and wasn't saved
Anyway, I liked the blog. Good luck to the admin in growing it.
Thanks!