<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Snoop Security Researching Community &#187; software testing</title>
	<atom:link href="http://www.snoop-security.com/blog/index.php/tag/software-testing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.snoop-security.com/blog</link>
	<description></description>
	<lastBuildDate>Thu, 04 Mar 2010 08:06:30 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Microsoft !exploitable Extension Review</title>
		<link>http://www.snoop-security.com/blog/index.php/2009/03/microsoft-exploitable-extension-review/</link>
		<comments>http://www.snoop-security.com/blog/index.php/2009/03/microsoft-exploitable-extension-review/#comments</comments>
		<pubDate>Sat, 21 Mar 2009 23:28:05 +0000</pubDate>
		<dc:creator>sCORPINo</dc:creator>
				<category><![CDATA[Exploit Development]]></category>
		<category><![CDATA[Fuzzing]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[exploit development]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software testing]]></category>

		<guid isPermaLink="false">http://www.snoop-security.com/blog/?p=6</guid>
		<description><![CDATA[Hi everyone,
This is aMIr (a.k.a. sCORPINo) and this is my second post on this blog.
CanSecWest finished recently, and as Microsoft promised to release the !exploitable (called "bang exploitable") tool after CanSecWest, they did: !exploitable was published a few hours ago.
So I decided to do a test, or maybe an analysis, of this tool. Well, you [...]]]></description>
			<content:encoded><![CDATA[<p>Hi everyone,</p>
<p>This is aMIr (a.k.a. sCORPINo) and this is my second post on this blog <img src='http://www.snoop-security.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p><a title="CanSecWest Security conference web-site" href="http://www.cansecwest.com" target="_blank">CanSecWest</a> finished recently, and as Microsoft promised to release the !exploitable (called "bang exploitable") tool after CanSecWest, they did: !exploitable was published a few hours ago.</p>
<p>So I decided to do a test, or maybe an analysis, of this tool. Well, you can download the tool and the presentation about it here (thanks go to Thierry Zoller for the link):</p>
<p><a href="http://msecdbg.codeplex.com/" target="_blank">http://msecdbg.codeplex.com</a></p>
<p>Strictly speaking it is not correct to call it a tool, because it is not stand-alone: it is an extension for WinDbg, Microsoft's official debugging tool, which you can grab here (test it, you'll love it):</p>
<p><a href="http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx" target="_blank">http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx</a></p>
<p>After installing WinDbg and extracting !exploitable, copy the "MSEC.dll" file from the binaries folder into "[WinDbg folder]\winext" (the package ships x86 and x64 builds; use the one that matches your debugger), then fire up WinDbg and either start an executable under it or attach to a running process.</p>
<p>Finally, load the extension into WinDbg with this command:</p>
<p>!load winext\msec.dll</p>
<p>OK, now everything is ready and waiting for you. Yes, you: trigger an EXCEPTION!</p>
<p>When an exception fires, WinDbg breaks in and waits for your interaction: resume, terminate, and so on.</p>
<p>At that point you ask yourself: is it exploitable or NOT?! You are in doubt, so ask !exploitable :&gt;</p>
<p>Try this command:</p>
<p>!exploitable -v</p>
<p>Running this command analyses the exception, decides whether it looks exploitable, and prints some information about it (-v is the verbose mode). The logs below were taken without a symbol path (note the .symfix warning the debugger prints), so stack frames appear as module+offset; run .symfix and .reload first if you want symbolic frames.</p>
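<p>When you are triaging fuzzer output you do not want to type this sequence for every crash. The following Python script is an added example (it is not part of this post or of the MSEC package): it runs the target under cdb.exe, the console debugger installed alongside WinDbg, hands it the same commands through cdb's -c switch, and parses the !exploitable -v report into fields you can filter and bucket on. It assumes cdb.exe is on PATH and that MSEC.dll sits in winext as described above; the embedded sample report is an abridged copy of the first test case later in this post.</p>

```python
"""Batch crash triage with cdb.exe and the !exploitable extension.

Added example for this post, not code from the post or the MSEC package.
Assumes cdb.exe (installed with WinDbg) is on PATH and that MSEC.dll was
copied to the debugger's winext folder as described above.
"""
import re
import subprocess
from collections import defaultdict

# Same sequence the post types by hand: load the extension, run the target
# until its first exception, print the verbose report, quit the debugger.
TRIAGE_COMMANDS = "!load winext\\msec.dll; g; !exploitable -v; q"


def cdb_command(target, *args, cdb="cdb.exe"):
    """Command line running `target args...` under cdb; -c executes
    TRIAGE_COMMANDS at the initial breakpoint."""
    return [cdb, "-c", TRIAGE_COMMANDS, target, *args]


def run_triage(target, *args):
    """Run one input under the debugger and parse what it printed
    (needs Windows plus the debugger; the parser itself does not)."""
    proc = subprocess.run(cdb_command(target, *args), capture_output=True, text=True)
    return parse_report(proc.stdout)


# One regex per field of the !exploitable -v report.
_FIELDS = {
    "fault_address": r"^Exception Faulting Address: (0x[0-9A-Fa-f]+)",
    "exception_type": r"^First Chance Exception Type: (\S+)",
    "sub_type": r"^Exception Sub-Type: (.+)$",
    "hash": r"^Exception Hash \(Major/Minor\): (0x[0-9A-Fa-f]+)\.(0x[0-9A-Fa-f]+)",
    "short": r"^Short Description: (\S+)",
    "classification": r"^Exploitability Classification: (\S+)",
    "title": r"^Recommended Bug Title: (.+)$",
}


def parse_report(text):
    """Extract the report fields and the stack trace. Fields that never appear
    stay absent, so a run that did not reach !exploitable has no classification."""
    report = {"stack": []}
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_stack:
            if line and not line.startswith("Instruction Address:"):
                report["stack"].append(line)
                continue
            in_stack = False
        if line == "Stack Trace:":
            in_stack = True
            continue
        for key, pattern in _FIELDS.items():
            m = re.match(pattern, line)
            if not m:
                continue
            if key == "hash":
                report["hash_major"], report["hash_minor"] = m.group(1), m.group(2)
            elif key == "fault_address":
                report[key] = int(m.group(1), 16)
            else:
                report[key] = m.group(1).strip()
    return report


def worth_a_look(report):
    """First-pass filter for a fuzzing queue. Keep UNKNOWN reports somewhere
    too: the post's format-string case shows UNKNOWN can hide a real bug."""
    return report.get("classification") in ("EXPLOITABLE", "PROBABLY_EXPLOITABLE")


def bucket_by_major_hash(reports):
    """Group reports by the Major stack hash so one bug hit by many inputs is
    counted once; the Minor hash tells variants within a bucket apart."""
    buckets = defaultdict(list)
    for r in reports:
        buckets[r.get("hash_major", "no-hash")].append(r)
    return dict(buckets)


# Sample input: the first test case's report later in this post, abridged.
SAMPLE_REPORT = r"""
Event Type: Exception
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Exception Hash (Major/Minor): 0x39677f42.0xb7c7f42

Stack Trace:
Unknown
Unknown
msvcrt!strupr+0x98
image00400000+0x1298
Instruction Address: 0x41414141

Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x157d9fc (Hash=0x39677f42.0xb7c7f42)
"""
```

<p>On a real run, run_triage feeds each fuzz case through cdb and parse_report turns the text into a record; bucket_by_major_hash then collapses the hundreds of inputs that hit the same stack into one entry. A verdict of UNKNOWN still needs a human, as the format-string case below shows.</p>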
<p>This feature is great and will help you many times, but in the end it is software, and software can make mistakes!</p>
<p>I wrote a few small pieces of code with vulnerable conditions and tested them with the !exploitable extension in WinDbg, and it behaved quite differently on each.</p>
<p>1) The first PoC was a simple stack-based buffer overflow compiled with the MinGW compiler. The result after triggering the EXCEPTION and running "!exploitable -v" is:</p>
<pre>CommandLine: C:\Users\sCORPINo\Desktop\cpp\sim-bof.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00406000   image00400000
ModLoad: 77ce0000 77dfe000   ntdll.dll
ModLoad: 77550000 77628000   C:\Windows\system32\kernel32.dll
ModLoad: 76670000 7671a000   C:\Windows\system32\msvcrt.dll
(740.1708): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0022fb00 edx=77d40f34 esi=fffffffe edi=77da5d14
eip=77d22ea8 esp=0022fb18 ebp=0022fb48 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000&gt; g
(740.1708): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=7ffdf000 ecx=00332aa4 edx=00414141 esi=00000000 edi=00000000
eip=41414141 esp=0022ff60 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???
0:000&gt; !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\msvcrt.dll -
*** ERROR: Module load completed but symbols could not be loaded for image00400000
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Exception Hash (Major/Minor): 0x39677f42.0xb7c7f42

Stack Trace:
Unknown
Unknown
msvcrt!strupr+0x98
image00400000+0x1298
Instruction Address: 0x41414141

Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x157d9fc (Hash=0x39677f42.0xb7c7f42)

Access violations at the instruction pointer are exploitable if not near NULL.</pre>
<p>2) The second PoC was a simple format string bug, also compiled with MinGW. I triggered an exception, and although it is exploitable, the extension reported "UNKNOWN":</p>
<pre>CommandLine: C:\Users\sCORPINo\Desktop\cpp\sim-fst.exe AAAA%x%x%x%x%x%x%x%x%x%x%x%s
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00406000   image00400000
ModLoad: 77ce0000 77dfe000   ntdll.dll
ModLoad: 77550000 77628000   C:\Windows\system32\kernel32.dll
ModLoad: 76670000 7671a000   C:\Windows\system32\msvcrt.dll
(1718.37c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0022fb00 edx=77d40f34 esi=fffffffe edi=77da5d14
eip=77d22ea8 esp=0022fb18 ebp=0022fb48 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000&gt; g
(1718.37c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=76710978 ecx=00000073 edx=7ffffffe esi=0022fefc edi=41414141
eip=7667a2af esp=0022fbdc ebp=0022fe60 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\msvcrt.dll -
msvcrt!isleadbyte_l+0x41:
7667a2af 803800          cmp     byte ptr [eax],0           ds:0023:41414141=??
0:000&gt; !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Module load completed but symbols could not be loaded for image00400000
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:0040133f mov eax,0

Basic Block:
    0040133f mov eax,0
    00401344 leave

    00401345 ret

Exception Hash (Major/Minor): 0x43393836.0x39474436

Stack Trace:
msvcrt!isleadbyte_l+0x41
msvcrt!printf+0x46
image00400000+0x133f
image00400000+0x124b
image00400000+0x1298
kernel32!BaseThreadInitThunk+0x12
ntdll!LdrInitializeThunk+0x4d
Instruction Address: 0x40133f

Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at image00400000+0x133f (Hash=0x43393836.0x39474436)</pre>
<p>Then I decided to check a binary compiled with Visual Studio 2008, to see how "!exploitable" behaves with that compiler.</p>
<p>3) So I wrote a simple buffer overflow and compiled it without /GS. Check the result here:</p>
<pre>CommandLine: "C:\Users\sCORPINo\Documents\Visual Studio 2008\Projects\bang-exploitable\Release\bang-exploitable.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00e90000 00e96000   bang-exploitable.exe
ModLoad: 77ce0000 77dfe000   ntdll.dll
ModLoad: 77550000 77628000   C:\Windows\system32\kernel32.dll
ModLoad: 68eb0000 68f53000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\MSVCR90.dll
(15b4.12b4): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0030f5d8 edx=77d40f34 esi=fffffffe edi=77da5d14
eip=77d22ea8 esp=0030f5f0 ebp=0030f620 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000&gt; g
(15b4.12b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=68ee149c edx=68f473a8 esi=00000001 edi=00e93378
eip=41414141 esp=0030fa3c ebp=0030fa78 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
41414141 ??              ???
0:000&gt; !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x6c472519.0x770f2519

Stack Trace:
Unknown
Unknown
kernel32!BaseThreadInitThunk+0x12
ntdll!LdrInitializeThunk+0x4d
Instruction Address: 0x41414141

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x202dab4 (Hash=0x6c472519.0x770f2519)

User mode DEP access violations are exploitable.</pre>
<p>Great! MS knows that user-mode DEP access violations are exploitable :&gt;</p>
<p>4) Let's compile the last PoC with /GS and check the result:</p>
<pre>CommandLine: "C:\Users\sCORPINo\Documents\Visual Studio 2008\Projects\bang-exploitable\Release\bang-exploitable.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00ab0000 00ab6000   bang-exploitable.exe
ModLoad: 77ce0000 77dfe000   ntdll.dll
ModLoad: 77550000 77628000   C:\Windows\system32\kernel32.dll
ModLoad: 68eb0000 68f53000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\MSVCR90.dll
(17e4.338): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=002bf3a4 edx=77d40f34 esi=fffffffe edi=77da5d14
eip=77d22ea8 esp=002bf3bc ebp=002bf3ec iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000&gt; g

STATUS_STACK_BUFFER_OVERRUN encountered
(17e4.338): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00ab20ec ecx=775e5cc0 edx=002bf1f5 esi=00000000 edi=00ab3378
eip=77d22ea8 esp=002bf438 ebp=002bf4b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
77d22ea8 cc              int     3
0:000&gt; !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
Exception Faulting Address: 0x77d22ea8
First Chance Exception Type: STATUS_BREAKPOINT (0x80000003)

Faulting Instruction:77d22ea8 int 3

Basic Block:
    77d22ea8 int 3

Exception Hash (Major/Minor): 0x3e2d2555.0x25522527

Stack Trace:
ntdll!DbgBreakPoint+0x0
bang_exploitable!__report_gsfailure+0xe1
bang_exploitable!wmain+0x28
kernel32!BaseThreadInitThunk+0x12
ntdll!LdrInitializeThunk+0x4d
Instruction Address: 0x77d22ea8

Description: Breakpoint
Short Description: Breakpoint
Exploitability Classification: UNKNOWN
Recommended Bug Title: Breakpoint starting at ntdll!DbgBreakPoint+0x0 (Hash=0x3e2d2555.0x25522527)

While a breakpoint itself is probably not exploitable, it may also be an indication that an attacker is testing a target.
In either case breakpoints should not exist in production code.</pre>
<p>Oops! UNKNOWN?!</p>
<p>Maybe the MS guys think that programs built with /GS are not exploitable, but if we guess that way they should print a "NOT EXPLOITABLE" result, so there may be another reason for it, or a weakness in the tool <img src='http://www.snoop-security.com/blog/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p>Altogether it is a good tool and can improve in the future.</p>
<p>Good work MS :&gt;</p>
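<p>The /GS log itself shows where that UNKNOWN comes from: the stack trace has bang_exploitable!__report_gsfailure raising the int 3, so the exception the extension is handed is STATUS_BREAKPOINT, and it classifies that breakpoint, not the stack overrun that triggered it. Likewise, test 1 and test 3 break at the same EIP of 0x41414141 but get different sub-types, most likely because the Visual Studio build is DEP-aware (VS2008 links with /NXCOMPAT by default), so the extension can cite the DEP rule, while the MinGW build only gets the weaker "AV on IP" rule. The following Python is an added example, not Microsoft's code: it encodes just the rules stated in the explanation lines of the reports above, plus the extension's write-AV rule (not shown on this page) and one assumption (addresses below 64 KiB count as "near NULL"), and replays the four cases from the register dumps and report fields above.</p>

```python
"""Replay the four !exploitable verdicts from the exception facts above.

Added example, not MSEC code. The rules are the ones the reports' own
explanation lines state (AV at the instruction pointer not near NULL,
user-mode DEP violation, breakpoint), plus the extension's write-AV rule,
which this page does not show, and one assumption: addresses below 64 KiB
count as "near NULL".
"""
from dataclasses import dataclass

STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_BREAKPOINT = 0x80000003
NEAR_NULL_LIMIT = 0x10000  # assumption; MSEC's real threshold is not quoted here


@dataclass(frozen=True)
class CrashEvent:
    name: str
    exception_code: int   # code from "First Chance Exception Type"
    fault_address: int    # "Exception Faulting Address"
    eip: int              # instruction pointer in the register dump
    write: bool = False   # the faulting instruction stores to memory
    dep: bool = False     # sub-type "Data Execution Protection (DEP) Violation"


def classify(ev):
    """Return (short description, classification, one-line reason)."""
    if ev.exception_code == STATUS_BREAKPOINT:
        # The /GS case: __report_gsfailure raises int 3 and only that int 3
        # is analysed, so the overrun underneath never reaches a rule.
        return ("Breakpoint", "UNKNOWN",
                "breakpoint exception; whatever raised the int 3 is not inspected")
    if ev.exception_code != STATUS_ACCESS_VIOLATION:
        return ("Other", "UNKNOWN", "no rule for this exception code")
    if ev.dep:
        return ("DEPViolation", "EXPLOITABLE",
                "user mode DEP access violations are exploitable")
    near_null = ev.fault_address < NEAR_NULL_LIMIT
    if ev.fault_address == ev.eip and not near_null:
        return ("ReadAVonIP", "EXPLOITABLE",
                "access violation at the instruction pointer, not near NULL")
    if ev.write:
        # Simplification: near-NULL writes are not treated specially here.
        return ("WriteAV", "EXPLOITABLE", "write through an attacker-shaped pointer")
    if near_null:
        return ("ReadAVNearNull", "PROBABLY_NOT_EXPLOITABLE",
                "looks like a NULL pointer dereference")
    # The format-string case: cmp byte ptr [eax],0 only reads through the
    # attacker value; nothing shows it steering control flow, hence UNKNOWN.
    return ("ReadAV", "UNKNOWN", "read from a bad address with no further evidence")


# Constructed from the register dumps and report fields in the four logs above.
CASES = (
    CrashEvent("1 MinGW stack overflow", STATUS_ACCESS_VIOLATION, 0x41414141, 0x41414141),
    CrashEvent("2 MinGW format string", STATUS_ACCESS_VIOLATION, 0x41414141, 0x7667A2AF),
    CrashEvent("3 VS2008 without /GS", STATUS_ACCESS_VIOLATION, 0x41414141, 0x41414141, dep=True),
    CrashEvent("4 VS2008 with /GS", STATUS_BREAKPOINT, 0x77D22EA8, 0x77D22EA8),
)


def verdicts(cases=CASES):
    """Map each case name to (short description, classification)."""
    return {ev.name: classify(ev)[:2] for ev in cases}


if __name__ == "__main__":
    for ev in CASES:
        short, cls, why = classify(ev)
        print(f"{ev.name:24} {short:14} {cls:24} {why}")
```

<p>The replay reproduces all four verdicts, which is the point: the tool is a rule table over the one exception it is handed, so an UNKNOWN means "no rule fired", not "not exploitable". Anything that turns a crash into a different exception before the debugger sees it, a /GS cookie check being the example here, also changes which rule applies.</p>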
<p>BTW, wait for the new issue of "Snoop Security Magazine". Coming soon&#8230;</p>
<p>/aMIr</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snoop-security.com/blog/index.php/2009/03/microsoft-exploitable-extension-review/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
	</channel>
</rss>
