
IDA Pr0wned


Presentation Transcript


  1. IDA Pr0wned Jason Geffner, NGS jason@ngssoftware.com 8/25/10

  2. Background • “The IDA Pro Disassembler and Debugger is an interactive, programmable, extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA Pro has become the de-facto standard for the analysis of hostile code, vulnerability research and COTS validation.” • -- http://hex-rays.com/idapro/overview.htm

  3. How IDA LOADS FILES • IDA supports dozens of file formats • One DLL per file format in IDA’s “loaders” subdirectory • Each DLL exports the following two functions: • accept_file(…) – Does loader recognize file format? • load_file(…) – Load the file into the database

  4. How IDA LOADS FILES • IDA calls each loader DLL’s accept_file(…) function on the input file • IDA then asks the user which loader to use to load the file

  5. Loaders

  6. QNX • “QNX is a commercial Unix-like real-time operating system, aimed primarily at the embedded systems market.” • -- http://en.wikipedia.org/wiki/QNX • IDA Pro includes a QNX program file loader • A code snippet from its accept_file(…) function follows…

  7. The data for all structures below are read in from the input file. • The code below iterates through each “ex.lmf_data” structure in the input file, advancing the file pointer by “sizeof(lmf_data) + lmf_data.offset” on every pass. • However, if “lmf_data.offset” == “-sizeof(lmf_data)”, then “at” is never increased and this code runs in an infinite loop.

       for (uint32 at = sizeof(ex.lmf_header) + ex.lmf_header.data_nbytes;
            lmf_data.segment_index != _LMF_EOF_REC;
            at += sizeof(lmf_data) + lmf_data.offset)
       {
           qlseek(li, at, 0);
           if (sizeof(_lmf_data) != qlread(li, &lmf_data, sizeof(_lmf_data)))
               return 0;
           switch (lmf_data.segment_index)
           {
               ...
               case _LMF_COMMENT_REC:
                   break;
               ...
           }
       }
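The loop above trusts a file-supplied offset to move the cursor forward. The following C program is an added example, not code from the slides or from IDA's QNX loader, showing how a record walker can be written so that a non-advancing or backward offset is rejected instead of looping forever. The record layout (16-bit segment index, 16 bits of padding, signed 32-bit offset, little-endian, 8 bytes on disk), the sentinel value LMF_EOF_REC and both input files are constructed for the example; the page does not give the real field widths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record layout assumed for this example (not the real lmf_data widths). */
#define REC_SIZE     8u
#define LMF_EOF_REC  0xFFFFu   /* constructed end-of-records sentinel */

typedef struct {
    uint16_t segment_index;
    int32_t  offset;           /* bytes of payload following the record */
} lmf_data_rec;

enum walk_result {
    WALK_OK = 0,        /* reached the EOF record */
    WALK_TRUNCATED,     /* a record would be read past the end of the input */
    WALK_NO_PROGRESS    /* next offset does not move forward: would spin forever */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static int32_t  le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Decode one record at byte offset 'at'; returns 0 if it would read past 'len'.
 * This is the equivalent of the qlseek/qlread pair in the original loop. */
static int read_rec(const uint8_t *buf, size_t len, size_t at, lmf_data_rec *r)
{
    if (at > len || len - at < REC_SIZE)
        return 0;
    r->segment_index = le16(buf + at);
    r->offset        = le32(buf + at + 4);
    return 1;
}

/* Walk the record chain from 'start'. Every iteration must strictly advance
 * 'at', so an offset of -REC_SIZE (the case on the slide) or any other
 * backward-pointing offset is reported rather than looped on. */
enum walk_result walk_records(const uint8_t *buf, size_t len, size_t start,
                              size_t *count)
{
    size_t at = start;
    *count = 0;
    for (;;) {
        lmf_data_rec r;
        if (!read_rec(buf, len, at, &r))
            return WALK_TRUNCATED;
        if (r.segment_index == LMF_EOF_REC)
            return WALK_OK;
        (*count)++;
        /* Compute the next offset in 64 bits so nothing wraps silently. */
        int64_t next = (int64_t)at + (int64_t)REC_SIZE + (int64_t)r.offset;
        if (next <= (int64_t)at)
            return WALK_NO_PROGRESS;
        at = (size_t)next;   /* read_rec bounds-checks it on the next pass */
    }
}

/* Constructed inputs: a well-formed chain, and a chain whose first record
 * carries offset == -REC_SIZE so the original loop would never advance. */
static const uint8_t good_file[] = {
    0x01,0x00, 0x00,0x00, 0x04,0x00,0x00,0x00,   /* segment 1, 4 payload bytes */
    0xAA,0xAA,0xAA,0xAA,                         /* payload */
    0xFF,0xFF, 0x00,0x00, 0x00,0x00,0x00,0x00    /* EOF record */
};
static const uint8_t looping_file[] = {
    0x01,0x00, 0x00,0x00, 0xF8,0xFF,0xFF,0xFF,   /* segment 1, offset = -8 */
    0xFF,0xFF, 0x00,0x00, 0x00,0x00,0x00,0x00    /* never reached */
};

enum walk_result check_good(size_t *count)
{
    return walk_records(good_file, sizeof good_file, 0, count);
}

enum walk_result check_looping(size_t *count)
{
    return walk_records(looping_file, sizeof looping_file, 0, count);
}

int main(void)
{
    size_t n = 0;
    printf("good file:    result=%d records=%zu\n", (int)check_good(&n), n);
    printf("looping file: result=%d records=%zu\n", (int)check_looping(&n), n);
    return 0;
}
```

The progress check is the whole fix: because `at` must strictly increase on every pass and `read_rec` refuses to read past `len`, the loop can run at most `len / REC_SIZE` times regardless of what the file says. Widening the arithmetic to 64 bits also catches an offset chosen to wrap a 32-bit `at` back onto itself, which a plain `at += ...` would not.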

  8. The code below shows the checks made before the vulnerable loop. The structure to the right shows the fields with required values.

  9. We can make a COM file containing raw 16-bit assembly code. The NTVDM (NT Virtual DOS Machine) initializes AX to 0x0000, but since we’re in virtualized real-mode, we can write to that address without throwing an exception.

  10. DEMO • Running the COM file • Opening the COM file in IDA Pro

  11. Icing on the Cake • We can rename the .com file to a .exe file and Windows will still run it (and IDA will still fail to load it)

  12. Q & A
