Hopelessly Ambitious Reversing Talk (wittys.com/owasp/OWASP_Chicago_Thomas_Ptacek.pdf)
Hopelessly Ambitious Reversing Talk
Applying Reverse Engineering to Web Security
about:matasano
★ An Indie Security Firm: Founded Q1’05, Chicago and NYC.
★ Research 2006:
‣ endpoint agent vulnerabilities
‣ hardware virtualized rootkits
‣ a protocol debugger
‣ windows vista (on contract to msft)
‣ storage area networks (broke netapp)
‣ 40+ pending advisories
about:thomasptacek
★ You may remember me from such research papers as: “Insertion, Evasion, Denial of Service”
★ or such companies as: Secure Networks, Network Associates, Arbor Networks
★ or such ISPs as: EnterAct
★ or such high schools as: St. Ignatius
★ etc, etc.
about:owasp_talk
★ Reversing and Code-Assisted Pen Test
‣ add hours-not-days to projects, find 10x as many flaws
★ Binary Reversing
‣ all source is now open; C++, Java, .NET
★ Protocol Reversing
‣ busting secret protocols that hide in HTTP
timeline figure (’88 to ’95) with labels: morris worm, lopatic overflow, smashing the stack, heap overflows, integer overflows, uninitialized variables, help file typos, mystery zone
a question:
why did overflows take 7 years to break out?
why reversing matters (1)
★ Reversing Will “Break Out” For Attackers
★ 1994 Attacker: Shell Scripts, .rhosts
★ 2006 Attacker: Assembly, Kernel Heap
matasano
figure: fuzzing spectrum from random fuzzing through targeted fuzzing and surgical fuzzing to audit; axes: knowledge (sample file to source), coverage (shallow to deep), speed (instant to painstaking); labels: sweet spot, fished out
why reversing matters (2)
★ The Easy Findings Are Drying Up
★ Pond Fished With Dynamite: Random Binary Fuzzing
★ Matters More For Attackers, But Professionals Must Follow
dueling methodologies: pen test vs. code review
pen test: fast, tactical
pen test: misses stuff (unexposed form fields, hidden injection)
pen test: limited range (just CGI variables, a la scarab, pantera)
code review: thorough
code review: slow, frequent effort/reward risk
code review: need code, forget third-party dependencies
middle ground
★ Code Assisted Penetration Test
‣ use info about code to improve tests
‣ test-driven, tactical
‣ exploit source, but minimize effort
reverse engineering is now practical
figure: intersection of tool evolution and hardware dependence; labels: hex edit, decompilation, .net CLR, C++, hit trace
rce myth #1
★ End results need to be compilable, nearly as good as the original source code!
‣ No. Results just need to map out the inputs and operations. We’ll never recompile. We don’t need your algorithms.
rce myth #2
★ All reversed source code needs to be read.
‣ No. We’re barely going to read any code. We isolate the few functions that matter, figure out their inputs, and test them.
rce myth #3
★ If there are no symbols, reversing is impractical.
‣ No. Real code is littered with giveaways about which functions are which. Stripping function names adds hours, not days.
rce myth #4
★ The goal of reversing is to get back to the original source language.
‣ No. All we need is “better than assembly”. We can “decompile” to a call graph, or a low-level language, and analyze that.
rce myth #5
★ All decompilation is static, file-at-a-time.
‣ No. We’ll use debuggers, system call tracing, filesystems, logging, and single-stepping to help.
open
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) { printf("helu, world\n"); exit(0); }
closed
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 55 89 e5 53 |............U..S|
000001d0 83 ec 14 e8 f4 ff ff ff 8d 83 1a 00 00 00 89 04 |................|
000001e0 24 e8 1d 00 00 00 c7 04 24 01 00 00 00 e8 0c 00 |$.......$.......|
000001f0 00 00 68 65 6c 75 2c 20 77 6f 72 6c 64 00 f4 f4 |..helu, world...|
00000200 f4 f4 f4 f4 f4 f4 f4 f4 8b 1c 24 c3 22 00 00 00 |..........$."...|
00000210 03 00 00 05 16 00 00 00 03 00 00 05 0e 00 00 a4 |................|
00000220 26 00 00 00 00 00 00 a1 0c 00 00 00 08 00 00 00 |&...............|
disassembled
push %ebp
mov %esp,%ebp
push %ebx
sub $0x14,%esp
call 0 <LC_SEGMENT.__TEXT.__text>
lea 0x1a(%ebx),%eax
mov %eax,(%esp)
call 37 <___i686.get_pc_thunk.bx-0x5>
movl $0x1,(%esp)
call 32 <___i686.get_pc_thunk.bx-0xa>
call graphed
figure: call graph with nodes read(), unknown, close(), open(), read(), write(), memcmp()
bblock graphed
figure: basic-block graph of one function: prologue, condition, false? branch, funcall, retval, epilogue
hit traced
figure: the call graph from the previous slide (read(), unknown, close(), open(), read(), write(), memcmp()) annotated by hit trace
bblock diffed patch
figure: two basic-block graphs side by side (prologue, condition, false? branch, funcall, retval, epilogue); the patched version carries an extra condition block
open java
class Program { public static void main(String args[]) { System.out.println("helu, world"); }}
closed java
class Program { public static void main(String args[]) { System.out.println("helu, world"); }}
Why Java Decompiles
★ Simple instructions: fits on a Wikipedia page
★ Embedded types: everything’s an object, objects have names.
★ Storage model: arguments, locals, instance variables all predictable, along with stack frames
★ Verified code: can’t jump to the middle of an instruction.
★ Minimal indirection: no computed function pointers
demo: ida
demo: paimei minesweeper
demo: binnavi eye candy
demo: jad
demo: xcode java
demo: .net reflector
the 8 steps
1. Configure the Application: set up a working lab.
2. Sniff Test: see if it survives silly stuff.
3. Capture Traffic: get data to work with.
4. Decode and Frame: break up messages.
5. Establish Replayability: start talking to target.
6. Establish Variability: start attacking target.
7. Establish Generation: build fuzzing framework.
8. Write Test Cases: test for coverage.
(1) configure
★ Get the product working in its normal state.
‣ Consider disabling security features for now.
★ We lose more time here than anywhere else.
★ Objective: A VMware “just-add-water” lab.
(2) sniff test
★ Is there any authentication?
★ Can I crash it with random data?
★ Objective: Qualify the target.
‣ don’t waste time with totally broken apps.
(3) capture
★ I use tcpdump to figure out what ports an application uses.
★ I use a simple socket-based plugboard for everything else.
★ Objective: files for each side of connection
‣ inspect in hexdump
(4) frame
★ The hardest step.
‣ but usually much simpler for web apps
★ Take one capture file.
★ Objective: files for each protocol message.
(5) replay
★ Cat message files back at the server
‣ (in the right order)
★ Objective #1: successful responses
★ Objective #2: see what varies
(6) vary
★ Now we have examples of protocol messages.
★ Objective: fuzzing templates
‣ Change strings
‣ Change length
‣ Change things at random
(7) generate
★ Now we have a good idea of how the protocol works.
★ Objective: code to generate from scratch
‣ I’ve used C, Python, Ruby, and Bash
‣ I actually prefer Bash.
(8) test cases
★ Start finding flaws.
★ You should be minutes-not-hours for each new test case now.
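Steps 4, 6 and 7 of the procedure above (frame, vary, generate), worked through in Python as an added example; this is not code from the talk. The protocol is a constructed toy (assumed for the example, not any real product): a 2-byte magic `PK`, a 16-bit big-endian payload length, and a payload of `COMMAND`, a NUL byte, and an argument. The capture bytes stand in for the per-side file that step 3 leaves behind.

```python
import random
import struct
from typing import Dict, List, Optional, Tuple

# Constructed toy protocol (an assumption for this example, not a real product):
#   MAGIC b"PK" | 2-byte big-endian payload length | payload
#   payload = b"<COMMAND>\x00<argument>"
MAGIC = b"PK"
HDR = 4  # magic + length

# Constructed stand-in for the client-side capture file step 3 produces:
# three messages back to back on one TCP stream.
CAPTURE = (
    b"PK\x00\x0bLOGIN\x00alice"
    + b"PK\x00\x0cFETCH\x00report"
    + b"PK\x00\x05QUIT\x00"
)


def frame_messages(stream: bytes) -> List[bytes]:
    """Step 4 (frame): cut one captured stream into protocol messages.
    A truncated message at the end of the capture is dropped, not guessed."""
    msgs = []
    pos = 0
    while pos + HDR <= len(stream):
        if stream[pos:pos + 2] != MAGIC:
            raise ValueError("lost framing sync at offset %d" % pos)
        (length,) = struct.unpack(">H", stream[pos + 2:pos + HDR])
        end = pos + HDR + length
        if end > len(stream):
            break  # partial trailing message
        msgs.append(stream[pos:end])
        pos = end
    return msgs


def decode(msg: bytes) -> Tuple[str, bytes]:
    """Split a framed message into its command and argument."""
    cmd, _, arg = msg[HDR:].partition(b"\x00")
    return cmd.decode("ascii"), arg


def generate(cmd: str, arg: bytes, length: Optional[int] = None) -> bytes:
    """Step 7 (generate): build a message from scratch. `length` overrides the
    real payload size so a test case can lie to the server's framer."""
    payload = cmd.encode("ascii") + b"\x00" + arg
    if length is None:
        length = len(payload)
    return MAGIC + struct.pack(">H", length & 0xFFFF) + payload


def vary(msg: bytes, seed: int = 0) -> Dict[str, bytes]:
    """Step 6 (vary): fuzzing templates derived from one real message:
    change strings, change lengths, change bytes at random."""
    rng = random.Random(seed)
    cmd, arg = decode(msg)
    cases = {
        "long_string": generate(cmd, arg + b"A" * 4096),
        "empty_string": generate(cmd, b""),
        "length_too_small": generate(cmd, arg, length=1),
        "length_too_large": generate(cmd, arg, length=0xFFFF),
        "no_terminator": MAGIC + struct.pack(">H", len(cmd)) + cmd.encode("ascii"),
    }
    mutated = bytearray(msg)
    if len(mutated) > HDR:
        for _ in range(3):  # leave the header alone so the message still frames
            mutated[rng.randrange(HDR, len(mutated))] = rng.randrange(256)
    cases["random_bytes"] = bytes(mutated)
    return cases


if __name__ == "__main__":
    for m in frame_messages(CAPTURE):
        print(decode(m))
    for name, case in vary(frame_messages(CAPTURE)[1]).items():
        print(name, len(case), case[:24])
```

Replay (step 5) is then just writing the framed message files, in order, to a socket connected to the server; each template from `vary` is written the same way, and `generate` is what the step 7 framework ends up calling once the protocol is understood.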
protocol decoder ring

| web       | RPC       | corba       |
|-----------|-----------|-------------|
| HTTP      | transport | IIOP        |
| POST      | pdu       | Message     |
| Apache    | server    | ORB         |
| Page      | service   | Object      |
| URL       | request   | IOR         |
| DNS       | resolver  | CosNaming   |
| &action=  | action    | Method      |
| Cookie    | session   | SvcContext  |
| POST Args | data      | MessageBody |
predictable sessions
(decoder ring row: Cookie | session | SvcContext)
proprietary session cookies are almost always monotonically increasing 32 bit integers.
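An added example (not from the talk) of the check a reviewer would run on a proprietary session cookie, with the fix beside it: collect a handful of cookies issued in sequence and see whether they parse as small, increasing 32-bit integers. The cookie samples and the `max_step` threshold are constructed for the example.

```python
import secrets
from typing import List, Optional

# Constructed samples: cookies as issued across consecutive logins.
COUNTER_COOKIES = ["SID=1000237", "SID=1000238", "SID=1000239", "SID=1000241", "SID=1000242"]
RANDOM_COOKIES = ["SID=9f2c41a0", "SID=03e7c9a1", "SID=c1d4e880"]


def cookie_value(cookie: str) -> str:
    """'SID=1000237' -> '1000237'."""
    return cookie.split("=", 1)[1]


def parse_int(value: str) -> Optional[int]:
    """Accept decimal or hex encodings of a 32-bit value; None for anything else."""
    for base in (10, 16):
        try:
            n = int(value, base)
        except ValueError:
            continue
        if 0 <= n <= 0xFFFFFFFF:
            return n
    return None


def looks_like_counter(cookies: List[str], max_step: int = 1000) -> bool:
    """True when every value is a 32-bit integer and each one sits a small
    positive step above the previous: the monotonically increasing session
    id the slide describes. max_step is an assumed tolerance for ids handed
    out to other users in between."""
    vals = [parse_int(cookie_value(c)) for c in cookies]
    if len(vals) < 2 or any(v is None for v in vals):
        return False
    return all(0 < b - a <= max_step for a, b in zip(vals, vals[1:]))


def secure_session_id(nbytes: int = 16) -> str:
    """Mitigation: 128 bits from the OS CSPRNG, never derived from a counter."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print("counter cookies predictable:", looks_like_counter(COUNTER_COOKIES))
    print("random cookies predictable:", looks_like_counter(RANDOM_COOKIES))
    print("replacement id:", secure_session_id())
```

The 128-bit ids from `secure_session_id` fail `parse_int` outright (too wide for 32 bits), and 32-bit random ids fail the step test, so the check flags only the counter pattern.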
forced browsing
(decoder ring rows: Page | service | Object; URL | request | IOR; &action= | action | Method; Cookie | session | SvcContext)
often, every service/action is left to fend for itself to verify the caller: requests with no session are honored.
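The failure mode on this slide, as an added example that is not from the talk: a dispatcher where each action verifies the caller on its own (and one forgot), beside a dispatcher with a single gate in front of every action. The session table, action names and request dicts are constructed for the example.

```python
from typing import Callable, Dict

# Constructed session table: session cookie value -> user.
SESSIONS = {"s-7f3a": "alice"}


def report(req: Dict[str, str]) -> str:
    return "report for %s" % req.get("user", "?")


def export(req: Dict[str, str]) -> str:
    return "export of everything"


# Style 1 (the slide's failure mode): every action verifies the caller itself.
def report_checked(req: Dict[str, str]) -> str:
    if req.get("session") not in SESSIONS:
        return "403 no session"
    return report(dict(req, user=SESSIONS[req["session"]]))


# export() never got its own check, so a request with no session is honored.
PER_ACTION: Dict[str, Callable] = {"report": report_checked, "export": export}


def dispatch_per_action(req: Dict[str, str]) -> str:
    handler = PER_ACTION.get(req.get("action", ""))
    return "404 no such action" if handler is None else handler(req)


# Style 2: one gate in front of every action. Handlers are plain functions
# and are only reachable with a resolved user, so there is no per-handler
# check to forget.
ACTIONS: Dict[str, Callable] = {"report": report, "export": export}
PUBLIC = {"login"}  # the only actions reachable without a session


def dispatch_gated(req: Dict[str, str]) -> str:
    action = req.get("action", "")
    if action in PUBLIC:
        return "login form"
    user = SESSIONS.get(req.get("session", ""))
    if user is None:
        return "403 no session"  # decided before the action name is even looked at
    if action not in ACTIONS:
        return "404 no such action"
    return ACTIONS[action](dict(req, user=user))


if __name__ == "__main__":
    anon = {"action": "export"}
    print("per-action dispatcher, no session:", dispatch_per_action(anon))
    print("gated dispatcher, no session:   ", dispatch_gated(anon))
```

The gated version also answers 403 before 404 for unauthenticated callers, so the set of valid action names is not enumerable without a session.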
memory corruption
(decoder ring rows: HTTP | transport | IIOP; POST | pdu | Message; POST Args | data | MessageBody)
most web apps are built in Java/.NET. most custom protocols are C/C++.
injection
(decoder ring rows: POST | pdu | Message; POST Args | data | MessageBody)
requests usually still hit an SQL database, but there’s no off-the-shelf validator code to use. don’t forget ‘90s shell metacharacters and UNC paths!
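Since there is no off-the-shelf validator for a custom message body, here is the shape of one written from the protocol's own grammar, as an added example that is not from the talk: a name field is checked against an allow-list, then for shell metacharacters, UNC paths and traversal, and the database lookup is parameterized so the argument never becomes SQL text. The character rules, the in-memory sqlite table and the FETCH handler are constructed for the example.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed rules for a "name" field; a real validator comes from the
# protocol's own grammar, since there is none to borrow.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")
SHELL_META = re.compile(r"[;&|`$<>()\\'\"\n\r]")  # '90s shell metacharacters
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")            # \\server\share\...


def check_name(value: str) -> List[str]:
    """Reasons to reject a name-type field; an empty list means acceptable."""
    problems = []
    if not SAFE_NAME.fullmatch(value):
        problems.append("outside [A-Za-z0-9_.-]{1,64}")
    if SHELL_META.search(value):
        problems.append("shell metacharacter")
    if UNC_PATH.match(value) or value.startswith("//"):
        problems.append("UNC path")
    if ".." in re.split(r"[\\/]", value):
        problems.append("path traversal")
    return problems


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (name TEXT PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)",
                     [("q1", "Q1 numbers"), ("q2", "Q2 numbers")])
    return conn


def lookup_report(conn: sqlite3.Connection, name: str) -> Optional[str]:
    # Parameterized: the argument is bound as data, never spliced into SQL.
    row = conn.execute("SELECT body FROM reports WHERE name = ?", (name,)).fetchone()
    return None if row is None else row[0]


def handle_fetch(conn: sqlite3.Connection, arg: bytes) -> Tuple[str, object]:
    """FETCH handler for a custom message body: validate first, then query."""
    try:
        name = arg.decode("ascii")
    except UnicodeDecodeError:
        return ("rejected", ["non-ascii"])
    problems = check_name(name)
    if problems:
        return ("rejected", problems)
    body = lookup_report(conn, name)
    return ("ok", body) if body is not None else ("missing", None)


if __name__ == "__main__":
    db = make_db()
    for arg in (b"q1", b"q1' OR '1'='1", b"\\\\fileserver\\share\\q1", b"q1;id"):
        print(arg, "->", handle_fetch(db, arg))
```

The two layers are independent: even if the validator is bypassed, `lookup_report` cannot be turned into a different query, and the validator still matters for the places (shell, filesystem) where no parameter binding exists.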
cross-site-scripting
(decoder ring row: POST Args | data | MessageBody)
almost all of these apps have a web front-end somewhere; “submarine” XSS lets us inject javascript into backend database.
conclusion
it seems vanishingly unlikely I’ll make it to this slide.
chisec: third thursday, every other month, houlihan’s on wacker.