04 Feb 2010 @ 6:34 PM 

If you’ve spent any time playing with PaiMei’s PEEK! Module you’ve no doubt run into bugs.

PEEK! has the ability to track and print to screen the registers and stack when calls to recv() and recvfrom() are made. When these functions return, EAX holds the length of the received packet… unless there is a failure and it returns -1 (or FFFFFFFF). Unfortunately pydbg is instructed to do this without first checking the value of length:

read_buf = create_string_buffer(length)


Which results in this:

File "C:\Python25\lib\ctypes\__init__.py", line 70, in create_string_buffer
buftype = c_char * init
OverflowError: cannot fit 'long' into an index-sized integer

What’s the right way to fix this? Should we edit pydbg to make sure it doesn’t try to create a buffer 4294967295 bytes in length? Maybe… but for now we’ll edit PAIMEIpeek.py because it’s easier, faster, and I don’t have commit access to the svn.

To resolve this, I modified each hook container call back like so:

    ####################################################################################################################
    def socket_logger_ws2_recvfrom (self, dbg, args, ret):
        '''
        Hook container call back.
        '''

        self.msg("ws2_32.recvfrom(buf=%08x, len=%d)" % (args[1], args[2]))
        self.msg("Actually received %d bytes:" % ret)
        # recv()/recvfrom() return SOCKET_ERROR (-1) on failure; in the
        # 32-bit EAX register that reads back as 0xFFFFFFFF (4294967295),
        # so only dump the buffer when the call actually succeeded.
        if int(ret) == 4294967295:
            self.msg("ERROR received from ws2_32:%d" % ret)
        else:
            self.msg(dbg.hex_dump(dbg.read(args[1], ret)))

    ####################################################################################################################

Yes, it’s a hack but it accomplishes what I need to continue monitoring, so it’s good enough for now.
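A slightly more robust version of the same check, as an added example (not PaiMei’s or PEEK!’s own code): it reinterprets EAX as a signed 32-bit value instead of comparing against the magic number, and caps the read at the length the caller passed to recv() so a bogus return value never reaches create_string_buffer(). The StubDbg class is a constructed stand-in for pydbg’s read()/hex_dump().

```python
import struct

DWORD_MASK = 0xFFFFFFFF  # EAX is a 32-bit register


def eax_to_signed(eax):
    """Reinterpret the unsigned 32-bit EAX value as a signed int (-1 for SOCKET_ERROR)."""
    return struct.unpack("<i", struct.pack("<I", eax & DWORD_MASK))[0]


def bytes_to_dump(ret, requested_len):
    """How many bytes of the receive buffer are safe to read after recv()/recvfrom().

    Returns None when the call failed (EAX == 0xFFFFFFFF, i.e. -1). A successful
    return is capped at the buffer length the caller passed, since the debuggee
    never wrote more than that, whatever EAX claims.
    """
    n = eax_to_signed(ret)
    if n < 0:  # SOCKET_ERROR: nothing was written to the buffer
        return None
    return min(n, requested_len)


class StubDbg:
    """Constructed stand-in for pydbg: a flat byte string plays the process memory."""

    def __init__(self, memory):
        self.memory = memory

    def read(self, address, length):
        if address + length > len(self.memory):
            raise ValueError("read outside mapped memory")
        return self.memory[address:address + length]

    def hex_dump(self, data):
        return " ".join("%02x" % b for b in data)


def socket_logger_ws2_recv(dbg, args, ret):
    """Hook callback shaped like PAIMEIpeek's: args = (s, buf, len, flags), ret = EAX."""
    buf, requested_len = args[1], args[2]
    n = bytes_to_dump(ret, requested_len)
    if n is None:
        return "ERROR received from ws2_32: %d" % eax_to_signed(ret)
    return dbg.hex_dump(dbg.read(buf, n))


if __name__ == "__main__":
    # Constructed sample: the Netscan broadcast packet from the Sulley post, 13 bytes.
    dbg = StubDbg(bytes.fromhex("4e65747363616e3b30643b353b"))
    print(socket_logger_ws2_recv(dbg, (7, 0, 1024, 0), 13))
    print(socket_logger_ws2_recv(dbg, (7, 0, 1024, 0), 0xFFFFFFFF))
```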

Posted By: jRichards
Last Edit: 04 Feb 2010 @ 06:35 PM

Categories: Fuzzing, PaiMei, Reversing
 02 Feb 2010 @ 11:58 PM 

PaiMei and Sulley still rely on the power of IDA Pro to disassemble and identify basic blocks. This crucial piece of information is essential for setting breakpoints that identify entry and exit point of each basic block/function.

Thankfully the process of generating a PIDA file is rather simple these days. IDA Python has been included with the standard distribution of IDA Pro since 5.(2?). It is unfortunate that the whole process relies on having IDA Pro, as it is a difficult product to license as an independent researcher. Thankfully I’ve got friends willing to generate my PIDA files for me. If anyone out there is interested, I’d love to develop a web front end/automated process for submitting a binary and generating a PIDA file.

In any case the process boils down to:

[1] Open the binary in IDA Pro and let it analyze the file. The console should alert you when AutoAnalysis is complete.
[2] Press ALT-9 and run C:\paimei\pida_dump.py
[3] Choose Full, Propagate nodes and edges for API calls (imports) Yes, Enumerate RPC Yes, Save.

Watch for this in the console log:

Analyzing IDB…
Analyzing functions…
Enumerating imports…
Enumerating RPC interfaces…
Enumerating intramodular cross references…
Done. Completed in 23.844000 seconds.

Saving to file… 25% 50% 75% Done. Completed in 1.562000 seconds.

Posted By: jRichards
Last Edit: 02 Feb 2010 @ 11:58 PM

Categories: Fuzzing, PaiMei, Reversing
 02 Feb 2010 @ 9:30 PM 

If you’re going to start fuzzing with Sulley I’m hoping you’ve spent a little time getting to know the concepts.

Overall usage of Sulley breaks down to the following:
Data Representation: First step in using any fuzzer. Run your target and tickle some interfaces while snagging the packets. Break down the protocol into individual requests and represent that as blocks in Sulley.
Session: Link your developed requests together to form a session, attach the various available Sulley monitoring agents (socket, debugger, etc…) and commence fuzzing.
Post Mortem: Review the generated data and monitored results. Replay individual test cases.

Today we’re going to be focusing on Data Representation. I’ve chosen a UDP broadcast protocol used by a demo SCADA app.

Here is a screenshot of the network traffic.

So it sends packets out from TCP 5513 to a UDP subnet broadcast IP of 10.7.0.255 at port 5512. After observing the application idle for 5 minutes I identified two slightly different packets:


4e65747363616e3b30643b353b
4e65747363616e3b30643b373b


As you can see in the wireshark screenshot, this is an ascii, plain text representation of those two packets:


Netscan;0d;5;
Netscan;0d;7;


To build our simple protocol definition, let’s look at the following example:

# fuzzes the string: 
s_delim("<")
s_string("BODY")
s_delim(" ")
s_string("bgcolor")
s_delim("=")
s_delim("\"")
s_string("black")
s_delim("\"")
s_delim(">")


Ours will look like:

s_string("Netscan")
s_delim(";")
s_binary("0d")
s_delim(";")
s_word(1, format="ascii")
s_delim(";")

Check out “C:/sulley/docs/index.html#installation” for full API details.
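The same grammar the Sulley block above describes (string, delimiter, two-digit binary field, delimiter, 16-bit word rendered as ASCII decimal, delimiter), written as a strict parser for the receiving side. This is an added example, not part of the original post or of Sulley; the sample packets are the two hex dumps from the post, and the 64-byte cap is an assumed sanity limit, not something known about the real server.

```python
import re

# Constructed from the two captures shown in the post: Netscan;0d;5; and Netscan;0d;7;
SAMPLE_HEX = ["4e65747363616e3b30643b353b", "4e65747363616e3b30643b373b"]

MAX_PACKET = 64  # assumed sanity cap; the real server's limit is not known from the post


def parse_netscan(packet):
    """Parse one broadcast packet into (tag, hex_field, counter) or raise ValueError.

    Field by field this mirrors the Sulley block: s_string("Netscan"), s_delim(";"),
    s_binary("0d"), s_delim(";"), s_word(1, format="ascii"), s_delim(";").
    """
    if not isinstance(packet, (bytes, bytearray)):
        raise TypeError("packet must be bytes")
    if len(packet) > MAX_PACKET:
        raise ValueError("packet exceeds %d bytes" % MAX_PACKET)
    try:
        text = packet.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII byte in packet")
    parts = text.split(";")
    # "Netscan;0d;5;" splits into three fields plus the empty tail after the last ';'
    if len(parts) != 4 or parts[3] != "":
        raise ValueError("expected exactly three ';'-terminated fields")
    tag, hex_field, number = parts[0], parts[1], parts[2]
    if tag != "Netscan":
        raise ValueError("unexpected tag %r" % tag)
    if not re.fullmatch(r"[0-9a-f]{2}", hex_field):
        raise ValueError("hex field must be exactly two lowercase hex digits")
    # s_word(..., format="ascii") is a 16-bit value rendered as decimal text
    if not re.fullmatch(r"[0-9]{1,5}", number) or int(number) > 0xFFFF:
        raise ValueError("counter must be a decimal in 0..65535")
    return tag, int(hex_field, 16), int(number)


def build_netscan(hex_value, counter):
    """Inverse of parse_netscan(); lets the captured samples be round-tripped."""
    if not 0 <= hex_value <= 0xFF or not 0 <= counter <= 0xFFFF:
        raise ValueError("field out of range")
    return ("Netscan;%02x;%d;" % (hex_value, counter)).encode("ascii")


def is_well_formed(packet):
    """True if the packet parses; handy for filtering a capture before deeper analysis."""
    try:
        parse_netscan(packet)
        return True
    except (ValueError, TypeError):
        return False
```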

Let’s create our Sulley fuzzing scripts. I use Crimson Editor for quick edits. Feel free to use your favorite IDE.

Create a new file called irc5.py in C:\sulley\requests

from sulley import *

########################################################################################################################
s_initialize("irc5")

if s_block_start("bcast"):
	s_string("Netscan")
	s_delim(";")
	s_binary("0d")
	s_delim(";")
	s_word(1, format="ascii")
	s_delim(";")
s_block_end()

Now in C:\sulley\ create irc5_bcast.py with the following:

#!c:\\python\\python.exe

from sulley   import *
from requests import irc5

########################################################################################################################
# one session object: the proto="udp" argument has to go on the same call,
# otherwise a second sessions.session() would overwrite the first and drop
# the session file, sleep time and log level
sess = sessions.session(session_filename="audits/irc5-bcast.session", sleep_time=.25, log_level=10, proto="udp")
sess.add_target(sessions.target("10.7.0.255", 5513))

sess.connect(s_get("irc5"))
sess.fuzz()

Now from the DOS box run the fuzzing script:


And if we look at Wireshark we can see the packets going across the wire… I wonder what code our packets are hitting… is there more we should know about the code that processes incoming packets? (Yes!)

Enter Process Stalking. This process will allow us to identify the basic blocks hit by our incoming packets. Check out the next post on Process Stalking.

Posted By: jRichards
Last Edit: 02 Feb 2010 @ 11:39 PM

Categories: Fuzzing, PaiMei, Reversing
 02 Feb 2010 @ 8:36 PM 

When analyzing software for vulnerabilities we need to map its attack surface. For obvious reasons, remote unauthenticated communication is of special interest because it can potentially yield the holy grail in vulnerability research – remote, unauthenticated arbitrary code execution.

The process of picking a target is up to you. If you want to make some money from the folks at ZDI then I’d suggest looking at the vendors listed in the last few months of disclosures… that’s obviously what they are paying for these days.

If you want to start with something simple but still fun, I’d suggest grabbing a demo SCADA app. NOTE: Please be responsible.

For this blog post I’m going to use “IRC5 OPC Server_5.12.01.exe”, but before we run the installer, let’s fire up TCPView and check out our current open ports…




Ok, let’s get this installed…














We will look for new open ports in TCPView…




Based on what TCPView is telling us, it looks like this application listens on UDP ports 1308, 5512 and 5513.


Let’s fire up Wireshark to see if the application is chatty.




So it sends packets out from TCP 5513 to a UDP subnet broadcast IP of 10.7.0.255 at port 5512. After observing the application idle for 5 minutes I identified two slightly different packets:


4e65747363616e3b30643b353b
4e65747363616e3b30643b373b


As you can see in the wireshark screenshot, this is an ascii, plain text representation of those two packets:


Netscan;0d;5;
Netscan;0d;7;


It starts with the string Netscan, followed by a separator, followed by what looks to be an ASCII representation of a hex number, followed by a separator, followed by a decimal number and ending in a separator. This is going to be fun to fuzz later, but what other attack surfaces can we find? Let’s take a closer look at the application itself.







I tried changing poll rate, language, and users/password settings but the broadcast packet stayed the same. I’m going to go fuzz this with Sulley, would you like to come along? Don’t have Sulley installed? We have a page for that too!

Posted By: jRichards
Last Edit: 02 Feb 2010 @ 10:00 PM

 01 Feb 2010 @ 8:48 PM 

Open up C:\paimei\__build_installer.bat and change:

REM $Id: __build_installer.bat 194 2007-04-05 15:31:53Z cameron $

c:\python\python.exe setup.py bdist_wininst --bitmap=logos\installer.bmp --title=PaiMei

To:

REM $Id: __build_installer.bat 194 2007-04-05 15:31:53Z cameron $

c:\python25\python.exe setup.py bdist_wininst --bitmap=logos\installer.bmp --title=PaiMei

Open up a command prompt and go to wherever you checked out the paimei source… mine is in C:\paimei. Run the “__build_installer.bat” script:

C:\paimei>c:\python25\python.exe setup.py bdist_wininst --bitmap=logos\installer.bmp --title=PaiMei
running bdist_wininst
running build
running build_py
creating build
creating build\lib
creating build\lib\pida
copying pida\basic_block.py -> build\lib\pida
copying pida\defines.py -> build\lib\pida
copying pida\function.py -> build\lib\pida
copying pida\instruction.py -> build\lib\pida
copying pida\module.py -> build\lib\pida
copying pida\__init__.py -> build\lib\pida
creating build\lib\pgraph
copying pgraph\cluster.py -> build\lib\pgraph
copying pgraph\edge.py -> build\lib\pgraph
copying pgraph\graph.py -> build\lib\pgraph
copying pgraph\node.py -> build\lib\pgraph
copying pgraph\__init__.py -> build\lib\pgraph
creating build\lib\pydbg
copying pydbg\breakpoint.py -> build\lib\pydbg
copying pydbg\defines.py -> build\lib\pydbg
copying pydbg\hardware_breakpoint.py -> build\lib\pydbg
copying pydbg\memory_breakpoint.py -> build\lib\pydbg
copying pydbg\memory_snapshot_block.py -> build\lib\pydbg
copying pydbg\memory_snapshot_context.py -> build\lib\pydbg
copying pydbg\my_ctypes.py -> build\lib\pydbg
copying pydbg\pdx.py -> build\lib\pydbg
copying pydbg\pydbg.py -> build\lib\pydbg
copying pydbg\pydbg_client.py -> build\lib\pydbg
copying pydbg\system_dll.py -> build\lib\pydbg
copying pydbg\windows_h.py -> build\lib\pydbg
copying pydbg\__init__.py -> build\lib\pydbg
creating build\lib\utils
copying utils\code_coverage.py -> build\lib\utils
copying utils\crash_binning.py -> build\lib\utils
copying utils\hooking.py -> build\lib\utils
copying utils\injection.py -> build\lib\utils
copying utils\process_stalker.py -> build\lib\utils
copying utils\udraw_connector.py -> build\lib\utils
copying utils\__init__.py -> build\lib\utils
copying pydbg\pydasm.pyd -> build\lib\pydbg
installing to build\bdist.win32\wininst
running install_lib
creating build\bdist.win32
creating build\bdist.win32\wininst
creating build\bdist.win32\wininst\PURELIB
creating build\bdist.win32\wininst\PURELIB\pgraph
copying build\lib\pgraph\cluster.py -> build\bdist.win32\wininst\PURELIB\pgraph
copying build\lib\pgraph\edge.py -> build\bdist.win32\wininst\PURELIB\pgraph
copying build\lib\pgraph\graph.py -> build\bdist.win32\wininst\PURELIB\pgraph
copying build\lib\pgraph\node.py -> build\bdist.win32\wininst\PURELIB\pgraph
copying build\lib\pgraph\__init__.py -> build\bdist.win32\wininst\PURELIB\pgraph
creating build\bdist.win32\wininst\PURELIB\pida
copying build\lib\pida\basic_block.py -> build\bdist.win32\wininst\PURELIB\pida
copying build\lib\pida\defines.py -> build\bdist.win32\wininst\PURELIB\pida
copying build\lib\pida\function.py -> build\bdist.win32\wininst\PURELIB\pida
copying build\lib\pida\instruction.py -> build\bdist.win32\wininst\PURELIB\pida
copying build\lib\pida\module.py -> build\bdist.win32\wininst\PURELIB\pida
copying build\lib\pida\__init__.py -> build\bdist.win32\wininst\PURELIB\pida
creating build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\breakpoint.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\defines.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\hardware_breakpoint.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\memory_breakpoint.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\memory_snapshot_block.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\memory_snapshot_context.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\my_ctypes.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\pdx.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\pydasm.pyd -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\pydbg.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\pydbg_client.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\system_dll.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\windows_h.py -> build\bdist.win32\wininst\PURELIB\pydbg
copying build\lib\pydbg\__init__.py -> build\bdist.win32\wininst\PURELIB\pydbg
creating build\bdist.win32\wininst\PURELIB\utils
copying build\lib\utils\code_coverage.py -> build\bdist.win32\wininst\PURELIB\utils
copying build\lib\utils\crash_binning.py -> build\bdist.win32\wininst\PURELIB\utils
copying build\lib\utils\hooking.py -> build\bdist.win32\wininst\PURELIB\utils
copying build\lib\utils\injection.py -> build\bdist.win32\wininst\PURELIB\utils
copying build\lib\utils\process_stalker.py -> build\bdist.win32\wininst\PURELIB\utils
copying build\lib\utils\udraw_connector.py -> build\bdist.win32\wininst\PURELIB\utils
copying build\lib\utils\__init__.py -> build\bdist.win32\wininst\PURELIB\utils
running install_egg_info
Writing build\bdist.win32\wininst\PURELIB\PaiMei-1.2-py2.5.egg-info
creating 'c:\docume~1\saint\locals~1\temp\tmpa3ag4q.zip' and adding '.' to it
adding 'PURELIB\PaiMei-1.2-py2.5.egg-info'
adding 'PURELIB\pgraph\cluster.py'
adding 'PURELIB\pgraph\edge.py'
adding 'PURELIB\pgraph\graph.py'
adding 'PURELIB\pgraph\node.py'
adding 'PURELIB\pgraph\__init__.py'
adding 'PURELIB\pida\basic_block.py'
adding 'PURELIB\pida\defines.py'
adding 'PURELIB\pida\function.py'
adding 'PURELIB\pida\instruction.py'
adding 'PURELIB\pida\module.py'
adding 'PURELIB\pida\__init__.py'
adding 'PURELIB\pydbg\breakpoint.py'
adding 'PURELIB\pydbg\defines.py'
adding 'PURELIB\pydbg\hardware_breakpoint.py'
adding 'PURELIB\pydbg\memory_breakpoint.py'
adding 'PURELIB\pydbg\memory_snapshot_block.py'
adding 'PURELIB\pydbg\memory_snapshot_context.py'
adding 'PURELIB\pydbg\my_ctypes.py'
adding 'PURELIB\pydbg\pdx.py'
adding 'PURELIB\pydbg\pydasm.pyd'
adding 'PURELIB\pydbg\pydbg.py'
adding 'PURELIB\pydbg\pydbg_client.py'
adding 'PURELIB\pydbg\system_dll.py'
adding 'PURELIB\pydbg\windows_h.py'
adding 'PURELIB\pydbg\__init__.py'
adding 'PURELIB\utils\code_coverage.py'
adding 'PURELIB\utils\crash_binning.py'
adding 'PURELIB\utils\hooking.py'
adding 'PURELIB\utils\injection.py'
adding 'PURELIB\utils\process_stalker.py'
adding 'PURELIB\utils\udraw_connector.py'
adding 'PURELIB\utils\__init__.py'
creating dist
removing 'build\bdist.win32\wininst' (and everything under it)

If everything worked you should now have a brand new binary in C:\paimei\dist:


PaiMei-1.2.win32.exe

Let’s run it to install the final bits of PaiMei…






When you re-run the “__install_requirements.py” script you’ll still get:

looking for PaiMei -> PyDbg … NOT FOUND

To resolve this, edit “C:\Python25\Lib\site-packages\pydbg\my_ctypes.py”.

Look for the following code segment:

c_types = (Structure, c_char, c_byte, c_ubyte, c_short, c_ushort, c_int, c_uint, c_long, c_ulong, c_longlong, \
c_ulonglong, c_float, c_double, c_char_p, c_wchar_p, c_void_p)

… and ABOVE it, add the following (WordPress mangles my tabbing, so the body of the class is shown indented with spaces; a real tab works just as well):

class Structure(Structure):
    pass

When you re-run the “__install_requirements.py” script you should get FOUND for all of them. You’ll probably get this error (and I don’t care):

looking for pydot … Couldn’t import dot_parser, loading of dot files will not be possible.

Let’s navigate to C:\paimei\console




When we double click the console you will (hopefully) be greeted by an old man, Mr. PaiMei himself, and then the console. Take the time to read the documentation but be ready to re-learn a few things.




The framework comes with a number of great reversing tools that we will cover in the days to come:








Posted By: jRichards
Last Edit: 02 Feb 2010 @ 08:24 PM

Categories: PaiMei
 01 Feb 2010 @ 8:42 PM 

Install GraphViz. Rename the folder it creates in Program Files to Graphviz (remove the 2.26).




Install Oreas GDE from:

http://www.oreas.com/download/get_gde_win.php








Install uDraw:

http://www.informatik.uni-bremen.de/uDrawGraph/download/uDrawGraph-3.1.1-0-win32-en.exe










Go grab pydot 1.0.2 and extract it. You’re on your own from here though, I don’t use it. GL/HF.

With your fingers crossed and a hopeful heart, move on to Step Six: Checking Prerequisites

Posted By: jRichards
Last Edit: 01 Feb 2010 @ 09:27 PM

Categories: PaiMei
 01 Feb 2010 @ 7:31 PM 

[1] Install Python 2.5 (install docs say 2.4 but internal components use 2.5 now)
http://www.python.org/download/releases/2.5.4/





[2] Install MySQL – I installed mysql-essential-5.0.89-win32.msi because 5.1 isn’t detected by the Python MySQL library we need to install later. You can update the registry key it looks for if you want 5.1 installed. Make sure you choose COMPLETE INSTALL… you’ll need the developer bits to get MySQL for Python to compile.
http://dev.mysql.com/downloads/mirror.php?id=380527#mirrors





















All Done! Let’s move on to Step Three: Installing MySQLdb

Posted By: jRichards
Last Edit: 01 Feb 2010 @ 08:13 PM

Categories: PaiMei
 01 Feb 2010 @ 7:30 PM 

Download TortoiseSVN from http://tortoisesvn.net/downloads. I used this version. This is a ‘next->accept->next->install’ and will not be covered.

REBOOT (it’s a Windows shell extension so I guess it wants a reboot.)

Use TortoiseSVN to download paimei to C:\paimei

*** NOTE: Windows7 and Windows Vista users may have permission issues if it is installed in C:\Program Files or \Users.  Make sure you choose a folder just off the root of your hard drive for best results.

For funzies and to make sure we don’t have future issues caused by svn setting file permissions, let’s remove read-only/hidden attributes recursively. Make sure you have “Show hidden files/folders” turned on in XP as well; it can be easy to forget if you just created a base VM image for this project (and you should have!).

That’s it! You have the most up-to-date PaiMei source from Google Code. The bad news… the install requirements for PaiMei do not match the original install documentation, so there is going to be some work involved in getting everything up and running. The order of installation doesn’t really matter for many of the prerequisites, but Python 2.5 and MySQL 5.0 should be installed first as they are required by many of the other prerequisites.

Let’s get started Installing Python 2.5 and MySQL 5.0.89

Posted By: jRichards
Last Edit: 01 Feb 2010 @ 08:13 PM

Categories: PaiMei
