CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE

Transcription

1 CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE The purpose of this exercise is to learn Intel assembly language by disassembling a small piece of code and extensively commenting the resulting instructions. II. BACKGROUND Microsoft s SQL Server 2000 has two buffer overrun vulnerabilities that can be exploited by a remote attacker with no authentication necessary. The SQL Server listens on UDP port 1434, and a client is expected to send a single byte as a message to dynamically discover how the client should connect. Slammer exploits one of these vulnerabilities by sending more bytes than are expected. Slammer does not store anything on the file system, nor does it change anything on the filesystem, but it sends a copy of itself to other vulnerable servers. Slammer is a small piece of code (376 bytes). III. MATERIAL The code (slammer.bin) that is used in this exercise was extracted from the memory of a compromised machine. You are given a copy of slammer.bin on the course web site. You will also need two function definitions: The sendto function sends data to a specific destination where int sendto( SOCKET s, const char FAR * buf, int len, int flags, const struct sockaddr FAR * to, int tolen struct sockaddr_in { short sin_family; u_short sin_port; struct in_addr sin_addr; char sin_zero[8]; }; 1

2 The socket function creates a socket that is bound to a specific service provider: SOCKET socket( int af, int type, int protocol // Address family (e.g., AF_UNIX) // Type (e.g., SOCK_STREAM) // Protocol (e.g., IPPROTO_TCP) IV. PROCEDURES Some exercises will take more time than others to complete. The exercises marked with a diamond ( ) should only be attempted after all other exercises are completed. We will analyze the Slammer code with the IDA Pro disassembler. 1. Open a Windows-based VMware session in non-persistent mode. 2. Does PEView tell you anything about Slammer? 3. Load the shell code in IDA Pro. Open IDA Pro by either double clicking on the IDA Pro icon or by dragging the slammer file onto the icon. Because there is no header information, IDA Pro will ask if you want to load it as a binary file. Respond OK. Convert the bytes to code after the run of NOP (0x90) instructions (place the cursor at the desired position and select Edit Code from the file menu). Our analysis will start at the first instruction of the payload: push 42B0C9DCh. This instruction overwrites the instruction pointer with an address from sqlsort.dll. The instruction at this address is jmp esp, and executing this instruction results in the execution of the slammer code. Note that as a result of the eighth instruction after this push, EBP is set to be the current stack pointer, ESP. The table on the page following question 17 provides an illustration of the stack at this point, after EBP is set to ESP. 4. Initially, what is the decimal value of ecx at position 0x8B? 2

3 5. Slammer overflows the stack of the SQL Server machine. The SQL Server code continues to execute before the slammer payload is executed (reached by a jmp esp instruction), and in the process, the beginning of the payload buffer is corrupted. Therefore the first thing that the slammer code does is rebuild the buffer so that it will be ready to send during the next compromise. What is the starting location of the loop that rebuilds the buffer? Describe what happens in this loop (refer to the Intel manual to learn more about the loop instruction if necessary): 6. What is the decimal value of ecx at position 0x93? Explain how it changed: 7. At position 0x94, esp is moved into ebp so that ebp can be used to reference data that is pushed onto the stack. Use the table on the page following question 17 to record changes to the stack, grouping items as appropriate. You may want to avoid recording data that is pushed onto the stack immediately before a function call since the functions used in Slammer use the stdcall calling convention, i.e., they remove the parameters from the stack upon completion. The first few values have already been entered. Remember the stack grows toward low memory (up the page), and functions typically place return values in the eax register. At some memory locations, it will be possible to provide a description of the data, but it will not be possible to determine the byte values without executing the code. 8. What is ecx used for at location.text: ? 3

4 9. Describe the purpose of the following sequence of instructions that start at location.text:000000b6: mov cx, 6C6Ch, push ecx, push 642E3233h, push 5F327377h: 10. What libraries (DLLs) does Slammer use? 11. Which functions are used from each DLL? 12. To find function addresses, Slammer uses a two-step procedure that is commonly used by malware. Basically, the LoadLibrary function is called to map a specified executable module (DLL) into the address space of the calling process (a handle to the module is returned). Then the GetProcAddress function is used to return the address of a specified exported DLL function. The definition for each function is given below (it is not necessary to understand the specifics of the data types, but rather to understand the text description provided). HINSTANCE LoadLibrary( LPCTSTR lplibfilename // address of DLL module filename Given the name of a DLL (actually, a pointer to the string), LoadLibrary returns the base address (starting address) of the DLL. FARPROC GetProcAddress( HMODULE hmodule LPCSTR lpprocname // handle to DLL module // name of function Given the base address of the DLL module (as returned by LoadLibrary) and the name of a function (pointer to the string), GetProcAddress returns the address of the function. 4

5 Given this information, what does Slammer use as the address of LoadLibrary? The coder would have originally determined this value by looking at the Import Address Table of sqlsort.dll (a DLL used by the SQL Server). The Slammer coder uses one of two possible addresses for GetProcAddress. What are the addresses? Explain how the correct address is identified. 13. The function GetProcAddress is called at location.text: What function is called at location.text: ? Retrace the sequence of instructions (stack manipulation) that tells you this. 14. What function is called at location.text: b? Use the function definitions given in the Material section at the beginning of the exercise and refer to WINSOCK2.H (available on your system) to provide meaningful definitions for the integers passed to the function: 15. The loop that generates random IP addresses starts at instruction 0x142. (The value of ebx is set prior to entering the loop.) a. Which instruction initially accesses the seed generated by GetTickCount: 5

6 b. What is the value of ecx after the instruction: lea ecx,[eax+eax*2]? c. What is the value of eax after the instruction: lea eax,[eax+edx*4]? d. The seed generated by GetTickCount is only used once (otherwise, the same IP address would be repeatedly generated). What is used in place of the GetTickCount seed in subsequent iterations of the loop? 16. What function is called at location.text: ? Refer to the function definitions provided in the Materials section. Identify the parameters that are passed, providing explicit values if possible, and otherwise referencing their stack addresses: 17. Shell code like Slammer cannot be run directly (i.e., it is not in PE format). Can you think of any methods that one could dynamically analyze the code? This topic will be addressed in the next section. 6

7 Table: The Stack of Slammer Note the addresses provided in the left most column indicate that the empty boxes in the Byte Value column do not necessarily contain the same number of bytes. They may contain 8, 12, or 16 bytes. Address Byte Value String/Description ebp-54h ebp-50h ebp-4ch ebp-48h ebp-44h ebp-40h ebp-3ch ebp-34h ebp-2ch ebp -20h ebp-10h 6B E 2E 64 6C 6C EBP XX XX XX XX 65 6C DC C9 B0 42 XX XX XX XX kernel32.dll push 0x push 42B0C9DCh rest of Slammer payload 7