Binary Variable Learner and Apache exploits
Sung Kim, MIT
Apache Exploits
http://localhost/re/ldap://local/dn?attributes?scope?filter?extenslsions
http://localhost/re/ldap://local/dn?attributes?scope?filter?extenslsions?ext
Apache Exploits
http://.../ldap://local/dn?attributes?scope?filter?extenslsions?ext
    static char *escape_absolute_uri(char *, unsigned int) {
        …
        if (!strncasecmp(uri, "ldap", 4)) {
            int c = 0;
            char *token[5];
            token[0] = cp = apr_pstrdup(p, cp);
            while (*cp && c < 5) {
                if (*cp == '?') {
                    token[++c] = cp + 1;
                    *cp = '\0';
                }
                ++cp;
            }
Binary Variable
    loop:
        jge end_loop
        mov ecx, dword ptr [ebp-18h]
        mov dword ptr [ebp+ecx*4-14h], eax
        jmp loop
    end_loop:
        push offset buf_over! (00409a38)
Binary Variable
[Figure labels: Base, Source, Index, Offset]
Community Learning
[Figure labels: Apache, CMS, Apache, Apache, …]
Invariants
..escape_absolute_uri(char *, unsigned int):::ENTER_4010A5
binary_var <= 4
binary_var >= 1
Patch (Manual)
Conclusions
Implemented preliminary binary variable learning (BVL)
Generated valid invariants
Applied BVL to Apache and its exploits
Showed the (manual) patch can prevent the exploit
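As an added example (not from the slides or from Apache's source), the C below counts the highest token[] index the slide's loop would store to for the two URLs shown earlier, then performs the same split with the loop guard tightened so the index stays within the learned invariant 1..4. Reading binary_var as that store index is an assumption, as are the function names.

```c
#include <string.h>

#define NTOKENS 5 /* size of token[] in the slide's snippet */

/* Highest token[] index the slide's loop (guard: c < 5) would store to for
 * this input. Counts only; nothing is written. */
int slide_loop_max_index(const char *s)
{
    int c = 0;
    while (*s && c < 5) {
        if (*s == '?')
            ++c; /* the slide's code stores token[++c] here */
        ++s;
    }
    return c;
}

/* Same split with the guard tightened so the stored index stays in 1..4
 * (hypothetical helper). Splits s in place on '?'; any text after the
 * fourth '?' stays inside token[4]. Returns the highest index written. */
int split_ldap_tokens(char *s, char *token[NTOKENS])
{
    int c = 0;
    char *cp = s;
    token[0] = cp;
    while (*cp && c < NTOKENS - 1) {
        if (*cp == '?') {
            token[++c] = cp + 1;
            *cp = '\0';
        }
        ++cp;
    }
    return c;
}

/* The two LDAP strings from the slides, copied into writable buffers. */
int main(void)
{
    char a[] = "ldap://local/dn?attributes?scope?filter?extenslsions";
    char b[] = "ldap://local/dn?attributes?scope?filter?extenslsions?ext";
    char *tok[NTOKENS];
    int ok = slide_loop_max_index(a) == 4 && slide_loop_max_index(b) == 5
          && split_ldap_tokens(a, tok) == 4 && split_ldap_tokens(b, tok) == 4
          && strcmp(tok[4], "extenslsions?ext") == 0;
    return ok ? 0 : 1;
}
```

An index of 5 for the second string is one past the end of the five-element array, which is the case the `binary_var <= 4` invariant flags.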