!exploitable Crash Analyzer - MSEC Debugger Extensions

New Post: Arguments to debugWrapper script

heykart — Mon, 21 Nov 2011 22:07:02 GMT

Hi, I think the debugWrapper script is going to be useful to me. Would anyone be able to explain these two parameters to the script?

@REM ^%~2 = command line arguments including tempate name if needed. I.E. "/C:search" TemplateFile.txt
@REM ^%~3 = Temple file to process.

What is a template file supposed to be, and which parameter number should it be? Which parameter number should the input file, that causes an application crash, be? I'm a bit confusion by the repetition of "template" in parameters 2 and 3.

Thanks for the help!

New Post: Some documentation on the tool

tosanjay — Tue, 21 Dec 2010 15:46:25 GMT

Hi,

In the introduction to the tool, it is mentioned that more details are provided in the following .pptx file, but I could not get any file. I am looking for details on how this tools classifies the vulnerability as highly/less exploitable i.e. what are the parameters that are considered. Pointer to any articles or blog entries are appreciated.

thanks & regards

-sanjay

New Post: Can't build 64bit msec.dll under .NET 4

puckaby — Wed, 17 Nov 2010 07:53:53 GMT

I get this error when trying to load MSECDbgExts64 in Visual C++ 2008 express :

The project consists entirely of configurations that require support for platforms which are not installed on this machine.

I think it has something to do with the latest version of the windbg SDK for win 7 and .NET framework 4. Any thoughts? Has anyone tried this and have it work?

I was able to build MSECDbgExts32 but that dll isn't compatible with the 64bit version of the debugger I installed on my OS (win 7 home premium).

Thanks!

EDIT: Never mind, I saw the readme caveat that that express edition of C++ won't work for the 64bit.

Updated Release: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

jasoshi — Fri, 13 Aug 2010 00:30:11 GMT

New MSECExtensions bits, changelog below:

1.0.1 Updates:

A bug that resulted in overtainting H or L registers has been fixed.
Initial External Release: March, 2009

1.0.2 Updates:

When loading user mode mini-dumps, the Gather rule now correctly sets the stack context.

1.0.3 Updates:

New state and gather functionality and analyze rules to identify exceptions where the faulting address is on the stack.
Hashes are fixed at 32 bit display (8 hex characters) and code locations are fixed at 64 bit display (16 hex characters).
Added support for the REP SCAS instruction in the disassembler
Fixed a serious bug in the wildcard match function, which would result in anything that matched up to the first wildcard matching the entire string
Fixed a bug in which the destination pointer registers were not being set to the tainted value set for Write AVs that required taint analysis
Fixed bugs in the distinction between source and data registers for taint tracking in some rep instructions

1.0.4 Updates:

Fixed a reporting and analysis bug, in which we change the faulting instruction as well as the invoking function when we skip excluded stack frames

1.0.5 Updates:

Updates to the excluded symbols list
Handle POP instructions that pop to memory
Handle PUSH instructions that push to memory
Treat POP instructions to memory the same as MOV instructions to memory

1.0.6 Updates:

External Release: June, 2009

Released: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

Fri, 13 Aug 2010 00:30:11 GMT

Source code checked in, #52406

_TFSSERVICE — Tue, 20 Jul 2010 20:45:25 GMT

Checked in by server upgrade

New Post: Major/Minor hash

thebogman87 — Tue, 13 Jul 2010 14:15:07 GMT

I'm a little confused about this major and minor hash. Why does it look like a memory address? What exactly is being hashed? And what's the difference between major and minor?

New Post: How to compile windbg extension code for windows device driver using DDK.

rajdesire — Wed, 03 Mar 2010 12:48:31 GMT

Hi All,

I am facing problem, while I am writting and compiling code for windbg. I am new to windbg extension code writting.

I need to know basic steps to compile code using DDK.

If anyone have some good example of it, pl. share with me. My id is callforkumar@yahoo.com.

Regards,

Raj

New Post: Installing/Running/Using - How?

DaveWeinstein — Mon, 20 Jul 2009 17:40:07 GMT

Hi tsp,

You issue that command from inside WinDbg.

In answer to your other question, the only tool you need to use !exploitable is the Windows Debugger (WinDbg or the command line equivalents).

--Dave

New Post: Installing/Running/Using - How?

tsp — Fri, 17 Jul 2009 17:50:09 GMT

Hi Dave,

I went through readme and it says to use !load winext\MSEC.dll to load !exploitable to windbg. I have no clue from where I should initiate this command. Readme appears to be very high level document to me. Can you explain how to load this dll to windbg? Also, Can I use Vista to load w2k3 symbols to read crash dump on Windows 2003? Do we require VC2008 ++ to use !exploitable?

TIA

New Post: Is /GS violation really exploitable?

DaveWeinstein — Mon, 13 Jul 2009 23:31:10 GMT

Hi Jim,

The /GS stack protection is considered defense in depth. It is bad practice to depend on defense in depth mechanisms, because that removes the "in depth". Compile them in, turn them on, but don't allow their existence to be used as a rationale for leaving vulnerable code in place.

To use an analogy, the fact that I have airbags in my car does not mean I shouldn't worry about the fact that my brakes don't work.

In the case of a /GS violation, we know that there is an unconstrained (or improperly constrained) copy onto the stack. If the state of the art is such that an attacker is able to evade the version of /GS that the application was compiled against, then the attacker has the ability to get remote execution of code.

Regards,

--Dave

New Post: Installing/Running/Using - How?

DaveWeinstein — Mon, 13 Jul 2009 23:26:42 GMT

Hi Gunny,

The compiled debugger extensions are actually a DLL, which is loaded into the Windows Debugger (WinDbg). You can find instructions on how to use it in the readme file included in the package.

--Dave

New Post: Is /GS violation really exploitable?

jvonder — Fri, 10 Jul 2009 20:39:28 GMT

I fuzzed a network application, and !exploitable gave me this analysis of the crash dump:

Exploitability Classification: EXPLOITABLE

Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at

An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.

My questions is: If this was detected by the /GS stack protection, then is it really exploitable? Isn't GS doing its job, and preventing this from being exploitable?

Thanks!

Jim

New Post: Installing/Running/Using - How?

tahilg — Wed, 24 Jun 2009 01:59:55 GMT

I have downloaded the MSEC Debugger Extensins 1.0.6 package, but it contains no executables (.exe) files in it.

How do I install or run or use it?

Regards,

Gunny

Updated Wiki: Home

jasoshi — Tue, 23 Jun 2009 16:57:13 GMT

Project Description
!exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.

This tool was created by the Microsoft Security Engineering Center (MSEC) Security Science Team. For more information on MSEC and the Security Science team, please visit http://www.microsoft.com/security/msec. To see what's being worked on presently, visit the Security Research and Development blog at http://blogs.technet.com/srd/.

New bits posted on 6/17, changelog below:

1.0.1 Updates:

A bug that resulted in overtainting H or L registers has been fixed.
Initial External Release: March, 2009

1.0.2 Updates:

When loading user mode mini-dumps, the Gather rule now correctly sets the stack context.

1.0.3 Updates:

New state and gather functionality and analyze rules to identify exceptions where the faulting address is on the stack.
Hashes are fixed at 32 bit display (8 hex characters) and code locations are fixed at 64 bit display (16 hex characters).
Added support for the REP SCAS instruction in the disassembler
Fixed a serious bug in the wildcard match function, which would result in anything that matched up to the first wildcard matching the entire string
Fixed a bug in which the destination pointer registers were not being set to the tainted value set for Write AVs that required taint analysis
Fixed bugs in the distinction between source and data registers for taint tracking in some rep instructions

1.0.4 Updates:

Fixed a reporting and analysis bug, in which we change the faulting instruction as well as the invoking function when we skip excluded stack frames

1.0.5 Updates:

Updates to the excluded symbols list
Handle POP instructions that pop to memory
Handle PUSH instructions that push to memory
Treat POP instructions to memory the same as MOV instructions to memory

1.0.6 Updates:

External Release: June, 2009

New Post: Command options for !exploitable

jasoshi — Fri, 19 Jun 2009 18:25:46 GMT

Sumit,

Sorry for the long delay, I've got a batch file for you though, just take the below, throw it in notepad, and then save it as a .bat. Let us know if you have any questions.

Cheers,

Jason

Code begins==>

@echo off
setlocal ENABLEEXTENSIONS
@REM get local Path of script
for /F %%I in ("%0") do set localDir=%%~dpI

@REM Check for MSEC.dll in current directory, and in script directory
if not exist .\msec.dll (
	if not exist %localDir%\msec.dll (
		echo.
		echo MSEC.dll not in current directory, please copy MSEC.dll locally and 
		echo rerun classify.bat.
		echo.
		goto error
	) else (
		set msecPath=%localdir%\msec.dll
	)
) else (
	set msecPath=.\msec.dll
)

@REM Check that cdb.exe is in the path or local directory
WHERE /Q cdb.exe
IF  ERRORLEVEL 1 (
    echo.
    echo cdb.exe was not found in the local directory or path
    echo.
    goto error
  )

@REM Validate First Parameter 
if /i "%~1" EQU "" goto Usage
if /i "%~1" EQU "/?" goto Usage
if /i "%~1" EQU "-?" goto Usage
if /i "%~1" EQU "/help" goto Usage
if /i "%~1" EQU "-help" goto Usage
if not exit "%~1" (
	echo.
    echo "%~1" could not be found.
    echo.
    goto error
)

@REM Validate second Parameter
if /i "%~2" EQU "" goto Usage
if exist "%~2" (
  dir /a:d "%~2" > nul
  IF  ERRORLEVEL 1 (
    echo.
    echo "%~2" is a file, the second paremeter should be a directory
    echo.
    goto error
  )
)

@REM ERROR Checking Is Over
set Hash=
set Type=
set Exploitability=
set tempLog=.\ExploitableLog-%random%.Log

cdb -z "%~1" -a%msecPath% -c ".symfix+; .reload; .logopen \"%tempLog%\";!exploitable -m;.logclose;q"

for /f "tokens=1* delims=:" %%a in (%tempLog%) do (
	for /f "tokens=1*" %%c in ("%%b") do (
	   if /i "%%a" EQU "MAJOR_HASH" set MajorHash=%%c
	   if /i "%%a" EQU "MINOR_HASH" set MinorHash=%%c
	   if /i "%%a" EQU "SHORT_DESCRIPTION" set Type=%%c
	   if /i "%%a" EQU "CLASSIFICATION" set Exploitability=%%c
	)
)

set ResultDir=%~2\%CrashDir%\%Exploitability%\%type%\%MajorHash%\%MinorHash%
md "%ResultDir%"
copy /b /y "%~1" "%ResultDir%"
copy /b /y %tempLog% "%ResultDir%"
del /q %tempLog%
goto end

:usage
Echo classify.bat ^ ^
echo.
echo Classify.bat will place the specified dump and log into a directory structure as follows:
echo.
echo ^\^\^\^
echo.
echo Examples:
echo ^\EXPLOITABLE\WriteAV\0x6e05193a\0x7505193a
echo ^\PROBABLY_EXPLOITABLE\TaintedDataControlsCodeFlow\0x6e05193a\0x7505193a
echo ^\UNKNOWN\PossibleStackCorruption\0x6e05193a\0x7505193a
echo.
echo Classify.bat requires MSEC.dll to be in the current directory and cdb to be 
echo in the path.
echo.
echo To easily run classify.bat against a set of dumps try the following command:
echo.
echo for /R . ^%%a in (*.dmp) do classify.bat ^%%a C:\Crashes
echo.
goto error
:error
exit /b 1
:end
exit /b 0

Updated Wiki: Home

jasoshi — Wed, 17 Jun 2009 19:12:14 GMT

Project Description
!exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx.

This tool was created by the Microsoft Security Engineering Center (MSEC) Security Science Team. For more information on MSEC and the Security Science team, please visit http://www.microsoft.com/security/msec. To see what's being worked on presently, visit the Security Research and Development blog at http://blogs.technet.com/srd/.

New bits posted on 6/17, changelog below:

1.0.1 Updates:

A bug that resulted in overtainting H or L registers has been fixed.
Initial External Release: March, 2009

1.0.2 Updates:

When loading user mode mini-dumps, the Gather rule now correctly sets the stack context.

1.0.3 Updates:

New state and gather functionality and analyze rules to identify exceptions where the faulting address is on the stack.
Hashes are fixed at 32 bit display (8 hex characters) and code locations are fixed at 64 bit display (16 hex characters).
Added support for the REP SCAS instruction in the disassembler
Fixed a serious bug in the wildcard match function, which would result in anything that matched up to the first wildcard matching the entire string
Fixed a bug in which the destination pointer registers were not being set to the tainted value set for Write AVs that required taint analysis
Fixed bugs in the distinction between source and data registers for taint tracking in some rep instructions

1.0.4 Updates:

Fixed a reporting and analysis bug, in which we change the faulting instruction as well as the invoking function when we skip excluded stack frames

1.0.5 Updates:

Updates to the excluded symbols list
Handle POP instructions that pop to memory
Handle PUSH instructions that push to memory
Treat POP instructions to memory the same as MOV instructions to memory

1.0.6 Updates:

External Release: June, 2009

Updated Release: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

jasoshi — Wed, 17 Jun 2009 19:11:35 GMT

Released: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

Wed, 17 Jun 2009 19:11:35 GMT

Created Release: MSEC Debugger Extensions v1.0.6 (Jun 17, 2009)

jasoshi — Wed, 17 Jun 2009 19:11:14 GMT