Last week was Microsoft Patch Tuesday, and for once it actually affected me directly. The team I am part of at my new employer is responsible for reversing out patches such as these, determining the vulnerability that was patched, and developing ways to exploit or otherwise attack the software. From the advisories that were released, I ended up with ms07-055 which detailed a stack overflow in the Kodak Image Viewer which was used as the default image handling application on Windows 2000 systems. After spending most of Tuesday setting up VMWare and installing some tools like IDA Pro and BinDiff, I was able to get started.
With a little help from a friend online, I was able to determine how to trigger the bug and started working on an exploit for it. In a nutshell, when the application parses a TIFF image file, you can create some malicious internal data structures that cause it to start parsing arbitrary data at a location that you specify when it’s expecting particular formatted values, which will then overflow a buffer and wipe out the call stack. With a little bit of stack repair in your overflow payload you can get the function that was executing to return to your shellcode via a supplied return address placed in the repaired stack and thus gain code execution. There’s a slightly more technical write-up with pretty pictures at our group’s blog, the BreakingPoint Strike Center, which also details the three different ways I found to evade some of the network monitoring devices that claim to detect or block network traffic exploiting this vulnerability.
Anyhow, this was probably my first overflow based exploit that I’ve written in easily 5 or 6 years, and although it was a fairly straight forward and simple one, it was good to get back into the exploitation game. The exploit I developed and IPS/IDS evasions I identified culminated into 8 different “strikes” for the company’s product, so I’d say it was a productive couple days of effort.