Binary Variable Learner and Apache exploits
Apache Exploits
http://localhost/re/ldap://local/dn?attributes?scope?filter?extenslsions
http://localhost/re/ldap://local/dn?attributes?scope?filter?extenslsions?ext
http://.../ldap://local/dn?attributes?scope?filter?extenslsions?ext
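```c
static char *escape_absolute_uri(char *, unsigned int) {
…
if (!strncasecmp(uri, "ldap", 4)) {
    int c = 0;
    char *token[5];               /* valid indices are 0..4 */

    token[0] = cp = apr_pstrdup(p, cp);
    while (*cp && c < 5) {        /* still runs when c == 4 */
        if (*cp == '?') {
            token[++c] = cp + 1;  /* c == 4 here stores to token[5], one past the end */
            *cp = '\0';
        }
        ++cp;
    }
```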
Binary Variable
```
loop:
    jge end_loop
    mov ecx, dword ptr [ebp-18h]
    mov dword ptr [ebp+ecx*4-14h], eax
    jmp loop
end_loop:
    push offset buf_over! (00409a38)
```
[Diagram labels: Base, Source, Index, Offset]
Community Learning
[Diagram labels: Apache (several instances), CMS, Invariants]
Invariants
```
..escape_absolute_uri(char *, unsigned int):::ENTER_4010A5
binary_var <= 4
binary_var >= 1
```
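The learned invariant (1 <= binary_var <= 4) bounds the index used by the store into `token[]`. The following is an added example, not code from the slides or from Apache: it replays the slide's loop condition to show which index it would reach, then applies the invariant as a runtime check before each store. The function names, the reject-on-violation policy and the two input strings (constructed from the slide URLs) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NTOKENS 5 /* token[5] on the slide: valid indices are 0..4 */

/* Replays the slide's loop condition without storing anything and returns
 * the highest index it would write; 5 means a store to token[5]. */
int highest_index_unchecked(const char *uri)
{
    int c = 0;
    for (const char *cp = uri; *cp && c < 5; ++cp)
        if (*cp == '?')
            ++c;
    return c;
}

/* Same loop, with the learned invariant (1 <= index <= 4) checked before
 * each store. Splits buf in place; returns the field count, or -1 if the
 * invariant would be violated (hypothetical reject policy). */
int split_ldap_checked(char *buf, char *token[NTOKENS])
{
    int c = 0;
    char *cp = buf;
    token[0] = cp;
    while (*cp && c < 5) {
        if (*cp == '?') {
            int idx = c + 1;
            if (idx < 1 || idx > NTOKENS - 1)
                return -1;
            token[idx] = cp + 1;
            c = idx;
            *cp = '\0';
        }
        ++cp;
    }
    return c + 1;
}

int main(void)
{
    /* Constructed inputs modelled on the two URLs shown on the slides. */
    char ok[]  = "ldap://local/dn?attributes?scope?filter?extensions";
    char bad[] = "ldap://local/dn?attributes?scope?filter?extensions?ext";
    char *token[NTOKENS];
    printf("unchecked: %d %d\n", highest_index_unchecked(ok), highest_index_unchecked(bad));
    printf("checked:   %d ", split_ldap_checked(ok, token));
    printf("%d\n", split_ldap_checked(bad, token));
    return 0;
}
```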
Patch (Manual)
Conclusions
- Implemented preliminary binary variable learning (BVL)
- Generated valid invariants
- Applied BVL to Apache and its exploits
- Showed the (manual) patch can prevent the exploit