GDI Font Fuzzing in Windows Kernel For Fun
-
Upload
michelemanzotti -
Category
Technology
-
view
1.986 -
download
4
description
Transcript of GDI Font Fuzzing in Windows Kernel For Fun
![Page 1: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/1.jpg)
GDI Font Fuzzing in Windows Kernel for FunKernel for Fun
Lee Ling Chuan & Chan Lee Yee
Ministry of Science,Technology and Innovation
![Page 2: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/2.jpg)
AgendaAgenda• Introduction
• TrueType Font (.TTF)
• TTF Fuzzer
• Exploit Demonstration – MS11‐087
• Microsoft Windows Bitmapped font ( fon)Microsoft Windows Bitmapped font (.fon)
• FON Fuzzer (by Byoungyoung Lee) with some
modificationmodification
• Exploit Demonstration – MS11‐077
3/16/2012 2
![Page 3: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/3.jpg)
IntroductionIntroduction
• Two groups of categories are exist:o g oups o catego es a e e st:a. GDI Fontsb. Device Fontsb. Device Fonts
• GDI fonts which are based in Windows consists of three types:ypa. rasterb. Vectorc. TrueType & OpenType
Reference: http://msdn microsoft com/en us/library/dd162893(v=vs 85) aspxReference: http://msdn.microsoft.com/en‐us/library/dd162893(v=vs.85).aspx
3/16/2012 3
![Page 4: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/4.jpg)
Introduction…Introduction…
• Raster fonts: a glyph is a bitmap that uses toRaster fonts: a glyph is a bitmap that uses to draw a single character in the font
• Vector fonts: a glyph is a collection of line• Vector fonts: a glyph is a collection of line endpoints that define the line segments and uses to draw a character in the fontuses to draw a character in the font
• TrueType & OpenType fonts: a glyph is a ll i f li d d llcollection of line and curve commands as well
as a collection of hints
3/16/2012 4
![Page 5: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/5.jpg)
TrueType Fonts (.TTF)TrueType Fonts (.TTF)
• TrueType font file contains data, in tableTrueType font file contains data, in table format, that compromises an outline font
• The outlines of glyphs in TrueType fonts areThe outlines of glyphs in TrueType fonts are made of straight line segments and quadratic Bézier curves
• The Windows scale these fonts to any size using the hints inside the TTF file.
• Hints included in TTF files and are used to correct oversights
3/16/2012 5
![Page 6: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/6.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
• TTF table is designed to keep the entire glyphTTF table is designed to keep the entire glyph data in various table:
a EBDT: Embedded Bitmap Data Tablea. EBDT: Embedded Bitmap Data Table
b. EBLC: Embedded Bitmap Location Table
EBSC E b dd d Bit S li T blc. EBSC: Embedded Bitmap Scaling Table
• The rasterizer uses combination of data from diff t t d th l h d t i th f tdifferents to render the glyph data in the font
R f T T 1 0 F Fil T h i l S ifi i R i i 1 66 A 1995 Mi fReference: TrueType 1.0 Font File, Technical Specification Revision 1.66 August 1995 Microsoft
3/16/2012 6
![Page 7: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/7.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
• TrueType embedded bitmaps are also calledTrueType embedded bitmaps are also called ‘scaler bitmaps’ or ‘sbits’
• A set of bitmaps for a face at a given size is• A set of bitmaps for a face at a given size is called a strike
3/16/2012 7
![Page 8: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/8.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
TTF Font Structure
3/16/2012 8
.TTF Font Structure
![Page 9: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/9.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
• EBDT – Embedded Bitmap Data Table:EBDT Embedded Bitmap Data Table:
a. EBDT table stores the glyph bitmap data.
b h ‘ ’ bl b i i h h db. The ‘EBDT’ table begins with a header
containing simply the table version number
c. The rest of the ‘EBDT’ table is a collection of
bitmap databitmap data
3/16/2012 9
![Page 10: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/10.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
EBDT Table Structure
3/16/2012 10
EBDT Table Structure
![Page 11: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/11.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
• EBLC – Embedded Bitmap Location Table:a. The ‘EBLC’ table identifies the sizes and glyph
range of the sbits, and keeps offsets to glyph bit d t i i d S bT blbitmap data in indexSubTables
b. The ‘EBLC’ table begins with a header (eblcHeader) containing the table version and(eblcHeader) containing the table version and number of strikes.
c. The eblcHeader is followed by the bitmapSizeTable array(s)
d. Each strike is defined by one bitmapSizeTable
3/16/2012 11
![Page 12: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/12.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
3/16/2012 12
EBLC Table Structure
![Page 13: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/13.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
• EBSC – Embedded Bitmap Scaling Table:p ga. The ‘EBSC’ table allows a font to define a
bitmap strike as a scaled version of another strikeb. The table begins with a header (ebscHeader)
containing the table version and number of strikesc. The ebscHeader is followed immediately by the
bitmapScaleTable array. The numSizes in the b H d i di t th b febscHeader indicates the number of bitmapScaleTables in the array
d Each strike is defined by one bitmapScaleTabled. Each strike is defined by one bitmapScaleTable
3/16/2012 13
![Page 14: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/14.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
3/16/2012 14
EBSC Table Structure
![Page 15: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/15.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…• Glyph Data (glyf)a This table contains information thata. This table contains information that describes the glyphs in the font
b. Table provides instructions for each of the following tasks:‐ Pushing data onto the interpreter stackmanaging the Storage Area‐managing the Storage Area
‐managing the Control Value Table‐modifying Graphics State settingsy g p g‐Managing outlines‐ General purpose instructions
3/16/2012 15
![Page 16: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/16.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…• TrueType instructions are uniquely specified by th i dtheir opcodes.
GLYFDirectoryEntry ‐>
DataGLYFData[x+1]‐>
SimpleGLYFData[x]‐> instructions
• Examples: Pushing data onto the interpreter stack– function[0xB0]: itrp_PUSHB1p_
– function[0xB8]: itrp_PUSHW1
3/16/2012 16
![Page 17: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/17.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…• Examples: Managing the flow of control
f ti [0 1C] it JMPR‐ function[0x1C]: itrp_JMPR‐ function[0x1F]: itrp_LSW‐ function[0x78]: itrp JROTfunction[0x78]: itrp_JROT
• Examples: Managing the stack‐ function[0x20]: itrp_DUP‐ function[0x23]: itrp_SWAP
• Examples: Managing the Storage Areafunction[0x43]: itrp RS‐ function[0x43]: itrp_RS
‐ function[0x42]: itrp_WS
3/16/2012 17
![Page 18: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/18.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
• Examples: Managing the Control Value Table‐ function[0x44]: itrp_WCVT‐ function[0x45]: itrp_RCVT
• Examples: Managing the Graphics State• Examples: Managing the Graphics State‐ function[0x4D]: itrp_FLIPON‐ function[0x4E]: itrp_FLIPOFF
• Examples: Arithmetic Functions‐ function[0x60]: itrp_ADD‐ function[0x61]: itrp SUBfunction[0x61]: itrp_SUB
Reference: Chapter Appendix B, TrueType 1.0 Font File, Technical Specification Revision 1.66 August 1995 Microsoft
3/16/2012 18
![Page 19: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/19.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
• Important info (1) in exploitation:Important info (1) in exploitation:
structure fnt_GlobalGraphicStateType{
stackBase; /*the stack areastackBase; / the stack area
store; /*the storage area
controlValueTable; /*the control value table
……
int8 non90DegreeTransformation /*bit0: 1 if non‐90 degree
/*bit 1:1 if x scale not equal y scale
……
unit16 cvtCount;
} fnt_GlobalGraphicStateType;
3/16/2012 19
![Page 20: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/20.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
• Important info (2) in exploitation:p ( ) p‐ function ‘itrp_InnerExecute’ as the disassembler engine to process Glyph Data and map to correct TrueType instructionsTrueType instructions
• fnt_GlobalGraphicStateType:+0 : stackBase+0 : stackBase+4: store+8: controlValueTable+8: controlValueTable+90h: non90DegreeTransformation+134h: cvtCount
3/16/2012 20
![Page 21: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/21.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
3/16/2012 21
The TrueType Instruction Set
![Page 22: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/22.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
itrp_InnerExecute
3/16/2012 22
Glyph data in hexadicimal format
![Page 23: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/23.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
itrp_InnerExecute
3/16/2012 23
Glyph data in hexadicimal format
![Page 24: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/24.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
itrp_InnerExecute
;Function[0xB0]: itrp_PUSHB1;’00’ is parameter of the instruction
3/16/2012 24
Glyph data in hexadicimal format
![Page 25: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/25.jpg)
TrueType Fonts (.TTF)…TrueType Fonts (.TTF)…
itrp_PUSHB1
;ecx: parameter ‘00’;esi: pointer structure fnt_GlobalGraphicStateType+0
3/16/2012 25
Glyph data in hexadicimal format
![Page 26: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/26.jpg)
TTF FuzzerTTF Fuzzer• TTF font fuzzer is created to fuzz the TTF font into different sizes
• In GDI, we can create a font by:a. filling in a LOGFONT structure b. calling ‘CreateFontIndirect’ which returns a font handle (HFONT) W k ith f t t l l l th h f tc. Work with fonts at a lower level through font
APIs: GetFontData, GetGlyphIndices, ExtTextOut with ETO_GLYPH_INDEX flag_ _ g
Reference: http://blogs.msdn.com/b/text/archive/2009/04/15/introducing‐the‐directwrite‐font‐system.aspx
3/16/2012 26
![Page 27: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/27.jpg)
TTF FuzzerTTF Fuzzer• The overall process of the fuzzer:a automating the installation of the crafteda. automating the installation of the crafted font in ‘C:\WINDOWS\Fonts’ folderh dll d dd (f l )htr=windll.gdi32.AddFontResourceExA(fileFont, FR_PRIVATE, None)
b. Register a window class and creating a new window to automate the display of the fontwindow to automate the display of the font text in a range of font sizec Remove the fonts in ‘C:\WINDOWS\Fonts’c. Remove the fonts in C:\WINDOWS\Fonts folderwindll.gdi32.RemoveFontResourceExW(fileFont, FR PRIVATE, None)windll.gdi32.RemoveFontResourceExW(fileFont, FR_PRIVATE, None)
3/16/2012 27
![Page 28: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/28.jpg)
TTF FuzzerTTF Fuzzer• A range of font size
lf=win32gui.LOGFONT()for fontsize in range (0, 100, 1):
lf.lfHeight=fontsizelf.lfFaceName="Dexter"lf lf d hlf.lfWidth=0lf.lfEscapement=0lf.lfOrientation=0lf lfWeight=FW NORMALlf.lfWeight=FW_NORMALlf.lfItalic=Falself.lfUnderline=Falself lfStrikeOut=Falself.lfStrikeOut Falself.lfCharSet=DEFAULT_CHARSETlf.lfOutPrecision=OUT_DEFAULT_PRECISlf.lfClipPrecision=CLIP_DEFAULT_PRECISf f p _ _lf.lfPitchAndFamily=DEFAULT_PITCH|FF_DONTCARE
3/16/2012 28
![Page 29: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/29.jpg)
TTF FuzzerTTF Fuzzer• Calling physical font APIs and display the font textfont text
windll.gdi32.ExtTextOutW(windll.gdi32.ExtTextOutW(hdc,5,55,ETO_GLYPH_INDEX,None,var1var1,len(var1),None)
3/16/2012 29
![Page 30: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/30.jpg)
TTF FuzzerTTF Fuzzer
3/16/2012 30
![Page 31: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/31.jpg)
Exploit MS11‐087Exploit MS11 087
3/16/2012 31
![Page 32: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/32.jpg)
Exploit MS11‐087Exploit MS11 087Name Value Description
EBSC.bitmapScaleTable[0].ppemX 0x004 Target horizontal pixels per Em
EBSC.bitmapScaleTable[0].ppemY 0x004 Target vertical pixels per Em
EBLC.bitmapSizeTable[5].ppemX 0x001 Horizontal pixels per Em
EBLC bit Si T bl [5] Y 0 001 V ti l i l EEBLC.bitmapSizeTable[5].ppemY 0x001 Vertical pixels per Em
EBDT.bitmapData.EbdtFormat8[11].smallMetrics.height
0x001 Number of rows of data
EBDT.bitmapData.EbdtFormat8[11].smallMetrics.width
0x0ff Number of columns of data
EBDT.bitmapData.EbdtFormat8[11]. 0x040 Position of component leftebdtComponent[0].xOffset
EBDT.bitmapData.EbdtFormat8[11].ebdtComponent[0].yOffset
0x052 Position of component top
Important info in exploitation3/16/2012 32
![Page 33: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/33.jpg)
Exploit MS11‐087Exploit MS11 087• usScaleWidth
=(EBLC.ppemX+((EBSC.ppemX*2)*
EBDT.width))/(2*EBLC.ppemX)EBDT.width))/(2 EBLC.ppemX)
=(0x001+((0x004*2)*0x0ff))/(2*0x001)
(0 001 0 7F8)/(0 002)= (0x001+0x7F8)/(0x002)
= 0x03FC
3/16/2012 33
![Page 34: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/34.jpg)
Exploit MS11‐087Exploit MS11 087
• usScaleHeight =usScaleHeight = (EBLC.ppemY+((EBSC.ppemY*2)*EBDT.height))/(2*EBLC ppemY)/(2 EBLC.ppemY)
=(0x001+0x008)/(0x002)
0 0004= 0x0004
3/16/2012 34
![Page 35: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/35.jpg)
Exploit MS11‐087Exploit MS11 087
• usScaleRowBytesusScaleRowBytes
=((usScaledWidth+0x1F)>>3)&(0xFFFC)
((0 03 C 0 ) 3)& (0 C)= ((0x03FC+0x1F)>>3)& (0xFFFC)
= (0x85)&(0xFFFC)
= 0x80
3/16/2012 35
![Page 36: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/36.jpg)
Exploit MS11‐087Exploit MS11 087
• usOriginalRowBytesusOriginalRowBytes
= ((EBDT.width+0x1F)>>3)&(0xFFFC)
((0 0 0 ) 3)&(0 C)= ((0x0FF+0x1F)>>3)&(0xFFFC)
= 0x20
3/16/2012 36
![Page 37: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/37.jpg)
Exploit MS11‐087Exploit MS11 087
• Byte of scaling bitmap dataByte of scaling bitmap data=usScaleHeight*usScaleRowBytes= 0x004*0x080= 0x004 0x080= 0x200
R i d b t f li bit d t ff t• Required byte of scaling bitmap data offset= (EBDT.yOffset)*(usOriginalRowBytes)= 0x52*0x20= 0x0A40
3/16/2012 37
![Page 38: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/38.jpg)
Exploit MS11‐087Exploit MS11 087structure fnt_GlobalGraphicStateType{
stackBase; /*the stack area store; /*the storage areastore; / the storage areacontrolValueTable; /*the control value table……int8 non90DegreeTransformation ……unit16 cvtCount;} fnt_GlobalGraphicStateType;
BEFORE
AFTER
3/16/2012 38
![Page 39: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/39.jpg)
Exploit MS11‐087Exploit MS11 087structure fnt_GlobalGraphicStateType{
stackBase; /*the stack area store; /*the storage areastore; / the storage areacontrolValueTable; /*the control value table……int8 non90DegreeTransformation ……unit16 cvtCount;} fnt_GlobalGraphicStateType;
BEFORE
AFTER
3/16/2012 39
![Page 40: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/40.jpg)
Exploit MS11‐087Exploit MS11 087
fnt_GlobalGraphicStateType+134h (cvtCount)
BEFORE
AFTER
3/16/2012 40
![Page 41: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/41.jpg)
Exploit MS11‐087Exploit MS11 087
3/16/2012 41
![Page 42: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/42.jpg)
Exploit MS11‐087Exploit MS11 087
3/16/2012 42
![Page 43: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/43.jpg)
Exploit MS11‐087Exploit MS11 087
ecx: value ‘stackBase+0’edx: value Control Value Table
3/16/2012 43
![Page 44: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/44.jpg)
Exploit MS11‐087Exploit MS11 087
3/16/2012 44
![Page 45: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/45.jpg)
Exploit MS11‐087Exploit MS11 087
3/16/2012 45
![Page 46: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/46.jpg)
Exploit MS11‐087Exploit MS11 087
Perfectly jump intoPerfectly jump into the shellcode
3/16/2012 46
![Page 47: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/47.jpg)
Demonstration
3/16/2012 47
![Page 48: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/48.jpg)
Microsoft Windows Bitmapped Font ( f )(.fon)
• Microsoft Windows Bitmapped Fonts (.fon)Microsoft Windows Bitmapped Fonts (.fon) come in two different types: a. New Executable NE (old format used bya. New Executable NE (old format used by Windows 3)NE b. Portable Executable PE (new 32bitb. Portable Executable PE (new 32bit executable format used in Windows 95 and above)
Note: Can’t find any complete documentation of Microsoft Windows Bitmapped Font. If you have any, share with me ☺!!
3/16/2012 48
![Page 49: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/49.jpg)
FON FUZZERFON FUZZER• .FON fuzzer consits of 2 files:
k fa. mkwinfont.py
‐ written and/or maintained by Simon
Tatham
‐ python script generates NE fon files onlypython script generates NE .fon files only
b. fuzzer.py
i b‐ written by Byoungyoung Lee
‐ fuzz the .fon in different width, height
3/16/2012 49
![Page 50: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/50.jpg)
FON FUZZERFON FUZZER• Some modification:
k i fa. mkwinfont.pyvalue = string.atol(w, 16) ;support hexadecimal
b. fuzzer.pyif width != 0:if width ! 0:
for j in range(height):fdStr += "A"*width + "\n“
fd "\ "fdStr += "\n"
3/16/2012 50
![Page 51: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/51.jpg)
FON FUZZERFON FUZZER
3/16/2012 51
![Page 52: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/52.jpg)
Exploit MS11‐077Exploit MS11 077
• Discovered by Byoungyoung LeeDiscovered by Byoungyoung Lee
• BSOD: BAD_POOL_HEADER(19)
i b b b d h l iInteresting bug but based on the analysis, there is very difficult to bypass the ‘safe
li ki ’ i i d k l lunlinking’ in windows kernel pool
• BSOD: DRIVER_OVERRAN_STACK_BUFFER(f7)
Possible to bypass the Stack‐Canary in Kernel
LandLand
3/16/2012 52
![Page 53: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/53.jpg)
Exploit MS11‐077Exploit MS11 077
win32k!BmfdOpenFontContext
;.Fon width=498 (0x1F2)
3/16/201253
; eax=(0x1F2)*5=0x9ba
![Page 54: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/54.jpg)
Exploit MS11‐077Exploit MS11 077
win32k!BmfdOpenFontContext
;the ‘EngAllocMem’ function allocates a block of memory (0x160) and inserts
3/16/2012 54
;a ‘Bmfd’ pool tag before the allocation
![Page 55: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/55.jpg)
Exploit MS11‐077Exploit MS11 077
3/16/2012 55
![Page 56: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/56.jpg)
Exploit MS11‐077Exploit MS11 077;Font data ‘aa’ will process and the result as index to read from the following array:a. awStretch5W1a. _awStretch5W1b. _BFA10171c. _awStretch5W2d. _BFA10191
jS h5B1e. _ajStretch5B1
3/16/2012 56
![Page 57: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/57.jpg)
Exploit MS11‐077Exploit MS11 077
3/16/2012 57
![Page 58: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/58.jpg)
Exploit MS11‐077Exploit MS11 077
Overwrite 3 bytes in l h dnext pool header
3/16/2012 58
![Page 59: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/59.jpg)
Limitation of Exploit MS11‐077Limitation of Exploit MS11 077
win32k!vStretchGlyphBitmap
3/16/2012 59
win32k!vStretchGlyphBitmap
![Page 60: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/60.jpg)
Limitation of Exploit MS11‐077Limitation of Exploit MS11 077
win32k!vStretchGlyphBitmap
3/16/2012 60
win32k!vStretchGlyphBitmap
![Page 61: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/61.jpg)
Exploit MS11‐077Exploit MS11 077
3/16/2012 61
![Page 62: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/62.jpg)
Exploit MS11‐077 (another try)Exploit MS11 077 (another try)
3/16/2012 62
![Page 63: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/63.jpg)
Exploit MS11‐077Exploit MS11 077
Possible to bypass Kernel Canary in Kernel Land??
3/16/2012 63
Possible to bypass Kernel Canary in Kernel Land?? gave up without detail testing
![Page 64: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/64.jpg)
Demonstration
3/16/2012 64
![Page 65: GDI Font Fuzzing in Windows Kernel For Fun](https://reader033.fdocuments.us/reader033/viewer/2022051109/54955c9aac7959222e8b4dfc/html5/thumbnails/65.jpg)
Thank You
Credit to: jvjvlglg, Byoungyoung Lee & Tarjei Mandt
3/16/2012 65