Re: Analyze binary for holes

[DownBload <downbload () hotmail com>]

In-Reply-To: <20030729162007.7689.qmail () www securityfocus com>

You can use strings for easy finding potential vulnerable functions.
# strings /bin/ls | grep strcpy
# strings /bin/sh | grep sprintf
# strings /bin/tralalal | grep syslog 
# strings /bin/format   | grep fprintf
If potential vulnerable function is found, you only know that function is 
used, but you don't know if that function is used in wrong way.
Try to disassemble with gdb and look for flaws or brute force args and env.

Regards,
DownBload / Illegal Instruction Labs


> Hello
> I am interested in how you may go about analyzing a binary file to 
> determine potential format string or buffer overflow holes.
>
> The platforms I am testing are: SunOs Solaris 2.7/8/9(SPARC) and Windows 
> NT/2000/XP.
>
> This is my process, maybe you could direct and fill in the massive blanks:
>
> UNIX:
> In the unix world my first step is to list out the SUID-root files.
> My next step is to identify which files have potential vulnerabilities.  
> On the Unix side I have used strings, but what does that tell me about.
> I have seen a few mallocs, callocs, and things that look like a format 
> string for a printf... But not sure what to do next...SO I was thinking
> of brute forcing the binary command line args and/or environmental vars
> to see if I can dump core..
>
> Can you identify potential format string vulnerabilities from binary?
> Can you identify potential buffer overflow vulns. from binary?
>
> WINDOWS:
> I have no idea how to recognize a vulnerable program in the Windows 
> word.Is there anything like SUID-roor, etc??
>
> Thanks