Vulnerability Development mailing list archives

Re: Analyze binary for holes

From: Shaun Clowes <shaun () securereality com au>
Date: Fri, 1 Aug 2003 10:12:05 +1000

On Thu, Jul 31, 2003 at 10:19:18PM -0000, DownBload wrote:

In-Reply-To: <20030729162007.7689.qmail () www securityfocus com>

You can use strings for easy finding potential vulnerable functions.
# strings /bin/ls | grep strcpy
# strings /bin/sh | grep sprintf
# strings /bin/tralalal | grep syslog 
# strings /bin/format   | grep fprintf
If potential vulnerable function is found, you only know that function is 
used, but you don't know if that function is used in wrong way.
Try to disassemble with gdb and look for flaws or brute force args and env.


Sorry, but this thread is now getting ridiculous, reverse engineering
using strings is silly. If you insist on looking for vulnerable functions you
should actually look for function imports using the correct tool for the
binary file you're looking at, e.g:

$ elfdump -s /bin/ls | grep strcpy
      [81]  0x00024190 0x00000000  FUNC GLOB  D    0 UNDEF       strcpy

If you decide you want to verify those calls you should run the code
through a good disassembler (though I guess objdump is pretty much your
only option that is free for Solaris) and study the code that provides
the parameters (and their origin). Any which way you look at it, doing
this well is hard and time consuming work. 

Cheers,
Shaun

Current thread:

Re: Analyze binary for holes Shaun Clowes (Aug 01)
- <Possible follow-ups>
- Re: Analyze binary for holes xenophi1e (Aug 01)
- Re: Analyze binary for holes Gerardo Richarte (Aug 11)