Some word about Vulnerability Patch Analysis

November 16, 2008


Actually I’m a bit busy with work and a project related to my collaboration with EvilFingers, but I hope to release a paper soon.

Today we are going to talk a bit about the world of patch analysis. The security practice of analysing the patches released mainly by Microsoft, but also by the other big software houses, has spread widely in the last year. The basic concept is to study the patch in order to understand the vulnerability and to elaborate a PoC or the exploit itself.

Let’s take as an example the latest vulnerabilities released by Microsoft:

  • MS08-69 -> Microsoft XML Core Services Could Allow Remote Code Execution. It can be downloaded here.
  • MS08-69 -> Vulnerability in SMB Could Allow Remote Code Execution. It can be downloaded here.

After downloading a copy of the patches, obviously the ones matching our OS, we have two executables:

  • WindowsXP-KB957097-x86-ENU.exe
  • msxml6-KB954459-enu-x86.exe

These two executables contain the fixed system files embedded in the installer, so the first step is NOT to install the fixes but to obtain a copy of the new DLLs. To do that we have to unpack the two executables. Fortunately MS installers accept a set of command-line switches covering the various installation functions; in our case we need to extract the content of the installer into a specific directory. So let’s create a directory, for example Out; now we can extract the files as follows:

WindowsXP-KB957097-x86-ENU.exe /x:Out

and we will obtain:

  • /SP2GDR
  • /SP2GFE
  • /SP3GDR
  • /SP3GFE
  • /update

We are working, for example, with XP SP2, so let’s take the copy of mrxsmb.sys from SP2GDR or SP2GFE, making sure to pick the branch that matches the binary currently installed on the system being diffed, otherwise the diff will also show changes unrelated to this fix. Now we can apply the binary diffing approach 😉

In the case of msxml6-KB954459-enu-x86.exe, after decompressing it we obtain a .msi package, which needs to be extracted with msiexec. Here is how to extract an msi file into the directory you want, in a practical example:

msiexec /a e:\Evil\msxml6.msi /qb TARGETDIR=e:\Evil\Msi\
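As an added example (not code from Evilcry’s post), here is a small Python triage script that sits between the extraction steps above and the binary differ: it hashes two directory trees, the original system files and the extracted patched files, and lists which files were added, removed or changed, so that only the modified binaries (here mrxsmb.sys) need to go into BinDiff. The directory names, the sample file contents and the helper names (index_tree, diff_trees, build_sample, demo_diff) are constructed for this example; the extraction commands it assumes are the ones shown on the page.

```python
"""
Added example: file-level triage of an unpacked Microsoft patch.

Assumed prior steps (from the post):
    WindowsXP-KB957097-x86-ENU.exe /x:Out
    msiexec /a e:\\Evil\\msxml6.msi /qb TARGETDIR=e:\\Evil\\Msi\\

Then compare e.g. a copy of %SystemRoot%\\system32 (old) against
Out\\SP2GDR (new) to see which binaries actually changed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MB chunks so multi-megabyte patch binaries
    are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root: Path) -> dict:
    """Map each file's path relative to root (lower-cased, because
    Windows file names are case-insensitive) to (size, sha256)."""
    index = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix().lower()
            index[rel] = (p.stat().st_size, sha256_of(p))
    return index


def diff_trees(old_root, new_root) -> dict:
    """Classify every file as added, removed, changed or unchanged.
    Only the 'changed' list needs to be loaded into a binary differ."""
    old = index_tree(Path(old_root))
    new = index_tree(Path(new_root))
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(f for f in common if old[f] != new[f]),
        "unchanged": sorted(f for f in common if old[f] == new[f]),
    }


def build_sample(base) -> tuple:
    """Constructed sample data (not real Microsoft binaries): a pre-patch
    tree and a post-patch tree with one modified driver, one untouched
    file and one newly added file."""
    old = Path(base) / "system32"
    new = Path(base) / "Out" / "SP2GDR"
    for d in (old / "drivers", new / "drivers"):
        d.mkdir(parents=True, exist_ok=True)
    header = b"MZ" + b"\x00" * 64  # fake DOS header, constructed
    (old / "drivers" / "mrxsmb.sys").write_bytes(header + b"old-smb-code")
    (new / "drivers" / "mrxsmb.sys").write_bytes(header + b"new-smb-code")
    (old / "drivers" / "untouched.sys").write_bytes(header)
    (new / "drivers" / "untouched.sys").write_bytes(header)
    (new / "drivers" / "helper.dll").write_bytes(header[:32])
    return old, new


def demo_diff() -> dict:
    """Run the triage on the constructed sample and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = build_sample(tmp)
        return diff_trees(old, new)


if __name__ == "__main__":
    for kind, files in demo_diff().items():
        print(f"{kind}: {files}")
```

On a real patch, point diff_trees at the directory holding the currently installed copies and at the matching branch directory (SP2GDR or SP2GFE) from the unpacked installer; everything in the "changed" list is a candidate for BinDiff, and the "added" list tells you whether the fix also shipped new modules.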

I also suggest paying attention to the binary diffing software you’re going to use, because sometimes patches are “big” (4-5-6 MB) and, for example, Sabre Security’s BinDiff freezes.

The best binary differs are:

  • Sabre Security’s Bin Diff
  • Eeye Binary Diffing Suite


Evilcry 🙂