DOMSDAY Analyzing a DOM-Based XSS in Yahoo!

DOMSDAY

Analyzing a DOM-Based XSS in Yahoo!

Yahoo-Exploit

Yahoo-Exploit

hello again to all great readers

before going future i want talk a bit about abysssec.  i want to talk about abysssec, in 5 years I worked as a CTO In abysssec and I had a very great the time in team. What I want to write now is actually my last post (as CTO) from abysssec team (maybe i write as guest in future). that’s it after ~5 year I finally want to leave home to new home with best wishes for abysssec new management team. so good or bad i hope you enjoyed my works i as did in abysssec. abysssec team will work as always and like before just with new management team as will share information just like before.

So finally you can follow me on twitter with @ShahinRamezany  (@abysssec account twitter will be managed by new management team) for my new company news and also our long waited training classes.

 

Yahoo! vulnerability :

as you may read in news Yahoo! recently fixed a DOM-based cross site scripting in one of  strongly used JS files. and as i promised i want share PoC and step by step article about finding and exploiting this vulnerability.

so here is paper abstract.

Abstract

As a security researcher in my free time I spend my time on both application and web application security. During one of my researches while I was focusing on auditing JavaScript codes I spent some time on Alexa top ranks and their JS libraries to see what I can find in theme. So I started working on apple, FaceBook, Yahoo! I just surprised I found few issues on all of them! And in this article I want to explain one of my cool findings on Yahoo! Mail which can be used to completely compromise an account.

According to Wikipedia[1], Yahoo mail has around 310 million users in October 2011 so any serious vulnerabilities puts millions of users in risk. Finding XSS in Yahoo! is not a new thing and is not that so hard. Reason of creating this article is not just proofing Yahoo! is vulnerable and it’s about how easy is to find and exploit vulnerabilities in well-known websites.

So in this short paper we will review on 5 steps.

  • Introduction
  • Step I   : Steps to finding vulnerability
  • Step II  : Triggering and analyzing the vulnerability
  • Step III : Exploiting the vulnerability
  • Step IV : Hijacking user accounts
  • Step V  :  Patching the vulnerability
  • Yahoo incomplete patch
  • Appendix : Demo
  • Appendix II  : Dominator to rescue
  • Credits / References

Paper Download link

http://abysssec.com/files/Yahoo!_DOMSDAY.pdf

http://www.exploit-db.com/wp-content/themes/exploit/docs/24109.pdf

 

PoC Demo

 

you can watch demo here :

also you can download it from here

update : youtube removed video after ~30K  viewers and i don’t know why …

press links :

http://thenextweb.com

http://threatpost.com/

http://news.softpedia.com/

http://www.computerworld.com/

http://news.hitb.org/

http://thenextweb.com/

http://www.offensive-security.com/

http://www.scmagazine.com/

http://www.ehackingnews.com/

http://allthingsd.com/

http://www.securityweek.com/

http://www.isssource.com/

 

i know it’s too late but happy new years !

be safe
Shahin Ramezany

[1]  http://en.wikipedia.org/wiki/Yahoo!_Mail

 

Exploiting Admin Functionality in WordPress Using ClickJacking

hello all

it’s been a while after writing a post and you may know Abysssec  mostly write about application security but we are working on web apps too . in this post we are gonna talk about funny case of wordpress exploitation using ClickJacking technology. as you may know Wordpress Admin panel has x-frame-option which prevent clickjacking but in main page of blog no x-frame-option has been set, so it possible to trick him and make him to post a comment, using Clickjacking. As you may know admin can post comment with html and it is obvious by default this isn’t dangerous, But as blog main page has no x-frame-option it is possible to make XSS of it and finally you can mix ClickJacking /XSS / HTTPOnly Disclosure to make a working exploit.

here is video of  PoC sorry for hosting we have some issue we will upload on abysssec soon  :

http://abysssec.com/files/WordPress_ClickJack.rar

WordPress is aware of unfiltered html with superadmin user but as you can see it’s still possible to exploit the issue .

we reported this so called issue to wordpress ~2 month ago

the answer we got is :

5/4/2012:
Thank you for the report. We're looking into this and will get back to you soon.
5/16/2012:
Sorry for the delayed reply. We've been discussing how best to do this without inconveniencing users.  At the moment we're considering adding the unfiltered_html nonce via JS when the page is not framed. I'll hopefully have a patch to share soon.

Thanks all

happy blogging !

Exploiting CVE-2011-2140 another flash player vulnerability

hello all .

before going future we are sorry to not update blog regularly, but it’s due to we are busy with stack of projects and also working on our expert training courses.

so as we didn’t post any blog post here we go with another flash player exploit we wrote long time ago.

 

1) Advisory information

 

  Title                   :  Adobe flash player memory overwrite exploit   Version             :  <= 10.3.186.3  Discovery         :  http://www.zerodayinitiative.com/advisories/ZDI-11-276/  Vendor             :  http://adobe.com

  Impact              :  Critical

  Contact            :   info  [at] abysssec.com

  Twitter             :   @abysssec

 

2) Vulnerability Information

 

Class        1- Stack OverwriteImpactSuccessfully exploiting this issue allows remote attackers to gain code execution on vulnerable system

Remotely Exploitable

Yes

Locally Exploitable

Yes

 

 

3) Vulnerabilities detail

 

1- Stack overwrite vulnerability

 

Before we go deep into the vulnerability for understanding this vulnerability you should take a look at MP4 format and H.264/AVC data structures.The actual vulnerability occurs during processing data units in Sequence Parameter Set in MP4. Sub_1005B396 function, is responsible for processing   Sequence Parameter Set. In this function pic_order_cnt_type from SPS will be check, if it’s equal with 1, other fields like data_pic_order_always_zero_flag , offset_for_non_ref_pic , offset_for_top_to_bottom_field  will be initialize :

.text:1005B396 sub_1005B396    proc near               ; CODE XREF: sub_1005B8DB+4Bp.text:1005B397                 push    ebp.text:1005B398                 push    esi.text:1005B399                 push    edi

.text:1005B39A                 mov     edi, ecx

.text:1005B39C                 call    sub_1005A95B

.text:1005B3A1                 mov     esi, [esp+10h+arg_0]

.text:1005B3A5                 mov     ecx, edi

.text:1005B3A7                 mov     [esi], al

 

 

.text:1005B47D                 mov     ecx, edi

.text:1005B47F                 mov     [esi+20h], eax

.text:1005B482                 call    sub_1005AA64

.text:1005B487                 mov     [esi+40h], eax

.text:1005B48A                 cmp     eax, ebp             à     if( pic_order_cnt_type )

.text:1005B48C                 jnz     short loc_1005B49D

 

 

.text:1005B49D loc_1005B49D:                           ; CODE XREF: sub_1005B396+F6j

.text:1005B49D                 xor     ebx, ebx

.text:1005B49F                 inc     ebx

.text:1005B4A0                 cmp     eax, ebx            à       if( pic_order_cnt_type == 1 )

.text:1005B4A2                 jnz     short loc_1005B4EF

.text:1005B4A4                 mov     ecx, edi

.text:1005B4A6                 call    sub_1005A99A    à       offset_for_top_to_bottom_field

.text:1005B4AB                 mov     ecx, edi

.text:1005B4AD                 mov     [esi+48h], al

.text:1005B4B0                 call    sub_1005AA93    à        offset_for_non_ref_pic

.text:1005B4B5                 mov     ecx, edi

.text:1005B4B7                 mov     [esi+54h], eax

.text:1005B4BA                 call    sub_1005AA93    à         offset_for_top_to_bottom_field

 

Then the num_ref_frames_in_pic_order_cnt_cycle will be set and if it’s bigger than 0 the values in offset_for_ref_frame will be copied into buffer.

text:1005B4BF                 mov     ecx, edi.text:1005B4C1                 mov     [esi+50h], eax.text:1005B4C4                call    sub_1005AA64      à    num_ref_frames_in_pic_order_cnt_cycle.text:1005B4C9                 mov     [esi+4Ch], eax

.text:1005B4CC                 test    eax, eax

.text:1005B4CE                 jbe     short loc_1005B4EF

.text:1005B4D0                 lea     eax, [esi+58h]

.text:1005B4D3                 mov     [esp+10h+arg_0], eax

.text:1005B4D7

.text:1005B4D7 loc_1005B4D7:                                             à         do{

.text:1005B4D7                 mov     ecx, edi

.text:1005B4D9                 call    sub_1005AA93                    à         offset_for_ref_frame[i]

.text:1005B4DE                 mov     ecx, [esp+10h+arg_0]

.text:1005B4E2                 add     [esp+10h+arg_0], 4            à          buf = &buf + 4

.text:1005B4E7                 inc     ebp                                      à          i++

.text:1005B4E8                 mov     [ecx], eax                           à          buf = offset_for_ref_frame[i]

.text:1005B4EA                 cmp     ebp, [esi+4Ch]

.text:1005B4ED                 jb      short loc_1005B4D7             à          } while(i < num_ref_frames_…)   

You should got the vulnerability at this point. There is no boundary check for num_ref_frames_in_pic_order_cnt_cycle, so our data related to  offset_for_ref_frame will be copy into the stack , that’s all .

 

 

2- Exploitation

Thanks to windows memory manager, browser and class of bug it’s not that hard to archive RCE. The only thing that should care about is return address. Because values which copied from MP4 file into stack, come with the changes. In other words, these values ​​after reading from file will be decode and then are copied into stack. Values ​​are copied into the buffer are generated from values in file into Signed Exp-Golomb code.After taking controll of EIP it’s easy to finish the job we used basic heap spray.

here is reliable exploit : CVE-2011-2140

happy hunting !

 

 

Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability BA / Exploit (MS11-021)

hello all

as we didn’t publish any exploit for a bit we just going to release.

1) Advisory information

Title : Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability

Vendor : http://www.microsoft.com
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec

Microsoft :
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

2) Vulnerability detail

each excel file can contain multiple BOF (2057) records . This record specifies the first substream associated with workbook.One of the fields in these records, specify substream recordd to come with. This field can be extracted from sub_3018F0C2 function.

.text:301A0C87 push [ebp+arg_2C]
.text:301A0C8A mov ecx, [ebp+var_14]
.text:301A0C8D push 1
.text:301A0C8F call sub_3018F0C2
.text:301A0C94 mov ecx, eax
.text:301A0C96 mov eax, [ebp+arg_24]
.text:301A0C99 cmp eax, ebx
.text:301A0C9B mov [ebp+var_10], ecx
.text:301A0C9E jz short loc_301A0CA2
.text:301A0CA0 mov [eax], ecx

If the field value is equal with 400, sub_3019DFBA function is called to check file type. if file type is xls EXCEL.exe will display a message If approved it will continue to run the code.if you change file extension to xlb there will be any message. After this step sub_3053F626 function will be executed. This function will parse the next BOF records.


.text:304D4E9D cmp [ebp+arg_20], ebx
.text:304D4EA0 jnz short loc_304D4EC6
.text:304D4EA2 test dword ptr word_30EDCF9C, 2000000h
.text:304D4EAC jnz short loc_304D4EC6
.text:304D4EAE mov edx, [ebp+arg_C]
.text:304D4EB1 mov ecx, [ebp+arg_8]
.text:304D4EB4 push 3Fh
.text:304D4EB6 call sub_3019DFBA
.text:304D4EBB cmp eax, ebx
.text:304D4EBD mov [ebp+var_8], eax
.text:304D4EC0 jz loc_304D4FD3
.text:304D4EC6
.text:304D4EC6 loc_304D4EC6: ; CODE XREF: sub_301A0BC7+3342D9j
.text:304D4EC6 ; sub_301A0BC7+3342E5j
.text:304D4EC6 push ebx
.text:304D4EC7 push dword_30EB89A4
.text:304D4ECD push [ebp+var_C]
.text:304D4ED0 call sub_3053F626
.text:304D4ED5 cmp dword_30F5E64C, ebx
.text:304D4EDB mov [ebp+var_8], eax
.text:304D4EDE jz short loc_304D4EE7
.text:304D4EE0 cmp eax, ebx
.text:304D4EE2 jz short loc_304D4EE7

one of records may come after BOF,is undocumented record which have record type equal to 0xA7 (167). for truly parsing this record should come with another record with 0x3C (60) record type. if it meet this requirement the length of records will be read and copied to the stack the function which operation of copying data records in the stack is sub_30199E55. This function takes three arguments .The first argument specifies the number of bytes to copy, which will read from file. The second argument specifies the destination of the copy and the third argument specifies the maximum amount of data can be copied. values of the second and third arguments based on the amount of computing reading from file and into this cumpoting,computational error which may occur here …


.text:3053F830 call sub_301A0A01
.text:3053F835 cmp eax, 3Ch
.text:3053F838 mov [ebp+var_ED4], eax
.text:3053F83E jnz loc_30540488
.text:3053F844 call sub_301A0A01
.text:3053F849 mov ecx, [ebp+var_EDC]
.text:3053F84F imul ecx, [ebp+var_F00]
.text:3053F856 mov edi, eax
.text:3053F858 mov eax, [ebp+var_EE0]
.text:3053F85E lea ebx, [ecx+eax+3]
.text:3053F862 call sub_301A0ABE
.text:3053F867 push 0FFFFFFFDh
.text:3053F869 pop edx
.text:3053F86A sub edx, ecx
.text:3053F86C add eax, edx
.text:3053F86E push eax ; Dst
.text:3053F86F push ebx ; int
.text:3053F870 mov eax, edi
.text:3053F872 call sub_30199E55

the vulnerability that exists here is that we can change the value of parameter 3 whith our own values. program will not correcly controll third argument of sub_30199E55 this and can result in the desired amount and location of desired data can overwrite in the stack.


.text:30199E60 cmp edi, [esp+4+Dst]
.text:30199E64 ja loc_303EE1B7
.text:30199E6A mov ecx, [esp+4+arg_0]
.text:30199E6E push ebx
.text:30199E6F mov ebx, dword_30F726C0
.text:30199E75 push ebp
.text:30199E76 mov ebp, nNumberOfBytesToRead
.text:30199E7C push esi
.text:30199E7D mov [esp+10h+Dst], ecx
....
.text:30199E93 mov eax, [esp+10h+Dst]
.text:30199E97 push esi ; Size
.text:30199E98 lea edx, dword_30F6E6B8[ebx]
.text:30199E9E push edx ; Src
.text:30199E9F push eax ; Dst
.text:30199EA0 sub edi, esi
.text:30199EA2 call memcpy
.text:30199EA7 add [esp+1Ch+Dst], esi
.text:30199EAB add ebx, esi
.text:30199EAD add esp, 0Ch
.text:30199EB0 test edi, edi
.text:30199EB2 mov dword_30F726C0, ebx
.text:30199EB8 jnz loc_301E0DB3

3) Exploitation :

Stack overflows are not hard to exploit at all ! but as we have both /GS , SAFESEH here. because given that we are destined to memcpy we can change it so that it begins to overwrite the stack after GS. and from there when the return comes , our values contained in the ESP and we can call it with simple call esp and game is over !!!

 

download full exploit source  : MS11-021

Happy Hacking .

 

 

 

 

 

 

 

bypassing all anti-virus in the world (Good Bye Detection , Hello Infection)

hello to all readers

Introduction

as  you may read in @abysssec in twitter  actually in past a few months we did a cool research on bypassing anti-viruses and got really great result .

Bypassing anti-viruses is not a new topic and it’s still about encrypting / decrypting  of a program to being hide from AV eyes. In past it was really, really easy task to do but AV’s getting smarter and bypassing all anti-viruses with some really unique methods that each of them use is not funny and neither easy to do.

before i go feature i like to have a simple glossary for unfamiliar readers.

Glossary

Crypter : the program (mostly GUI) will crypt the malware / bot to make it hide from anti-viruses

Stub : the Decryptor of crypted program

FUD : Fully Un Detectable (FUD = no AV detect)

RUNPE : run the PE without headers in memory

USG : unique stub generator. (make unique stubs)

Binder: will join two file will drop in hdd or mem

Pumper: will increase size of tool

EOF  : end of file(in crypter it need to preserve)

Cloner : will clone the file (Decryptor like in HDD)

Icon Changer: will change the final exe icon

well there are two also different kind of crypters scan time and run time. The good crypter is run time one because as it name says the scan time crypter is just FUD at scan time and when you run it and after real malware decrypted  it will be detect  so not that useful. And the real crypter is the runtime one.

How it works ?

if we remove all complex technical info for bypassing all 35 anti-virus around the world it works really sample.

 

it simply encrypt  program, decrypt, and  then run it in memory. encryption algorithm is not important and sample ideas are enough to make a crypter fud

but some of mostly used alghortims are :

I. RC4
II. AES
III.DES
IV. TEA
V. XOR
VI. CryptoAPI
VII. blowfish
note that there is important part in your job and that is run the malware safely in memory after decrypting it , and this is done by RunPE . the idea of RunPE comes from great PoC by Tan Chew Keong called dynamic forking of win32 exe : http://www.security.org.sg/code/loadexe.html

steps and idea are really sample :

CreateProcess

Find Base address

Virtualalloc

Align sections

Fix thread context

Resume thread

but this is not easy to hide this kind of API chaining from anti-viruses .

so we finished our research by writing a new fud crypter and our crypter is unique and different with public ones .

our crypter is unique and can bypass all 35 exist av right now .

here is list of AV we fully tested our crypters on them .

 - Ad-Aware
 - AhnLab V3 Internet Security
 - ArcaVir
 - Avast
 - Avast 5
 - AVG Free
 - AntiVir (Avira)
 - BitDefender
 - BullGuard
 - VirusBuster Internet Security
 - Clam Antivirus
 - COMODO Internet Security
 - Dr.Web
 - eTrust-Vet
 - F-PROT Antivirus
 - F-Secure Internet Security
 - G Data
 - IKARUS Security
 - Kaspersky Antivirus
 - McAfee
 - MS Security Essentials
 - ESET NOD32
 - Norman
 - Norton Antivirus
 - Panda Security
 - A-Squared
 - Quick Heal Antivirus
 - Rising Antivirus
 - Solo Antivirus
 - Sophos
 - Trend Micro Internet Security
 - VBA32 Antivirus
 - Vexira Antivirus
 - Webroot Internet Security
 - Zoner AntiVirus

we even tested 10 year ago malware and our crypter can hide them from any anti-virus system .

our crypter comes with some unique features here is some of them

 

 - FUD 0 / 35 detection
 - EOF support
 - Coded in C/ASM Stub and GUI In C#
 - Compatible with Win 2k/XP/7 x32 and x64
 - Ability of bypassing heuristic and emulators (Kaspersky pro-acvtive defense , Nod32 advanced heuristic , Norton Sonar, Avira heuristic)
 - Command line support
 - Unicode support (chines , russian and so on)
 - Right-to-Left Exploit after crypting you can have .mp3 , doc , pdf , avi or anything as output !!!
 - inbuilt scanner and scanning with 35 anti-virus after cryptring
 - advanced file binder with drop in disk and memory
 - Anti-debug
 - Anti-sandbox
 - advanced encryption : Double XOR , RC4, AES256
 - Advanced resource storage : unique method

here is some screen shot of GUI :

 

 

 

 

 

 

and finally you can see the actual work in a demo here :

http://abysssec.com/files/VampCrypt.rar

as we don’t want harm anyone if you are :

- penetration testing company

- anti virus / IDS company

- any legit company who needs it


update 2012 : do not send request anymore this project will not be shared / support any more .

contact : info [at] abysssec.com

and as always you can follow @abysssec in twitter

happy fudding .

Exploit for CVE-2011-0222 Safari SVG Vulnerability

Hello all again

we are here with a patched vuln again and this time apple safari one .

 

 

actually it’s not that really odd to see your 0day got patched in vendor big patches and this time this happened to US too.

our safari vulnerability got patched and we decide to public our windows exploit + stand alone trigger without any pop up and finally a simple ROP to DEP bypass .

no more explanation this time check out exploit code.

http://abysssec.com/files/CVE-2011-0222_WinXP_Exploit.zip

http://www.exploit-db.com/sploits/CVE-2011-0222_WinXP_Exploit.zip

as always feel free to contact us : info [at] abysssec.com

follow @twitter for updates

 

cheers

 

Analysis of CVE-2011-0041 vulnerability in GDI+

Abysssec Research

we tried for other case in exploit bounty this time for a 500$ one .

no luck for successful exploitation and to be honest we didn’t tried so hard . at least we got a PoC and here is our analysis for this cool bug.

1) Advisory information

 

  Title                   :  GDI+ CreateDashedPath Integer overflow in gdiplus.dll  

  Discovery         :  Nicolas july from vupen

  Analysis            :  Abysssec.com

  Vendor             :  http://www.microsoft.com

  Impact              :  High

  Contact            :  info  [at] abysssec.com

  Twitter             : @abysssec

  CVE                   : CVE-2011-0041

2) Vulnerable version

Gdiplus.dll 5.2.6001.22319

 

3) Vulnerability information

 

Class

        1-Integer overflow

Impact

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of vulnerable application or cause denial-of-service conditions.

Remotely Exploitable

Yes

Locally Exploitable

Yes

4) Vulnerabilities detail

 

The vulnerability exists in gdiplus!GpPath::CreateDashedPath function of gdiplus.dll that is responsible for bitmap drawing and other 2d graphic rendering. EMF+ file is one of the image file format that is rendered by the library. And the vulnerability is based on some floating point calculation of an EMF+ path object.

We made the following proof of concept to trigger the issues and it will be explained more:

 

A little taste of file format we simply put a EMF_COMMENT record (id = 0×00000046) and embed and emf+ geraphic object ( id = 0×00004008 ) . For simplicity we ripped out a valid graphic object from another file and started to play with it. The record have two important area that we highlighted them in the above picture.

 

Here is the faulty code:

.text:4ECFCBAD loc_4ECFCBAD:                     

.text:4ECFCBAD                 mov     eax, esi

.text:4ECFCBAF                 shl     eax, 3

.text:4ECFCBB2                 cmp     [ebp+lpMem], 0

.text:4ECFCBB6                 push    eax             ; dwBytes

.text:4ECFCBB7                 jz      short loc_4ECFCBCE

.text:4ECFCBB9                 push    [ebp+lpMem]     ; lpMem

.text:4ECFCBBC                 call    GpRealloc(x,x)

.text:4ECFCBC1                 test    eax, eax

.text:4ECFCBC3                 jz      loc_4ECFCCDB

.text:4ECFCBC9                 mov     [ebp+lpMem], eax

.text:4ECFCBCC                 jmp     short loc_4ECFCBDE

.text:4ECFCBCE ; —————————————————————————

.text:4ECFCBCE

.text:4ECFCBCE loc_4ECFCBCE:                      

.text:4ECFCBCE                 call    GpMalloc(x)

.text:4ECFCBD3                 test    eax, eax

.text:4ECFCBD5                 mov     [ebp+lpMem], eax

.text:4ECFCBD8                 jz      loc_4ECFCCDB

 

The above code uses the eax register as arguments to the GpMalloc function. GpMalloc is simply a gdi version of heapAlloc function. The value of eax register is based on various floating point calculation that is not simple to examine at first look.

But I traced the value of eax register and it seems the calculations are based on our values mentioned earlear in the file.  And it doesn’t bound checked well, by changing the path value tricky it is possible when the “shl    eax, 3” instruction multiply the value by 8 we get an integer overflow and in turn a faulty heap allocation.

 

I dynamically traced the values with my proof of concept file. Eax register is equall to eax + [ebp-38] * 10 and as there are a lot of values and calculations before that, for better consideration I made the following diagram:

 

 

 

 

It took a lot of time explanation of all of the variables above but, the important one is the GpPath object that is in the code a clone of the object is made to later be manipulated for drawings.

.text:4ECFC9D9 loc_4ECFC9D9:                           ; CODE XREF: GpPath::CreateDashedPath(DpPen const *,GpMatrix const *,float,float,float,int)+1AAj

.text:4ECFC9D9                 fld     dword ptr [esi+eax*4]

.text:4ECFC9DC                 fmul    [ebp+arg_0]

.text:4ECFC9DF                 fstp    dword ptr [esi+eax*4]

.text:4ECFC9E2                 inc     eax

.text:4ECFC9E3                 cmp     eax, [ebp+arg_4]

.text:4ECFC9E6                 jl      short loc_4ECFC9D9

.text:4ECFC9E8

.text:4ECFC9E8 loc_4ECFC9E8:                      

.text:4ECFC9E8                 mov     ecx, [ebp+var_18] ; Src

.text:4ECFC9EB                 call    GpPath::Clone(void)

.text:4ECFC9F0                 mov     edi, eax

.text:4ECFC9F2                 test    edi, edi

.text:4ECFC9F4                 jz      loc_4ECFCDBA

.text:4ECFC9FA                 mov     eax, [edi]

.text:4ECFC9FC                 mov     ecx, edi

.text:4ECFC9FE                 call    dword ptr [eax+4]

 

After calling the clone, it checks whether it is a valid clone or not at address 4ECFC9FE.

The offset +34h of the object contains a pointer to our 4byte path object values.

0:000> dd ecx

0e03ca50  4ec67e58 68745031 00000000 00000000

0e03ca60  0e03ca74 0e03ca74 00000010 00000010

0e03ca70  00000002 00000100 00000000 00000000

0e03ca80  00000000 0e03ca98 0e03ca98 00000010

0e03ca90  00000010 00000002 449a8eab 458ac500

0e03caa0  449a8eab 4e0000fe 00000000 00000000

0e03cab0  00000000 00000000 00000000 00000000

0e03cac0  00000000 00000000 00000000 00000000

 

Our floating point values in the file format:

0e03ca98  449a8eab 458ac500 449a8eab 4e0000fe

0e03caa8  00000000 00000000 00000000 00000000

 

But there are some modifications on our values before we get the faulty code. First after the clone is performed GpPath::Flatten function made some changes to our values based on a transform matrix in the file. So this is cause of the highlighted 6 DWORDs in the file.­­­

.text:4ECFC9FE                 call    dword ptr [eax+4]

.text:4ECFCA01                 test    eax, eax

.text:4ECFCA03                 jz      loc_4ECFCDBA

.text:4ECFCA09                 fld     ds:flt_4ECB80FC

.text:4ECFCA0F                 push    ecx             ; float

.text:4ECFCA10                 lea     eax, [ebp+var_F8]

.text:4ECFCA16                 fstp    [esp+108h+var_108]

.text:4ECFCA19                 push    eax             ; int

.text:4ECFCA1A                 mov     ecx, edi

.text:4ECFCA1C                 call    GpPath::Flatten(GpMatrix const *,float)

.text:4ECFCA21                 cmp     [ebp+var_2C], 0

 

Flattened GpPath object values:

0:000> dd poi(edi+34)

0e03cd18  449a7eab 458ac100 449a7eab 4e0000fd

0e03cd28  00000000 00000000 00000000 00000000

 

And after that our changed GpPath object is sent to calculateGradiantArray and some array of floating point values are made based on its calculation.

There are many other default floating point values has effects on the value of the overflowing size for GpMalloc that are not so interesting and I’ve just shown them on the diagram.

After the calculation integer wrapped, the heap allocated by the gpMalloc function is not big enough to hold our data. So in next uses of the wrapped allocated heap the corruption occurs. But it seems there is not a straight way of exploiting such heap corruptions using a standalone file. .

PoC link   : http://abysssec.com/files/GDI_PoC.zip

			

DEP/ASLR bypass using 3rd party + Clarification

hello again to all of our great readers .

is this post we are going to do some clarification also share and drop some random 0day DEP/ASLR bypass using 3rd parties .

due to there is lots of things to say we wrote all the notes as an article called “The Arashi”.

 

Table of content :

===============================================================

Introduction and warning

The Story of Sayonara

First Method: ASLR Bitter

Second Method: Process Explorer

Narly Windbg Extension

Mona / PVEFindAddr

Ropping this fun DLL

First 0day tatsumaki

Second (half) 0day Ikazuchi

Third 0day Sugokunai

Final Note

===============================================================

and finally  here you can download it from  : here

note that the offer in paper will be expire in 10 day so if you are verified and need one of modules let us know .

as always feel free to contact us : info [at] abysssec.com

and also follow @abysssec in twitter

 

Exploiting Adobe Flash Player on Windows 7

Hello again . as a lot of readers like windows 7 exploits here is other one .

1) Advisory information

Title                   : Adobe Flash player Action script type confusion  

Version             :  flash10h.dll

Discovery         :  Malware writers

Exploit              :  abysssec.com

Vendor             :  http://www.adobe.com

Impact              :  Critical

Contact            :   info  [at] abysssec.com

Twitter            : @abysssec

CVE                    : CVE-2010-3654

2) Vulnerable version

Adobe Flash Player 10.1.53 .64 prior versions

3) Vulnerability information

 

Class 

1- Type Confusion

Impact

Successfully exploiting this issue allows remote attackers to execute code under the context of targeted browser.

Remotely Exploitable

Yes

Locally Exploitable

Yes

4) Vulnerability detail

Here we have type confusion vulnerability in ActionScript bytecode language. The cause of these vulnerabilities is because of implementation of verification process in AS3 jit engine that because of some miscalculation in verifying datatype atoms, some data replaces another type of data and the confusion results in faulty machine code.

Action script has the following structure. First our scripts are compiled using an action script compiler like flex to AS3 ByteCodes and embed it to DoABC, DoAction or DoInitAction tags in swf file format. When flash player opens the swf file, bytecodes are compiled to a jitted machine code through verification and generation process. Verification process is responsible for checking bytecodes to be valid instructions and it pass the valid bytecodes to generation process, thus generation process produces the machine code in memory.

According to Dion Blazakis’s JIT Spray paper:

 

To handle this runtime typing requirement, the ActionScript interpreter represents internal objects using tagged pointers – internal, this object is called an “atom”. Tagged pointers are a common implementation technique to differentiate between those objects stored by value and those stored by reference using the same word sized memory cell. A tagged pointer stores type information in the least significant bits and stores a type specific values in the most significant bits. As shown in Illustration 1, the ActionScript atom is 32 bits wide; it allocates 3 bits to store the type information and uses 29 bits for the value.

So if it would be possible to confuse verifier too act an atom as another atom by some bytecode changes it would be possible to generate faulty code that most of the times lead to disclosing a vtable pointer call to the attacker.

The bug is perfectly presented in Haifei li recent slides. We have OriginalClass and RefClass with the same functions. Func1 – OriginalClass return a class objects, but Func1 – RefClass returns another type. By changing a byte in the bytecode we have confused AS3 to execute RefClass functions in the main class. After that verifier confuses the return type of the function with an OriginalClass object and generate faulty code with the vtable under the control of the return value.

 

Exploitation:

For exploitation purpose on recent protections on windows 7 without any 3rd party, it is possible to use the same bug many times to leak the imageBase address and payload address. In our exploit we used three confusion to read String Objects address and accordingly imagebase address.

Step1: read shellcode string object pointer by confusing it with uint and use it to leak ImageBase.

Step2: leak address of the shellcode with the same pointer and NewNumber trick.

Step3: send imageBase & shellcode address as parameters to the RopPayload function, develop Rop payload string and again confuse the return value with uint to read address of RopPayload string.

Step4: send address of the rop payload as parameters to the last confused function that confuses string type with class object. And thus address of our rop payload will be used as vtable in the fake class object.

Note: In using strings as a buffer for shellcode in action script, it is important to use alphanumeric characters because the toString method converts our ascii character set to uincode thus make our shellcode unusable.

5) Conclusion

Finally we got the point that memory leakages are extremely useful in modern exploitation to bypass DEP, ASLR protections. It would be possible to find same atom confusion situation and other object leakage in adobe flash player. Kudos to haifei li for his great research, although it was not that simple to implement a reliable exploit with just slides without attending in talk.

6) Refrences

http://www.cansecwest.com/csw11/Flash_ActionScript.ppt

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

7) Exploit-Code

Here you can get our reliable exploit against windows 7 :

calc.exe payload

Download : CVE-2010-3654_Win7

if you need other payloads for sure you know how to change it ;)

as always feedbacks are welcomed and you can follow @abysssec in twitter to getting updates .

Happy Hunting !

Hacking / Exploiting / Cheating in Online Games

Hello to all readers.

we know that there are thousands and millions of online game players around and we guess lots of them may like to cheat this is our totally offensive research that we did to present in immunity infiltrate and as we missed that so here we go .

 

This research is about hacking /exploiting / cheating in online games and is sponsored by immunity.

 

This is a six part talk and contains:

 

Part I   : introduction

Part II: Hacking Online Game Servers

Part III: Exploiting Online Games

Part IV: Cheating in Online games

Part V   : Creating your own cheats

Part VI: Bypassing anti-cheat engines

 

Real world cheating is mainly focused on in this talk as it’s fun and legal.
During this talk we will have a tour into all the ways to manipulate an online game
and we will end up with bypassing the latest anti-cheating technologies and
manipulating the game to our heart’s desire.

 

Our case studies are:

 

1 -counter strike (half-life) as game:

 

2- SXE-Injected and Valve-anti cheat (VAC) as anti-cheat engines

Our codes will be release soon as soon we can but if you are hurry to use some cheats you can find almost all necessary codes in slides also there is two demos for proofing our research. We really enjoyed this research and it’s done from our side hope you enjoy too.

 

You can download slides here:

ppt : Exploiting-Online-Games

Font : in case if you have problem with embedded one

PDF : Exploiting-Online-Games

PS 1 : video demos are ready but due to those are huge we need to find a better way to compress them after that we will post them here.

PS 2 : Tools will be release after a while .

For getting updates about tools / videos please follow @abysssec in twitter.

 

For any question please contact:

 

Shahin [at] abysssec.com

 

For any other requirement please contact:

 

Info [at] abysssec.com

 

Kind Regards

Categories


Get Adobe Flash player