13 Jan

DOMSDAY Analyzing a DOM-Based XSS in Yahoo!

Posted by shahin in advisory, Exploits / BUG Decryption, news | Tags :2013, DOM-based, DOM-XSS, E-mail-Hacking, Hacking, Mail, Web-Mail, XSS, Yahoo!, Yahoo!-Mail, Yahoo-Hack, Yahoo-XSS | Comments Off

DOMSDAY

Analyzing a DOM-Based XSS in Yahoo!

Yahoo-Exploit

hello again to all great readers

before going future i want talk a bit about abysssec. i want to talk about abysssec, in 5 years I worked as a CTO In abysssec and I had a very great the time in team. What I want to write now is actually my last post (as CTO) from abysssec team (maybe i write as guest in future). that’s it after ~5 year I finally want to leave home to new home with best wishes for abysssec new management team. so good or bad i hope you enjoyed my works i as did in abysssec. abysssec team will work as always and like before just with new management team as will share information just like before.

So finally you can follow me on twitter with @ShahinRamezany (@abysssec account twitter will be managed by new management team) for my new company news and also our long waited training classes.

Yahoo! vulnerability :

as you may read in news Yahoo! recently fixed a DOM-based cross site scripting in one of strongly used JS files. and as i promised i want share PoC and step by step article about finding and exploiting this vulnerability.

so here is paper abstract.

Abstract

As a security researcher in my free time I spend my time on both application and web application security. During one of my researches while I was focusing on auditing JavaScript codes I spent some time on Alexa top ranks and their JS libraries to see what I can find in theme. So I started working on apple, FaceBook, Yahoo! I just surprised I found few issues on all of them! And in this article I want to explain one of my cool findings on Yahoo! Mail which can be used to completely compromise an account.

According to Wikipedia[1], Yahoo mail has around 310 million users in October 2011 so any serious vulnerabilities puts millions of users in risk. Finding XSS in Yahoo! is not a new thing and is not that so hard. Reason of creating this article is not just proofing Yahoo! is vulnerable and it’s about how easy is to find and exploit vulnerabilities in well-known websites.

So in this short paper we will review on 5 steps.

Introduction
Step I : Steps to finding vulnerability
Step II : Triggering and analyzing the vulnerability
Step III : Exploiting the vulnerability
Step IV : Hijacking user accounts
Step V : Patching the vulnerability
Yahoo incomplete patch
Appendix : Demo
Appendix II : Dominator to rescue
Credits / References

Paper Download link

http://abysssec.com/files/Yahoo!_DOMSDAY.pdf

http://www.exploit-db.com/wp-content/themes/exploit/docs/24109.pdf

PoC Demo

you can watch demo here :

also you can download it from here

update : youtube removed video after ~30K viewers and i don’t know why …

press links :

http://thenextweb.com

http://threatpost.com/

http://news.softpedia.com/

http://www.computerworld.com/

http://news.hitb.org/

http://thenextweb.com/

http://www.offensive-security.com/

http://www.scmagazine.com/

http://www.ehackingnews.com/

http://allthingsd.com/

http://www.securityweek.com/

http://www.isssource.com/

i know it’s too late but happy new years !

be safe

Shahin Ramezany

[1] http://en.wikipedia.org/wiki/Yahoo!_Mail

15 Jun

Exploiting Admin Functionality in WordPress Using ClickJacking

Posted by shahin in advisory, Exploits / BUG Decryption, news, Pen-test Method, security | Tags :0day, clickjacking, PoC, UI Redressing, wordpress, WP | Comments Off

hello all

it’s been a while after writing a post and you may know Abysssec mostly write about application security but we are working on web apps too . in this post we are gonna talk about funny case of wordpress exploitation using ClickJacking technology. as you may know Wordpress Admin panel has x-frame-option which prevent clickjacking but in main page of blog no x-frame-option has been set, so it possible to trick him and make him to post a comment, using Clickjacking. As you may know admin can post comment with html and it is obvious by default this isn’t dangerous, But as blog main page has no x-frame-option it is possible to make XSS of it and finally you can mix ClickJacking /XSS / HTTPOnly Disclosure to make a working exploit.

here is video of PoC sorry for hosting we have some issue we will upload on abysssec soon :

http://abysssec.com/files/WordPress_ClickJack.rar

WordPress is aware of unfiltered html with superadmin user but as you can see it’s still possible to exploit the issue .

we reported this so called issue to wordpress ~2 month ago

the answer we got is :

5/4/2012:

Thank you for the report. We're looking into this and will get back to you soon.

5/16/2012:

Sorry for the delayed reply. We've been discussing how best to do this without inconveniencing users.  At the moment we're considering adding the unfiltered_html nonce via JS when the page is not framed. I'll hopefully have a patch to share soon.

Thanks all

happy blogging !

18 Jul

Analysis of CVE-2011-0041 vulnerability in GDI+

Posted by shahin in advisory, Exploits / BUG Decryption, reversing | Tags :BA, binary analysis, Bounty, CVE-2011-0044, exploit, GDI+, metasploit, MSF, VUPEN | Comments Off

Abysssec Research

we tried for other case in exploit bounty this time for a 500$ one .

no luck for successful exploitation and to be honest we didn’t tried so hard . at least we got a PoC and here is our analysis for this cool bug.

1) Advisory information

Title : GDI+ CreateDashedPath Integer overflow in gdiplus.dll

Discovery : Nicolas july from vupen

Analysis : Abysssec.com

Vendor : http://www.microsoft.com

Impact : High

Contact : info [at] abysssec.com

Twitter : @abysssec

CVE : CVE-2011-0041

2) Vulnerable version

Gdiplus.dll 5.2.6001.22319

3) Vulnerability information

Class

1-Integer overflow

Impact

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of vulnerable application or cause denial-of-service conditions.

Remotely Exploitable

Yes

Locally Exploitable

Yes

4) Vulnerabilities detail

The vulnerability exists in gdiplus!GpPath::CreateDashedPath function of gdiplus.dll that is responsible for bitmap drawing and other 2d graphic rendering. EMF+ file is one of the image file format that is rendered by the library. And the vulnerability is based on some floating point calculation of an EMF+ path object.

We made the following proof of concept to trigger the issues and it will be explained more:

A little taste of file format we simply put a EMF_COMMENT record (id = 0×00000046) and embed and emf+ geraphic object ( id = 0×00004008 ) . For simplicity we ripped out a valid graphic object from another file and started to play with it. The record have two important area that we highlighted them in the above picture.

Here is the faulty code:

.text:4ECFCBAD loc_4ECFCBAD:

.text:4ECFCBAD mov eax, esi

.text:4ECFCBAF shl eax, 3

.text:4ECFCBB2 cmp [ebp+lpMem], 0

.text:4ECFCBB6 push eax ; dwBytes

.text:4ECFCBB7 jz short loc_4ECFCBCE

.text:4ECFCBB9 push [ebp+lpMem] ; lpMem

.text:4ECFCBBC call GpRealloc(x,x)

.text:4ECFCBC1 test eax, eax

.text:4ECFCBC3 jz loc_4ECFCCDB

.text:4ECFCBC9 mov [ebp+lpMem], eax

.text:4ECFCBCC jmp short loc_4ECFCBDE

.text:4ECFCBCE ; —————————————————————————

.text:4ECFCBCE

.text:4ECFCBCE loc_4ECFCBCE:

.text:4ECFCBCE call GpMalloc(x)

.text:4ECFCBD3 test eax, eax

.text:4ECFCBD5 mov [ebp+lpMem], eax

.text:4ECFCBD8 jz loc_4ECFCCDB

The above code uses the eax register as arguments to the GpMalloc function. GpMalloc is simply a gdi version of heapAlloc function. The value of eax register is based on various floating point calculation that is not simple to examine at first look.

But I traced the value of eax register and it seems the calculations are based on our values mentioned earlear in the file. And it doesn’t bound checked well, by changing the path value tricky it is possible when the “shl eax, 3” instruction multiply the value by 8 we get an integer overflow and in turn a faulty heap allocation.

I dynamically traced the values with my proof of concept file. Eax register is equall to eax + [ebp-38] * 10 and as there are a lot of values and calculations before that, for better consideration I made the following diagram:

It took a lot of time explanation of all of the variables above but, the important one is the GpPath object that is in the code a clone of the object is made to later be manipulated for drawings.

.text:4ECFC9D9 loc_4ECFC9D9: ; CODE XREF: GpPath::CreateDashedPath(DpPen const *,GpMatrix const *,float,float,float,int)+1AAj

.text:4ECFC9D9 fld dword ptr [esi+eax*4]

.text:4ECFC9DC fmul [ebp+arg_0]

.text:4ECFC9DF fstp dword ptr [esi+eax*4]

.text:4ECFC9E2 inc eax

.text:4ECFC9E3 cmp eax, [ebp+arg_4]

.text:4ECFC9E6 jl short loc_4ECFC9D9

.text:4ECFC9E8

.text:4ECFC9E8 loc_4ECFC9E8:

.text:4ECFC9E8 mov ecx, [ebp+var_18] ; Src

.text:4ECFC9EB call GpPath::Clone(void)

.text:4ECFC9F0 mov edi, eax

.text:4ECFC9F2 test edi, edi

.text:4ECFC9F4 jz loc_4ECFCDBA

.text:4ECFC9FA mov eax, [edi]

.text:4ECFC9FC mov ecx, edi

.text:4ECFC9FE call dword ptr [eax+4]

After calling the clone, it checks whether it is a valid clone or not at address 4ECFC9FE.

The offset +34h of the object contains a pointer to our 4byte path object values.

0:000> dd ecx

0e03ca50 4ec67e58 68745031 00000000 00000000

0e03ca60 0e03ca74 0e03ca74 00000010 00000010

0e03ca70 00000002 00000100 00000000 00000000

0e03ca80 00000000 0e03ca98 0e03ca98 00000010

0e03ca90 00000010 00000002 449a8eab 458ac500

0e03caa0 449a8eab 4e0000fe 00000000 00000000

0e03cab0 00000000 00000000 00000000 00000000

0e03cac0 00000000 00000000 00000000 00000000

Our floating point values in the file format:

0e03ca98 449a8eab 458ac500 449a8eab 4e0000fe

0e03caa8 00000000 00000000 00000000 00000000

But there are some modifications on our values before we get the faulty code. First after the clone is performed GpPath::Flatten function made some changes to our values based on a transform matrix in the file. So this is cause of the highlighted 6 DWORDs in the file.

.text:4ECFC9FE call dword ptr [eax+4]

.text:4ECFCA01 test eax, eax

.text:4ECFCA03 jz loc_4ECFCDBA

.text:4ECFCA09 fld ds:flt_4ECB80FC

.text:4ECFCA0F push ecx ; float

.text:4ECFCA10 lea eax, [ebp+var_F8]

.text:4ECFCA16 fstp [esp+108h+var_108]

.text:4ECFCA19 push eax ; int

.text:4ECFCA1A mov ecx, edi

.text:4ECFCA1C call GpPath::Flatten(GpMatrix const *,float)

.text:4ECFCA21 cmp [ebp+var_2C], 0

Flattened GpPath object values:

0:000> dd poi(edi+34)

0e03cd18 449a7eab 458ac100 449a7eab 4e0000fd

0e03cd28 00000000 00000000 00000000 00000000

And after that our changed GpPath object is sent to calculateGradiantArray and some array of floating point values are made based on its calculation.

There are many other default floating point values has effects on the value of the overflowing size for GpMalloc that are not so interesting and I’ve just shown them on the diagram.

After the calculation integer wrapped, the heap allocated by the gpMalloc function is not big enough to hold our data. So in next uses of the wrapped allocated heap the corruption occurs. But it seems there is not a straight way of exploiting such heap corruptions using a standalone file. .

PoC link   : http://abysssec.com/files/GDI_PoC.zip

3 Jul

DEP/ASLR bypass using 3rd party + Clarification

Posted by shahin in advisory, Exploits / BUG Decryption, news | Tags :Arashi, ASLR, Bounty, bypass, Clarification, DEP, exploiting, Ikazuchi, ROP, Sugokunai, tatsumaki, WP | 1 Comment

hello again to all of our great readers .

is this post we are going to do some clarification also share and drop some random 0day DEP/ASLR bypass using 3rd parties .

due to there is lots of things to say we wrote all the notes as an article called “The Arashi”.

Table of content :

===============================================================

Introduction and warning

The Story of Sayonara

First Method: ASLR Bitter

Second Method: Process Explorer

Narly Windbg Extension

Mona / PVEFindAddr

Ropping this fun DLL

First 0day tatsumaki

Second (half) 0day Ikazuchi

Third 0day Sugokunai

Final Note

===============================================================

and finally here you can download it from : here

note that the offer in paper will be expire in 10 day so if you are verified and need one of modules let us know .

as always feel free to contact us : info [at] abysssec.com

and also follow @abysssec in twitter

18 Apr

Exploiting Adobe Flash Player on Windows 7

Posted by shahin in advisory, Exploits / BUG Decryption, Fuzzing / Auditing, reversing | Tags :0day, CVE2010-3654, exploit, IE8, win7, windows7 | Comments Off

Hello again . as a lot of readers like windows 7 exploits here is other one .

1) Advisory information

Title : Adobe Flash player Action script type confusion

Version : flash10h.dll

Discovery : Malware writers

Exploit : abysssec.com

Vendor : http://www.adobe.com

Impact : Critical

Contact : info [at] abysssec.com

Twitter : @abysssec

CVE : CVE-2010-3654

2) Vulnerable version

Adobe Flash Player 10.1.53 .64 prior versions

3) Vulnerability information

Class

1- Type Confusion

Impact

Successfully exploiting this issue allows remote attackers to execute code under the context of targeted browser.

Remotely Exploitable

Yes

Locally Exploitable

Yes

4) Vulnerability detail

Here we have type confusion vulnerability in ActionScript bytecode language. The cause of these vulnerabilities is because of implementation of verification process in AS3 jit engine that because of some miscalculation in verifying datatype atoms, some data replaces another type of data and the confusion results in faulty machine code.

Action script has the following structure. First our scripts are compiled using an action script compiler like flex to AS3 ByteCodes and embed it to DoABC, DoAction or DoInitAction tags in swf file format. When flash player opens the swf file, bytecodes are compiled to a jitted machine code through verification and generation process. Verification process is responsible for checking bytecodes to be valid instructions and it pass the valid bytecodes to generation process, thus generation process produces the machine code in memory.

According to Dion Blazakis’s JIT Spray paper:

To handle this runtime typing requirement, the ActionScript interpreter represents internal objects using tagged pointers – internal, this object is called an “atom”. Tagged pointers are a common implementation technique to differentiate between those objects stored by value and those stored by reference using the same word sized memory cell. A tagged pointer stores type information in the least significant bits and stores a type specific values in the most significant bits. As shown in Illustration 1, the ActionScript atom is 32 bits wide; it allocates 3 bits to store the type information and uses 29 bits for the value.

So if it would be possible to confuse verifier too act an atom as another atom by some bytecode changes it would be possible to generate faulty code that most of the times lead to disclosing a vtable pointer call to the attacker.

The bug is perfectly presented in Haifei li recent slides. We have OriginalClass and RefClass with the same functions. Func1 – OriginalClass return a class objects, but Func1 – RefClass returns another type. By changing a byte in the bytecode we have confused AS3 to execute RefClass functions in the main class. After that verifier confuses the return type of the function with an OriginalClass object and generate faulty code with the vtable under the control of the return value.

Exploitation:

For exploitation purpose on recent protections on windows 7 without any 3^rd party, it is possible to use the same bug many times to leak the imageBase address and payload address. In our exploit we used three confusion to read String Objects address and accordingly imagebase address.

Step1: read shellcode string object pointer by confusing it with uint and use it to leak ImageBase.

Step2: leak address of the shellcode with the same pointer and NewNumber trick.

Step3: send imageBase & shellcode address as parameters to the RopPayload function, develop Rop payload string and again confuse the return value with uint to read address of RopPayload string.

Step4: send address of the rop payload as parameters to the last confused function that confuses string type with class object. And thus address of our rop payload will be used as vtable in the fake class object.

Note: In using strings as a buffer for shellcode in action script, it is important to use alphanumeric characters because the toString method converts our ascii character set to uincode thus make our shellcode unusable.

5) Conclusion

Finally we got the point that memory leakages are extremely useful in modern exploitation to bypass DEP, ASLR protections. It would be possible to find same atom confusion situation and other object leakage in adobe flash player. Kudos to haifei li for his great research, although it was not that simple to implement a reliable exploit with just slides without attending in talk.

6) Refrences

http://www.cansecwest.com/csw11/Flash_ActionScript.ppt

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

7) Exploit-Code

Here you can get our reliable exploit against windows 7 :

calc.exe payload

Download : CVE-2010-3654_Win7

if you need other payloads for sure you know how to change it ;)

as always feedbacks are welcomed and you can follow @abysssec in twitter to getting updates .

Happy Hunting !

21 Mar

Hacking / Exploiting / Cheating in Online Games

Posted by shahin in advisory, news, reversing, security, Uncategorized | Tags :aimbot, Aimbot.dll, bypass, cheat, counter strike, cs 1.6, flashhack, hack, half-life, hook, noflash, nosmoke, ring0, shahin, smokehack, speedhack, SXE 11.6, SXE 11.6 Fix 2, SXE-Injected, unhook, VAC, VAC 2, Valve Anti Cheat, wallhack, world of warcraft, wow, WPE | Comments Off

Hello to all readers.

we know that there are thousands and millions of online game players around and we guess lots of them may like to cheat this is our totally offensive research that we did to present in immunity infiltrate and as we missed that so here we go .

This research is about hacking /exploiting / cheating in online games and is sponsored by immunity.

This is a six part talk and contains:

Part I : introduction

Part II: Hacking Online Game Servers

Part III: Exploiting Online Games

Part IV: Cheating in Online games

Part V : Creating your own cheats

Part VI: Bypassing anti-cheat engines

Real world cheating is mainly focused on in this talk as it’s fun and legal.
During this talk we will have a tour into all the ways to manipulate an online game
and we will end up with bypassing the latest anti-cheating technologies and
manipulating the game to our heart’s desire.

Our case studies are:

1 -counter strike (half-life) as game:

2- SXE-Injected and Valve-anti cheat (VAC) as anti-cheat engines

Our codes will be release soon as soon we can but if you are hurry to use some cheats you can find almost all necessary codes in slides also there is two demos for proofing our research. We really enjoyed this research and it’s done from our side hope you enjoy too.

You can download slides here:

ppt : Exploiting-Online-Games

Font : in case if you have problem with embedded one

PDF : Exploiting-Online-Games

PS 1 : video demos are ready but due to those are huge we need to find a better way to compress them after that we will post them here.

PS 2 : Tools will be release after a while .

For getting updates about tools / videos please follow @abysssec in twitter.

For any question please contact:

Shahin [at] abysssec.com

For any other requirement please contact:

Info [at] abysssec.com

Kind Regards

22 Oct

Adobe Shockwave player rcsL chunk memory corruption 0day

Posted by shahin in advisory, Exploits / BUG Decryption | Comments Off

1) Advisory information

Title : Adobe Shockwave player rcsL chunk memory corruption

Version : Shockwave player 11.5.8.612

Discovery : http://abysssec.com

Vendor : http://www.adobe.com

Impact : Critical

Contact : shahin [at] abysssec.com , info [at] abysssec.com

Twitter : @abysssec

CVE : ZeroDay Not Patched

2) Vulnerable version

Shockwave Player 11.5.8.612 last version

3) Vulnerability information

Class

1- Memory corruption allow command execute

Impact

Successfully exploiting this issue allows remote attackers to execute arbitrary code or cause denial-of-service conditions.

Remotely Exploitable

Yes

Locally Exploitable

Yes

4) Vulnerabilities detail

Introduction

Shockwave player is a plug in for loading Adobe Director video files in to the browser. Director movies have DIR or compressed format of DCR. DIR file format is based on RIFF based formats. RIFF formats start with a 4byte RIFX identifier and length of the file. And subsequently chunks come together with format of 4byte chunk identifier + size of chunk + data. Some of the chunk identifiers are tSAC, pami, rcsL.

By help of our simple fuzzer we have manipulated a director movie file and found a vulnerability in part of an existing rcsL chunk.

Vulnerability explanation

There is a 4bytes value in the undocumented rcsL chunk in our sample director movie and it may be possible to find similar rcsL chunks in other director samples. The 4bytes so called value can be manipulated to reach the vulnerable part of function 68122990. Here is the function:

.text:68122990 sub_68122990 proc near ; CODE XREF: sub_68112120+1A57p

.text:68122990 ; DATA XREF: sub_68122F30+4AAo

.text:68122990

.text:68122990 var_8 = dword ptr -8

.text:68122990 var_4 = dword ptr -4

.text:68122990 arg_0 = dword ptr 4

.text:68122990 arg_4 = dword ptr 8

.text:68122990

.text:68122990 sub esp, 8

.text:68122993 mov eax, [esp+8+arg_4]

.text:68122997 push ebx

.text:68122998 push ebp

.text:68122999 push esi

.text:6812299A mov esi, [esp+14h+arg_0]

.text:6812299E push edi

.text:6812299F push eax

.text:681229A0 push esi

.text:681229A1 call sub_680FC6D0

.text:681229A6 mov ecx, [esi+18h]

.text:681229A9 mov edx, [esi+10h]

.text:681229AC mov ebp, [esi+1Ch]

.text:681229AF mov ebx, [esi+20h]

.text:681229B2 add ecx, 0FFFFFFF8h

.text:681229B5 cmp ebp, 3

.text:681229B8 mov [esp+18h+arg_0], eax

.text:681229BC mov [esi+18h], ecx

.text:681229BF mov eax, [edx]

.text:681229C1 mov edx, [eax+ecx]

.text:681229C4 lea edi, [esi+1Ch]

.text:681229C7 mov [edi], edx

.text:681229C9 mov eax, [eax+ecx+4]

.text:681229CD mov [edi+4], eax

.text:681229D0 mov [esp+18h+var_8], 4

.text:681229D8 mov [esp+18h+var_4], 0

.text:681229E0 jz short loc_681229F6

.text:681229E2 push ebx

.text:681229E3 push ebp

.text:681229E4 push 0Ch

.text:681229E6 push esi

.text:681229E7 call sub_680FCFB0

.text:681229EC pop edi

.text:681229ED pop esi

.text:681229EE pop ebp

.text:681229EF pop ebx

.text:681229F0 add esp, 8

.text:681229F3 retn 8

.text:681229F6 ; —————————————————————————

.text:681229F6

.text:681229F6 loc_681229F6: ; CODE XREF: sub_68122990+50j

.text:681229F6 mov ecx, [ebx]

.text:681229F8 mov edx, [ecx]

.text:681229FA mov ecx, [esp+18h+arg_0]

.text:681229FE lea eax, [esp+18h+var_8]

.text:68122A02 push eax

.text:68122A03 push ecx

.text:68122A04 push ebx

.text:68122A05 push esi

.text:68122A06 call dword ptr [edx+2Ch]

.text:68122A09 mov ecx, [esi+7Ch]

.text:68122A0C test ecx, ecx

.text:68122A0E jz short loc_68122A22

.text:68122A10 push ebx

.text:68122A11 push ebp

.text:68122A12 push esi

.text:68122A13 call sub_680FC730

.text:68122A18 pop edi

.text:68122A19 pop esi

.text:68122A1A pop ebp

.text:68122A1B pop ebx

.text:68122A1C add esp, 8

.text:68122A1F retn 8

.text:68122A22 ; —————————————————————————

.text:68122A22

.text:68122A22 loc_68122A22: ; CODE XREF: sub_68122990+7Ej

.text:68122A22 test eax, eax

.text:68122A24 jnz loc_68122AAC

.text:68122A2A push esi

.text:68122A2B call sub_680FD9D0

.text:68122A30 push edi

.text:68122A31 push esi

.text:68122A32 mov [edi], ebp

.text:68122A34 mov [edi+4], ebx

.text:68122A37 call sub_680FC7C0

.text:68122A3C push esi

.text:68122A3D call sub_680FD9D0

.text:68122A42 mov eax, [esp+18h+arg_4]

.text:68122A46 mov edx, [esi+28h]

.text:68122A49 mov [esi+0A4h], eax

.text:68122A4F mov dword ptr [esi+20h], 80000001h

.text:68122A56 mov ecx, [edx]

.text:68122A58 lea eax, [eax+eax*2]

.text:68122A5B push esi

.text:68122A5C call dword ptr [ecx+eax*8+20h]

.text:68122A60 mov eax, [esi+7Ch]

.text:68122A63 test eax, eax

.text:68122A65 jz short loc_68122A85

.text:68122A67 cmp eax, 4

.text:68122A6A jnz short loc_68122ACE

.text:68122A6C mov edx, [esp+18h+arg_0]

.text:68122A70 push edx

.text:68122A71 push 8

.text:68122A73 push 37h

.text:68122A75 push esi

.text:68122A76 call sub_680FD040

.text:68122A7B pop edi

.text:68122A7C pop esi

.text:68122A7D pop ebp

.text:68122A7E pop ebx

.text:68122A7F add esp, 8

.text:68122A82 retn 8

.text:68122A85 ; —————————————————————————

.text:68122A85

.text:68122A85 loc_68122A85: ; CODE XREF: sub_68122990+D5j

.text:68122A85 mov eax, [edi]

.text:68122A87 mov ecx, [edi+4]

.text:68122A8A mov edx, [esi+10h]

.text:68122A8D mov [esp+18h+var_8], eax

.text:68122A91 mov eax, [esi+18h]

.text:68122A94 add eax, 0FFFFFFF8h

.text:68122A97 mov [esp+18h+var_4], ecx

.text:68122A9B mov [esi+18h], eax

.text:68122A9E mov ecx, [edx]

.text:68122AA0 mov edx, [ecx+eax]

.text:68122AA3 mov [edi], edx

.text:68122AA5 mov eax, [ecx+eax+4]

.text:68122AA9 mov [edi+4], eax

.text:68122AAC

.text:68122AAC loc_68122AAC: ; CODE XREF: sub_68122990+94j

.text:68122AAC push ebx

.text:68122AAD push ebp

.text:68122AAE push esi

.text:68122AAF call sub_680FC730

.text:68122AB4 mov eax, [esi+7Ch]

.text:68122AB7 test eax, eax

.text:68122AB9 jnz short loc_68122ACE

.text:68122ABB push esi

.text:68122ABC call sub_680FD9D0

.text:68122AC1 mov ecx, [esp+18h+var_8]

.text:68122AC5 mov edx, [esp+18h+var_4]

.text:68122AC9 mov [edi], ecx

.text:68122ACB mov [edi+4], edx

.text:68122ACE

.text:68122ACE loc_68122ACE: ; CODE XREF: sub_68122990+DAj

.text:68122ACE ; sub_68122990+129j

.text:68122ACE pop edi

.text:68122ACF pop esi

.text:68122AD0 pop ebp

.text:68122AD1 pop ebx

.text:68122AD2 add esp, 8

.text:68122AD5 retn 8

.text:68122AD5 sub_68122990 endp

In the above function we have direct control on the second argument of the function. By manipulating the argument in rcsL chunk we reach to an indirect call that is based on our arguments:

.text:68122A42 mov eax, [esp+18h+arg_4]

.text:68122A46 mov edx, [esi+28h]

.text:68122A49 mov [esi+0A4h], eax

.text:68122A4F mov dword ptr [esi+20h], 80000001h

.text:68122A56 mov ecx, [edx]

.text:68122A58 lea eax, [eax+eax*2]

.text:68122A5B push esi

.text:68122A5C call dword ptr [ecx+eax*8+20h]

The above code is our vulnerable part. EAX register is set with second argument that we have control on it and ESI is first argument of the function and is a pointer to a dynamic allocated structure in heap. Value of offset 28h of the structure that is unknown is set in ECX register and finally an indirect call to the ‘ECX+EAX*24+20h’ is done. Because result of EAX*24 is a large value and we have complete control on EAX register we can almost control first byte of our indirect call pointer without the need of ECX register.

Exploitation :

For exploitation purpose because we don’t have a fixed address in our call we cannot control the execution flow to an exact value but we can jump to a specific range because we have control on first bytes of the pointer of indirect call. So here by abusing javascript we can use old-school heap spray technic to fill memory with nops+shellcode and call to this range.

To control the 4 bytes EAX register in our exploit we manipulated 4bytes at offset 4C4B of the file to value FFF00267.

An important hint here is that because we call the indirect pointer the EIP is set to nops itself. As you know an EIP of 90909090 is invalid. But we can use other opcodes as nopslides that doesn’t have any effect. In our test sample we used 0a0a0a0a as both base range of heap spray and nopslides because 0a0a opcode is an OR instruction on some unimportant registers.

The sample + exploit are tested on patched windows XP service pack 3.

here is exploit + binary analysis link:

http://abysssec.com/files/Adobe_Shockwave_Director_rcsL_Chunk_Memory_Corruption.zip

Proof Video : Here

PS 1 : this vulnerability is not patched bug released by ZDI http://www.zerodayinitiative.com/advisories/ZDI-10-162/

PS 2 : it’s possible to exploit this vulnerability on modern windows like Vista/7 too and it’s up to readers …

MOAUB – Day by Day

Posted by shahin in advisory, Exploits / BUG Decryption, news, reversing, security | Tags :0day, binary analysis, exploit, exploit-db, metasploit, microsoft, MOAUB, shahin, shahin ramezany | Comments Off

Yes ! finally MOAUB (Month of Abysssec Undisclosed Bugs) started and finished as well.

Month of all User Bugs

Good Or Bad we released lots of 0days and binary analyses during a month (September) and you can use these info for owning websites UN-patched clients or writing more secure applications .

here is summary:

Day1:

Binary Analysis:

MOAUB #1 – Adobe Acrobat Reader and Flash Player “newclass” invalid pointer

MOAUB #1 – Adobe Acrobat Reader and Flash Player “newclass” invalid pointer – Binary Analysis

0day:

MOAUB #1 – Cpanel PHP Restriction Bypass Vulnerability 0day

———————————————————————————–

Day2:

Binary Analysis:

MOAUB #2 – Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability

MOAUB #2 – Apple QuickTime FlashPix NumberOfTiles Vulnerability – Binary Analysis

0day:

MOAUB #2 – Rainbowportal Multiple Remote Vulnerabilities

MOAUB #2 – Rainbowportal Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day3:

Binary Analysis:

MOAUB #3 – Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution

MOAUB #3 – Trend Micro Internet Security Pro 2010 ActiveX extSetOwner – Binary Analysis

0day:

MOAUB #3 – Visinia 1.3 Multiple Vulnerabilities

MOAUB #3 – Visinia CMS Multiple Vulnerabilities – 0day

———————————————————————————–

Day4:

Binary Analysis:

MOAUB #4 – Movie Maker Remote Code Execution (MS10-016)

MOAUB #4 – Movie Maker Remote Code Execution (MS10-016) – Binary Analysis

0day:

MOAUB #4 – syndeocms 2.8.02 Multiple Vulnerabilities

MOAUB #4 – Syndeocms 2.8.02 Multiple Vulnerabilities – 0day

———————————————————————————–

Day5:

Binary Analysis:

MOAUB #5 – Microsoft MPEG Layer-3 Remote Command Execution Exploit

MOAUB #5 – Microsoft MPEG Layer-3 Remote Command Execution – Binary Analysis

0day:

MOAUB #5 – IfNuke Multiple Remote Vulnerabilities 0day

———————————————————————————–

Day6:

Binary Analysis:

MOAUB #6 – HP OpenView NNM webappmon.exe execvp_nc Remote Code Execution

MOAUB #6 – HP OpenView NNM webappmon execvp_nc Remote Code Execution – Binary Analysis

0day:

MOAUB #6 – InterPhoto Gallery Multiple Remote Vulnerabilities

MOAUB #6 – InterPhoto Gallery Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day7:

Binary Analysis:

MOAUB #7 – Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow

0day:

MOAUB #7 – DynPage <= v1.0 Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day8:

Binary Analysis:

MOAUB #8 – Microsoft Office Visio DXF File Stack based Overflow

MOAUB #8 – Microsoft Office Visio DXF File Stack based Overflow – Binary Analysis

0day:

MOAUB #8 – Sirang Web-Based D-Control Multiple Remote Vulnerabilities

MOAUB #8 – Sirang Web-Based D-Control Multiple Remote Vulnerabilities – 0 day

———————————————————————————–

Day9:

Binary Analysis:

MOAUB #9 – Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability

0day:

FestOS CMS 2.3b Multiple Remote Vulnerabilities

MOAUB #9 – FestOS CMS 2.3b Multiple Remote Vulnerabilities

———————————————————————————–

Day10:

Binary Analysis:

MOAUB #10 – Excel RTD Memory Corruption

0day:

MOAUB #10 – aradBlog Multiple Remote Vulnerabilities

———————————————————————————–

Day11:

Binary Analysis:

MOAUB #11 – Microsoft Office Word 2007 sprmCMajority Buffer Overflow

0day:

MOAUB #11 – ASP Nuke SQL Injection Vulnerability

MOAUB #11 – ASP Nuke Sql Injection Vulnerability

———————————————————————————–

Day12:

Binary Analysis:

MOAUB #12 – Adobe Acrobat and Reader “pushstring” Memory Corruption

0day:

MOAUB #12 – eshtery CMS SQL Injection Vulnerability

———————————————————————————–

Day13:

Binary Analysis:

MOAUB #13 – RealPlayer FLV Parsing Integer Overflow

0day:

MOAUB #13 – Luftguitar CMS Vulnerability: Upload Arbitrary File

———————————————————————————–

Day14:

Binary Analysis:

MOAUB #14 – Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow

MOAUB #14 – Novell iPrint Client Browser Plugin ExecuteRequest debug Stack Overflow

0day:

MOAUB #14 – FreeDiscussionForums v1.0 Multiple Remote Vulnerabilities

———————————————————————————–

Day15:

Binary Analysis:

MOAUB #15 – Ipswitch Imail Server List Mailer Reply-To Address Memory Corruption

0day:

MOAUB #15 – PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities

———————————————————————————–

Day16:

Binary Analysis:

MOAUB #16 – Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability

0day:

MOAUB #16 – mojoportal Multiple Remote Vulnerabilities

———————————————————————————–

Day17:

Binary Analysis:

MOAUB #17 – Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution

0day:

MOAUB #17 – phpmyfamily Multiple Remote Vulnerabilities

———————————————————————————–

Day18:

Binary Analysis:

MOAUB #18 – Apple QuickTime FLI LinePacket Remote Code Execution Vulnerability

0day:

MOAUB #18 – CMSimple XSRF Vulnerability

MOAUB #18- CMSimple XSRF Vulnerability

———————————————————————————–

Day19:

Binary Analysis:

MOAUB #19 – Novell iPrint Client Browser Plugin call-back-url Stack Overflow

0day:

MOAUB #19 – JMD-CMS Multiple Remote Vulnerabilities

———————————————————————————–

Day20:

Binary Analysis:

MOAUB #20 – Java CMM readMabCurveData Stack Overflow

0day:

MOAUB #20 – VWD-CMS CSRF Vulnerability

———————————————————————————–

Day21:

Binary Analysis:

MOAUB #21 – Microsoft Excel WOPT Record Parsing Heap Memory Corruption

0day:

MOAUB #21 – Personal.Net Portal Multiple Vulnerabilities

———————————————————————————–

Day22:

Binary Analysis:

MOAUB #22 – Adobe Shockwave Director tSAC Chunk Memory Corruption

0day:

MOAUB #22 – gausCMS Multiple Vulnerabilities

———————————————————————————–

Day23:

Binary Analysis:

MOAUB #23 – Adobe Acrobat Reader and Flash ‘newfunction’ Remote Code Execution Vulnerability

0day:

MOAUB #23 – Microsoft Excel HFPicture Record Parsing Memory Corruption (0day)

———————————————————————————–

Day24:

Binary Analysis:

MOAUB #24 – Microsoft Excel OBJ Record Stack Overflow

0day:

MOAUB #24 – Microsoft MPEG Layer-3 Audio Decoder Division By Zero

———————————————————————————–

Day25:

Binary Analysis:

MOAUB #25 – Mozilla Firefox CSS font-face Remote Code Execution Vulnerability

0day:

MOAUB #25 – VisualSite CMS v1.3 Multiple Vulnerabilities

———————————————————————————–

Day26:

Binary Analysis:

MOAUB #26 – Microsoft Cinepak Codec CVDecompress Heap Overflow

0day:

MOAUB #26 – Zenphoto Config Update and Command Execute Vulnerability

———————————————————————————–

Day27:

Binary Analysis:

MOAUB #27 – Microsoft Internet Explorer MSHTML Findtext Processing Issue

0day:

MOAUB #27 – ndCMS Sql Injection Vulnerability

———————————————————————————–

Day28:

0day:

MOAUB #28 – JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability

0day:

MOAUB #28 – AtomatiCMS Upload Arbitrary File Vulnerability

———————————————————————————–

Day29:

Binary Analysis:

MOAUB #29 – Microsoft Excel SxView Record Parsing Heap Memory Corruption

Day30:

Binary Analysis:

MOAUB #30 – Microsoft Unicode Scripts Processor Remote Code Execution

0day:

MOAUB #30 – ASPMass Shopping Cart Vulnerability File Upload CSRF

———————————————————————————–

Press :

Exploit-Database

Dark-Reading

NetworkAsia

ITBusinessedge

ComputerWorld

Theinquirer

And …

———————————————————————————–

PS : during these project and maybe we made some technical and non-technical mistakes due to complexly and compaction of this work and we hope we can fix some of them.

at end we are happy with result and your kind feedback.

for sure we will have really more interesting projects soon as soon possible and we think you will like them as well .

please follow me on twitter with @abysssec for other news projects and stay tunned for more projects .

as always finally if you have any question feel free to contact :

shahin [at] abysssec.com

info [at] abysssec.com

22 May

webapp Advisory + not dead just busy !!!

Posted by shahin in advisory, news | Tags :adobe 0day, adobe get icon, dana, douran, exploit, news, web application | Comments Off

hello to all of our dear reades .

we are not dead , just really busy in doing our projects . but there is a few notes I’d like to enclose with you .first of all about 2 Web Based vulnerability we’ve report to milw0rm . we haven’t free time to working on educational sources . and those vulnerability was special for us because those portal was commercial portals uses for our “government” , “private” web sites. and we’ve report those for helping our autonomous applications .

by the way if you like to see those vulnerabilities here you are :

first DOURAN Portal <= 3.9.0.23 Multiple Remote Vulnerabilities

second Dana Portal Remote Change Admin Password Exploit

third about adobe exploit my next writeup will be about PDF hacking / exploiting stuff (soon) .

and finally about future :

we believe to “no more free bugs” so after reporting a few more vulnerabilities / exploit maybe we don’t report more transparent / reliable exploit (as past) . maybe just PoC’s or just papers or just advisories titles or … . but who knows ?!

then :

we will try to update site with respectable index and more post on our blogs but you should take our apology for our late and unfaithfulness .

and final note :

unfortunately for a few reasons we disabled commenting system on blogs but feel free to contact us with our mails.

for now you can use admin [at] abysssec.com .

keep on to visit us .

hope to see you soon .

20 Feb

MS09-002 Exploit

Posted by shahin in advisory | Tags :IE 0day, IE Exploit, internet explorer exploit, ms09-002 exploit | Comments Off

hello to all readers

i wrote this exploit 2 hour after publishing PoC on milw0rm

but now there is a lots of mirror and version of this exploit on net !

maybe i release DEP-enabled / IE protection bypass version on variant os too .

Anyway Here is the code :

http://abysssec.com/blog/wp-content/uploads/2009/02/ms09-002-exploit.txt

mirror : http://milw0rm.com/exploits/8079

Cheers !!!

Abysssec Security Research

DOMSDAY Analyzing a DOM-Based XSS in Yahoo!

DOMSDAY

Analyzing a DOM-Based XSS in Yahoo!

Yahoo! vulnerability :

Abstract

Paper Download link

PoC Demo

press links :

Exploiting Admin Functionality in WordPress Using ClickJacking

Analysis of CVE-2011-0041 vulnerability in GDI+

1) Advisory information

CVE : CVE-2011-0041

2) Vulnerable version

3) Vulnerability information

4) Vulnerabilities detail

DEP/ASLR bypass using 3rd party + Clarification

Exploiting Adobe Flash Player on Windows 7

1) Advisory information

2) Vulnerable version

3) Vulnerability information

4) Vulnerability detail

5) Conclusion

6) Refrences

7) Exploit-Code

Hacking / Exploiting / Cheating in Online Games

Adobe Shockwave player rcsL chunk memory corruption 0day

1) Advisory information

2) Vulnerable version

3) Vulnerability information

4) Vulnerabilities detail

Exploitation :

MOAUB – Day by Day

webapp Advisory + not dead just busy !!!

MS09-002 Exploit

Categories

Blogroll