M$ Firefox

While there is another Windows 0-day exploit (XML Core) going around, I have found a funny web site. It’s about M$ Firefox’s features, http://www.msfirefox.com/microsoft-firefox/index.html. Have fun :)

Trirat Kira P.


Flaw in Vista’s ASLR

For exploit writers on the Windows platform, one of the protection mechanisms in Vista that they have to face is Address Space Layout Randomization (ASLR). ASLR is a security feature that hinders an attacker from exploiting a vulnerable program by randomly arranging the address spaces of the stack, heap, libraries and so on. This makes it hard for the attacker to predict the key values needed in the exploitation phase – such as a return address or a function pointer – so the success rate of the exploit becomes low. (This is the reason why I hate ASLR, lol)

But before the final version of Vista was released, Ali Rahbar from Sysdream had analyzed Vista’s ASLR and found a flaw in it.

But 32 possibilities is not much, and for buffer overflow exploitation, in some situations it is really feasible to do a brute force on the 32 possible values. But why has Microsoft used only 32 out of 256 possibilities

(more…)
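As an added illustration (not from this post or from Sysdream’s analysis), the script below estimates from a sample of observed load addresses how many distinct base values a randomization scheme really produces, and compares that with what the scheme advertises. The sample addresses and their bit layout are constructed for this example and are an assumption, not Vista’s actual layout.

```python
"""Estimate the effective randomness of an ASLR scheme from sampled load
addresses. If a scheme reserves 8 bits of the base address but only 32
distinct values are ever observed, a uniform brute force needs on average
(32 + 1) / 2 guesses instead of (256 + 1) / 2."""
import math
import random


def varying_bits(addrs):
    """Bitmask of the address bits that actually change across the samples."""
    mask = 0
    for a in addrs[1:]:
        mask |= a ^ addrs[0]
    return mask


def analyze(addrs, advertised_bits=8):
    """Compare observed randomness with the advertised number of bits."""
    mask = varying_bits(addrs)
    distinct = len(set(addrs))
    advertised_values = 1 << advertised_bits
    return {
        "mask": mask,
        "bits_observed": bin(mask).count("1"),
        "distinct": distinct,
        "entropy_bits": math.log2(distinct),
        "advertised_values": advertised_values,
        # Average guesses for a uniform brute force over the values seen.
        "expected_guesses": (distinct + 1) / 2,
        "advertised_guesses": (advertised_values + 1) / 2,
    }


def constructed_sample(n=500, seed=2006):
    """Constructed sample (assumed layout): a DLL base randomized in 64 KB
    steps, where only 5 of the 8 randomized bits (bits 16..20) ever change."""
    rng = random.Random(seed)
    return [0x6F800000 | (rng.randrange(32) << 16) for _ in range(n)]


if __name__ == "__main__":
    r = analyze(constructed_sample())
    print("varying bit mask : 0x%08X (%d bits)" % (r["mask"], r["bits_observed"]))
    print("distinct values  : %d of %d advertised" % (r["distinct"], r["advertised_values"]))
    print("avg brute-force  : %.1f vs %.1f guesses" % (r["expected_guesses"], r["advertised_guesses"]))
```

Feeding the script real addresses (for example, a module base logged across many process starts) turns it into a quick check of whether a randomization scheme delivers the entropy it claims.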


New 0-day in the Old bug

Now, CERT has already released an advisory for the 0-day IE bug, “WebViewFolderIcon ActiveX”. This bug, WebViewFolderIcon, also known as the “SetSlice” bug, was discovered by H D Moore on 18 July 2006 or earlier – 2 months ago – and he described it in his blog Browser Fun.

I thought that this bug had been fixed in the past 2 months; however, I was wrong. The public exploit was released by the Metasploit project on Sep 26 and it can successfully exploit XP SP0 – SP2 with IE 6 SP1, and it should work for 2K and 2K3.

This bug should not be a 0-day if the guys from M$ had read H D M’s blog :) (or they had already read it, but ignored it, lol)


Heap Spraying: Exploiting Internet Explorer VML 0-day XP SP2

Credits: Niega

At first, I decided to release the article on Oct 10. But someone has already published the exploit, so there is no point in still keeping it private.

In the last article, I described that my method can’t be used to exploit XP SP2. But things changed because Niega gave me some information: he could produce an error different from the old one.

This exception may be expected and handled.
eax=0013be58 ebx=001cc564 ecx=0013be4c edx=00000041 esi=000020d4 edi=00140000
eip=6f9eed1e esp=0013be34 ebp=0013c05c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program\Delade filer\Microsoft Shared\VGX\vgx.dll -
vgx!$DllMain$_gdiplus+0x30e8d:
6f9eed1e 668917 mov word ptr [edi],dx ds:0023:00140000=6341

IE crashes, but not with the security cookie check failure. This is the interesting one; maybe I can get code execution from this (the reason why I gave up looking for a way to make the exploit work on XP SP2 was that others could do it). Niega said that he produced the error by overwriting the stack massively. I reproduced the error by creating an attack vector like this:
(more…)


Heap Spraying: Exploiting Internet Explorer VML 0-day

[UPDATE: Sep 24th, 2006] Finally, I got code execution on XP SP2. However, because of the serious damage it could cause, I will not publish anything about this until M$ releases the patch. Sorry for the inconvenience.

At the time I am writing this article, this exploit is still a 0-day; there is no patch. I decided to write this exploit because I just wanted to know which platforms are exploitable. Xsec’s exploit shows that the W2k platform is exploitable, so I decided to work on the XP platform.

I used Shirkdog’s PoC as the starting point to see how IE crashes. This is the result:

(6ec.6f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00310030 ebx=ffffff88 ecx=0013bec4 edx=001832cc esi=00000000 edi=00000000
(more…)
