Heap Spraying: Exploiting Internet Explorer VML 0-day

[UPDATE: Sep 24th, 2006] Finally got code execution on XP SP2. However, because of the potential for serious damage, I will not publish anything about this until M$ releases the patch. Sorry for the inconvenience.

At the time of writing, this exploit is still a 0-day; there is no patch. I decided to write this exploit because I wanted to know which platforms are exploitable. Xsec’s exploit shows that the W2k platform is exploitable, so I decided to work on the XP platform.

I used Shirkdog’s PoC as the starting point to see how IE crashes. This is the result:

(6ec.6f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00310030 ebx=ffffff88 ecx=0013bec4 edx=001832cc esi=00000000 edi=00000000


Copyright in a packet

Can you tell who wrote this poem?

“Everybody follows
Speedy bits exchange
Stars await to glow”

You’re right!
Oracle JDBC Client programmers.

I was sniffing my network and encountered this poem in the raw bytes of one of Oracle’s JDBC logon packets.

The raw bytes of the packet (data in hex; ASCII translation on the right):

22 4f 72 "Or
61 63 6c 65 0a 45 76 65 72 79 62 6f 64 79 20 66 acle.Everybody f
6f 6c 6c 6f 77 73 0a 53 70 65 65 64 79 20 62 69 ollows.Speedy bi
74 73 20 65 78 63 68 61 6e 67 65 0a 53 74 61 72 ts exchange.Star
73 20 61 77 61 69 74 20 74 6f 20 67 6c 40 6f 77 s await to gl@ow
22 0a 54 68 65 20 70 72 65 63 65 64 69 6e 67 20 ".The preceding
6b 65 79 20 69 73 20 63 6f 70 79 72 69 67 68 74 key is copyright
65 64 20 62 79 20 4f 72 61 63 6c 65 20 43 6f 72 ed by Oracle Cor
70 6f 72 61 74 69 6f 6e 2e 0a 44 75 70 6c 40 69 poration..Dupl@i
63 61 74 69 6f 6e 20 6f 66 20 74 68 69 73 20 6b cation of this k
65 79 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 ey is not allowe
64 20 77 69 74 68 6f 75 74 20 70 65 72 6d 69 73 d without permis
73 69 6f 6e 0a 66 72 6f 6d 20 4f 72 61 63 6c 31 sion.from Oracl1
65 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 43 e Corporation. C
6f 70 79 72 69 67 68 74 20 32 30 30 33 20 4f 72 opyright 2003 Or
61 63 6c 65 20 43 6f 72 70 6f 72 61 74 69 6f 6e acle Corporation

As you can see, the packet, belonging to our corporate world, carries a copyright notice right after the poem:

“The preceding key is copyrighted by Oracle Corporation.
Duplication of this key is not allowed without permission
from Oracle Corporation. Copyright 2003 Oracle Corporation”

Well, what next? Harry Potter in P2P packets, or maybe copyrighted MD5s?

Live long and prosper,

Kfir Damari,


diSlib (A Python PE Parser)

gil dabah (arkon), the creator of distorm, the fastest stream disassembler around (which also happens to be open source), released dislib, a python pe parser. i’ve discussed it briefly before while covering distorm.

dislib (a python pe parser):

dislib is an easy to use python module for parsing pe executables. it gives you all the necessary information, such as:

* sections with their accompanying information
* imported functions and their addresses (iat)
* exported functions by name, ordinal and address
* supports imagebase relocation
* relocated entries by offsets and their original dword values.
* lets you apply the relocations
* uses exceptions and an oo interface (thanks to shenberg!)


gadi evron,
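
as an added example of what a parser with the feature list above has to do (this is my own code, not dislib’s, and it makes no claim about dislib’s api; it follows only the pe format itself), here is a minimal pe32 parser that reads the section table, walks the base relocation directory to report each relocated dword with its current value, and applies the relocations for a new image base. the sample image is constructed inline, so it runs without a real executable.

```python
"""Minimal PE32 parser: sections, base relocations, and rebasing.

Added example, not diSlib's code. The sample image built by build_sample_pe()
is constructed here so the module runs stand-alone.
"""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # add the base delta to a 32-bit pointer


class PEError(Exception):
    pass


class PE:
    def __init__(self, data):
        self.data = bytearray(data)
        if self.data[:2] != b"MZ":
            raise PEError("no MZ signature")
        e_lfanew = struct.unpack_from("<I", self.data, 0x3C)[0]
        if self.data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise PEError("no PE signature")
        fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER
        self.machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", self.data, fh)
        opt = fh + 20                                         # IMAGE_OPTIONAL_HEADER32
        if struct.unpack_from("<H", self.data, opt)[0] != 0x10B:
            raise PEError("only PE32 is handled here")
        self.image_base = struct.unpack_from("<I", self.data, opt + 28)[0]
        ndirs = struct.unpack_from("<I", self.data, opt + 92)[0]
        # data directory entry 5 is IMAGE_DIRECTORY_ENTRY_BASERELOC: (rva, size)
        self.reloc_dir = struct.unpack_from("<II", self.data, opt + 96 + 5 * 8) if ndirs > 5 else (0, 0)
        self.sections = []
        for i in range(nsec):
            name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", self.data, opt + opt_size + i * 40)
            self.sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                                  "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr})

    def rva_to_offset(self, rva):
        for s in self.sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
                return rva - s["va"] + s["raw_ptr"]
        raise PEError("RVA %#x is not backed by any section" % rva)

    def relocations(self):
        """List of (rva, current dword value) for every HIGHLOW relocation entry."""
        out = []
        rva, size = self.reloc_dir
        if size == 0:
            return out
        off = self.rva_to_offset(rva)
        end = off + size
        while off + 8 <= end:
            page, block_size = struct.unpack_from("<II", self.data, off)
            if block_size < 8 or off + block_size > end:
                raise PEError("malformed relocation block at %#x" % off)
            for e in range(off + 8, off + block_size, 2):
                entry = struct.unpack_from("<H", self.data, e)[0]
                rtype, low12 = entry >> 12, entry & 0xFFF
                if rtype == IMAGE_REL_BASED_ABSOLUTE:
                    continue
                if rtype != IMAGE_REL_BASED_HIGHLOW:
                    raise PEError("unsupported relocation type %d" % rtype)
                target = page + low12
                out.append((target, struct.unpack_from("<I", self.data, self.rva_to_offset(target))[0]))
            off += block_size
        return out

    def rebase(self, new_base):
        """Apply the relocations so the image is correct when loaded at new_base."""
        delta = new_base - self.image_base
        for target, value in self.relocations():
            struct.pack_into("<I", self.data, self.rva_to_offset(target), (value + delta) & 0xFFFFFFFF)
        self.image_base = new_base


def build_sample_pe():
    """Constructed PE32: .text holds one absolute pointer, .reloc fixes it up."""
    base, text_va, text_raw, reloc_va, reloc_raw = 0x400000, 0x1000, 0x200, 0x2000, 0x400
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, text_va)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, base)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # Section / File alignment
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 5 * 8, reloc_va, 12)   # base relocation directory
    hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102) + bytes(opt)
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0x200, text_va, 0x200, text_raw, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".reloc", 0x200, reloc_va, 0x200, reloc_raw, 0, 0, 0, 0, 0x42000040)
    img[0x40:0x40 + len(hdr)] = hdr
    struct.pack_into("<I", img, text_raw + 0x10, base + text_va + 0x20)   # absolute pointer into .text
    struct.pack_into("<IIHH", img, reloc_raw, text_va, 12,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x10, IMAGE_REL_BASED_ABSOLUTE)
    return bytes(img)


if __name__ == "__main__":
    pe = PE(build_sample_pe())
    print([(s["name"], hex(s["va"])) for s in pe.sections])
    print([(hex(r), hex(v)) for r, v in pe.relocations()])
    pe.rebase(0x10000000)
    print([(hex(r), hex(v)) for r, v in pe.relocations()])
```

the relocation walk is where a parser earns its keep: a block whose SizeOfBlock runs past the directory, or an entry whose target falls outside every section, is how a malformed sample crashes naive tooling, so both are rejected rather than trusted.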


Joanna’s Blue Pill – Invisible Rootkits

the overly cool joanna rutkowska has been working on what she calls blue pill technology. using advanced virtualization technology from amd called svm/pacifica, her research shows she can create “invisible malware”. this does not rely on any bug and is not os dependent, although she says she will demonstrate how she gets past vista’s interesting technology for preventing unsigned code from being loaded into the kernel.

you can read more about it in her blog.

gadi evron,


Taking Over Laptops by Fuzzing Wireless Drivers

some news items showed up in the past couple of days about vulnerabilities in wireless device drivers. these vulnerabilities were apparently found by fuzzing 802.11 frames with a tool built on lorcon, a frame injection library.

from wikipedia:

lorcon (acronym for loss of radio connectivity) is an open source network tool. it is a library for injecting 802.11 frames, capable of injecting via multiple driver frameworks, without the need to change the application code.
the project is maintained by joshua wright and michael kershaw (“dragorn”).

apparently, david maynor and jon ellch intend to demonstrate taking over a laptop by the use of a wireless driver vulnerability next month at black hat usa 2006.

i personally intend to go only to defcon, but this will be cool. :)

disclaimer: my employer (and the host of these blogs), beyond security, makes the bestorm 2nd generation fuzzing product.

gadi evron,


PaiMei RE Framework

pedram amini announced paimei a few days ago. here is what he just said about it on dd:

for those of you who may be interested, i recently released a reverse
engineering framework that i’ve been working on named paimei. the goal
of the framework is to reduce the time from “idea” to prototype to a
matter of minutes, instead of days.

paimei is written entirely in python and exposes at the highest level a
debugger (pydbg, a component i’ve previously mentioned on this list), a
graph based binary abstraction and a set of utilities for accomplishing
various repetitive tasks. the framework can essentially be thought of as
a reverse engineer’s swiss army knife and has already been proven
effective for a wide range of both static and dynamic analysis tasks
such as: fuzzer assistance, code coverage tracking, data flow tracking
and more. you can grab the latest copy from:


i made the general documentation, api references and a flash demo of the
code coverage tool available on my personal site:


the real-time graphing and ida exporting functionality is not shown off
in the demo, i’ll add it as soon as i get better at making these silly

a couple of really brilliant individuals have already taken strong
interest in paimei and i hope others get inspired to contribute as
well. please feel free to contact me directly on my pedram [dot] amini
[at] gmail account (pedram@redhive is purely a spam trap).

gadi evron,


diStorm – very quick (open source) stream disassembler

distorm is just another stream disassembler, but… the quickest one i have ever seen, and it supports amd64. the guy (arkon, gil dabah) must have no life, as this thing is very good and must have taken quite some time to develop. it is open source.

it’s available for windows, linux and general *nix. there is also a pe binary parsing library in the package.

distorm64 is an amd64 disassembler, the first open source disassembler library for amd64 out there, licensed under the bsd license.

distorm is a binary stream disassembler. it’s capable of disassembling 80x86 instructions in 64 bits (amd64, x86-64) and in both 16 and 32 bits. in addition, it disassembles fpu, mmx, sse, sse2, sse3 and 3dnow! (w/ extensions) and the new x86-64 instruction sets. distorm was written to decode every instruction quickly and as accurately as possible. robust decoding, while taking special care over valid or unused prefixes, is what makes this disassembler powerful, especially for research. another benefit that might come in handy is that the module was written to be usable from multiple threads, which means you could disassemble several streams simultaneously.
for rapid use, distorm is compiled as a python module and is easily used from c as well. distorm was originally written under windows and later ported to linux.


a similar disassembler was recently released by piotr bania, called disit. also very good, but my personal preference is distorm. disit is also still in beta.

gadi evron,


Skype – The new NMAP?

At Black Hat Europe 2006, Philippe Biondi presented his work on Skype.
Skype is famous for the lengths it goes to in order to protect its code and protocol from prying eyes.

This outstanding work unveils Skype’s inner workings, reverse engineering both the application and the network protocol, and provides code samples.

The author poses and later answers three questions:

  1. Is Skype a backdoor?
  2. Can one detect and block Skype traffic?
  3. Is Skype safe enough for Business use?

Several security related issues are brought to light:

  • Several heap overflows were found during the research.
  • Skype can be DoSed by a single packet.
  • Skype can be abused as anything from a port scanner to a botnet and covert channels in P2P

For the rest of this excellent work get the full paper at:


Message-Rendering Vulnerabilities in E-mail Readers

Richard Smith posted the following in a message to funsec this morning:

I’ve got some sort of bad email message in my POP3 inbox which Outlook 2003 is refusing to download. I’m not sure what the problem is with the message, but Outlook is complaining that it doesn’t have enough memory to process the message. See the attached screen shot.

However, I am now stuck because I can no longer read email from this account. I suspect the message is a spam message, so there are maybe other people in the same boat.

For the specific error message, see the screenshot from Richard’s report.

I have a copy of the original message and can attest that it is severely malformed. The interesting part, however, is that the malformation does not appear to be what is to blame in this instance.

The recipient list on this particular e-mail contains hundreds of different e-mail addresses, and that appears to be what causes the problem. Outlook, in particular, appears to exhaust a limited-size heap when faced with such a message. The impact on Outlook is quite severe, because messages aren’t removed from the POP3 server unless they are successfully written to the Outlook Inbox. That write fails for such a message because of the heap exhaustion, so the e-mail remains on the server indefinitely: Outlook re-downloads the message and fails to process it, over and over, until it is deleted from the server hosting the attacked mailbox by some other means.

I’ve tried manually importing local copies of the message into several mail readers, and only one (Outlook Express) handled it in a semi-correct fashion unless the recipient list had been significantly shortened. The others all failed the import operation but otherwise continued to respond normally. It remains to be seen whether these clients can be made to fail in the same way Outlook does. For now, I recommend filtering e-mail with exceedingly large recipient lists in the To or CC fields (say, 100 or more addresses) and asking users to send such e-mails to large groups via blind carbon copy.

As I conduct more aggressive tests on other mail readers, I’ll post my results here.
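
As an added example of the filter recommended above (my code, not from the post), the check below counts the addresses a receiving client would actually have to render, i.e. every address in To and Cc after the folded headers are unfolded, and quarantines at the post’s suggested threshold of 100. Bcc is ignored on purpose: it is stripped before delivery and is the channel users should be pushed towards. The sample messages are constructed here.

```python
"""Gateway check for e-mail whose visible recipient list is large enough to
exhaust a client's heap. Added example using only the standard library."""
import email
import textwrap
from email.utils import getaddresses

RECIPIENT_LIMIT = 100   # "say, 100 or more", per the recommendation above


def visible_recipients(raw):
    """Addresses named in To and Cc, with folded header lines unfolded."""
    msg = email.message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def should_quarantine(raw, limit=RECIPIENT_LIMIT):
    """True when the message names `limit` or more visible recipients."""
    return len(visible_recipients(raw)) >= limit


def build_message(n_to, n_cc):
    """Constructed sample with n_to addresses in To and n_cc in Cc, folded the
    way a real MTA would fold a long header (continuation lines start with a
    space), so the counter is exercised on realistic input."""
    def fold(name, addrs):
        if not addrs:
            return ""
        return name + ": " + "\n ".join(textwrap.wrap(", ".join(addrs), 70)) + "\n"
    to = ["user%d@example.com" % i for i in range(n_to)]
    cc = ["cc%d@example.com" % i for i in range(n_cc)]
    return (fold("To", to) + fold("Cc", cc)
            + "From: sender@example.com\nSubject: test\n\nbody\n")


if __name__ == "__main__":
    for n_to, n_cc in ((3, 2), (80, 30)):
        raw = build_message(n_to, n_cc)
        print(len(visible_recipients(raw)), "recipients, quarantine:", should_quarantine(raw))
```

Counting after unfolding matters: a 500-address To header arrives as a few hundred short continuation lines, so any filter that looks at a single header line will undercount it.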


The Domain Name Service as an IDS

“how dns can be used for detecting and monitoring badware in a network”


this is very interesting, although preliminary, work by obviously skilled people. i haven’t learned much, but i am extremely happy that people other than the ones i already know are working on this! they also weren’t shy with credit, mentioning florian weimer and his passive dns project already in the abstract (quoted below). they even mention me for some reason.

great paper guys!

moving past passive dns replication and blacklisting, they discuss what has been done for years using dnstop, and help take it to the next level of dns monitoring.

someone should introduce them to duane wessels’ (from isc oarc) follow-up to dnstop, dsc. :)
[duane's lecture on the tool at the 1st dns-oarc workshop] http://www.caida.org/projects/oarc/200507/slides/oarc0507-wessels-dsc.pdf

there has been some other interesting work done in this area by our very own david dagon from georgia tech:
[presentation from the 1st dns-oarc workshop] botnet detection and response – the network is the infection: http://www.caida.org/projects/oarc/200507/slides/oarc0507-dagon.pdf
[paper] modeling botnet propagation using time zones: http://www.cs.ucf.edu/~czou/research/botnet_tzmodel_ndss06.pdf

surfnet is looking for technologies to expand the ways they can detect network traffic anomalies like botnets. since bots started using domain names for connecting with their controller, tracking and removing them has become a hard task. this research is a first glance at the usability of dns traffic and logs for detection of this malicious network activity. detection of bots is possible from dns information gathered from the network by placing counters and triggers on specific events in the data analysis. in combination with netflow information and ip addresses of known infected systems, detection of bots or network anomalies can be made visible. also, the behavior of a bot can be documented and additional information can be gathered about the bot. using dns data as a supplement to the existing detection systems can give more insight into the suspicious network traffic. with some future research, this information can be used to compile a case against particular types of bot or spyware and help dismantle a remote controlled infrastructure as a whole.

we started this research project with the question whether the passive dns software of florian weimer was useful for bot detection. we immediately found out that the sensor of the passive dns software strips the source address from the collected data for privacy reasons, making this software not useful at all for our purpose. we deviated from the research plan (plan van aanpak, the “plan of approach”) and took a more general approach to the question: “is gathered dns traffic usable for badware detection?”

gadi evron,
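
as an added example of the counters-and-triggers idea in the abstract (my own code, not the surfnet paper’s method), the script below keeps a per-name counter of distinct querying clients and then pivots from the ip addresses of known infected systems to the names those hosts query, and from there to every other host that queries the same names, repeating until nothing new turns up. the resolver log, the whitelist and the infected-host list are all constructed. note the input it needs is exactly what the abstract says the stock passive dns sensor strips: the client address per query.

```python
"""Counters and triggers on a resolver query log for bot detection.
Added example, not code from the paper. All data below is constructed."""
from collections import defaultdict

# Constructed resolver log, one query per line: "unix_time client qtype qname"
QUERY_LOG = """\
1138000001 10.1.0.11 A www.example.com
1138000002 10.1.0.11 A irc.controller.example
1138000003 10.1.0.23 A irc.controller.example
1138000004 10.1.0.42 A mail.example.com
1138000005 10.1.0.57 A irc.controller.example
1138000006 10.1.0.23 A update.controller.example
1138000007 10.1.0.99 A www.example.com
1138000008 10.1.0.57 A update.controller.example
1138000009 10.1.0.42 A www.example.com
1138000010 10.1.0.99 A weather.example.org
"""

# Constructed: one host already confirmed infected by other means (AV, netflow)
KNOWN_INFECTED = {"10.1.0.11"}
# Names the whole network queries; these never count as controller names
WHITELIST = {"www.example.com", "mail.example.com"}


def parse_log(text):
    """(time, client, qtype, qname) tuples; names lower-cased, trailing dot removed."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            records.append((int(ts), client, qtype, qname.lower().rstrip(".")))
    return records


def clients_per_domain(records):
    """Counter: the set of distinct clients that asked for each name."""
    table = defaultdict(set)
    for _ts, client, _qtype, qname in records:
        table[qname].add(client)
    return table


def pivot(records, known_infected, whitelist=WHITELIST, min_fanin=2):
    """Trigger: infected hosts -> names they query -> other hosts querying those
    names, iterated to a fixed point. Returns (suspect names, newly found hosts).

    min_fanin stops a name that a single infected host happened to look up from
    condemning anyone else; controller names are the ones infected hosts share.
    """
    table = clients_per_domain(records)
    infected = set(known_infected)
    suspect_names = set()
    while True:
        names = {q for _t, c, _qt, q in records if c in infected and q not in whitelist}
        names = {n for n in names if len(table[n]) >= min_fanin}
        new_hosts = (set().union(*(table[n] for n in names)) - infected) if names else set()
        suspect_names |= names
        if not new_hosts:
            return suspect_names, infected - set(known_infected)
        infected |= new_hosts


if __name__ == "__main__":
    recs = parse_log(QUERY_LOG)
    names, hosts = pivot(recs, KNOWN_INFECTED)
    print("controller names:", sorted(names))
    print("hosts to look at:", sorted(hosts))
```

in this run the two hosts that share the infected host’s controller name are picked up, and the second name those hosts query is added on the next round, while 10.1.0.99 (which only queries whitelisted or unshared names) is left alone. the whitelist and fan-in threshold are the knobs that keep this from flagging the whole network off one noisy host.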


Exploit: Head-2-head – H D Moore and Matthew Murphy (MS06-006)

apparently, both h d moore and our very own matthew murphy worked all night to write working exploit code for ms06-006.

head to head they coded, and we honestly can’t tell who wrote the first working code!

h d moore’s code can be found here.
matthew murphy’s code can be found here.

both guys are amazing, and h d moore as always knows more than most of us put together. we think that matthew’s code, however, is universal, and he is the first who hit the lists with full code.

his code should work on nt/2000/xp/2003, pretty much anything and everything with a vulnerable windows media component.

that was not even 2 days for a not (that) trivial to exploit vulnerability. lucky for us, there are responsible researchers such as these to help those of us in the security world do our job, as those on the dark path have their own resources while we deal with legal b/s from people who jdgi (just don’t get it).

sunshine asked us to update that both these cool guys mentioned they used techniques by skylined. thanks skylined!

(got anything to tell ren&stimpy? email us: rennstimpy@securiteam.com)


Reversing GDI32.DLL

by websense:

gadi evron,


Winamp 5.12 “play list file” 0day [PATCHED]

a vulnerability in winamp 5.12 was released today (full disclosure mode):

a specially crafted winamp playlist file can be used for remote exploitation (i will never understand why such vulnerabilities are called remote).

“the current version of winamp contains an error in its playlist parsing allowing malicious users to execute code via a prepared playlist.”

the poc code suggests using an iframe on a web site linking to the specially crafted file as a possible attack vector.

most people don’t believe a worm is very likely, but i wouldn’t completely rule it out yet.

there are several reasons why such a worm could potentially be riskier than the usual mass mailers we see:

1. how many organizations filter email attachments by blocking known-bad types rather than allowing only known-good ones? this is a (somewhat) new bad.

2. the social engineering effect should not be dismissed:
- people love clicking, which we know.
- people get mp3s in email often, or at least are not surprised when once in a blue moon they do.
- the social engineering effect of the above two points is: hey! new mp3! (i.e. cool mp3/winamp icon).

i wouldn’t rule it out so quickly… although…

some clients won’t show icons… nothing we haven’t seen before with mass mailers and something people may not bother with…

but it is more than just a possibility and should be taken into account. after all, we have seen what a worm designed to affect only one brand of personal firewall did (witty, anyone?).

winamp vulnerabilities of the past have not been that successful for mass exploitation, though, so in my opinion all bets are still open on this one.

a simple way to avert this until a patch is available would be to remove (or change) the file associations for .pls and .m3u, so that a downloaded playlist is no longer opened by winamp automatically.

update from the winamp development team:
(thanks keith!)

yes, we know about it and it’s already been fixed :-)

here is the patched in_mp3.dll for 5.12

this url will be removed once a new client with this fix has been

(place in_mp3.dll in the winamp\plugins folder)

there’ll be a 5.13 released shortly, which will be exactly the same as
5.12 but with the patched in_mp3 included.

there’ll be a separate patched in_mp3.dll included with the next public
release of 5.2 beta (http://forums.winamp.com/showthread.php?s=&threadid=236311), also
hopefully today.

gadi evron,


Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)


this is an urgent alert released by the cooperative efforts of the mwp / da groups that also worked on the hurricane rita scams. this task force is now known as the tisf blackworm task force.
it involves many in the security community and industry (anti spam, certs, anti virus, academia, isps, etc.), working together to combat threats to the security of the internet in cooperation with law enforcement globally.

anti virus companies each have a chosen name for this, but for operational reasons as well as simplicity we chose blackworm. this is what we submitted for cme; a cme entry should hopefully be created shortly.

bottom line:
1. update anti virus signatures urgently.
2. see the snort signatures below.

a special sans diary page should be set up soon to process information for the snort signatures as we refine them:
(current snort sigs are at the footer of this email message)

general information and updates will be found also at:

actual information and background:

this worm will destroy certain data files on an infected user’s machine. so far about 700k users have been infected. we know this because of a counter which the malware author made use of.
that machine is nothing but a counter, and there is no reason at this time to blackhole it, as doing so would harm our attempts to respond to this. we are, however, coordinating a possible action of this sort with the right people, should it become necessary.

we believe the counter to be real and the number of infected users to be
mostly accurate.

we are working with law enforcement and the isp to get a list of infected ips, so that we can inform the respective isps of the possibly infected users in their net-space.

dday is february 3rd (i.e. that is when the worm becomes destructive).

however effective or ineffective this may be, we urge users to update their anti virus software as soon as possible and scan their computers and/or

this risk may turn out to be nothing, and whatever happens, the internet is not going to die. we would, however, rather attempt to prevent this dday on february 3rd regardless.

further, joe stewart (jstewart at lurhq.com) has come up with the snort
signatures below to help detect infected users in your net-space. false
positives should be reported to him.

it should be noted that the worm connects to the counter only once, on connection; however, it keeps sending requests to www.microsoft.com (the ddos attempts). both of these behaviours can be used to track down the infected users at risk.

these signatures and this alert should soon also be on bleedingsnort and
the sans diary, as well as come from different certs.

snort signatures:

1. this sig alerts if someone visits any counter at webstats.web.rcn.net without a referer: header in their request. could be an infected user, could be one of us checking out the counter stats:

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible blackworm infection)"; content:"GET /cgi-bin/count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;)

2. this sig alerts on the specific pattern blackworm uses to test connectivity to www.microsoft.com. it’s unique in that the request doesn’t have a user-agent: header, so this will catch blackworm and possibly other automated requests to microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern, but they should probably be flogged anyway):

alert tcp any any -> any 80 (msg:"agentless http request to www.microsoft.com (possible blackworm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)

thanks, we will update further as information becomes available, if

good luck,

gadi evron,
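
as an added example (my code, not joe stewart’s signatures and not part of the alert), here are the two matches above expressed as plain python checks over raw http request payloads, which is handy for running over request bodies pulled out of a pcap, or for convincing yourself that a rule’s content matches line up with what is actually on the wire. the request samples are constructed: the counter request uses a made-up df= value, and the www.microsoft.com probe is padded with a throwaway header purely to reach the 92 bytes the rule expects, since the alert does not say what the worm’s remaining header bytes are.

```python
"""The two BlackWorm HTTP patterns from the alert, as Python checks.
Added example; all request samples below are constructed."""

COUNTER_NO_REFERER = (b"GET /cgi-bin/count.cgi?df=sample.dat HTTP/1.1\r\n"
                      b"Host: webstats.web.rcn.net\r\n\r\n")
COUNTER_WITH_REFERER = (b"GET /cgi-bin/count.cgi?df=sample.dat HTTP/1.1\r\n"
                        b"Host: webstats.web.rcn.net\r\n"
                        b"Referer: http://www.example.com/stats.html\r\n"
                        b"User-Agent: Mozilla/4.0\r\n\r\n")
# Filler header so the constructed probe is exactly 92 bytes (dsize:92)
MS_PROBE = b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\nX-Pad: " + b"x" * 40 + b"\r\n\r\n"
BROWSER_GET = (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")


def parse_request(payload):
    """Split one raw HTTP request into (request line, {header: value}).
    Header names are lower-cased so the checks are case-insensitive, which
    is what the rules achieve by matching the canonical wire spelling."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def counter_hit_without_referer(payload):
    """Signature 1: count.cgi?...df=... at webstats.web.rcn.net with no Referer."""
    reqline, headers = parse_request(payload)
    return bool(reqline.startswith(b"GET /cgi-bin/count.cgi?")   # depth:23
                and b"df=" in payload                            # content:"df|3d|"
                and headers.get(b"host") == b"webstats.web.rcn.net"
                and b"referer" not in headers)                   # content:!"Referer|3a|"


def agentless_microsoft_probe(payload):
    """Signature 2: 92-byte 'GET / HTTP/1.1' to www.microsoft.com, no User-Agent."""
    _reqline, headers = parse_request(payload)
    return bool(len(payload) == 92                               # dsize:92
                and payload.startswith(b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n")
                and b"user-agent" not in headers)


CHECKS = [("blackworm counter hit", counter_hit_without_referer),
          ("blackworm microsoft probe", agentless_microsoft_probe)]


def scan(payloads):
    """Every (index, label) pair for payloads that trip one of the checks."""
    return [(i, label) for i, p in enumerate(payloads) for label, check in CHECKS if check(p)]


if __name__ == "__main__":
    print(scan([COUNTER_NO_REFERER, COUNTER_WITH_REFERER, MS_PROBE, BROWSER_GET]))
```

the first check carries the same caveat as the rule: anyone looking at the counter page by hand without a referer trips it too, so treat a hit as a lead to correlate with the second pattern, not as proof of infection by itself.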


KDE JS bug poses a real threat

(Updated: January 21, 2006 @ 21:19, 21:23)

A security vulnerability in KDE’s JavaScript interpreter allows remote attackers to cause a user visiting a malicious web page to execute arbitrary code by overflowing a buffer in the UTF-8 handling of KJS (KDE JavaScript).

The vulnerability can be triggered from any program that uses KJS, i.e. it is not limited to Konqueror.

More information to come as technical details start to surface.

The patch found at ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-kjs.diff offers some insight into the problem; the vulnerable JavaScript functions apparently are encodeURI and decodeURI.

Update 2: The CVE-2006-0019 entry has not been released yet, but keep watching.


BlackWorm stats

BlackWorm, aka BlueWorm, aka Nyxem, aka Grew, aka Kapser, aka Blackmal, aka Tearec, aka MyWife, is making some noise this week. It’s just another in a long line of relatively uninteresting VB worms, so why are so many people clicking on it? And how do we know how many people are actually clicking? BlackWorm logs each infection to a webstats counter. Last time I checked it was over 453,000 infections. A variant from 2004 made it to 920,000 infections, so clearly plenty of people are still willing to click on whatever attachment they are sent.

The one thing that can stop these worms is user education. That’s certainly a point of contention; many people claim that users at a certain level simply can’t be educated. Probably that is because we’ve taken the wrong approach to user education. Providing information is not education. Education is sticking your bare hand on a hot stove. The problem with viruses is that there are plenty of users sticking their hands on the hot stove who don’t realize it’s hot, so the education never occurs.

We’ve all heard the anecdotal story about the BOFH network admin who periodically sends his users executable attachments, warns them not to click on them, and then some form of public humiliation/punishment ensues when a user clicks anyway. We need to be doing way more of that. For example, instead of just blocking executable attachments at the gateway, strip the attachment and replace it with one of your own making, something suitably humiliating. Is anyone already doing something like this that they’d like to share?
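
As an added example of the strip-and-replace idea above (my own code, not from the post), the filter below walks a MIME message, finds every attachment whose name ends in an extension Windows will execute on double-click (including the photos.zip.scr double-extension trick these worms favour), and swaps the binary for a plain-text attachment carrying a notice. The extension list, the notice wording and the sample message are all constructed; adjust the list to local policy.

```python
"""Replace executable attachments with a text notice at the mail gateway.
Added example using only the standard library; all sample data is constructed."""
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions Windows will run on double-click; extend as policy requires
DANGEROUS_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta")

NOTICE = ("The attachment %s was an executable program and has been removed by the\n"
          "mail gateway. If you were about to double-click it, consider this the\n"
          "lesson. Ask the sender to use a different format.\n")


def is_dangerous(filename):
    """True for names ending in an executable extension, ignoring case and the
    trailing spaces or dots some worms append to disguise the real extension."""
    if not filename:
        return False
    return filename.lower().rstrip(" .").endswith(DANGEROUS_EXT)


def neutralize(raw):
    """Return (rewritten message as text, list of stripped attachment names)."""
    msg = email.message_from_string(raw)
    stripped = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not is_dangerous(name):
            continue
        stripped.append(name)
        # Drop the binary payload and every header that described it, then turn
        # the part into a plain-text attachment carrying the notice.
        for header in ("Content-Type", "Content-Transfer-Encoding", "Content-Disposition"):
            del part[header]
        part.set_payload(NOTICE % name)
        part["Content-Type"] = 'text/plain; charset="us-ascii"'
        part["Content-Disposition"] = 'attachment; filename="%s.removed.txt"' % name
    return msg.as_string(), stripped


def attachment_names(raw):
    """Filenames of every part that carries one, for checking the result."""
    return [p.get_filename() for p in email.message_from_string(raw).walk() if p.get_filename()]


def build_sample():
    """Constructed message: a text body plus a double-extension .scr attachment."""
    msg = MIMEMultipart()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Photos"
    msg.attach(MIMEText("see attached :)"))
    exe = MIMEApplication(b"MZ\x90\x00" + b"\x00" * 60, Name="photos.zip.scr")
    exe.add_header("Content-Disposition", "attachment", filename="photos.zip.scr")
    msg.attach(exe)
    return msg.as_string()


if __name__ == "__main__":
    out, stripped = neutralize(build_sample())
    print("stripped:", stripped)
    print("attachments now:", attachment_names(out))
```

Matching on the last extension after stripping trailing dots and spaces is the part worth getting right: a worm that ships "invoice.pdf.exe " still opens as an executable, and a filter keyed on the first dot misses it.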