6-Jan-2010 [12:50] -- DRINC solutions (AwesomeX.ocx)
Some time ago I sent the DVlabs guys the solutions to one of the unsolved challenges at ekoparty.
Time has passed, so here are both simple solutions. Funny that these were not caught, since they are so simple and easy to spot...
* Flaw #1
Using Javascript you can instantiate this control and force it to autoupdate from a malicious web server; the only check is a magic flag (54535254h).
It will download the update and execute it... (c:awesomex_update_latest.exe)
Of course, even on legitimate sites using a site-locked ActiveX control, this update path also has problems with MITM, DNS poisoning...
int Download_updates(LPCWSTR lpszServerName, int flag)
The flag comparison is performed at:
.text:100018DD cmp [ebp+flag], 54535254h
* Flaw #2:
On DoFancyStuff (callable through JS) the first argument is a VT_UI4.
There are several checks to see if it is word aligned and below 0x30000000. Then, after some fancy malloc/memcpy stuff, control is transferred to (address*2)+0x14..
.text:10001B87 mov eax, [ebp+pointer]
.text:10001B8A test al, 3
.text:10001B8C jnz loc_10001C34
.text:10001B92 lea ecx, [eax+eax]
.text:10001B95 cmp ecx, 60000000h
.text:10001B9B ja loc_10001C34
.text:10001BA1 test eax, eax
[...]
.text:10001BAB lea esi, [eax+14h]
[...]
.text:10001C2F call esi
With heap spraying we can control that address... and place a shellcode there.
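To make the point concrete, here is an added C model (mine, not code from the challenge or from DVlabs) of the validation shown in the disassembly above, next to the hardened pattern it should have used. The flawed version only constrains alignment and range of an attacker-chosen integer, so any value in that range becomes the call target; the fix is to accept an index into a fixed handler table rather than an address. Names such as awesomex_checks_pass and k_handlers are hypothetical, and only the instructions visible above are modelled (the elided ones are not).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed check, mirroring 10001B8A..10001BA1:
 *   test al,3 / jnz        -> must be 4-byte aligned
 *   lea ecx,[eax+eax]      -> ecx = 2*p (32-bit wraparound, like the lea)
 *   cmp ecx,60000000h / ja -> 2*p must not exceed 0x60000000 (unsigned)
 *   test eax,eax           -> must be non-zero
 * None of this establishes that p points at trusted code. */
static bool awesomex_checks_pass(uint32_t p) {
    if (p & 3u) return false;
    uint32_t doubled = p + p;
    if (doubled > 0x60000000u) return false;
    if (p == 0) return false;
    return true;
}

/* Address the control ends up calling (lea esi,[eax+14h] after the doubling). */
static uint32_t awesomex_call_target(uint32_t p) {
    return p + p + 0x14u;
}

/* Hardened alternative: the caller supplies an index, never an address.
 * Every reachable target is a function compiled into the control. */
typedef void (*handler_fn)(void);
static void handler_a(void) { puts("handler_a"); }
static void handler_b(void) { puts("handler_b"); }
static const handler_fn k_handlers[] = { handler_a, handler_b };
#define K_HANDLER_COUNT (sizeof k_handlers / sizeof k_handlers[0])

/* Returns false (and calls nothing) for any index outside the table. */
static bool dispatch_by_index(uint32_t idx) {
    if (idx >= K_HANDLER_COUNT) return false;
    k_handlers[idx]();
    return true;
}

int main(void) {
    uint32_t p = 0x12345678u;  /* constructed caller-controlled VT_UI4 */
    printf("checks pass: %d, target: 0x%08x\n",
           awesomex_checks_pass(p), awesomex_call_target(p));
    printf("dispatch idx 1: %d, idx 7: %d\n",
           dispatch_by_index(1), dispatch_by_index(7));
    return 0;
}
```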
On another note, please note the website address has changed and the new one is
http://zhodiac.hispahack.com with the new rss feed
http://zhodiac.hispahack.com/rss.php. Old rss will stop working shortly.
Fermin J. Serna - @fjserna