27-May-2010 [11:39] -- Learning ROP on iPhone (ARM)
Some little research on iPhone (non-jailbroken) security and ROP (return oriented programming) this weekend... did not go so far but promises a lot...
Right now controlling most of the interesting registers, including pc, with just two chained ARM gadgets:
(gdb) info reg r0 r1 r2 r3 r4 r5 r6 r7 pc
r0 0x10 16
r1 0x11111111 286331153
r2 0x22222222 572662306
r3 0x33333333 858993459
r4 0x44444444 1145324612
r5 0x55555555 1431655765
r6 0x66666666 1717986918
r7 0x77777777 2004318071
pc 0xdeadbeee -559038738
(gdb)
Gadgets are: (first one borrowed from the zynamics blogpost. Thx guys :)
0x32988d5e - libSystem+000c7d5e - pop {r0, r1, r2, r3, pc}
0x3298cdf6 - libSystem+000cbdf6 - pop {r4, r5, r6, r7, pc}
Now onto some more interesting gadgets to call functions and chain them...
Fermin J. Serna - @fjserna
Comments (0)
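To make the register dump in the post above concrete, here is an added toy model (not code from the post) of how two pop-only gadgets turn stack words into register values. It assumes the libSystem base implied by the two absolute addresses listed (0x328c1000), models nothing but the pop semantics of those two gadgets, and uses a constructed stack layout; the `gadgets_at` helper exists only to show why the same layout stops working as soon as the library is loaded at a different base.

```python
import struct

# libSystem base implied by the absolute gadget addresses in the post
# (0x32988d5e - 0xc7d5e == 0x3298cdf6 - 0xcbdf6 == 0x328c1000).
LIBSYSTEM_BASE = 0x328c1000
OFF_POP_R0_R3 = 0x0c7d5e   # pop {r0, r1, r2, r3, pc}
OFF_POP_R4_R7 = 0x0cbdf6   # pop {r4, r5, r6, r7, pc}


def gadgets_at(base):
    """Gadget table for a libSystem loaded at `base`: address -> registers popped, in order."""
    return {
        base + OFF_POP_R0_R3: ["r0", "r1", "r2", "r3", "pc"],
        base + OFF_POP_R4_R7: ["r4", "r5", "r6", "r7", "pc"],
    }


GADGETS = gadgets_at(LIBSYSTEM_BASE)
GADGET_POP_R0_R3 = LIBSYSTEM_BASE + OFF_POP_R0_R3
GADGET_POP_R4_R7 = LIBSYSTEM_BASE + OFF_POP_R4_R7

# Constructed stack contents from the moment the first gadget starts executing:
# what the corrupted frame has to hold to produce the dump shown in the post.
# Both gadgets are Thumb code, so the second gadget's address carries bit 0 set;
# a pop into pc interworks on that bit and gdb shows the address without it.
EXAMPLE_STACK = [
    0x10, 0x11111111, 0x22222222, 0x33333333,        # r0..r3
    GADGET_POP_R4_R7 | 1,                            # pc -> second gadget
    0x44444444, 0x55555555, 0x66666666, 0x77777777,  # r4..r7
    0xdeadbeef,                                      # pc -> final value (visible as 0xdeadbeee)
]


def pack_stack(words):
    """Little-endian 32-bit words, the layout ARM pops them in."""
    return struct.pack("<%dI" % len(words), *words)


def run_pop_gadgets(stack_bytes, entry_pc, gadgets=GADGETS, max_steps=64):
    """Toy model of pop-only gadgets: `pop {r.., pc}` loads each listed register from
    the next stack word, the last one into pc, which selects the next gadget.
    Nothing else is emulated. Bit 0 of anything written to pc is the Thumb mode
    bit and is cleared from the visible pc. Returns (registers, gadgets executed)."""
    words = list(struct.unpack("<%dI" % (len(stack_bytes) // 4), stack_bytes))
    regs = {"r%d" % i: 0 for i in range(8)}
    regs["pc"] = entry_pc & ~1
    sp, steps = 0, 0
    while regs["pc"] in gadgets and steps < max_steps:
        for reg in gadgets[regs["pc"]]:
            if sp >= len(words):
                raise ValueError("stack exhausted inside gadget at 0x%08x" % regs["pc"])
            value = words[sp]
            sp += 1
            regs[reg] = (value & ~1) if reg == "pc" else value
        steps += 1
    return regs, steps


def demo():
    """Run the constructed layout through the two gadgets at the post's addresses."""
    return run_pop_gadgets(pack_stack(EXAMPLE_STACK), GADGET_POP_R0_R3)


if __name__ == "__main__":
    regs, steps = demo()
    for name in ["r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7", "pc"]:
        print("%-3s 0x%08x" % (name, regs[name]))
    print("gadgets executed:", steps)
```

Running `demo()` reproduces the nine register values from the gdb dump, with pc reading 0xdeadbeee rather than the 0xdeadbeef that sits on the stack because the low bit went into the mode state. Feeding the same stack to `gadgets_at(LIBSYSTEM_BASE + 0x100000)` executes zero gadgets: every code pointer in the layout is absolute, which is exactly the dependency that randomising the library base removes.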
25-Jan-2010 [11:34] -- Firefox 3.6 vulnerability... exploitable?
I was reading the RSS feeds I am subscribed to and found this Firefox 3.6 proof of concept.
A brief scan on the poc looks like an invalid xml file with 30k nested children...
Once I was sure the PoC was clean with no malicious code, I opened windbg and tested it.
Crash is as follows:
xul!NS_Realloc_P+0x3f63:
61b11333 53 push ebx
0:000> r
eax=00000000 ebx=0e45b800 ecx=0d252680 edx=0d926490 esi=00000000 edi=0d86fb48
eip=61b11333 esp=00052ffc ebp=00000000 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
xul!NS_Realloc_P+0x3f63:
61b11333 53 push ebx
0:000> kPn
# ChildEBP RetAddr
00 00000000 00000000 xul!NS_Realloc_P+0x3f63
0:000> q
It is a stack recursion bug... so I do not think we should consider this more than a client side DoS.
Fermin J. Serna - @fjserna
Comments (0)
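The crash above is the general shape of a recursion-depth bug: one native stack frame per nesting level, with the nesting level chosen by whoever supplies the document. As an added illustration (not the Firefox code, and not the PoC), the block below parses a minimal `<a>...</a>` subset two ways over a constructed document with the same 30k nesting as the PoC: a recursive-descent parser whose stack use grows with depth, and an iterative parser that keeps the nesting state on the heap and enforces a depth cap. The cap value is an assumption.

```python
import re

# Deliberately minimal XML subset: <name> and </name>, no attributes, no text.
TAG_RE = re.compile(r"<(/?)([A-Za-z_][\w.-]*)\s*>")


def nested_xml(depth, tag="a"):
    """Constructed input reproducing only the nesting shape of the PoC."""
    return "<%s>" % tag * depth + "</%s>" % tag * depth


def tokenize(doc):
    """List of (is_closing, name) tuples; anything outside tags is ignored."""
    return [(m.group(1) == "/", m.group(2)) for m in TAG_RE.finditer(doc)]


def depth_recursive(doc):
    """Recursive-descent parser: one call frame per nesting level, so the
    document decides how much stack is consumed. CPython turns that into a
    RecursionError; a C parser would overflow the thread stack and crash,
    which is the client-side DoS the post describes."""
    tokens = tokenize(doc)

    def element(i):
        closing, name = tokens[i]
        if closing:
            raise ValueError("unexpected closing tag at token %d" % i)
        i += 1
        deepest = 0
        while i < len(tokens) and not tokens[i][0]:
            child_depth, i = element(i)          # recursion per nested child
            deepest = max(deepest, child_depth)
        if i >= len(tokens) or tokens[i][1] != name:
            raise ValueError("unbalanced element <%s>" % name)
        return deepest + 1, i + 1

    depth, end = element(0)
    if end != len(tokens):
        raise ValueError("trailing tokens after root element")
    return depth


def depth_iterative(doc, max_depth=1024):
    """Same grammar, but nesting state lives in a heap list and is bounded:
    documents deeper than `max_depth` are rejected instead of exhausting the
    stack. 1024 is an assumed cap; choose it per application."""
    stack = []
    deepest = 0
    for closing, name in tokenize(doc):
        if closing:
            if not stack or stack[-1] != name:
                raise ValueError("unbalanced element </%s>" % name)
            stack.pop()
        else:
            stack.append(name)
            if len(stack) > max_depth:
                raise ValueError("nesting depth exceeds limit of %d" % max_depth)
            deepest = max(deepest, len(stack))
    if stack:
        raise ValueError("%d unclosed elements" % len(stack))
    return deepest


if __name__ == "__main__":
    poc_like = nested_xml(30000)
    try:
        depth_recursive(poc_like)
    except RecursionError:
        print("recursive parser: stack exhausted, as with the PoC")
    try:
        depth_iterative(poc_like)
    except ValueError as err:
        print("iterative parser with cap:", err)
    print("iterative parser without cap:", depth_iterative(poc_like, max_depth=10**6))
```

The iterative version is the usual fix for this class of bug, and the depth cap is what turns "parse until the stack runs out" into a clean error the caller can report. Whether a given deep-recursion crash is more than a DoS depends on what the overflowing frames do with memory on the way down; the windbg output above shows only the overflow itself.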
6-Jan-2010 [12:50] -- DRINC solutions (AwesomeX.ocx)
Some time ago I sent to the DVlabs guys the solutions to one of the unsolved challenges at ekoparty.
Time has passed and here are both simple solutions. Funny these were not caught, since they are so simple and easy to spot...
* Flaw #1
Using Javascript you can instantiate this control and force it to autoupdate from a malicious web server; the only check is a magic flag (54535254h).
It will download the update and execute it... (c:awesomex_update_latest.exe)
Of course it also has problems with MITM, DNS poisoning... on legit sites using a site-locked ActiveX control.
int Download_updates(LPCWSTR lpszServerName, int flag)
The flag comparison is performed at:
.text:100018DD cmp [ebp+flag], 54535254h
* Flaw #2:
On DoFancyStuff (callable through JS) the first argument is a VT_UI4. There are several checks to see if it is word aligned and below 0x30000000. And then, after some fancy stuff malloc/memcpy, we will give control to that (address*2)+0x14h..
.text:10001B87 mov eax, [ebp+pointer]
.text:10001B8A test al, 3
.text:10001B8C jnz loc_10001C34
.text:10001B92 lea ecx, [eax+eax]
.text:10001B95 cmp ecx, 60000000h
.text:10001B9B ja loc_10001C34
.text:10001BA1 test eax, eax
[...]
.text:10001BAB lea esi, [eax+14h]
[...]
.text:10001C2F call esi
With heap spraying we can control that address... and place a shellcode there.
On other things, please note the website address has changed and the new one is http://zhodiac.hispahack.com with the new rss feed http://zhodiac.hispahack.com/rss.php. Old rss will stop working shortly.
Fermin J. Serna - @fjserna
Comments (0)
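Flaw #1 in the post above is an update path gated by a constant that any caller of the control can supply. The added block below (not the AwesomeX code) puts that check next to one that binds acceptance to the downloaded bytes themselves. It uses an HMAC with a constructed key as a stand-in for a real code signature, an assumption made to stay within the standard library; in a shipped control the vendor would sign with a private key and the control would verify against an embedded public key, so no secret sits on the client. The payloads and key are constructed sample data.

```python
import hashlib
import hmac

MAGIC_FLAG = 0x54535254  # the constant compared at .text:100018DD in the post


def accept_update_weak(flag, update_bytes):
    """Mirrors the flaw: the only gate before the download is run is a constant.
    The constant is in the binary (it is the immediate of a cmp), so a web page
    scripting the control passes it just as easily as the vendor's updater does.
    `update_bytes` is never looked at."""
    return flag == MAGIC_FLAG


def sign_update(update_bytes, key):
    """Producer side. HMAC-SHA256 stands in for a code signature (assumption)."""
    return hmac.new(key, update_bytes, hashlib.sha256).digest()


def accept_update_verified(update_bytes, tag, key):
    """Consumer side: accept only if the tag verifies over the bytes that were
    actually downloaded. Which server or DNS answer delivered them no longer
    matters, and compare_digest keeps the comparison constant-time."""
    expected = hmac.new(key, update_bytes, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# Constructed sample data: a genuine update and one substituted by a hostile
# server or an on-path attacker, with the genuine tag replayed alongside it.
VENDOR_KEY = b"constructed-signing-key-not-real"
GENUINE = b"MZ constructed genuine awesomex_update_latest payload"
TAMPERED = b"MZ constructed substituted payload"
GENUINE_TAG = sign_update(GENUINE, VENDOR_KEY)


def scenario():
    """Outcome of each check against the genuine and substituted payloads."""
    return {
        "weak_accepts_genuine": accept_update_weak(MAGIC_FLAG, GENUINE),
        "weak_accepts_tampered": accept_update_weak(MAGIC_FLAG, TAMPERED),
        "verified_accepts_genuine": accept_update_verified(GENUINE, GENUINE_TAG, VENDOR_KEY),
        "verified_rejects_tampered": not accept_update_verified(TAMPERED, GENUINE_TAG, VENDOR_KEY),
        "verified_rejects_wrong_key": not accept_update_verified(GENUINE, GENUINE_TAG, b"other-key"),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print("%-26s %s" % (name, outcome))
```

The weak check accepts both payloads because it checks the caller, not the content, and the caller is whoever scripted the control. The verified check is indifferent to the transport, which is what closes the MITM and DNS-poisoning variants the post mentions for otherwise legitimate sites.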
30-Oct-2009 [11:52] -- EMET
I'm not going to copy & paste the blog post... You can read it here...
http://blogs.technet.com/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx
Basically, it is a framework/tool we wrote at Microsoft for testing mitigations, even on downlevel OSes. Special thanks to Andrew Roths and Matt Miller.
Fermin J. Serna - @fjserna
Comments (0)