The sexy side of information security, welcome to PornoSecurity!

Impossible is Nothing

Posted on 2008-08-25 12:59:42 in PornoSecurity


I was looking for a vuln to write an exploit for when I found this PoC.

The author wrote:


     "The reason why there isn't any shellcode here is because the client is
     converting the junk/buffer data to unicode so it's corrupting the shellcode,
     I've tried sending a unicode buffer but the same problem occurs.
     If anyone else can get further please let me know, but I doubt you can."

   

It is for this reason, a small suggestion of impossibility (copyright Phantasmal Phantasmagoria), that I decided to write this. Actually it was pretty funny :)

 

The first problem is how to redirect the execution flow to our buffer. The buffer can be found at three different locations:
  • at some address on the stack converted to unicode
  • at some address on the heap again converted to unicode
  • at some address on the heap in plain ASCII

Unfortunately none of these addresses are unicode friendly :(.
But there is an address on the stack that points into the middle of the buffer (the copy on the stack); all we need is to pop the stack 6 times and then return.
To achieve this we return 2 times on a unicode friendly pop,pop,pop,ret.

 

The second problem is that the buffer on the stack is converted to unicode (so \x41 -> \x00\x41) *and*, with some exceptions, must stay in the \x01 -> \x59 range. So I decided to write a unicode friendly ASM stub that loads the address of the ASCII version of the buffer into EAX using offsets from a register (one somewhat related to our buffer), pushes it and then returns.

 

On my box this works 100 times out of 100 :)

 

Check it out here

Having Fun With Windogs

Posted on 2008-08-11 14:21:03 in PornoSecurity

Oh yes, it's definitely true, I'm actually approaching the wild world of windogs. I started with some simple stack-based buffer overflows, and let me say one thing: they seem to be very, very easy to exploit; kernel32.dll (which is guaranteed to be loaded in every single windozze app) and its friends are full of very useful opcodes.
Heap-based buffer overflows are a bit more tricky, but it's just a matter of playing around for a while with your favourite debugger. At least for windozze <= SP1: SP2 actually introduces a bit more security in the way it manages chunk coalescing. They call it safe unlinking, and it is more or less what glibc adds around version 2.3.5: it basically checks that the prev->next pointer equals the next->prev one before triggering RtlpCoalesceFreeBlocks(). So, I dunno how to defeat it (yet), but if we speak about all of those browser-based vulnerabilities, I mean ActiveX and the like, the good news is that it is possible to adjust the Infernet eXploder heap by playing with javascript, and this is very, very helpful!
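The safe-unlink check mentioned above, as an added example that is not the post's own code and not the Windows heap's or glibc's real allocator: a toy doubly-linked free list in C where the old unchecked unlink sits beside the checked one, plus a second scenario in which one chunk header has been tampered with (simulated by a direct pointer assignment, a constructed stand-in for an overwritten header) so the check refuses to coalesce and leaves the list untouched. The names `unlink_safe`, `unlink_unchecked`, `demo_intact` and `demo_corrupted` are my own.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a doubly-linked free list with the "safe unlink"
 * integrity check described in the post. Constructed for illustration; it is
 * not the Windows heap's or glibc's real allocator code. */
typedef struct chunk {
    struct chunk *prev;
    struct chunk *next;
    size_t size;
} chunk;

/* The list head is a sentinel that points at itself when the list is empty. */
static void list_init(chunk *head) {
    head->prev = head;
    head->next = head;
    head->size = 0;
}

/* Insert c directly after the sentinel. */
static void list_insert(chunk *head, chunk *c) {
    c->next = head->next;
    c->prev = head;
    head->next->prev = c;
    head->next = c;
}

/* Pre-safe-unlink behaviour: two writes driven entirely by the pointers
 * stored in the chunk header, with no check that they are still sane. */
static void unlink_unchecked(chunk *c) {
    c->prev->next = c->next;
    c->next->prev = c->prev;
}

/* Safe unlink: only proceed when both neighbours still point back at c
 * (prev->next == c and next->prev == c). Returns 1 when c was removed and
 * 0 when the list looked corrupted, in which case nothing is written. */
static int unlink_safe(chunk *c) {
    if (c->prev->next != c || c->next->prev != c)
        return 0;                 /* corrupted double-linked list */
    c->prev->next = c->next;
    c->next->prev = c->prev;
    return 1;
}

/* Number of chunks on the list, excluding the sentinel. */
static size_t list_length(const chunk *head) {
    size_t n = 0;
    for (const chunk *c = head->next; c != head; c = c->next)
        n++;
    return n;
}

/* Intact list: head <-> b <-> a <-> head. Both unlink flavours behave the
 * same and the list shrinks by one each time. Returns 1 on the expected
 * outcome. */
int demo_intact(void) {
    chunk head, a, b;
    list_init(&head);
    list_insert(&head, &a);
    list_insert(&head, &b);
    if (!unlink_safe(&a) || list_length(&head) != 1)
        return 0;
    unlink_unchecked(&b);
    return list_length(&head) == 0;
}

/* Corrupted header: a's prev pointer no longer points at its real neighbour
 * (the direct assignment below stands in for an overwritten chunk header).
 * The checked unlink sees that a->prev->next != a, refuses, and leaves the
 * list and the bogus target untouched. Returns 1 on the expected outcome. */
int demo_corrupted(void) {
    chunk head, a, b;
    chunk bogus = { NULL, NULL, 0 };   /* whatever the stale pointer now hits */
    list_init(&head);
    list_insert(&head, &a);
    list_insert(&head, &b);
    a.prev = &bogus;                   /* constructed corruption */
    if (unlink_safe(&a))
        return 0;                      /* should have been rejected */
    return list_length(&head) == 2 && bogus.next == NULL && head.prev == &a;
}

int main(void) {
    printf("intact list unlinked cleanly: %s\n", demo_intact() ? "yes" : "no");
    printf("corrupted list rejected:      %s\n", demo_corrupted() ? "yes" : "no");
    return 0;
}
```

The point of the second scenario is what the check buys you: with `unlink_unchecked` the two pointer writes would have gone through whatever the stale `prev` pointer now references, while `unlink_safe` notices that the neighbours no longer agree and performs no write at all, which is exactly the behaviour the post attributes to the SP2 check before RtlpCoalesceFreeBlocks().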

A Linksys video and an IGSuite exploit

Posted on 2008-06-23 00:01:56 in PornoSecurity


Well, I got bored. I notified Cisco PSIRT and Linksys security on 04/21; they confirmed some of the vulnerabilities and asked for more details. I sent them a pretty dumb-proof report a couple of days after their email, and now it's time to disclose! Here is a sexy video demonstrating the flaws; there's really no need for even a single line of code :)

 

I also posted to milw0rm a fully automated reverse shell exploit (currently waiting for it to be published) that takes advantage of a blind SQL injection vulnerability in IGSuite <= 3.2.4. Enjoy.