PornoSecurity

Opera 9.62 URL Handler Heap Overflow

Posted on 2008-11-18 11:54:10 in PornoSecurity

Hi there, ladies and gents. it's now the Opera turn. :)

As you can see in the comments section send9 contacted me and gave me some details on a reproducible crash he founds in the url:// handler of the Opera browser. I was very busy at the time and so two weeks passed before I found some time to play with the stuff he sends to me.

It is an heap overflow and I  managed to achieve code execution by overwriting a function pointer and using Heap Spraying to put shellcode in a known location. I used a slighty modified version of the heap spraying code you usually find in exploits, this one will not be detected by your antivirus :). It wasn't hard at all to write this sploit because Opera makes massive use of function pointers and the chunk overflowed is just in the middle of some useful structures. Withouth that it would be a pain to exploit this kind of vuln.

Then we, send9 and me, coordinate the disclosure of the vulnerability and the release of the exploit.

As usual you can find the exploit here, and a video demonstration here.

Exploiting BitTorrent

Posted on 2008-10-08 12:26:43 in PornoSecurity

Hi there, i want to tell you about a buffer overflow in the BitTorrent client. Dont worry it is already patched :) This BitTorrent vulnerability hasn't gained much media attention and i really dunno why, the BitTorrent client is installed on so many clients that exploiting this vulnerabily on a large scale could allow someone to build a very large botnet. That's the reason why i will not publish any exploit code for now. Fortunately exploiting this vuln is not so simple as it seems, actually it's pretty hard to achieve stable, windows version independent arbitrary code execution.

The overflow is stack based and the better way to achieve code execution is through the Structured Exception Handler. So you first overwrite the SEH with the usual pop,pop,ret pointer that must be unicode friendly and must be located in bittorrent.exe module, this way your retaddr can be the same through different windows version. Another particularity is that you can't jump the SEH pointer when you fall on your buffer due to the unicode expansion(you could jump only 0 byte ahead) and the fact that conditional jump opcodes are all filtered so your return address should point to a pop,pop,ret and must also be executed without crashing the application. So it must also be a NOP from the attacker perspective.

Then you could think that you can use the venetian method to build a shellcode on the stack and execute it, right? Well, you can't! There's not enough space to execute anything useful. One thing you can do is to use a venetian decoder to build an egghunter that search through the heap for your buffer. That's what I've done.

Again you could think that's all: find your buffer, jump to it and use the venetian technique to build your shellcode.... unfortunately you can't, the memory region where your code resides is not writable anymore!

The trick I used is to write after the egghunter a small decoder that push the buffer on the stack decoding it in its original form. Basically it starts from the end and copy byte a byte omitting \x00 then push ESP and finally return.

Here is a live demonstration, enjoy! :)

Impossible is Nothing

Posted on 2008-08-25 12:59:42 in PornoSecurity

I was looking for a vuln to write an exploit for when I found this PoC.

The author wrote:

     "The reason why there isnt any shellcode here is because the client is
     coverting the junk/buffer data to unicode so its corrupting the shellcode,
     ive tried sending unicode buffer but the same problem occurs.
     if anyone else can get further please let me know. but i doubt you can"

• at some address on the stack converted to unicode
• at some address on the heap again converted to unicode
• at some address on the heap in plain ASCII