Nelson Brito, profile picture
Uploaded byNelson Brito
1,161 views

[PH-Neutral 0x7db] Exploit Next Generation®

The document discusses the challenges and methodologies related to exploiting 0-day vulnerabilities, focusing on the eng++ approach which utilizes permutation-oriented programming to overcome traditional pattern-matching detection. It highlights various evasion techniques, tools, and examples of server and client-side vulnerabilities such as ms02-039 and ms08-078. The overall aim is to improve exploitation reliability by manipulating vulnerable ecosystems and enhancing the understanding of existing vulnerabilities.

Embed presentation

1 / 105
2 / 105
3 / 105
4 / 105
5 / 105
6 / 105
7 / 105
8 / 105
9 / 105
10 / 105
11 / 105
12 / 105
13 / 105
14 / 105
15 / 105
16 / 105
17 / 105
18 / 105
19 / 105
20 / 105
21 / 105
22 / 105
23 / 105
24 / 105
25 / 105
26 / 105
27 / 105
28 / 105
29 / 105
30 / 105
31 / 105
32 / 105
33 / 105
34 / 105
35 / 105
36 / 105
37 / 105
38 / 105
39 / 105
40 / 105
41 / 105
42 / 105
43 / 105
44 / 105
45 / 105
46 / 105
47 / 105
48 / 105
49 / 105
50 / 105
51 / 105
52 / 105
53 / 105
54 / 105
55 / 105
56 / 105
57 / 105
58 / 105
59 / 105
60 / 105
61 / 105
62 / 105
63 / 105
64 / 105
65 / 105
66 / 105
67 / 105
68 / 105
69 / 105
70 / 105
71 / 105
72 / 105
73 / 105
74 / 105
75 / 105
76 / 105
77 / 105
78 / 105
79 / 105
80 / 105
81 / 105
82 / 105
83 / 105
84 / 105
85 / 105
86 / 105
87 / 105
88 / 105
89 / 105
90 / 105
91 / 105
92 / 105
93 / 105
94 / 105
95 / 105
96 / 105
97 / 105
98 / 105
99 / 105
100 / 105
101 / 105
102 / 105
103 / 105
104 / 105
105 / 105
Exploit Next Generation® “Missão dada é missão cumprida!”
Agenda
Agenda • 0001 – Introduction
Agenda • 0001 – Introduction • 0010 – Brain at work
Agenda • 0001 – Introduction • 0010 – Brain at work • 0011 – ENG++ approach
Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0011 – ENG++ approach
Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0101 – Conclusions • 0011 – ENG++ approach
Agenda • 0001 – Introduction • 0100 – Demonstration • 0010 – Brain at work • 0101 – Conclusions • 0011 – ENG++ approach • 0110 – Questions and Answers
nbrito@pitbull:~$ whoami
nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems
nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro
nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro • Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™
nbrito@pitbull:~$ whoami • Nelson Brito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro • Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™ • WEB: • http://fnstenv.blogspot.com/ • http://twitter.com/nbrito
0001 – Introduction “Because five bytes can make the difference”
Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware • This technology is as need today as it was in the of its existence. past, but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the 0-day will expire – since a patch or • No matter how fast is the pattern-matching a mitigation is released (which comes first). algorithm, if a pattern does not match, it means that there is no vulnerability exploitation. • So we can conclude that, once expired (patched or mitigated), 0-day has no more value. If you • No vulnerability exploitation, no protection do not believe me, you can try to sell a well- action… But what if the pattern is wrong? known vulnerability to your vulnerability- broker. • How can we guarantee that the pattern, which was not matched, is the correct approach for a • Some security solutions fight against 0-day faster protection action? Was the detection really than the affected vendor. designed to detect the vulnerability?
Current evasion techniques (a.k.a. TT) Techniques Tools • Packet fragmentation – Overlapping fragments • Fragroute / Fragrouter • Stream segmentation – Overlapping segments • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / “rpc-evade-poc.pl” / Others • URL obfuscation (+ SSL encryption) • “predator” • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
What is Exploit Next Generation®? The scenario The methodology • Remember: “Some security solutions fight against • To circumvent or avoid a pattern-matching 0-day faster than the affected vendor”. detection, there are two options: – Easier: know how the vulnerability is • This protection (mitigation) has a long life, and detected (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: • ENG++ is the hardest option: vulnerability mitigated, no patch… – Deep analysis of a vulnerability. – Use all the acquired knowledge to offer a • But what if an old and well-known variety of decision points (variants). vulnerability could be exploited, even on this – Interact with the trigger and the security approach model? additional entities, preparing the vulnerable ecosystem and performing • According to pattern-matching, any new some memory manipulation . variant of an old vulnerability exploitation is – Use randomness to provide unpredictable considered a new vulnerability, because there is payloads, i.e., permutation. no pattern to be matched yet!
ENG++ (pronounced /ěn’jĭn/ incremented) The truth The examples • ENG++ methodology deals with vulnerable • Server-side vulnerabilities: ecosystem and memory manipulation, rather – MS02-039: CVE-2002-0649/CWE-120. than shellcode – it is neither a new polymorphic shellcode technique, nor an – MS02-056: CVE-2002-1123/CWE-120. obfuscation technique, instead, ENG++ employs “Permutation Oriented Programming”. • Client-side vulnerabilities: – MS08-078: CVE-2008-4844/CWE-367. • ENG++ methodology can be applied to work with: Rapid7 Metasploit Framework, CORE Impact Pro, – MS09-002: CVE-2009-0075/CWE-367. Immunity CANVAS Professional, and stand-alone proof-of-concepts (a.k.a. freestyle coding). • Windows 32-bit shellcodes: – 波動拳: “CMD /k”. • ENG++ methodology is neither an additional – 昇龍拳: “CMD /k set DIRCMD=/b”. entropy for tools mentioned above, nor an Advanced Evasion Technique (AET). Instead, ENG++ methodology can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • ENG++ methodology maintains the exploitation examples for client-side in HTML and JavaScript. reliability, even using random decisions, it is able to achieve all exploitation requirements.
What if… exploit #1
What if… exploit #1 exploit #2
What if… exploit #1 exploit #N exploit #2
What if… exploit #1 exploit #N exploit #2 shared zone
What if… exploit #1 exploit #N exploit #2 shared zone
What if… exploit #1 exploit #N exploit #2 shared zone Exploit Next Generation®
0010 – Brain at work “Hardest option”
Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0- 1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
MS02-039 (CVE-2002-0649/CWE-120)
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367)
MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance
MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance
0011 – ENG++ approach Permutation Oriented Programming Also known as “(Re)searching for alternatives”
ENG++ approach Vulnerability
ENG++ approach Vulnerability Vulnerable Ecosystem
ENG++ approach Vulnerability Vulnerable Documentation? Ecosystem
ENG++ approach Vulnerability Vulnerable Documentation? Document Ecosystem
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives Trigger Additional Entities
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Alternatives Additional Entities
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Alternatives Additional Entities
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Arbitrary code Alternatives Additional Entities Attack detection
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Obfuscation? Trigger Arbitrary code Alternatives Additional Entities Attack detection
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Arbitrary code Alternatives Additional Entities Attack detection Permutation?
ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives Obfuscation? Trigger Arbitrary code Alternatives Additional Entities Attack detection Permutation?
MS02-039 (CVE-2002-0649/CWE-120) POPed • SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, – 115 permutations. except: 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. • Writable address and memory alignment: – 24,000 permutations. – There are 26,758 new writable addresses within SQLSORT.DLL (Microsoft SQL Server • Return address: 2000 SP0-2). There are much more – Uses the “jump to register” technique, in writable addresses if do not mind making this case the ESP register. it hardcoded. – Tools: “IDA Pro 5.0 Freeware” by Hex- – There are four (4) new possible return addresses within SQLSORT.DLL (Microsoft Rays, and “OlyDBG 2.01 alpha 2” by SQL Server 2000 SP0-2). There are much Oleh Yuschuk. more return addresses if do not mind – 26,758 permutations. making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, • Padding and memory alignment: (“Hacking Proof your Network – Second – ASCII hexa values from 0x01 to 0xff. Edition”, 2002), and “DumpOp.c” by Koskya – The length may vary, depending on JUMP, Kortchinsky (“Macro reliability in Win32 from 3,048 to 29,210 possibilities. Exploits” – Black Hat Europe, 2007). – 29,210 permutations. – 4 permutations.
MS08-078 (CVE-2008-4844/CWE-367) POPed
MS08-078 (CVE-2008-4844/CWE-367) POPed
MS08-078 (CVE-2008-4844/CWE-367) POPed • CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML Elements think so… to Data”) there are, at least, fifteen (15) bindable HTML elements available, but only • XML Data Island: five (5) elements are useful. – There are two (2) options: using the – The HTML element is a key trigger, because Dynamic HTML (DHTML) <XML> element it points to a dereferenced XML DSO, but it within the HTML document or overloading does not have to be the same HTML element the HTML <SCRIPT> element. Unfortunately, to do so – it can be any mixed HTML the HTML <SCRIPT> element is useless. element. – The <XML> element accepts a combination – 25 permutations. of different types of elements, i.e., they can be anything. • Return address: – Uses “Heap Spray” technique, in this case • XML Data Source Object (DSO): the XML DSO handles the return address, – Characters like “<” and “&” are illegal in and can use “.NET DLL” technique by Mark <XML> element. To avoid errors <XML> Dowd and Alexander Sotirov (“How to element can be defined as CDATA (Unparsed Impress Girls with Browser Memory Character Data). But the <XML> element Protection Bypasses” – Black Hat USA, 2008). can be also defined as “&lt;” instead of “<”. – There are, at least, four (4) new possible – Both <IMG SRC= > and <IMAGE SRC= > return addresses. elements are useful as a XML DSO. – 4 permutations. – 4 permutations.
0100 – Demonstration
What demo? The examples applying ENG++ methodology will be available – as soon as I connect to Internet. Thus you will be able to test by yourselves!!!
0101 – Conclusions
Conclusions • Some examples, applying ENG++ methodology, • The ENG++ methodology is not part of any will be available. For further details, please refer commercial or public tool and is freely available, to: although the examples were ported to work with Rapid7 Metasploit Framework – this is to show – http://fnstenv.blogspot.com/ how flexible its approach and deployment is – hoping it can help people to understand the • ENG++ examples are licensed under GNU threat, improving their infra-structure, security General Public License version 2. solutions and development approach. • ENG++ methodology can be freely applied, there • The examples cover pretty old vulnerabilities, such are no restrictions… No other than laziness. as: – MS02-039: 3,231 days since published. • ENG++ methodology can help different people, – MS02-056: 3,161 days since published. performing different tasks, such as: – MS08-078: 893 days since published. – Penetration-testing. – MS09-002: 838 days since published. – Development of exploit and proof-of-concept tools. – Evaluation and analysis of security solutions. • ENG++ is also not new: – Quality assurance for security solution. – Encore-NG: 980 days since BUGTRAQ and – Development of detection and protection FULL-DISCLOSURE. mechanisms. – ENG++ : 546 days since H2HC 6th Edition. – Etc…
0110 – Questions & Answers
Any questions?
[PH-Neutral 0x7db] Exploit Next Generation®

More Related Content

PDF
Protocol T50: Five months later... So what?
byNelson Brito
 
PDF
The hangover: A "modern" (?) high performance approach to build an offensive ...
byNelson Brito
 
PDF
Offensive cyber security: Smashing the stack with Python
byMalachi Jones
 
PDF
A client-side vulnerability under the microscope!
byNelson Brito
 
PDF
Embedded device hacking Session i
byMalachi Jones
 
PDF
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
byHackito Ergo Sum
 
PPT
OWASP Much ado about randomness
byAleksandr Yampolskiy
 
PDF
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
byeurobsdcon
 
Protocol T50: Five months later... So what?
byNelson Brito
 
The hangover: A "modern" (?) high performance approach to build an offensive ...
byNelson Brito
 
Offensive cyber security: Smashing the stack with Python
byMalachi Jones
 
A client-side vulnerability under the microscope!
byNelson Brito
 
Embedded device hacking Session i
byMalachi Jones
 
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
byHackito Ergo Sum
 
OWASP Much ado about randomness
byAleksandr Yampolskiy
 
The entropic principle: /dev/u?random and NetBSD by Taylor R Campbell
byeurobsdcon
 

What's hot

PDF
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
byFFRI, Inc.
 
PDF
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
byPositive Hack Days
 
PDF
Mind your language(s), A Discussion about Languages and Security
byAdaCore
 
PPTX
Slide cipher based encryption
byMizi Mohamad
 
PDF
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
byMaksim Shudrak
 
PDF
How to find_vulnerability_in_software
bysanghwan ahn
 
PDF
IRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
byIRJET Journal
 
PDF
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
byUniversitat Politècnica de Catalunya
 
PDF
A22 Introduction to DTrace by Kyle Hailey
byInsight Technology, Inc.
 
PPTX
Secure coding for developers
bysluge
 
PDF
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
byCODE BLUE
 
PDF
44CON London - Attacking VxWorks: from Stone Age to Interstellar
by44CON
 
PDF
Tools and Techniques for Understanding Threading Behavior in Android
byIntel® Software
 
PDF
David-FPGA
byguest66dc5f
 
PPTX
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
byIgor Korkin
 
PPT
Uvm dcon2013
bysean chen
 
PDF
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
byJoe Sylve
 
PDF
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
byAdaCore
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
byFFRI, Inc.
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
byPositive Hack Days
 
Mind your language(s), A Discussion about Languages and Security
byAdaCore
 
Slide cipher based encryption
byMizi Mohamad
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
byMaksim Shudrak
 
How to find_vulnerability_in_software
bysanghwan ahn
 
IRJET- Data Analysis for Braking System in Time Domain for Fault Diagnosis
byIRJET Journal
 
Attention-based Models (DLAI D8L 2017 UPC Deep Learning for Artificial Intell...
byUniversitat Politècnica de Catalunya
 
A22 Introduction to DTrace by Kyle Hailey
byInsight Technology, Inc.
 
Secure coding for developers
bysluge
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
byCODE BLUE
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
by44CON
 
Tools and Techniques for Understanding Threading Behavior in Android
byIntel® Software
 
David-FPGA
byguest66dc5f
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
byIgor Korkin
 
Uvm dcon2013
bysean chen
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
byJoe Sylve
 
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
byAdaCore
 

Viewers also liked

ODP
Microsoft GDI+ JPEG Integer Underflow Vulnerability
byAshish Malik
 
PDF
Cloud: Should I Stay or Should I Go?
byMarcelo Martins
 
PDF
Permutation Oriented Programming: (Re)searching for alternatives!
byNelson Brito
 
PDF
Gestão de Patches e Vulnerabilidades
byMarcelo Martins
 
PDF
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
byStefan Esser
 
PDF
Secure Application Development in the Age of Continuous Delivery
byBlack Duck by Synopsys
 
PDF
Exploit Next Generation®: Missão dada é missão cumprida!
byNelson Brito
 
PPTX
Hexadecimal (Calculations and Explanations)
byProject Student
 
PDF
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
byNelson Brito
 
PDF
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
byNelson Brito
 
PDF
The Departed: Exploit Next Generation® – The Philosophy
byNelson Brito
 
PDF
Permutation Oriented Programming
byNelson Brito
 
PPTX
Workforce Planning (Process, Labour Shortage, Excess Labour)
byProject Student
 
PPTX
Changes in working practices
byProject Student
 
PPTX
Programming Languages / Translators
byProject Student
 
PPTX
FormacaoCrypto
byIgor Antunes
 
PPTX
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
byProject Student
 
PDF
The Caesar Cipher
byAnnalisa Di Pierro
 
PDF
Patch and Vulnerability Management
byMarcelo Martins
 
PPTX
Cryptography - 101
byn|u - The Open Security Community
 
Microsoft GDI+ JPEG Integer Underflow Vulnerability
byAshish Malik
 
Cloud: Should I Stay or Should I Go?
byMarcelo Martins
 
Permutation Oriented Programming: (Re)searching for alternatives!
byNelson Brito
 
Gestão de Patches e Vulnerabilidades
byMarcelo Martins
 
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
byStefan Esser
 
Secure Application Development in the Age of Continuous Delivery
byBlack Duck by Synopsys
 
Exploit Next Generation®: Missão dada é missão cumprida!
byNelson Brito
 
Hexadecimal (Calculations and Explanations)
byProject Student
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
byNelson Brito
 
"Touching the UNTOUCHABLE" (YSTS Seventh Edition)
byNelson Brito
 
The Departed: Exploit Next Generation® – The Philosophy
byNelson Brito
 
Permutation Oriented Programming
byNelson Brito
 
Workforce Planning (Process, Labour Shortage, Excess Labour)
byProject Student
 
Changes in working practices
byProject Student
 
Programming Languages / Translators
byProject Student
 
FormacaoCrypto
byIgor Antunes
 
Product (Product Portfolio, Branding, USP, Product Depth and Breadth, Product...
byProject Student
 
The Caesar Cipher
byAnnalisa Di Pierro
 
Patch and Vulnerability Management
byMarcelo Martins
 
Cryptography - 101
byn|u - The Open Security Community
 

Similar to [PH-Neutral 0x7db] Exploit Next Generation®

PDF
"ENG++: Permutation Oriented Programming" por Nelson Brito
bySegInfo
 
PDF
Vale Security Conference - 2011 - 13 - Nelson Brito
byVale Security Conference
 
PDF
Dan Guido SOURCE Boston 2011
bySource Conference
 
PPT
B-Sides Seattle 2012 Offensive Defense
byStephan Chenette
 
PPTX
2013 Security Threat Report Presentation
bySophos
 
PPTX
Vulnerability, exploit to metasploit
byTiago Henriques
 
PPTX
Exploitation techniques and fuzzing
byPrachi Gulihar
 
PDF
Hacking school computers for fun profit and better grades short
byVincent Ohprecio
 
PDF
TS-5358
bytutorialsruby
 
PDF
TS-5358
bytutorialsruby
 
PPTX
IBM Smarter Business 2012 - IBM Security: Threat landscape
byIBM Sverige
 
DOC
Web Hacking
byagung sundoro
 
PDF
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
byArea41
 
PPTX
Top Application Security Trends of 2012
byDaveEdwards12
 
PDF
Threats, Threat Modeling and Analysis
byIan G
 
PDF
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
PDF
Web Application Security Guide by Qualys 2011
bynat page
 
PDF
Qg was guide
bynat page
 
PDF
The Magic of Symbiotic Security
byDenim Group
 
PDF
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
byAditya K Sood
 
"ENG++: Permutation Oriented Programming" por Nelson Brito
bySegInfo
 
Vale Security Conference - 2011 - 13 - Nelson Brito
byVale Security Conference
 
Dan Guido SOURCE Boston 2011
bySource Conference
 
B-Sides Seattle 2012 Offensive Defense
byStephan Chenette
 
2013 Security Threat Report Presentation
bySophos
 
Vulnerability, exploit to metasploit
byTiago Henriques
 
Exploitation techniques and fuzzing
byPrachi Gulihar
 
Hacking school computers for fun profit and better grades short
byVincent Ohprecio
 
TS-5358
bytutorialsruby
 
TS-5358
bytutorialsruby
 
IBM Smarter Business 2012 - IBM Security: Threat landscape
byIBM Sverige
 
Web Hacking
byagung sundoro
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
byArea41
 
Top Application Security Trends of 2012
byDaveEdwards12
 
Threats, Threat Modeling and Analysis
byIan G
 
Software Security Engineering (Learnings from the past to fix the future) - B...
byDebasisMohanty43
 
Web Application Security Guide by Qualys 2011
bynat page
 
Qg was guide
bynat page
 
The Magic of Symbiotic Security
byDenim Group
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
byAditya K Sood
 

More from Nelson Brito

PDF
SQL Fingerprint NG - A Next Generation DB Scanner
byNelson Brito
 
PDF
Próximo passo evolutivo de um DB Scanner
byNelson Brito
 
PDF
Reversing Engineer: Dissecting a "Client Side" Vulnerability in the APT era
byNelson Brito
 
PDF
Inception: Support Slides
byNelson Brito
 
PDF
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
byNelson Brito
 
PDF
Keynote: Where is my identity?
byNelson Brito
 
PDF
Worms 2.0: Evolution — From SyFy to "You Die"
byNelson Brito
 
PDF
Inception: A reverse-engineer horror History
byNelson Brito
 
PPT
Worms: Conheça o inimigo e defenda-se
byNelson Brito
 
SQL Fingerprint NG - A Next Generation DB Scanner
byNelson Brito
 
Próximo passo evolutivo de um DB Scanner
byNelson Brito
 
Reversing Engineer: Dissecting a "Client Side" Vulnerability in the APT era
byNelson Brito
 
Inception: Support Slides
byNelson Brito
 
DoS: From "Galactic Network" to "Service Unavailable" (Support Slides)
byNelson Brito
 
Keynote: Where is my identity?
byNelson Brito
 
Worms 2.0: Evolution — From SyFy to "You Die"
byNelson Brito
 
Inception: A reverse-engineer horror History
byNelson Brito
 
Worms: Conheça o inimigo e defenda-se
byNelson Brito
 

Recently uploaded

PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 

[PH-Neutral 0x7db] Exploit Next Generation®

  • 1.
    Exploit Next Generation® “Missãodada é missão cumprida!”
  • 2.
  • 3.
    Agenda • 0001 –Introduction
  • 4.
    Agenda • 0001 –Introduction • 0010 – Brain at work
  • 5.
    Agenda • 0001 –Introduction • 0010 – Brain at work • 0011 – ENG++ approach
  • 6.
    Agenda • 0001 –Introduction • 0100 – Demonstration • 0010 – Brain at work • 0011 – ENG++ approach
  • 7.
    Agenda • 0001 –Introduction • 0100 – Demonstration • 0010 – Brain at work • 0101 – Conclusions • 0011 – ENG++ approach
  • 8.
    Agenda • 0001 –Introduction • 0100 – Demonstration • 0010 – Brain at work • 0101 – Conclusions • 0011 – ENG++ approach • 0110 – Questions and Answers
  • 9.
  • 10.
    nbrito@pitbull:~$ whoami • NelsonBrito: • Security researcher enthusiast • Addict for (in)security systems
  • 11.
    nbrito@pitbull:~$ whoami • NelsonBrito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro
  • 12.
    nbrito@pitbull:~$ whoami • NelsonBrito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro • Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™
  • 13.
    nbrito@pitbull:~$ whoami • NelsonBrito: • Security researcher enthusiast • Addict for (in)security systems • Home town: – Rio de Janeiro • Public tools: • T50 Experimental Mixed Packet Injector • ENG++ SQL Fingerprint™ • WEB: • http://fnstenv.blogspot.com/ • http://twitter.com/nbrito
  • 14.
    0001 – Introduction “Becausefive bytes can make the difference”
  • 15.
    Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware • This technology is as need today as it was in the of its existence. past, but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the 0-day will expire – since a patch or • No matter how fast is the pattern-matching a mitigation is released (which comes first). algorithm, if a pattern does not match, it means that there is no vulnerability exploitation. • So we can conclude that, once expired (patched or mitigated), 0-day has no more value. If you • No vulnerability exploitation, no protection do not believe me, you can try to sell a well- action… But what if the pattern is wrong? known vulnerability to your vulnerability- broker. • How can we guarantee that the pattern, which was not matched, is the correct approach for a • Some security solutions fight against 0-day faster protection action? Was the detection really than the affected vendor. designed to detect the vulnerability?
  • 16.
    Current evasion techniques(a.k.a. TT) Techniques Tools • Packet fragmentation – Overlapping fragments • Fragroute / Fragrouter • Stream segmentation – Overlapping segments • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / “rpc-evade-poc.pl” / Others • URL obfuscation (+ SSL encryption) • “predator” • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
  • 17.
    What is ExploitNext Generation®? The scenario The methodology • Remember: “Some security solutions fight against • To circumvent or avoid a pattern-matching 0-day faster than the affected vendor”. detection, there are two options: – Easier: know how the vulnerability is • This protection (mitigation) has a long life, and detected (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: • ENG++ is the hardest option: vulnerability mitigated, no patch… – Deep analysis of a vulnerability. – Use all the acquired knowledge to offer a • But what if an old and well-known variety of decision points (variants). vulnerability could be exploited, even on this – Interact with the trigger and the security approach model? additional entities, preparing the vulnerable ecosystem and performing • According to pattern-matching, any new some memory manipulation . variant of an old vulnerability exploitation is – Use randomness to provide unpredictable considered a new vulnerability, because there is payloads, i.e., permutation. no pattern to be matched yet!
  • 18.
    ENG++ (pronounced /ěn’jĭn/incremented) The truth The examples • ENG++ methodology deals with vulnerable • Server-side vulnerabilities: ecosystem and memory manipulation, rather – MS02-039: CVE-2002-0649/CWE-120. than shellcode – it is neither a new polymorphic shellcode technique, nor an – MS02-056: CVE-2002-1123/CWE-120. obfuscation technique, instead, ENG++ employs “Permutation Oriented Programming”. • Client-side vulnerabilities: – MS08-078: CVE-2008-4844/CWE-367. • ENG++ methodology can be applied to work with: Rapid7 Metasploit Framework, CORE Impact Pro, – MS09-002: CVE-2009-0075/CWE-367. Immunity CANVAS Professional, and stand-alone proof-of-concepts (a.k.a. freestyle coding). • Windows 32-bit shellcodes: – 波動拳: “CMD /k”. • ENG++ methodology is neither an additional – 昇龍拳: “CMD /k set DIRCMD=/b”. entropy for tools mentioned above, nor an Advanced Evasion Technique (AET). Instead, ENG++ methodology can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • ENG++ methodology maintains the exploitation examples for client-side in HTML and JavaScript. reliability, even using random decisions, it is able to achieve all exploitation requirements.
  • 19.
    What if… exploit #1
  • 20.
    What if… exploit #1 exploit #2
  • 21.
    What if… exploit #1 exploit #N exploit #2
  • 22.
    What if… exploit #1 exploit #N exploit #2 shared zone
  • 23.
    What if… exploit #1 exploit #N exploit #2 shared zone
  • 24.
    What if… exploit #1 exploit #N exploit #2 shared zone Exploit Next Generation®
  • 25.
    0010 – Brainat work “Hardest option”
  • 26.
    Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0- 1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – XML Data Island feature enabled (default). – SQL Request CLNT_UCAST_INST. – DHTML with embedded Data binding. – INSTANCENAME >= 96 bytes. – XML Data Source Object (DSO). – INSTANCENAME != NULL. – Data Consumer (HTML element) pointing to a dereferenced XML DSO.
  • 27.
  • 28.
  • 29.
  • 30.
    MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 31.
    MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 32.
    MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 33.
    MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 34.
    MS02-039 (CVE-2002-0649/CWE-120) trigger ↓ additional entities ↓
  • 35.
    arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 36.
    arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 37.
    arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 38.
    arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 39.
    arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 40.
    arbitrary additional code entities trigger ↓ ↓ ↓ MS02-039 (CVE-2002-0649/CWE-120)
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
    MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 63.
    MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 64.
    MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 65.
    MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 66.
    MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 67.
    MS08-078 (CVE-2008-4844/CWE-367) trigger ↓ arbitrary code ↓
  • 68.
  • 69.
  • 70.
  • 71.
  • 72.
  • 73.
    MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance
  • 74.
    MS08-078 (CVE-2008-4844/CWE-367) bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::SetHRow bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CXfer::CreateBinding bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CXfer::ColumnsChanged bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance
  • 75.
    0011 – ENG++approach Permutation Oriented Programming Also known as “(Re)searching for alternatives”
  • 76.
  • 77.
  • 78.
  • 79.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Ecosystem
  • 80.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem
  • 81.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Alternatives
  • 82.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Alternatives
  • 83.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives
  • 84.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives
  • 85.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
  • 86.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
  • 87.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives
  • 88.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives Trigger Additional Entities
  • 89.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Alternatives Additional Entities
  • 90.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Alternatives Additional Entities
  • 91.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Arbitrary code Alternatives Additional Entities Attack detection
  • 92.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Obfuscation? Trigger Arbitrary code Alternatives Additional Entities Attack detection
  • 93.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Trigger Arbitrary code Alternatives Additional Entities Attack detection Permutation?
  • 94.
    ENG++ approach Vulnerability Vulnerable Documentation? Document Alternatives? Ecosystem Reversing Alternatives? Alternatives Obfuscation? Trigger Arbitrary code Alternatives Additional Entities Attack detection Permutation?
  • 95.
    MS02-039 (CVE-2002-0649/CWE-120) POPed •SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, – 115 permutations. except: 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. • Writable address and memory alignment: – 24,000 permutations. – There are 26,758 new writable addresses within SQLSORT.DLL (Microsoft SQL Server • Return address: 2000 SP0-2). There are much more – Uses the “jump to register” technique, in writable addresses if do not mind making this case the ESP register. it hardcoded. – Tools: “IDA Pro 5.0 Freeware” by Hex- – There are four (4) new possible return addresses within SQLSORT.DLL (Microsoft Rays, and “OlyDBG 2.01 alpha 2” by SQL Server 2000 SP0-2). There are much Oleh Yuschuk. more return addresses if do not mind – 26,758 permutations. making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, • Padding and memory alignment: (“Hacking Proof your Network – Second – ASCII hexa values from 0x01 to 0xff. Edition”, 2002), and “DumpOp.c” by Koskya – The length may vary, depending on JUMP, Kortchinsky (“Macro reliability in Win32 from 3,048 to 29,210 possibilities. Exploits” – Black Hat Europe, 2007). – 29,210 permutations. – 4 permutations.
  • 96.
  • 97.
  • 98.
    MS08-078 (CVE-2008-4844/CWE-367) POPed •CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML Elements think so… to Data”) there are, at least, fifteen (15) bindable HTML elements available, but only • XML Data Island: five (5) elements are useful. – There are two (2) options: using the – The HTML element is a key trigger, because Dynamic HTML (DHTML) <XML> element it points to a dereferenced XML DSO, but it within the HTML document or overloading does not have to be the same HTML element the HTML <SCRIPT> element. Unfortunately, to do so – it can be any mixed HTML the HTML <SCRIPT> element is useless. element. – The <XML> element accepts a combination – 25 permutations. of different types of elements, i.e., they can be anything. • Return address: – Uses “Heap Spray” technique, in this case • XML Data Source Object (DSO): the XML DSO handles the return address, – Characters like “<” and “&” are illegal in and can use “.NET DLL” technique by Mark <XML> element. To avoid errors <XML> Dowd and Alexander Sotirov (“How to element can be defined as CDATA (Unparsed Impress Girls with Browser Memory Character Data). But the <XML> element Protection Bypasses” – Black Hat USA, 2008). can be also defined as “&lt;” instead of “<”. – There are, at least, four (4) new possible – Both <IMG SRC= > and <IMAGE SRC= > return addresses. elements are useful as a XML DSO. – 4 permutations. – 4 permutations.
  • 99.
  • 100.
    What demo? The examples applying ENG++ methodology will be available – as soon as I connect to Internet. Thus you will be able to test by yourselves!!!
  • 101.
  • 102.
    Conclusions • Some examples,applying ENG++ methodology, • The ENG++ methodology is not part of any will be available. For further details, please refer commercial or public tool and is freely available, to: although the examples were ported to work with Rapid7 Metasploit Framework – this is to show – http://fnstenv.blogspot.com/ how flexible its approach and deployment is – hoping it can help people to understand the • ENG++ examples are licensed under GNU threat, improving their infra-structure, security General Public License version 2. solutions and development approach. • ENG++ methodology can be freely applied, there • The examples cover pretty old vulnerabilities, such are no restrictions… No other than laziness. as: – MS02-039: 3,231 days since published. • ENG++ methodology can help different people, – MS02-056: 3,161 days since published. performing different tasks, such as: – MS08-078: 893 days since published. – Penetration-testing. – MS09-002: 838 days since published. – Development of exploit and proof-of-concept tools. – Evaluation and analysis of security solutions. • ENG++ is also not new: – Quality assurance for security solution. – Encore-NG: 980 days since BUGTRAQ and – Development of detection and protection FULL-DISCLOSURE. mechanisms. – ENG++ : 546 days since H2HC 6th Edition. – Etc…
  • 103.
  • 104.