Vulnerability Development mailing list archives
Re: .ida vulnerability..
From: "Joakim Sandstrom" <jode () tribalstorm com>
Date: Thu, 28 Jun 2001 22:27:32 +0200
Lo Again, Answering to my own post, well yes. Many people have been asking about this and that. I'm trying to cover a very common question.

Q: Can't get it to raise an exception when pasting the code onto a telnet 127.0.0.1 80 session.

A: Neither can I. Read the file using C or something and push it over a socket; this will work just fine on a Windows 2000 Professional SP2. I actually managed to reach very close to the same spot (00AA0061) on a Windows 2000 Adv Server running on SP1.. just by pasting the content of the txt file provided onto a telnet 127.0.0.1 80 session. For some reason this worked. Dunno why. Anyway the spot 00AA0061 is empty so you will probably need to fill up the payload a bit to slide down the codes there. This if you are interested in doing so.

Something I'd be glad to hear is about making proof of concept exploits -> Many proof of concept exploits write files. It's cool, I agree it is. But not very educational. IMHO it would be a lot more interesting to just leave the proof of concept in a state where it's up to the exploiter what he/she wants to accomplish? Wouldn't it? It's pretty hard to find out where/when/how nicely running exploits are doing their stuff as they usually are hardly documented at all.

regs,
JODE

----- Original Message -----
From: "Joakim Sandström" <jode () tribalstorm com>
To: "Ryan Permeh" <ryan () eEye com>; "Vuln-Dev" <VULN-DEV () SECURITYFOCUS COM>
Cc: "SKI_BUM" <jeppe () cramon dk>
Sent: Wednesday, June 27, 2001 4:25 PM
Subject: Re: .ida vulnerability..

Thanks, Ok I get your point. And now back to the stuff.. -> I had some time to play with it again. And with some help from eEye's pages I got it right on a win2k sp2 iis5.0. Exploit code attached. Search for the text -> <-- snip --> ÌÌÌÌYOURBADASSCODECOMESHEREREMOVETHEBREAKPOINTFIRST <-- snip --> that IS the point where we will be executing eventually. I know the request isn't the nicest possible.. I'm not an AD however :) I'm not gonna spend more time on this. But if someone does a nice "reverse shell" for example. You could let me know :) I think it should be a matter of just pasting it into the right place and do some cleaning and make sure inetinfo exits nicely (somehow :)).

It works exactly as eEye's probably does. I just found the heap allocation address.. and flooded it a bit to get my code slide down to 00AC0061 .. which is approx 100 bytes above the text I entered above.. It would be nice to know if it hits the same spot on win2k servers and others as well.. so please info about it. And the final note goes -> NO I didn't get it to work just by pasting it into a telnet localhost 80 session. for some reason.

thanks and laters,
JODE

ps. the code does nothing else than launch a breakpoint call at THE (ÌÌÌÌ) location. And for some reason it gets to the breakpoint usually the second time you run it against the IIS.. after that it blows home every time.

----- Original Message -----
From: "Ryan Permeh" <ryan () eEye com>
To: "Joakim Sandström" <jode () tribalstorm com>; "Vuln-Dev" <VULN-DEV () SECURITYFOCUS COM>
Sent: Tuesday, June 26, 2001 6:20 PM
Subject: Re: .ida vulnerability..

well, i suppose i will post a response here, since i was the one that wrote the exploit handed to microsoft.

first, the heap grows with sufficiently large requests. we are talking about 20k+ requests. you probably will get cut off if you try to put 20k chars in the url, and besides, they will probably be converted to garbage anyways (the whole wide char conversion). in the exploit that we gave microsoft, we used a specific header (eeye: data\r\n) to pad our requests onto the heap. I have since heard of some more ways to do this that are more reliable, but have no working code implementing them.

right now, we have gotten code to run on 2k, xp, and nt, all service packs. the code we provided microsoft was tuned out of the box to consistently hit a 2k server/advanced server sp1 install, but it could have been tweaked (we made padding and eip based on command line ops) to work on any of them.

The core reason we have not publicly released (and it seems that the media, along with numerous other sources think we already have), is due to the high skew factor in this. an exploit that runs 90% of the time on sp1 will crash nt 100% of the time. and nt's heap is very sensitive to this, so you basically have to be right on, and it tended to take us about 3-4 times with a debugger to get "right on". This problem is real, and whether we do or do not decide to finally release code, i know of multiple exploits that are in the wild (not public, but not ours, nor based on any code we have produced), some with higher degree of accuracy in differing situations.

In this vein, i believe that it may be a wise thing for this group to examine the following information: http://www.msnbc.com/news/592066.asp?0dm=C1BQT since it definitely affects everyone who deals with vulnerability research. eEye is a commercial organization, and we publish research as part of our commitment to the security community. groups like this threaten to make people and groups that publish vulnerability research into the bad guys, rather than the companies who create vulnerabilities in their systems. just something for everyone to think about.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer

----- Original Message -----
From: "Joakim Sandström" <jode () tribalstorm com>
To: "Vuln-Dev" <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, June 25, 2001 7:11 AM
Subject: .ida vulnerability..

Hi Folks, I had some time off work last weekend so I took a look at the new .ida vulnerability. I was debugging a win2k adv server with sp2 installed. First of all I tried to get eip overrun and successfully did that after trying out different params. The first thing I noticed was that (as stated on eEye's pages) the buffer gets converted to wide character (which makes this really tricky).. But according to eEye's description about the vuln I should be able to push in more stuff and make the heap (or whatever) grow larger so I could produce some of my own input data to appear in mem locations as 00430043. First of all I must admit I didn't succeed. Seems to me that the exceptions from the overflow occur before the "payload" gets parsed into the memory. I can't locate the payload anywhere.. (and in some occasions the actual buffer). From what I know.. I see this as a deadlock situation.. Maybe it's doable.. Though I don't have time to further investigate the vuln.

Has anyone else tried it out? Results? Any certain combinations of payloads and overflow size which produces a good result? I bet this all varies a lot from win2k version and sp versions?

Another thing that wonders me.. Why haven't eEye released the proof of concept they are promising on their website? I'd really like to see (follow the flow) how you can get all this together. The exploit eEye had sent to microsoft was based on win2k prof. and sp1. Is this because it was un-doable on win2k servers?

thanks,
JODE
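The thread above describes what an attack on the Index Server ISAPI extension looks like from the server's side: a request for a .ida/.idq resource that is far larger than any legitimate query (20k+ bytes), often padded through a request header rather than the URL, and containing long runs of a single byte that the extension widens to UTF-16 (the 00430043 pattern the posters mention). The following is an added example for the defender, not code from the thread or from eEye: it scans IIS W3C extended log lines for exactly those traits. The field order, the thresholds (200 query characters, 100-character runs, 8192 request bytes) and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag oversized or padded requests to the Index Server ISAPI extensions
(.ida / .idq) in IIS W3C extended log lines.

Added example, not code from the thread. Field layout, thresholds and the
sample log lines below are constructed assumptions."""
import re
from typing import Dict, List, Optional

# Assumed #Fields order for the constructed log (W3C extended format).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status", "cs-bytes"]

# Requests handled by the Index Server ISAPI extension.
IDA_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)
# A run of 100+ copies of one character in the query string (the thread
# mentions 'C' runs that appear as 00430043 once widened to UTF-16).
RUN_RE = re.compile(r"(.)\1{99,}")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C log line into a field dict; skip comments and blanks."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec: Dict[str, str], max_query_len: int = 200,
             max_request_bytes: int = 8192) -> List[str]:
    """Return the reasons a .ida/.idq request looks abnormal (empty if none)."""
    reasons: List[str] = []
    if not IDA_RE.search(rec["cs-uri-stem"]):
        return reasons
    query = rec["cs-uri-query"]
    if query != "-" and len(query) > max_query_len:
        reasons.append(f"query length {len(query)} > {max_query_len}")
    if query != "-" and RUN_RE.search(query):
        reasons.append("long single-character run in query")
    # Header padding never shows up in the URI fields, so also look at the
    # total request size when the log records it.
    try:
        cs_bytes = int(rec["cs-bytes"])
    except ValueError:
        cs_bytes = 0
    if cs_bytes > max_request_bytes:
        reasons.append(f"request size {cs_bytes} bytes > {max_request_bytes}")
    return reasons


def find_suspicious(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over every parsable line and collect the hits."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"c-ip": rec["c-ip"], "stem": rec["cs-uri-stem"],
                         "reasons": reasons})
    return hits


# Constructed sample log: one oversized .ida query, two benign requests, and
# one .ida request whose size comes from padded headers rather than the URL.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes",
    "2001-06-28 20:27:32 192.0.2.10 GET /default.ida " + "C" * 240 + " 200 21000",
    "2001-06-28 20:28:01 192.0.2.11 GET /index.html - 200 310",
    "2001-06-28 20:28:05 192.0.2.12 GET /query.idq CiRestriction=test 200 412",
    "2001-06-28 20:28:09 192.0.2.13 GET /default.ida - 200 24576",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["c-ip"], hit["stem"], "; ".join(hit["reasons"]))
```

The two checks complement each other: the query-string tests catch the case the first poster tried (everything stuffed into the URL), while the cs-bytes test catches the header-padding approach Ryan describes, which leaves the logged URI looking ordinary. Thresholds should be tuned against the site's own baseline of legitimate Index Server queries before alerting on them.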