Dailydave mailing list archives
Commander Keen in Fonts
From: Dave Aitel <dave () immunityinc com>
Date: Sat, 14 Jan 2006 12:04:20 -0500
So lately we've taken to watching "Commander in Chief" from iTunes. It's basically a poorly written West Wing with a twist: The President is a woman! I think maybe Hillary and Condoleezza got together and decided to throw it up as a political balloon to see how the ratings went. Based on my viewings: They didn't go so well.

As an example, in the last episode we downloaded for two dollars, the president says to torture some dude. About five seconds later the Secretary of Defense says "We've got a complete list of the terrorists!" They fade out for commercial, which has been cut, so they fade back in to, and I'm paraphrasing from memory here, but not by much:

Secretary of Defense: We've captured all the terrorists.
President: That's great!
President's Daughter: Yay, you've saved Halloween!
Speaker of the House: Clever girl. Clever, clever girl. <evil laugh>
President: Torture is bad, mmkay?

Classically bad writing like that would give Aaron Sorkin an embolism. But we watch it anyways because IPTV has yet to truly take off and otherwise the Mac just sits there being expensive for no reason. There's something about the visual representation of actually catching the terrorists that's important. Even if it wastes a lot of time on a foregone conclusion, I feel like I should see a few explosions before you announce the terrorists are all nicely sitting in a jail cell drinking tea and commenting on their roles in the plot.

In some ways, CANVAS is about visualization as well. There aren't many people who can manage running 5 different connections over Hydrogen and maintain the state of things in their head for multiple exploitation threads. Likewise, the number of people who can take t2embed.dll and say "I'm going to create a font file from scratch" is quite small. But with BinNavi, it's about a 40 hour job for someone moderately skilled with Ollydbg, which is "What I did this week for Partner's".

I dunno how long it took Piotr and Fang Xing to find it originally. I have to hope more than 40 hours. I honestly don't know how the IDS companies are going to find this sort of thing. It's not trivial to detect since you can loop around a few hundred times before you send a bad Huffman table. Once you've access violated it a few different ways, it's then a matter of another 400 hours writing a reliable heap exploit, sadly.

So here's my thought of the day. To get and use a reliable exploit I use a large set of complex visualization tools:

1. BinNavi and Ollydbg, both high quality tools for visualizing the flow of data through a program to get to where you want to be. This results in a POC that crashes something: http://www.immunityinc.com/partners-index.shtml
2. Nicolas Waisman's plugins and specialized debuggers for heap analysis. Ideally, I'd "visualize" this by posting "Nico, can you write the eot exploit" to #immunity. This is the equivalent of hoping someone walks up to you and says "We've captured all the terrorists!"
3. CANVAS's GUI to divide the space of exploitation into something my tiny brain can handle.

Anyways, Access Violation == time for a ginger beer. I've spent the last 40 hours obsessed with a file format I'd never heard of before, and now I'm going to go do something else for the weekend and laugh at AV and NIDS vendors claiming to find this EOT bug in arbitrary network streams. :>

-dave