Dailydave mailing list archives

Commander Keen in Fonts


From: Dave Aitel <dave () immunityinc com>
Date: Sat, 14 Jan 2006 12:04:20 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So lately we've taken to watching "Commander in Chief" from iTunes.
It's basically a poorly written West Wing with a twist: The President
is a woman! I think maybe Hillary and Condoleeza got together and
decided to throw it up as a political balloon to see how the ratings
went. Based on my viewings: They didn't go so well.

As an example, in the last episode we downloaded for two dollars, the
president says to torture some dude. About five seconds later the
Secretary of Defense says "We've got a complete list of the
terrorists!" They fade out for commercial, which has been cut, so they
fade back into, and I'm paraphrasing from memory here, but not by much:
Secretary of Defense: We've captured all the terrorists.
President: That's great!
President's Daughter: Yay, you've saved Halloween!
Speaker of the House: Clever girl. Clever, clever girl. <evil laugh>
President: Torture is bad, mmkay?

Classically bad writing like that would give Aaron Sorkin an embolism.
But we watch it anyways because IPTV has yet to truly take off and
otherwise the Mac just sits there being expensive for no reason.

There's something about the visual representation of actually catching
the terrorists that's important. Even if it wastes a lot of time on a
foregone conclusion, I feel like I should see a few explosions before
you announce the terrorists are all nicely sitting in a jail cell
drinking tea and commenting on their roles in the plot.

In some ways, CANVAS is about visualization as well. There's not many
people who can manage running 5 different connections over Hydrogen,
and maintain the state of things in their head for multiple
exploitation threads.  Likewise, the number of people who can take
t2embed.dll and say "I'm going to create a font file from scratch" is
quite small. But with BinNavi, it's about a 40 hour job for someone
moderately skilled with Ollydbg, which is "What I did this week for
Partners". I dunno how long it took Piotr and Fang Xing to find it
originally. I have to hope more than 40 hours. I honestly don't know
how the IDS companies are going to find this sort of thing. It's not
trivial to detect since you can loop around a few hundred times before
you send a bad Huffman table.

Once you've access violated it a few different ways, it's then a
matter of another 400 hours writing a reliable heap exploit, sadly.

So here's my thought of the day. To get and use a reliable exploit I
use a large set of complex visualization tools:

1. BinNavi and Ollydbg, both, high quality tools for visualizing the
flow of data through a program to get to where you want to be. This
results in a POC that crashes something:
http://www.immunityinc.com/partners-index.shtml
2. Nicolas Waisman's plugins and specialized debuggers for heap
analysis. Ideally, I'd "Visualize" this by posting "Nico, can you
write the eot exploit" to #immunity. This is the equivalent of hoping
someone walks up to you and says "We've captured all the terrorists!"
3. CANVAS's GUI to divide the space of exploitation into something my
tiny brain can handle.

Anyways, Access Violation == time for a ginger beer. I've spent the
last 40 hours obsessed with a file format I'd never heard of before,
and now I'm going to go do something else for the weekend and laugh at
AV and NIDS vendors claiming to find this EOT bug in arbitrary
network streams. :>

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDyS8UB8JNm+PA+iURAh7dAJ9scged9ogIFKbue8NGtDVxZjw1LACfalAO
GL/adyEIsqXg9A8Np37AhR0=
=UML1
-----END PGP SIGNATURE-----
