Re: .ida vulnerability..

["Joakim Sandstrom" <jode () tribalstorm com>]

Lo Again,

Answering to my own post, well yes. Many people have been asking about this
and that. I'm trying
to cover a very commong question.

Q: Can't get it to raise an exception when pasting the code with onto a
telnet 127.0.0.1 80 session.

A: Neither can I. Read the file using c or something and push it over a
socket this will work just fine on
a windows 2000 professional sp2. I acctually managed to reach very close to
the same spot (00AA0061)
on a Windows 2000 Adv Server running on sp1.. just by pasting the contect of
the txt file provided onto
a telnet 127.0.0.1 80 session. For some reason this worked. Dunno why.
Anyway the spot 00AA0061 is
empty so you will propably need to fill up the payload abit to slide down
the codes there. This if you are
interested in doing so.

Something I'd be glad to hear is about making proof of concept exploits ->
Many proof of concept
exploits write files. It's cool, I agree it is. But not very educational.
IMHO it would be allot more interesting
to just leave the proof of concept in a state where it's upto the exploiter
what he/she want's to acomplish?
Wouldn't it? It's pretty hard to find out where/when/how nicely running
exploits are doing their stuff as they
usually are hardly documented at all.

regs,
    JODE



----- Original Message -----
From: "Joakim Sandström" <jode () tribalstorm com>
To: "Ryan Permeh" <ryan () eEye com>; "Vuln-Dev" <VULN-DEV () SECURITYFOCUS COM>
Cc: "SKI_BUM" <jeppe () cramon dk>
Sent: Wednesday, June 27, 2001 4:25 PM
Subject: Re: .ida vulnerability..


> Thanks,
>
> Ok I get your point. And now back to the stuff.. ->
>
> I had some time to play with it again. And with some help from eeye's
pages
> I got it right on a win2k sp2 iis5.0. Exploit code attached. Search for
the
> text ->
>
> <-- snip -->
> ÌÌÌÌYOURBADASSCODECOMESHEREREMOVETHEBREAKPOINTFIRST
> <-- snip -->
>
> that IS the point where we will be executing eventually. I know there
> request isn't the nicest possible.. I'm not an AD however :)  I'm not
goona
> spend more time on
> this. But if someone does a nice "reverse shell" for example. You could
let
> me
> know :) I think it should be a matter of just pasting it into the the
right
> place and do
> some cleaning and make sure inetinfo exits nicely (somehow :)). It works
> exactly as eEye's
> probably does. I just found the heap allocation address.. and flooded it
> abit. to get my
> code slide down to 00AC0061 .. which is approx 100bytes above the text I
> entered above..  It
> would be nice to know if it hit's the same spot on win2k servers and
others
> as well.. so
> please info about it. And the final note goes -> NO I didn't get it to
work
> just by pasting it
> into a telnet localhost 80 session. for some reason.
>
> thanks and laters,
>                         JODE
>
>
> ps. the codes does nothing else than launches a breakpoint call at THE
> (ÌÌÌÌ) location
> And for some reason it get's to the breakpoint usually the second time you
> run it against the IIS.. after that
> it blows home every time.
>
>
>
> ----- Original Message -----
> From: "Ryan Permeh" <ryan () eEye com>
> To: "Joakim Sandström" <jode () tribalstorm com>; "Vuln-Dev"
> <VULN-DEV () SECURITYFOCUS COM>
> Sent: Tuesday, June 26, 2001 6:20 PM
> Subject: Re: .ida vulnerability..
>
>
> > well, i suppose i will post a response here, since i was the one that
> wrote
> > the exploit handed to microsoft.
> >
> > firsrt, the heap grows with suffiencintly large requests.  we are
talking
> > about 20k+ requests.
> > you probably will get cutoff if you try to put 20k chars in the url, and
> > besides, they will probably be converted to garbage anyways(the whole
wide
> > char conversion).
> >
> > in the exploit that we gave microsoft, we used a specific header(eeye:
> > data\r\n) to pad our requests onto the heap.  It have since heard of
some
> > more ways to do this that are more reliable, but have no working code
> > implementing them.
> >
> > right now, we have gotten code to run on 2k, xp, and nt, all service
> packs.
> > the code we provided microsoft was tuned out of the box to consistantly
> hit
> > a 2k server/advanced server sp1 install, but it could have been
tweaked(we
> > made padding and eip based on command line ops) to work on any of them.
> >
> > The core reason we have not publicly released(and it seems that the
media,
> > along with numerous other sources think we already have), is due to the
> high
> > skew factor in this.  an exploit that runs 90% of the time on sp1 will
> crash
> > nt 100% of the time.  and nt's heap is very sensitive to this, so you
> > basically have to be right no, and it tended to taske us about 3-4 times
> > with a debugger to get "right on".
> >
> > This problem is real, and whether we do or donot decide to finally
release
> > code, i know of multiple exploits that are in the wild(not public, but
not
> > ours, nor based on any code we have produced), some with higher degree
of
> > accuracy in differing situations.
> >
> >
> > In this vein, i beleive that it may be a wise thing for this group to
> > examine the following information:
> > http://www.msnbc.com/news/592066.asp?0dm=C1BQT
> >
> > since it deffinately affects everyone who deals with vulnerability as
> > research.  eEye is a commercial organization, and we publish research as
> > part of our commitment to the security community, groups like this
> threaten
> > to make people and groups that publish vulnerabilty research into the
bad
> > guys, rather than the companies who create vulnerabilities in their
> systems.
> > just something for everyone to think about.
> >
> >
> > Signed,
> > Ryan Permeh
> > eEye Digital Security Team
> > http://www.eEye.com/Retina -Network Security Scanner
> > http://www.eEye.com/Iris -Network Traffic Analyzer
> >
> > ----- Original Message -----
> > From: "Joakim Sandström" <jode () tribalstorm com>
> > To: "Vuln-Dev" <VULN-DEV () SECURITYFOCUS COM>
> > Sent: Monday, June 25, 2001 7:11 AM
> > Subject: .ida vulnerability..
> >
> >
> > > Hi Folks,
> > >
> > > I had some time off work last weekend so I took a look at the new .ida
> > > vulnerability. I was debugging
> > > a win2k adv server with sp2 installed. First of all I tried to get eip
> > over
> > > run and successfully did
> > > that after trying out different params. The first thing I noticed was
> that
> > > (as stated on eeye's pages) that
> > > the buffer get's converted to wide character (which makes this really
> > > tricky) .. But according to
> > > eeye's description about the vuln I should be able to push in more
stuff
> > and
> > > make the heap (or whatever)grow larger so I could produce some of my
own
> > > input data to appear in mem locations as 00430043.
> > > First of all I must admit I didn't succeed. Seems to me that the
> > exceptions
> > > from the overflow occur before the "payload" get's parsed into the
> memory.
> > I
> > > can't locate the payload anywhere.. (and in some occasions the actual
> > > buffer).
> > > > From what I know.. I see this as a deadlock situation.. Maybe it's
> > doable..
> > > Though I don't have time
> > > to further investigate the vuln. Has anyone else tried it out?
Results?
> > Any
> > > certain combinations of payloads and overflow size which produces a
good
> > > result? I bet this all varies allot form win2k version and sp
versions?
> > > Another thing that wonders me.. Why haven't eeye released the proof of
> > > concept they are promising on their website? I'd really like to see
> > (follow
> > > the flow) how you can get all this together. The exploit eeye had sent
> to
> > > microsoft  was based on win2k prof.and sp1. Is this because it was
> > un-doable
> > > on win2k servers?
> > >
> > >
> > >
> > > thanks,
> > >       JODE