
Thread: multiple bugs (IE)

  1. #1

    multiple bugs (IE)

    Hi,

    I'm new on this forum and this is my first post, so: hello.

    Back to the post: I have a lot (like 1k or so) ***** from different IE crashes.
    I made them while learning how these things work and how I can break/use them.
    (I'm of course still learning this, but) maybe some of you want to help or assist with
    the process of learning how we can exploit vulnerabilities found during fuzzing in different browsers.
    Starting with IE (on XP, let's say).

    If you want more details, feel free to contact me (PM/email).

    Maybe we can write something here like a howto or step-by-step list...

    Thanks.

  2. #2
    Garage Addict 41.w4r10r (Join Date: Jul 2010, Location: Pune, Posts: 338, Blog Entries: 3)
    Welcome to the forum, blankcart,

    Regarding your question about exploiting browsers, the steps are pretty clear:

    1. Identify the browser which you want to fuzz
    2. Find out all the supported features in that browser
    3. Write a fuzzer and start fuzzing
    4. Once you get a crash, check the POC and see if you can reproduce the same crash with that POC
    5. Once you get a stable POC giving the same crash, start analyzing the crash (root cause of the crash, bug type, exploitability, etc.)
    6. Start crafting a POC which can provide you EIP control (heap spray, Low Fragmentation Heap, etc.)
    7. Once you gain control over EIP you need to start writing your ROP chain (this is required on XP with DEP enabled for IE)
    8. Once you are ready with your ROP chain and shellcode, go ahead and pop up calc

  3. #3
    Finally some answers

    Thanks, but it isn't what I wanted.

    Check this out:
    of your steps, I already have a few done:

    1. Identify the browser which you want to fuzz
    done

    2. Find out all the supported features in that browser
    I don't need it at this stage

    3. Write a fuzzer and start fuzzing
    It's also done (not by me, but it's working pretty well)

    4. Once you get a crash, check the POC and see if you can reproduce the same crash with that POC
    And here we go...

    I wrote a little script for windbg to automate the commands I would type during the crash (for example .dump, .logopen, !analyze -f, !heap...)
    And that's how I can generate a lot of fuzzing crashes (with the "poc" already there) - because that's how I understand d00mped memory (d4mnth1sc3nz0r!)

    5. Once you get a stable POC giving the same crash, start analyzing the crash (root cause of the crash, bug type, exploitability, etc.)
    Also my favourite point. So... how do I get this POC from crash.dmp (and/or .log)?

    6. Start crafting a POC which can provide you EIP control (heap spray, Low Fragmentation Heap, etc.)
    It's probably a case for another post, so we will not talk about it here.
    Different crashes, different exploitation...

    7. Once you gain control over EIP you need to start writing your ROP chain (this is required on XP with DEP enabled for IE)
    Like I said, first things first.

    What I need is:
    For example, we have an article like this: http://d0cs4vage.blogspot.com/

    I have "a few" crashes to analyse. Now I need someone who will fill in the blanks in this (your steps)
    in a way I can understand. (For example, you will find that you need to do this and this in the debugger, and the next step is presented
    in image1 - in image1 you will find everything (besides the place where you need to hit the button, for example, to get some information, etc...)

    IRC?

  4. #4
    Garage Addict 41.w4r10r (Join Date: Jul 2010, Location: Pune, Posts: 338, Blog Entries: 3)
    Originally Posted by blankcart:
        5. Once you get a stable POC giving the same crash, start analyzing the crash (root cause of the crash, bug type, exploitability, etc.)
        Also my favourite point. So... how do I get this POC from crash.dmp (and/or .log)?

        IRC?

    OK, so I am a bit confused here... since I am also human.
    You have an HTML file, after loading which you are getting that same crash, right?
    What you have to do now is check the instructions before the crashing instruction and the later instructions to see if there are any call instructions on the register in your control.

    You might love this Garage4hackers Ranchoddas Webcast Done by David Rude II
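As an added example (not code from this thread or from either poster), a small triage script for step 5 and for the windbg logs that blankcart's automation produces: it parses constructed `!analyze -v`-style excerpts, buckets them by faulting symbol+offset so many dumps collapse into a few distinct crashes, and assigns a coarse priority from the faulting instruction, the same check 41.w4r10r describes (an indirect call through a register). The log excerpts and the `mshtml!CExample::*` symbol names are made up for the example; only the field names (`FAULTING_IP`, `READ_ADDRESS`, `WRITE_ADDRESS`) are the ones `!analyze -v` prints.

```python
import re
from collections import defaultdict

# Constructed excerpts in the shape of WinDbg "!analyze -v" output; sample data
# written for this example, with made-up symbol names, not real IE crash logs.
SAMPLE_LOGS = {
    "crash_0001.log": "FAULTING_IP:\nmshtml!CExample::Doc+0x5\n"
                      "6d1a2b10 8b01            mov     eax,dword ptr [ecx]\nREAD_ADDRESS: 00000000\n",
    "crash_0002.log": "FAULTING_IP:\nmshtml!CExample::GetFormat+0x12\n"
                      "6d1c4e22 ff5010          call    dword ptr [eax+10h]\nREAD_ADDRESS: 0c0c0c1c\n",
    "crash_0003.log": "FAULTING_IP:\nmshtml!CExample::Doc+0x5\n"
                      "6d1a2b10 8b01            mov     eax,dword ptr [ecx]\nREAD_ADDRESS: 00000000\n",
    "crash_0004.log": "FAULTING_IP:\nmshtml!CExample::SetFont+0x8\n"
                      "6d1e9a01 8901            mov     dword ptr [ecx],eax\nWRITE_ADDRESS: 0c0c0c0c\n",
}

# FAULTING_IP is followed by a symbol+offset line, then "address bytes mnemonic operands".
FAULT_RE = re.compile(r"FAULTING_IP:\n(?P<symbol>\S+)\n\S+\s+\S+\s+(?P<mnemonic>\w+)\s+(?P<operands>[^\n]*)")
ADDR_RE = re.compile(r"(?P<access>READ|WRITE)_ADDRESS:\s*(?P<addr>[0-9a-fA-F]+)")

def parse_log(text):
    """Extract faulting symbol, instruction and faulting address from one log."""
    fault, addr = FAULT_RE.search(text), ADDR_RE.search(text)
    if not (fault and addr):
        return None  # incomplete log (e.g. !analyze never ran): skip it, do not guess
    return {"symbol": fault["symbol"], "mnemonic": fault["mnemonic"],
            "operands": fault["operands"].strip(), "access": addr["access"].lower(),
            "address": int(addr["addr"], 16)}

def classify(rec):
    """Coarse priority for root-cause work: a write, or an indirect call/jmp through
    a non-NULL pointer, is looked at before a plain NULL-pointer read (usually a DoS)."""
    indirect = rec["mnemonic"] in ("call", "jmp") and "[" in rec["operands"]
    if rec["access"] == "write" or (indirect and rec["address"] >= 0x10000):
        return "high"
    return "low" if rec["address"] < 0x10000 else "medium"

def triage(logs):
    """Bucket logs by faulting symbol+offset so a pile of dumps collapses into a few
    distinct crashes; each bucket lists (log name, priority) for its members."""
    buckets = defaultdict(list)
    for name, text in logs.items():
        rec = parse_log(text)
        if rec:
            buckets[rec["symbol"]].append((name, classify(rec)))
    return dict(buckets)
```

Point `SAMPLE_LOGS` at the `.logopen` files instead of the inline strings and the four sample logs above collapse into three buckets, with the indirect-call and write crashes flagged first.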
