30th August 2010
Archive for August, 2010
26th August 2010
The Exploit Database is happy to announce some exciting EDB community features which have been implemented recently. From the 1st of Sept, 2010, we will be inviting well established exploit writers and EDB “regulars” to have greater involvement with the database.
We will be enabling comments on exploits, as well as a new “Exploit Voting System”, where members will be able to rate exploits for their reliability and functionality.
We believe this involvement will improve the overall user experience, and will definitely add interesting input to our database. On the 1st of October, we will open membership to the general public – stay tuned for more updates.
25th August 2010
Due to the overwhelming number of submissions we are receiving for applications that are vulnerable to DLL Hijacking, we will continue to update this post with submissions we receive rather than continuing to create a separate entry for each one.
17th August 2010
The Abysssec Security Team is about to unleash its Month Of Abysssec Undisclosed Bugs (MOAUB) on us. Starting on the 1st of September, Abysssec will release a collection of 0days, web application vulnerabilities, and detailed binary analyses (with PoCs) of recently released advisories from vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novell and others. The 0day collection includes PoCs and exploits for Microsoft Excel, Internet Explorer, Microsoft codecs, cPanel and others. The MOAUB will be hosted on the Exploit Database and updated daily. Get your hard hats on and your VMs and debugging tools organized; it's going to be an intensive ride. Follow both the Exploit-DB and Abysssec Twitter feeds to keep updated!
4th August 2010
In this post we take a vulnerability in Internet Explorer 6/7 that has already been exploited in a relatively stable manner and attempt to add DEP bypass capability. The main exploit for this vulnerability has been implemented as a Metasploit module ("ms10_018_ie_behaviors" by Moshe Ben Abu of Rec-Sec). It works well on the target platforms but does not bypass DEP (yet).
4th August 2010
In this post we will demonstrate the method described by Mark Dowd and Alex Sotirov for bypassing DEP and ASLR in IE 6/7 running on Windows Vista. The method is simple and effective: we build a .NET ActiveX control that IE will load into its address space. The control is mapped at a fixed, attacker-chosen address and its image is executable, so it gives us a known location to place code. To get there we need two things:
- Make the control load at a constant address by clearing the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in its PE header.
- Set the image base to the address we want.
The IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag tells the loader that the image may be relocated to a randomized base; ASLR on Vista is applied only to images that carry it. Clearing the flag makes the loader map the image at its preferred ImageBase, which removes the ASLR problem, and since we also control the ImageBase field we choose where it lands. Once we gain control of EIP we can jump directly to the code we placed in the control.
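The two header changes above can be applied to an already-compiled DLL without relinking. The script below is an added example, not code from the original post or from Dowd and Sotirov: it walks the DOS header to `e_lfanew`, skips the PE signature and COFF file header to reach the optional header, clears bit 0x0040 (`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE`) in `DllCharacteristics` at offset 70, and rewrites `ImageBase` (offset 28 as a 32-bit value for PE32, offset 24 as a 64-bit value for PE32+). The offsets are from the PE/COFF specification; the sample image it patches is a minimal header constructed inline for offline demonstration, and the file names and the 0x04000000 base are placeholders.

```python
"""Clear IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and set ImageBase in a PE file.

Added example (not from the original post). Header offsets follow the PE/COFF
specification; the sample image below is constructed here, not a real DLL.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated by ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible (left untouched)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def optional_header(data):
    """Validate the DOS and PE signatures and return (optional header offset, magic)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20  # PE signature + IMAGE_FILE_HEADER (20 bytes)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    return opt_off, magic


def dll_characteristics(data):
    """Read DllCharacteristics (same offset, 70, in PE32 and PE32+)."""
    opt_off, _ = optional_header(data)
    return struct.unpack_from("<H", data, opt_off + 70)[0]


def image_base(data):
    """Read ImageBase: 32-bit at offset 28 (PE32) or 64-bit at offset 24 (PE32+)."""
    opt_off, magic = optional_header(data)
    if magic == PE32_MAGIC:
        return struct.unpack_from("<I", data, opt_off + 28)[0]
    return struct.unpack_from("<Q", data, opt_off + 24)[0]


def disable_aslr(data, new_image_base=None):
    """Return a copy with DYNAMIC_BASE cleared and, if given, ImageBase rewritten."""
    buf = bytearray(data)
    opt_off, magic = optional_header(buf)
    dc_off = opt_off + 70
    dc = struct.unpack_from("<H", buf, dc_off)[0]
    struct.pack_into("<H", buf, dc_off, dc & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    if new_image_base is not None:
        if new_image_base % 0x10000:
            raise ValueError("ImageBase must be a multiple of 64 KiB")
        if magic == PE32_MAGIC:
            if new_image_base > 0xFFFFFFFF:
                raise ValueError("ImageBase does not fit a PE32 image")
            struct.pack_into("<I", buf, opt_off + 28, new_image_base)
        else:
            struct.pack_into("<Q", buf, opt_off + 24, new_image_base)
    return bytes(buf)


def build_sample_pe(magic=PE32_MAGIC, base=0x10000000, dll_chars=0x0140):
    """Constructed minimal PE header (DOS stub + COFF header + optional header, no sections)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if magic == PE32_MAGIC:
        machine, opt_size = 0x14C, 224   # IMAGE_FILE_MACHINE_I386
    else:
        machine, opt_size = 0x8664, 240  # IMAGE_FILE_MACHINE_AMD64
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | DLL)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    if magic == PE32_MAGIC:
        struct.pack_into("<I", opt, 28, base)
    else:
        struct.pack_into("<Q", opt, 24, base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: patch_pe.py in.dll out.dll 0x04000000   (placeholder names)
        with open(sys.argv[1], "rb") as f:
            original = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(disable_aslr(original, int(sys.argv[3], 0)))
    else:
        sample = build_sample_pe()
        patched = disable_aslr(sample, 0x04000000)
        for name, img in (("before", sample), ("after", patched)):
            print("%-6s DllCharacteristics=0x%04x ImageBase=0x%08x"
                  % (name, dll_characteristics(img), image_base(img)))
```

Two caveats a practitioner should keep in mind: the loader honours the preferred base only if that range is free in the IE process, otherwise the image is relocated through its .reloc section anyway, so pick a base that does not collide with modules already mapped; and the script leaves `NX_COMPAT` alone, since the point of this technique is not to turn DEP off for the process but to have a known executable image to jump into. For a natively linked DLL the same result can be had at link time with MSVC's `/DYNAMICBASE:NO` and `/BASE` options; the header patch is what makes the approach work on a control produced by a toolchain that does not expose those switches.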
3rd August 2010
After receiving a recent submission affecting Outlook Web Access (OWA) 2007, we went looking for a proper environment in which to test it. With Exchange 2007 installed on Windows Server 2008 and OWA in place, we started our trusty BackTrack 4 web server and put the malicious HTML file there. For good measure we decided to attack a logged-in OWA user on a Windows 7 machine.
It is worth remembering that since this is a CSRF-type exploit, we would need to convince the target user to visit our malicious HTML page by some other means (an encoded URL link in an email, etc.) while they are logged in to OWA.