Articles by ‘Tal Zeltzer’

Fuzzing vs Reversing – Round #2 (Reversing)

22nd November 2010

After a few days of fuzzing, I noticed that I had covered a large part of the format (at least the part I found interesting), so I then began reverse engineering the format more thoroughly. I started by mapping out the tag types and reviewing the functions that parse them.

Fuzzing vs Reversing – Round #1 (Fuzzing)

22nd November 2010

I have recently been doing some fuzzing on the Adobe Flash Player. I started by implementing a simple format fuzzer for Flash based on a homegrown framework that I have been developing for a while. I implemented and executed tests and progressively covered more and more of the format. After a few days, I noticed one of the SWF files causing strange crashes: the “Just-in-time” debugger gets triggered, but the process is terminated.

Exploiting Internet Explorer 7 – Case Study

4th August 2010

In this post we are going to take a vulnerability in Internet Explorer 6/7 that was exploited in a relatively stable manner and attempt to add the DEP-bypassing ability. The main exploit for this vulnerability has been implemented as a Metasploit module (“ms10_018_ie_behaviors” by Moshe Ben Abu from rec-sec). It works well on the target platforms, but it doesn’t bypass DEP (yet...).

Exploiting Internet Explorer 7 With Dot Net

4th August 2010

In this post we will demonstrate the method discussed by Mark Dowd and Alex Sotirov for bypassing DEP and ASLR on IE 6/7 running on a Windows Vista machine. This method is simple and useful. We will create a .NET ActiveX control that will be loaded by IE. The ActiveX control will be loaded at a fixed address and will be executable. To overcome the difficulties we need two things:

  • Make the ActiveX control load at a constant address by removing the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE flag.
  • Select the image base we want.

The flag IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE means that the ActiveX control can be loaded at a dynamic address. Removing this flag indicates that it can’t, which helps solve the ASLR problem on IE. Once we have bypassed ASLR we can select the image base we want. This way, when we gain control over EIP we can jump directly to our shellcode.

Analyzing undocumented formats

28th June 2010

Usually when I analyze a protocol or a file format I spend a few hours or days mapping out targets. The first step towards really understanding what you’re dealing with is to really get to know your target.

  • Search for old vulnerabilities and find a common motive.
  • Attempt to find signatures of third-party libraries. If found, check whether they are indeed the latest version.
  • Map out the types of data that the application parses (for example, on Internet Explorer you could attempt to attack JPEG images, the JavaScript interpreter, and many other components that are parsed by Internet Explorer or passed on to the operating system).