Posts Tagged ‘Exploit’

Exploiting Internet Explorer 7 – Case Study

4th August 2010

In this post we take a vulnerability in Internet Explorer 6/7 that has already been exploited in a relatively stable way and attempt to add a DEP bypass to it. The main exploit for this vulnerability is implemented as a Metasploit module (“ms10_018_ie_behaviors” by Moshe Ben Abu of Rec-Sec). It works well on the target platforms, but it does not bypass DEP (yet).


Exploiting Internet Explorer 7 With Dot Net

4th August 2010

In this post we demonstrate the method described by Mark Dowd and Alex Sotirov for bypassing DEP and ASLR in IE 6/7 on a Windows Vista machine. The method is simple and useful: we create a .NET ActiveX control that IE loads, and arrange for it to be mapped at a fixed address with an executable code section, so its contents can serve as our shellcode. Two things are needed:

  • Make the control load at a constant address by clearing the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in its PE header.
  • Select the image base we want.

The IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag (bit 0x0040 of the DllCharacteristics field in the PE optional header) tells the loader that the image may be relocated to a randomized address. Clearing it means the image is mapped at its preferred ImageBase, which defeats ASLR for that module inside IE. Once ASLR is out of the way we set the ImageBase to a value of our choosing, so that when we gain control of EIP we can jump directly to our shellcode at a known address.
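As an added example (not code from the original post, nor from Dowd and Sotirov's work), here is a small C tool that performs the two header edits above on a PE image in memory: it clears IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in DllCharacteristics and writes a chosen ImageBase, for both PE32 and PE32+. The field offsets come from the PE/COFF specification; the image it operates on is a constructed minimal PE32 header, not a real .NET control, and the function names are my own.

```c
/* Added example, not code from the original post or from Dowd and Sotirov:
 * patch a PE image in memory so it opts out of ASLR (clear DYNAMIC_BASE in
 * DllCharacteristics) and asks for a chosen preferred ImageBase. Offsets are
 * from the PE/COFF spec; the sample image is a constructed minimal header,
 * not a real .NET control. Build: cc -std=c99 -Wall pe_pin.c */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100
#define PE32_MAGIC  0x10b
#define PE32P_MAGIC 0x20b
#define SAMPLE_LEN  0x200

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk MZ -> e_lfanew -> "PE\0\0" -> COFF header and return the file offset of
 * the optional header, or 0 if the image is truncated or not a PE file. */
static size_t optional_header_off(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3c);
    if (pe > len || len - pe < 4 + 20 + 2) return 0;            /* signature + COFF + Magic */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t opt_size = rd16(img + pe + 4 + 16);               /* COFF.SizeOfOptionalHeader */
    if (opt_size < 72 || len - pe - 24 < opt_size) return 0;    /* need up to DllCharacteristics */
    return (size_t)pe + 24;
}

/* Read DllCharacteristics, or -1 on a malformed image. */
int pe_dll_characteristics(const uint8_t *img, size_t len) {
    size_t opt = optional_header_off(img, len);
    return opt ? rd16(img + opt + 70) : -1;
}

/* Read the preferred ImageBase (PE32 or PE32+), or 0 on a malformed image. */
uint64_t pe_image_base(const uint8_t *img, size_t len) {
    size_t opt = optional_header_off(img, len);
    if (!opt) return 0;
    uint16_t magic = rd16(img + opt);
    if (magic == PE32_MAGIC)  return rd32(img + opt + 28);
    if (magic == PE32P_MAGIC) return rd32(img + opt + 24) | ((uint64_t)rd32(img + opt + 28) << 32);
    return 0;
}

/* Clear DYNAMIC_BASE (leaving the other flags, e.g. NX_COMPAT, alone) and set
 * the ImageBase. The PE spec requires a 64 KiB-aligned base. Returns 0 on success. */
int pe_pin_image_base(uint8_t *img, size_t len, uint64_t new_base) {
    size_t opt = optional_header_off(img, len);
    if (!opt || (new_base & 0xffff)) return -1;
    uint16_t magic = rd16(img + opt);
    if (magic == PE32_MAGIC) {
        if (new_base > 0xffffffffu) return -1;                   /* must fit in 32 bits */
        wr32(img + opt + 28, (uint32_t)new_base);
    } else if (magic == PE32P_MAGIC) {
        wr32(img + opt + 24, (uint32_t)new_base);
        wr32(img + opt + 28, (uint32_t)(new_base >> 32));
    } else {
        return -1;
    }
    wr16(img + opt + 70, rd16(img + opt + 70) & (uint16_t)~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE);
    return 0;
}

/* Constructed sample: a minimal PE32 header like a linker emits for a DLL built
 * with /DYNAMICBASE and /NXCOMPAT (headers only, no sections). */
uint8_t g_sample[SAMPLE_LEN];
void build_sample_pe32(void) {
    memset(g_sample, 0, sizeof g_sample);
    g_sample[0] = 'M'; g_sample[1] = 'Z';
    wr32(g_sample + 0x3c, 0x40);                     /* e_lfanew */
    memcpy(g_sample + 0x40, "PE\0\0", 4);
    wr16(g_sample + 0x44 + 0, 0x14c);                /* Machine = i386 */
    wr16(g_sample + 0x44 + 16, 0xe0);                /* SizeOfOptionalHeader (PE32) */
    wr16(g_sample + 0x44 + 18, 0x2102);              /* EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL */
    wr16(g_sample + 0x58, PE32_MAGIC);
    wr32(g_sample + 0x58 + 28, 0x10000000);          /* default DLL ImageBase */
    wr16(g_sample + 0x58 + 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT);
}

int main(void) {
    build_sample_pe32();
    printf("before: base=0x%08llx dllchar=0x%04x\n", (unsigned long long)pe_image_base(g_sample, SAMPLE_LEN),
           (unsigned)pe_dll_characteristics(g_sample, SAMPLE_LEN));
    if (pe_pin_image_base(g_sample, SAMPLE_LEN, 0x04000000) != 0) return 1;
    printf("after:  base=0x%08llx dllchar=0x%04x\n", (unsigned long long)pe_image_base(g_sample, SAMPLE_LEN),
           (unsigned)pe_dll_characteristics(g_sample, SAMPLE_LEN));
    return 0;
}
```

The same edit can be made with a hex editor or at link time (Visual Studio's editbin /DYNAMICBASE:NO and /BASE on the compiled control); the point of the code is to show exactly which two fields change and what must be checked first: the flag is only cleared after the new base has been validated, because an ImageBase that is not a multiple of 64 KiB is not a valid PE value and the loader will not map the image where you asked.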


vBulletin – Not So Secure Anymore

3rd August 2010

Some time ago, an LFI (local file inclusion) vulnerability was discovered in vBSEO, allowing an attacker to include files already present on the server. The challenge with any LFI vulnerability is to leverage it into execution of arbitrary code of our choosing.



Outlook Web Access 2007 CSRF Vulnerability

3rd August 2010

After receiving a recent submission affecting OWA 2007, we had been looking for a suitable environment in which to test it. With Exchange 2007 installed on Windows Server 2008 and OWA in place, we started our trusty BT4 (BackTrack 4) web server and put the malicious HTML file there. For good measure we decided to attack a logged-in OWA user on a Windows 7 machine.
Since this is a CSRF exploit, we still need to convince the target user, while logged in to OWA, to visit our malicious HTML page by some other means (an encoded link in an email, etc.).



Alien Invasion Snow Leopard ROP Exploit

6th July 2010

Since I posted my EvoCam exploit I have spotted at least one other OS X exploit that used the same technique for gaining code execution on Leopard. I thought it would be useful to take this exploit for UFO: Alien Invasion by dookie and see how easy it would be to modify it to use my technique above to get it to run on Snow Leopard.

