Archive for the Exploits Category

Blackhat Demo Explained

Posted in Exploits, Windows API with tags , , on 27 December, 2009 by __fastcall

It was a hot morning approx. 9 in Vegas waiting for the John’s McDonald and Chris’ Valasek lecture about Heap Exploitation, it was an advanced lecture, and dizzy I was, so I didn’t understand much. Those guys posted a demo explanation about the attack. You can also download their paper. BHUSA09-McDonald-WindowsHeap-PAPER

Posted by Chris Valasek on December 09, 2009 at 11:08 AM EST.

Introduction

As several of you may or may not remember, John McDonald and I did a presentation this year at BlackHat on Practical Windows Heap Exploitation. In this presentation we had a video that claimed to show reliable heap exploitation on Windows Server 2003 lacking a fully controlled environment. Now that our advisory is published we can finally prove to you that the video was not fake; explaining the vulnerability and some of our techniques. Continue reading

Get kernel32.dll imagebase in Windows 7

Posted in Exploits with tags , on 26 December, 2009 by __fastcall

This one is taken from skypher’s blog. Its a shellcode for getting the kernel32.dll address. Before Windows 7 kernel32.dll was loaded second. Windows 7 load the kernelbase.dll before kernel32.dll so now it comes third. A universal way to get the kernel32.dll base address is to check for a null termination after the 12th unicode character (12*2 bytes). Here is the code for getting kernel32.dll before Windows 7.

    
    XOR     ECX, ECX                    ; ECX = 0
    MOV     ESI, [FS:ECX + 0x30]       ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder (ntdll.dll)
    LODSD                               ; EAX = PEB->Ldr.InInitOrder.flink (kernel32.dll)
    MOV     EBP, [EAX + 0x08]           ; EBP = PEB->Ldr.InInitOrder.flink.base_address

And the universal one

    XOR     ECX, ECX                    ; ECX = 0
    MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder
next_module:
    MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address
    MOV     EDI, [ESI + 0x20]           ; EBP = InInitOrder[X].module_name (unicode)
    MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink (next module)
    CMP     [EDI + 12*2], CL            ; Check modulename[12] == 0x??00 // for Win2k the register hast to be CX 
    JNE     next_module                 ; No: try next module.

I ‘ve seen one other alternative like iterating the module list till the third record but they say that it does not work well for Win2k show I prefer skyphers method.