Sunday, March 22, 2009

IncrediMail 5.86 Script Execution Vulnerability

Discovered by Bui Quang Minh

Most popular mail clients now strip script code from mail content. The aim is to prevent XSS exploitation (for example, cookie theft).

IncrediMail also removes script code when the user reads mail. However, I found that the "Reply" and "Forward" functions of the mail client do not handle mail content properly, resulting in an XSS vulnerability.

Of course, this exposes users to considerable risk, such as the loss of sensitive information, cookies, and so on.

I reported it to the manufacturer!

Monday, March 16, 2009

Metasploit Shellcode Hiccup in Exploitation (English)

Bui Quang Minh

When it comes to software vulnerabilities, most demo exploits use shellcode taken from HD Moore's metasploit.com. This is a real achievement of HD Moore.

However, I found a small problem in HD Moore's shellcode. If a person does not have a thorough grasp of shellcode, he or she might encounter circumstances where the shellcode is not executed even though he or she has already managed to redirect control of the program.

More specifically, at the beginning of the shellcode, HD Moore often uses his own decoder (though there are several other methods). Let's look more closely at the fourth instruction: fnstenv [esp-0Ch]. This instruction saves the FPU environment into the memory location pointed to by esp-0Ch.

Basically, this instruction works just fine. But imagine that ESP is pointing right at the start of the shellcode and control redirection is achieved via "jmp esp". In that case, this instruction unintentionally overwrites part of the shellcode, possibly even the currently executing instruction "fnstenv" itself. The consequence is that the shellcode cannot run successfully.

This is a real issue, because exploitation using "jmp esp" is very popular, even the basic technique in software vulnerability exploitation. Of course, I believe that many people have encountered this problem and either have not been able to resolve it, or have overcome it without fully understanding the reason why. That is the main point of this short paper.

OK, we have finished with the theory. Here come the solutions, two solutions actually:

- Create a new shellcode that does not use ESP.

- Add a lot of NOP instructions (0x90) at the beginning of the shellcode.
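To make the overlap concrete, here is an added example (my own C model, not code from the post or from Metasploit) that computes which shellcode bytes the fnstenv store lands on and how far a NOP sled has to push the decoder out of that window. It assumes the 32-bit protected-mode FPU environment layout (28 bytes, saved instruction pointer at offset 12) and a constructed decoder whose first FPU op is 2 bytes; the addresses are made up.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration (not code from the original post): model the memory window
 * that `fnstenv [esp-0Ch]` stores into and check whether it lands on shellcode
 * bytes the CPU has not executed yet, which is the "jmp esp" failure described
 * above. Assumed: 32-bit protected mode, where the FPU environment is 28 bytes
 * and the saved FPU instruction pointer sits at offset 12 (that is why the
 * decoder uses -0Ch: the saved EIP lands exactly at [esp]). */

#define FNSTENV_ENV_SIZE 28u   /* bytes written by fnstenv in 32-bit mode */
#define FNSTENV_DISP     12u   /* the 0Ch displacement in [esp-0Ch]        */

/* Number of shellcode bytes the fnstenv store overwrites (0 if it misses).
 * The store covers the half-open address range [esp-12, esp+16). */
uint32_t clobbered_bytes(uint32_t esp, uint32_t sc_start, uint32_t sc_len)
{
    uint32_t w_lo = esp - FNSTENV_DISP, w_hi = w_lo + FNSTENV_ENV_SIZE;
    uint32_t s_lo = sc_start, s_hi = sc_start + sc_len;
    uint32_t lo = w_lo > s_lo ? w_lo : s_lo;
    uint32_t hi = w_hi < s_hi ? w_hi : s_hi;
    return hi > lo ? hi - lo : 0;
}

/* Minimum NOP sled (bytes) to put in front of the decoder so the store only
 * touches bytes whose instructions have already completed. `decoder_prefix`
 * counts the decoder bytes that precede the fnstenv instruction; fnstenv's own
 * bytes are conservatively treated as still live. A sled does not move ESP,
 * so the write window stays put while the decoder shifts out of it. */
uint32_t min_nop_sled(uint32_t esp, uint32_t sc_start, uint32_t decoder_prefix)
{
    uint32_t w_hi = esp - FNSTENV_DISP + FNSTENV_ENV_SIZE;
    uint32_t executed_end = sc_start + decoder_prefix;   /* with no sled */
    return w_hi > executed_end ? w_hi - executed_end : 0;
}

int main(void)
{
    /* Constructed scenario: control arrives via "jmp esp", so ESP equals the
     * shellcode start; the decoder opens with a 2-byte FPU op before fnstenv. */
    uint32_t esp = 0x0012ff00, sc = 0x0012ff00;
    printf("clobbered: %u bytes\n", (unsigned)clobbered_bytes(esp, sc, 300));  /* 16 */
    printf("NOP sled needed: %u bytes\n", (unsigned)min_nop_sled(esp, sc, 2)); /* 14 */
    /* Same decoder with ESP 64 bytes below the shellcode: nothing is hit. */
    printf("clobbered: %u bytes\n", (unsigned)clobbered_bytes(sc - 64, sc, 300)); /* 0 */
    return 0;
}
```

With ESP at the shellcode start, the first 16 bytes of the decoder sit inside the write window, which is exactly where the rest of the decoder's instructions live.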

Sunday, March 15, 2009

Hello World!

Welcome to me!