Paranoia

Nov. 27th, 2006 01:11 am
foxgrrl: (Default)
The morning after I made this post: http://foxgrrl.livejournal.com/50642.html I walked into work — that afternoon actually — and was making random chit-chat with a coworker — [livejournal.com profile] flint_otter actually — and he said that he was reading this article on C|Net about how there was some new super-exploit already for the recent Windows vulnerability, and I'm like: Yeah, the MS06-070 one, I just wrote an exploit for it last night. And he's like, No it's something really new as of Tuesday. And I'm like, Yeah, that was MS06-070, unless one of the other ones was horribly exploitable. And he's like, Well, someone just wrote an exploit for it, and it's on the front page of C|Net. And I'm like, Um, I just wrote an exploit for it… And made a mention of it in my blog… Having been around C|Net reporters before, I know that they print a lot of hearsay and rumors from questionable sources. [And as I write this, Nyah keeps trying to tickle me → Just you wait until I write about this in my LJ! I exclaim. It's making it a bit hard to concentrate…]

So, I looked the article up…

http://news.com.com/Experts+raise+Windows+security+alarm/2100-1002_3-6136310.html

Paranoia mounting… Right now, I really don't need nameless cyclopean institutions investigating me… again. Especially, if there's suddenly a huge MS06-070 exploiting-worm outbreak. You know, it looks kinda suspicious, since I told a bunch of people that I write 0-day exploits and internet worms for a living; I might be viewed as a suspect. But I quickly figured out that they were referring to this: http://www.milw0rm.com/exploits/2789 (I still haven't published my MSF3 module anywhere.)

There was a period of time when I wasn't oppressively paranoid all the time, when I wasn't incredibly uptight and stressed out… when I wasn't pretending to be normal. It was right after I transitioned (the first time). In a way, I was really going from one box to another by going stealth - But there was a time in between, when I was outside of the rigid boxes.

MS06-070

Nov. 16th, 2006 05:43 am
foxgrrl: (Default)
As you are all well aware, yesterday was Microsoft Patch Tuesday. One of the vulnerabilities was basically an anonymous remote root exploit against the default install of Windows 2000 (and maybe XP too). There isn't any PoC code floating around on the net yet, so I wrote some to settle an argument.

I'm wondering now if I should release it publicly, or sell it to the highest bidder, or something. It currently does require a Windows Active Directory server, but if I work on it some more, I think I can make it work without requiring a separate windows server. (i.e. to work on Linux/*BSD/OSX alone). (Also, only Win2K targets so far.)

The MS advisory on this, less than useful as always: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx

And the much more detailed - if remarkably vague in areas - eEye advisory on it: http://research.eeye.com/html/advisories/published/AD20061114.html
There's just enough information to find the vulnerability, and a hint as to how to trigger it, but not any details like how the JoinOptions flag [arg_6] needs to be 0x01 (you'll want to use RPC function 0x16).

Oh yeah, I was going to mention that this is also the first exploit I've written in the MSF3. I must say that the NDR and DCERPC libraries made this exploit so much faster and easier to write. (Easier to write than giant blobs of raw binary data, which is how I typically write stuff.)
foxgrrl: (Default)
Now students, can anyone tell me what happens next?
[Large images behind an LJ cut; not included here.]
I think that it'll help if I tell you that the heap structure at 0x00BFA8D8 was a free block, originally 0x005E 0x004D 0x01 0x10 0x00 0x00 with the forward and backwards pointers both set to 0x00230178, and I don't know why the fuck I can remember that without having to look it up, when I can't even remember my own postal address most of the time. (Maybe it's like [livejournal.com profile] lurene said, that all the really good reverse engineers/assembly coders are mentally broken in some way.) Anyway, 0x00230178 is the start of the free list (I think); it points back to 0x00BFA8E0.

Anyway, since this is Windows 2K Advanced Server SP0, I could just overwrite one of the function pointers in the PEB, or the TEB... or the SEH, wheee! [I'll explain later...] Although this particular buffer tends to move around a bit in memory, and I've been up all night trying to make the exploit [no you can't have a copy] more reliable. So I've been thinking of using Halvar's trick of building a VirtAlloc structure in the buffer underneath the free block, to get an extra DWORD copy. And with two writes, I think that would be enough to make this reliable, because the pointer to the free block exists in the segment table at 0x00B70027 (I think it was), which I know the address of. And worst case I could leave the original Forward pointer intact, because that does point to the FreeTable entry for itself. (In other words, if I can take the DWORD located at 0x00B70027 -- which points to data from the overflowed buffer, and write it to your favorite function pointer, then the shellcode will be jumped to exactly.)

Maybe.

Either that, or I'll just have to manipulate the heap list itself in such a way that I can control where the next buffer will be written (to an address of my choice), write the shellcode there, and then do the overflow again to put this known address in some known location that will jump to it.
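As an added illustration, not the author's MSF3 module or any code from these posts, the C program below decodes a Windows 2000 style free-chunk header from the bytes quoted above (0x005E 0x004D 0x01 0x10 0x00 0x00 followed by Flink/Blink of 0x00230178) and then shows why a blind free-list unlink on Win2K SP0 hands out an extra DWORD write, alongside the safe-unlink consistency check that Microsoft later shipped in XP SP2 / Server 2003 SP1 to refuse a tampered entry. The HEAP_ENTRY field names are assumed from the public structure layout; the simulated arena, its base address 0x00230000, the chunk offsets and the 0x41 filler are all constructed for the demo and carry no real addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows 2000 heap chunk header (8 bytes) followed, on a free chunk, by the
 * LIST_ENTRY {Flink, Blink} that threads it onto a free list. Field layout
 * is assumed from the public HEAP_ENTRY structure; sizes are in 8-byte
 * granules and bit 0 of flags marks a busy chunk. */
typedef struct {
    uint16_t size, prev_size;
    uint8_t  segment_index, flags, unused_bytes, small_tag_index;
    uint32_t flink, blink;
} free_chunk_hdr;

static uint32_t rd16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

void parse_free_chunk(const uint8_t *raw, free_chunk_hdr *h) {
    h->size = (uint16_t)rd16(raw);      h->prev_size = (uint16_t)rd16(raw + 2);
    h->segment_index = raw[4];          h->flags = raw[5];
    h->unused_bytes = raw[6];           h->small_tag_index = raw[7];
    h->flink = rd32(raw + 8);           h->blink = rd32(raw + 12);
}
uint32_t chunk_bytes(const free_chunk_hdr *h) { return (uint32_t)h->size * 8; }
int chunk_is_free(const free_chunk_hdr *h) { return (h->flags & 1) == 0; }

/* The free block quoted in the post, re-encoded as constructed sample bytes:
 * size 0x005E, prev 0x004D, segment 1, flags 0x10, Flink == Blink == 0x00230178. */
static const uint8_t posted_header[16] = {
    0x5E, 0x00, 0x4D, 0x00, 0x01, 0x10, 0x00, 0x00,
    0x78, 0x01, 0x23, 0x00, 0x78, 0x01, 0x23, 0x00 };
uint32_t posted_chunk_bytes(void) { free_chunk_hdr h; parse_free_chunk(posted_header, &h); return chunk_bytes(&h); }
uint32_t posted_flink(void)       { free_chunk_hdr h; parse_free_chunk(posted_header, &h); return h.flink; }

/* Simulated arena: a flat byte array standing in for process memory at a
 * made-up base, so a "pointer" is just ARENA_BASE + offset (constructed). */
#define ARENA_BASE 0x00230000u
#define ARENA_SIZE 0x200u
#define HEAD    (ARENA_BASE + 0x10)   /* free-list head LIST_ENTRY */
#define CHUNK_A (ARENA_BASE + 0x20)   /* two free chunks; each LIST_ENTRY sits at chunk + 8 */
#define CHUNK_B (ARENA_BASE + 0x80)
static uint8_t arena[ARENA_SIZE];

/* Bounds-checked translation of a fake virtual address into the arena. */
static uint8_t *at(uint32_t va, uint32_t len) {
    if (va < ARENA_BASE || va - ARENA_BASE + len > ARENA_SIZE) return NULL;
    return arena + (va - ARENA_BASE);
}
/* prev.Flink = next; next.Blink = prev */
static void link(uint32_t prev, uint32_t next) { wr32(at(prev, 8), next); wr32(at(next, 8) + 4, prev); }

void build_intact_list(void) {
    memset(arena, 0, sizeof arena);
    memcpy(at(CHUNK_A, 8), posted_header, 8);   /* reuse the posted header bytes */
    memcpy(at(CHUNK_B, 8), posted_header, 8);
    link(HEAD, CHUNK_A + 8);
    link(CHUNK_A + 8, CHUNK_B + 8);
    link(CHUNK_B + 8, HEAD);                     /* circular: head -> A -> B -> head */
}

/* Safe-unlink check (the mitigation later shipped in XP SP2 / 2003 SP1): an
 * entry may only be removed if both neighbours still point back at it.
 * Win2K SP0 unlinked blindly (Flink->Blink = Blink; Blink->Flink = Flink),
 * which is exactly the "extra DWORD write" an overwritten pair provides. */
int safe_unlink_ok(uint32_t entry) {
    const uint8_t *e = at(entry, 8);
    if (!e) return 0;
    const uint8_t *f = at(rd32(e), 8), *b = at(rd32(e + 4), 8);
    if (!f || !b) return 0;                      /* neighbour pointer outside the heap */
    return rd32(f + 4) == entry && rd32(b) == entry;
}

int intact_list_passes(void) {
    build_intact_list();
    return safe_unlink_ok(CHUNK_A + 8) && safe_unlink_ok(CHUNK_B + 8);
}
/* An overflow from the chunk before A runs into A's header and LIST_ENTRY
 * (constructed 'A' filler, not real exploit data); the check must refuse it. */
int smashed_entry_fails(void) {
    build_intact_list();
    memset(at(CHUNK_A, 16), 0x41, 16);
    return !safe_unlink_ok(CHUNK_A + 8);
}
/* Subtler case: A.Flink still points inside the heap but skips B, so
 * Flink->Blink no longer equals A; the check catches this too. */
int inconsistent_link_fails(void) {
    build_intact_list();
    wr32(at(CHUNK_A + 8, 4), HEAD);
    return !safe_unlink_ok(CHUNK_A + 8);
}

int main(void) {
    free_chunk_hdr h;
    parse_free_chunk(posted_header, &h);
    printf("posted chunk: %u bytes, free=%d, flink=0x%08x\n",
           (unsigned)chunk_bytes(&h), chunk_is_free(&h), (unsigned)h.flink);
    printf("intact list passes: %d\n", intact_list_passes());
    printf("smashed entry rejected: %d\n", smashed_entry_fails());
    printf("inconsistent link rejected: %d\n", inconsistent_link_fails());
    return 0;
}
```

The posted header decodes to a 752-byte free chunk whose Flink and Blink both equal the list head, matching the "free list points back at the chunk" picture above. The two failure cases are the ones a defender cares about: a coarse smash is rejected because the pointers leave the heap, and a surgically consistent-looking edit is rejected because the neighbour no longer points back, which is why the later heaps also added header cookies and randomised metadata rather than relying on this check alone.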

Page generated Mar. 22nd, 2026 09:07 pm
Powered by Dreamwidth Studios