Random IRC quote :       <@mrnobody1> que asco me dan los putos sucios de wikileak <@mrnobody1> solo publican crap por el adsense
BacalaoalpilPill
Los otros bugs…

Macrorisión – Windows XP/2k3 0bay

Buenas noches,Kartoffel

Esta misma tarde leyendo con Rubén el blog de Symantec nos encontrábamos una entrada interesante.  Elia Florio nos avisaba sobre un nuevo 0day encontrado In The Wild, después de conjeturar un rato sobre la salida censurada de la captura de pantalla que se muestra en el blog, recaímos en una frase de Elia : “At the moment, it’s still not clear how the driver is used by Windows because this file does not have the typical Microsoft file properties present in other Windows system files”. No son muchos los drivers que cumplen esta condición en una instalación de Windows normal, así que nos pusimos manos a la obra, después de un rato dimos con el siguiente código en el driver secdrv.sys, el cual pertenece a la proteccion SafeDisc propietaria de Macrovision y ha sido desarrollado por la misma empresa.

.text:00015E2C                 cmp     [ebp+var_10], 0CA002813h
.text:00015E33                 jz      short loc_15E69

Como podéis ver el código de la IOCTL nos indica que se está utilizando METHOD_NEITHER, en estos casos es necesario realizar una verificación de los parámetros recibidos ya que el I/O manager nos deja el asunto en nuestras manos y si no se tiene cuidado se pueden producir fallos graves.

En el driver no se realiza ninguna comprobación sobre el buffer de entrada, con lo cual sería posible sobreescribir memoria (incluso del kernel) siempre que cumpliera con ciertas condiciones que se esperan sobre este buffer (código de operacion, magics o similares), pero en este caso Macrorisión nos pone la cosa fácil escribiendo también en el buffer de salida :

.text:00015ED9                 call    dword ptr [eax+10h] ; Internal Dispatcher
.text:00015EDC                 mov     [ebp+var_1C], eax
.text:00015EDF                 cmp     [ebp+var_1C], 0Ah
.text:00015EE3                 jz      short loc_15EFC
.text:00015EE5                 mov     eax, [ebp+arg_4]
.text:00015EE8                 mov     dword ptr [eax], 0C0000001h
.text:00015EEE                 mov     eax, [ebp+arg_4]
.text:00015EF1                 and     dword ptr [eax+4], 0
.text:00015EF5                 mov     eax, 0C0000001h
.text:00015EFA                 jmp     short loc_15F21
.text:00015EFC ; —————————————————————————
.text:00015EFC
.text:00015EFC loc_15EFC:                              ; CODE XREF: sub_15E12+D1j
.text:00015EFC                 mov     ecx, [ebp+var_4]
.text:00015EFF                 mov     esi, [ebp+var_C]
.text:00015F02                 mov     eax, [ebp+arg_0]
.text:00015F05                 mov     edi, [eax+3Ch]  ; Output Buffer (Irp->UserBuffer)
.text:00015F08                 mov     eax, ecx
.text:00015F0A                 shr     ecx, 2
.text:00015F0D                 rep movsd  ; Inline memcpy
.text:00015F0F                 mov     ecx, eax
.text:00015F11                 and     ecx, 3
.text:00015F14                 rep movsb

Una vez visto esto y haciendo uso de Kartoffel Rubén programó un bonito exploit para la vaca que ríe.

A pesar de que no existe parche para la vulnerabilidad, publicamos esta información esperando que sea de ayuda para administradores e investigadores ya que se está explotando ITW. De cualquier manera el exploit únicamente demuestra la posibilidad de ejecución de código pero dudo que sea de utilidad para la scriptkiddería :-)

Un saludo,

Mario

Por: Mario Ballano | 10/18/07 | Noticias | Trackback | Comentarios [RSS 2.0]

45 Comentarios para “Macrorisión – Windows XP/2k3 0bay” »»

  1. Nahuel
    Comentario por Nahuel | 10/18/07 at 5:46 pm

    La verdad los felicito a Ruben y a vos, no dejan de sorprenderme!. Y son los culpables de que a mi me gusten los drivers!.

    Saludos.

  2. Tora
    Comentario por Tora | 10/18/07 at 8:58 pm

    Yo es que soy muy corto, así que eso de “the typical Microsoft file properties” no me dice mucho. ¿Qué tienen los demás que no tenga secdrv.sys?

    ¿No será porque es negro, verdad? (Ali-G like)

    Saludos, cracks!

  3. Ruben
    Comentario por Ruben | 10/18/07 at 9:50 pm

    Tora no es nada del otro mundo, botón derecho-> propiedades->PestañaVersion. Vamos que toda esa información está dentro de los recursos del propio fichero.Se puede sacar mediante API o como se le ocurrió a Mario para hacerlo rápidamente añadiendo a “detalles” en el explorer los campos adecuados y ordenando los ficheros por esos campos.

    Como dijo ese gran poeta: “R E S P E C T O!”

  4. 63546464
    Comentario por 63546464 | 11/05/07 at 4:48 pm

    kl;l;

  5. z
    Comentario por z | 11/25/07 at 8:42 pm

    多谢啦

  6. 24base
    Comentario por 24base | 04/16/08 at 8:10 am

    in der kartoffel liegt die Kraft. Die Kartoffel besteht zwar fast ausschließlich auf Kohlenhydraten und wächst unter der Erde – aber genau das macht sie aus. Outet euch ihr Kartoffel Fans

  7. mybook
    Comentario por mybook | 03/16/10 at 4:36 am

    Amulet of the Darkmoon:
    +10 Strength
    +19 Agility
    +10 wow power leveling Stamina
    The second is Caster based (Maga, Priest, Paladins…)
    Orb of the Darkmoon:
    +11 Stamina
    +8 Spirit
    Equip: Increases wow power leveling damage and healing done by magical spells and effects by up to 22.
    I counted best wow gold a little, and it comet out, That it can be “gathered” from 1 Gold 20 Silver – To ~190 Gold PLUS”How To”
    When Darkmoon Fiery event is wow gold uk active, you can complete Q-ts to obtain tickets. And that is what we need. The Q-ts are repeatable, and that’s our luck! down till cheapest wow gold you have the 1200 ticket is Thorium Widget! Is an Engineering “component”.
    1200 tickets = Epic Neck (one from above)
    The Q-ts are Profession gold for wow based, but this can be tricked out!
    You will need a “Schematic: Thorium Widget” (Limited supply: 1G 20S by Vendors, 3G-10G+ at AH) If he knows it, world of warcraft power leveling even better for us
    First: You need to find someone who has Engineering around lvl 260 (needed to create Thorium Widget-s) world of warcraft power leveling
    and tell him that you “pay” his Engineering skill to 300 if he helps you.

  8. Data Recovery
    Comentario por Data Recovery | 02/11/11 at 1:16 pm

    Data Recovery Services, File Recovery Hard Drive Recovery Hard Disk Recovery Drive not Spinning Hard Drive Recovery UK HP Dell Compaq Seagate Hitachi Toshiba Lacie Apple Mac Toshiba Samsung Acer Easy Recover Hard Drive Data Recovery Disk Recovery External Hard Drive Recovery Hard Disk Harddrive Recovery Hard Disc Recovery Recover Data Raid Recovery Harddisk Laptop Data Recovery Data Recovery Services Easy Recovery Data Recover Hard Drive File Recovery External Hard Drive Recovery Hdd Data Recovery Drive not spinning Usb Stick.

  9. Mens Health blog
    Comentario por Mens Health blog | 02/14/11 at 9:10 am

    Hey,Thanks for publishing such a great data with us.This is a very much helpful stuff shared by you.

  10. tiffany & co
    Comentario por tiffany & co | 02/19/11 at 8:28 pm

    The high sign application to increase productivity using mouse gesture…. Pretty cool….

  11. Best C,C++ Tutorial
    Comentario por Best C,C++ Tutorial | 03/01/11 at 1:39 pm

    Se puede sacar mediante API o como se le ocurrió a Mario para hacerlo rápidamente añadiendo a “detalles” en el explorer los campos adecuados y ordenando los ficheros por esos campos.

  12. Professional Website Design
    Comentario por Professional Website Design | 04/04/11 at 7:14 am

    I would like to pay a hearlty tribute to the author of this article for sharing suhc innovative ideas

  13. Kendall Liposuction
    Comentario por Kendall Liposuction | 05/03/11 at 7:36 am

    I wanted to thank you for this great read!! I definitely enjoyed every little bit of it, I have you bookmarked to check out all the new stuff you post….

  14. EMR Software
    Comentario por EMR Software | 05/03/11 at 7:37 am

    I am really curious to know more about it………

  15. Long Island Eye Doctor
    Comentario por Long Island Eye Doctor | 05/03/11 at 7:38 am

    You have really imparted useful tips/ knowledge…………….

  16. Medical Research  
    Comentario por Medical Research   | 05/03/11 at 7:39 am

    Your post was very nice……………

  17. Weight Loss Diet Reviews
    Comentario por Weight Loss Diet Reviews | 05/03/11 at 7:40 am

    Wow! what an idea ! Great concept ! Beautiful ..

  18. Wholesale Flowers
    Comentario por Wholesale Flowers | 05/03/11 at 7:40 am

    Hi… that was great stuff.. I really like this subject. Could you tell me more … I would love to explore.

  19. American family photographer in France
    Comentario por American family photographer in France | 05/03/11 at 7:42 am

    Awesome!! It’s just what I need!! Thanks!…………..

  20. Medical Bracelets
    Comentario por Medical Bracelets | 05/03/11 at 7:49 am

    I wanted to thank you for this great read!! I definitely enjoyed every little bit of it . I have you bookmarked to check out new stuff on your post..

  21. Visors
    Comentario por Visors | 05/03/11 at 7:50 am

    Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your posts. Any way I’ll be subscribing to your feed and I hope you post again soon..

  22. Golf Handicap
    Comentario por Golf Handicap | 05/03/11 at 7:51 am

    Thank you for another great article. Where else could anyone get that kind of information in such a perfect way of writing? I have a presentation next week, and I am on a look out for such information.

  23. Designer Clothing Wholesalers
    Comentario por Designer Clothing Wholesalers | 05/03/11 at 7:54 am

    Nice to be visiting your blog again, it has been months for me. I need this article to complete my assignment in college. Thanks.

  24. Luxury shoes
    Comentario por Luxury shoes | 05/03/11 at 7:58 am

    This is a great blog posting and very useful. I really appreciate the research you put into it…

  25. Discount Shopping
    Comentario por Discount Shopping | 05/03/11 at 8:02 am

    Wish I had found this blog before. The advices in this post are very helpful and I surely will read the other posts of this series too. Thank you for posting this.

  26. Children Jewelry
    Comentario por Children Jewelry | 05/03/11 at 8:03 am

    You have a very good site, well constructed and very interesting i have bookmarked you hopefully you keep posting new stuff.

  27. Commercial Property
    Comentario por Commercial Property | 05/03/11 at 8:06 am

    I would like to thank you for the efforts you have made in writing this article and i am hoping the same best work from you in the future as well.

  28. Image Stylist
    Comentario por Image Stylist | 05/03/11 at 8:07 am

    Its really wonderful and watchable. I like to share it with all my friends and I am sure they will like it.

  29. Tiffany jewelry on sale
    Comentario por Tiffany jewelry on sale | 05/05/11 at 8:32 am

    Hi everyone! I want to introduce a wonderful place to all of you! Spain is a very popular holiday destination for people from all the corners of the world. It is the type of country where regardless of the type of person you are, you will surely find something interesting and attractive, something that raises your interest.

  30. PSD to Joomla
    Comentario por PSD to Joomla | 05/05/11 at 12:23 pm

    PSD to HTML: At Xhtmljunction, we convert PSD to HTML/XHTML & CSS. Convert Image to HTML/CSS, PSD to WordPress, Joomla, Drupal & Magento Theme, PSD Slicing at an affordable budget. Lowest rate ($39) & fastest delivery (8 hrs) guaranteed!

  31. Billiga cyklar
    Comentario por Billiga cyklar | 05/07/11 at 5:12 pm

    Thanks man! :)

  32. Seminyak Villas
    Comentario por Seminyak Villas | 05/10/11 at 12:36 pm

    Your site always offer some really interesting information. Thank you for sharing it with us.

  33. kick boxing Calgary  
    Comentario por kick boxing Calgary   | 05/11/11 at 8:10 am

    Dynamicmma offers a variety of programs, Grappling, Wrestling, Cage Fighting, Kickboxing Calgary, Mix Martial Arts Calgary, MMA Gyms Calgary & ready to aid you with any part of your training.

  34. pandora beads on sale
    Comentario por pandora beads on sale | 05/12/11 at 3:56 am

    You have a very nice and motivating posting style, it makes me read your articles with great interest.

  35. tiffany’s engagement rings
    Comentario por tiffany’s engagement rings | 05/12/11 at 3:57 am

    Way to stay positive and stick with something you love!

  36. links of london charms sale
    Comentario por links of london charms sale | 05/12/11 at 3:58 am

    I am in support of wonderland, this project is seeing very good fame and should be continued.

  37. Jeans, Buy Jeans Online
    Comentario por Jeans, Buy Jeans Online | 05/19/11 at 12:25 pm

    Jean Store is famous for their wide range of men’s and women’sjeans from top brandsincluding Levis, Wrangler, Lee, Fred Perry and Edwin.Buy jeans online today for great quality denim and unbeatable prices.

  38. kelvin
    Comentario por kelvin | 06/06/11 at 5:21 am

    Thanks for all the detailed information!

  39. basis reporting
    Comentario por basis reporting | 06/07/11 at 9:19 am

    basis reporting

  40. work and travel şirketleri
    Comentario por work and travel şirketleri | 06/07/11 at 11:45 am

    Its really wonderful and watchable. I like to share it with all my friends and I am sure they will like it.

  41. lyoness españa
    Comentario por lyoness españa | 06/08/11 at 10:55 am

    thank you for sharing such a great post its really awesome

  42. Time Lapse Construction
    Comentario por Time Lapse Construction | 06/09/11 at 11:49 am

    I Really enjoyed your blog. I just bookmarked it. I am a regular visitor of your website I will share It with my friends .Thanks.

  43. ropa tallas grandes
    Comentario por ropa tallas grandes | 06/14/11 at 11:08 am

    thank you for sharing such a great post its really awesome, I like to share it with all my friends and I am sure they will like it.

  44. MSI laptops
    Comentario por MSI laptops | 06/20/11 at 7:15 pm

    It was good to see your post. It is such an important topic and ignored by so many, even professionals. I thank you to help making people more aware of possible issues. Great stuff as usua

  45. test
    Comentario por test | 10/01/11 at 7:25 pm

    lalalaasda dsa

Dejar un comentario »»

 
Get Firefox!

48Bits Blog is proudly powered by WordPress & equiX.
Code is Poetry | CSS | XHTML