Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: Code to exploit Windows graphics flaw now public

  1. #11
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    on a positive note nortons heuristic scaning picks up the jpeg that k-otik's code produces as bloodhound.exploit. rather generic but flags it none the less. i dont believe shell code can be morphed so it will take entirely new shell code that has not been not used in other exploits to get past it. im sure it'll show up but i dont think its going to be the field day they're portraying.

    but then again those that dont keep up on their patching are not likely to keep their virus sigs up to date either. so once again it will be the same bunch getting slammed.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #12
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Symantec, mcafee, trend and a few others are matching on the JFIF headers of the jpegs. These can not change since it's required to cause the overflow. Still..people don't patch and don't update regularly. I expect the vector to be email that has embedded activeX controls, but there are so many possibilities.....
    It should be interesting....
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  3. #13
    well ive a question , what about the people who donot want to install sp2 ?? like i ve sp 1 and do not want to move over to sp 2, is there any way to be safe from it?

  4. #14
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    FoToZ

    Has anyone actualy gotten any of these to work ??

    I've been playing with this local cmd.exe (not bound to the net) version..

    Perhaps it's the:
    "\xB8\x44\x80\xC2\x77" // mov eax,77c28044h (address of system() on WinXP SP1)
    part that doesn't work on my Dutch WinXP SP1..

    The C code was compiled with visual C++ 6.0 and executed on a Windows98 box.


    I attached the resulting jpg (zipped).. it should be safe (a cmd.exe window should pop up if exploit works)
    Disclaimer
    The attachment shouldn't be harmfull and is uploaded for experimentation only.
    I can't be held responsible for your stupidity if this actualy crashes a production server,
    eats your hamster, steals your lunchmoney, creates a hole in the space time continuum
    or anything else..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  5. #15
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    k-otik's code produces as bloodhound.exploit.
    tedob1, yeah i saw my norton pick it up too. Norton knows it since 14/09 it seems.

    Anyway i've been playing the latest from k-otik , the ActiveX one and i have the same prob as the_jinx, namely that probably the hexcode for the GDIPLUS.DLL in Win XP NL.

    I compiled it under linux and I put it in as a .jpg under my apache webserverroot. When I surf to it, it is active since Norton picks it up, but it doesn't create an extra account as it claims.
    I believe its a matter of getting the right hex for the GDIPLUS.DLL. Here's a snip of its code to show you what i mean. I did had some weird actions by a win xp unpatched box but again not the account as it claims.

    Code:
    #********************************************
    #Address of shellcode
    #********************************************
    #printf "\x42\x42\x42\x42" #control EDX, left these values if u wanna raise an exception and debug in GDI+
    printf "\xDC\xB1\xE7\x70" #70E7B1DC WinXP Professional English SP1 -GDIPLUS.DLL version 5.1.3097.0
    #printf "\xDC\xB1\x30\x78" #7830B1DC WinXP Professional Italian SP1 -GDIPLUS.DLL version 5.1.3101.0
    well ive a question , what about the people who donot want to install sp2 ?? like i ve sp 1 and do not want to move over to sp 2, is there any way to be safe from it?
    Apparently keep your AV up-to-date, since they seem to pick it up already.

    Greetz,
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  6. #16
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Has anyone actualy gotten any of these to work ??
    No. I too have tried all the POC code in the wild and so far it has been just that - POC. However, after handing the code to someone who i believe is extremely talented, I can see how quickly minor ajustments can be made and thus, the avelanch of crap will surely soon be upon us.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #17
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Yes. I was able to modify the PoC to bind a shell and create a reverse shell. But as hog mentioned the trigger in the header will be easily detectable.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  8. #18
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I'm suprised this didn't show up in articles before Wednesday. The security group that works for my company had POC code over the weekend that they were able to run and confirm that it works.. That was on Saturday. We were blocking all jpgs at our proxy and email servers over the weekend because they were expecting a virus to come out by last Sunday...

    McAfee has generic protection built into their 4394 dats if you enable heuristics.. The really bad thing about this is that it can infect you even if the file is renamed to .gif or some other image extension.. If the file extension envokes the gdiplus.dll the exploit code can run, regardless of the file extension...

  9. #19
    Junior Member
    Join Date
    Mar 2003
    Posts
    5

    Other dll besides gdiplus?

    The GDIScan tool at http://isc.sans.org/gdiscan.php detects other files besides gdiplus.dll:

    sxs.dll, wsxs.dll, mso.dll, vgx.dll

    Does anyone know more details about these files? According to the morons at Microsoft, the MS04-028 vulnerability only affects gdiplus.dll. Apparently not...?

    Roberto F.

  10. #20
    Member Gir's Avatar
    Join Date
    Sep 2002
    Posts
    39
    This post is in response to tigersharks post posted 09-23-2004 01:31 PM where he states *• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.* It would be entirely possible to force a user to visit a malicious site. It's called a pop-up. We see them all the time. You can use a pop-up blocker or for that matter any mozilla browser to prevent this.
    The answer to all how to questions: Very carefully with a large stick.

    \"Dogs f***ed the Pope. No fault of mine.\" Hunter S. Thompson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •