Monday, January 14, 2013

Illustrating True Risk IE Edition

You're not in this business for long if you don't love exploits. The smell of 0day in the morning, so to speak. But I'm not in love with this particular CButton IE exploit yet because of the way it bypasses ASLR. There's not a lot of great options with ASLR bypasses on IE:

1. You can work hard to transform your exploit primitive into an memory peek (sometimes not possible?)
2. You can burn another bug to get your memory peek
3. You can rely on external software without ASLR that happens to be installed on a lot of machines (Office, Java JRE). The downside here is that obviously targeting Office or the JRE itself sometimes makes more sense.

We chose option 3 for the CButton exploit in CANVAS Early Updates currently.

That said, the purpose of the video below is not to demonstrate an amazing exploit against IE, as it is to demonstrate how an exploit against IE that has a known primitive, but has not been seen before in totality, still bypasses most common secondary protection mechanisms.

Not mentioned in the movie is that because of the way AV's munge memory around, you will in some cases get a lower reliability out of the exploits. But you won't get caught.

In any case, hopefully you enjoy your Movie of the Day!

No comments: