Expired Pointers of an Exported DLL Function

Once the dynamic-link library (DLL) is loaded in the memory, the address of an exported function is usually retrieved. The address is copied into a variable. Before the program executes the exported function, it retrieves its address from the variable. A potential vulnerability exists if the DLL is unloaded but the variable still contain the address of the exported function that was previously valid.

Here is one approach to get started the investigation into a potential vulnerability.

Let's assume the debugger executes the target application. We configure it to break-in when a DLL is unloaded. We know the base address and the size of the DLL as the debugger displays it. When the debugger breaks in we search for pointers that fall into this region. We set data access breakpoint for each pointer, and resume the execution to see if the pointers are accessed.

We may find that some of the pointers set to NULL when the breakpoint is triggered. This is most likely to prevent the access to invalid memory.

We may find that other expired pointers get copied into another memory location. This could be suspicious as we don't normally read expired pointers, albeit, often whole structures get copied even if they contain members that are no longer used.

We may find that some of the breakpoints are not triggered, and we need to analyze further if they can be reached from the execution flow.

READ FULL POST

Sample Pintools for Visual Studio

Creating a Visual Studio Project for Pintools (32-bit)

• Start Visual Studio 2010 and create a new Win32 Project.
• In the Win32 Application Wizard, select DLL for Application type, and tick Empty project in the Additional options.
• Create directory Pin in the Solution folder and copy Pin framework here.
• Copy Pin\source\tools\ManualExamples\inscount0.cpp to the Project folder. This is a sample Pintools file. Add the copied inscount0.cpp to the project.
• Set Active Configuration to Release.
• Add the following to the Additional Include Directories:

$(SolutionDir)Pin\source\include\pin;$(SolutionDir)Pin\source\include\pin\gen;$(SolutionDir)Pin\extras\xed2-ia32\include;$(SolutionDir)Pin\extras\components\include;%(AdditionalIncludeDirectories)

• Add the following to the Additional Library Directories:

$(SolutionDir)Pin\ia32\lib;$(SolutionDir)Pin\ia32\lib-ext;$(SolutionDir)Pin\extras\xed2-ia32\lib;%(AdditionalLibraryDirectories)

• Add the following to the Preprocessor:

TARGET_WINDOWS
TARGET_IA32
HOST_IA32

• Set Enable C++ Exceptions to No, and set Runtime Library to Multi-threaded (/MT).
• Add the following to the Additional Dependencies in the Linker settings:

ntdll-32.lib
libxed.lib
pin.lib
pinvm.lib
libcmt.lib
libcpmt.lib

• Set Ignore All Default Libraries to Yes (/NODEFAULTLIB).
• Set Entry Point to Ptrace_DllMainCRTStartup@12.
• Add the following to the Additional Options of the Command Line linker option:

/EXPORT:main

Downloading&Building Sample Pintools for Visual Studio

• To download Sample Pintools Project created with the above settings click here [SkyDrive].
• Open the solution file in Visual Studio and set the active configuration to Release.
• Create directory Pin in the Solution folder and copy Pin framework here.
• Copy Pin\source\tools\ManualExamples\inscount0.cpp to the Project folder. This is a sample Pintools file.
• Build the project.

READ FULL POST

Flash Player Unloading Vulnerability

Opera unloads Flash Player after two minutes of not being used. Flash Player can create dialog that can run even when the player itself is unloaded. When it's unloaded, the running dialog makes a call back to the unloaded module, in a time window.

If an attacker can exploit the time window between the unload and the dereference, it's possible to redirect the execution flow.

While experimenting, I used heap spray to inject 0xCC bytes to the deleted memory. I succeeded once of many attempts and this suggests it's practically possible to create an exploit that could inject malicious code within the time window.

When investigated this vulnerability, I wanted evidence to the question: what module unloads the Flash Player? I used Windbg to place breakpoint at unload events. I let the application to trigger the unload events, and when the debugger hit the breakpoint, printed the call stack.

0:014> sxe ud
0:014> g
Unload module C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll at 54760000
eax=00000000 ebx=035f5584 ecx=00000000 edx=00000000 esi=035f5bc8 edi=00000000
eip=77b1fc72 esp=0037dab0 ebp=0037db30 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
ntdll!ZwUnmapViewOfSection+0x12:
77b1fc72 83c404          add     esp,4
0:000> kc
ntdll!ZwUnmapViewOfSection
ntdll!LdrpUnloadDll
ntdll!LdrUnloadDll
KERNELBASE!FreeLibrary
WARNING: Stack unwind information not available. Following frames may be wrong.
Opera_534b0000!OpSetSpawnPath
Opera_534b0000!OpWaitFileWasPresent

I saw the Flash Player was freed by Opera indeed.

I needed the answer for the question also: what module created the thread that calls back to the unloaded module? Here are the series of Windbg commands used to get the answer.

sxn et
sxn ud
bp CreateRemoteThreadEx "kc; gu; !handle eax 8; gc"
g

KERNELBASE!CreateRemoteThreadEx
kernel32!CreateThreadStub
WARNING: Stack unwind information not available. Following frames may be wrong.
NPSWF32_11_4_402_287!native_ShockwaveFlash_TCallLabel
Opera_534b0000!OpGetNextUninstallFile
Opera_534b0000!OpGetNextUninstallFile
NPSWF32_11_4_402_287!NP_Shutdown
NPSWF32_11_4_402_287
NPSWF32_11_4_402_287!DllUnregisterServer
Opera_534b0000!OpWaitFileWasPresent
ntdll!TppPoolReserveTaskPost
ntdll!TppTimerpSet
Opera_534b0000!OpGetNextUninstallFile
Opera_534b0000!OpSetLaunchMan
Opera_534b0000!OpSetLaunchMan
Handle a20
  Object Specific Information
    Thread Id   88ac.1700
    Priority    10
    Base Priority 0
    Start Address 5497083d NPSWF32_11_4_402_287!native_ShockwaveFlash_TCallLabel
ModLoad: 6bda0000 6bdd0000   C:\Windows\SysWOW64\wdmaud.drv
ModLoad: 72cb0000 72cb4000   C:\Windows\SysWOW64\ksuser.dll
ModLoad: 6d9e0000 6d9e7000   C:\Windows\SysWOW64\AVRT.dll
ModLoad: 6cad0000 6cad8000   C:\Windows\SysWOW64\msacm32.drv
ModLoad: 6bd80000 6bd94000   C:\Windows\SysWOW64\MSACM32.dll
ModLoad: 6bd70000 6bd77000   C:\Windows\SysWOW64\midimap.dll
Exit thread 6:3f90, code 0
Exit thread 7:4074, code 0
Unload module C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll at 54760000
Unload module C:\Windows\system32\WINSPOOL.DRV at 736f0000
(88ac.1700): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000102 ebx=00000000 ecx=75a914d0 edx=00000000 esi=11c8d000 edi=11c8d470
eip=549706c0 esp=0aacfd38 ebp=0aacfd80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
<Unloaded_NPSWF32_11_4_402_287.dll>+0x2106c0:
549706c0 ??              ???

I saw that thread 88ac.1700 is created by the Flash Player. When the player is unloaded the thread is still running. Finally, the thread calls back to the unloaded module. Therefore, I knew Flash Player created the thread that calls back to its own module that has been unloaded.

And here is some interesting observation.

When started to look into triggering a dialog in Flash Player I created the following ActionScript that executes an infinite loop.

class InfiniteLoop {
static function main() {
           for (var i = 0; i < 1;) {}
}
}

I built the Flash file with the command below.

mtasc.exe -swf InfiniteLoop.swf -main -header 125:125:20 InfiniteLoop.as

The Flash file triggers a slow script warning dialog. I was able to unload and to crash the Flash Player while the dialog was still running. I achieved this with version 11.4.402.278. When reported the problem to Opera they couldn't reproduce it. That time there was a Flash Player update, and I found it out that they used the latest version of Flash Player that was 11.4.402.287. With the latest version, I couldn't reproduce the problem either.

It got me thinking if Adobe fixed security problem either silently or "accidentally". When I checked the release notes of the latest version I didn't see indication of this kind of fix. I still don't know what had happened between the two releases but thought to investigate this issue further. I tried to trigger the bug via different code paths. I looked at my Flash file collection to dig out a file that triggers a dialog. And here it is, with the one I found, I could crash the player with the same call stack as before.

Initially, I thought Opera could fix this issue by leaving the module permanent in the address space, so I reported this to Opera. However, they notified Adobe after confirming it's not the problem in Opera (though they considered it as a stability issue). Adobe received the report at the end of November, 2012. The bug is now fixed in the security update that has a number of APSB13-09 at 12 March, 2013.

The preliminary version of this blog post was reviewed by Adobe. The preliminary version is same to the published version apart from some changes in the wording.

READ FULL POST

Doggy Foods Strategies Publication : Doggy Foods Strategies Get

Puppies are usually mans most appropriate pal and also hands down the most liked kinds animals. A lot of consider pet dogs element of these family members or perhaps as their personal youngster.
We offer the most notable remedy we could, coming from recognize company puppy dog foods to be able to health-related remedy, toys and games, and more, it is necessary pricey. Nevertheless, plenty of puppies are merely inside the aspect of these precious grasp for almost any ten years for the most part. Reniforme disappointment, malnutrition, intestinal plan health conditions, therefore a number of additional concerns can easily take into account out the precious puppies before they will have the possiblity to increase antique. It truly is this kind of disaster to pay thus a whole lot as well as earnings getting excellent care in our puppies to provide up like that. Properly, maybe you have considered which you could probably in fact poisioning your puppy every single day simply by giving these mercantil puppy dog foods? Sadly, this can be the truth.

Mercantil doggy food items producers, it is necessary huge or perhaps small the brand name will be, try out each way to boost their particular income. As opposed to genuinely patient your new puppy, they can probably make use of slaughter residence waste materials, infected dog charpente including chemical compounds and various low-nutritious factors to lessen fees. All these are generally not groundless rumours. Tim Lewis, creator of the most effective advertising guidebook Doggy Foods Strategies, performed many years of study to obtain the actuality concerning family pet food items right after his or her puppy dog perished immediately after simply several a very long time regarding lifestyle.

Following hearing about each of the hazards of mercantil doggy foods, maybe you want to try out additional concerns to be able to nourish your puppy. But if you may nourish your puppy commerical doggy dishes, just what and then? You may get just about all you have to pick inside Doggy food items insider secrets, as an example crucial vitamins and minerals that will k-9s will need, several dishes which can be speedy to be able to prepare food despite the fact that getting the two nourishing and also gooey for that family pet. Should you favor to nourish your puppy together with individual foods, make sure you do have a check out inside set of dangerous individual foods to be able to puppies in the guidebook very first. You will find additionally a big number of knowledge concerning health and fitness remedy, diet, shots, food handle and in addition tips and ideas to instruct an individual techniques to help to make heathy treats.

Using a while regarding reasearches and a genuine dog-loving coronary heart, Lewis is incredibly assured within the publication. In case you are not happy for the guidebook for the result in, it is possible to acquire your entire earnings returning with no supplying once more the particular publication.
With all the ease the particular publication plus your enjoy, difficult a dream to give your current dog's life-time to enable you to in fact enjoy several happy and also nutritious yrs each!

READ FULL POST

Super deals about exhaustive affordable vacation packages

Delight expend involving leisure time is certainly much loveable to all or any among us. Explanation everyone in business is adore to getaway in your trips if we hold the the perfect time to expedition a number of spots. With this modern-day age everyone is looking to merely expend their very own leisure time with virtually no anxiety or any other nervousness. As a result they each looking to prepare their very own trips while using instruction or maybe arranging involving expedition coordinator or maybe coders. Several features added to typically the expedition ideas with this form of arranging. Are often times vacation packages are generally this sort of famous sort of expedition arranging where vacationer does not need to concern yourself with their very own resorts or maybe fooding or maybe of these expedition software.

About in which bank account typically the deal expedition arranging along with discounts are definitely the sizzling favored in connection with trips exhaustive. By way of such type of expedition technique everyone can receive the effective elements of expedition. Throughout below vacationer will get typically the every answer expedition deal company. Via expedition about to priced arranging plus the overall expedition software are generally put in place by simply this sort of service agency. With the Exhaustive getaway, all of your current refreshments inside the from the price tag, and that means you is not going to ought to pay to take pleasure from evening meal. Included in the package see that almost all lodge pursuits along with leisure are generally bundled way too. And so in the moment anyone appear towards your airline flight property, you may take pleasure in whatever amount since you similar to.

With this modern-day time period any time each everyone is relying on the world wide web, there are several selections for features throughout expedition software. Each bargain in connection with are often times vacation packages are generally presents on the vacationer with various features. Individuals features are generally involves typically the every day paying for you to planning the desire travels. There are actually a lot of Affordable Trips to locate along with reserve on the web. As a result reserve an economical getaway or maybe affordable airline flight to your substantial number of major resorts throughout spots throughout the world, using package offers in the United kingdom's top rated Tour guides. Look for along with reserve exhaustive trips, vacation cruises, Aircraft along with Snowboarding trips in the favored spots or maybe learn a place brand spanking new with a splash ideas via each of our vacation spot courses.

Each of our exhaustive holidaysare suitable for any individual buying a bust of their billfolds, especially when you aren't vacationing being a class or maybe household. Is actually top rated spots worldwide available, you are going to rapidly realize why jooxie is typically the United kingdom's number one getaway firm}. Decide on numerous types of exhaustive trips to a few the top major resorts on the globe. Looking for trips for anyone for most financial constraints. Look for each of our on the web arranging technique at this point for any exhaustive getaway great buy. We live gurus to locate affordable package offers for you to some actors exhaustive motels along with your five legend exhaustive motels out of all top rated major resorts. Distinctive vacation savings you'll not get somewhere else. While exhaustive Trips can be a best probability to have fun away from challenges of along with property. You may only loosen up from the expertise the dish along with take in on your bash is usually coated on your full continue to be. For this reason just to delight in your own personal getaway, whichever preferences, whether intended for basking in the sun with the water which has a fine reserve, participating in some sort of spherical involving the game of golf or maybe testing surfing etc,. The selection is yours to make.

 Find the related info about vacation through the Vietnam Mountains.

READ FULL POST