How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 

Current Page: 1 of 1
Results 1 - 24 of 24
4 years ago
malloci
By the way, I have contacted Mozilla and ZDI; however, the latter (ZDI) had this to say: "The issues that seem to look exploitable could be due to an unchecked return value from an allocation, as malloc(x) will return a null pointer on failure. I haven't confirmed each particular instance of the crash, but due to the variance of the crashes (in that you're hitting more than one bug) and that
Forum: DoS
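ZDI's reply above describes the unchecked-allocation pattern in the abstract. The following is an added example, not code from the thread, from Firefox or from ZDI: a small growable byte buffer written twice, once with the allocation result used unchecked and once with the check ZDI describes, driven by a constructed fault-injecting allocator (`limited_malloc`, `g_alloc_limit`, `buf_t`, `append_unchecked`, `append_checked` and `demo_alloc_failure` are all names invented for this example) so the failure path can be exercised without exhausting real memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);

/* Constructed fault-injecting allocator (an assumption of this example): any
 * request larger than g_alloc_limit returns NULL, reproducing the
 * "malloc(x) will return a null pointer on failure" case from ZDI's reply
 * without actually running the process out of memory. */
static size_t g_alloc_limit = SIZE_MAX;
static void *limited_malloc(size_t n) {
    return n > g_alloc_limit ? NULL : malloc(n);
}

typedef struct { uint8_t *data; size_t len, cap; } buf_t;

static void buf_free(buf_t *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Unchecked pattern: the allocation result is used immediately. When a()
 * returns NULL the memcpy writes at address 0 plus a small offset, i.e. the
 * near-null write access violation that !exploitable flags. */
static int append_unchecked(buf_t *b, const uint8_t *src, size_t n, alloc_fn a) {
    if (b->len + n > b->cap) {
        size_t ncap = (b->len + n) * 2;
        uint8_t *nd = a(ncap);
        memcpy(nd, b->data, b->len);   /* NULL dereference on allocation failure */
        free(b->data);
        b->data = nd;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Hardened pattern: the size arithmetic is checked for wrap-around and the
 * allocation result is tested before anything is written. On failure the
 * existing buffer is left intact and the caller gets -1 instead of a crash. */
static int append_checked(buf_t *b, const uint8_t *src, size_t n, alloc_fn a) {
    if (n > SIZE_MAX - b->len) return -1;          /* len + n would wrap */
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t ncap = need > SIZE_MAX / 2 ? need : need * 2;
        uint8_t *nd = a(ncap);
        if (nd == NULL) return -1;                  /* allocation failed: report it */
        if (b->len) memcpy(nd, b->data, b->len);
        free(b->data);
        b->data = nd;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len = need;
    return 0;
}

/* Exercises both versions. Returns 1 when the checked version refuses an
 * injected allocation failure and keeps its contents, and the unchecked
 * version still works once allocation can succeed again. */
int demo_alloc_failure(void) {
    static const uint8_t chunk[16] = "0123456789abcde";   /* constructed input */
    buf_t b = {0};
    g_alloc_limit = SIZE_MAX;
    if (append_checked(&b, chunk, 16, limited_malloc) != 0) return 0;  /* cap becomes 32 */
    if (append_checked(&b, chunk, 16, limited_malloc) != 0) return 0;  /* fills the cap */
    g_alloc_limit = 8;                       /* the next growth request must fail */
    int rc = append_checked(&b, chunk, 16, limited_malloc);
    int ok = rc == -1 && b.len == 32 && b.cap == 32
             && memcmp(b.data, chunk, 16) == 0 && memcmp(b.data + 16, chunk, 16) == 0;
    /* Calling append_unchecked here, with the limit still at 8, would crash
     * inside memcpy with a near-null write; it is only exercised once the
     * allocator can succeed again. */
    g_alloc_limit = SIZE_MAX;
    ok = ok && append_unchecked(&b, chunk, 16, limited_malloc) == 0 && b.len == 48;
    buf_free(&b);
    return ok;
}

int main(void) {
    printf("checked append survives allocation failure: %s\n",
           demo_alloc_failure() ? "yes" : "no");
    return 0;
}
```

The point of the injectable allocator is that the failure branch gets tested at all; in a real triage of a crash like the ones in this thread, the question to answer in the debugger is whether the faulting write sits at NULL plus a small offset (which is what the unchecked branch produces) or at an attacker-influenced address.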
4 years ago
malloci
Okay, so I have a lame PoC (Firefox 3.6.2 Remote Denial of Service Exploit Vulnerability) DoS attack which may be exploitable further? I just wanted to get some feedback and/or ideas from the greater minds available online. Either way, if you have time check it out, debug the crash results, and please post any updates or comments. http://cybermediaplanet.com/security/ff3.6/FF3.6-PoC-v1.4.html
Forum: DoS
4 years ago
malloci
If this video is of you, you deserve to be mocked http://www.youtube.com/user/r7hdyeg ... LOL
Forum: OMG Ponies
4 years ago
malloci
I can help, but first I need the link to the pictures he posted so I can flap to them. Thx
Forum: OMG Ponies
4 years ago
malloci
Okay... so the http://www.mozilla.org/security/announce/2009/mfsa2009-54.html bug/exploit which I reported was "Fixed" in the new version http://news.cnet.com/8301-30685_3-10385082-264.html FF3.5.4... or was it? Check out my http://cybermediaplanet.com/security.html PoC and at http://wiki.austinhackers.org/2009-09-30-0x0024 AHA.
Forum: DoS
5 years ago
malloci
You can reproduce the crash by attaching to an already running instance of Firefox: start Firefox, attach the process in WinDbg, in your browser try to use the FoxTab addon, and crash. It seems to be an issue with FoxTab calling ShockwaveFlash: NPSWF32!native_ShockwaveFlash_TCallLabel+0xc4f6c NPSWF32!native_ShockwaveFlash_TCallLabel+0xc51ff, but then again, like I said, I am learning myself.
Forum: DoS
5 years ago
malloci
@p0deje Good find... I was able to reproduce the crash (Windows Vista64 Ultimate).
(1e00.21a0): Guard page violation - code 80000001 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=06893000 ebx=00000010 ecx=0039e834 edx=08810000 esi=08810000 edi=0039e834
eip=606ef27a esp=0039e60c ebp=00000003 iopl=0
Forum: DoS
5 years ago
malloci
Can you run a debug with !exploitable -v? Just curious to see the stack trace. Looks like it might be an exploitable issue to me if you were able to control the (eip or esi) registers. I am still learning how to debug such issues as well. Great post, keep us updated on your find. malloc(i)
Forum: DoS
5 years ago
malloci
Couldn't help it... just had to add a third thread with the same name. Hey, at least I didn't copy my code line for line from the other posts (just my own post). Either way, I am fairly sure this code will crash your Firefox 3.5 browser. This is just one version of the PoC I have been coding. It is ugly code but should serve as an example to use for debugging FF3.5. Hope to get some feedback
Forum: DoS
5 years ago
malloci
Like I said... the program should crash your browser; however, try it several times as it will crash on different errors. Part of the time it should display that Firefox was closed by DEP, which is most likely a very bad thing. malloc(i)
Forum: DoS
5 years ago
malloci
This is just one version of the PoC I have been coding. It is ugly code but should serve as an example to use for debugging FF3.5. Hope to get some feedback (crashes, debug, comments, ideas).
------------------------------------- index.html -------------------------------------
<!DOCTYPE HTML>
<html>
<head>
<title>DOS</title>
</head>
<body>
Forum: DoS
5 years ago
malloci
Any feedback would be appreciated ;)
Forum: DoS
5 years ago
malloci
This one is great as well. It crashed Firefox with a DEP notice:
(22dc.169c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
int 3
0:032> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live u
Forum: DoS
5 years ago
malloci
More !exploitable output:
Description: Privileged Instruction Violation
Short Description: PrivilegedInstruction
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Privileged Instruction Violation
A privileged instruction exception indicates that the attacker controls execution flow.
Wait... I love that part "A privileged instruction exception indic
Forum: DoS
5 years ago
malloci
@Gareth Thanks for the comments... I'm still trying to figure this exploit out. I now need to try to weaponise the exploit, but that is another matter ;)
Forum: DoS
5 years ago
malloci
Yes... Yes, I have a new PoC which seems to work from my limited testing. I believe it may be some kind of race condition within the JavaScript web worker. Either way, part of the time it crashes on the bug which I made Mozilla aware of, the other part of the time it crashes in an access violation error: User mode write access violations that are near NULL are probably exploitable.
Forum: DoS
5 years ago
malloci
I think it may be exploitable?
(1698.544): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7749039d ebx=00a63220 ecx=08fcf4a0 edx=62c1e9d8 esi=00000000 edi=07aeff10
eip=62b93074 esp=0031eab4 ebp=08fcf050 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002
Forum: DoS
5 years ago
malloci
Okay... so after a little testing on my own I decided to turn to Mozilla to see if they might have any ideas. After a week I got the following email from them: "I poked at this a bit and I don't like it. Based on your output it looks relatively benign, a near-null read and probable resource exhaustion (based on the testcase). I crashed in a few different spots, still "near null"
Forum: DoS
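The three posts above turn on the same triage question: is the faulting address near NULL, and is the access a read, a write or a control transfer? The following is an added example, not code from the thread and not MSEC's !exploitable source: a minimal C version of the rules quoted in these posts (write near NULL is probably exploitable, read near NULL is probably not, a privileged-instruction exception is exploitable, and the `int 3` at `ntdll!DbgBreakPoint` is the attach breakpoint rather than a crash), applied to a WinDbg register line taken from the dump above. The 64 KiB "near null" threshold, the function names (`windbg_exception_code`, `windbg_reg`, `triage`, `triage_from_dump`) and the constructed faulting instruction `mov eax,[esi+10h]` are assumptions of this example; the thread's excerpt does not show the instruction at eip.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Well-known NTSTATUS exception codes as they appear in WinDbg's
 * "(pid.tid): <name> - code <hex> (first chance)" header line. */
const char *exception_name(uint32_t code) {
    switch (code) {
    case 0xC0000005u: return "Access violation";
    case 0x80000001u: return "Guard page violation";
    case 0x80000003u: return "Break instruction exception";
    case 0xC0000096u: return "Privileged instruction";
    case 0xC000001Du: return "Illegal instruction";
    case 0xC00000FDu: return "Stack overflow";
    default:          return "Unknown exception";
    }
}

/* Parses the "code XXXXXXXX" field out of the exception header line.
 * Returns 1 and writes *out on success, 0 if no code is present. */
int windbg_exception_code(const char *header, uint32_t *out) {
    const char *p = strstr(header, " code ");
    if (!p) return 0;
    char *end;
    unsigned long v = strtoul(p + 6, &end, 16);
    if (end == p + 6) return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Pulls one 32-bit register out of a WinDbg register line such as
 * "eax=7749039d ebx=00a63220 ... esi=00000000 edi=07aeff10 eip=62b93074".
 * The token-boundary check keeps "es" from matching "esi=" or "esp=". */
int windbg_reg(const char *line, const char *name, uint32_t *out) {
    size_t nlen = strlen(name);
    const char *p = line;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[nlen] == '=') {
            char *end;
            unsigned long v = strtoul(p + nlen + 1, &end, 16);
            if (end != p + nlen + 1) { *out = (uint32_t)v; return 1; }
        }
        p += nlen;
    }
    return 0;
}

/* Returns the register value, or 0xFFFFFFFF when it is absent from the line. */
uint32_t windbg_reg_or_bad(const char *line, const char *name) {
    uint32_t v;
    return windbg_reg(line, name, &v) ? v : 0xFFFFFFFFu;
}

typedef enum { AV_READ, AV_WRITE, AV_EXEC } av_kind;
typedef enum { TRIAGE_NOT_A_CRASH, TRIAGE_EXPLOITABLE, TRIAGE_PROBABLY_EXPLOITABLE,
               TRIAGE_PROBABLY_NOT_EXPLOITABLE, TRIAGE_UNKNOWN } triage_t;

/* Assumption of this example: "near null" means the faulting address lies in
 * the first 64 KiB of the address space, which user-mode Windows never maps,
 * so the access is NULL plus a small offset rather than a corrupted pointer. */
#define NEAR_NULL_LIMIT 0x10000u

/* Simplified form of the rules quoted in the thread, not MSEC's full rule set. */
triage_t triage(uint32_t code, av_kind kind, uint32_t fault_addr) {
    if (code == 0x80000003u) return TRIAGE_NOT_A_CRASH;     /* attach int 3: "g" past it */
    if (code == 0xC0000096u) return TRIAGE_EXPLOITABLE;     /* privileged instruction */
    if (code != 0xC0000005u) return TRIAGE_UNKNOWN;
    int near_null = fault_addr < NEAR_NULL_LIMIT;
    switch (kind) {
    case AV_EXEC:  return TRIAGE_EXPLOITABLE;               /* eip is attacker-influenced */
    case AV_WRITE: return near_null ? TRIAGE_PROBABLY_EXPLOITABLE : TRIAGE_EXPLOITABLE;
    case AV_READ:  return near_null ? TRIAGE_PROBABLY_NOT_EXPLOITABLE : TRIAGE_UNKNOWN;
    }
    return TRIAGE_UNKNOWN;
}

/* Reads the base register of the faulting instruction from the register line,
 * adds the instruction's displacement and classifies the resulting address. */
triage_t triage_from_dump(const char *header, const char *regline, av_kind kind,
                          const char *base_reg, uint32_t disp) {
    uint32_t code, base;
    if (!windbg_exception_code(header, &code)) return TRIAGE_UNKNOWN;
    if (!windbg_reg(regline, base_reg, &base)) return TRIAGE_UNKNOWN;
    return triage(code, kind, base + disp);
}

int main(void) {
    /* Header and register line copied from the dump posted above (esi=00000000);
     * the faulting instruction "mov eax,[esi+10h]" is constructed for the example. */
    const char *hdr = "(1698.544): Access violation - code c0000005 (first chance)";
    const char *regs = "eax=7749039d ebx=00a63220 ecx=08fcf4a0 edx=62c1e9d8 "
                       "esi=00000000 edi=07aeff10 eip=62b93074 esp=0031eab4 ebp=08fcf050";
    uint32_t code = 0;
    windbg_exception_code(hdr, &code);
    printf("%s (%08x): verdict %d\n", exception_name(code), code,
           (int)triage_from_dump(hdr, regs, AV_READ, "esi", 0x10));
    return 0;
}
```

Run against the posted dump with esi as the base register, this classifies the crash the way Mozilla's reply did (a near-null read, probably not exploitable); the same register line with a write through esi would come out as probably exploitable, which is the distinction the "User mode write access violations that are near NULL" line in the thread is drawing. Neither verdict is a proof: the heuristic only says whether the faulting address looks like NULL plus an offset or like something the attacker could steer.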
5 years ago
malloci
More debug output:
(484.5d0): Break instruction exception - code 80000003 (first chance)
eax=7ffdb000 ebx=00000000 ecx=00000000 edx=7707f06d esi=00000000 edi=00000000
eip=77032ea8 esp=077dfefc ebp=077dff28 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
77032ea8 cc int 3
0:017> g (
Forum: DoS
5 years ago
malloci
So I set up a Vista instance under a VM and disabled DEP just for testing. I got the following dump from WinDbg when passing in a nop sled ("%u9090"):
(ac8.e10): Break instruction exception - code 80000003 (first chance)
eax=7ffac000 ebx=00000000 ecx=00000000 edx=7707f06d esi=00000000 edi=00000000
eip=77032ea8 esp=0572fcf4 ebp=0572fd20 iopl=0 nv up ei pl zr na pe nc
cs=001
Forum: DoS
5 years ago
malloci
If I change the index.html code to the following, Firefox does not crash right away but rather stalls and creates a memory leak??? I am trying different inputs for my code and getting very different results and crashes depending on the input. If anyone is willing to try fuzzing input for the code and see what type of results they are getting in FF3.5 I would appreciate it. I am just curious if
Forum: DoS
5 years ago
malloci
@Gareth Heyes Thanks for the reply. I will try to throw some different values in and see what happens. Sort of fuzzing the input passed in to my code I guess? Anyway, I appreciate your feedback and will try some different values in my code. I am far from an expert as well; this is my first attempt at debugging a crash. If anyone has any more ideas or input I am open to suggestions.
Forum: DoS
5 years ago
malloci
Okay... so I compiled the source code for !exploitable "!exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment."(http://msecdbg.codeplex.com/) and put the msce.dll in the Windows Debugger winext sub-directory. After running my code WinDbg gave me the following output using !expolitab
Forum: DoS
5 years ago
malloci
Hello Sla.ckers, This is my first post so please take it easy on me, I'm still learning. I have a question regarding debugging firefox. I have loaded the symbols from the symbol server and have some debug output; however, I am not sure what I am looking at. I am curious if this code might lead to a possible exploit? I have read a little on the recent heap spray and buffer overflow exploits
Forum: DoS