Written by Rubén
Wednesday, 18 June 2008
The new version of kartoffel is already available for download in 32/64-bit flavours for Vista/2003/XP/2k. As expected I have received no feedback with regards to the new version, neither bugs nor suggestions... nothing at all, so I assume that either I am the only person in the world that uses kartoffel or I am very good at programming which is less likely. Anyway this new version includes the following features:
Integration with WinDbg through kar_ext.dll (Kartoffel Extension)

This extension does not work on 2K; there you should still be able to grab the raw data through the "!bugdump" command. On Windows versions newer than 2K you can use this extension to get the data that Kartoffel embeds within the crash dump (see image above) you may get while debugging/researching a driver. In order to let Kartoffel track your steps, you must add the option "-X" to the command line on every execution. See "kartoffe-userguide.pdf" for further information.
Retarded heuristic for spotting uninitialized kernel memory leaks in METHOD_BUFFERED requests.
This is a common problem: in METHOD_BUFFERED the input and output buffers overlap in the same system buffer, and the I/O Manager only initializes it with the input data, so if the driver returns the whole length of the output buffer without writing all of it, bits of kernel memory leak to user mode. See the following image; the example is taken from a Microsoft driver, "msgpc.sys". In this case it's not a big deal since you need admin privileges.
Force memory dump.
Crash your machine for fun and profit via "-Y" option.
Build up your custom buffer through the command-line
I've added a new fuzzing method where you can describe the contents of the buffer just by using the command line, so you don't need a k-plugin.
The CUSTOM method allows you to write pointers, bytes, ANSI strings and wide strings. You can also specify "repeat" and "offset" parameters, where "repeat" sets the number of times the specified value will be repeated and "offset" is the position (in bytes) within the buffer at which the value will begin to be written.
Tokens:
• Write a Pointer
[P=0xVALUE::*REPEAT$OFFSET]
• Write a Byte
[B=0xVALUE::*REPEAT$OFFSET]
• Write an ANSI String
[A=this is an ansi string::*REPEAT$OFFSET]
• Write a Wide String
[W=This is a wide string::*REPEAT$OFFSET]
• Finalize BufferString
[!!]
Example:
-u CUSTOM,"[P=0xDEADBEEF::*8$4][A=Escape \"Quotes\"::*1$8][B=0x41::*0][!!]"
This string will write 0xDEADBEEF 8 times beginning at offset 0x4, then the string will be copied 1 time at offset 0x8 and finally the byte 0x41 will be written one time at offset 0.
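As an added example (not Kartoffel's own code nor part of the original post), a small Python parser that builds the buffer a CUSTOM spec describes, so a token string can be checked offline before it is handed to a driver. The pointer width and the default offset of 0 when $OFFSET is omitted are assumptions; tokens are applied in order, so later writes overwrite earlier ones, as the post's example implies.

```python
import re

# Grammar from the post: [T=VALUE::*REPEAT$OFFSET] ... [!!], T in P/B/A/W.
# $OFFSET is optional and defaults to 0 (an assumption, matching "[B=0x41::*0]").
TOKEN_RE = re.compile(r'\[([PBAW])=(.*?)::\*(\d+)(?:\$(\w+))?\]', re.DOTALL)

def _num(text):  # 0x-prefixed hex or plain decimal; int(x, 0) would reject '08'
    return int(text, 16) if text.lower().startswith('0x') else int(text)

def strip_cli(arg):  # accept the bare spec or the full '-u CUSTOM,"..."' argument
    prefix = '-u CUSTOM,'
    if arg.startswith(prefix):
        arg = arg[len(prefix):].strip()
        if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
            arg = arg[1:-1]
    return arg

def parse_custom(spec, pointer_size=4):
    """Return the bytearray a CUSTOM spec describes. Tokens are applied in order
    and later writes overwrite earlier ones, as the post's example implies.
    pointer_size is an assumption: 4 for a 32-bit target, 8 for 64-bit."""
    spec = strip_cli(spec)
    end = spec.find('[!!]')
    if end < 0:
        raise ValueError('spec is not finalized with [!!]')
    buf, pos = bytearray(), 0
    for m in TOKEN_RE.finditer(spec, 0, end):
        if m.start() != pos:
            raise ValueError('unparsed text at %d: %r' % (pos, spec[pos:m.start()]))
        pos = m.end()
        kind, value, repeat, offset = m.groups()
        repeat = max(int(repeat), 1)          # the post writes "*0" once
        offset = _num(offset) if offset else 0
        text = value.replace('\\"', '"')      # undo shell-style quote escaping
        if kind == 'P':
            data = _num(value).to_bytes(pointer_size, 'little')
        elif kind == 'B':
            data = bytes([_num(value) & 0xFF])
        elif kind == 'A':
            data = text.encode('latin-1')
        else:
            data = text.encode('utf-16-le')
        data *= repeat
        if len(buf) < offset + len(data):
            buf.extend(b'\x00' * (offset + len(data) - len(buf)))
        buf[offset:offset + len(data)] = data
    if pos != end:
        raise ValueError('unparsed text before [!!]: %r' % spec[pos:end])
    return buf

# Constructed from the post's own example (0xDEADBEEF is the post's sample value).
EXAMPLE = r'-u CUSTOM,"[P=0xDEADBEEF::*8$4][A=Escape \"Quotes\"::*1$8][B=0x41::*0][!!]"'
```

Running `parse_custom(EXAMPLE)` yields a 36-byte buffer: the byte 0x41 at offset 0, the pointer run from offset 4, and the ANSI string at offset 8 overwriting part of that run.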
That's all, well there are minor bugs fixed but nothing really remarkable. Have fun, happy hunting/debugging!
Doo bee doo, doo doo bee dooo...
Written by Rubén
Tuesday, 13 May 2008
One month later...
I have just uploaded a new k-plugin for Kartoffel. It's an exploit for a local vulnerability in i2omgmt.sys, a Microsoft driver, which has been fixed in Service Pack 3. The exploit for a recent Realtek HD Audio Codec Drivers flaw is also available as a k-plugin.
I'm planning to release a new version of Kartoffel soon. This new version will include among other things, integration with WinDbg to make debugging crashdumps caused by kartoffel easier. So it's time to drop me a line if you have missed functionalities, spotted a bug...
See you in a month or so!
Last Updated ( Tuesday, 13 May 2008 )
Exploit for win32k!ntUserFnOUTSTRING (MS08-25/n)
Written by Rubén
Friday, 11 April 2008
Hi there, I'm still alive.
This month Microsoft has patched a bunch of bugs, mainly within gdi32.dll and win32k.sys. Thomas Garnier is doing a really good job researching core components; just take a look at the latest bulletins.
There is a common error shared by several of the vulnerabilities patched in this bulletin, which is explained in detail at the SWI blog. One of the simplest vulnerabilities already patched lies in the win32k!NtUserFnOUTSTRING function. The flaw is pretty clear, but the way it can be exploited is really interesting since it unveils a previously "unknown" attack vector (at least for me, since I never thought that ProbeForWrite considers kernel addresses with 0 length as valid).
Last Updated ( Tuesday, 13 May 2008 )