Dailydave mailing list archives

Quick notes on blind exploitation, cnet


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 26 Jan 2005 14:38:45 -0500

Just for the record, Isaac's SecurityFocus paper pre-dates the blindIsapi CANVAS module, and it predates the previously published NGS paper by a few months as well (such is life). The CANVAS module is actually quite effective, but I use a different algorithm, and of course, I use the blind-isapi shellcode previously discussed here. One drawback is that (unlike Isaac's code) my code doesn't appear to work against /gS'd executables. It kills inetinfo.exe before it gets control, for some reason. I might fix that by doing a few "shove tons of shellcode into dllhost/inetinfo then jump to random place in the heap" games. Not sure.

In terms of real-world use, CANVAS's w3who.dll exploit was automatically generated using our blindIsapi code.

Also, there's an article on vulnerability disclosure on Cnet:
http://news.zdnet.com/2100-1009_22-5550430.html

Suffice it to say, Microsoft thinks Immunity is irresponsible with vulnerability information, and Immunity thinks Microsoft is irresponsible with vulnerability information. Some people agree with Microsoft, and some people agree with Immunity. As long as no one is actively lobbying Congress for a change in law that would make disclosing vulnerabilities illegal, then I couldn't care less. I think the (unwritten) mission of the Orwellian-named "Organization for Internet Safety" is to do exactly this lobbying, but I also think they've been completely ineffective and are basically dead.

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
