1) jmp or call a register pointing to shellcode

2) pop ret | pop pop ret | pop pop pop ret  => no register but you see your baby on the stack

3) push return  => baby in the register but there isn’t any direct jmp to register, find a push register and return

4) jmp [reg + offset] => register doesn’t point at the beginning

5) any ret ==> when you baby is in ESP, this will auto push current ESP to EIM

6) If you are faced with the fact that the available space in the buffer (after the EIP overwrite) is limited, but you have plenty of space before overwriting EIP, then you could use jump code in the smaller buffer to jump to the main shellcode in the first part of the buffer.

7) SEH ==> refer to Corelan SEH tutorials

Nice neat stuff with actual vulnerable application - the SORITONG mp3 player. ( I couldn’t find the original application package anywhere else so I just registered on the Corelan team site and downloaded the application.) Just a few notes in order to have a full working exploit:

1. Make sure you use the memdump method (the 2nd method in the tutorial) when you try to locate a POP POP RET assembly pattern. I couldn’t locate any usable POP POP RET from the player.dll and end up with a “POP POP RET” in address 0×42103cdc. I am yet to determine whether this is a portable address or just hardcoded in my own XP machine.

2. Only “POP EDI POP ESI RET” will work and if register EBX or EBP are involved and your exploit will likely to be broken. I still need to figure out what’s the exact reason but I guess by poping to EBX or EBP will change the stack segment.

BTW time to go back to explore new features in Metasploit and I haven’t got a chance to explore in depth after it was acquired by Rapid7. I decide to play with a few fuzzing tools before coming back to exploits writing just to make sure I am not getting bored.

In the Information Security world, we always look at People, Process and Technology while in Starcraft - Resources, Troops and Technology are the threesome to win a game. As in both case, an optimal balance of these three factors are the key to successfully manage an enterprise information security or defeat your opponent in a Starcraft 1vs1 game.   Also an objective and adaptive strategy are fundamental in both cases.  As an IS professional, we need to keep a close eye on the current threat landscape, the emerging threat and allocate resources (your budget) accordingly. In Starcraft, scouting and intelligence about your enemy’s strategy is the used to decide how you want to use your minerals and gas.

At the tactical level, a complimentary mixture of your troops are the most basic micro techniques in Starcraft. Similarly in the Information Security, I am a strong believer of multi-layers/tier implementation and diminishing returns of investment in single type of Information Security controls. A single type of IS security controls can only reduce the overall risk to a certain percentage and subsequent return of investment in the same type of control will decrease and reach a plateau. In one of the recent talks I have attended, Dr Peter Tippett from Verizon Business also illustrated this by using the example of safety belt in car safety controls. A nylon safety belt will reduce the probability of fatal car accident by 50% while a high-cost titanium safety belt will only reduce another 3%. Instead, an airbag at a fraction cost of a titanium safety belt, will reduce the risk much more significantly.

Just like Starcraft’s micro (unit controls in battles) and macro (resource planning, map controls etc)management, there are also micro and macro in Information Security. We need Risk framework, Governance, Strategy, Measurements and Metrics etc at a macro level, but we also need micros such as vulnerability research, code analysis, log monitoring, intrusion signature developements,  reverse engineering. Lacking either one will neither win you a Starcraft game nor will protect your enterprise information effectively.

“Operation Dynamaphone” - Aug 3, two-day operation by UK and Ireland police to crack down a group of six individuals for pilfering funds from 10000 online banking accounts through phishing emails. 

“Operation Pin Pad” - April 16 2010 Brazil PoS (Point-of-Sale)  Hack

“Operation b49″ -  Feb 2010  A coordinated effort of taking down Waledac Botnet by Microsoft along with supporting experts from Shadowserver, the University of Washington, Symantec and others.

“Operation Aurora” - Quote from wiki

Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009.The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China.

The attack was named “Operation Aurora” by Dmitri Alperovitch, Vice President of Threat Research at cyber security company McAfee. Research by McAfee Labs discovered that “Aurora” was part of the file path on the attacker’s machine that was included in two of the malware binaries McAfee said were associated with the attack. “We believe the name was the internal name the attacker(s) gave to this operation,” McAfee Chief Technology Officer George Kurtz said in a blog post.

“Operation Bot Roast” - June 2007 - An initiative from FBI to track down Botnet owners and subsequently a number of high profile charges are made against Botnet owners globally.

This project is aiming at creating a systematic and structural security framework for Virtual Worlds users (the gamers), third-party testers and developers. We already have very good security framework for generic application security (such as the OWASP Testing Guide), it’s time to zoom to specific category of application and in this case - Virtual Worlds created by in various MMORPG (Massively Multi-player Online Role Playing Games). If you ask me why I choose this specific type of application, I will say that I have this vision that one day or even in near future, virtual worlds will be an extension of real world. They will just like any independent nations with their own economy, laws and regulations, political systems and social structures. A very simple example is that we may see virtual currency come into the real world FX trading - we may see currency pair like USDLID (LID -> Linden $ currency in Second World) or USDISK (ISK -> currency in Eve-online). This is definitely very exciting stuff and worth the efforts from all of us.

Lastly quote a paragraph from Steve Jobs’ convocation speech (Stanford) -

“You can’t connect the dots looking forward; you can only connect them lookign backwards. So you have to trust that the dots will somehow connect  in your future. You have to trust in something your gut, destiny,life,karma, whatever because believing that the dots will connect down the road will give you the confidence to follow your heart, even when it leads you off the wellworn path, and that will make all the difference.”

Heartland Calls for End-to-End Encryption, Cooperation to Prevent Data Breaches

First of all it is of the right length, no chunky huge paragraph and with proper links - it is an absolute turn-off when you see something interesting and yet no links or even worse - the content is for restricted groups.  Next, related articles give the interested readers full picture of tools and their relevant usage - For example, BinScope is introduced in this newsletter together with a how-to article. (BinScope Binary Analyzer and Security Tip of the Month: Using BinScope Binary Analyzer to Improve Code Security ). In the Business Security session, Andreas Wuchner speaks out the exact thought in my mind of “What I Look for When Hiring IT Security Staff “. It is short, precise and very accurate summary of the reality in hiring of IT security staff.

This is the 2nd time in the week I am impressed by Microsoft (the first one is the Microsoft Security Development Lifecycle blog). Probably it’s time to get a copy of Windows 7 ..LOL

The only reason which triggers me to sit down and write down this post is the inspiration after reading a couple of articles in one of the backlog ISACA Journals. In the “HelpSource Q&A” session, there is a question on how to fight phishing attacks for online banking applications.  Although I have been dealing with process-level controls for the past year, the words “attacks”, “applications”, “phishing” just trigger the technical geeky style of problem-solving thinking in me and ideas of strong 2-factor authentication, SPF (Sender Policy Framework), gateway spam filtering etc immediately come into the picture.

However the very first key control suggested is to have a properly defined e-mail communication policy for both sending and receiving emails to and from customers. Subsequently the advice mentioned a number of very good business process improvement which take fighting spam/phishing emails into consideration. A few small changes to a business process will easily mitigate bunch of relevant security issues which technology alone finds them difficult to tackle. It reminds me of those days when great amount of efforts and resources were spent on network level controls in order to fight application level security issues.  Are we in the same situation nowadays while we are spending too much efforts in creating application level or even information security process level controls in order to tackle business process level security issues?

I believe it’s time to introduce business process security into the information security model and make it a layer-8 practice. It just like buiding security into SDLC and we shall build security into a business process from the very begining. The thought of having a whole new paradigm in the information security model is really exciting. I am sure this will bring drastic changes to the infosec industry - probably soon we will see business process level security penetration testing, business process hardenning etc .

One of the quoted paragraph from this write-up realy sends a chill down the spine for most infosec folks.

“Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker.  Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products.  They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list.  They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker.   They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world.  Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.”

While we - the infosec folks are happily talking about nice-looking process, management, frameworks etc.. indulging ourselves in various fanciful security solutions which are full of marketing hoohaaas. We seems to forget about the fundermentals. Probably we need some form of wake-up call - before it is too late.