[Dailydave] BOOM: WhitePhosphorus in CANVAS

Dave Aitel dave at immunityinc.com
Thu Oct 31 14:15:56 EDT 2013


"WP", as it's known internally, is now almost completely integrated into
CANVAS. I think we added something like 150 new exploits with the latest
release. Not that, for me, it's about NUMBERS. Someone asked on Twitter
(I refuse to have real conversations in 150 chars - that kind of brevity
is for shellcode, yo) how many client-side exploits in various attack
tools rely on beating ASLR by loading a DLL that is not ASLR-enabled.

I can't think of any exploits in CANVAS that do that - I know our recent
IE release does the whole corrupt->leak->parse->corrupt->DEPLIB chain to
executing code, where you manipulate an internal JavaScript object so
you can read memory, and build your exploit around that.

If you have to load JAVA to exploit your target, then something is
always seriously wrong, although the Chinese did that one recently that
used an old Word DLL, which is pretty cool. Obviously it helps if you
have a SIGINT network and you know from HTTP headers and various other
sources that your target network uses Word 2003. But CANVAS/MSF/CORE
can't assume that.

-dave
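The corrupt->leak->parse chain Dave describes, reduced to a constructed C model (this is an added illustration, not CANVAS code and not IE's real object layouts). A script-engine "string" with a length field sits next to a native object carrying a vtable pointer; the bug is modelled as an overwrite of the length field, the bounds-checked character read then becomes an out-of-bounds read primitive, the leaked bytes are parsed back into a pointer, and subtracting an assumed, known offset (VTABLE_OFFSET) gives the randomised module base. The struct layouts, the 24-byte chunk offset and the 0x1230 vtable offset are all assumptions for the demonstration; in a real exploit they come from heap grooming and reversing the target module.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed object layouts for the demonstration; not IE's real formats. */
typedef struct {
    uint32_t length;   /* the bounds check trusts this; the bug lets us overwrite it */
    char     data[16];
} js_string_t;

typedef struct {
    uintptr_t vtable;  /* points into the module's read-only data */
    uint32_t  refcount;
} native_obj_t;

#define STR_OFFSET    0        /* assumed: string object at the start of the groomed chunk */
#define OBJ_OFFSET    24       /* assumed: next object, 8-byte aligned, after the 20-byte string */
#define HEAP_SIZE     64
#define VTABLE_OFFSET 0x1230u  /* assumed: offset of this vtable from the module base */

/* The engine's "safe" character read: bounds-checked against length. */
static int read_char(const js_string_t *s, uint32_t idx)
{
    if (idx >= s->length)
        return -1;   /* out of range: the engine would throw here */
    return ((const unsigned char *)s)[offsetof(js_string_t, data) + idx];
}

/* Step 1, corrupt: stand-in for the memory-safety bug. Once length is huge,
   read_char() no longer protects anything. */
static void corrupt_length(js_string_t *s)
{
    s->length = 0xFFFFFFFFu;
}

/* Steps 2 and 3, leak and parse: read past data[] into the neighbouring
   object one character at a time and reassemble the vtable pointer in
   memory order (no endianness assumption). */
static uintptr_t leak_vtable(const js_string_t *s, size_t vtable_off)
{
    unsigned char buf[sizeof(uintptr_t)];
    uintptr_t v;
    for (size_t i = 0; i < sizeof buf; i++) {
        int b = read_char(s, (uint32_t)(vtable_off - offsetof(js_string_t, data) + i));
        if (b < 0)
            return 0;
        buf[i] = (unsigned char)b;
    }
    memcpy(&v, buf, sizeof v);
    return v;
}

/* Whole chain. Given the base the loader actually picked for the module,
   returns the base the attacker recovers; 0 on failure. */
uintptr_t recover_module_base(uintptr_t real_base)
{
    unsigned char *heap = calloc(1, HEAP_SIZE);   /* the groomed chunk */
    if (!heap)
        return 0;
    js_string_t  *s   = (js_string_t *)(heap + STR_OFFSET);
    native_obj_t *obj = (native_obj_t *)(heap + OBJ_OFFSET);

    s->length = 5;
    memcpy(s->data, "hello", 5);
    obj->vtable   = real_base + VTABLE_OFFSET;   /* what ASLR gave this process */
    obj->refcount = 1;

    /* Before corruption the read primitive really is bounded. */
    if (read_char(s, 100) != -1) {
        free(heap);
        return 0;
    }

    corrupt_length(s);
    uintptr_t vt = leak_vtable(s, OBJ_OFFSET + offsetof(native_obj_t, vtable));
    free(heap);
    if (vt == 0)
        return 0;

    /* Step 4: leaked pointer minus its known offset is the module base. The
       second corruption (the write that hijacks control flow) can now use
       real addresses, with no non-ASLR DLL needed. */
    return vt - VTABLE_OFFSET;
}

int main(void)
{
    uintptr_t base = (uintptr_t)0x7ff6c1a40000ull;   /* constructed sample base */
    printf("loader base  0x%" PRIxPTR "\n", base);
    printf("leaked base  0x%" PRIxPTR "\n", recover_module_base(base));
    return 0;
}
```

The point the model makes is the one in the post: once a single corrupted field turns a bounded read into an arbitrary one, ASLR is beaten by arithmetic on a leaked pointer, so nothing about the target's DLL inventory has to be assumed.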

