When is "insecure" good enough?

Discussion in 'other security issues & news' started by Gullible Jones, Apr 11, 2013.

Thread Status:
Not open for further replies.
  1. I'm... pretty sure that's wrong. Also, somewhat OT: you should probably consider that nutraceutical companies, while not as godawful huge as pharma companies, are just as interested in the bottom line.

    That isn't necessarily true. As HM and others have indicated, a remote exploit doesn't have to use a payload, it can load stuff into the target program's address space; and get root from there by invoking a kernel vulnerability.

    The question isn't where that's possible, the question is whether it's practical to automate.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ ibut

    The big pharma txt is NO spiel, but right now i guess you believe they are All nice people only wanting to help. One day you "might" learn the Truth !

    How EXACTLY are they going to get in my comp ? And without ANY warnings etc ?

    Silly :p

    How can it, on MY comp ?

    Says you ! Before you can go round preaching about what other peoples Setups can/can't do, you should install XP & configure it & our Browser/s Exactly as i/we have, plus ALL our Apps & configured accordingly. Throw as much Malware as you can at them, then post your results. Until you do, if Ever, you're just posting in the dark, & presuming All sorts of things which is NOT reality to us !

    Well bully for "your" team :D Unless it's setup as i/we have, as above, then i expect it will be pawned = no kudos etc there :p
     
  3. Those of us who are impatient might want to try the BeEF live CD:

    hxxps://github.com/beefproject/beef/wiki/BeEF-Live-CD

    Actually DVD sized (847 MB) but it includes BeEF and Metasploit.

    (Umm, I hope it's permitted to mention this thing?)
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Well i wish someone, Anyone, would provide me with such a Loader etc. I'll be happy to test it, & then we'll see one way or the other. If it does its dirty deeds i won't mind, as that will Prove it, rather than just Talk/Talk/Talk :p
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I am not going to talk about pharmaceutical companies... I never said you needed to take tylenol or some **** to be safe lol you're just going off on something that has no bearing on the conversation.

    The thing about "talk" is that it's actually the basis of the security field. Research about techniques is what's important, not being able to demonstrate some really specific **** on an XP VM. If you understand how antiexecutable works, for example, there's no need to waste time demonstrating that it doesn't do the slightest thing against remote code execution.

    But you can go ask your AntiExecutable software publisher, whoever that is, if they can stop remote code execution/ shellcode, and they'll tell you they can't (or more likely they'll give a marketing response about "oh well we focus on the payloads, which are common, blah blah blah").

    The issue is then you educating yourself about what RCE can really do, without a local payload.

    But I'm not going to keep arguing this stuff. It's been argued to death, and it's quite clear to anyone who's paying attention the limits of that software.

    I could waste my time explaining exactly how your system would get exploited, or I could waste even more time running your XP configured system (I'll probably do this anyways though) to demonstrate it, but that's meaningless. If you understood how the software you ran actually worked you'd understand its limits.

    Go download metasploit. Set it up. Run it against your system.
     
  6. Arbitrary code execution exploit? In any internet-facing program?

    Okay, suppose you have a buffer overflow in Firefox's HTML parser. You go to some hostile website. It has malformed HTML to trigger the overflow, and somewhere else in the page embeds malicious binary data as a string literal.

    - The page is loaded into Firefox's memory space
    - The overflow triggers, overwriting the renderer's call stack with the address of a function in the binary data
    - The renderer jumps right to that function and executes it, compromising the browser

    (Hope I got that right, I may have missed some details. :) )

    Now if you've got, say, a GPG private key in your home directory, it can be yoinked with a few more function calls.

    What I would question is, again, how easy it is to automate this, and moreover how easy it is to automate rooting a system from there in order to get malware persistence.

    (But that's why I'm downloading the BeEF live CD.)
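Editor's note, added to this thread and not written by any participant: the sequence in post 6 (a fixed-size buffer in the parser, an over-long input, the saved return address on the stack overwritten) comes down to a single missing length check. The C below is a constructed toy, not Firefox code: a tiny attribute-value extractor in its vulnerable form next to a hardened form that verifies the length before copying. `VALUE_MAX`, both function names and the sample HTML are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a toy "HTML attribute parser" that copies the text
 * between the first pair of double quotes into a caller-supplied buffer.
 * In the vulnerable form the copy is unbounded, so when the caller's buffer
 * is a local on the stack an over-long value runs past it into saved
 * registers and the return address. The hardened form rejects such values. */

#define VALUE_MAX 32   /* size of the stack buffer the callers below use */

/* VULNERABLE: out_size is accepted but never consulted.
 * Returns the value length, or -1 when no quoted value is present. */
int attr_value_vulnerable(const char *html, char *out, size_t out_size)
{
    (void)out_size;                       /* BUG: bound is ignored */
    const char *start = strchr(html, '"');
    if (!start) return -1;
    start++;
    const char *end = strchr(start, '"');
    if (!end) return -1;
    size_t len = (size_t)(end - start);
    memcpy(out, start, len);              /* BUG: len may exceed the buffer */
    out[len] = '\0';                      /* and this write can land past it */
    return (int)len;
}

/* HARDENED: identical parsing, but the length is compared against the
 * buffer size (leaving room for the terminator) before anything is written.
 * Returns the value length, -1 on bad syntax, -2 when the value would not fit. */
int attr_value_hardened(const char *html, char *out, size_t out_size)
{
    const char *start = strchr(html, '"');
    if (!start) return -1;
    start++;
    const char *end = strchr(start, '"');
    if (!end) return -1;
    size_t len = (size_t)(end - start);
    if (len >= out_size) return -2;       /* refuse instead of overflowing */
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: one ordinary tag, one with a value longer than VALUE_MAX. */
    const char *normal = "<a href=\"https://example.invalid/\">";
    const char *oversize =
        "<a href=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\">";
    char value[VALUE_MAX];                /* the fixed-size stack buffer */

    int n = attr_value_hardened(normal, value, sizeof value);
    printf("normal   -> %d (%s)\n", n, value);

    n = attr_value_hardened(oversize, value, sizeof value);
    printf("oversize -> %d (rejected, buffer untouched)\n", n);
    /* attr_value_vulnerable(oversize, value, sizeof value) is deliberately
     * not called: it would write past `value` into this frame. */
    return 0;
}
```

The only difference between the two functions is the `len >= out_size` comparison; that is the check whose absence turns a parser bug into the stack overwrite the post sketches. Compiler flags such as `-fstack-protector` and a non-executable stack make the overwrite harder to turn into control of the program, but they do not replace the bound.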
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Well you started it with the cold analogy !

    I don't need to run Metasploit, all i want is for Anyone to provide an exploit www.link i could visit, and/or some code etc that i can try & Install/Run, to see what "might" happen.

    Anything is Unrealistic as regards my surfing & running things.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Someone's been taking their C (I assume) programming seriously?

    P.S. It's easy. They had the exact situation on iOS, browser exploit to kernel exploit. You also have tools that generate ROP from a process, you simply tell it the call you want to make, and it creates your ROP chain. You can run quite a lot of code just from stage 1 shellcode, if you really want to.

    I believe I said earlier, but you can do it generically, since a kernel exploit bypasses everything (for this conversation). Get kernel level, unhook security programs, have fun with the system that you now own.

    Easiest way out of a sandbox, especially on XP - pretty sure MS removed a lot of code that would be accessible. Not to mention XP is pre-SDL, and pre-every-mitigation-technique.

    But I'm all talked out today.
     
    Last edited: Apr 13, 2013
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    That is true in a business environment, but for most people the user is the one that makes the system policies, so in that case he/she is the one in charge.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Gullible Jones

    That's more like it, & what i want to see, & try :thumb:

    Anyway if Anything did get in here, they would be highly disappointed, as i don't bank etc online, or have ANY personal data etc. Plus All my PW's are memorised.
     
  11. Currently C++ but yeah.

    Anyway I'm guessing you're correct, but I want to see it with my own eyes; thus the BeEF ISO in my download queue and the Windows Vista RTM copy installing on my spare computer.

    (Had to use Vista, the XP CD is scratched up. Anyway Vista is better for this, since it has gpedit; I'll probably do two runs, one with SRP and one with PrivateFirewall. I will see what there is to see.)
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Figured it was either C or C++. Glad you're learning the right way, and understanding how addresses are stored in memory. A lot of CS classes don't do that, they teach C as if it were a high level language. Sucks. But if you learn it right you start to get how these things work much better.

    Have fun hacking, I'll be happy to see it.
     
    Last edited: Apr 13, 2013
  13. LOL, I wish. ATM I'm between jobs, so I'm working through a book on it trying to teach myself. I only have a vague inkling how stuff is stored in memory, mostly courtesy of Wikipedia; even the (gruelingly difficult) C course I took last year didn't cover that.

    I'll remember to keep notes and post them here...
     
  14. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Sorry to butt back in a conversation I stopped caring about, but this particular post I wanted to address. When discussing "system policy" it's not always about IT department policy, it's about what the OS was built to do and how to act by default. When discussing that, no, the user is not in control whatsoever. I'll put it this way, 3rd party programs attempt to protect flaws in the underlying OS code from being abused. They cannot, however, nor can the user, "fix" that code. Only the OS vendor can do that. Otherwise we wouldn't have Patch Tuesdays. I know way too little about shell and all that, so HM can handle that part. But it seems to me that the point is that the way the OS is designed, these 3rd party programs and the level of intelligence and diligence a user has have little to no effect against anything but the laziest of attacks.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @GJ,

    I have some good materials that'll teach you how things are mapped in memory at a level anyone can understand, through the context of the C language. I'd be happy to share.

    School courses teach languages all wrong, especially C. Every single one will start you off with "Hello World" when you shouldn't even look at a piece of code for two weeks, after you've gained an understanding of binary, instructions, and just how a computer *works*.

    @Mman79,

    Correct. I think people also don't realize that, when you look at security as a whole, research comes first, and a few years later you get attacks. ROP didn't happen overnight, and I bet there were at least a few people thinking "Oh, return oriented programming? That's just 'theory', nothing to worry about" but to a lot of people it became quite obvious that that's where attackers would go.

    If you can "think" an attack out through your head, understanding the elements, it's likely that there's research on it, and that, at some point, an attack will be designed to use that process.
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    @Mman79: I agree with a part of what you said; the user cannot have control over the underlying OS code and he cannot patch an inherently vulnerable system (unless he uses Linux and is part of the kernel development team :) ).

    But I disagree that using 3rd party solutions doesn't solve the problem. Let's say that the OS has a vulnerability that can be remotely exploited on port 135; even though the user will not be able to patch it, and the vulnerability remains there, by using a firewall and configuring it correctly, that vulnerability is rendered useless.
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    "insecure" is good enough when.. when pigs fly I guess. Let's follow a simple algorithm to see how a pig might fly.

    Exploiting flaws in code will not stop.

    Systems will never be 100% secure.

    People will have differing opinions as to what works best or how to proceed in the future, but since all code is flawed and there will never be absolute security, opinions will remain opinions, meaning none of them are absolute either.

    Those without computer knowledge will always have problems. They play Russian roulette with 5 in the chambers lol.

    Those with computer knowledge will fare better. But when the inevitable happens, even their knowledge won't help.

    The borg will assimilate us into the hive.

    Mine is bigger than yours :D

    A pig just flew by my house ;)

    Sul.
     