Case Study: SolarWinds Orion (video)


Special Thanks:

To my wife for putting up with my crap. Also SolarWinds for keeping an open communication while fixing the issue. And of course… Corelan Team 😛

Audio:

Many thanks to DJ Great Scott for supplying me with the music. Definitely check out some of his work!

http://soundcloud.com/greatscott
http://glitch.fm/

Music in Video:
Defcon (Samples Remix)
Leuce Rhythms – Bad Brain (Great Scott Remix)
Great Scott – Caravan

Video:

This video is based on an ActiveX bug discovered in SolarWinds Orion version 10 and below. The bug was fixed in version 10.1.

I decided to make a movie instead of releasing code because the .dll is marked not safe for scripting, so the "exploit-ability" doesn’t make it very practical.

The other reason for making a movie is I thought this wasn’t a "typical" bug. There were many encounters with different problems that needed to be solved.

While developing the exploit I had some issues with getting the code to execute.

I had previously thought that the memory block where the payload was loaded into would not execute (due to the permissions in memory), so I decided to make use of the buffer space available to stage the shellcode somewhere else using a memcpy() call. In essence, I told it to write the payload back onto the stack so it can be executed.

After revisiting this bug months later (after it was fixed by SolarWinds), I realized the problem existed between the keyboard and chair and it was not the case … the code could be executed from memory so there was no need for the memcpy() call. Anyways, it still is a good technique to make your shellcode executable when needed :).

So at either rate, it still makes for a fun video. Enjoy!
(Make sure to toggle full screen)

– Lincoln

Solarwinds Orion



  Copyright secured by Digiprove © 2010 Peter Van Eeckhoutte

© Corelan Consulting BV. All rights reserved. The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.