Case Study: SolarWinds Orion (video)

Special Thanks:

To my wife for putting up with my crap. Also SolarWinds for keeping an open communication while fixing the issue. And of course… Corelan Team :P

Audio:

Many thanks to DJ Great Scott for supplying me with the music. Definitely check out some of his work!

http://soundcloud.com/greatscott
http://glitch.fm/

Music in Video:
Defcon (Samples Remix)
Leuce Rhythms – Bad Brain (Great Scott Remix)
Great Scott – Caravan

Video:

This video is based on an ActiveX bug discovered in SolarWinds Orion version 10 and below. The bug was fixed in version 10.1.

I decided to make a movie instead of releasing code: the .dll is marked as not safe for scripting, so exploiting this bug is not very practical.

The other reason for making a movie is that I thought this wasn't a "typical" bug: there were many different problems along the way that needed to be solved.

While developing the exploit I had some issues with getting the code to execute.

I had previously thought that the memory block the payload was loaded into would not execute (due to the memory permissions on that block), so I decided to make use of the available buffer space to stage the shellcode somewhere else using a memcpy() call. In essence, I told it to write the payload back onto the stack so it could be executed from there.

After revisiting this bug months later (after it was fixed by SolarWinds), I realized the problem existed between the keyboard and the chair: the code could be executed from where it already sat in memory, so there was no need for the memcpy() call. Anyway, it still is a good technique to make your shellcode executable when needed :).

Either way, it still makes for a fun video. Enjoy!
(Make sure to toggle full screen)

– Lincoln

Solarwinds Orion


© 2010, Corelan Team (Lincoln). All rights reserved.
