Quote from Lock, Stock and Two Smoking Barrels: "I...
Halvar Flake (halvar) <halvarflakesabre-securitycom> Saturday, May 20 2006 04:10.00 CDT


Quote from Lock, Stock and Two Smoking Barrels: "I don't care who you use as long as they are not complete muppets".

Having an MS Office 0day is not terribly hard, but one should not burn it by having it drop standard, off-the-shelf, poorly written bot software. The stealth advantage one gains by sending .DOC files into an organisation is thrown away the moment the payload starts creating empty SYS files or dropping DLLs on disk.
Likewise, adding a registry key to regain control on reboot is a rather suboptimal persistence mechanism.

I am kinda curious to know how they got caught, but my guess is that the bad QA on the Internet Explorer injection raised enough crashes to make people investigate.

On a side note, this highlights a few common problems people face when doing client-side attacks:
  • One-shot-ness -- any exploit you write is a one-shot and therefore has to work reliably the first time
  • Process recovery -- any exploit you write needs to be able to recover and have the exploited application resume as if nothing happened. This is a tad hard if you've written 200 megs of garbage to the heap.
  • Lack of complete pre-attack intel on the target environment -- I don't know what went wrong when they injected into iexplore, but they must've been confident that their code was good enough. This means they tested it on a testbed which didn't reflect the actual target.
  • Lack of attack focus -- I am quite convinced that they could've had a simpler, stealthier, and more stable bot component if they had thought more thoroughly about what their goal in this attack was
Enough ranting for today.
