Security vulnerability reports as a way to establish your l33t kr3|)z


There is an entire subculture of l33t l4x0rs who occasionally pop into our world, and as such have to adapt their communication style to match their audience. Sometimes the adaptation is incomplete.

I have appended a file exploit.pl which exploits a vulnerability
in XYZ version N.M.  The result is a denial of service.
The perl script generates a file, which if double-clicked,
results in a crash in XYZ.

S00PrA\/\/e$Um

#!/usr/bin/perl

system('cls');
system('color c');
system('title XYZ DOS Exploit');
print('
----------------------------------------------------
****************************************************
*              __                      $           *
*   --        |  |     __             $$$          *
*  |     - -  |__|    |  |           $     | |     *
*   --  | | | |       |__| \  /\  /   $$$  | |     *
*     |  - -  |   r   |  |  \/  \/ e     $  -  m   *
*   --                |  |            $$$          *
*                                      $           *
****************************************************
----------------------------------------------------
');

sleep 2;
system('cls');
print('
----------------------------------------------------
****************************************************
*                                      $           *
*   --                |  |            $$$          *
*     |  - -  |   L   |__|  /\  /\ 6     $  -  w   *
*   --  | | | |__     |  | /  \/  \   $$$  | |     *
*  |     - -  |  |    |__|           $     | |     *
*   --        |__|                    $$$          *
*                                      $           *
****************************************************
----------------------------------------------------

The exploit!
');
sleep 2;

$theexploit = "\0";

open(file, ">exploit.xyz");
print(file $theexploit);

system('cls');
print('
----------------------------------------------------
****************************************************
*              __                      $           *
*   --        |  |     __             $$$          *
*  |     - -  |__|    |  |           $     | |     *
*   --  | | | |       |__| \  /\  /   $$$  | |     *
*     |  - -  |   r   |  |  \/  \/ e     $  -  m   *
*   --                |  |            $$$          *
*                                      $           *
****************************************************
----------------------------------------------------

DONE!

Double-click exploit.xyz in XYZ and KABLOOEEYYY!
');

sleep 3;

system('cls');
print('
----------------------------------------------------
****************************************************
*              __                      $           *
*   --        |  |     __             $$$          *
*  |     - -  |__|    |  |           $     | |     *
*   --  | | | |       |__| \  /\  /   $$$  | |     *
*     |  - -  |   r   |  |  \/  \/ e     $  -  m   *
*   --                |  |            $$$          *
*                                      $           *
****************************************************
----------------------------------------------------

CONSTRUCTED BY S00PrA\/\/e$Um

Special thanks to: XploYtr & T3rM!NaT3R.
');

You may have trouble finding the exploit buried in that perl script, because the perl script consists almost entirely of graffiti and posturing and chest-thumping. (You may also have noticed a bug.) Here is the script with all the fluff removed:

$theexploit = "\0";

open(file, ">exploit.xyz");
print(file $theexploit);

This could've been conveyed in a simple sentence: "Create a one-byte file consisting of a single null byte." But if you did that, then you wouldn't get your chance to put your name up in lights on the screen of a Microsoft security researcher!
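One defect a reviewer would flag in the reduced script is ordering: the handle is never closed, so the single byte sits in the output buffer until the interpreter exits, yet the banner tells the user to double-click the file while the script is still sleeping. The added example below (not from the post) reproduces that write-then-instruct sequence in Python and contrasts it with a reproducer that closes and verifies the file before reporting success; the temporary directory is constructed, the file name and the null byte are the post's.

```python
"""Flush-ordering pitfall in a one-byte reproducer (added illustration)."""
import os
import tempfile

REPRO_BYTES = b"\0"  # the entire "exploit": one null byte


def write_unflushed(path):
    """Mirror the script: open and write, but do not close.

    Returns (handle, size_on_disk). The byte stays in the userspace buffer,
    so a user who double-clicks the file at this point opens an empty file.
    """
    fh = open(path, "wb")
    fh.write(REPRO_BYTES)
    return fh, os.path.getsize(path)


def write_repro(path):
    """Minimal correct reproducer: write, close, then verify before telling anyone."""
    with open(path, "wb") as fh:
        fh.write(REPRO_BYTES)
    with open(path, "rb") as fh:
        data = fh.read()
    if data != REPRO_BYTES:
        raise RuntimeError(f"unexpected contents {data!r}")
    return len(data)


def demo():
    """Return (size while still open, size after close, size after verified write)."""
    with tempfile.TemporaryDirectory() as d:  # constructed scratch location
        path = os.path.join(d, "exploit.xyz")
        fh, size_while_open = write_unflushed(path)
        fh.close()  # what the Perl script only gets implicitly at exit
        size_after_close = os.path.getsize(path)
        size_verified = write_repro(path)
    return size_while_open, size_after_close, size_verified


if __name__ == "__main__":
    print(demo())  # (0, 1, 1)
```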

(For the record, the issue being reported was not only known, a patch for it had already been issued at the time the report came in. The crash is simply a self-inflicted denial of service with no security consequences. There isn't even any data loss because XYZ can open only one file at a time, so by the time it crashes, all your previous work must already have been saved.)

Comments (29)
  1. Anonymous says:

    I like how they thank two people for it, like it was some huge collaborative effort to put together these three lines.

  2. Anonymous says:

    "I like how they thank two people for it, like it was some huge collaborative effort to put together these three lines." It's entirely possible that it was some huge collaborative effort to find the bug itself.

  3. Anonymous says:

    " It's entirely possible that it was some huge collaborative effort to find the bug itself." Maybe. Though if they have to collaborate to find a known bug that had already been patched, that's a bit disappointing. Maybe the collaboration was more on the stylistic graffiti they put into the program.

  4. Anonymous says:

    Is that the actual graffiti and posturing and chest-thumping that you received, or did you actually go to the effort to construct it?  Is SuperAwesome the "Contoso" of leet hackers?

    [I changed the name of the leet hacker, but the original graffiti was in the same style. -Raymond]
  5. Anonymous says:

    Man that was funny.

    Filler text to get past spam filter.

  6. Well, I tried to report a stack overflow bug in IE8 and IE9, using my MSDN support account, but Microsoft only supports IE10 now and is not accepting bugs for these old ones. So I don't bother anymore. Soon I will get conditioned enough for a competitor's browser.

  7. Anonymous says:

    @alegr1: IE8 and IE9 are still patched for security bugs. So what you just said is a lie.

  8. Medinoc says:

    The hacker didn't even put his graffiti in a function. Lame, that's not "clever" code.

  9. What is a l4x0r?  Is that like a ***?

  10. Ah, now it makes sense.  The word I was attempting to write was

    h 4 x o r

  11. Anonymous says:

    Rank amateurism. A real hacker makes the exploit print his name (aside some privileged information that proves the exploit works), but in such a way that you don't understand how. See also JAPH. Give the other guy something to study too.

    The exploit that can be further reduced is not the true exploit.

  12. Jack B Nimble says:

    @Matt, is it a lie to be mistaken? I don't believe so.

  13. Anonymous says:

    @Jack: It's a lie to claim that you reported a stack overflow in IE8 and it was ignored by Microsoft. You only need to read this blog to know that:

    blogs.msdn.com/…/10247870.aspx

  14. Yuhong Bao says:

    "There isn't even any data loss because XYZ can open only one file at a time, so by the time it crashes, all your previous work must already have been saved."

    On the other hand, a win32k or ntoskrnl BSoD on a terminal server can cause hundreds of users to lose their work even if there is no way to get remote code execution.

    [Irrelevant here since, as noted, this was an app crash, not a system crash. -Raymond]
  15. Anonymous says:

    While I've seen many "leet" hackers who do stuff like that, please don't judge the entire security industry by those individuals.  Every town has their idiot.

  16. Anonymous says:

    Lawrence: I look forward to Raymond mentioning "C0nt050".

    Actually, I think I just found my next password (for low-value sites).

  17. Anonymous says:

    @Joshua. You wouldn't have to type that filler text to hack the spam filter if you signed all your posts with a super awesome ascii art signature.

  18. Anonymous says:

    Surprisingly, I agree with the assessment of a security vulnerability. Unless it's a NULL pointer crash (I normally use fault address < 4096 to define this), crashes with evidence of memory corruption are a pretty good indicator of security vulnerability. In kernel mode, even NULL is security (see Win16). I can get past ASLR with a 1 in 256 chance and if I were a broad-spectrum attacker I'd consider that a good enough chance to get an unhealthy amount of bots.

  19. Unescaped backslashes in a single-quoted string?  Tsk.

  20. Anonymous says:

    @Matt:  That post describes Microsoft's policy; employees are only human and can occasionally fail to adhere to the policy.

  21. Anonymous says:

    Hello !

    very informative blog. I have a question:

    some program on my computer keeps on messing around with my internet explorer proxy settings. it enables the "use automatic configuration script" checkbox, which I would like to be disabled all the time. Is there a way to know which is the offending program ?

    br

  22. Anonymous says:

    @digitalsurgeon: Yes, yes there is.

  23. Anonymous says:

    very informative blog indeed!

    @digitalsurgeon: Run Process Monitor and filter for changes to the registry where the proxy setting is stored

  24. Anonymous says:

    @Maurits:  Maybe I'm mistaken, but in perl doesn't single-quoting treat \\ the same as \?

  25. @Neil (SM)

    Yes; the backslash operator in a single-quoted string is treated as a literal backslash unless it is followed by either another backslash (in which case the pair is treated as a literal backslash) or the string terminator (in which case it is treated as a literal string terminator.)

    'ab' is ab

    'a\'b' is a'b

    q(a\)b) is a)b

    'a\b' is a\b

    Since the backslash still has escape syntax in a single-quoted string, as a matter of style I recommend using \\ everywhere you want a literal \.

    This is an incredibly nitpicky comment, which I intended to provide humorous relief, given the severity of the other problems with the code.

  26. Anonymous says:

    Re Joshua, a security vulnerability?!?! Where's the payload going in a one-byte NULL byte file?!?!

  27. Anonymous says:

    Does anybody remember a bug in older versions of NT (IIRC, XP used to be affected, too) where code that prints tbbbb in a loop (in console) would cause the system to reboot after a few seconds?

    (What's the timeout for posting on this blog? 90 seconds?)

  28. Anonymous says:

    ender: yes, the internet has a very long memory: support.microsoft.com/…/311486.  What about it?

  29. You have to understand that Perl scripts are a form of art…

    for people who never do anything else other than write Perl scripts and attempt to crash their own systems all day, at least.
