Code that Hacked Google IDs [Aurora]

Chinese hackers changed the face of the Internet forever by taking the wrong step: trying to hack the search giant and several other giants.

Apparently, we know that the hackers exploited a vulnerability in Internet Explorer, but little was known about it until the code that hacked Google became public.

So what does this code do?

In Easy Words: Basically, the script creates a blank element on the page. This element has an “address”, like a house. Then the element “moves out” and something else takes up the space of the house (it might even move the house around, or be larger than the house and contain it). But the script still knows where the house was and can put things there, so if another part of the program happens to use that same space, whatever the script placed there might end up being executed.

In Technical Language: it is essentially a mixture of a buffer overflow and brute-forcing the following passwords: Love, Secret, Sex, and sometimes God. The likely mechanism is as follows:

  • The script creates objects within the rendered page, specifically the “comment” HTML element, which isn’t rendered.
  • The script retains a pointer to the element (it saves a way of accessing the element).
  • The script deletes the element it created, but holds on to the pointer.
  • The script then tries to update the element’s memory, which has since been freed, through that pointer.
  • Since the element no longer exists, its memory is reused for other things.
  • By writing a command into that memory, whatever is NOW using it ends up executing what sits at the location the pointer points to.
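To make the six steps above concrete, here is a constructed C model (an added example, not code from this post or from the exploit): a one-slot simulated heap stands in for the browser’s allocator so that memory reuse is deterministic, `run_sequence` walks through create, keep pointer, delete, reuse and stale write, and `write_checked` shows a generation-check mitigation that refuses the stale write. The toy allocator and all function names are assumptions for illustration.

```c
/* Constructed model of the dangling-pointer steps above (example code, not from the post):
 * a one-slot simulated heap so reuse is deterministic; real allocators give no such guarantee. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 16

/* Each free() bumps a generation counter, so a handle saved before the
 * free can later be recognised as stale. */
typedef struct { uint8_t mem[SLOT_SIZE]; int in_use; unsigned gen; } Heap;
typedef struct { Heap *h; unsigned gen; } Handle;

static Handle heap_alloc(Heap *h) {
    h->in_use = 1;
    memset(h->mem, 0, SLOT_SIZE);
    return (Handle){ h, h->gen };
}
static void heap_free(Heap *h) { h->in_use = 0; h->gen++; }

/* Unsafe: write through the saved pointer with no liveness check (step 4 above). */
static int write_unchecked(Handle hd, const char *data) {
    memcpy(hd.h->mem, data, strlen(data) + 1);
    return 1;
}
/* Mitigated: refuse the write when the slot was freed since the handle was taken. */
static int write_checked(Handle hd, const char *data) {
    if (!hd.h->in_use || hd.h->gen != hd.gen) return 0;
    memcpy(hd.h->mem, data, strlen(data) + 1);
    return 1;
}

/* Create element, keep handle, delete it, let another object take the slot,
 * then write "CMD" through the stale handle. Returns 1 if the new object was corrupted. */
int run_sequence(int use_check) {
    Heap h = {0};
    Handle elem = heap_alloc(&h);              /* the "comment" element */
    memcpy(h.mem, "ELEMENT", 8);
    heap_free(&h);                             /* element deleted, handle kept */
    Handle other = heap_alloc(&h);             /* something else now owns the memory */
    memcpy(other.h->mem, "OTHER", 6);
    if (use_check) write_checked(elem, "CMD"); else write_unchecked(elem, "CMD");
    return strcmp((const char *)h.mem, "OTHER") != 0;
}

int main(void) {
    printf("unchecked write corrupted the new object: %d\n", run_sequence(0)); /* 1 */
    printf("checked write corrupted the new object:   %d\n", run_sequence(1)); /* 0 */
    return 0;
}
```

The first run shows the stale pointer silently overwriting whatever reused the memory; the second shows the generation check turning the same mistake into a refused write instead of corruption.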

The exploit actually builds the same string 200 times, so as to fill 100 MBs of heap space with 200 copies of the exploit, before discarding it all. Presumably this gives a high probability that a random future allocation will land somewhere that, should the instruction pointer end up there, leads to execution of the shellcode.

On top of this, Metasploit has published details on how to reproduce this bug in IE.

All in all, the code is quite complex and hard to understand at first look. Let me know if you feel it’s something more than what is explained above. Truly, a high-profile attack.


© 2012 Geeknizer. All rights reserved.