"Hack Away at the Unessential" with ExpLib2 in Metasploit

[Nytro]

"Hack Away at the Unessential" with ExpLib2 in Metasploit

Posted by Wei Chen in Metasploit on Apr 7, 2014 11:26:18 AM This blog post was jointly written by Wei sinn3r Chen and Juan Vazquez

Memory corruption exploitation is not how it used to be. With modern mitigations in place, such as GS, SafeSEH, SEHOP, DEP, ASLR/FASLR, EAF+, ASR, VTable guards, memory randomization, and sealed optimization, etc, exploit development has become much more complicated. It definitely shows when you see researchers jumping through hoops like reverse-engineering some 0-day vulnerability and the software, turning a use-after-free crash into an arbitrary write, leak an object and disclose a module base, and customized ROP and shellcode. Watching an exploit developer work is like watching a

: you see him trying to thrust, hack, kick, hitting left and right, from the ground all the way to rooftops, and then next thing you know he just popped a shell. It's all very fancy. Oh, and it's real.

Despite all the fanciness of modern exploitation, security researcher Yuki Chen (who is the exploit dev version of Bruce Lee) took a different turn. If you're not much of a Bruce Lee fan, well, Lee was really big in the philosophy of simplicity. In his words:

[TABLE=width: 100%]

[TR]

[TD=align: right][/TD]

[TD]“It’s not the daily increase but daily decrease. Hack away at the unessential.”[/TD]

[/TR]

[/TABLE]

What Yuki Chen wanted to do was avoid dealing with the hassle of EAF, DEP, shellcode, and other things. Basically, going for the most straight-forward punch with the least amount of effort. His idea of simplicity and the creation of ExpLib2 are what make him so Bruce Lee. However, we notice that the security community hasn't been talking about his stuff much, so here we'd like to go over his work on ExpLib2 more in depth, hopefully to spark more interest.

ExpLib2 is basically Yuki's exploitation library for Internet Explorer. To be able to use this, it assumes you already have a bug for an arbitrary write. And then you will have to use this bug to modify the length field of an array in memory, and you tell the library where it is, what payload to run, and that's all it needs from you. To give you an idea how much you're writing for the exploit, take a good look at the following example:

    function modifyArray() {  
      // Use your bug and modify the array here  
      // For testing, we do: ed 1a1b3000+18 400  
    }  

    function example() {  
      var num_arrays = 98688;  
      var arr_size = (0x1000 - 0x20)/4;  
      var explib = new ExpLib( num_arrays, arr_size, 0x1a1b3000, new payload_exec('calc.exe') );  
      explib.setArrContents([0x21212121, 0x22222222, 0x23232323, 0x24242424]); // There is a default one too  
      explib.spray();  
      modifyArray();  
      explib.go();  // Code execution  
    }  

The go() function from ExpLib2 will then use the information initialized by you and leak objects in order to figure out where the security manager is, makes a copy of it, have it modified (and patches other necessary functions), that way the ScriptEngine functions will end up using your fake security manager, and execute your payload in "god mode". This is pretty much the summarized version of the technique, which is also briefly explained in the original paper by Yuki, "Exploit IE Using Scriptable ActiveX Controls", but let's take a closer look at this magic trick.

Articol complet: https://community.rapid7.com/community/metasploit/blog/2014/04/07/hack-away-at-the-unessential-with-explib2-in-metasploit