IE browser exploits technology evolution(II)-vulnerability warning-the black bar safety net

ID MYHACK58:62201679174
Type myhack58
Reporter hac425
Modified 2016-09-14T00:00:00


Foreword In a previous article, we talked about some of the early ie related exploits, from the most basic, the most simple stack overflow vulnerability of the use of speaking, to the relatively more complex UAF exploits. Through these exploits evolution, as if we can see the human society from the primitive barbaric society to a civilized society the evolution of a microcosm. For IE exploits, the beginning is to use a stack overflow vulnerability stack overflow vulnerability the use of very simple and crude, we can direct through the length of the string overwrite the function return address or seh chain structure to direct the hijacking off the program of the eip, the control program execution flow. In actual use, in order to stability and simplicity, generally the first to use the heap spray technique will be our payload (nops + shellcode)is arranged to a predictable address, the address is generally 0x0c0c0c0c, which will be followed by overflowing the eip value of the control is 0x0c0c0c0c achieved, then the program will jump into the nops block, the final execution to the shellcode area, complete the exploit. You can see this whole process is very simple and crude, with cents if the words of such an exploit"not elegant", and later the UAF vulnerability appeared, exploit technology, also become elegant up, for the UAF exploits, the hacker's modus operandi than before the stack overflow vulnerability of the use of the technique, fine a lot, the use of the routines is: there are holes in the object after being released, the application some of the size with the release of the object share memory the same size as the object, to achieve"accounted for pit", then in the modify that block of memory data is started 4 bytes, of the virtual table, and finally calls the virtual function, to trigger the vulnerability, hijacking eip. Can clearly feel to the entire exploit process than before to elegance a lot of, the hacker they need to be careful manipulation of the memory allocation, in order to achieve that block the release of the memory of the heavy interest. Of course this whole process or is there a"not elegant"places in the exploits of the last stage, we use the or the beginning of that kind of arrangement shellcode method, it is directly a large amount of ejection of memory, Willy-nilly the eip is set to 0x0c0c0c0c achieve vulnerability. This way, in the absence of DEP or desirable. But DEP dad a result, nothing changed. Then the DEP end? DEP Data Execution Prevention, Data Execution Prevention the basic principle is the data where the memory page is identified as non-performing, when the program overflow successfully transferred to the ShellCode, the program will try to in the data on the page to execute the instruction, then the CPU will throw an exception, instead of to execute malicious instructions. And before we exploit the last step is directly jump to the data area to execute code, so in the DEP under the action of we all previous exploits will beoperating systemend to the last step, isn't it a gas? I think at the time the hacker must be very helpless I have to get eip, you won't let me execute my code, you tease me play? But the hacker's Creed is not"give up"the word, and some just"break everything"is! A period of Confusion after that some clever hacker discovered that you didn't let me perform my data? Well, I will not perform my data, I execute your program's own data can always. Should the program itself is certainly need to execute code, so we can reuse the program code to put them stitching together the final implementation we need to function. This technique is referred to as ROP(Return Oriented Programming return oriented programming is. On the ROP technical detail, the way of use online there have been a number of articles for the description, please do not familiar to the reader Baidu, here will not repeat them here.

IE browser exploits technology evolution For DEP, now we have the ROP of this technology to be bypassed. The introduction of the ROP technique, but also introduce new problems, in most cases we will not use the rop chain to achieve our shellcode functionality required, in a more General way is by calling the number provided by the system can set the memory attribute of the function to the shellcode where the memory region is set to the executable attribute, so that we can perform our input data. We know that for the rop of some code snippet, which we call gadgets) are some of the to the ret instruction at the end of the code fragment. While the ret instruction is a stack of data on the operation of, and the reality is that we now obtain the ie vulnerability basic no can control the stack data. We can control only the heap of the above data by using the"heap spray"technique, in this case we want to use into a fun instruction: xchg reg ,esp such an instruction is the role of the exchange of the reg register and the esp register value. And in some heap-related vulnerabilities, we can often control at least one register value that imagine we will a register value is set to 0x0c0c0c0c (Yes again, is this fun to address), and then use an xchg instruction the esp value and the register value of the swap, as a result of the program the stack becomes a we can control the place, the exploit is not yet another to become elegant. Now left one last question: in our successful implementation of the rop chain to set the shellcode where the memory for the executable property before, we have no way performed on the heap data, so we use similar to xchg reg ,esp the instruction to switch to good stack after our ret address MUST BE in the rop chain of the first address. To solve this problem we should use"precise heap spray"technique. We know that the dynamic application memory of the address is constantly changing, so in 0x0c0c0c0c at the address of the data should also will change, the so-called"precise heap spray"is the use of some particular heap layout so that the in 0x0c0c0c0c at the data as a constant value, as a result, in ie the use of rop and, together the storm is a breakthrough. Below to combat under the"precise heap spray"! First to a can in ie8 on heap spray script: // [ Shellcode ] var shellcode = "\xcc\xcc" var fill = unescape("%u0c0c%u0c0c"); while (fill. length fill += fill; } // [ fill each chunk with 0x1000 bytes ] evilcode = shellcode + fill. substring(0, 0x800 - shellcode. length); // [ repeat the block to 512KB ] while (evilcode. length evilcode += evilcode; } // [ substring(2, 0x40000 - 0x21) - IE8 ] var block = evilcode. substring(2, 0x40000 - 0x21); // [ Allocate 2 0 0 MB ] var slide = new Array(); for (var i = 0; i slide[i] = block. substring(0, block. length); } (1); The pop-up bomb box(in order to facilitate debugging, the equivalent to the next breakpoint when you use the debugger to attach, look at the memory layout. ! You can see we've the data can be injected into 0x0c0c0c0c this address. The next step we should do is Control 0x0c0c0c0c this at the address of the value. Based on the predecessors of the effort, we can use the following methods to control the value. Specific practices are as follows:

[1] [2] [3] [4] [5] [6] next