In this post we will demonstrate the method discussed by mark dowd and alex sotirov for bypassing DEP and ASLR on IE 6/7 running on a windows vista machine. This method is simple and useful. We will create a .NET ActiveX that will be loaded by IE. The ActiveX will be loaded into a fixed address and will be executable. To overcome the difficulties we need two things
- To make the ActiveX load into a constant address by removing the IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE
- Select the image base we want.
The flag IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE means that the ActiveX can be loaded at a dynamic address. Removing this flag will indicate that it can’t, and help solve the ASLR problem on IE. Once we bypassed ASLR we can select the image base we want. This way when we gain control over EIP we can jump directly to our shellcode.
We create our initial ActiveX by selecting a new project in visual studio. The project type is a “C# Windows Forms Control Library”.
Once we created the project we can remove all of the code inside “UserControl1.Designer.cs” beside the namespace and class definitions. To plant the shellcode we modify “UserControl1.cs” to contain the following code:
public partial class UserControl1 : UserControl
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90".. (0x20000 Bytes);
Once compiled, the ActiveX will replace the string containing “\x90\x90…” into unicode and it will become “\x90\x00\x90\x00…” so we will need to replace it. We can make it pretty simple to replace by placing a signature at the start and the end of the string. (for example: “\x41\x05\x07\x99\xFF\x14”). This way when we will want to replace the NOPs with a real shellcode, we can simply search for “\x41\x00\x05\x00\x07\x00\x99\x00\xFF\x00\x14\x00” and replace everything we want in between the two instances we find.
We have created two simple python script to accomplish both tasks. You can use it to make the ActiveX load into a constant address and to replace the NOPs with a valid shellcode. The image base I chose was 0x0c0b0000 and the location in which the shellcode will be loaded to is 0x0c0c0c18. (We are currently using breakpoint shellcode for debugging.)
The script can be found here and the Net ActiveX can be found here. In addition to the script, we have created a metasploit component that allows the generation of a NET ActiveX on the fly. We will cover the component usage at the next post.
About the Author
Tal zeltzer (zelik) is a security researcher from israel, focusing on reverse engineering both software and hardware. He spends most of his free time developing private security tools and exploits for fun.