Cpp Code for mitigating Internet Explorer 6/7 attacks


Dirty mitigation for the Internet Explorer 6/7 getElementsByTagName Body Style zero-day

Code:


/*

This code is for a DLL that loads into Internet Explorer as a BHO and
modifies MSHTML.DLL in memory to render attempts to exploit this new
IE vulnerability inert. It does that by forcing a "controlled crash"
at a high address, instead of letting EIP reach an MSHTML-dependent
address that could fall within the heap-sprayable zone. It's not a
patch, or a "fix" in any pure sense -- it's just a mitigation.

The vulnerability details I've figured out are that
MSHTML!CDispNode::SetExpandedClipRect ORs a CDispScroller instance's
vtable pointer by 2, then MSHTML!CLayout::GetFirstContentDispNode
tries to call a function (at +2Ch on IE 6, +30h on IE 7) from the
vtable. This makes exploitability completely dependent on the
system's version of MSHTML.DLL, and all but rules out successful
exploitation in 64-bit Internet Explorer.

The mitigation works by replacing one function pointer in the vtable
with a pointer for which the low 2 bytes are 0xCCCC, but at which the
code is functionally equivalent. Legitimate virtual function calls
work as usual, while exploitation attempts will arrive at EIP =
0xCCCCxxxx (not exploitable) rather than 0xyyyyxxxx (exploitable for
some yyyy).

The following snippet is a pared-down, harmless proof-of-concept to
demonstrate the fundamental elements of the vulnerability. < and >
have been replaced by # to avoid setting off alarms.

#!DOCTYPE#
#STYLE# * {margin: 0; overflow: scroll} #/STYLE#
#BODY onload="document.getElementsByTagName('STYLE')[0].outerHTML++"#

The !DOCTYPE tag is necessary to cause
MSHTML!CFlowLayout::CalcSizeCore to call
CFlowLayout::CalcSizeCoreCSS1Strict (the vulnerable code path) instead
of CFlowLayout::CalcSizeCoreCompat. The STYLE needs to apply to
BODY, but the * demonstrates that "body" appearing there shouldn't be
relied upon when constructing any detection signatures. The ++ works
as well as anything to modify outerHTML.

This code has passed minimal testing and is not guaranteed to stop
all attacks. Use it at your own risk.

Thanks to MMM for the sacrificial system. Greets to the November birthday
crew.

-- Derek

*/
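As an added illustration (not part of Derek Soeder's iebsfix1.cpp), the following portable C simulates the misaligned vtable fetch the comment above describes: a 25-entry little-endian vtable is built from constructed addresses, the fetch through a vtable pointer ORed with 2 is read at +2Ch (IE 6) and +30h (IE 7), and the mitigation is applied by swapping the slot whose low 16 bits supply the high half of the fetched pointer for a constructed address ending in 0xCCCC. The slot indices (0x2C/4 + 1 = 12 and 0x30/4 + 1 = 13) follow from the arithmetic, not from the page; the vtable contents and the replacement address 0x3F0DCCCC are constructed, and the whole thing is a simulation, not a reading of MSHTML.DLL.

```c
#include <stdint.h>
#include <stdio.h>

#define NSLOTS        25          /* find_vtable_slot also wants >= 25 entries */
#define VTABLE_BYTES  (NSLOTS * 4)
#define IE6_SLOT_OFF  0x2CU       /* offsets quoted in the comment above */
#define IE7_SLOT_OFF  0x30U
#define EQUIV_FN      0x3F0DCCCCU /* constructed: "equivalent code" ending in 0xCCCC */

/* Explicit little-endian access so the byte picture matches x86 on any host. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed vtable: 25 distinct, code-section-looking pointers. */
static void build_vtable(uint8_t vt[VTABLE_BYTES])
{
    for (uint32_t i = 0; i < NSLOTS; i++)
        put_le32(vt + 4 * i, 0x3F000000U + 0x1000U * i + 0x10U);
}

/* Pointer fetched by a correct virtual call through slot_off. */
static uint32_t legit_target(const uint8_t vt[VTABLE_BYTES], uint32_t slot_off)
{
    return (slot_off + 4 <= VTABLE_BYTES) ? get_le32(vt + slot_off) : 0;
}

/* Pointer fetched after the vtable pointer has been ORed with 2: the 4-byte
 * read starts 2 bytes into slot slot_off/4 and spills into the next slot, so
 * it yields (low16 of next slot) << 16 | (high16 of this slot). */
static uint32_t corrupted_target(const uint8_t vt[VTABLE_BYTES], uint32_t slot_off)
{
    uint32_t off = slot_off + 2;
    return (off + 4 <= VTABLE_BYTES) ? get_le32(vt + off) : 0;
}

/* Index of the slot whose low 16 bits become the high half of the corrupted
 * fetch, i.e. the slot that decides whether EIP lands in a sprayable range. */
uint32_t slot_controlling_high_half(uint32_t slot_off)
{
    return slot_off / 4 + 1;
}

/* Mitigation as described above: swap that slot for a pointer to
 * functionally equivalent code whose low 2 bytes are 0xCCCC. */
static void apply_mitigation(uint8_t vt[VTABLE_BYTES], uint32_t slot_off, uint32_t equiv_fn)
{
    put_le32(vt + 4 * slot_controlling_high_half(slot_off), equiv_fn);
}

/* Convenience wrappers, each over a freshly built vtable. */
uint32_t demo_legit(uint32_t slot_off)
{
    uint8_t vt[VTABLE_BYTES]; build_vtable(vt);
    return legit_target(vt, slot_off);
}
uint32_t demo_corrupted(uint32_t slot_off)
{
    uint8_t vt[VTABLE_BYTES]; build_vtable(vt);
    return corrupted_target(vt, slot_off);
}
uint32_t demo_mitigated(uint32_t slot_off)
{
    uint8_t vt[VTABLE_BYTES]; build_vtable(vt);
    apply_mitigation(vt, slot_off, EQUIV_FN);
    return corrupted_target(vt, slot_off);
}
/* Legitimate call through the replaced slot after mitigation still reaches
 * the (assumed equivalent) replacement code. */
uint32_t demo_legit_after_mitigation(uint32_t slot_off)
{
    uint8_t vt[VTABLE_BYTES]; build_vtable(vt);
    apply_mitigation(vt, slot_off, EQUIV_FN);
    return legit_target(vt, 4 * slot_controlling_high_half(slot_off));
}

int main(void)
{
    const uint32_t offs[2] = { IE6_SLOT_OFF, IE7_SLOT_OFF };
    for (int k = 0; k < 2; k++) {
        printf("slot offset +%02Xh: legit %08X, corrupted %08X, "
               "after mitigation %08X (slot %u replaced)\n",
               (unsigned)offs[k], (unsigned)demo_legit(offs[k]),
               (unsigned)demo_corrupted(offs[k]), (unsigned)demo_mitigated(offs[k]),
               (unsigned)slot_controlling_high_half(offs[k]));
    }
    return 0;
}
```

The output makes the mitigation's reasoning concrete: before the swap the corrupted fetch yields a pointer whose high half is the low half of an ordinary code pointer (here 0xC010xxxx, an address an attacker could try to cover with a spray), while after the swap it is always 0xCCCCxxxx, and a straight virtual call through the replaced slot still lands on the replacement entry point. It also shows why the slot to replace depends on the exact +2Ch/+30h offset and therefore on the MSHTML.DLL version.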

////////////////////////////////////////////////////////////////
// iebsfix1.cpp
// ==============================================================
// Dirty mitigation for the Internet Explorer 6/7
// getElementsByTagName Body Style zero-day. Downgrades an
// exploitation attempt to a harmless crash.
//
// This mitigation is for 32-bit (x86) Windows only -- it does
// not work on 64-bit Windows, even though 64-bit Internet
// Explorer is technically affected.
//
// To build:
//
//  1. Start Visual Studio 2008 (2005 should also work)
//  2. File -> New -> Project
//  3. Choose Visual C++ : Win32 : Win32 Project
//  4. Enter "iebsfix1" for the name
//  5. In the Win32 Application Wizard, choose an
//     "Application type" of "DLL", and under "Additional
//     options", check "Empty project"
//  6. In the Solution Explorer, right-click on "Source Files",
//     Add -> New Item
//  7. Choose "C++ File (.cpp)" and enter "iebsfix1.cpp" for
//     the name
//  8. Paste all of this source code into the new .cpp file
//  9. In the Solution Explorer, right-click again on "Source
//     Files", Add -> New Item
// 10. Choose "Module-Definition File (.def)" and enter
//     "iebsfix1.def" for the name
// 11. Paste everything in the block comment below (between the
//     rows of ****s) into the new .def file
// 12. Build -> Configuration Manager; for "Active solution
//     configuration", choose "Release"
// 13. For maximum portability, Project -> Properties,
//     Configuration Properties : C/C++ : Code Generation: set
//     "Runtime Library" to "Multi-threaded (/MT)"; this will
//     keep iebsfix1.dll from requiring MSVCR*.DLL
// 14. (While you're in there, Project -> Properties,
//     Configuration Properties : Linker : Input, and make sure
//     that "Module Definition File" contains "iebsfix1.def")
// 15. Build -> Build Solution
//
// To use, copy "iebsfix1.dll" to the Windows SYSTEM32
// directory and run "regsvr32 iebsfix1.dll" as
// Administrator.
//
// To uninstall, run "regsvr32 /u iebsfix1.dll".
//
// The DLL self-registers as a Browser Helper Object, but it
// doesn't actually do anything BHO-like -- it just hooks
// MSHTML.DLL during DllGetClassObject, then "fails." Being a
// BHO is a convenient way to get loaded into Internet Explorer.
// (Note that it may also load into Explorer.) If it can't
// hook the system's MSHTML.DLL, it will display a message box
// informing the user of the failure.
//
// No warranties. Use at your own risk. Redistribution of this
// source code in its original, unmodified form is permitted.
//
// Derek Soeder - 11/22/2009
////////////////////////////////////////////////////////////////

/***** Paste the following into a new .def file: *************

LIBRARY "iebsfix1.dll"

EXPORTS
    DllCanUnloadNow      PRIVATE
    DllGetClassObject    PRIVATE
    DllRegisterServer    PRIVATE
    DllUnregisterServer  PRIVATE

**************************************************************/

#define IEBSFIX1_CLSID_W L"{802af903-a984-4481-8376-c103ade582e6}"

#define WIN32_LEAN_AND_MEAN
#define _CRT_NON_CONFORMING_SWPRINTFS
#define _CRT_SECURE_NO_WARNINGS

#include <windows.h>   // PE header types, HMODULE, etc.
#include <stdio.h>     // swprintf (see _CRT_NON_CONFORMING_SWPRINTFS above)
#include <olectl.h>    // assumption: the third header name was lost in this copy;
                       // olectl.h supplies the SELFREG_E_* codes a self-registering DLL returns

////////////////////////////////////////////////////////////////
// MSHTML!CDispScroller vtable hooking
////////////////////////////////////////////////////////////////

PVOID *find_vtable_slot(
    HMODULE hmMSHTML)
{
    PIMAGE_DOS_HEADER pmz;
    PIMAGE_NT_HEADERS32 ppe;
    UINT_PTR codestart;
    PBYTE pbcode;
    SIZE_T cbremain;
    UINT_PTR ptr;
    size_t i;
    PVOID *ppfn;

    // an HMODULE is the 64 KB-aligned image base; mask off any low bits
    pmz = (PIMAGE_DOS_HEADER)((UINT_PTR)hmMSHTML & ~(UINT_PTR)0xFFFFU);
    if (pmz->e_magic != IMAGE_DOS_SIGNATURE || pmz->e_lfanew <= 0)
        return NULL;

    ppe = (PIMAGE_NT_HEADERS32)((LONG_PTR)pmz + pmz->e_lfanew);
    if (ppe->Signature != IMAGE_NT_SIGNATURE ||
        ppe->FileHeader.Machine != IMAGE_FILE_MACHINE_I386 ||
        ppe->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    {
        return NULL;    // not a 32-bit x86 image; this mitigation is x86-only
    }

    codestart = (UINT_PTR)pmz + ppe->OptionalHeader.BaseOfCode;
    pbcode = (PBYTE)codestart;

    // Find instructions that assign to memory at [reg] a pointer
    // to constant data stored in the code section; vtable
    // pointer initialization instructions are a subset of these

    for (cbremain = ppe->OptionalHeader.SizeOfCode;
         cbremain >= 7; pbcode++, cbremain--)
    {   // C7 /0 imm32 -- MOV DWORD PTR [reg], vtableptr
        if (pbcode[0] != 0xC7U) continue;
        if (pbcode[1] <= 0x03 ||    // [EAX/ECX/EDX/EBX]
            pbcode[1] == 0x06 ||    // [ESI]
            pbcode[1] == 0x07)      // [EDI]
        {
            ptr = *(DWORD *)(pbcode + 2);
        }
        // C7 45 00 imm32 -- MOV DWORD PTR [EBP+0], vtableptr
        else if (pbcode[1] == 0x45 && pbcode[2] == 0x00)
            ptr = *(DWORD *)(pbcode + 3);
        else continue;

        // pointer to pointers, must be machine word aligned

        if ((ptr & 3) != 0) continue;

        // the candidate table itself must lie inside the code section
        // (the constant data the comment above refers to), so that
        // reading 25 entries from it cannot fault (bounds guard added
        // in this copy)

        if (ptr < codestart ||
            (ptr - codestart) + 25 * sizeof(PVOID) >
                ppe->OptionalHeader.SizeOfCode)
        {
            continue;
        }

        // if it doesn't point to at least 25 code-section
        // pointers, we're not interested

        for (i = 0; i < 25; i++)
        {
            UINT_PTR entry = ((UINT_PTR *)ptr)[i];
            if (entry < codestart || (entry - codestart) >=
                ppe->OptionalHeader.SizeOfCode)
            {
                break;
            }
        }

        if (i < 25) continue;

        ppfn =
        // [this copy of the source is cut off here; the slot selection
        //  and the rest of the DLL are not present]
