
heap spray

Reliable Windows 7 Exploitation: A Case Study


//leverages the vulnerability into memory disclosure
function initread() {
        //overwrite something in a heap spray slide
        try {
                selarray[99].options.add(optarray.pop(),-100000000/4);
        } catch(err) {}
        
        //now find what and where exactly we overwrote

Apple Safari <= Tag (heap spray) Remote Buffer Overflow Exploit (osX)

Exploit Code:

#!/usr/bin/env python
#######################################################
#
# Title: Apple Safari <= Tag (heap spray) Remote BOF Exploit (osX)
# Author: eidelweiss
# Special Thank`s to: AL-MARHUM - [D]eal [C]yber - all Senior MEDANHACKER
# Greats: JosS (hackown) , r0073r & 0x1D (inj3ct0r) , kuris (good job beib LOL)
# Tested on ibook OS X 10.4.11 (ibook g4)

CORE-2008-0624: Anzio Web Print Object Buffer Overflow

the attacker, so when an exception is raised, execution is transferred to
an arbitrary memory address chosen by the person providing the malicious
web page.

By adding JavaScript code to the malicious web page, the attacker can
use a technique called Heap Spray, which fills the heap of the browser
process with the payload, and then jump to the arbitrary code located in
the process heap.

The following Python code will generate an HTML file that, when opened
on a machine with Web Print Object installed, will launch the Windows

Embarcadero ER/Studio XE2 Server Portal Tom Sawyer's Default GET Extension Factory ActiveX Control Remote Code Execution

<script>
var obj = new ActiveXObject("TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1");
</script>

then the dll will try to call into an uninitialized memory region
which is reachable by an attacker through heap spray.

//rgod



GreenBrowser iframe content Double Free Vulnerability

All versions of GreenBrowser are prone to a vulnerability which leads to arbitrary code execution. A Double Free of an iframe object is triggered by the shortcut button F6 (used to search the content of the current page). A simple PoC html page that causes the corruption contains: <iframe src="Any_File_Will_Do.swf"></iframe>
Other file extensions such as xml may also trigger this corruption. Open this page and press F6 (the shortcut button for the search bar), then press F5 to refresh the page; an error window for memory corruption will pop up. Closing this page, closing GreenBrowser entirely or navigating to another page also triggers the problem, since the double free occurs when the iframe object is released.
------------------------------------------------------------------
II. Description
GreenBrowser is an IE-core based browser. A specially crafted page could lead to the execution of shellcode. Using some JavaScript to refresh the page lets the shellcode execute automatically after a press of F6.
A search bar exists in many browsers, used mostly for a quick search over different search engines such as Google and Bing. GreenBrowser defines the shortcut button F6 to search the content of the current web page (including the content inside iframes) for the text in the search bar. After a press of F6 on a web page with an iframe that points to a flash or xml file, GreenBrowser calls ieframe.dll!CFindEngine::DisconnectDocument and then mshtml.dll!CDocument::PrivateRelease. When the page is refreshed or closed, GreenBrowser calls mshtml.dll!CDocument::PrivateRelease to release the iframe object again. Since the CDocument object has already been released once, the second call to CDocument::PrivateRelease uses released memory (which could hold shellcode placed by a HeapSpray) as the virtual function table, thus leading to a code execution vulnerability. Advanced memory attacking techniques such as Heap Feng Shui or JIT-Spray could be used to build a stable exploit.

A detailed analysis and a POC of this vulnerability could be downloaded from here:
http://www.hhjack.com.cn/report/GreenBrowserDF.rar (18.5 MB).
Old and latest versions of GreenBrowser have been tested under Windows 7 and Windows XP.
------------------------------------------------------------------

iDefense Security Advisory 03.11.10: Multiple Vendor WebKit HTML Element Use After Free Vulnerability

created by an attacker. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted
sites. After the user visits the malicious Webpage, no further user
interaction is needed.

Exploitation of this vulnerability is relatively simple if a heap spray
technique is used to control large portions of heap memory. It is also
trivial for an attacker to reallocate the chunk of freed memory and
populate it with controlled values. This allows an attacker to control
a C++ VTABLE, which leads to code execution. As such, iDefense
considers this vulnerability to be highly exploitable.

ZDI-11-198: (Pwn2Own) Microsoft Internet Explorer Uninitialized Variable Information Leak Vulnerability

The specific flaw exists within Internet Explorer that allows malicious
users to leak information about the memory layout of an Internet
Explorer process. When creating a new 'Option' HTML Element, the 'index'
field of the object is not set to zero and can be used to leak the
location of the global variable table. This can be used to defeat ASLR
or to remove the need for heap spraying while exploiting a remote code
execution flaw.


-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More

[0day] Apple QuickTime "_Marshaled_pUnk" backdoor param arbitrary code execution

ole32!wCoGetInterfaceAndReleaseStream -> ole32!CoUnmarshalInterface ->
ole32!ReadObjRef -> ole32!StRead < = p0wn!!

So all we need to do is emulate a fake IStream interface in memory. How?
aligned heap spray FTW!

This is how our sprayed block would look in memory

Heap       Value
15220c20  15220c18  // Fake VTable pointer

Re: what is this?

the file you sent here contains a bunch of embedded nulls (every other
character is 00). stripping those out reveals ...

that it's a collection of browser exploits. by the looks of it it's MPack 
and uses the heapspray slide stuff.

the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead) 
as a local file c:\\mosvs8.exe and then run it.



[CAL-2012-0023]Microsoft IE Developer Toolbar Remote Code Execution Vulnerability

4 Exploitable?
============
If the freed memory is overwritten with controlled content, combined with a heap
spray, this can cause remote code execution.


5 Crash info:
===============
ModLoad: 00110000 001c8000   C:\Program Files (x86)\Internet

[CAL-2012-0026] Microsoft IE Same ID Property Remote Code Execution Vulnerability

4 Exploitable?
============
If the freed memory is overwritten with controlled content, combined with a heap
spray, this can cause remote code execution.

We noticed this exploitation attack in the wild.


5 Crash info:

ZDI-11-159: Mozilla Firefox OBJECT mObserverList Remote Code Execution Vulnerability

required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within Firefox's handling of observer OBJECTs.
If an observer OBJECT is removed from the mObserverList during an
iteration of LOOP_OVER_OBSERVERS macro, one can heap spray over
|mObserverList.mNext| and
change the execution flow. This would allow the attacker to execute
arbitrary code under the context of the user running the browser.

-- Vendor Response:

[DCA-2011-0010] TOTVS Microsiga Protheus ERP - Memory Corruption

(gdb) print /d (unsigned int)0xffffffff
$7 = 4294967295
--- GDB OUTPUT END ---

* I didn't dig deep into this flaw, but I believe that it could lead to
Remote Command Execution (perhaps using a heap spray), and since
Protheus Application Server runs as super user (root) it means a full
server compromise.


----------------------------------------------------------------------------------------

[GSEC-TZO-45-2009] iPhone remote code execution

¨¨¨¨¨¨¨¨¨¨¨¨¨¨
Wikipedia quote: "Apple Inc. (NASDAQ: AAPL) is an American multinational corporation which designs and manufactures consumer electronics and software products. The company's best-known hardware products include "

II. Description
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
Calling the CSS attr() attribute with a large number leads to memory corruption; heap spraying allows execution of code.

III. Impact
¨¨¨¨¨¨¨¨¨¨¨
Arbitrary remote code execution can be achieved by creating a special website and enticing
the victim into visiting that site.

Safari buffer overflow

---------
<img width=0.3133731337313373133731337... src="31337.jpg">
---------

Play a little bit with the numbers to get a desirable return address, a little
bit of heap spraying, and it works.


Regards,
Leon Juranic


