You are viewing a read-only archive of the Blogs.Harvard network. Learn more.
Skip to content

Heap Spraying Research

<!–
___________________________________________________________________

,sSSSs, Ss, Internet Exploiter 2 v0.1
SS” `YS’ ‘*Ss. MSIE R6025 Multithreading issue PoC exploit
iS’ ,SS” Copyright (C) 2003, 2004 by Berend-Jan Wever.
YS, .ss ,sY” http://www.edup.tudelft.nl/~bjwever
`”YSSP” sSS
____________________________________________________________________

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.

A copy of the GNU General Public License can be found at:
http://www.gnu.org/licenses/gpl.html
or you can write to:
Free Software Foundation, Inc.
59 Temple Place – Suite 330
Boston, MA 02111-1307
USA.

The vulnerability:
There is a race condition when using appendChild to append an element in one
window to an element in another. A “dirty” read can be exploited to gain
control over the process. The control can be gained because of this code:

MSHTML.DLL @ 0x635F6074 (win2ksp4en)
MOV EAX, DWORD PTR [ESP+4] ; EAX = Some pointer to the heap for mshtml
MOV EAX, DWORD PTR [EAX] ; EAX = “dirty” value from heap
JMP NEAR DWORD PTR [EAX+8] ; Jmp to memory pointed to by “dirty” value

This is how we exploit it:
– To get some control over the “dirty” value we try to “spray” the heap for
mshtml with the value we want it to read. This is done with creatComment()s
that contain a string full of our value. We want to spray effectve and
fast, so we use as big a string as possible. If we use a string over 512
bytes long, mshtml will write a pointer to the string instead of the string
itself.
– To jump to the right address, we have to make sure that the “dirty” value
points to a pointer that in turn points to the address we want to jump to.

The first part of the exploit will provide for all this in creating a
number of dwords around 0x0D0D0D0D that all point to 0x0D0D0D0D. So if we
“spray” the heap for mshtml with 0x0D0D0D0D, this is what will happen:

MSHTML.DLL @ 0x635F6074 (win2ksp4en)
MOV EAX, DWORD PTR [ESP+4] ; EAX = Some pointer to the heap fot mshtml
MOV EAX, DWORD PTR [EAX] ; EAX = 0x0D0D0D0D
JMP NEAR DWORD PTR [EAX+8] ; JMP [0x0D0D0D15] = JMP 0x0D0D0D0D
HEAP @ 0x0D0D0D0D
OR EAX, 0x0D0D0D0D
OR EAX, 0x0D0D0D0D
OR EAX, 0x0D0D0D0D
…nopslide…
shellcode

This has proven to work quite reliable. Allthough testing showed that there
is a chance we do not control the “dirty” value. In this case, the “dirty”
value seems to be 0x11CF03f9 a lot of the time, so we make sure we cover
that address with the ‘0D’ nopslide-landingzone too.
–>
internet exploiter2

This was written by zeroday. Posted on Tuesday, June 5, 2007, at 12:29 am. Filed under Digital Warfare. Bookmark the permalink. Follow comments here with the RSS feed. Post a comment or leave a trackback.

Post a Comment

You must be logged in to post a comment.
Proudly powered by WordPress. Hosted by Pressable.