Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-30-2013, 23:56
r00t
 
Posts: n/a
Allocating BSTR strings in IE9

Hello,

I am currently interested if anyone from this forum has done some work in exploit development as I found myself banging on a wall for quite a few.

The issue I am facing is allocating BSTR strings in HEAP under Internet Explorer 9. I encounter no issues doing it under IE8 using "substring" from javascript. I have been playing around with a heap overflow under IE8 and got it working, based on the advisory IE9 should also be vulnerable however there are no public references for a BSTR allocation primitive for it.

Note that placing the BSTR strings in memory is essential in order to cause a leak and bypass ASLR. I can not use simple objects of a certain size as the heap overflow overwrites the BSTR SIZE DWORD which allows me to get the leak.

If anyone has any insight or ideas regarding this I would appreciate it.
Reply With Quote
  #2  
Old 01-31-2013, 01:15
deepzero's Avatar
deepzero deepzero is offline
VIP
 
Join Date: Mar 2010
Location: Germany
Posts: 300
Rept. Given: 111
Rept. Rcvd 64 Times in 42 Posts
Thanks Given: 178
Thanks Rcvd at 215 Times in 92 Posts
deepzero Reputation: 64
I have no problems creating one in IE10 (win7x86) here. Why is the word HEAP capitalized? What exactly is the problem?
Reply With Quote
  #3  
Old 01-31-2013, 02:34
mrsick mrsick is offline
Friend
 
Join Date: Mar 2012
Posts: 15
Rept. Given: 4
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 11
Thanks Rcvd at 0 Times in 0 Posts
mrsick Reputation: 0
Take a look here: https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
Reply With Quote
  #4  
Old 01-31-2013, 12:39
r00t
 
Posts: n/a
MrSick, thanks!

While that did not solve the problem entirely by using a random heap I was able to get allocations working correctly under IE9. Now it's just a matter of crafting the heap accordingly.
Reply With Quote
  #5  
Old 01-31-2013, 12:47
mrsick mrsick is offline
Friend
 
Join Date: Mar 2012
Posts: 15
Rept. Given: 4
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 11
Thanks Rcvd at 0 Times in 0 Posts
mrsick Reputation: 0
Yeah, i don't recall many IE9 targets tbh

But you can take a look on this metasploit module using corelan's random spray: MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption

Good luck
Reply With Quote
Reply

Tags
allocation, bstr, heap, promitive

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IDA can't properly deal with RUST strings WhoCares General Discussion 3 07-08-2021 10:46
Strings plugin for x64dbg hors Developer Section 0 03-16-2019 01:42
Problem with referenced strings in Olly. Fade General Discussion 5 05-08-2006 22:40
Allocating memory at a specific location redbull General Discussion 5 04-18-2005 19:37
Is it possible for UPX to scramble referenced text strings? Nilrem General Discussion 12 01-18-2004 23:56


All times are GMT +8. The time now is 09:32.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )