Proj 14: Heap Spray (15 pts.)

Purpose

To understand the Heap Spray technique, a way to defeat Address Space Layout Randomization. We won't complete an actual exploit in this project, but just demonstrate the payload delivery technique.

What You Need

Source

I am following this excellent tutorial from corelanc0d3r.

Checking the Target Machine

On the Windows 2008 target machine, open Internet Explorer. You should see the message "Caution: Internet Explorer Enhanced Security Configuration is not enabled".

If you don't see that message, follow the instructions in the image below to enable it.

Testing Networking

Use ifconfig on your Kali machine to find its IP address. Ping the Kali machine from your Windows machine. If the pings don't get replies, you need to troubleshoot your virtual network settings. Setting both machines to NAT mode works best.

Making a Kali Web Server

On your Kali 2 machine, in a Terminal window, execute these commands:
service apache2 start
cd /var/www/html
nano alloc.htm
In nano, enter this code. This is a simple Web page that declares two string variables in JavaScript and adds them together.
<html>
<body>
<script language='javascript'>

var a = "IM IN UR HEAP";
var b = " PWNING UR OS";
var c = a + b;
alert(c);

</script>
</body>
</html>

Save the file with Ctrl+X, Y, Enter.

How Windows Uses the Heap

When IE allocates a string, it becomes a BSTR (Basic String) object like this:

Let's see this in action.

On your Windows target machine, in Internet Explorer, open this URL, replacing the IP address with the IP address of your Kali machine:

http://192.168.119.131/alloc.htm
You see an alert box, saying "IM IN UR HEAP PWNING UR OS", as shown below.

Close the alert box, but leave Internet Explorer open.

Starting Immunity Debugger

On your desktop, right-click "Immunity Debugger" and click "Run as Administrator".

From the Immunity menu bar, click File, Attach.

In the "Select process to attach" box, click iexplore, as shown below, and click the Attach button.

Searching RAM with Mona

In Immunity, at the bottom, in the white bar, execute this command:
!mona help
The help message shows the Mona commands. One of them is "find", as shown below.

In Immunity, at the bottom, in the white bar, execute this command:

!mona help find
Details of the "find" command appear, as shown below.

Windows frequently stores strings in Unicode encoding, because it's an international operating system, and that's how Internet Explorer stores JavaScript strings in RAM.

We'll search for the Unicode form of the string "IM IN UR HEAP PWNING" (the -s option gives the string, -unicode selects the encoding), searching through all modules, that is, through the complete userland RAM space (-x *).

In Immunity, at the bottom, in the white bar, execute this command:

!mona find -s "IM IN UR HEAP PWNING" -unicode -x *
Mona is searching the entire userland RAM space, which may take a few minutes.

When the search finishes, you see one or more pointers found, as shown below. Right-click one of the pointers and click "Dump at address".

A Dump window appears. Scroll down one line to show the RAM before the "IM IN UR HEAP PWNING" string, as shown below.

Note these features:

Saving a Screen Image

Make sure the string "I.M. .I.N. .U.R. .H.E.A.P. .P.W.N.I.N.G. .U.R. .O.S." is visible, as shown above

Click on the host machine's desktop.

Press Shift+PrintScrn. That will copy the whole desktop to the clipboard.

Open Paint and paste in the image.

Save the image with the filename "Your Name Proj 14a". Use your real name, not the literal text "Your Name".

YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!

Using Unescape

We want to upload shellcode to RAM and execute it. We don't want the Unicode storage adding null bytes after each byte we send up, so we'll have to break our exploit into two-byte chunks and tell JavaScript to interpret each chunk as a single Unicode character.

The ASCII string "IM IN" corresponds to these hex values, as you can see in the chart below: 49 4D 20 49 4E

In Kali, in a Terminal window, execute this command:

nano alloc2.htm
In nano, enter this code:
<html>
<body>
<script language='javascript'>

var a = unescape('%u4D49%u4920%u204E%u5255%u4820%u4145%u2050'); // "IM IN UR HEAP "
var b = unescape('%u5750%u494E%u474E%u5520%u2052%u534F');       // "PWNING UR OS"
var c = a + b;
alert(c);

</script>
</body>
</html>

Save the file with Ctrl+X, Y, Enter.

On your Windows 2008 target machine, close Immunity.

Open Internet Explorer and go to this URL, replacing the IP address with the IP address of your Kali machine:

http://192.168.119.131/alloc2.htm
You see an alert box, containing non-English characters corresponding to the Unicode data, as shown below.

Close the alert box, but leave Internet Explorer open.

Start Immunity, click File, Attach, and attach the iexplore process.

In Immunity, at the bottom, in the white bar, execute this command:

!mona find -s "IM IN UR HEAP PWNING" -x *
As shown below, the text now appears as ASCII, not Unicode:
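Why the same bytes now show up as ASCII: each %uXXXX escape becomes one 16-bit code unit, and the pair of ASCII bytes packed into it is stored low byte first, so memory ends up holding the original ASCII sequence with no null bytes in between. The code below is an added example, not code from the project page or from the corelanc0d3r tutorial; the function names are my own. It performs the same pairing the page does by hand to re-derive the escapes used in alloc2.htm, and decodes them back to bytes without relying on the legacy unescape() global.

```javascript
// Added example: the %uXXXX <-> ASCII mapping explained on the page.
// Each %uHHHH escape is one UTF-16 code unit; the low byte is the FIRST
// ASCII character of the pair, the high byte the SECOND, because the
// unit is written to memory little-endian.

// Pair up ASCII characters, low byte first, into %uHHHH escapes.
// Input must have an even length (alloc2.htm pads "IM IN UR HEAP " with a space).
function asciiToUnicodeEscapes(text) {
  if (text.length % 2 !== 0) throw new Error('need an even number of characters');
  let out = '';
  for (let i = 0; i < text.length; i += 2) {
    const lo = text.charCodeAt(i);
    const hi = text.charCodeAt(i + 1);
    if (lo > 0x7f || hi > 0x7f) throw new Error('ASCII only');
    const unit = (hi << 8) | lo;
    out += '%u' + unit.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

// Inverse: expand %uHHHH escapes into the byte sequence IE stores in RAM.
function unicodeEscapesToBytes(escaped) {
  const bytes = [];
  const re = /%u([0-9A-Fa-f]{4})/g;
  let m;
  while ((m = re.exec(escaped)) !== null) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8); // little-endian: low byte first
  }
  return bytes;
}

function bytesToAscii(bytes) {
  return String.fromCharCode(...bytes);
}

// Usage: re-derive the escape strings from alloc2.htm and decode them back.
const escA = asciiToUnicodeEscapes('IM IN UR HEAP ');
const escB = asciiToUnicodeEscapes('PWNING UR OS');
const roundTrip = bytesToAscii(unicodeEscapesToBytes(escA + escB));
console.log(escA, escB, roundTrip);
```

The decoded byte sequence is exactly what `!mona find -s "IM IN UR HEAP PWNING" -x *` matches once the -unicode option is dropped: the bytes in RAM are plain ASCII, even though JavaScript still sees the string as a run of 16-bit characters.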

Understanding a Heap Spray

The idea of a heap spray is to put your exploit into a JavaScript string and store many copies of it on the heap.

The exploit should be preceded by a long NOP sled.

After the JavaScript runs, the heap will look like this:

Spraying a Test Exploit Without Shellcode

We'll use this dummy exploit code:

As you can see, this data is over 99% NOPs, which means that if we jump anywhere in the heap, we have a 99% chance of running our exploit code :).

The JavaScript below places 500 copies of this exploit in RAM, filling over 50 MB with copies of the attack.

In Kali, in a Terminal window, execute this command:

nano heap.htm
In nano, enter this code:
<html>
<script>

// each unescape('%u9090%u9090') appends two UTF-16 units, i.e. four 0x90 (NOP) bytes
var nopsled = '';
for (var i=0; i<100000; i++){
	nopsled += unescape('%u9090%u9090'); }

// dummy "exploit": INT3 breakpoints (0xCC) stand in for real shellcode
var buf = '';
for (i=0; i<500; i++){
	buf += unescape('%uCCCC%uCCCC'); }

var tag = unescape('%u554C%u5A4C'); //LULZ - marker to search for with mona

// 500 copies of sled + dummy exploit + "LULZLULZ" tag
var a = new Array();
for (i=0; i<500; i++){
	a[i] = nopsled + buf + tag + tag; }
alert("Spray done");

</script>
</html>

Save the file with Ctrl+X, Y, Enter.

On your Windows 2008 target machine, close Immunity.

Open Internet Explorer and go to this URL, replacing the IP address with the IP address of your Kali machine:

http://192.168.119.131/heap.htm
You see an alert box, saying "Spray done", as shown below.

Close the alert box, but leave Internet Explorer open.

Start Immunity, click File, Attach, and attach the iexplore process.

In Immunity, at the bottom, in the white bar, execute this command:

!mona find -s "LULZLULZ" -x *
Mona found 500 hits, with many different addresses, as shown below.
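Two claims above, that each sprayed block is over 99% NOPs and that searching for "LULZLULZ" locates every copy, can be checked on a byte region without a debugger. The code below is an added example and is not from the project page; it constructs a sample region with the same layout heap.htm builds (400,000 bytes of 0x90, then 2,000 bytes of 0xCC, then the tag) and applies the kind of NOP-density and marker-search checks a memory-forensics script would run over a process dump to flag a sprayed heap. Function names and the thresholds in looksSprayed are my own choices.

```javascript
// Added example: analysing a memory region for heap-spray characteristics.
// Sample data is constructed here to mirror one block of heap.htm; it is
// not a real dump.

// Build one block: sledCalls x 4 NOP bytes, int3Calls x 4 INT3 bytes, "LULZLULZ".
function buildSampleBlock(sledCalls = 100000, int3Calls = 500) {
  const sledLen = sledCalls * 4;      // each unescape('%u9090%u9090') = 4 bytes
  const int3Len = int3Calls * 4;      // each unescape('%uCCCC%uCCCC') = 4 bytes
  const tag = [0x4c, 0x55, 0x4c, 0x5a, 0x4c, 0x55, 0x4c, 0x5a]; // "LULZLULZ"
  const block = new Uint8Array(sledLen + int3Len + tag.length);
  block.fill(0x90, 0, sledLen);
  block.fill(0xcc, sledLen, sledLen + int3Len);
  block.set(tag, sledLen + int3Len);
  return block;
}

// Fraction of bytes that are 0x90 (x86 NOP).
function nopDensity(bytes) {
  let n = 0;
  for (const b of bytes) if (b === 0x90) n++;
  return n / bytes.length;
}

// Longest contiguous run of 0x90 bytes: { offset, length }.
function longestNopRun(bytes) {
  let best = { offset: 0, length: 0 };
  let start = -1;
  for (let i = 0; i <= bytes.length; i++) {
    if (i < bytes.length && bytes[i] === 0x90) {
      if (start < 0) start = i;
    } else if (start >= 0) {
      if (i - start > best.length) best = { offset: start, length: i - start };
      start = -1;
    }
  }
  return best;
}

// Offsets of every occurrence of an ASCII marker, like `!mona find -s`.
function findTag(bytes, tagText) {
  const t = tagText.split('').map(c => c.charCodeAt(0));
  const hits = [];
  outer: for (let i = 0; i + t.length <= bytes.length; i++) {
    for (let j = 0; j < t.length; j++) {
      if (bytes[i + j] !== t[j]) continue outer;
    }
    hits.push(i);
  }
  return hits;
}

// Heuristic: a long NOP run plus a NOP-dominated region is a spray signature.
function looksSprayed(bytes, minRun = 4096, minDensity = 0.9) {
  return longestNopRun(bytes).length >= minRun && nopDensity(bytes) >= minDensity;
}

// Summary of one region, the figures a report would carry.
function summarize(bytes) {
  return {
    length: bytes.length,
    nopDensity: nopDensity(bytes),
    longestRun: longestNopRun(bytes),
    tagHits: findTag(bytes, 'LULZLULZ'),
    sprayed: looksSprayed(bytes),
  };
}

// Usage: one constructed block with heap.htm's proportions.
const sampleBlock = buildSampleBlock();
console.log(summarize(sampleBlock));
```

On the constructed block the density comes out at about 99.5%, which is the "over 99% NOPs" figure: 400,000 sled bytes against 2,008 bytes of INT3 and tag. The same proportion is why a dump at an arbitrary address inside the sprayed region is far more likely to show a row of 90 bytes than anything else.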

Troubleshooting

One student's Mona refused to find "LULZLULZ", but when we searched RAM with HxD it was there, so he turned in screenshots from HxD to prove the heap spray worked. If that happens to you, just send in screenshots of HxD finding the heap spray in RAM.

Viewing RAM at 06060606

In Immunity, click View, CPU.

In the lower left pane, right-click and click "Go to", Expression, as shown below.

In the "Enter expression..." box, type 06060606, as shown below. Then click OK.

The dump shows a lot of 90 bytes, as shown below.

If you don't find the NOPs at 06060606, try 07070707, 08080808, etc.

Saving a Screen Image

Make sure at least one row of 90 bytes is visible.

Click on the host machine's desktop.

Press Shift+PrintScrn. That will copy the whole desktop to the clipboard.

Open Paint and paste in the image.

Save the image with the filename "Your Name Proj 14b". Use your real name, not the literal text "Your Name".

YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!

Turning in your Project

Send the image to: cnit.127sam@gmail.com with a subject line of "Proj 14 From Your Name", replacing Your Name with your own first and last name. Send a Cc to yourself.

Sources

Exploit writing tutorial part 11 : Heap Spraying Demystified

mona.py – the manual

Part 8: Spraying the Heap [Chapter 1: Vanilla EIP]

Reliable Windows 7 Exploitation

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7

http://www.communicrypt.com/site/index.php?option=com_content&task=view&id=27&Itemid=101

https://www.corelan.be/index.php/forum/security-advisories-archive-2010/corelan-10-042-ansmtp-dll-smtp-component-activex-ver-8-0-0-2/

How to Exploit IE8 to Get Root Access When People Visit Your Website


Posted 10-26-15 by Sam Bowne
Saving instructions for image A added 2-20-28