Hi there, here we’ll be avoiding ASLR with an interesting technique. For those who don’t know, ASLR means address space layout randomization and it’s a feature enabled on some software on modern operating systems. With ASLR enabled, a program’s library loads it’s code in different addresses everytime windows is booted, so if we have a JMP ESP in 12345678 address and we reboot next time may be in 87654321 instead of the previous address, this is used to make hard to exploit programs avoiding fixed basic JMP XXX instructions. In this example we’ll see that we can easily bypass that on some cases.
We’ll be working with windows animated cursor stack overflow vuln in windows vista with IE 7(CVE-2007-0038).
We can copy that on a .ani file
And craft a simple html page that will load the cursor
Now if we attach IE7 inside OLLY and we browse the page with IE we see the crash, and the EIP register overwritten
EIP register overwritten, and if we do a quick research we can see that the EBX register’s first 4 bytes point at the begining of our .ani file
Here we can see that clearly:
So.. next step? We can try to overwrite EIP register with a JMP [EBX] (remember not JMP EBX, EBX contains a pointer, not code!) and jump to our shellcode
We just saw a JMP [EBX] address on user32.dll (dll that’s loaded when the crash occurs) but what happens if we reboot the system and we do exactly the same?
Yes same instruction loaded on a different address… We can compare both addresses
If we look closely and we repeat the process few times, we’ll se that only the first 2 bytes are randomized, last 2 bytes are fixed! So here in this example, we can try to reduce the buffer space and overwrite only 2 lower bytes.
After doing that we’ll see that only 2 lower bytes has been overwritten, and the 2 higher bytes of EIP(not overwritten) always contain the randomized part of the address!
Now we know that we can craft our exploit, first of all we generate the shellcode in raw hex format with metasploit
Then we add it to the ani file just at the end, and we overwrite 2 lower bytes of EIP with the fixed address of the jump to pointer ebx. Note that I edited some parts of the code with short jump’s that’s done because when jmp [ebx] is executed it will lead the execution to the first bytes of the .ani file (52 49 46 …) we don’t want our exploit to run the NULL BYTE section (00 00 00..) that will crash it’s execution! so we need to place a few short jumps to avoid that and get to our shellcode.
And at the end we can see the result
game over IE7 P-)