Bypass ASLR with partial EIP overwrite

Written by  on July 30, 2015 

Hi there, here we’ll be avoiding ASLR with an interesting technique. For those who don’t know, ASLR means address space layout randomization and it’s a feature enabled on some software on modern operating systems. With ASLR enabled, a program’s library loads it’s code in different addresses everytime windows is booted, so if we have a JMP ESP in 12345678 address and we reboot next time may be in 87654321 instead of the previous address, this is used to make hard to exploit programs avoiding fixed basic JMP XXX instructions. In this example we’ll see that we can easily bypass that on some cases.

We’ll be working with windows animated cursor stack overflow vuln in windows vista with IE 7(CVE-2007-0038).

The following proof of concept code was provided, it’s quite simple, the following hex values correspond to an evil .ani file wich will cause a program crash overwriting EIP register with 43434343proof

We can copy that on a .ani file

 

.1

And craft a simple html page that will load the cursor

2

Now if we attach IE7 inside OLLY and we browse the page with IE we see the crash, and the EIP register overwritten

3

EIP register overwritten, and if we do a quick research we can see that the EBX register’s first 4 bytes point at the begining of our .ani file

followEBX

Here we can see that clearly:

EBX

So.. next step? We can try to overwrite EIP register with a JMP [EBX] (remember not JMP EBX, EBX contains a pointer, not code!) and jump to our shellcode

user32dll-1

We just saw a JMP [EBX] address on user32.dll (dll that’s loaded when the crash occurs) but what happens if we reboot the system and we do exactly the same?

user32dll-2

Yes same instruction loaded on a different address… We can compare both addresses

user32-compare

If we look closely and we repeat the process few times, we’ll se that only the first 2 bytes are randomized, last 2 bytes are fixed! So here in this example, we can try to reduce the buffer space and overwrite only 2 lower bytes.

4

After doing that we’ll see that only 2 lower bytes has been overwritten, and the 2 higher bytes of EIP(not overwritten) always contain the randomized part of the address!

5

Now we know that we can craft our exploit, first of all we generate the shellcode in raw hex format with metasploit

genshellcode

Then we add it to the ani file just at the end, and we overwrite 2 lower  bytes of EIP with the fixed address of the jump to pointer ebx. Note that I edited some parts of the code with short jump’s that’s done because when jmp [ebx] is executed it will lead the execution to the first bytes of the .ani file (52 49 46 …) we don’t want our exploit to run the NULL BYTE section (00 00 00..) that will crash it’s execution! so we need to place a few short jumps to avoid that and get to our shellcode.

finalHEX

And at the end we can see the result

THE_END

game over IE7 P-)

Category : exploiting

Tags :

Leave a Reply

Your email address will not be published. Required fields are marked *