12 comments on “Heap spraying in Internet Explorer with rop nops”

  1. Good job! But when I test this exploit (exploit.htm), I find that the a9
    in 0x7c3413a9 may be a bad character! Every time I debug in OllyDbg the byte 0xa9 changes to 0x3f. I don’t know how you tested this. I tested the exploit on XP SP2 and IE6… so I searched for another xchg address, 0x7c342643. This time it works well!

  2. Strange, I think it could be the OS language. Try filling the first 215 bytes with a9 instead of 41, set a breakpoint on 0x7c376223 and check the stack when it breaks. For me a9 was fine; anyway, glad you got it working 🙂

  3. headersize should be 0x10; it does not matter in this case, but that is why you have 0x0000 values at the end of the heap blocks.

    A headersize of 0x24 was for IE8.

  4. BTW, one more thing that works for me: you do not need the padnum function at all. Just add any string before the nops. If any concat operation is in the loop, the spray will work.

    // any string prepended here makes the concatenation happen inside the loop
    codewithnum = "HI" + code;
    // substring(0, length) forces a fresh copy of the string for each chunk
    heap_chunks[i] = codewithnum.substring(0, codewithnum.length);

  5. Hey man. Nice blog post. I tried Peter Van Eeckhoutte’s scripts, but they didn’t seem to heap spray in IE9 correctly for me. Your stuff helped me to figure out what was wrong with my javascript.

    Also, you mention above that you are weak in V-table exploitation. Check out my blog post here:

    Heh, you’re trying to learn something that I wrote about and I’m trying to learn something you wrote about. This works out well for both of us 🙂

  6. Glad I could help 🙂 Thanks for sharing the link about v-table exploitation, I look forward to reading it 🙂

  7. Hello,

    I am new to ROP programming and I found your article very helpful. I am trying to use the same exploit for the Java JNLP Plug-in vulnerability (CVE-2010-3552). I find that msvcr71.dll does not load in IE’s process space. What can I do in that case (except testing on a different computer)? I understand your heap spraying part, where you precede the shellcode with the ROP chain and a lot of ROP nops in each chunk. Can you please explain how you achieve stack pivoting in the last few lines of code? Is the offset of EIP 215 bytes?

    Thanks for your explanation!

  8. This is what I understood: you used the ROP chain to change the access protection from RW to RWX for the memory location starting at ESP after VirtualProtect() is called. Then you return from the sprayed heap, exchange ESP and EAX, and JMP to EAX. Is that correct? Why did you add an offset to the VirtualProtect function pointer (when loading that value into EAX in the ROP chain)? Thanks for the answer.

  9. That’s right, the ROP chain is there to make our memory executable, and the exchange of ESP with EAX is to point ESP at our sprayed heap memory, since EAX points to the heap.
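An added example, written here from a detection standpoint and not part of the original post or any of the comments above: a small Python heuristic that flags JavaScript showing the shape comment 4 describes (a string concatenation inside the spray loop and substring copies stored into an array), scored together with the usual companions of that pattern (unescape'd %u strings, self-doubling of a string, a size check against a large hex constant). Both sample snippets and the indicator weights are constructed for this example.

```python
import re

# Constructed sample snippets (not from the page). The first mirrors the shape
# discussed in comment 4: an unescape'd nop string, a concat inside the loop and
# an array filled with substring copies; the second is ordinary DOM code.
SPRAY_LIKE = r'''
var nops = unescape("%u0c0c%u0c0c");
var code = "CODE_PLACEHOLDER";
while (nops.length < 0x80000) nops += nops;
var heap_chunks = new Array();
for (var i = 0; i < 1000; i++) {
    var codewithnum = "HI" + nops + code;
    heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
}
'''

BENIGN = r'''
var items = [];
for (var i = 0; i < 10; i++) {
    items[i] = "row " + i;
}
document.getElementById("out").innerText = items.join(", ");
'''

# Indicator name -> (regex, weight). The weights are assumptions chosen for
# this example, not a published scoring scheme.
INDICATORS = {
    # unescape() of two or more %uXXXX units: the usual way to build raw byte strings
    "unescape_u": (re.compile(r'unescape\s*\(\s*["\'](?:%u[0-9a-fA-F]{4}){2,}'), 2),
    # x += x : exponential self-doubling of a string
    "self_doubling": (re.compile(r'(\w+)\s*\+=\s*\1\b'), 2),
    # a for loop whose body assigns arr[i] = ....substring( : a fresh copy per chunk
    "array_fill_loop": (re.compile(
        r'for\s*\(.*?\)\s*\{[^}]*\[\s*\w+\s*\]\s*=[^}]*\.substring\(', re.S), 2),
    # a length check against a large hex constant (>= 0x10000)
    "large_length_check": (re.compile(r'\.length\s*<\s*0x[0-9a-fA-F]{5,}'), 1),
}


def score_script(js):
    """Return (total_weight, [names of the indicators that matched])."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(js)]
    return sum(INDICATORS[n][1] for n in hits), hits


def is_heap_spray_suspect(js, threshold=4):
    """True when enough indicators co-occur to warrant analyst review."""
    total, _ = score_script(js)
    return total >= threshold


if __name__ == "__main__":
    for label, js in (("spray-like", SPRAY_LIKE), ("benign", BENIGN)):
        print(label, score_script(js), is_heap_spray_suspect(js))
```

The threshold matters more than any single regex: a lone unescape() or a single `+=` is common in legitimate code, so the function only flags a script when several of the indicators co-occur, which is exactly the combination the thread's own snippet needs in order to spray at all.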
