{"id":756,"date":"2014-01-02T15:29:15","date_gmt":"2014-01-02T14:29:15","guid":{"rendered":"http:\/\/www.greyhathacker.net\/?p=756"},"modified":"2014-01-02T15:29:15","modified_gmt":"2014-01-02T14:29:15","slug":"bypassing-windows-aslr-using-run-without-permission-add-ons","status":"publish","type":"post","link":"https:\/\/www.greyhathacker.net\/?p=756","title":{"rendered":"Bypassing Windows ASLR using &#8220;Run without permission&#8221; Add-ons"},"content":{"rendered":"<p>This is just a short post highlighting a couple of products that, if installed, could be used to bypass ASLR in Internet Explorer.<\/p>\n<ul>\n<li>DivX Player 10.0.2<\/li>\n<li>Yahoo Messenger 11.5.0.228<\/li>\n<li>AOL Instant Messenger 7.5.14.8<\/li>\n<\/ul>\n<p>These products contain a number of libraries that do not get ASLRed when loaded in memory because they were not compiled with the dynamicbase flag. These libraries can easily be loaded in Internet Explorer as they are registered on the system to run without permission, so no prompts are given. 
Below is the list of libraries that can be loaded via ProgID or ClassID.<\/p>\n<pre>Dll\u00a0\u00a0\u00a0\u00a0 - C:\\Program Files\\DivX\\DivX OVS Helper\\npovshelper.dll\r\nProgID\u00a0 - OVSHelper.OVSHelperCOM.1\r\nClassID - C6E31427-FD7E-4C53-B568-124B191E5DC4\r\nVersion - 1.1.0.12\r\n-\r\nDll\u00a0\u00a0\u00a0\u00a0 - C:\\Program Files\\DivX\\DivX Web Player\\npdivx32.dll\r\nProgID\u00a0 - npdivx.DivXBrowserPlugin.1\r\nClassID - 67DABFBF-D0AB-41FA-9C46-CC0F21721616\r\nVersion - 3.0.1.5\r\n-\r\nDll\u00a0\u00a0\u00a0\u00a0 - C:\\Program Files\\DivX\\DivX Web Player\\npdivx32.dll\r\nProgID\u00a0 - nprovi.RoviStreamPlayer.1\r\nClassID - 7F64C4F7-2D43-42fe-B7E7-CE5873E7D8B6\r\nVersion - 3.0.1.5\r\n-\r\nDll\u00a0\u00a0\u00a0\u00a0 - C:\\Program Files\\Yahoo!\\Messenger\\YPagerChecker.dll\r\nProgID\u00a0 - YPagerChecker.MessengerChecker.1\r\nClassID - DA4F543C-C8A9-4E88-9A79-548CBB46F18F\r\nVersion - 1.1.0.3\r\n-\r\nDll\u00a0\u00a0\u00a0\u00a0 - C:\\Program Files\\AIM\\isAim.dll\r\nProgID\u00a0 - isaim.aimlocator.1\r\nClassID - BAEB32D0-732D-11D2-8BF4-0060B0A4A9EA\r\nVersion - 2.0.0.0<\/pre>\n<p>To view which libraries can be loaded without permission, go to &#8220;Manage Add-ons&#8221; (Internet Explorer &#8211; Tools &#8211; Manage Add-ons) and choose &#8220;Run without permission&#8221; in the Show dropdown list.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/addonsdivx.png\" width=\"640\" height=\"498\" \/><\/p>\n<p>You can use the script below to test whether any of these libraries get loaded, or just click <a href=\"http:\/\/www.greyhathacker.net\/pocs\/aslrbypassaddons.html\" target=\"_blank\">here<\/a> to run it now. Libraries with a preferred base address of 0x10000000 will get rebased if another module is already loaded at that address. Note that the Yahoo Messenger object check does not work and will fail, but the library will still get loaded if installed. 
Also, depending on where you download AOL Instant Messenger from, the latest version is 8.0.6.1, which does not contain the isAim.dll library.<\/p>\n<pre>&lt;HTML&gt;\r\n&lt;SCRIPT language=\"JavaScript\"&gt; \r\n\/\/\r\nif (DivX1() == \"DivX\")\r\n{\r\n\u00a0\u00a0 document.write(\"DivX VOD Helper Plug-in npovshelper.dll loaded&lt;br&gt;\");\r\n}\r\nif (DivX2() == \"DivX\")\r\n{\r\n\u00a0\u00a0 document.write(\"DivX Web Player (DivXBrowserPlugin) npdivx32.dll loaded&lt;br&gt;\");\r\n}\r\nif (DivX3() == \"DivX\")\r\n{\r\n\u00a0\u00a0 document.write(\"DivX Web Player (RoviStreamPlayer) npdivx32.dll loaded&lt;br&gt;\");\r\n}\r\nif (Aol() == \"AIM\")\r\n{\r\n\u00a0\u00a0 document.write(\"AOL Messenger isAim.dll loaded&lt;br&gt;\");\r\n}\r\nif (Yahoo() == \"YahooM\")\r\n{\r\n\u00a0\u00a0 document.write(\"Yahoo Messenger YPagerChecker.dll loaded&lt;br&gt;\");\r\n}\r\n\/\/\r\nfunction DivX1() \r\n{\r\n\u00a0\u00a0 var divxver = \"\";\r\n\u00a0\u00a0 var divx = 0;\r\n\u00a0\u00a0 var err = 0;\r\n\u00a0\u00a0 try {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 divx = new ActiveXObject(\"OVSHelper.OVSHelperCOM.1\");\r\n\u00a0\u00a0 } catch (err) {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 document.write(\"DivX VOD Helper Plug-in npovshelper.dll failed&lt;br&gt;\");\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 if ((typeof divx) == \"object\") {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 divxver = \"DivX\";\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 return divxver;\r\n}\r\nfunction DivX2() \r\n{\r\n\u00a0\u00a0 var divxver = \"\";\r\n\u00a0\u00a0 var divx = 0;\r\n\u00a0\u00a0 var err = 0;\r\n\u00a0\u00a0 try {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 divx = new ActiveXObject(\"npdivx.DivXBrowserPlugin.1\");\r\n\u00a0\u00a0 } catch (err) {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 document.write(\"DivX Web Player (DivXBrowserPlugin) npdivx32.dll failed&lt;br&gt;\");\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 if ((typeof divx) == \"object\") {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 divxver = \"DivX\";\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 
return divxver;\r\n}\r\nfunction DivX3() \r\n{\r\n\u00a0\u00a0 var divxver = \"\";\r\n\u00a0\u00a0 var divx = 0;\r\n\u00a0\u00a0 var err = 0;\r\n\u00a0\u00a0 try {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 divx = new ActiveXObject(\"nprovi.RoviStreamPlayer.1\");\r\n\u00a0\u00a0 } catch (err) {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 document.write(\"DivX Web Player (RoviStreamPlayer) npdivx32.dll failed&lt;br&gt;\");\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 if ((typeof divx) == \"object\") {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 divxver = \"DivX\";\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 return divxver;\r\n}\r\nfunction Aol() \r\n{\r\n\u00a0\u00a0 var aolver = \"\";\r\n\u00a0\u00a0 var aol = 0;\r\n\u00a0\u00a0 var err = 0;\r\n\u00a0\u00a0 try {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 aol = new ActiveXObject(\"isaim.aimlocator.1\");\r\n\u00a0\u00a0 } catch (err) {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 document.write(\"AOL Messenger isAim.dll failed&lt;br&gt;\");\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 if ((typeof aol) == \"object\") {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 aolver = \"AIM\";\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 return aolver;\r\n}\r\nfunction Yahoo() \r\n{\r\n\u00a0\u00a0 var yahoover = \"\";\r\n\u00a0\u00a0 var yahoo = 0;\r\n\u00a0\u00a0 var err = 0;\r\n\u00a0\u00a0 try {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 yahoo = new ActiveXObject(\"YPagerChecker.MessengerChecker.1\");\r\n\u00a0\u00a0 } catch (err) {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 document.write(\"Yahoo Messenger YPagerChecker.dll failed&lt;br&gt;\");\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 if ((typeof yahoo) == \"object\") {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 yahoover = \"YahooM\";\r\n\u00a0\u00a0 }\r\n\u00a0\u00a0 return yahoover;\r\n}\r\n&lt;\/SCRIPT&gt;\r\n&lt;\/HTML&gt;<\/pre>\n<p>Checking with Process Explorer, you&#8217;ll see something like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/procyahdivaim1.png\" width=\"635\" height=\"434\" 
\/><\/p>\n<p>There are a number of mitigations available, so bypassing ASLR using modules built without the dynamicbase bit should be old news by now.<\/p>\n<ul>\n<li>Install Microsoft EMET, which supports multiple mitigation technologies, one being Mandatory Address Space Layout Randomization (ASLR), forcing module addresses to be randomized for a target process<\/li>\n<li>Upgrade to Internet Explorer 10 or 11, where additional patches are installed that enable it to use ForceASLR on Windows 7<\/li>\n<li>Upgrade to Windows 8, which supports ForceASLR, where Internet Explorer tells the OS to randomize all modules loaded by the browser<\/li>\n<li>Disable the libraries from &#8220;Manage Add-ons&#8221;<\/li>\n<\/ul>\n<p>When running Internet Explorer 10\/11 or EMET, all addresses get randomized, as you can see below:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/procyahdivaim2.png\" width=\"635\" height=\"434\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is just a short post highlighting a couple of products that, if installed, could be used to bypass ASLR in Internet Explorer. 
DivX Player 10.0.2 Yahoo Messenger 11.5.0.228 AOL Instant Messenger 7.5.14.8 These products contain a number of libraries that do not get ASLRed when loaded in memory due to not being compiled with [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,6],"tags":[38],"class_list":["post-756","post","type-post","status-publish","format-standard","hentry","category-all","category-vulnerabilities","tag-aslr"],"_links":{"self":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=756"}],"version-history":[{"count":2,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/756\/revisions"}],"predecessor-version":[{"id":758,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/756\/revisions\/758"}],"wp:attachment":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}