Exploitme5 (Heap spraying & UAF)
If you haven’t already, read the previous articles (I, II, III, IV) before proceeding. For this example you’ll need to disable DEP. In VS 2013, go to Project→properties, and modify the configuration...
EMET 5.2
The acronym EMET stands for Enhanced Mitigation Experience Toolkit. As of this writing, the latest version of EMET is 5.2 (download). As always, we’ll be working on Windows 7 SP1 64-bit. Warning EMET...
IE10: Reverse Engineering IE
For this exploit I’m using a VirtualBox VM with Windows 7 64-bit SP1 and the version of Internet Explorer 10 downloaded from here. To successfully exploit IE 10 we need to defeat both ASLR and DEP....
IE10: From one-byte-write to full process space read/write
As we said before, if we can modify a single byte at an arbitrary address, we can get read/write access to the entire process address space. The trick is to modify the length field of an array (or...
IE10: God Mode (1)
When an html page tries to load and run an ActiveX object in IE, the user is alerted with a dialog box. For instance, create an html file with the following code:<html> <head> <script...
IE10: God Mode (2)
Fixing the God Mode: Before doing something radical, let’s try to find out where the crash is. To do this, let’s add a few alerts: function createExe(fname, data) { alert("3"); //...
IE10: Use-After-Free bug
Until now, we have depended on WinDbg for modifying the length of an Int32Array to acquire full read/write access to the address space of the IE process. It’s high time we found a UAF to complete our...
IE11: Part 1
For this exploit I’m using a VirtualBox VM with Windows 7 64-bit SP1 and the version of Internet Explorer 11 downloaded from here: http://filehippo.com/download_internet_explorer_windows_7_64/tech/...
IE11: Part 2
Completing the exploit: As we saw, the POC uses window.onload because it requires that the JavaScript code is executed after the page has fully loaded. We must do the same in our exploit. We also need...
More space on the stack
If you can’t get an exploit to work because you get a weird crash inside fread or some other access violation, the space on the stack might be insufficient for the payload. The easiest solution is to...