Internet Exploiter 2 – bypassing DEP

In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits. The exploit I released would not work if you had DEP turned on for MSIE. However, I also created a version of the exploit that used ret-into-libc to bypass DEP, which I never released until today.

I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms. 32-bits does not provide sufficient address space to randomize memory to the point where guessing addresses becomes impractical, considering heap spraying can allow an attacker to allocate memory across a considerable chunk of the address space and in a highly predictable location. The code in this exploit shows how to abuse this to perform a ret-into-libc attack when you can predict or, through information leakage, determine the location of modules (exe, dll) in the process’ memory.

The source code, which has inline documentation, can be found here.
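To make the address-space argument above concrete from a mitigation-assessment standpoint, the following is an added example (my own model, not code from the exploit or from the original post). It counts, over every possible randomized base of a region, how often a single fixed address would fall inside an allocation of a given size, and cross-checks that exact count with a random simulation. The user-space size, the base granularity, the number of randomization bits and all addresses are constructed parameters, not measurements of any real Windows version.

```python
import random

# Constructed model parameters: 2 GiB x86 user space, region bases aligned to 64 KiB.
USER_SPACE = 1 << 31
DEFAULT_GRANULARITY = 0x10000


def possible_bases(entropy_bits, granularity=DEFAULT_GRANULARITY):
    """All bases a randomized region can take in this model: 2**entropy_bits
    distinct, evenly spaced, granularity-aligned start addresses (assumption)."""
    return [i * granularity for i in range(1 << entropy_bits)]


def hit_probability(guess, alloc_bytes, entropy_bits, granularity=DEFAULT_GRANULARITY):
    """Exact fraction of possible bases for which the fixed address `guess`
    lies inside [base, base + alloc_bytes). This is the chance that a guessed
    address lands in the region, given the randomization budget modelled."""
    bases = possible_bases(entropy_bits, granularity)
    hits = sum(1 for b in bases if b <= guess < b + alloc_bytes)
    return hits / len(bases)


def estimate_hit_probability(guess, alloc_bytes, entropy_bits, trials=20000, seed=1,
                             granularity=DEFAULT_GRANULARITY):
    """Monte Carlo cross-check of hit_probability: draw a random base per trial."""
    rng = random.Random(seed)
    bases = possible_bases(entropy_bits, granularity)
    hits = 0
    for _ in range(trials):
        b = rng.choice(bases)
        if b <= guess < b + alloc_bytes:
            hits += 1
    return hits / trials


def randomization_span(entropy_bits, granularity=DEFAULT_GRANULARITY):
    """Total number of bytes over which the base can move; once an allocation
    is much larger than this span, randomizing the base no longer hides it."""
    return (1 << entropy_bits) * granularity


if __name__ == "__main__":
    guess = 0x00800000            # constructed fixed address to test against
    bits = 8                      # constructed randomization budget (256 bases)
    print(f"base can move over {randomization_span(bits) / 2**20:.0f} MiB")
    for size in (0x1000, 0x80000, 0x10000000):
        p = hit_probability(guess, size, bits)
        est = estimate_hit_probability(guess, size, bits)
        print(f"allocation {size / 2**20:8.3f} MiB: exact p={p:.5f}, simulated p={est:.5f}")
```

The table the script prints shows the point of the post in numbers: a 4 KiB allocation is found by a fixed guess about once in 256 tries under this randomization budget, while an allocation that spans a large fraction of the 2 GiB space is found every time, because the randomization span is small compared to the allocation. When evaluating ASLR on 32-bit processes, the useful question is therefore the ratio between the randomization span and the largest allocation an attacker can make, not the number of randomized bits in isolation.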

***UPDATE*** It appears that some people need a little more detail to figure out what is going on:

14 Comments to “Internet Exploiter 2 – bypassing DEP”

  1. larry seltzer
    2010/03/01

    Is the exploit actually supposed to work, or is it earlier-stage than that?

    I’m trying it on IE8/Vista SP2 and it throws “No such interface supported” at each iteration of the main for(i=0;i<1024;i++) loop.

  2. larry seltzer
    2010/03/02

    Perhaps a better question is what the shellcode is supposed to do, because I don’t see any evidence that it’s executing

  3. SkyLined
    2010/03/02

    This exploit targets a bug that was fixed in MSIE 6.0 in 2005, which explains why it does not affect any recent install. This release is for academic purposes only; it is not an 0-day that script-kiddies can use to pwn your grandma’s computer.

  4. larry seltzer
    2010/03/02

    Darn, now I have to find some other way to pwn Grandma!

  5. thomas
    2010/03/02

    Could you make it work with the recent Aurora exploit? It would be a good challenge for you and would prove that it’s better than Immunity’s JIT method.

Trackbacks & Pingbacks

  1. Skypher · Internet Exploiter 2 – bypassing DEP « Internet Cafe Solution

  2. Googler ships exploit to defeat DEP | Zero Day | ZDNet.com

  3. New exploit technique nullifies major Windows defense «

  4. Is Windows Now Doomed To A New Round Of Attacks? | Revelations From An Unwashed Brain

  5. New attack technique circumvents Windows' major defense « SECNOW – Web Security Analysis and Threads

  6. InfoSec Daily » Episode 80 – Don’t “Stire” Me

  7. DEP in Windows hacked « Robby Pedrica’s Tech Blog

  8. » Is the DEP system vulnerable? NoticiasTech

  9. 0-day exploits for IE flaw another reason to switch to IE8 « Web Designing
