
How to realize the Analysis and recurrence of remote execution Code vulnerabilities in Windows VBScript engine

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article shows how to analyze and reproduce the Windows VBScript engine remote code execution vulnerability. The content is concise and easy to follow; I hope the detailed walkthrough below gives you something useful.

Preface

A remote code execution vulnerability exists in the way the VBScript engine handles objects in memory. The vulnerability corrupts memory in a way that lets an attacker execute arbitrary code in the context of the current user. An attacker who successfully exploits this vulnerability gains the same privileges as the current user. If the current user is logged in with administrative privileges, an attacker who successfully exploits this vulnerability can take control of the affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights.

I. Brief introduction of the vulnerability

In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince users to view the site. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. Attackers could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements; such sites could contain specially crafted content that exploits this vulnerability.

On August 14, 2018, Microsoft released a security patch that affected most popular system versions.

Basic information about vulnerabilities

Vulnerability ID: CVE-2018-8373
Vulnerability name: Microsoft VBScript engine remote code execution vulnerability
Vulnerability type: remote code execution
Threat type: UAF
Affected system versions: IE9 on Windows Server 2008 (32/64-bit), IE10 on Windows Server 2012, most versions of IE11

II. Vulnerability test

System environment: Win7 32/64
IE version: IE10
EXP: https://github.com/B1eed/VulRec/blob/master/CVE-2018-8373

III. Vulnerability principle

Because the in-the-wild sample is heavily obfuscated (part of its code is shown in Figure 1), a simplified PoC is used for the analysis; its code is shown in Figure 2.

Figure 1: the sample is heavily obfuscated

Figure 2: Crash PoC

The crash PoC defines the class MyClass with one member variable, array, and two member functions: Class_Initialize and Default Property Get P. Class_Initialize is a legacy mechanism that has since been superseded, but it is still invoked automatically when the object is initialized. In the PoC, Class_Initialize is overridden, so when VBScriptClass::InitializeClass is called, the overridden handler is executed.

Set cls = New MyClass: creates an instance with New and assigns it to the variable cls. This first triggers the creation and initialization of the class; creation of the class is carried out by the VBScriptClass::Create function.

After the class has been created successfully, VBScriptClass::InitializeClass is called to initialize the contents of the VBScriptClass object.

The class pointer is then obtained in the vbscript IsFunction function.

Next the class's virtual function is invoked through vbscript!CScriptEntryPoint::Call. The resulting call stack is as follows:

vbscript!CScriptRuntime::RunNoEH is responsible for interpreting and executing the compiled VBS code. The class initialization is performed here; it mainly consists of defining the array member and executing the Class_Initialize function.

The function that creates an array in vbscript is vbscript!MakeArray, as follows:

ReDim array(2): vbscript!MakeArray is called to create an array with 3 elements, as shown in the following figure:

cls.array(2): vbscript!AccessArray is called to obtain the address of the array element. AccessArray first checks whether the element index is out of bounds, then computes the element's address and saves it on the stack.

The element address is saved on the stack: array(2) = 0x12ae6ff0.

cls.array(2) = cls: vbscript!AssignVar is called to assign the default property value of MyClass to cls.array(2). Fetching the default property value of MyClass invokes Public Default Property Get P, and the ReDim array(1) inside Public Default Property Get P is executed, releasing the original pvData.

ReDim Preserve array(1): the resizing of the array memory is implemented by the function RedimPreserveArray, which eventually calls SafeArrayRedim. Afterwards the pvData of the array object has been changed to 0x0818afe0, and the previous pvData (0x12ae6fd0) has been freed, which covers the address 0x12ae6ff0 previously saved on the stack.

The address of array(2) is still held on the stack, so when the return value of Public Default Property Get P is written there, freed memory is accessed, resulting in a use-after-free vulnerability.
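As an added example (not code from the original analysis or the linked repository), the following Python script turns the pattern above into a static triage heuristic: it flags a class whose Default Property Get re-dimensions an array member of the same class, together with an obj.array(i) = obj assignment on an instance of that class. The embedded VBScript sample is constructed for the test, and function names such as find_reentrant_assignments are my own.

```python
import re

# Added example (not from the original analysis): heuristic triage of a
# VBScript sample for the UAF shape described above: a Default Property Get
# that ReDims a member array, plus an obj.array(i) = obj assignment.
CLASS_RE = re.compile(r"\bClass\s+(\w+)(.*?)\bEnd\s+Class\b", re.I | re.S)
ARRAY_MEMBER_RE = re.compile(r"^\s*(?:Public|Private|Dim)\s+(\w+)\s*\(\s*\)", re.I | re.M)
DEFAULT_GET_RE = re.compile(r"\bDefault\s+Property\s+Get\s+\w+(.*?)\bEnd\s+Property\b", re.I | re.S)
REDIM_RE = re.compile(r"\bReDim\s+(?:Preserve\s+)?(\w+)\s*\(", re.I)


def find_suspicious_classes(script):
    """(class_name, array_member) pairs whose default getter ReDims a member array."""
    hits = []
    for m in CLASS_RE.finditer(script):
        name, body = m.group(1), m.group(2)
        members = {a.lower() for a in ARRAY_MEMBER_RE.findall(body)}
        for getter in DEFAULT_GET_RE.finditer(body):
            for arr in REDIM_RE.findall(getter.group(1)):
                if arr.lower() in members:
                    hits.append((name, arr))
    return hits


def find_reentrant_assignments(script):
    """(class, array, instance) triples where obj.array(i) = obj runs the getter mid-assignment."""
    found = []
    for cls_name, arr in find_suspicious_classes(script):
        new_re = re.compile(r"\bSet\s+(\w+)\s*=\s*New\s+%s\b" % re.escape(cls_name), re.I)
        for var in new_re.findall(script):
            v = re.escape(var)
            assign_re = re.compile(r"\b%s\.%s\s*\([^)]*\)\s*=\s*%s\b" % (v, re.escape(arr), v), re.I)
            if assign_re.search(script):
                found.append((cls_name, arr, var))
    return found


# Constructed sample mirroring the structure the analysis describes (not the PoC file).
SAMPLE = """Class MyClass
  Dim array()
  Private Sub Class_Initialize
    ReDim array(2)
  End Sub
  Public Default Property Get P
    ReDim Preserve array(1)
  End Property
End Class
Set cls = New MyClass
cls.array(2) = cls
"""
```

Running find_reentrant_assignments(SAMPLE) returns [('MyClass', 'array', 'cls')]; matching is case-insensitive because VBScript is, so trivially re-cased samples are still caught.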

IV. Debugging and analysis of EXP

The debugging method is the same as for the crash PoC: trace how the length of the two-dimensional array is changed to 0x0FFFFFFF, how arbitrary memory read and write is achieved, and how the CONTEXT structure is forged to execute the shellcode.

The exploit defines two arrays, array1 and array2. array1 is the array described in the PoC above, and array2 is a two-dimensional array in which every element has the value 3. The script callback DefaultPropertyGet is then used to free the original array1.pvData and to set array2 as the new array1.pvData. Because the original array1.pvData has the same size in memory as the array2 SAFEARRAY structure, 0x30 bytes, the array2 SAFEARRAY structure reuses the memory freed from the original array1.pvData. At the same time, the return value of DefaultPropertyGet, 0x0FFFFFFFF, overwrites the SAFEARRAYBOUND structure of array2's SAFEARRAY and changes the length of the two-dimensional array to 0x0FFFFFFF.

The length of the 2D array is changed to 0x0FFFFFFF:

Setting array(index_vul)(index_a,0) to "AAAA" makes the type field of the next array2 element 8, because the VarType of a string is 8. This produces a type confusion between array(index_vul)(index_a+n,0) and array(index_b)(0,n). By converting the variant at array(index_vul)(index_a,0) into a long integer, that variant is turned into an array, and as a result we obtain a leaked memory region util_mem, that is, a readable and writable region at a chosen address.

After rw_primit has executed, the chosen location has been overwritten with 0x200C. With the leaked memory region util_mem, a one-dimensional array gives arbitrary user-mode address read and write in 32-bit mode:

The method of executing the shellcode is the same as in 8174 (CVE-2018-8174) and is not analyzed in detail here.

The exploit works in a Windows 7 environment; popping calc is used as the example.

The above covers how to analyze and reproduce the remote code execution vulnerability in the Windows VBScript engine. Have you learned something new? If you want to learn more skills or broaden your knowledge, you are welcome to follow the industry information channel.
