Tuesday, October 20, 2009

PPStream 0day

I just finished working on the PPStream exploit. The p0c to reproduce the bug was released at Milw0rm a few days go. By using the default exploit, we’ll notice that the bug is related to heap corruption instead just typical stack overflow on ActiveX. In stack overflow on ActiveX app, we can just simply heap spray the browser and overwrite SEH to get control of EIP and jump to heap to get to our shellcode. But, since this is heap overflow, overwriting SEH pointer is not possible due SEH pointer is located inside a stack frame instead of heap frame. On this particular exploitation, we need to rely on heap exploitation to get control of EIP.

After further analysis on the bug, i noticed that the param ofBackImage is the key to get heap overflow occur. So i made a little bit changes on p0c and start debugging on the p0c again. Since the key point of heap exploitation is to get control when heap is doing coalesce we need to get this assembly code (this is when heap is doing coalesce,we can have arbitrary overwrite if we can overflow the next/prev chunk) :

move dword ptr [eax],ecx ds:0023:41414141=?????

Since my target machine is running on XP SP1, i still can use arbitrary overwrite [WHERE] to VEH pointer. And to get reliable value on my shellcode location [WHAT], i’m using heap spray to place my shellcode. Below are the screenshot of the calc.exe got executed when vulnerable PPSTream (V2.6.86.8900) open the exploit page (via IE browser) (I promised i wont used Heap Spray technique ;)).

I apologize for very brief/basic information on this bug and also not releasing the exploit code. The reason is due to the current PPStream is not yet have a patch (during this blog post writing). I hope that one fine day i can publish this simple exploitation dev article.