Wednesday, March 24, 2010

Pwn2Own 2010: Internet Explorer 8 Exploit on Windows 7

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

I decided to write a quick document about the techniques I used to exploit Internet Explorer 8 on windows 7 with ASLR and DEP enabled.

The exploit consists of two parts.

The first part figures out where a certain .dll file is loaded in the current process followed by step 2 that uses the information gathered in step 1 to trigger an exploit that uses some ret2lib technique to disable DEP for our shellcode and then redirects the program flow to the shellcode.

I will not (and am not allowed to) give out the exact vulnerabilities that I used in the exploit, but I might disclose them someday when Microsoft has them patched. Yes, you read that correctly, them, I used 2 exploits to get the final code execution on W7, but that was partly to speed up the exploit.

Anyways, I’m writing this on the plane to Vancouver without access to the W7 VMs that I tested the exploit on, so I’ll keep it vague. Also, I only had MS Word and MS Paint for the text and the images, so don’t complain about the quality of the final document.

[...]

I just read most of it back and Agree that it’s a bit of a lousy paper, skipping certain concepts and assuming prior knowledge, continuously switching from ‘I’ to ‘we’, but hey, you read it so far so maybe you liked it anyways =)

Peter Vreugdenhil

No comments:

Post a Comment