Double Star

A personalized/enhanced re-creation of the Darkhotel "Double Star" APT exploit chain, with a focus on Windows 8.1 and mixed with some of my own techniques. Starting from an Internet Explorer or Firefox RCE, it escapes the browser sandbox and escalates privileges to NT AUTHORITY\SYSTEM via a hybrid RPC Print Spooler bug and a Rotten Potato style impersonation attack.

The exploit chain contains a 64-bit Firefox IonMonkey type confusion RCE (CVE-2019-17026), as well as a 64-bit variation of the legacy jscript.dll UAF (CVE-2020-0674). The latter serves a dual purpose: an IE8/11 64-bit RCE, and an attack vector against the WPAD service, which evaluates PAC-file JavaScript with the same engine and is reachable over RPC, giving a sandbox escape/EoP path.

CVE-2020-0674

This is a 32-bit re-creation of a use-after-free heap corruption exploit in the Windows legacy JavaScript engine (jscript.dll). It dynamically generates a SYSCALL ROP chain in order to bypass DEP as well as the EMET-era StackPivot, SimExec, CallerCheck, EAF and EAF+ mitigations. ASLR is bypassed with a memory disclosure (info leak) rather than hard-coded addresses.

It works on IE8-11 32-bit for RCE and has primarily been tested on the x64 and x86 editions of Windows 7. On Windows 8.1 it works up until the EIP hijack, which is mitigated there by Control Flow Guard. While its most obvious use is as an RCE for Internet Explorer, the exploit can compromise any process that executes JavaScript with the legacy jscript.dll engine, and there are many such applications.

MS12-037

This is a re-creation of a classic Internet Explorer heap overflow exploit from an older era, when exploitation techniques were far simpler and relied on tricks like heap sprays and BSTR length overflows, which are often infeasible today.


While initially experimenting with this genre of old classics I studied quite a few of the Metasploit modules and found some of them very unsatisfactory. MS12-037 in particular I felt was lacking enough in its Metasploit rendition to merit a re-creation. My variation of the exploit contains bug fixes, as well as an info leak for ASLR bypass and pseudo-dynamic ROP chain creation.