Jscript Heap Spray attack? When your PC takes a DMP do you look at it?


Recommended Posts

The game is afoot! ......no, actually it's a game. I've been doing some sleuthing and thought this might be fun to share. I have a few crashes on my user base's PCs and it looks to me like exploitation attempts. I'm also hoping some of you may be able to help me focus on the right stuff. I'm not 100% sure what I'm looking at, but I know this isn't the usual DMP output because I see Jscript in my crash dump stack!
For this post I will be analyzing crash dump files from the C:\users\%username%\appdata\local\crashdumps directory.

In the past month the performance monitoring software we use is showing IE crashes. Most of the IE crashes are usually simple fixes, but as you will see below some are getting crashes from Jscript running. Usually I also see a reference to the Flash OCX in the dmp.

Is this what I think it is? Can you offer any further enlightenment on the situation or potential solutions? Jscript cannot be disabled because I work for lawyers, so everything is mine mine mine now now now......

The following crash dump is slightly different from the ones I saw last week, but is still very close in nature.

Oh, one more thing: if any of you know how I can get symbol paths to fix the first three ERRORS in the dump output I'd really appreciate it. I can't get a straight answer from anyone on the web, and I'm starting to think I'm the only one doing this these days. Kind of like how I'm the only person I've ever met that actually read the 9/11 commission report (HINT, that report said we should attack Iraq and nothing about what happened on 9/11, and to secure the northern border because obviously we have a problem here in America with undocumented Canadians pole vaulting across the border.) I digress.....

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


*** ERROR: Symbol file could not be found.  Defaulted to export symbols for EMET.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for HooksCore.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Flash32_20_0_0_228.ocx - 


FAULTING_IP: 
jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c
0a5b4e21 8b7074          mov     esi,dword ptr [eax+74h]


EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0a5b4e21 (jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0x0000000c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000001
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 8542d2a7
Attempt to read from address 8542d2a7


CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=8542d233 ebx=042eb170 ecx=8542d233 edx=34600120 esi=0a646e75 edi=34600120
eip=0a5b4e21 esp=042ea848 ebp=042ea85c iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210286
jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0xc:
0a5b4e21 8b7074          mov     esi,dword ptr [eax+74h] ds:002b:8542d2a7=????????


DEFAULT_BUCKET_ID:  INVALID_POINTER_READ


PROCESS_NAME:  iexplore.exe


ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.


EXCEPTION_PARAMETER1:  00000000


EXCEPTION_PARAMETER2:  8542d2a7


READ_ADDRESS:  8542d2a7 


FOLLOWUP_IP: 
jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c
0a5b4e21 8b7074          mov     esi,dword ptr [eax+74h]


NTGLOBALFLAG:  0


APPLICATION_VERIFIER_FLAGS:  0


APP:  iexplore.exe


ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre


FAULTING_THREAD:  00001348


PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ


BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ


LAST_CONTROL_TRANSFER:  from 0a5b4cc2 to 0a5b4e21


STACK_TEXT:  
042ea85c 0a5b4cc2 34600120 042ea8e0 042ea8ac jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0xc
042ea86c 0a5b4c8d 34600120 042ea8e0 042ea8e0 jscript9!ThreadContext::IsNativeAddress+0x22
042ea880 0a5b4cf7 00000001 042ea8e0 00000000 jscript9!Js::JavascriptStackWalker::CheckJavascriptFrame+0x3e
042ea890 0a5b4d85 042ea8e0 042ea8e0 042ea8e0 jscript9!Js::JavascriptStackWalker::UpdateFrame+0xc
042ea8a0 0a5b4da5 042ea954 042ea8c4 0a5b5a77 jscript9!Js::JavascriptStackWalker::Walk+0x35
042ea8ac 0a5b5a77 042ea954 042ea8d0 042ea930 jscript9!Js::JavascriptStackWalker::GetCaller+0xf
042ea8c4 0a5b5d5e 042ea954 ba7ed600 3ffc7de0 jscript9!Js::JavascriptStackWalker::GetNonLibraryCodeCaller+0x15
042ea968 0a5b538d 3ffc7de0 042ea990 0000000a jscript9!Js::JavascriptExceptionOperators::WalkStackForExceptionContextInternal+0x15c
042ea994 0a5b52d0 3ffc7de0 0000000a 00000000 jscript9!Js::JavascriptExceptionOperators::WalkStackForExceptionContext+0x20
042ea9e0 0a6a5782 00000001 00000001 00000000 jscript9!Js::JavascriptExceptionOperators::ThrowExceptionObjectInternal+0x6c
042ea9f4 0a629620 00000001 00000000 00000000 jscript9!Js::JavascriptExceptionOperators::ThrowExceptionObject+0x12
042eaa20 0a609c8d 14f10470 14f10470 042eab08 jscript9!Js::JavascriptExceptionOperators::Throw+0x7d
042eaa48 0a5ee9b7 00000000 00000000 00000000 jscript9!Js::JavascriptError::ThrowError+0x55
042eaa64 0a60a3c4 00000000 00000000 00000000 jscript9!Js::JavascriptError::MapAndThrowError+0x34
042eaa88 0a60a397 227089c0 80070005 22708a00 jscript9!Js::JavascriptError::MapAndThrowError+0x27
042eaab4 0a60a363 042eab08 042eab2c 0a6559f5 jscript9!HostDispatch::HandleDispatchError+0x4d
042eaac0 0a6559f5 80070005 042eab08 042eabd0 jscript9!HostDispatch::HandleDispatchError+0x1c
042eab2c 0a518bc7 002dc789 042eabd0 22708a00 jscript9!HostDispatch::GetValueByDispId+0xf8
042eab44 0a518b6c 0a892e04 042eabd0 0a518ae0 jscript9!HostDispatch::GetValue+0x2a
042eab6c 0a486a06 22708a00 000000d4 042eabd0 jscript9!HostDispatch::GetProperty+0x88
042eaba0 0a4c063d 000000d4 042eabd0 14f10470 jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x64
042eabec 0a50a70d 14f10470 042eb170 042eb170 jscript9!Js::JavascriptOperators::TypeofFld_Internal<0>+0x5b
042eae8c 0a50aa8f ba7ed1ac 042eb170 02f3ee80 jscript9!Js::InterpreterStackFrame::Process+0x6222
042eaec4 0a50aaee 042eb15c 20e70d8e 02f3ee80 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
042eb168 0a48d749 20e70da0 34600120 20e70d80 jscript9!Js::InterpreterStackFrame::Process+0x49a8
042eb29c 170114c9 042eb2b0 042eb558 0a489b13 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
WARNING: Frame IP not in any known module. Following frames may be wrong.
042eb2a8 0a489b13 31923520 02000002 37abf800 0x170114c9
042eb558 0a48d749 3de922d6 34601000 3de91d90 jscript9!Js::InterpreterStackFrame::Process+0x2040
042eb6dc 170114e9 042eb6f0 042eb998 0a48d3e1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
042eb6e8 0a48d3e1 31923500 10000002 1620e3c0 0x170114e9
042eb998 0a48d749 3de352ea 3da70d80 3de35010 jscript9!Js::InterpreterStackFrame::Process+0x1e62
042ebb1c 17011559 042ebb30 042ebb78 0a48671a jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
042ebb28 0a48671a 25d4de60 10000003 1620e3c0 0x17011559
042ebb78 0a48a394 10000003 042ec1f4 042ec100 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
042ebe1c 0a50aa8f ba7ec13c 042ec100 02f3ee80 jscript9!Js::InterpreterStackFrame::Process+0x3a10
042ebe54 0a50aaee 042ec0ec 1f33d6fa 02f3ee80 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49
042ec0f8 0a48d749 1f33d72e 25d4f120 1f33d680 jscript9!Js::InterpreterStackFrame::Process+0x49a8
042ec26c 17011561 042ec280 042ec2bc 0a48671a jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200
042ec278 0a48671a 25d4de80 00000000 00000000 0x17011561
042ec2bc 0a486d28 00000000 00000000 ba7ebc58 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91
042ec330 0a486c5d 14f10470 00000000 00000000 jscript9!Js::JavascriptFunction::CallRootFunction+0xb5
042ec378 0a486bf0 042ec3a4 00000000 00000000 jscript9!ScriptSite::CallRootFunction+0x42
042ec3c4 0a59207b 25d4de80 042ec408 00000000 jscript9!ScriptSite::Execute+0xd2
042ec44c 0a591247 042ec6d8 042ec6f8 ba7ebb88 jscript9!ScriptEngine::ExecutePendingScripts+0x1c6
042ec4e0 0a5928da 3d093a58 09f763b4 1611dd24 jscript9!ScriptEngine::ParseScriptTextCore+0x300
042ec530 04a2f434 14f056c0 3d093a58 09f763b4 jscript9!ScriptEngine::ParseScriptText+0x5a
042ec568 04568438 3d093a58 00000000 00000000 mshtml!CActiveScriptHolder::ParseScriptText+0x51
042ec5c0 0499515b 3d093a58 00000000 00000000 mshtml!CJScript9Holder::ParseScriptText+0x5f
042ec630 0456896e 00000000 14208a00 3c782200 mshtml!CScriptCollection::ParseScriptText+0x175
042ec71c 04568fd9 00000000 00000000 00000000 mshtml!CScriptData::CommitCode+0x31e
042ec798 04938751 049386f0 042ec7c8 05780000 mshtml!CScriptData::Execute+0x232
042ec7b8 0437d2cb 1611dca4 00000000 00000001 mshtml!CScriptData::AsyncExecute+0x67
042ec800 0437cbf4 b873d32c 00000000 0437bf20 mshtml!GlobalWndOnMethodCall+0x17b
042ec854 759162fa 00080b9e 00008002 00000000 mshtml!GlobalWndProc+0x103
042ec880 75916d3a 0437bf20 00080b9e 00008002 user32!InternalCallWinProc+0x23
042ec8f8 759177d3 00000000 0437bf20 00080b9e user32!UserCallWinProcCheckWow+0x109
042ec95c 7591789a 0437bf20 00000000 042efb3c user32!DispatchMessageWorker+0x3cb
042ec96c 0f59a7ac 042ec9ac 02efe9b8 00614fe0 user32!DispatchMessageW+0xf
042efb3c 0f5d3158 042efc08 0f5d2dd0 0024afc8 ieframe!CTabWindow::_TabWindowThreadProc+0x464
042efbfc 7757ebec 02efe9b8 042efc20 0f621f00 ieframe!LCIETab_ThreadProc+0x3e7
042efc14 60c13a31 0024afc8 00000000 00000000 iertutil!CMemBlockRegistrar::_LoadProcs+0x67
042efc4c 75d8338a 005dc8c0 042efc98 77b99882 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
042efc58 77b99882 005dc8c0 7295cad2 00000000 kernel32!BaseThreadInitThunk+0xe
042efc98 77b99855 60c139a0 005dc8c0 00000000 ntdll!__RtlUserThreadStart+0x70
042efcb0 00000000 60c139a0 005dc8c0 00000000 ntdll!_RtlUserThreadStart+0x1b




STACK_COMMAND:  ~6s; .ecxr ; kb


SYMBOL_STACK_INDEX:  0


SYMBOL_NAME:  jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c


FOLLOWUP_NAME:  MachineOwner


MODULE_NAME: jscript9


IMAGE_NAME:  jscript9.dll


DEBUG_FLR_IMAGE_TIMESTAMP:  566c54b7


FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_jscript9.dll!NativeCodeGenerator::IsNativeFunctionAddr


BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c


ANALYSIS_SOURCE:  UM


FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_jscript9.dll!nativecodegenerator::isnativefunctionaddr


FAILURE_ID_HASH:  {f79b47ef-ea32-0b27-5ba9-8a665e65198e}


Followup: MachineOwner

Are there any kinds of logs related to GET requests you can dig through? You can try to set up Burp Suite as the proxy to give you a visual... if you can recreate the crash...

I use tcpick daily, a console application I like to filter through live streams with...

You could search through traffic pcaps for strings related to the crash log...

I believe this stuff comes from a compromised ad campaign, to deliver exploits to a trusted domain's viewers...

Edited by i8igmac

My thoughts exactly, I'm glad we're on the same page. It's probably set up to attack anyone it can; I have no reason to think this would be targeted. I'm going to pay that PC a visit and see if I can locate any web history from the rough time of the DMP to get more info. I was able to use this data to get management to actually listen when I say "Flash is BAD and shouldn't be installed by default and only if it's absolutely needed." Currently they have it on every single box. They've been scratching their heads about why IE crashes for about a month. I've been checked out because of lack of sleep and debt. I did find out good news though: presenting this actually qualifies me for some money if they implement my idea. Too bad it's nothing like the reward for catching a 0-day.


To answer your question, not at the moment, but I have gotten the go-ahead to build a lab for testing things like this. It should be up by the end of the month. Unfortunately, even though I'm taking more of a security role I'm still required to take calls from the helpdesk, and that makes it really hard to stay focused on reading crashes and doing investigations like this.


Sounds like a lot of fun. I would love to be a part of something like this and get paid big bucks lol...

I would suggest a NoScript plugin (not sure if available for IE) and a training class on how it works... not sure if something like this is applicable...

firewall rules for the win.


Regarding those 3 errors, I think you worked this out yourself already, but they're basically the debugging symbols for the DLLs in question, and the last thing the developers of these products actually want is for you to be able to dissect their code, get a better insight into it and then work out how to hack it.

In general, setting up symbol file access is described here but, again, you're probably already way ahead of me on that one.

Did you try looking at the JScript code IE was running? Maybe something like IECacheViewer could help. My point is that you seem to be diving in and going down, down, down to the nittiest, grittiest part of the system in search of answers when you might want to start with having a long, hard look at the surface.


Sounds like a lot of fun. I would love to be a part of something like this and get paid big bucks lol...

I would suggest a NoScript plugin (not sure if available for IE) and a training class on how it works... not sure if something like this is applicable...

firewall rules for the win.

AHAHAHAHA - no big bucks here. I just found out I made less than 32K last year.... half of what my contract said. :( I'm about to start doing magic on the street; I love magic a lot more and it pays well during the warm months.
