Friday, December 19, 2008

Pentester trick #6: logging Internet Explorer boxes

In a previous post (Debugging Without Debugger), I promised to explain how to log content from text areas within Internet Explorer Web pages.

If you tried to apply the previously described technique to Internet Explorer, you should have noticed that GetWindowText is never called for getting text from Web controls. This is because the whole Web page is rendered without relying on standard Windows controls.

Therefore, we need to find the GetWindowTextLength/GetWindowText equivalents in MSHTML.DLL. Fortunately, debugging symbols will help us much in this case. The equivalent functions are:

mshtml!CTxtPtr::GetPlainTextLength()
mshtml!CTxtPtr::GetPlainText()

Which are called from 3 locations, the most common being:

mshtml!CElement::GetPlainTextInScope()

Unfortunately, NTSD does not seem to handle symbols properly, which prevents us from setting a symbolic breakpoint :(

Since MSHTML.DLL is upgraded by virtually every cumulative patch for Internet Explorer, you really need to get access to the debugging symbols for the specific Internet Explorer version installed on the target (hint: use the SYMCHK utility shipped with Debugging Tools) and find appropriate addresses inside.

From my up-to-date Internet Explorer 7 installation, here are some sample addresses:

mshtml!CTxtPtr::GetPlainTextLength : 0x44BB3B85 (entry point) -> 0x44BB3BFD (ret)
mshtml!CTxtPtr::GetPlainText : 0x44BB3C05 (entry point) -> 0x44BB3C75 (ret)
mshtml!CElement::GetPlainTextInScope : 0x44BB3CA6 (entry point) -> 0x44BB3D46 (ret)

The epilog of GetPlainTextInScope function is:

.text:44BB3D3F mov eax, [ebp+var_4]
.text:44BB3D42 pop edi
.text:44BB3D43 pop esi
.text:44BB3D44 pop ebx
.text:44BB3D45 leave
.text:44BB3D46 retn 4
.text:44BB3D46 ?GetPlainTextInScope@CElement@@QAEJPAVCStr@@@Z endp


From here, it is nice to know that ESI points to the Unicode text content before being overwritten at address 0x44BB3D43. Therefore the following NTSD commands will do the trick:

ntsd -pn iexplore.exe
bp 0x44BB3D43 "du poi(esi); g;"

Awkward trick I must admit, but it could save pentesters' lifes anyway ;)