Message-ID: <41266631545.20030701152732@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: PoC for Internet Explorer >=5.0 buffer overflow (trivial exploit for hard case).
Dear bugtraq@...urityfocus.com,
The attached exploit for [1] works with ~70% probability on Windows NT 4.0
(I didn't test on different systems and it may differ; I don't care,
because I only wanted to show code execution IS possible). It works
slowly and may require a few minutes to complete; see the explanation below.
It does ExitProcess(0x3A3A) and nothing more. A shell-binding exploit
needs the shellcode to be changed and will be private :) In this
realization the shellcode may contain any characters except 0x0000 and a few
0xFFxx combinations. Details on Unicode exploits can be found in [2].
Details:
As was said before, this is a stack-based overflow in HTML32.cnv.
Bad thing: data can only contain printable ASCII characters (0x20 -
0x79) and all characters are capitalized. This limits the range to
0x20-0x60 and 0x7B-0x79. It's hard to create shellcode, but the huge
problem is that the memory ranges 0x20202020-0x60797979 and
0x7B202020-0x79797979 are unused. That is, we cannot overwrite EIP with
something useful. So, at first look, exploitation is very difficult,
if possible at all.
Good thing: we can put an almost unlimited amount of code, almost without
any limitation, on the heap. We can use it in 2 ways:
1. Try to fill memory in such a way that the address 0x20202020 points inside
our code. It's hard, because it will require a large amount of RAM and a lot
(a few hours on the latest PIV) of CPU time.
2. We can try to partially overwrite EIP. And this trick really works (at
least on my Windows NT 4.0). With some luck, many EIPs and carefully
chosen alignment, we can finally exploit this bug with a high enough
success rate. Because it creates HTML of a few hundred Kb and puts it
on the clipboard from Javascript, it needs some time to complete. As
you can see, the exploit is trivial (because of a lack of
debugger and assembler experience since MS-DOS times, I prefer
simplicity :)) ).
OS: WinNT 4.0 SP6a, IE 6.0.2800, msvcrt.dll 6.10.8924.0 (the exploit uses
the ExitProcess import address from msvcrt.dll, so it will fail with a
different msvcrt). Probably it will work with different IE versions;
I'm not sure about different OSes.
Archive password is 3A3A
P.S. Please do not write something like "I don't understand how to use
it". This thing may be interesting only for researchers, not for
profit.
References:
[1] Digital Scream, Internet Explorer >=5.0 : Buffer overflow
http://www.security.nnov.ru/search/news.asp?binid=2926
[2] 3APA3A, Details and exploitation of buffer overflow in mshtml.dll
(and few sidenotes on Unicode overflows in general)
http://www.security.nnov.ru/search/document.asp?docid=2554
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A }
+-------------o66o--+ /
|/
You know my name - look up my number (The Beatles)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test2.zip
Type: application/x-zip-compressed
Size: 567 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030701/52304cd6/test2.bin