[5966] in bugtraq


Re: L0pht Advisory MSIE4.0(1)

daemon@ATHENA.MIT.EDU (Linus Nordberg)
Thu Jan 15 02:56:53 1998

Date: 	Wed, 14 Jan 1998 23:45:25 +0100
Reply-To: Linus Nordberg <nordbelm@DECUS.SE>
From: Linus Nordberg <nordbelm@DECUS.SE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  DilDog's message of Wed, 14 Jan 1998 11:42:53 -0500

DilDog <dildog@L0PHT.COM> writes:

>
>       Document:  L0pht Security Advisory
>     URL Origin:  http://l0pht.com/advisories.html
>   Release Date:  January 14th, 1998
>    Application:  Microsoft Internet Explorer 4.0(1) Suite
>       Severity:  Viewing remote HTML content can execute arbitrary native code
>         Author:  dildog@l0pht.com
>  Operating Sys:  Windows 95 and Windows NT
>

buffer overflows come to redmond...
especially interesting when the msie code is used in almost every
application nowadays.

below is a program that tries to find out what file is downloaded and
executed. paste the vicious url into a file and give the filename as
the only argument, or cat it in on stdin.

yes, it's kind of lame. i know that.

-------------------
/*
 * whaturl.c
 *
 * prints the url that the l0pht msie-overflow is downloading by
 * doing bytewise XOR on the "exploit url", using some magic values
 * it tries to find in the url.
 *
 * see http://www.l0pht.com/advisories.html for details on the exploit.
 *
 * this program is easily fooled by anyone who crafts their own
 * urls, but a fair guess is that most of us are too lazy/lame to do
 * that.
 *
 * --linus
 */

#include <stdio.h>
#define MY_EOS (0)

/* signum for finding the magic value to XOR with */
unsigned char signum[] =
{0x80, 0x01, MY_EOS};           /* add b,[ecx],? */


/* feed one byte at a time; returns 1 on the byte that completes signum */
int matchsignum(unsigned char c)
{
        static unsigned char *cp = signum;

        if (*cp != c)
                cp = signum;    /* restart, then retest c as a first byte */
        if (*cp == c && *++cp == MY_EOS) {
                cp = signum;    /* reset so the next match starts clean */
                return 1;
        }

        return 0;
}

int main(int argc, char *argv[])
{
        int sigfound, ixor, bread, i, j;
        unsigned char xorval[64], inbuf[0xffff], *cp;
        FILE *fin = NULL;

        if (argc > 1)
                fin = fopen(argv[1], "rb");

        if (fin == NULL)
                fin = stdin;

        bread = fread(inbuf, sizeof(*inbuf), sizeof(inbuf), fin);
        if (!feof(fin)) {
                fprintf(stderr, "%s: read error or input longer than %u bytes\n",
                        argv[0], (unsigned)sizeof(inbuf));
                return 1;
        }

        /* find possible XOR-values: the byte following each signum */
        sigfound = ixor = 0;
        for (i = 0, cp = inbuf; i < bread; i++, cp++) {
                if (sigfound) {
                        for (j = 0; j < ixor; j++)
                                if (*cp == xorval[j])
                                        break;
                        /* only store new values, and never past xorval */
                        if (j == ixor && ixor < (int)sizeof(xorval))
                                xorval[ixor++] = *cp;
                        sigfound = 0;
                } else
                        sigfound = matchsignum(*cp);
        }

        if (!ixor) {
                fprintf(stdout, "%s: signum not found, trying 0x80\n", argv[0]);
                ixor = 1;
                xorval[0] = 0x80;
        }
        /* todo: where does the url start? for now, print the lot. */
        while (ixor--) {
                printf("%s: xorval 0x%02x -->\n", argv[0], xorval[ixor]);
                for (i = 0, cp = inbuf; i < bread; i++, cp++)
                        putchar(*cp ^ xorval[ixor]);
                putchar('\n');
        }

        if (fin != stdin)
                fclose(fin);
        return 0;
}
---------------
--linus
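Added example, not part of Linus Nordberg's post or of the L0pht advisory: a small C tool that generalizes the signum search above. It collects the byte after every `80 01` stub as a candidate key (de-duplicated and bounded), adds a crib-based fallback that brute-forces all 256 single-byte keys looking for "http://" so a string with the stub stripped or the key byte changed can still be read, and, because `80 01 imm8` is the encoding of `add byte ptr [ecx], imm8`, tries an additive decode alongside the XOR the post assumes. The filler bytes, the key 0x5c and the URL http://www.example.com/x.exe in the built-in sample are constructed test data, not taken from any real exploit string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 0x80 0x01 = opcode + ModRM of `add byte ptr [ecx], imm8`; the post's tool
 * takes the imm8 that follows as the decoder key. */
static const unsigned char STUB[] = { 0x80, 0x01 };

/* One single-byte decode over n bytes: XOR (the post's assumption) or
 * add-mod-256 (what a literal `add [ecx], imm8` loop would do). */
void decode(const unsigned char *in, size_t n, unsigned char key, int add,
            unsigned char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(add ? in[i] + key : in[i] ^ key);
}

/* Candidate keys: the byte after each stub, de-duplicated, at most maxkeys. */
size_t keys_by_signature(const unsigned char *buf, size_t n,
                         unsigned char *keys, size_t maxkeys)
{
    size_t nkeys = 0;
    for (size_t i = 0; i + sizeof STUB < n; i++) {
        if (memcmp(buf + i, STUB, sizeof STUB) != 0)
            continue;
        unsigned char k = buf[i + sizeof STUB];
        size_t j = 0;
        while (j < nkeys && keys[j] != k)
            j++;
        if (j == nkeys && nkeys < maxkeys)
            keys[nkeys++] = k;
    }
    return nkeys;
}

/* Fallback that ignores the stub: try all 256 keys with both decodes and
 * report the first under which the crib (e.g. "http://") shows up. */
int key_by_crib(const unsigned char *buf, size_t n, const char *crib,
                unsigned char *key, int *add)
{
    size_t clen = strlen(crib);
    unsigned char *tmp = malloc(n ? n : 1);
    int found = 0;
    if (!tmp || clen == 0 || clen > n) {
        free(tmp);
        return 0;
    }
    for (int mode = 0; mode < 2 && !found; mode++)
        for (int k = 0; k < 256 && !found; k++) {
            decode(buf, n, (unsigned char)k, mode, tmp);
            for (size_t i = 0; i + clen <= n && !found; i++)
                if (memcmp(tmp + i, crib, clen) == 0) {
                    *key = (unsigned char)k;
                    *add = mode;
                    found = 1;
                }
        }
    free(tmp);
    return found;
}

/* Constructed test vector (not a real exploit string): 8 filler bytes, the
 * stub plus key, then the URL encoded so that the chosen decode undoes it. */
size_t build_sample(unsigned char *out, size_t cap, const char *url,
                    unsigned char key, int add)
{
    size_t ulen = strlen(url), pos = 8;
    if (cap < pos + sizeof STUB + 1 + ulen)
        return 0;
    memset(out, 'A', pos);
    memcpy(out + pos, STUB, sizeof STUB);
    pos += sizeof STUB;
    out[pos++] = key;
    for (size_t i = 0; i < ulen; i++)
        out[pos++] = (unsigned char)(add ? url[i] - key : url[i] ^ key);
    return pos;
}

int main(int argc, char *argv[])
{
    static unsigned char buf[0xffff], out[0xffff], keys[16];
    size_t n, nk;
    unsigned char k;
    int add;

    if (argc > 1) {                  /* same usage as the post's whaturl.c */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else
        n = build_sample(buf, sizeof buf, "http://www.example.com/x.exe", 0x5c, 0);

    nk = keys_by_signature(buf, n, keys, sizeof keys);
    for (size_t i = 0; i < nk; i++) {
        printf("signature key 0x%02x (xor): ", keys[i]);
        decode(buf, n, keys[i], 0, out);
        for (size_t j = 0; j < n; j++)   /* mask non-printables */
            putchar(out[j] >= 0x20 && out[j] < 0x7f ? out[j] : '.');
        putchar('\n');
    }
    if (key_by_crib(buf, n, "http://", &k, &add))
        printf("crib key 0x%02x (%s)\n", k, add ? "add" : "xor");
    return 0;
}
```

Run it with no arguments to decode the built-in sample, or pass a file holding a captured exploit string exactly as the post's tool is used. The crib search is the check to run when the stub is missing or its key byte has been tampered with, and whichever decode makes the crib appear is the operation the decoder loop actually performs.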
