netscape4.x_bof.txt

1999-09-19T00:00:00
ID PACKETSTORM:15636
Type packetstorm
Reporter Packet Storm
Modified 1999-09-19T00:00:00

Description

                                        
                                            `Subject: Re: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow  
To: BUGTRAQ@SECURITYFOCUS.COM   
  
  
Hello  
  
  
David Parker writes:
  
  
> I tried the 4 exploit test links, and they all crashed Netscape but  
> didn't cause any bluescreens or run any programs. I have win98,  
> Netscape 4.5 128-bit, and the same msvcrt.dll (6.00.8397). I'm not  
> sure how to debug the crashes, so I'm including the illegal operation  
> errors, hopefully they will be of some help:  
  
  
We could confirm that the exploit codes which were published at the demo
site were executed. We think that the reason you cannot confirm that the
exploit codes were executed is the difference in the Windows kernel
code. The exploit code which was posted by R00tZer0 is for Japanese
Windows 98; this exploit uses the code which is written at 0xbff7a06b.
In the case of Japanese Windows 98, a JMP EBX (FFH, E3H) instruction is
written at that address. If you remake the exploit code so that it can
exploit the specified Netscape Communicators, you have to change the
address which is specified in the exploit code. We don't have an English
Windows environment, so we could not write code for English Windows.
Maybe you will be able to get the address of the JMP EBX code with the
following program. So, if someone succeeded or could get the address at
which the JMP EBX code is written, please tell us the address of the JMP
EBX code.
  
  
#include <windows.h>
#include <stdio.h>

/* Address ranges to scan, as start,end pairs terminated by 0,0.
   These are the shared system DLL regions of the author's Japanese
   Windows 98 machine; they are only meaningful on Windows 9x, where
   that region is mapped into every process. On NT-family Windows the
   0xBFxxxxxx range is not user-accessible and reading it would fault. */
unsigned int mems[]={
0xbfb70000,0xbfbfc000,
0xbfde0000,0xbfde6000,
0xbfdf0000,0xbfdf5000,
0xbfe00000,0xbfe10000,
0xbfe30000,0xbfe43000,
0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,
0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,
0xbff20000,0xbff47000,
0xbff50000,0xbff61000,
0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,
0,0};

/* Scan [st,ed) for the two-byte sequence c1 c2 and write every hit
   (the address plus the four bytes found there) to fp.
   The loop stops three bytes early so that the four bytes printed
   never read past ed. */
void search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char *p;

    fprintf(fp,"Result : %x - %x\n",(unsigned int)st,(unsigned int)ed);
    for (p=st;p+3<ed;p++)
        if (*p==c1 && *(p+1)==c2)
            fprintf(fp,"%x : %x %x %x %x\n",(unsigned int)p,
                    *p&255,*(p+1)&255,*(p+2)&255,*(p+3)&255);
}

/* Write every occurrence of FF E3 (JMP EBX) in the listed ranges to
   adr.txt in the current directory. */
int APIENTRY WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance,
                      LPTSTR lpCmdLine, int nCmdShow)
{
    FILE *fp;
    int i;

    if ((fp=fopen("adr.txt","w"))!=NULL){
        for (i=0;;i+=2){
            if (mems[i]==0) break;
            search_mem(fp,(unsigned char *)mems[i],
                       (unsigned char *)mems[i+1],0xff,0xe3);
        }
        fclose(fp);
    }
    return 0;
}
  
  
  
Kerb writes:
  
  
> When I went there with NC 4.05, it gave me a blue screen of death that was  
> completely unrecoverable. I had to reboot the system.  
> So, basically, it is a DoS for Netscape users, could possibly be coded  
> into a CGI or Javascript that checks browser  
> version and writes the corresponding exploit code. Just a thought.  
  
  
The CGIs which are published at the demo site are not for a DoS attack. Of
course, we could develop code for a DoS attack. We could also develop
HDD format code, virus code, trojan code, and so on. If trojan code is
written into the exploit code, all visitors' PCs will be cracked, and if
HDD format code is written, the visitors' HDDs will be cleaned
completely. It's a very serious problem. In this case, the stack area
that can be used for exploit code is wide enough.


I will post the demo programs which can send the trojan by using the
security hole in other applications.
  
  
  
-----  
The Shadow Penguin Security (http://shadowpenguin.backsection.net)  
Webmaster / UNYUN (shadowpenguin@backsection.net)  